802.1x setup across WAN ?

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › 802.1x setup across WAN ?

fran1942

82 posts

Master Geek

Trusted

#147142 10-Jun-2014 13:14

Hello, a company has a number of branches around the country that all have their own Active directory domain controllers on their own networks.
If it were to implement wifi at each branch ,using 802.1x radius authentication what would be the best way to go about that?

i.e would you set up a separate NPS/Radius server at each branch to authenticate locally at each branch, or would you try and centralise 802.1x authentication by having all remote branch clients authenticate against a single centrally located NPS/Radius server ?
If you took the second option, then the remote wife users would be authenticating across the WAN. I don't know if that is considered good practice or not ?
Then again it would seem very messy to have each remote branch implement their own NPS/Radius setup ?

Having never done this before I am interested in what the best strategy would be.

Thanks for any advice.

Inphinity

2780 posts

Uber Geek
+1 received by user: 1184

#1062561 10-Jun-2014 13:21

Are the DCs all part of the same domain, or forest, or are they all standalone? If they're not standalone , you presumably have VPN tunnels between the sites? In the interests of not having the wifi rely on a WAN link, I would probably run NPS at each site, but there's no real reason (other than reliability / bandwidth / latency) that you couldn't do it via a VPN tunnel to a central NPS/RADIUS.

hashbrown

463 posts

Ultimate Geek
+1 received by user: 131

#1062578 10-Jun-2014 13:49

I would lean towards 2x centrally managed Radius servers, acting as primary and backup.