7

We are looking to deploy about 15-20 Cisco 1131ag access points on campus. I have been reading up on different authentication methods, but I don’t know what will be the best long term solution that allows for a balance between simple management and future expansion.

The first option I have considered is to use Cisco ACS for Windows because we already have the server, so that will save some money.

Also, some people recommend setting up a RADIUS server such as FreeRADIUS on a Linux box and tying that into the existing LDAP for end-user authentication. This is also a money saver, since the OS and FreeRADIUS are free to use.

I personally feel more comfortable in a Windows environment, but I am no stranger to Linux when I have been required to use it in the past. I just wanted to get some thoughts on what is the best solution for management. Or if there is a better solution altogether, I would love to know about that as well.

AviD
YerPhate
  • 4
    You can get a RADIUS server for Windows, too. – Soumya Jul 01 '11 at 14:44
  • I don't really have any facts to support this, so I won't make it an answer, but I'd definitely say RADIUS! :P –  Jul 01 '11 at 15:29
  • In the context of wireless authenticating users on campus, [Eduroam](http://www.eduroam.org/) may be interesting, especially the [documentation](https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus) – Hendrik Brummermann Jul 01 '11 at 20:11
  • Eduroam is for visiting other academic institutions and having roaming access, usually at much greater QoS controls for such clients. Campuses tend to provide their own separate network for use with their own students. – ewanm89 Jul 01 '11 at 20:32

1 Answer

4

Most places use RADIUS in combination with a backend authentication system.

FreeRADIUS could do the job and integrates with Active Directory: http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

Cisco ACS can do the job and also integrates with AD, though in my experience this can be kludgy. It supports policies and of course can be used to provide TACACS AAA services for Cisco devices as well.

Microsoft has been pushing NPS with their Network Access Protection http://msdn.microsoft.com/en-us/library/bb892033(v=vs.85).aspx and it has the whole "call Microsoft" benefit and negative. It supports policies similar to ACS, you can send people to get trained on it, and it does the RADIUS job too.

Really, if you're in the EDU space you can get Microsoft licenses cheaper than a ream of paper, so I'd recommend going that way. Cisco and Microsoft basically give you the same "one throat to choke"; even if they're not perfect, they do allow you to easily receive vendor support.

In the same vein, I'd say if you're in the private space stick with ACS and save your money. As long as you've got a robust ACS infrastructure, it's a single place to manage it all, and you've already got the license.

Ori