FreeRADIUS question

Peter Nixon listuser at peternixon.net
Sun Aug 19 18:09:56 CEST 2007


On Sun 19 Aug 2007, Douglas Lane wrote:
> Hi All,
>
> I have a little project for a small ISP that I would like to execute,
> however, am just wondering about the infrastructure.
>
> Currently, the core radius server is hosted in a secure datacenter that
> has ample bandwidth available.
>
> Now the issue I have is the "cells" where the Cisco Concentrators are have
> slow links to the core radius server (these would be around 64 - 512kb).
> Now I know that radius packets are small, however, the other issue is
> these links will be used for internet access as well. Currently each router
> controlling the cell links has a VPN link over the internet to the core
> radius server.
>
> Now steps have been taken to enable QoS on these links so the VPN traffic
> gets highest priority, however, what I want to ask is the following:
>
> I'd like to "cache" the usernames and passwords (effectively radcheck and
> radgroupcheck) on each cell network (each cell has a local RADIUS server
> that proxies the realm to the core radius server). This way, avoiding the
> possibility that the link may be too slow to auth the user and hence cause
> a timeout, as well as in case the VPN link itself is down.
>
> The other question I'd like to get your opinion on is I'd like to have
> accounting local to the cell's RADIUS server (for lookups from the Cisco),
> but also have a way to replicate the accounting data to the core-radius
> server.
>
> I've looked at using MySQL replication, but I feel it's not sufficient for my
> requirements. Perhaps I'm wrong?
>
> Obviously, for this particular situation, I'd like to only "cache" the
> radcheck and radgroupcheck information for valid accounts in that
> cell. I don't really want to have every cell's users part of the other
> cell's. Obviously the idea is if the local RADIUS can't auth the user on
> itself, it must peer to the next available RADIUS server (core radius).
>
> Hope I've been as descriptive as possible.
>
> I appreciate the help.

Use an LDAP backend for authentication and just replicate the parts of the 
tree you need to each remote POP. Use radrelay (or even direct proxying) to 
push your accounting records back to your central radius.

-- 

Peter Nixon
http://peternixon.net/
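The layout asked about above (local auth first, proxy to the core only when the user is not known locally, accounting kept locally and spooled back to the core) expressed as a FreeRADIUS cell-server configuration. This is an added illustration written for this page, not configuration from the thread or from the FreeRADIUS project; it uses FreeRADIUS 2.x syntax (home_server / home_server_pool / realm and unlang), whereas the 1.x servers of 2007 used the older proxy.conf realm format and the stand-alone radrelay binary. The IP address, shared secret, realm name and pool name are placeholders.

```conf
# --- proxy.conf on the cell RADIUS server --------------------------------
# One home server (the core, reached over the cell's VPN), in a fail-over
# pool. Address and secret are placeholders, not values from the thread.
home_server core_radius {
	type            = auth+acct
	ipaddr          = 10.0.0.1
	port            = 1812
	secret          = change-this-shared-secret
	# Notice a dead VPN link from Status-Server probes instead of
	# timing out request by request.
	response_window = 5
	zombie_period   = 20
	status_check    = status-server
	check_interval  = 30
	revive_interval = 120
}

home_server_pool core_pool {
	type        = fail-over
	home_server = core_radius
}

realm core {
	auth_pool = core_pool
	acct_pool = core_pool
	nostrip                 # forward the full User-Name to the core
}

# --- sites-enabled/default on the cell RADIUS server ---------------------
authorize {
	preprocess
	# Look the user up in the local LDAP replica (only this cell's
	# subtree is replicated here). A user missing from the replica is
	# proxied to the core; a user present here is answered locally.
	ldap
	if (notfound) {
		update control {
			Proxy-To-Realm := "core"
		}
	}
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type LDAP {
		ldap
	}
}

accounting {
	# Local copy of every record for the concentrator's lookups ...
	sql
	# ... and a detail file that queues records on disk while the VPN
	# is down; a detail-file reader replays them to the core later.
	detail
}

# --- clients.conf on the core RADIUS server -------------------------------
# Only the cell servers, each with its own secret; the concentrators
# themselves never talk to the core directly.
client cell1 {
	ipaddr = 10.0.1.2           # placeholder: cell 1 RADIUS server
	secret = cell1-own-secret
	shortname = cell1
}
```

Two points worth checking in a deployment like this. First, the replica is a credential cache: replicate only the cell's own subtree, use a replication account that can read nothing else, and keep the userPassword attribute out of anything a cell does not need (with a hashed password in LDAP only PAP works locally, so the authentication method on the concentrator has to match what the replica can verify). Second, the detail file is what makes the accounting replication safe across an outage: in 1.x the radrelay program reads it and replays the records to the core, in 2.x the same job is done by a second virtual server that reads the detail file (the stock copy-acct-to-home-server example), and in both cases the records keep accumulating locally until the core acknowledges them, which is something plain MySQL replication over a flapping 64 kb/s VPN does not give you.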