On 8/19/07, <b class="gmail_sendername">Peter Nixon</b> <<a href="mailto:listuser@peternixon.net">listuser@peternixon.net</a>> wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Sun 19 Aug 2007, Douglas Lane wrote:<br>> Hi All,<br>><br>> I have a little project for a small ISP that I would like to execute,<br>> however, am just wondering about the infrastructure.<br>><br>> Currently, the core radius server is hosted in a secure datacenter that
<br>> has ample bandwidth available.<br>><br>> Now the issue I have is the "cells" where the Cisco Concentrators are have<br>> slow links to the core radius server (these would be around 64 - 512kb).
<br>> Now I know that radius packets are small, however, the other issue is<br>> these links will be used for internet access aswell. Currently each router<br>> controlling the cell links have a VPN link over the internet to the core
<br>> radius server.<br>><br>> Now steps have been taken to enable QoS on these links so the VPN traffic<br>> gets highest priority, however, what I wanna ask is the following:<br>><br>> I'd like to "cache" the usernames and password (effectively radcheck and
<br>> radgroupcheck) on each cell network (each cell has a local RADIUS server<br>> that proxies the realm to the core radius server). This way, avoiding the<br>> possibility that the link may be to slow to auth the user and hence cause
<br>> a timeout, as well as in case the VPN link itself is down.<br>><br>> The other question I'd like to get your opinion on is I'd like to have<br>> accounting local to the cell's RADIUS server (for lookups from the Cisco),
<br>> but also have a way to replicate the accounting data to the core-radius<br>> server.<br>><br>> I've looked at use MySQL replication, but i feel its not sufficient for my<br>> requirements. Perhaps I'm wrong?
<br>><br>> Obviously, for this particular situation, I'd like to only "cache" the<br>> radcheck and radgroupcheck information for valid accounts in the that<br>> cell. I don't really want to have every cell's users part of the the other
<br>> cell's. Obviously the idea is if the local RADIUS can't auth the use on<br>> itself, it must peer to the next available RADIUS server (core radius).<br>><br>> Hope I've been as descriptive as possible.
<br>><br>> I appreciate the help.<br><br>Use an LDAP backend for authentication and just replicate the parts of the<br>tree you need to each remote POP. Use radrelay (or even direct proxying) to<br>push your accounting records back to your central radius..
<br><br>--<br><br>Peter Nixon<br><a href="http://peternixon.net/">http://peternixon.net/</a><br>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html
</a></blockquote><div><br>Hi Peter,<br><br>Thanks for the reply. Already started setting up my LDAP directory here.<br><br>I just wanted to confirm something:<br><br>I can use rlm_ldap for authentication and authorization and the rlm_sql for accounting? (need simultaneous support here).
<br><br>Also when it comes to "peering" the authentication, I'd imagine I'd define a pool of ldap servers. the first being my local radius for the POP, then the next ldap in the heirachy?<br><br>Also, last question I have is, my users will have at times multiple services available to them (like Shaped/Unshaped ADSL and Hotspot access). In this case, would I have to add multiple users to the organizationalUnit controlling my POP, with different reply messages if the auth is accepted?
<br><br>Or could I have a single entry for my user, say <a href="mailto:myuser@example.com">myuser@example.com</a> and under neath that, have multiple services assigned with the correct reply messages show auth succeed? I'd imagine in this case i would have a multiple entries of the same username and password as the parent uid entry, however, with different reply messages?
<br></div><br>Thanks again for the help<br><br>Thanks<br>Doug<br></div>