Using RADIUS for WiFi Authentication Without Local DCs: What’s the Best Approach?

Asked By CuriousCat123 On

I'm part of a large organization with multiple sites, where all PCs are Active Directory (AD) joined, but our AD infrastructure is centralized in the main office. We have site-to-site VPN connections in place, and everything runs smoothly for PC authentication. But now we're thinking about implementing RADIUS for our WiFi authentication. My main concern is what happens if the VPN goes down; will WiFi authentication fail and consequently block access to local resources? Do we need to set up Domain Controllers (DCs) and RADIUS servers at every site as a solution, or is there a more efficient alternative that I'm overlooking?

5 Answers

Answered By NetNinja88 On

Consider setting up your RADIUS server in the cloud, like Azure. This way, if one site experiences an outage, the RADIUS auth won't be affected. Avoiding all that infrastructure overhead would definitely be beneficial too. If you don't already have the capability to set up multiple virtual machines at each location, using the cloud could be the best route.

VMExplorer77 -

Totally agree—using a SaaS option for RADIUS could save costs compared to self-hosting.

SkyWalker99 -

Good point! Azure RADIUS could be easy to set up and integrate.

Answered By CloudyDays67 On

If you're not getting the security you need from on-prem RADIUS, cloud RADIUS could lighten things up. Services like SecureW2 offer good options and you'd have added flexibility for authentication methods as well.

Answered By NACGuru On

It’s essential to distinguish between RADIUS as a protocol and NAC (Network Access Control) systems. RADIUS can sometimes be limited by VPN issues. If you look into NAC solutions, some platforms support local authentication mechanisms, reducing dependency on RADIUS during connectivity issues. Explore modern practices like SAML or OAuth for direct integration with your identity provider, which could streamline authentication significantly. Also, consider SCIM for user management without password dependencies.

Answered By WiFiWiz51 On

By the way, the ability to cache successful RADIUS authentications can depend on the WiFi technology you're using. Some vendors allow this feature, so even if the VPN drops, users who had previously authenticated can reconnect. However, you might also consider configuring VLAN assignments for users based on RADIUS availability. It could be handy to maintain some level of internet access during outages without compromising security too much.

LocalHero23 -

That could definitely soften the blow if something goes awry with the VPN.

VLANMaster12 -

Yeah, it sounds like a good compromise—keeping users connected with a guest VLAN while the main RADIUS is down.
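The caching and fallback-VLAN behaviour described in WiFiWiz51's answer, modelled as an added example (not part of the thread and not any vendor's implementation). The guest VLAN ID, cache lifetime, client names and the rule that an explicit reject purges the cache are assumptions of this sketch.

```python
import time
from dataclasses import dataclass, field
from enum import Enum

class Reply(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    TIMEOUT = "timeout"        # no answer: the server or the VPN path is down

GUEST_VLAN = 999               # assumed internet-only VLAN, no route to internal resources
CACHE_TTL = 8 * 3600           # assumed lifetime of a cached success, in seconds

@dataclass
class Authenticator:
    cache: dict = field(default_factory=dict)   # client id -> (vlan, expiry)

    def decide(self, client, replies, now=None):
        """replies: one (Reply, vlan) per configured RADIUS server, tried in order."""
        now = time.time() if now is None else now
        for reply, vlan in replies:
            if reply is Reply.ACCEPT:
                self.cache[client] = (vlan, now + CACHE_TTL)
                return ("allow", vlan, "radius")
            if reply is Reply.REJECT:
                # A reject is an answer, not an outage: drop any cached success
                # so a disabled account cannot ride the cache during a later outage.
                self.cache.pop(client, None)
                return ("deny", None, "radius")
            # TIMEOUT: fall through to the next configured server
        # Every server timed out, so this is an availability failure.
        cached = self.cache.get(client)
        if cached and cached[1] > now:
            return ("allow", cached[0], "cache")
        self.cache.pop(client, None)            # expired or never seen
        return ("allow", GUEST_VLAN, "fallback")

def demo():
    """Constructed scenario: the VPN drops after laptop-a has authenticated once."""
    ap = Authenticator()
    up = [(Reply.ACCEPT, 20)]
    down = [(Reply.TIMEOUT, None), (Reply.TIMEOUT, None)]
    return [
        ap.decide("laptop-a", up, now=0),                  # normal login
        ap.decide("laptop-a", down, now=3600),             # outage, cache still valid
        ap.decide("laptop-b", down, now=3600),             # outage, never seen before
        ap.decide("laptop-a", down, now=CACHE_TTL + 1),    # outage, cache expired
        ap.decide("laptop-a", [(Reply.TIMEOUT, None), (Reply.REJECT, None)], now=CACHE_TTL + 2),
    ]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The point to carry into a real controller configuration is the split between "no server answered" (cache or guest VLAN applies) and "a server said no" (nothing applies).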

Answered By TechieJoe83 On

You're on the right track! If the VPN goes down, your setup wouldn't know where to send RADIUS requests. A possible solution would be to look into cloud-based RADIUS services, which could provide more reliability for your 802.1X authentication without needing to deploy servers at each site. That could save a lot of hassle!

CloudWizard42 -

That's a solid idea! A cloud solution might make it easier, especially since you're already syncing AD users with 365 for email.

LocalGuru99 -

Exactly, I think relying on cloud RADIUS could be a strong backup plan.
