Design question - proxying RADIUS auth request to a backend webservice

Alexandr Kovalenko alexandr.kovalenko at
Mon Feb 18 00:35:13 CET 2013

On Sun, Feb 17, 2013 at 11:05 PM, Walter Goulet <wgoulet at> wrote:
> I'm looking for some input from the experts to help validate a solution
> approach that I've come up with. The problem I'm trying to solve is to
> allow NAS equipment and other RADIUS clients to authenticate users against a
> proprietary authentication service that uses REST APIs over HTTP.
> The solution that I've put together is to use rlm_perl which allows me to
> use standard Perl modules to interact with the authentication service. I'm
> pretty happy with the results so far in that I am able to build exactly what
> I need and authentication against the webservice works just fine.
> The question to the list: are there other solution approaches that might be
> better? Any significant disadvantages to using rlm_perl as I've described?
> Would it be better to write a custom module instead, hoping that by doing so
> there may be some performance improvements?
> Any input is greatly appreciated.

Not exactly your case, but here is my story.

I had a need to proxy/convert DHCP requests from equipment (and later,
end users' routers/computers; I worked at an ISP) to RADIUS.

The first version used FreeRADIUS's rlm_perl for handling incoming
DHCP requests and it worked pretty well, though sometimes it had
problems with duplicated requests, didn't scale well (probably my
fault, but I didn't wish to find this out) and so on. So I analyzed
request patterns, read RFC 2131, and reimplemented a DHCP server in pure
Perl, without using FreeRADIUS's DHCP feature. As a backend RADIUS
client (to connect to a closed-source commercial billing system) I used
Authen::Radius first (a leftover from the quick-n-dirty rlm_perl version),
but it didn't work well for me and was not powerful enough, so I used
Net::Radius::Packet/Net::Radius::Dictionary and implemented a stripped-down
RADIUS client myself.

So, as for your question, besides using rlm_rest (which is devel as of
now, as I understand), you may try writing a stripped-down RADIUS server
combined with a REST client for your auth service.
But for that you either have to reimplement a full RADIUS server (which
is not an option, I think), or implement just a subset, which works
only for your specific equipment. It may be an option.


Just my $0.02.

Alexandr Kovalenko

More information about the Freeradius-Users mailing list
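
The "just a subset" option from the reply above, as an added example that is not code from either poster or from FreeRADIUS: a handler for PAP Access-Request packets only (RFC 2865) that recovers the User-Password, asks a backend, and signs the reply with the Response Authenticator. The names `handle`, `parse_attrs`, `decode_pap` and `backend_check` are hypothetical; `backend_check` stands in for the REST call to the authentication service. The sketch assumes no CHAP, EAP or Message-Authenticator support and no duplicate-request cache.

```python
import hashlib, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def parse_attrs(data):
    """Walk the type/length/value attribute list; reject malformed lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("bad attribute length")
        attrs.setdefault(t, data[i + 2:i + l])  # keep first occurrence only
        i += l
    return attrs

def decode_pap(hidden, secret, authenticator):
    """Undo the RFC 2865 section 5.2 User-Password hiding."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("bad User-Password length")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, pad))
        prev = block  # next pad is keyed on the previous ciphertext block
    return out.rstrip(b"\x00")

def handle(packet, secret, backend_check):
    """Return reply bytes for a PAP Access-Request, or None to drop silently."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(packet):
        return None
    req_auth = packet[4:20]
    try:
        attrs = parse_attrs(packet[20:length])
        user = attrs[USER_NAME].decode("utf-8")
        password = decode_pap(attrs[USER_PASSWORD], secret, req_auth).decode("utf-8")
    except (ValueError, KeyError):  # malformed, missing attribute, or undecodable
        return None
    reply = ACCESS_ACCEPT if backend_check(user, password) else ACCESS_REJECT
    header = struct.pack("!BBH", reply, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()
```

A request hidden with the wrong shared secret decodes to garbage, so it is either dropped as undecodable or rejected by the backend; the shared secret is the only thing protecting the password on the wire.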