Cloud Radius Server
Michael Geary
mgeary at greataukwireless.com
Thu Sep 27 16:34:14 CEST 2012
Thank you all for your input.
I would be managing the Radius servers hosted by like HostGator or
Rackspace or someone like that.
On Thu, Sep 27, 2012 at 4:39 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 09/26/2012 11:42 PM, Michael Geary wrote:
>
>> Good Evening,
>>
>> We have several separate networks. Our main network runs PPPoE while all
>> of the others run over DHCP. I would like to migrate the DHCP networks
>> to use PPPoE.
>>
>
> I assume these are Ethernet-over-ADSL lines and you want to move away from
> static DSLAM port config, and to @isp.com dynamic routing?
>
>
We are a fixed-terrestrial wireless internet service provider.
>
>
>> Currently, our Radius server resides at the head end of our PPPoE
>> network. I would like to remove the chance that if the Internet failed
>> there, that no one on the separate networks would be able to authenticate.
>>
>
> So the other networks have separate internet connectivity?
>
>
Yes, they are located throughout Vermont, New Hampshire and Massachusetts.
>
>
>> Has anyone had any experience with using a Radius server in the cloud to
>> authenticate users?
>>
>
> Personally, I'd never do it. FreeRADIUS performs well on commodity
> hardware, so just build more RADIUS servers and put them in various
> locations e.g. one in each remote location. Presumably you have DHCP
> servers in those locations now - the same hardware would probably suffice,
> since the load should be approximately the same.
>
> However, as Fajar says, if you want to "cloud" it there's nothing magic -
> RADIUS is just UDP/IP packets, so running it in the cloud should work fine.
>
> Couple of things to watch out for:
>
> 1. RADIUS shared-secrets are keyed off source IP and destination IP/port.
> We occasionally see people who've painted themselves into a corner with
> NAT, or NASes on dynamic, unknown-prior IPs. Think carefully about how
> you'll avoid this issue, particularly if your NASes are on private IPs.
>
> This is not usually a problem over an internal network.
>
> 2. Normal radius doesn't encrypt (but does sign) the entire packet. Only
> selected fields like "User-Password" (and EAP payloads that are encrypted
> by the EAP method). Decide if you care about this - the RADIUS packet will
> contain things like user names, MAC addresses and so on, and they'll be
> flowing over an untrusted network. It's probably not a worry, but in the EU
> at least, I'd be concerned about data protection.
>
> In theory you can solve this with RADSEC. In practice, virtually no NAS
> supports RADSEC, so you are left with IPSec or some other VPN as an option,
> or just live with it.
>
>
Thank you. I was thinking of connecting them to the internal networks via
OpenVPN or IPSec.
> Likewise, not usually a problem over an internal network.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
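The two cautions quoted above (the shared secret is selected by the NAS's source IP, and only User-Password is hidden while the rest of the packet is merely signed) can be seen directly in a minimal RFC 2865 Access-Request/Accept exchange. This is an added example, not code from the thread or from FreeRADIUS; the client table, the user, the site secrets and the addresses are constructed, and `exchange()` stands in for a NAS talking to a server.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed server-side tables (hypothetical sites, not from the thread).
# The secret is looked up by the NAS's source IP: under NAT, or with NASes on
# dynamic addresses, several NASes can collapse onto one source IP and one secret.
CLIENTS = {
    "198.51.100.10": b"vt-site-secret",
    "198.51.100.20": b"nh-site-secret",
}
USERS = {b"alice": b"wonderland"}

def _encode_attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(packet):
    """Attributes of a RADIUS packet; anyone on the path can read these, no secret needed."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, i = [], 20
    while i < length:
        atype, alen = packet[i], packet[i + 1]
        if alen < 2:
            break                            # malformed attribute, stop rather than loop forever
        attrs.append((atype, packet[i + 2:i + alen]))
        i += alen
    return attrs

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    pad_len = -len(password) % 16 if password else 16
    padded = password + b"\x00" * pad_len
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; with the wrong secret this yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(identifier, username, password, secret):
    """NAS side. Only User-Password is hidden; User-Name travels in the clear."""
    authenticator = os.urandom(16)           # Request Authenticator: random per request
    attrs = _encode_attr(ATTR_USER_NAME, username)
    attrs += _encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def _response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """RFC 2865 s3: MD5 over the whole reply plus the secret, so the reply is signed."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()

def build_response(code, request, secret, attrs=b""):
    sig = _response_authenticator(code, request[1], attrs, request[4:20], secret)
    return struct.pack("!BBH", code, request[1], 20 + len(attrs)) + sig + attrs

def verify_response(response, request, secret):
    """NAS side: recompute the Response Authenticator and compare in constant time."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    expected = _response_authenticator(code, identifier, response[20:length], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])

def server_handle(packet, source_ip):
    """Server side: pick the secret by source IP, check the user, sign the reply.
    Returns (recovered_password, reply); (None, None) if the source IP is not a known client."""
    secret = CLIENTS.get(source_ip)
    if secret is None:
        return None, None                    # unknown client: logged and ignored, as FreeRADIUS does
    attrs = dict(parse_attrs(packet))
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, packet[4:20])
    code = ACCESS_ACCEPT if USERS.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    return password, build_response(code, packet, secret)

def exchange(source_ip, nas_secret, username, password):
    """One round trip. source_ip is what the server sees, which under NAT is not the NAS itself."""
    request = build_access_request(7, username, password, nas_secret)
    on_wire = dict(parse_attrs(request))
    recovered, reply = server_handle(request, source_ip)
    return {
        "username_on_wire": on_wire[ATTR_USER_NAME],                   # readable without the secret
        "password_on_wire": on_wire[ATTR_USER_PASSWORD] == password,   # never the cleartext
        "server_recovered": recovered,
        "accepted": reply is not None and reply[0] == ACCESS_ACCEPT,
        "reply_verified": reply is not None and verify_response(reply, request, nas_secret),
    }

if __name__ == "__main__":
    print(exchange("198.51.100.10", b"vt-site-secret", b"alice", b"wonderland"))  # matching secret
    print(exchange("198.51.100.10", b"nh-site-secret", b"alice", b"wonderland"))  # NAT'd NAS, wrong secret
    print(exchange("203.0.113.9", b"vt-site-secret", b"alice", b"wonderland"))    # unknown client IP
```

The second call models the NAT corner case: a NAS configured with the New Hampshire secret arrives at the server from the Vermont address, the server decodes User-Password with the wrong secret and gets garbage, and the NAS in turn cannot verify the Response Authenticator on the reject. The first call also shows why the VPN or RADSEC suggestion matters: `username_on_wire` is the cleartext name, readable by anyone on the path without any secret.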