Security Solutions

3-89
Designing Access Controls
Choose RADIUS Servers
In addition, the same network administrators control the policies at all sites.
Policies should be centralized, so network administrators consider using
either the multi-site fully centralized option or the multi-site distributed AAA
with centralized policies option.
To choose between the two options, the PCU network administrators ask the second question: are they concerned with minimizing traffic on WAN links? They are; the university WAN already suffers from congestion. Therefore the network administrators choose the multi-site distributed AAA option rather than the fully centralized option, which would carry every site's authentication traffic across the WAN.
Table 3-70 shows the result when the PCU network administrators combine their selections for the component combination and the access control architecture.

Table 3-70. RADIUS Server Locations for PCU

Access Control Component Combination:  General
Access Control Architecture:           Multi-site distributed AAA with centralized policies
RADIUS Server Devices:                 NAC 800s
RADIUS Server Location:                One or more at each site
Credential Repository:                 Directory service
Credential Repository Location:        Central site

Determine the Number of RADIUS Servers
You should now know which devices should provide RADIUS services and store credentials. You have also determined at which sites, in a multi-site network, the RADIUS servers should be located. Next, determine how many servers you must deploy.
Generally, it is best practice to use as few RADIUS servers as possible, and as you learned in the previous sections, centralizing policies is often desirable. However, your network might require multiple RADIUS servers for several reasons.
Providing Redundancy. Your network should have at least two RADIUS servers so that users can continue to log in even if a RADIUS server, or the connection to a RADIUS server, fails. If you have chosen an architecture that deploys RADIUS servers at each site, you might build in redundancy at each site.
Improving Performance. You must ensure that your RADIUS servers can handle the number of authentication requests they receive. Size for the peak rate rather than the average, because authentication requests cluster: many users arrive at the start of a class period, and a switch that recovers from an outage reauthenticates all of its ports at once.
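The redundancy point above expressed in switch terms, as an added example that is not from this guide: a ProCurve switch at one PCU site configured with two RADIUS servers (the site's NAC 800s in the distributed design), a dead-time so that a failed server does not delay every login, and local-account fallback for management access when no server answers. The IP addresses, shared secrets, and port range are placeholders; the lines beginning with `;` are explanatory comments in the style of a ProCurve configuration file and are not commands.

```text
; Two RADIUS servers at this site; the switch tries them in the order listed
radius-server host 10.1.1.10 key "site1-secret-A"
radius-server host 10.1.1.11 key "site1-secret-B"
; Give up on an unresponsive server after 3 attempts of 5 seconds each ...
radius-server timeout 5
radius-server retransmit 3
; ... and skip it for 10 minutes instead of timing out on every request
radius-server dead-time 10
; 802.1X on the user ports authenticates against RADIUS
aaa authentication port-access eap-radius
aaa port-access authenticator 1-24
aaa port-access authenticator active
; Management access: RADIUS first, local accounts only if no server responds
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
```

Two caveats. The `local` method is used only when the RADIUS servers do not respond, not when they reject a login, so it does not weaken the RADIUS policy. And if a site has only one NAC 800, the second `radius-server host` entry can point to a server at another site: logins then survive a local failure, but at the cost of the WAN traffic the distributed design was chosen to avoid, so that backup path should be the exception rather than the first choice.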