Kitz Forum

Computers & Hardware => Networking => Topic started by: Weaver on November 01, 2021, 12:34:36 AM

Title: RADIUS server - single point of failure?
Post by: Weaver on November 01, 2021, 12:34:36 AM
Is this true? Do corporates suffer from this weakness or is there a fix for it?
Title: Re: RADIUS server - single point of failure?
Post by: Reformed on November 17, 2021, 02:05:07 PM
Use a series of authentication methods.
Title: Re: RADIUS server - single point of failure?
Post by: aesmith on November 18, 2021, 08:50:00 AM
Is this true? Do corporates suffer from this weakness or is there a fix for it?

Depends what it's used for, but typically we would use two RADIUS servers. On network equipment we also have a local username/password, and the equipment is configured to only use local authentication if RADIUS (or TACACS) fails - that means no response from either server, not a login failure. So the local account can only be used if both RADIUS servers are down, or if the equipment is unable to reach them over the network.
Title: Re: RADIUS server - single point of failure?
Post by: Reformed on November 18, 2021, 01:56:31 PM
Just looking at a deployment here it uses OAuth via https://www.okta.com, TACACS+, https://en.wikipedia.org/wiki/TACACS, RADIUS and a last resort local login.

This allows Okta to use 2-factor authentication from anywhere to permit access, then the other methods for use from the internal network.

A frequent one is to use 2 RADIUS servers and alternate between them, with both reporting back to an accounting cluster. In case of failure of one everything fails over to the other.
Title: Re: RADIUS server - single point of failure?
Post by: snadge on November 25, 2021, 12:51:34 AM
Can I ask what it is you're talking about with RADIUS servers, operations, and what they are about, please?

I'm Intrigued!

if you don't mind that is :)

cheers
Title: Re: RADIUS server - single point of failure?
Post by: Weaver on November 25, 2021, 01:08:45 AM
RADIUS servers provide login lookups. I’m thinking about using one for WPA with individual user logins and separate passwords instead of the common domestic WPA/PSK, i.e. pre-shared key, where there’s only one WLAN login password. It’s so that I can change the password for one user to lock them out without changing it for everyone and finding that, for example, Janet’s printer or TV stops working as the one and only password got changed. The WAPs themselves might be able to do RADIUS and possibly my FB2900 router may be able to as well, can’t remember. I’m concerned though about (1) single point of failure, and (2) single point delaying the network boot process - some things might want to be up before the RADIUS server is.

I’m hoping someone can tell me about them as I’ve never used one before, and what is normally done about the single point of failure badness.
Title: Re: RADIUS server - single point of failure?
Post by: snadge on November 27, 2021, 02:00:56 PM
RADIUS servers provide login lookups. I’m thinking about using one for WPA with individual user logins and separate passwords instead of the common domestic WPA/PSK, i.e. pre-shared key, where there’s only one WLAN login password. It’s so that I can change the password for one user to lock them out without changing it for everyone and finding that, for example, Janet’s printer or TV stops working as the one and only password got changed. The WAPs themselves might be able to do RADIUS and possibly my FB2900 router may be able to as well, can’t remember. I’m concerned though about (1) single point of failure, and (2) single point delaying the network boot process - some things might want to be up before the RADIUS server is.

I’m hoping someone can tell me about them as I’ve never used one before, and what is normally done about the single point of failure badness.

Ahh, that's interesting - so it's like a Wi-Fi management system for large Wi-Fi setups with multiple Access Points, is it?

sorry I can't help with your questions, someone else should be able to help I imagine with the knowledgeable users on this forum.
Title: Re: RADIUS server - single point of failure?
Post by: Weaver on November 27, 2021, 11:07:11 PM
It’s where you have a lot of users. If you need to manage multiple WAPs there are lots of proprietary solutions and also the standard that is CAPWAP. My WAPs support CAPWAP but they can not be a CAPWAP admin controller and a normal WAP at the same time, unfortunately so you have to buy one extra at £400 [!]. I used to have a lot of WAPs but due to untimely death I’m now down to three: two in active use and (I think) there is a spare in Janet’s stores in case one fails. With that number it now isn’t worth my while doing CAPWAP.
Title: Re: RADIUS server - single point of failure?
Post by: meritez on November 27, 2021, 11:55:19 PM
You can have multiple radius servers, with database replication.

For example, TalkTalk had three primary RADIUS servers across the United Kingdom; there may be more now, this is information from 2006.

Three is the minimum, as two can give splitbrain, where both are operating at the same time.
Title: Re: RADIUS server - single point of failure?
Post by: Weaver on November 28, 2021, 06:03:12 AM
I’m thinking about a system that is designed such that the first server that is up handles the RADIUS query, that way if the system as a whole is booting then there’s no problem with the whole thing failing just because the boot order is wrong or some server isn’t up in time. The FB2900 boots in a lot less than 6 s iirc, I need to check that.
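The failover policy aesmith and Reformed describe above (two RADIUS servers tried in turn, local account usable only when neither answers, never on a login failure), which is also what the "first server that is up handles the query" idea in the post just above amounts to, as an added example. This is not code from the thread, from any vendor's gear or from the FB2900: it is a minimal RFC 2865 PAP client in Python with a constructed in-process toy server standing in for the real RADIUS servers, a constructed user list, and made-up names (`toy_server`, `udp_transport`, the shared secret) that are all assumptions for illustration.

```python
"""Added example (not from the thread): a minimal RFC 2865 RADIUS PAP client that applies
the failover policy discussed above. Servers are tried in order; the local account is
consulted only when every server fails to answer, never when one answers Access-Reject.
A toy in-process server stands in for the two RADIUS servers so the module runs offline."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decode_password(encoded, secret, authenticator):
    """Inverse of encode_password (what the server does); strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, authenticator=None):
    """Access-Request carrying User-Name and User-Password; returns (packet, request authenticator)."""
    authenticator = authenticator or os.urandom(16)
    enc = encode_password(password, secret, authenticator)
    attrs = struct.pack("BB", ATTR_USER_NAME, 2 + len(username)) + username
    attrs += struct.pack("BB", ATTR_USER_PASSWORD, 2 + len(enc)) + enc
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs, authenticator


def parse_attrs(data):
    """Type/Length/Value list -> {type: value}; a length < 2 would never advance, so reject it."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_response(code, request, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()


def verify_response(response, req_auth, secret):
    """Client side: the reply must come from a holder of the shared secret and match our request."""
    length = struct.unpack("!H", response[2:4])[0]
    if length < 20 or len(response) < length:
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def toy_server(secret, users):
    """Constructed stand-in for a RADIUS server: a callable request-bytes -> response-bytes."""
    def handle(request):
        length = struct.unpack("!H", request[2:4])[0]
        attrs = parse_attrs(request[20:length])
        user = attrs.get(ATTR_USER_NAME, b"")
        pw = decode_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
        ok = user in users and hmac.compare_digest(users[user], pw)
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)
    return handle


def udp_transport(host, port, timeout=3.0):
    """Real transport (hypothetical host/port): one UDP exchange; a silent server raises socket.timeout."""
    def send(request):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(request, (host, port))
            return s.recv(4096)
    return send


def authenticate(username, password, servers, secret, local_users):
    """Returns (accepted, source): 'radius' if any server answered, 'local' only if none did."""
    for ident, send in enumerate(servers):
        request, req_auth = build_access_request(ident & 0xFF, username, password, secret)
        try:
            response = send(request)
        except OSError:            # timeout or unreachable: try the next server
            continue
        if not verify_response(response, req_auth, secret):
            continue               # an unauthenticated reply counts the same as no reply
        if response[0] == ACCESS_ACCEPT:
            return True, "radius"
        if response[0] == ACCESS_REJECT:
            return False, "radius"  # a real answer: do NOT fall through to the local account
    pw = local_users.get(username)
    return pw is not None and hmac.compare_digest(pw, password), "local"
```

The point to check in any real deployment is the one aesmith makes: a wrong password against a live server must return `(False, "radius")` and stop there, while only an exhausted server list reaches the local account. Two caveats the thread does not cover: the MD5/XOR password hiding in RFC 2865 is not encryption, so plain RADIUS belongs on a trusted management network or inside RadSec (RADIUS over TLS, RFC 6614); and for WPA-Enterprise the AP would use EAP rather than PAP, but the accept/reject/no-answer decision is the same.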
Title: Re: RADIUS server - single point of failure?
Post by: snadge on November 28, 2021, 06:22:01 PM
It’s where you have a lot of users. If you need to manage multiple WAPs there are lots of proprietary solutions and also the standard that is CAPWAP. My WAPs support CAPWAP but they can be a CAPWAP admin controller and a normal WAP at the same time, unfortunately so you have to buy one extra at £400 [!]. I used to have a lot of WAPs but due to untimely death I’m now down to three: two in active use and (I think) there is a spare in Janet’s stores in case one fails. With that number it now isn’t worth my while doing CAPWAP.

I was just reading and learning about CAPWAP there on techtarget.com (https://www.techtarget.com/searchnetworking/definition/CAPWAP-Control-and-Provisioning-of-Wireless-Access-Points), which states, and I quote:

.."CAPWAP (Control and Provisioning of Wireless Access Points) is a protocol that enables an access controller (AC) to manage a collection of wireless termination points. ... Control messages contain information and instructions related to WLAN management, while Data messages encapsulate forwarded wireless frames." very interesting.

it's quite a good read, thanks for the direction.
Title: Re: RADIUS server - single point of failure?
Post by: Weaver on November 28, 2021, 07:46:45 PM
I mistyped that so that it made no sense and have now fixed it too late. It should have read "can not be a CAPWAP admin controller" and a normal WAP at the same time. The crucial "not" was missing. Apologies for the confusion. That’s why the WAPs are so expensive, they have a lot of business-oriented software. I don’t think that CAPWAP would suit me, might have been relevant when I had four WAPs but now not only are there only two, but the two are not the same, and I’m not sure if the CAPWAP admin software facilitates having multiple different configurations pushed into different APs.
Title: Re: RADIUS server - single point of failure?
Post by: burakkucat on November 28, 2021, 08:53:13 PM
It should have read "can not be a CAPWAP admin controller" and a normal WAP at the same time.

When I initially read your post, I now realise that I subconsciously inserted a "not" into the phrase . . .
Title: Re: RADIUS server - single point of failure?
Post by: snadge on November 29, 2021, 01:15:21 PM
I mistyped that so that it made no sense and have now fixed it too late. It should have read "can not be a CAPWAP admin controller" and a normal WAP at the same time. The crucial "not" was missing. Apologies for the confusion. That’s why the WAPs are so expensive, they have a lot of business-oriented software. I don’t think that CAPWAP would suit me, might have been relevant when I had four WAPs but now not only are there only two, but the two are not the same, and I’m not sure if the CAPWAP admin software facilitates having multiple different configurations pushed into different APs.

Don't worry about it, I'm just happy to learn something new related to networking and broadband/internet :)