Kitz ADSL Broadband Information
Author Topic: RADIUS server - single point of failure?  (Read 1932 times)

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
RADIUS server - single point of failure?
« on: November 01, 2021, 12:34:36 AM »

Is this true? Do corporates suffer from this weakness or is there a fix for it?
Logged

Reformed

  • Reg Member
  • ***
  • Posts: 318
Re: RADIUS server - single point of failure?
« Reply #1 on: November 17, 2021, 02:05:07 PM »

Use a series of authentication methods.

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Re: RADIUS server - single point of failure?
« Reply #2 on: November 18, 2021, 08:50:00 AM »

Is this true? Do corporates suffer from this weakness or is there a fix for it?

Depends what it's used for, but typically we would use two Radius servers. On network equipment we also have a local username/password, and the equipment is configured to only use local authentication if Radius (or TACACS) fails - that means no response from either server, not a login failure. So the local account can only be used if both Radius servers are down, or if the equipment is unable to reach them over the network.
Logged

Reformed

  • Reg Member
  • ***
  • Posts: 318
Re: RADIUS server - single point of failure?
« Reply #3 on: November 18, 2021, 01:56:31 PM »

Just looking at a deployment here: it uses OAuth via https://www.okta.com, TACACS+ (https://en.wikipedia.org/wiki/TACACS), RADIUS and a last-resort local login.

This allows Okta to use 2-factor authentication from anywhere to permit access, then the other methods for use from the internal network.

A frequent one is to use 2 RADIUS servers and alternate between them, with both reporting back to an accounting cluster. In case of failure of one everything fails over to the other.
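An added illustration of the failover policy described in the two replies above (aesmith's rule that only "no response", not a login failure, triggers the local account, and Reformed's ordered chain of methods). This is Python written for this page, not code from the thread; the RADIUS servers are simulated as callables, and every name and credential is constructed.

```python
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    ACCEPT = "accept"            # Access-Accept from a reachable server
    REJECT = "reject"            # Access-Reject from a reachable server
    NO_RESPONSE = "no-response"  # no answer at all: server down or unreachable


RemoteAuth = Callable[[str, str], Result]


def make_radius(users: Optional[Dict[str, str]]) -> RemoteAuth:
    """Simulated RADIUS server; users=None models a server that is down."""
    def auth(user: str, password: str) -> Result:
        if users is None:
            return Result.NO_RESPONSE
        return Result.ACCEPT if users.get(user) == password else Result.REJECT
    return auth


def authenticate(user: str, password: str,
                 remotes: List[Tuple[str, RemoteAuth]],
                 local_users: Dict[str, str],
                 trace: Optional[List[str]] = None) -> Tuple[bool, str]:
    """Return (allowed, deciding_source).

    Policy from the thread: a reject from any reachable server is final; only
    a missing response moves on to the next server; the local account is
    consulted only when every remote server failed to answer.
    """
    if trace is None:
        trace = []
    for name, remote in remotes:
        result = remote(user, password)
        trace.append(f"{name}: {result.value}")
        if result is Result.ACCEPT:
            return True, name
        if result is Result.REJECT:
            return False, name   # never fall through to local on a reject
    ok = local_users.get(user) == password
    trace.append(f"local: {'accept' if ok else 'reject'}")
    return ok, "local"


# Constructed sample data (hypothetical users, not real credentials).
DIRECTORY = {"janet": "printer-pw", "weaver": "wifi-pw"}
LOCAL = {"admin": "break-glass-pw"}
UP = make_radius(DIRECTORY)   # healthy server holding the replicated directory
DOWN = make_radius(None)      # server that never answers

if __name__ == "__main__":
    steps: List[str] = []
    print(authenticate("admin", "break-glass-pw",
                       [("radius1", DOWN), ("radius2", DOWN)], LOCAL, steps), steps)
```

With both servers up, the local "admin" account is rejected by radius1 and never reaches the local table; only when both report no response does the local login decide.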

snadge

  • Kitizen
  • ****
  • Posts: 1450
Re: RADIUS server - single point of failure?
« Reply #4 on: November 25, 2021, 12:51:34 AM »

Can I ask what it is you're talking about with RADIUS servers, operations, and what they are about, please?

I'm Intrigued!

if you don't mind that is :)

cheers
Logged
Aquiss - 900/110/16ms - TP-Link AR73

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: RADIUS server - single point of failure?
« Reply #5 on: November 25, 2021, 01:08:45 AM »

RADIUS servers provide login lookups. I’m thinking about using one for WPA with individual user logins and separate passwords instead of the common domestic WPA/PSK ie pre-shared key where there’s only one WLAN login password. It’s so that I can change the password for one user to lock them out without changing it for everyone and finding that for example Janet’s printer or TV stops working as the one and only password got changed. The WAPs themselves might be able to do RADIUS and possibly my FB2900 router may be able to as well, can’t remember. I’m concerned though about (1) single point of failure, and (2) single point delaying the network boot process - some things might want to be up before the RADIUS server is.

I’m hoping someone can tell me about them as I’ve never used one before, and what is normally done about the single point of failure badness.
Logged

snadge

  • Kitizen
  • ****
  • Posts: 1450
Re: RADIUS server - single point of failure?
« Reply #6 on: November 27, 2021, 02:00:56 PM »

RADIUS servers provide login lookups. I’m thinking about using one for WPA with individual user logins and separate passwords instead of the common domestic WPA/PSK ie pre-shared key where there’s only one WLAN login password. It’s so that I can change the password for one user to lock them out without changing it for everyone and finding that for example Janet’s printer or TV stops working as the one and only password got changed. The WAPs themselves might be able to do RADIUS and possibly my FB2900 router may be able to as well, can’t remember. I’m concerned though about (1) single point of failure, and (2) single point delaying the network boot process - some things might want to be up before the RADIUS server is.

I’m hoping someone can tell me about them as I’ve never used one before, and what is normally done about the single point of failure badness.

Ahh, that's interesting - so it's like a Wi-Fi management system for large Wi-Fi setups with multiple Access Points, is it?

Sorry I can't help with your questions; someone else should be able to help, I imagine, with the knowledgeable users on this forum.
« Last Edit: November 28, 2021, 06:02:46 PM by snadge »
Logged
Aquiss - 900/110/16ms - TP-Link AR73

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: RADIUS server - single point of failure?
« Reply #7 on: November 27, 2021, 11:07:11 PM »

It’s where you have a lot of users. If you need to manage multiple WAPs there are lots of proprietary solutions and also the standard that is CAPWAP. My WAPs support CAPWAP but they can not be a CAPWAP admin controller and a normal WAP at the same time, unfortunately so you have to buy one extra at £400 [!]. I used to have a lot of WAPs but due to untimely death I’m now down to three: two in active use and (I think) there is a spare in Janet’s stores in case one fails. With that number it now isn’t worth my while doing CAPWAP.
« Last Edit: November 28, 2021, 07:40:23 PM by Weaver »
Logged

meritez

  • Content Team
  • Kitizen
  • *
  • Posts: 1623
Re: RADIUS server - single point of failure?
« Reply #8 on: November 27, 2021, 11:55:19 PM »

You can have multiple radius servers, with database replication.

For example, Talktalk had three primary radius servers across the United Kingdom; there may be more now, as this is information from 2006.

Three is the minimum, as two can give split-brain, where both are operating at the same time.
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: RADIUS server - single point of failure?
« Reply #9 on: November 28, 2021, 06:03:12 AM »

I’m thinking about a system that is designed such that the first server that is up handles the RADIUS query; that way, if the system as a whole is booting, there’s no problem with the whole thing failing just because the boot order is wrong or some server isn’t up in time. The FB2900 boots in a lot less than 6 s iirc, I need to check that.
Logged

snadge

  • Kitizen
  • ****
  • Posts: 1450
Re: RADIUS server - single point of failure?
« Reply #10 on: November 28, 2021, 06:22:01 PM »

It’s where you have a lot of users. If you need to manage multiple WAPs there are lots of proprietary solutions and also the standard that is CAPWAP. My WAPs support CAPWAP but they can be a CAPWAP admin controller and a normal WAP at the same time, unfortunately so you have to buy one extra at £400 [!]. I used to have a lot of WAPs but due to untimely death I’m now down to three: two in active use and (I think) there is a spare in Janet’s stores in case one fails. With that number it now isn’t worth my while doing CAPWAP.

I was just reading and learning about CAPWAP there on techtarget.com, which states, and I quote:

.."CAPWAP (Control and Provisioning of Wireless Access Points) is a protocol that enables an access controller (AC) to manage a collection of wireless termination points. ... Control messages contain information and instructions related to WLAN management, while Data messages encapsulate forwarded wireless frames." very interesting.

it's quite a good read, thanks for the direction.
Logged
Aquiss - 900/110/16ms - TP-Link AR73

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: RADIUS server - single point of failure?
« Reply #11 on: November 28, 2021, 07:46:45 PM »

I mistyped that so that it made no sense and have now fixed it too late. It should have read "can not be a CAPWAP admin controller" and a normal WAP at the same time. The crucial "not" was missing. Apologies for the confusion. That’s why the WAPs are so expensive: they have a lot of business-oriented software. I don’t think that CAPWAP would suit me; it might have been relevant when I had four WAPs, but now not only are there only two, but the two are not the same, and I’m not sure if the CAPWAP admin software facilitates having multiple different configurations pushed into different APs.
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: RADIUS server - single point of failure?
« Reply #12 on: November 28, 2021, 08:53:13 PM »

It should have read "can not be a CAPWAP admin controller" and a normal WAP at the same time.

When I initially read your post, I now realise that I subconsciously inserted a "not" into the phrase . . .
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


snadge

  • Kitizen
  • ****
  • Posts: 1450
Re: RADIUS server - single point of failure?
« Reply #13 on: November 29, 2021, 01:15:21 PM »

I mistyped that so that it made no sense and have now fixed it too late. It should have read "can not be a CAPWAP admin controller" and a normal WAP at the same time. The crucial not was missing. Apologies for the confusion. That’s why the WAPs are so expensive, they have a lot of business-oriented software. I don’t think that CAPWAP would suit me, might have been relevant when I had four WAPs but now not only are there are only two, but the two are not the same, and I’m not sure if the CAPWAP admin software facilitates having multiple different configurations pushed into different APs.

Don't worry about it, I'm just happy to learn something new related to networking and broadband/internet  :)
Logged
Aquiss - 900/110/16ms - TP-Link AR73