chmorin wrote: » Hey everyone, I am going to try and spin up a RADIUS server implementation in my work environment. I ran a test configuration in a VM and GNS3, and I plan on scaling it a little larger tomorrow. I am confident I can get it up and running, but what should I run it on?
Forsaken_GA wrote: » What are you going to use it for? Is this going to be for things like network device access, or is the entire workspace going to need to authenticate against it, and how many users would that be? If it's only a few here and there, you don't need much of a machine to handle it. You could probably get away with running it in a VM. If you're going to need to support several thousand or more users, then that might require a decent box (and you'll also want to start thinking about redundancy as well; life sucks when primary authentication systems break).
DevilWAH wrote: » I played around with Windows IAS when I was testing my network authentication setup. It proved the point, but it's not pretty to use. I then looked at some Linux based solutions, but in the end work saw the Cisco ACS interface I had a demo of and decided it was worth the extra. Having used it for a while now, it is very smooth to use and makes it easy for the non-techy people to manage. It also allows TACACS+, so you can pass the management of switch administration over to it. And the fact it links in to AD makes it all a cinch to set up! Currently it runs on VMware, and even with a few 1000+ users logging in within a 1 hour period in the morning I have never seen it struggle, and we don't set the VM to have many resources.
DevilWAH wrote: » However, if you only want one policy that says something like "if user is in AD group X, allow access" then Windows IAS or any free RADIUS server is plenty.
chmorin wrote: » It would be lucky to get 4 people authenticating at the same time. I was thinking Ubuntu and a 2 gig VM would be safe for almost anything. It will only be used on routers and switches.
tiersten wrote: » If you're using this for authentication and you also want to make it a VM, please make sure that you can actually access it if something goes wrong and your network/VM/RADIUS is down :P I've seen networks with so many interdependencies between the various devices and servers that it causes major pain if something goes down or it is a completely cold start. At one place I worked, the startup sequence for a cold start was over 50 pages long, as you needed to turn devices on and off in a very specific order so everything would boot correctly.
chmorin wrote: » O_o holy cow. Well, with this you simply tell the router to authenticate to the RADIUS server first, then the local attributes should the server not be available, then line attributes should local be messed up (or something). So it should be pretty solid as far as that goes. I have been playing with it in a lab and have had no issues turning it off and logging in with the backup credentials. That being said, I am having some issues. Two, really. For some reason the server is either not receiving requests correctly or GNS3 messed up, which is more likely. I never changed the server configuration and suddenly it just would not authenticate; it would keep getting denied. I ran FreeRADIUS in debug mode and test authentication showed no errors and Access-Accept across the board. Not sure what's up there. And I can't get it to work properly for the enable password. Supposedly Cisco sends the username $enable15$ to the AAA server for enable authentication, but when I test the connection with that username, the username gets sent as just '$' with nothing following. I assume this has something to do with $ being a special character; I have yet to find a workaround since I'm not using SQL.
peanutnoggin wrote: » chmorin, above you mentioned that your method list was RADIUS, local, line... are you sure you added your enable to your method list? That may be why you're getting denied. Just a thought. HTH. -Peanut
chmorin wrote: » Oh, sorry if that sounded like that. You actually need to configure a different means for enable. For login I have it set to RADIUS, local, then line; and for enable I have it set to RADIUS, then enable. If I set it to just enable, it will use the local enable password that is set, so RADIUS tells it to authenticate with the RADIUS server, and Cisco sends the default enable username and requests the user for the password.
DevilWAH wrote: » Why not just set up AAA authentication and authorisation methods to point to a RADIUS server group, with local as backup? And then pass privilege level 15 back from the RADIUS server when an authenticated user logs on. Then you don't need to worry about the enable password. Personally, I think if people have level 15 access then log them in as that. And if people only have level 1 access then they log in as that. And only a long, complex enable secret password set locally for emergencies. The same with local users: they should all be level 0 (for things like VPN users if you don't offload them to RADIUS, but can't manage the device). And one complex level 15 user for emergency access. enable... so yesterday. PS: it does send it as $enable$. I did set this up using Windows AD, where I had a username set up as $enable$ with the password the same, and it worked fine. I just had issues when things went wrong with the RADIUS authorisation and you can't use the local enable password because it wants to use the RADIUS server. Which is why I would hard code the console port to use local authentication no matter what! If you need to use the console port, something is wrong, and the last thing you want is to be locked out because the RADIUS server is playing up. If the switch can see the RADIUS server it will use it! If someone deletes the user accounts on the RADIUS server, it won't fall back to local unless you remove it from the network or otherwise cut it off from the RADIUS server! Yes, make sure you have another way in that bypasses RADIUS!!
aaa authentication login default group RadiusServers local
username backup privilege 15 password 0 backup
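Two points in this thread are easier to see on the wire than in prose: chmorin's enable username arriving as a bare '$', and DevilWAH's suggestion of handing privilege level 15 back from the RADIUS server instead of relying on an enable password. The Python below is an added example written for this page; it is not code from the thread, from FreeRADIUS or from Cisco. It builds an RFC 2865 Access-Request with the User-Name carried byte for byte (so a `$enable15$` username only loses its characters if the client's command line mangles it before it is sent: in a Unix shell an unquoted `$enable15` is expanded as an empty variable and only the trailing `$` survives, while single-quoting the name keeps it intact), hides the password exactly as the RFC specifies, and then parses a constructed Access-Accept standing in for the server's reply, verifying its Response Authenticator before reading the Cisco-AVPair `shell:priv-lvl=15` vendor attribute that carries the privilege level. The shared secret, the NAS address and the server reply are all constructed for the example; the function names are my own.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9   # IANA enterprise number carried in Cisco VSAs
CISCO_AVPAIR = 1      # vendor attribute type of Cisco-AVPair


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(payload: bytes) -> list:
    """Split an attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding (RFC 2865 s5.2): each 16-octet block is XORed with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password exceeds 128 octets")
    pad = (-len(password)) % 16 if password else 16   # empty password still sends one block
    out, prev = b"", authenticator
    padded = password + b"\x00" * pad
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it; padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Build an Access-Request; the User-Name is carried exactly as given."""
    authenticator = authenticator or os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_access_accept(request, secret, avpairs):
    """Constructed stand-in for the server's Access-Accept: same Identifier, one
    Cisco-AVPair VSA per string, Response Authenticator per RFC 2865 s3."""
    attrs = b"".join(
        encode_attr(ATTR_VENDOR_SPECIFIC,
                    struct.pack("!I", CISCO_VENDOR_ID) + encode_attr(CISCO_AVPAIR, av.encode()))
        for av in avpairs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request_authenticator, secret):
    """A NAS must check the Response Authenticator before honouring a reply; it
    binds the reply to the outstanding request and to the shared secret."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def cisco_priv_level(response):
    """Return N from a Cisco-AVPair 'shell:priv-lvl=N' VSA, or None if absent."""
    for attr_type, value in parse_attrs(response[20:]):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for vtype, vvalue in parse_attrs(value[4:]):
            if vtype == CISCO_AVPAIR and vvalue.startswith(b"shell:priv-lvl="):
                return int(vvalue.split(b"=", 1)[1])
    return None


def demo():
    """Round trip for the thread's enable case with a constructed secret and reply."""
    secret = b"testing123"   # constructed shared secret, not a deployment value
    req = build_access_request(7, "$enable15$", "letmein", secret, "192.0.2.10")
    sent_name = dict(parse_attrs(req[20:]))[ATTR_USER_NAME].decode()
    reply = build_access_accept(req, secret, ["shell:priv-lvl=15"])
    return sent_name, verify_response(reply, req[4:20], secret), cisco_priv_level(reply)


if __name__ == "__main__":
    print(demo())   # ('$enable15$', True, 15)
```

Running `demo()` shows the username leaving the client intact, the reply passing the authenticator check, and privilege 15 being read from the VSA; a reply whose attributes or secret have been tampered with fails `verify_response` and must be discarded, which is the check that keeps a spoofed Access-Accept from granting access. The password hiding is a stream of MD5 keystream blocks rather than an authenticated encryption, which is why the shared secret should be long and the RADIUS traffic kept on a management network.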