On 8/19/07, Peter Nixon <listuser@peternixon.net> wrote:
On Sun 19 Aug 2007, Douglas Lane wrote:
> Hi All,
>
> I have a little project for a small ISP that I would like to execute,
> however, am just wondering about the infrastructure.
>
> Currently, the core radius server is hosted in a secure datacenter that
> has ample bandwidth available.
>
> Now the issue I have is the "cells" where the Cisco Concentrators are have
> slow links to the core radius server (these would be around 64 - 512kb).
> Now I know that radius packets are small, however, the other issue is
> these links will be used for internet access aswell. Currently each router
> controlling the cell links have a VPN link over the internet to the core
> radius server.
>
> Now steps have been taken to enable QoS on these links so the VPN traffic
> gets highest priority, however, what I wanna ask is the following:
>
> I'd like to "cache" the usernames and password (effectively radcheck and
> radgroupcheck) on each cell network (each cell has a local RADIUS server
> that proxies the realm to the core radius server). This way, avoiding the
> possibility that the link may be to slow to auth the user and hence cause
> a timeout, as well as in case the VPN link itself is down.
>
> The other question I'd like to get your opinion on is I'd like to have
> accounting local to the cell's RADIUS server (for lookups from the Cisco),
> but also have a way to replicate the accounting data to the core-radius
> server.
>
> I've looked at use MySQL replication, but i feel its not sufficient for my
> requirements. Perhaps I'm wrong?
>
> Obviously, for this particular situation, I'd like to only "cache" the
> radcheck and radgroupcheck information for valid accounts in the that
> cell. I don't really want to have every cell's users part of the the other
> cell's. Obviously the idea is if the local RADIUS can't auth the use on
> itself, it must peer to the next available RADIUS server (core radius).
>
> Hope I've been as descriptive as possible.
>
> I appreciate the help.

Use an LDAP backend for authentication and just replicate the parts of the
tree you need to each remote POP. Use radrelay (or even direct proxying) to
push your accounting records back to your central radius..

--

Peter Nixon
http://peternixon.net/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Hi Peter,

Thanks for the reply. Already started setting up my LDAP directory here.

I just wanted to confirm something:

I can use rlm_ldap for authentication and authorization and the rlm_sql for accounting? (need simultaneous support here).

Also when it comes to "peering" the authentication, I'd imagine I'd define a pool of ldap servers. the first being my local radius for the POP, then the next ldap in the heirachy?

Also, last question I have is, my users will have at times multiple services available to them (like Shaped/Unshaped ADSL and Hotspot access). In this case, would I have to add multiple users to the organizationalUnit controlling my POP, with different reply messages if the auth is accepted?

Or could I have a single entry for my user, say myuser@example.com and under neath that, have multiple services assigned with the correct reply messages show auth succeed? I'd imagine in this case i would have a multiple entries of the same username and password as the parent uid entry, however, with different reply messages?

Thanks again for the help

Thanks
Doug