RADIUS server specs
Hey everyone,
I am going to try to spin up a RADIUS server implementation in my work environment. I ran a test configuration in a VM and GNS3, and I plan on scaling it a little larger tomorrow. I am confident I can get it up and running, but what should I run it on?
I plan on using Ubuntu Server as the OS and FreeRADIUS as the service. What kind of specs would the server need to serve as the authentication authority for 50-100 routers/switches, with the ability to expand?
I'm sure it won't need much, but I figured I'd ask if anyone has any experience with the implementation.
Thanks for your help,
chmorin
Currently Pursuing
WGU (BS in IT Network Administration) - 52%| CCIE:Voice Written - 0% (0/200 Hours)
mikej412 wrote: Cisco Networking isn't just a job, it's a Lifestyle.
Comments
peanutnoggin Member Posts: 1,096
Does your company use Active Directory for user/admin authentication? If so, these forums have a nice write-up on using the W2K3 IAS to authenticate users to AD. That way, your admin account in AD can be a "one-stop shop". If someone has access to your devices and they leave the company, once their AD account is deleted, they no longer have access to any of your devices. Just a thought. HTH.
-Peanut
EDIT: Here's the link to the post to which I was referring. I was able to employ this on a small network such as the one you mentioned. HTH.
We cannot have a superior democracy with an inferior education system!
-Mayor Cory Booker
Forsaken_GA Member Posts: 4,024
chmorin wrote:
Hey everyone,
I am going to try to spin up a RADIUS server implementation in my work environment. I ran a test configuration in a VM and GNS3, and I plan on scaling it a little larger tomorrow. I am confident I can get it up and running, but what should I run it on?

What are you going to use it for? Is this going to be for things like network device access, or is the entire workspace going to need to authenticate against it, and how many users would that be?
If it's only a few here and there, you don't need much of a machine to handle it. You could probably get away with running it in a VM. If you're going to need to support several thousand or more users, then that might require a decent box (and you'll also want to start thinking about redundancy as well; life sucks when primary authentication systems break).
chmorin Member Posts: 1,446
Forsaken_GA wrote:
What are you going to use it for? Is this going to be for things like network device access, or is the entire workspace going to need to authenticate against it, and how many users would that be?
If it's only a few here and there, you don't need much of a machine to handle it. You could probably get away with running it in a VM. If you're going to need to support several thousand or more users, then that might require a decent box (and you'll also want to start thinking about redundancy as well; life sucks when primary authentication systems break).

It would be lucky to get 4 people authenticating at the same time. I was thinking Ubuntu and a 2 GB VM would be safe for almost anything. It will only be used on routers and switches.
We do have an AD environment, but our team is so small, and our administrator accounts on AD not only do not include me, but with the way our administration is split I'm not sure I could find a safe bet to implement it with that. I'm much more looking for a streamlined access plan, since we have waaaaaay too many passwords lying around.
Like I said, the team is small, so we could simply change the password and be just fine if something like that were to occur.
Thanks for the advice everyone, as usual.
As far as redundancy, during my sweep of AAA configurations I'll be trying to streamline the local users/passwords to be used should the server be unreachable.
peanutnoggin Member Posts: 1,096
Ahhh... understood. If only 4 users are going to be authenticating, then yes... I was thinking it was 50 - 100 users, but that's devices... so yeah, the setup options you listed should suffice... as mentioned earlier, be sure to build it out for redundancy. HTH.
-Peanut
DevilWAH Member Posts: 2,997
I played around with Windows IAS when I was testing my network authentication setup.
It proved the point, but it's not pretty to use.
I then looked at some Linux-based solutions, but in the end work saw the Cisco ACS interface I had a demo of and decided it was worth the extra. Having used it for a while now, it is very smooth to use and makes it easy for the non-techy people to manage. It also allows TACACS+, so you can pass the management of switch administration over to it. And the fact it links in to AD makes it all a cinch to set up!
Currently it runs on VMware, and even with a few 1000+ users logging in within a 1 hour period in the morning I have never seen it struggle, and we don't set the VM to have many resources.
- If you can't explain it simply, you don't understand it well enough. Albert Einstein
- An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.
LinkedIn Profile - Blog: http://Devilwah.com
chmorin Member Posts: 1,446
DevilWAH wrote:
I played around with Windows IAS when I was testing my network authentication setup.
It proved the point, but it's not pretty to use.
I then looked at some Linux-based solutions, but in the end work saw the Cisco ACS interface I had a demo of and decided it was worth the extra. Having used it for a while now, it is very smooth to use and makes it easy for the non-techy people to manage. It also allows TACACS+, so you can pass the management of switch administration over to it. And the fact it links in to AD makes it all a cinch to set up!
Currently it runs on VMware, and even with a few 1000+ users logging in within a 1 hour period in the morning I have never seen it struggle, and we don't set the VM to have many resources.

I worked with TACACS+ in my last work environment and it was great and smooth; however, this network might have a need for AAA outside of Cisco, so that already throws TACACS+ out. So if I can implement a free solution that serves more devices, I think I would be better off than paying for TACACS and maybe having to implement RADIUS later anyway.
Thanks for the suggestion though! I appreciate it, everyone!
DevilWAH Member Posts: 2,997
TACACS can only really be used for switch admin.
Network access still has to be handled via RADIUS, even on Cisco devices.
So ACS supports both protocols: you use RADIUS for the 802.1X port-based authentication and TACACS+ for your device admin management.
I have lots of policies set up to allow access determined by user and machine ID; the web interface and logical method of Cisco make it easy to build up complex policies in steps and reuse elements of policies.
However, if you only want one policy that says something like "if user is in AD group X, allow access", then Windows IAS or any free RADIUS server is plenty.
chmorin Member Posts: 1,446
DevilWAH wrote:
However, if you only want one policy that says something like "if user is in AD group X, allow access", then Windows IAS or any free RADIUS server is plenty.

Bingo bango bongo
Forsaken_GA Member Posts: 4,024
chmorin wrote:
It would be lucky to get 4 people authenticating at the same time. I was thinking Ubuntu and a 2 GB VM would be safe for almost anything. It will only be used on routers and switches.

With that few users, and assuming it's not going to be handling anything else, I'd give it a VM with like 10 gigs of space and 256 MB of memory, and even that's probably overkill.
tiersten Member Posts: 4,505
If you're using this for authentication and you also want to make it a VM, please make sure that you can actually access it if something goes wrong and your network/VM/RADIUS is down :P
I've seen networks with so many interdependencies between the various devices and servers that it causes major pain if something goes down or it is a completely cold start. At one place I worked at, the startup sequence for a cold start was over 50 pages long, as you needed to turn devices on and off in a very specific order so everything would boot correctly.
docrice Member Posts: 1,706
Where I work, we do a lot of RADIUS / AAA for general user auth and accounting, as well as 802.1X. It's not for Cisco device login authentication though. That said, I've worked with FreeRADIUS, IAS / NPS, Juniper SBR, as well as ACS ... and in my experience RADIUS in general is really lightweight. The only time it creates potential issues is if you have a lot of proxying / hand-offs to downstream RADIUS hosts for the purpose of realm-based or other policy-based routing, which might create round-trip authentication time lag. This doesn't seem to be the case for you though.
FreeRADIUS does not need many resources at all, but you might want to consider how much logging is needed. If it's going to be stored on the RADIUS server itself, you'll need to account for the disk space. Otherwise, I wouldn't have a problem running FreeRADIUS on CentOS with even 512 MB of memory, assuming you do basic OS resource optimization with the running services, etc.
IAS / NPS also gives you one-stop-shop convenience authentication-wise, but at the same time it's not the most friendly thing to use if you need to mess around with incorporating new vendor-specific attributes, etc.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
chmorin Member Posts: 1,446
tiersten wrote:
If you're using this for authentication and you also want to make it a VM, please make sure that you can actually access it if something goes wrong and your network/VM/RADIUS is down :P
I've seen networks with so many interdependencies between the various devices and servers that it causes major pain if something goes down or it is a completely cold start. At one place I worked at, the startup sequence for a cold start was over 50 pages long, as you needed to turn devices on and off in a very specific order so everything would boot correctly.

O_o holy cow. Well, with this you simply tell the router to authenticate to the RADIUS server first, then the local attributes should the server not be available, then line attributes should the local ones be messed up (or something). So it should be pretty solid as far as that goes. I have been playing with it in a lab and have had no issues turning it off and logging in with the backup credentials.
That being said, I am having some issues. Two, really. For some reason the server is either not receiving requests correctly or GNS3 messed up, which is more likely. I never changed the server configuration and suddenly it just would not authenticate; it would keep getting denied. I ran FreeRADIUS in debug mode, and test authentication showed no errors and Access-Accept across the board. Not sure what's up there.
And I can't get it to work properly for the enable password. Supposedly Cisco sends the username $enable15$ to the AAA server for enable authentication, but when I test the connection with that username, the username gets sent as just '$' with nothing following. I assume this has something to do with $ being a special character; I have yet to find a workaround, since I'm not using SQL.
peanutnoggin Member Posts: 1,096
chmorin wrote:
O_o holy cow. Well, with this you simply tell the router to authenticate to the RADIUS server first, then the local attributes should the server not be available, then line attributes should the local ones be messed up (or something). So it should be pretty solid as far as that goes. I have been playing with it in a lab and have had no issues turning it off and logging in with the backup credentials.
That being said, I am having some issues. Two, really. For some reason the server is either not receiving requests correctly or GNS3 messed up, which is more likely. I never changed the server configuration and suddenly it just would not authenticate; it would keep getting denied. I ran FreeRADIUS in debug mode, and test authentication showed no errors and Access-Accept across the board. Not sure what's up there.
And I can't get it to work properly for the enable password. Supposedly Cisco sends the username $enable15$ to the AAA server for enable authentication, but when I test the connection with that username, the username gets sent as just '$' with nothing following. I assume this has something to do with $ being a special character; I have yet to find a workaround, since I'm not using SQL.

Chmorin,
Above you mentioned that your method list was RADIUS, local, line... are you sure you added your enable to your method list? That may be why you're getting denied. Just a thought. HTH.
-Peanut
chmorin Member Posts: 1,446
peanutnoggin wrote:
Chmorin,
Above you mentioned that your method list was RADIUS, local, line... are you sure you added your enable to your method list? That may be why you're getting denied. Just a thought. HTH.
-Peanut

Oh, sorry if it sounded like that. You actually need to configure a different method for enable. For login I have it set to RADIUS, local, then line; and for enable I have it set to RADIUS, then enable. If I set it to just enable it will use the local enable password that is set, so RADIUS tells it to authenticate with the RADIUS server, and Cisco sends the default enable username and prompts the user for the password.
DevilWAH Member Posts: 2,997
chmorin wrote:
Oh, sorry if it sounded like that. You actually need to configure a different method for enable. For login I have it set to RADIUS, local, then line; and for enable I have it set to RADIUS, then enable. If I set it to just enable it will use the local enable password that is set, so RADIUS tells it to authenticate with the RADIUS server, and Cisco sends the default enable username and prompts the user for the password.

Why not just set up AAA authentication and authorisation methods to point to a RADIUS server group, with local as backup?
And then pass privilege level 15 back from the RADIUS server when an authenticated user logs on.
Then you don't need to worry about the enable password. Personally, I think if people have level 15 access then log them in as that, and if people only have level 1 access then they log in as that, and only a long, complex enable secret password set locally for emergencies.
The same with local users: they should all be level 0 (for things like VPN users, if you don't offload them to RADIUS, but can't manage the device), and one complex level 15 user for emergency access.
enable... so yesterday
PS: it does send it as $enable$. I did set this up using Windows AD, where I had a username set up as $enable$ with the password the same, and it worked fine. I just had issues when things went wrong with the RADIUS authorisation and you can't use the local enable password because it wants to use the RADIUS server.
Which is why I would hard code the console port to use local authentication no matter what! If you need to use the console port, something is wrong, and the last thing you want is to be locked out because the RADIUS server is playing up. If the switch can see the RADIUS server, it will use it! If someone deletes the user accounts on the RADIUS server, it won't fall back to local unless you remove it from the network or otherwise cut it off from the RADIUS server!
Yes, make sure you have another way in that bypasses RADIUS!!
- If you can't explain it simply, you don't understand it well enough. Albert Einstein
- An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.
LinkedIn Profile - Blog: http://Devilwah.com
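Both the "$enable15$" username question a few posts up and DevilWAH's suggestion of handing privilege 15 back from the server come down to what is actually inside the RADIUS packets. The following is an added example for this thread, written in Python; it is not FreeRADIUS or Cisco code. It builds the Access-Request a NAS sends (with the PAP password hiding from RFC 2865 section 5.2), answers it as a server that returns Service-Type = NAS-Prompt-User plus the Cisco-AVPair "shell:priv-lvl=15", and verifies the Response Authenticator on the way back so that a reply from anything that does not hold the shared secret is thrown away. The shared secret, the user table and the user names in it are constructed for the example.

```python
"""Minimal RADIUS Access-Request / Access-Accept round trip (RFC 2865), pure Python.
Added example for this thread, not FreeRADIUS or Cisco code. The shared secret,
the user table and the user names are constructed for the example."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # packet codes
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
NAS_PROMPT_USER = 7                      # Service-Type value IOS expects for an exec login
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1     # Vendor-Specific: vendor id 9, vendor type 1
SHARED_SECRET = b"constructed-secret"
# Constructed stand-in for the FreeRADIUS users file: name -> (password, privilege level)
USERS = {"$enable15$": (b"enablepass", 15), "chmorin": (b"loginpass", 15),
         "readonly": (b"ropass", 1)}

def _attr(atype, value):
    """Type-Length-Value; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def _cisco_avpair(text):
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + _attr(CISCO_AVPAIR, text.encode())
    return _attr(VENDOR_SPECIFIC, vsa)

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16n, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide; the chaining value is the received ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def parse_attrs(body):
    """Split an attribute list into {type: [value, ...]}, rejecting bad lengths."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.setdefault(body[i], []).append(body[i + 2:i + body[i + 1]])
        i += body[i + 1]
    return attrs

def build_access_request(username, password, secret, ident=1):
    """NAS side. User-Name goes on the wire byte for byte, '$' signs included."""
    req_auth = os.urandom(16)                                   # Request Authenticator
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, pap_hide(password, secret, req_auth))
             + _attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def handle_access_request(packet, secret):
    """Server side: check the password; Accept with shell:priv-lvl, else Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:])
    username = attrs.get(USER_NAME, [b""])[0].decode(errors="replace")
    hidden, entry = attrs.get(USER_PASSWORD, [b""])[0], USERS.get(username)
    code, reply = ACCESS_REJECT, b""
    if entry and len(hidden) % 16 == 0 and pap_reveal(hidden, secret, req_auth) == entry[0]:
        code = ACCESS_ACCEPT
        reply = (_attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER))
                 + _cisco_avpair("shell:priv-lvl=%d" % entry[1]))
    header = struct.pack("!BBH", code, ident, 20 + len(reply))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + reply + secret).digest() + reply

def check_response(response, req_auth, secret):
    """NAS side: authenticate the reply, then read the privilege level -> (accepted, priv)."""
    code, _ident, length = struct.unpack("!BBH", response[:4])
    body = response[20:length]
    if hashlib.md5(response[:4] + req_auth + body + secret).digest() != response[4:20]:
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    if code != ACCESS_ACCEPT:
        return False, None
    priv = None
    for vsa in parse_attrs(body).get(VENDOR_SPECIFIC, []):
        if len(vsa) >= 4 and struct.unpack("!I", vsa[:4])[0] == CISCO_VENDOR_ID:
            for val in parse_attrs(vsa[4:]).get(CISCO_AVPAIR, []):
                if val.startswith(b"shell:priv-lvl="):
                    priv = int(val.split(b"=", 1)[1])
    return True, priv

def authenticate(username, password, secret=SHARED_SECRET):
    """One full round trip through both halves."""
    req, req_auth = build_access_request(username, password, secret)
    return check_response(handle_access_request(req, secret), req_auth, secret)

if __name__ == "__main__":
    for user, pw in (("$enable15$", b"enablepass"), ("$enable15$", b"wrong"), ("readonly", b"ropass")):
        print(user, authenticate(user, pw))
```

Run stand-alone it reports "(True, 15)" for "$enable15$": the dollar signs travel as ordinary bytes, since RADIUS has no special characters in User-Name. When a test tool shows the name arriving as a bare "$", look at the shell you typed it in: an unquoted $enable15$ in bash expands $enable15 as an (empty) variable and leaves only the trailing $, so single-quote the name when using radtest and compare against what "debug radius" on the router shows. Cisco's own documentation gives the name IOS sends for RADIUS enable authentication as $enab15$; confirm it in the debug output rather than from memory, given that this thread alone has three spellings. On the FreeRADIUS side, the equivalent of this example's USERS entry is a users-file line with Cleartext-Password := "..." followed by the reply items Service-Type = NAS-Prompt-User and Cisco-AVPair = "shell:priv-lvl=15".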
chmorin Member Posts: 1,446
DevilWAH wrote:
Why not just set up AAA authentication and authorisation methods to point to a RADIUS server group, with local as backup?
And then pass privilege level 15 back from the RADIUS server when an authenticated user logs on.
Then you don't need to worry about the enable password. Personally, I think if people have level 15 access then log them in as that, and if people only have level 1 access then they log in as that, and only a long, complex enable secret password set locally for emergencies.
The same with local users: they should all be level 0 (for things like VPN users, if you don't offload them to RADIUS, but can't manage the device), and one complex level 15 user for emergency access.
enable... so yesterday
PS: it does send it as $enable$. I did set this up using Windows AD, where I had a username set up as $enable$ with the password the same, and it worked fine. I just had issues when things went wrong with the RADIUS authorisation and you can't use the local enable password because it wants to use the RADIUS server.
Which is why I would hard code the console port to use local authentication no matter what! If you need to use the console port, something is wrong, and the last thing you want is to be locked out because the RADIUS server is playing up. If the switch can see the RADIUS server, it will use it! If someone deletes the user accounts on the RADIUS server, it won't fall back to local unless you remove it from the network or otherwise cut it off from the RADIUS server!
Yes, make sure you have another way in that bypasses RADIUS!!

Great Scott, what a fantastic idea! I'm going to throw all this together in a lab real quickly and tell you how it goes.
Thanks for the great advice!
chmorin Member Posts: 1,446
Well, I have the RADIUS server up and running, but I must have something wrong with my AAA configs, because when I turn off my RADIUS server it does not fail back to local authentication.

    aaa authentication login default group RadiusServers local
    username backup privilege 15 password 0 backup

Currently it is rejecting all usernames and passwords.
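The design DevilWAH describes and the failover being tested in the post above, as an added IOS configuration example; it is not anything from the thread, and the server address 192.0.2.10, the group name and the angle-bracket placeholders are assumptions. The point to check before declaring failover broken: an IOS method list only moves on to "local" when every server in the group fails to answer (the RADIUS ERROR case); an Access-Reject from a server that is reachable is final and never falls through. With the default radius-server timeout 5 and retransmit 3, a dead server costs about 20 seconds of silence per server before "local" is tried, which looks like a rejection if you give up early; shorter timeouts and a deadtime make the fallback quicker. The console line is pinned to local so that a misbehaving server can never lock you out of the box.

```text
! Added example for this thread, not the poster's running config.
! 192.0.2.10, the shared secret and the group name are assumptions.
aaa new-model
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
radius-server timeout 3
radius-server retransmit 2
radius-server deadtime 5
aaa group server radius RadiusServers
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
! VTY logins: RADIUS first; "local" is tried only when the whole group times out.
aaa authentication login default group RadiusServers local
! Console: local only, so a reachable-but-broken server can never lock you out.
aaa authentication login CONSOLE local
!
! Let the server set the privilege level (shell:priv-lvl=15) so admins never type "enable".
aaa authorization exec default group RadiusServers local if-authenticated
aaa authorization exec CONSOLE local
aaa authorization console
!
! Enable stays local as the emergency path; use "secret", not a type-0 "password".
aaa authentication enable default enable
enable secret <long-random-secret>
! One local emergency account only, never a day-to-day login.
username backup privilege 15 secret <different-long-random-secret>
!
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

To exercise the server path without logging out, "test aaa group RadiusServers <user> <password> new-code" from privileged mode, together with "debug radius", shows whether the router received Access-Accept, Access-Reject, or nothing at all; the last case is the only one in which "local" is consulted. On the FreeRADIUS side, the matching users-file entry sets Cleartext-Password and returns Service-Type = NAS-Prompt-User with Cisco-AVPair = "shell:priv-lvl=15" so the exec authorization above lands the user at level 15.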