Last updated: 
2 weeks 2 days ago
Group Manager
The content in this group is private. Please request membership to view it.

RADIUS Server Choice Guide for eduroam

27 April 2015 at 9:03am

The RADIUS implementations most likely to be deployed or implemented at the present time are:

  • FreeRADIUS – a free, open source implementation: http://www.freeradius.org/
  • Microsoft NPS (Network Policy Server) - the Windows Server 2008 implementation of RADIUS, replacing IAS (Internet Authentication Server) – the Windows® Server 2000/2003 implementation of RADIUS: http://www.microsoft.com/windows2000/technologies/communications/ias/default.mspx
  • OSC Radiator – a feature-rich, perl-based commercial package, source supplied: http://www.open.com.au/radiator/
  • Cisco Secure ACS and Cisco ISE (Identity Services Engine) - originally a software based GUI-fronted system, now available as an appliance
  • Aruba Clearpass
  • Radsecproxy - a proxy-only RADIUS system, which was designed to support RadSec (TLS/TCP and latterly DD)
System Cost Plus Points Issues Why to choose
FreeRADIUS nil (Commercial support available if required)
  • Integrates with a wide range of authentication backends, including AD, LDAP, Kerberos, and multiple flavours of SQL
  • Supports all EAP flavours commonly used for user authentication in eduroam (EAP-PEAP, EAP-TLS, EAP-TTLS-PAP, EAP-TTLS-MSCHAPv2)
  • Flexible configuration language for defining complex policies.
  • Allows breakout into Perl or Python for exceptionally complex policies. Or integration with more escoteric data sources
  • Extensible via plugin modules.
  • Supports RadSec natively (as of version 3.x)
  • Fast and efficient - a pair of RADIUS servers is usually sufficient for eduroam deployments
  • Many distributions only provide very out of date versions. You may have to role your own .debs and .rpms (though the requisite files for this are bundled with the server)
  • Stability issues with the latest major release branch v3.0.x. Though most of these should be resolved as of v3.0.4
  • Does not yet support DNS based Dynamic Discovery for RadSec (not yet relevant to eduroam for ORPS deployments)
  • Can be difficult to configure due to the number of options available, especially for novice system administrators

It's extreme flexibility and high performance means that FreeRADIUS is a good fit for most eduroam sites, which is why it is the most deployed RADIUS servers within the eduroam federation.

The upshot of it's popularity is that there are many technical guides already published which take some of the edge of the sharp learning curve.

If you need a flexible and scalable RADIUS server, and have the in house expertise to configure it, FreeRADIUS is the best choice

If you're primarily a Windows shop, one of the other servers may be a better fit

Microsoft NPS Very little since it is included in Windows Server and academic licences for WS are very cheap
  • Windows GUI means no linux or scripting skills or experience needed
  • Works well with AD
  • Can be made to do the basics of the required job

Lack of functionality:

  • filtering of RADIUS attributes not properly supported, but over-write workround is satisfactory
  • doesn't support Status Server
  • doesn't support Operator-Name injection
  • doesn't support Chargeable User Identity

Lack of flexibility:

  • GUI interface limits what you can configure
  • everything is policy-based, which makes configuration based on logic somewhat difficult
If you're primarily a Windows shop you may be comfortable with the familiar interface and feel confident in selecting a fully supported product whilst accepting NPS's limitations.
OSC Radiator Moderate
  • Integrates with a wide range of authentication backends, including AD, LDAP, Kerberos, and multiple flavours of SQL.
  • Supports all EAP flavours commonly used for user authentication in eduroam (EAP-PEAP, EAP-TLS, EAP-TTLS-PAP, EAP-TTLS-MSCHAPv2).
  • Flexible configuration language for defining complex policies.
  • Supports RadSec natively.
  • A pair of RADIUS servers is usually sufficient for eduroam deployments.
  • Fully supported product - a range of support options are available
  • Written in PERL so when your configuration get large and complex the server will get slower.

It's extreme flexibility means that RADIATOR is a good fit for most eduroam sites. It is used for the UK NRPS and the eduroam European top level RADIUS servers - not least because it is a fully supported product.

The upshot of it's popularity is that there are many technical guides already published which take some of the edge of the sharp learning curve and it is provided with a 'goodies' directory containing many recipes ready for use or to start off with.

If you need a flexible RADIUS server, and have the in house expertise to configure it, RADIATOR is a good choice

RADIATOR is written in PERL and can be run on Windows servers (with a prerequisite PERL interpreter installed) which would suit if you're primarily a Windows shop

Cisco Secure ACS

Ciso Secure ISE

Commercial (VM or appliance)
  • latest versions support Operator-Name attribute addition
  • doesn't support Status Server
 
Aruba Clearpass Commercial    
  • FreeRADIUS under the bonnet with a GUI front end
radsecproxy nil
  • can filter attributes
  • can add attributes
  • can do RadSec
  • but just a proxy
  • just a proxy ;-)
  • if your platform cannot do good filtering or add attributes then if you use this at the border to talk to the NRPS you can leverage these abilities