Designing Access Controls
Choose RADIUS Servers
In addition, the same network administrators control the policies at all sites. Policies should be centralized, so network administrators consider using either the
To choose between the two options, the PCU network administrators pose the second question: are they concerned with minimizing traffic on WAN links? They decide that they are; the university WAN has some trouble with conges- tion already. Therefore, the network administrators choose the
Table
Table 3-70. RADIUS Server Locations for PCU
Access Control | Access Control | RADIUS Server | RADIUS Server | Credential | Credential |
Component | Architecture | Devices | Location | Repository | Repository |
Combination |
|
|
|
| Location |
General | NAC 800s | One or more at | Directory service | Central site | |
| distributed AAA |
| each site |
|
|
| with centralized |
|
|
|
|
| policies |
|
|
|
|
|
|
|
|
|
|
Determine the Number of RADIUS Servers
You should now know which devices should provide RADIUS services and store credentials. You have also determined at which sites, in a
Generally, it is best practice to use as few RADIUS servers as possible, and as you learned in the previous sections, centralizing policies is often desirable. However, your network might require multiple RADIUS servers for several reasons.
Providing Redundancy. Your network should have at least two RADIUS servers so that users can continue to log in even if a RADIUS server, or the connection to a RADIUS server, fails. If you have chosen an architecture that deploys RADIUS servers at each site, you might build in redundancy at each site.
Improving Performance. You must ensure that your RADIUS server can handle the number of authentication requests that it receives.
