Design question - proxying RADIUS auth request to a backend webservice
Hi, I'm looking for some input from the experts to help validate a solution approach that I've come up with. The problem I'm trying to solve is that allow NAS equipment and other RADIUS clients to authenticate users against a proprietary authentication service that uses REST APIs over HTTP. The solution that I've put together is to use rlm_perl which allows me to use standard Perl modules to interact with the authentication service. I'm pretty happy with the results so far in that I am able to build exactly what I need and authentication against the webservice works just fine. The question to the list, are there other solution approaches that might be better? Any significant disadvantages to using rlm_perl as I've described? Would it be better to write a custom module instead, hoping that by doing so there may be some performance improvements? Any input is greatly appreciated. Walter Goulet
Hi,
The question to the list, are there other solution approaches that might be better? Any significant disadvantages to using rlm_perl as I've described? Would it be better to write a custom module instead, hoping that by doing so there may be some performance improvements?
PERL method should be fine...the alternative is the latest HEAD (3.x) pre-release code which actually has an rlm_rest module (so no writing of a module to be done!) alan
Oh wow; that's even cooler! I'll give that module a shot. Thanks! On Sun, Feb 17, 2013 at 4:12 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
The question to the list, are there other solution approaches that might be better? Any significant disadvantages to using rlm_perl as I've described? Would it be better to write a custom module instead, hoping that by doing so there may be some performance improvements?
PERL method should be fine...the alternative is the latest HEAD (3.x) pre-release code which actually has an rlm_rest module (so no writing of a module to be done!)
alan
Walter Goulet wrote:
I'm looking for some input from the experts to help validate a solution approach that I've come up with. The problem I'm trying to solve is that allow NAS equipment and other RADIUS clients to authenticate users against a proprietary authentication service that uses REST APIs over HTTP.
That works... provided that the backend is fast.
The solution that I've put together is to use rlm_perl which allows me to use standard Perl modules to interact with the authentication service. I'm pretty happy with the results so far in that I am able to build exactly what I need and authentication against the webservice works just fine.
That's the real test: it works.
The question to the list, are there other solution approaches that might be better? Any significant disadvantages to using rlm_perl as I've described? Would it be better to write a custom module instead, hoping that by doing so there may be some performance improvements?
In git "master" there's an rlm_rest module. That *might* be higher performance. But if it works, don't touch it until there are issues. Alan DeKok.
On Sun, Feb 17, 2013 at 11:05 PM, Walter Goulet <wgoulet@gmail.com> wrote:
I'm looking for some input from the experts to help validate a solution approach that I've come up with. The problem I'm trying to solve is that allow NAS equipment and other RADIUS clients to authenticate users against a proprietary authentication service that uses REST APIs over HTTP.
The solution that I've put together is to use rlm_perl which allows me to use standard Perl modules to interact with the authentication service. I'm pretty happy with the results so far in that I am able to build exactly what I need and authentication against the webservice works just fine.
The question to the list, are there other solution approaches that might be better? Any significant disadvantages to using rlm_perl as I've described? Would it be better to write a custom module instead, hoping that by doing so there may be some performance improvements?
Any input is greatly appreciated.
Not exactly your case, but. Here is my story. I had a need to proxy/convert DHCP requests from equipment (and later - end user's routers/computers (I worked @ISP)) to RADIUS. First version was using FreeRADIUS's rlm_perl for handling incoming DHCP requests and it did work pretty cool, while sometimes it had problems with duplicated requests, didn't scale well (probably my fault, but I didn't wish to find this out) and so on, so I analyzed request patterns, read RFC 2131, and reimplemented DHCP server on pure perl, without using FreeRADIUS's DHCP feature. As a backend RADIUS client (to connect to closed source commercial billing system) I used Authen::Radius first (leftover from quick-n-dirty rlm_perl version), but it didn't work well for me and was not powerful enough, so I used Net::Radius::Packet/Net::Radius::Dictionary and implemented stripped down radius client myself. So, as for your question, besides using rlm_rest (which is devel as of now, as I understand) you may try writing stripped down RADIUS server combined with REST client for your auth service. But for that you either have to reimplement full radius server (which is not an option, I think), or implement just a subset, which works only for your specific equipment. It may be an option. Cheers, Just my $0.02. -- Alexandr Kovalenko http://uafug.org.ua/
Thanks for your input; your descriptions of limitations you ran into is helpful. I think I will stick with using rlm_perl for now; I definitely don't want to tackle writing my own stripped down RADIUS server. If performance or scale become problems I will investigate other options at that time. On Sun, Feb 17, 2013 at 5:35 PM, Alexandr Kovalenko < alexandr.kovalenko@gmail.com> wrote:
On Sun, Feb 17, 2013 at 11:05 PM, Walter Goulet <wgoulet@gmail.com> wrote:
I'm looking for some input from the experts to help validate a solution approach that I've come up with. The problem I'm trying to solve is that allow NAS equipment and other RADIUS clients to authenticate users against a proprietary authentication service that uses REST APIs over HTTP.
The solution that I've put together is to use rlm_perl which allows me to use standard Perl modules to interact with the authentication service. I'm pretty happy with the results so far in that I am able to build exactly what I need and authentication against the webservice works just fine.
The question to the list, are there other solution approaches that might be better? Any significant disadvantages to using rlm_perl as I've described? Would it be better to write a custom module instead, hoping that by doing so there may be some performance improvements?
Any input is greatly appreciated.
Not exactly your case, but. Here is my story.
I had a need to proxy/convert DHCP requests from equipment (and later - end user's routers/computers (I worked @ISP)) to RADIUS.
First version was using FreeRADIUS's rlm_perl for handling incoming DHCP requests and it did work pretty cool, while sometimes it had problems with duplicated requests, didn't scale well (probably my fault, but I didn't wish to find this out) and so on, so I analyzed request patterns, read RFC 2131, and reimplemented DHCP server on pure perl, without using FreeRADIUS's DHCP feature. As a backend RADIUS client (to connect to closed source commercial billing system) I used Authen::Radius first (leftover from quick-n-dirty rlm_perl version), but it didn't work well for me and was not powerful enough, so I used Net::Radius::Packet/Net::Radius::Dictionary and implemented stripped down radius client myself.
So, as for your question, besides using rlm_rest (which is devel as of now, as I understand) you may try writing stripped down RADIUS server combined with REST client for your auth service. But for that you either have to reimplement full radius server (which is not an option, I think), or implement just a subset, which works only for your specific equipment. It may be an option.
Cheers,
Just my $0.02.
-- Alexandr Kovalenko http://uafug.org.ua/
On 17 Feb 2013, at 18:38, Walter Goulet <wgoulet@gmail.com> wrote:
Thanks for your input; your descriptions of limitations you ran into is helpful. I think I will stick with using rlm_perl for now; I definitely don't want to tackle writing my own stripped down RADIUS server. If performance or scale become problems I will investigate other options at that time.
The only way rlm_rest gets out development is if people test it and contribute to it. I'm willing to put the effort in to extend it and fix any issues if people are willing to test it and make suggestions. -Arran
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Alexandr Kovalenko -
Arran Cudbard-Bell -
Walter Goulet