I’m looking for suggestions for easy to use software that can handle WIFI 802.1X certificate based authentications, and do secondary authentication lookups like OCSP revocation check, and checks in Active Directory for group membership or computer object enabled/disabled.
Currently I am using Microsoft NPS for this, and its great when it works, but when it doesn’t the logging feedback is abysmal and makes finding the root cause very frustrating.
I am aware that freeRadius exists, the package available in PFSense does not support the secondary authentication to active directory (best I could tell anyways). I gather from google this might be possible to build via manually editing configuration files, but I was hoping a more elegant solution exists already.
I am open to using a commercial solution as long as its not cost prohibitive for a non-profit/SMB type environment
Best of luck to you…
I wasn’t involved in this search, but other people at my corporation went searching for RADIUS and TACACS systems, because we need to replace our Cisco ACS. The options found were NPS (RADIUS only), Aruba Clearpass (RADIUS and TACACS), and Cisco ISE (RADIUS and TACACS). I have no idea about pricing for small businesses, but Clearpass and ISE are about the same price for what we need them to do.
Maybe there are other options out there I didn’t hear about because they aren’t suitable for a corporation of our size and network complexity.
Currently using NPS - the logging is nonexistent. It works but we don’t count on any great logs from it. So when there are issues you just kind of have to figure it out. I wish Microsoft would improve NPS as it’s built into Windows.
We are also an Okta customer - they do RADIUS as well. We are looking at moving to that for RADIUS but requires everyone to be part of your Okta org. That’s not always the case for some users who need RADIUS auth into services. They may only be in your AD directory.
I use Cisco ISE with cert based authentication and it works well, but be prepared to spend some time learning it.