FreeRADIUS question

Douglas Lane dougsterlster at gmail.com
Sun Aug 19 22:25:57 CEST 2007


On 8/19/07, Peter Nixon <listuser at peternixon.net> wrote:
>
> On Sun 19 Aug 2007, Douglas Lane wrote:
> > Hi All,
> >
> > I have a little project for a small ISP that I would like to execute,
> > however, am just wondering about the infrastructure.
> >
> > Currently, the core radius server is hosted in a secure datacenter that
> > has ample bandwidth available.
> >
> > Now the issue I have is the "cells" where the Cisco Concentrators are have
> > slow links to the core radius server (these would be around 64 - 512kb).
> > Now I know that radius packets are small, however, the other issue is
> > these links will be used for internet access as well. Currently each router
> > controlling the cell links has a VPN link over the internet to the core
> > radius server.
> >
> > Now steps have been taken to enable QoS on these links so the VPN traffic
> > gets highest priority, however, what I wanna ask is the following:
> >
> > I'd like to "cache" the usernames and password (effectively radcheck and
> > radgroupcheck) on each cell network (each cell has a local RADIUS server
> > that proxies the realm to the core radius server). This way, avoiding the
> > possibility that the link may be too slow to auth the user and hence cause
> > a timeout, as well as in case the VPN link itself is down.
> >
> > The other question I'd like to get your opinion on is I'd like to have
> > accounting local to the cell's RADIUS server (for lookups from the Cisco),
> > but also have a way to replicate the accounting data to the core-radius
> > server.
> >
> > I've looked at using MySQL replication, but I feel it's not sufficient for my
> > requirements. Perhaps I'm wrong?
> >
> > Obviously, for this particular situation, I'd like to only "cache" the
> > radcheck and radgroupcheck information for valid accounts in that
> > cell. I don't really want to have every cell's users part of the other
> > cell's. Obviously the idea is if the local RADIUS can't auth the user on
> > itself, it must peer to the next available RADIUS server (core radius).
> >
> > Hope I've been as descriptive as possible.
> >
> > I appreciate the help.
>
> Use an LDAP backend for authentication and just replicate the parts of the
> tree you need to each remote POP. Use radrelay (or even direct proxying) to
> push your accounting records back to your central radius..
>
> --
>
> Peter Nixon
> http://peternixon.net/


Hi Peter,

Thanks for the reply. Already started setting up my LDAP directory here.

I just wanted to confirm something:

I can use rlm_ldap for authentication and authorization and the rlm_sql for
accounting? (need simultaneous support here).

Also, when it comes to "peering" the authentication, I'd imagine I'd define a
pool of LDAP servers, the first being my local radius for the POP, then the
next LDAP in the hierarchy?

Also, last question I have is, my users will have at times multiple services
available to them (like Shaped/Unshaped ADSL and Hotspot access). In this
case, would I have to add multiple users to the organizationalUnit
controlling my POP, with different reply messages if the auth is accepted?

Or could I have a single entry for my user, say myuser at example.com, and
underneath that have multiple services assigned with the correct reply messages
should auth succeed? I'd imagine in this case I would have multiple entries
with the same username and password as the parent uid entry, however, with
different reply messages?

Thanks again for the help

Thanks
Doug
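A configuration sketch for the POP server discussed in this thread, added here as an example and not taken from the list or from FreeRADIUS's own distribution: local LDAP for authorize/authenticate, local SQL for accounting, and RADIUS-level proxying to the core only for users the POP's replicated subtree does not contain. It assumes FreeRADIUS 2.x unlang syntax and uses placeholder addresses, secrets and realm names; shipping the accounting records back to the core (radrelay or a second proxy hop) is not shown.

```conf
# proxy.conf (FreeRADIUS 2.x syntax, assumed): the core server behind the VPN
home_server core_radius {
    type            = auth+acct
    ipaddr          = 10.0.0.1               # placeholder: core RADIUS address
    port            = 1812
    secret          = PLACEHOLDER_SHARED_SECRET
    response_window = 10                     # tolerate the slow 64-512kb link
    zombie_period   = 30
    status_check    = status-server          # notice when the VPN link is down
    check_interval  = 30
}

home_server_pool core_pool {
    type        = fail-over
    home_server = core_radius
}

# A realm used purely as a proxy target; it is not tied to a user's domain.
realm core {
    auth_pool = core_pool
    nostrip
}

# sites-enabled/default (relevant sections only)
authorize {
    preprocess
    # Look the user up in the POP's locally replicated LDAP subtree first.
    ldap
    # rlm_ldap returns notfound when the DN does not exist in this subtree;
    # only those requests are sent over the link to the core server.
    if (notfound) {
        update control {
            Proxy-To-Realm := "core"
        }
    }
}

authenticate {
    # Bind-based check against the local LDAP; proxied requests never get here.
    Auth-Type LDAP {
        ldap
    }
}

accounting {
    # Accounting stays local so the Cisco can query the POP's own SQL tables.
    sql
}
```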