Hi everyone! I'm looking to modernize our outdated wireless authentication system. Currently, we're working with an Active Directory (AD) server using Network Policy Server (NPS) and a standalone PKI for authenticating users based on VLAN assignments. Right now, we rely on PEAP-MSCHAPv2 since it avoids the hassle of local certificate installation for non-corporate devices, but I know this method has its drawbacks, like weak security and the need to disable certain features on our devices.
I want to find a solution that allows for seamless user management, VLAN assignment, and has robust logging capabilities without the reliance on machine certificates, which rules out options like EAP-TLS and EAP-TTLS. Ideally, it should be self-hosted, well-documented, easy to deploy via Docker, and support non-English languages. Also, I'm looking for support for IPv6, as our new management network doesn't handle native IPv4.
I've explored a few alternatives but found their limitations. For instance, FreeRADIUS seems complex and requires tinkering, while PacketFence is cumbersome with its dependencies. I've considered FreeIPA from Red Hat but have seen little documentation regarding its Docker deployment. I'd love to hear any recommendations or experiences you might have!
5 Answers
Honestly, keeping your AD could be the best course of action, especially if you're relying on Windows endpoints. Have you looked into Aruba Clearpass? It's robust and packed with features that could serve as a solid RADIUS replacement.
I’m currently researching Foxpass by Splashtop—it seems like a promising tool for addressing your needs. It might be worth checking out!
Have you thought about using a captive portal with a 365 Single Sign-On instead? It might alleviate some pain points with RADIUS, especially when users need to reset their passwords. A captive portal could prompt re-authentication regularly, making it easier for users to stay updated. For company devices, consider switching to certificate-based authentication instead.
You might be dismissing EAP-TLS a bit too soon. If your main concern is avoiding machine certificates on unmanaged devices, EAP-TLS can utilize user certificates as well. It can still work with NPS to provide VLAN assignment. Just keep in mind that you’d then need to manage the onboarding, issuance, and revocation of those certificates, especially for BYOD and external users.
We're running a hybrid setup using cloud-based PKI instead of RADIUS and it’s working great for us! I’d recommend exploring that path if you’re looking for something more streamlined.