understanding FreeRADIUS

Alan DeKok aland at deployingradius.com
Fri Oct 17 09:04:43 CEST 2008


Tom D. Davidson wrote:
> Hello, I have some usage questions about FreeRADIUS that I am not
> finding answers for on the wiki.
> 
> Can FR:

  FreeRADIUS can put anything into any RADIUS packet.  The rest of your
questions are best answered by pointing to general RADIUS concepts:

	http://deployingradius.com/book/concepts/

  In short, if your NAS has those features, FreeRADIUS can tell the NAS
when and where to use those features.

> FR architecture:
> * Does being a WPA user make a difference to any of these questions?
> What about being a device rather than a user?

  If you are using WPA-PSK, then the NAS does not contact the RADIUS
server.  So dynamic policies are not possible.

  If you are using EAP, then FreeRADIUS supports whatever the NAS
implements.

> * Authorization policies are not "in" radius, but in the db or
> directory correct? So to change policy for a user or device, the
> change would be done through the data store and not through radius?

  See the "concepts" page for some discussion.  A database is... a
database, and not a policy engine.  FreeRADIUS implements a policy
language that can query databases, scripts, flat-text files...

> But the policy logic would need to exist in FR (i.e. modules?)? OR does
> the policy logic come from the data store as well?

  It comes from anywhere you need.

> * Is there an OS API or does all the direction come through the data store?

  ? OS API for... what?  The server comes with a policy language that
lets you pull information from custom SQL schemas.

> * Is there any reason why FR couldn't be used as an all encompassing
> NAC (for WAN)?

  No.

> * Do my questions clearly demonstrate that I do not understand FR? :)

  It's more "how RADIUS works".  RADIUS is the glue between dumb NASes
and dumb databases.

> FR 2.0:
> Is 2.0 a move to DIAMETER or is DIA not evolutionary?

  2.0 does not implement Diameter.  Diameter is used mainly in the 3GPP
world, by large telcos.  Almost no one else uses it.

> Is 2.0 recommended for production or should operators stick with 1.x?

  2.1.1 is widely used in production environments.  It makes 1.x look
like something out of the stone age.

  Alan DeKok.


