FreeRADIUS question

Peter Nixon listuser at peternixon.net
Mon Aug 20 10:04:16 CEST 2007


On Sun 19 Aug 2007, Douglas Lane wrote:
> On 8/19/07, Peter Nixon <listuser at peternixon.net> wrote:
> > On Sun 19 Aug 2007, Douglas Lane wrote:
> > > Hi All,
> > >
> > > I have a little project for a small ISP that I would like to execute,
> > > however, am just wondering about the infrastructure.
> > >
> > > Currently, the core radius server is hosted in a secure datacenter
> > > that has ample bandwidth available.
> > >
> > > Now the issue I have is the "cells" where the Cisco Concentrators are
> >
> > have
> >
> > > slow links to the core radius server (these would be around 64 -
> > > 512kb). Now I know that radius packets are small, however, the other
> > > issue is these links will be used for internet access aswell.
> > > Currently each
> >
> > router
> >
> > > controlling the cell links have a VPN link over the internet to the
> > > core radius server.
> > >
> > > Now steps have been taken to enable QoS on these links so the VPN
> >
> > traffic
> >
> > > gets highest priority, however, what I wanna ask is the following:
> > >
> > > I'd like to "cache" the usernames and password (effectively radcheck
> > > and radgroupcheck) on each cell network (each cell has a local RADIUS
> > > server that proxies the realm to the core radius server). This way,
> > > avoiding
> >
> > the
> >
> > > possibility that the link may be to slow to auth the user and hence
> >
> > cause
> >
> > > a timeout, as well as in case the VPN link itself is down.
> > >
> > > The other question I'd like to get your opinion on is I'd like to have
> > > accounting local to the cell's RADIUS server (for lookups from the
> >
> > Cisco),
> >
> > > but also have a way to replicate the accounting data to the
> > > core-radius server.
> > >
> > > I've looked at use MySQL replication, but i feel its not sufficient
> > > for
> >
> > my
> >
> > > requirements. Perhaps I'm wrong?
> > >
> > > Obviously, for this particular situation, I'd like to only "cache" the
> > > radcheck and radgroupcheck information for valid accounts in the that
> > > cell. I don't really want to have every cell's users part of the the
> >
> > other
> >
> > > cell's. Obviously the idea is if the local RADIUS can't auth the use
> > > on itself, it must peer to the next available RADIUS server (core
> > > radius).
> > >
> > > Hope I've been as descriptive as possible.
> > >
> > > I appreciate the help.
> >
> > Use an LDAP backend for authentication and just replicate the parts of
> > the tree you need to each remote POP. Use radrelay (or even direct
> > proxying) to
> > push your accounting records back to your central radius..
> >
> > --
> >
> > Peter Nixon
> > http://peternixon.net/
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
> Hi Peter,
>
> Thanks for the reply. Already started setting up my LDAP directory here.
>
> I just wanted to confirm something:
>
> I can use rlm_ldap for authentication and authorization and the rlm_sql
> for accounting? (need simultaneous support here).

Sure. You can even have multiple LDAP and SQL servers used for AuthX and 
multiple SQL servers used for Acct if you wish.

> Also when it comes to "peering" the authentication, I'd imagine I'd define
> a pool of ldap servers. the first being my local radius for the POP, then
> the next ldap in the heirachy?

If you wish. LDAP also has the capability to refer to other LDAP servers in a 
hieracy..Or you could proxy the radius request to a parent RADIUS server if 
the local one cant service it.. Depends on how you prefer to solve the 
problem

> Also, last question I have is, my users will have at times multiple
> services available to them (like Shaped/Unshaped ADSL and Hotspot access).
> In this case, would I have to add multiple users to the organizationalUnit
> controlling my POP, with different reply messages if the auth is accepted?
>
> Or could I have a single entry for my user, say myuser at example.com and
> under neath that, have multiple services assigned with the correct reply
> messages show auth succeed? I'd imagine in this case i would have a
> multiple entries of the same username and password as the parent uid
> entry, however, with different reply messages?

You can selectively return attributes from both ldap and sql as you can 
modify the query.. Thats why we don't hard code queries :-)

> Thanks again for the help

You're welcome

-- 

Peter Nixon
http://peternixon.net/



More information about the Freeradius-Users mailing list