Replcacing Cisco ACS with Freeradius for VPN auth.

pivertd

Hi,

I would like to replace an old cisco ACS server with a cheaper solution. (Freeradius seems OK for that)
We use cisco ACS server for :
- Mainly for Authenticating VPN connections (PSK)
- Authenticating routers logins (Not important, I'll probably remove that in future)

Should I use flat files to define the login/passwords, or is it better to user a DB such as mysql/postgress ?
How about redundancy ? Is there an easy way to get failover ? Should I use a hot standby database on the standby radius server ? (Postgress ?)

Personally, I would prefer to use flat files, as I have few login/passwords to keep. (Less than 60)

Does anybody got some experience/infos about this ?

Regards,

RinkyDinks_RJ · n00b Joined: 12 Aug 2003 Posts: 42

For that many users it's easier to keep flat files (imo).

For redundancy, did you have a redundant ACS? You could probably implement something easily with Linux Virtual Server Project.

pivertd · Posted: Mon Jun 13, 2005 12:22 pm Post subject:

Yes, I could... But it's not necessary, because I think we can give two radius servers to the cisco devices... So if one fail it will switch to the other one.
The main problem is for keeping both configs up to date. Actually, the best method would perhap's to use an ldap server, and use the replication given with ldap ?

Prompty · Apprentice Joined: 08 Feb 2004 Posts: 292

my config is pix + freeradius on linux ...

I don't know how failover would work but I am running the same radius for ages and never had any problems.
Then again I have every user as a system account (for mail, ftp and webpages).
I'm doing periodical backups (if that's real redundancy :]] )
_________________
<input stupid message here>

dj_farid · l33t Joined: 14 Jun 2004 Posts: 613

How did it go with this project?
I am in the same situation, looking for advice before I start.