Design question - proxying RADIUS auth request to a backend webservice

Walter Goulet wgoulet at gmail.com
Mon Feb 18 00:38:58 CET 2013


Thanks for your input; your descriptions of limitations you ran into are
helpful. I think I will stick with using rlm_perl for now; I definitely
don't want to tackle writing my own stripped down RADIUS server. If
performance or scale become problems I will investigate other options at
that time.


On Sun, Feb 17, 2013 at 5:35 PM, Alexandr Kovalenko <alexandr.kovalenko at gmail.com> wrote:

> On Sun, Feb 17, 2013 at 11:05 PM, Walter Goulet <wgoulet at gmail.com> wrote:
> > I'm looking for some input from the experts to help validate a solution
> > approach that I've come up with. The problem I'm trying to solve is to
> > allow NAS equipment and other RADIUS clients to authenticate users against a
> > proprietary authentication service that uses REST APIs over HTTP.
> >
> > The solution that I've put together is to use rlm_perl which allows me to
> > use standard Perl modules to interact with the authentication service. I'm
> > pretty happy with the results so far in that I am able to build exactly what
> > I need and authentication against the webservice works just fine.
> >
> > The question to the list: are there other solution approaches that might be
> > better? Any significant disadvantages to using rlm_perl as I've described?
> > Would it be better to write a custom module instead, hoping that by doing so
> > there may be some performance improvements?
> >
> > Any input is greatly appreciated.
>
> Not exactly your case, but here is my story.
>
> I had a need to proxy/convert DHCP requests from equipment (and later
> - end user's routers/computers (I worked @ISP)) to RADIUS.
>
> First version was using FreeRADIUS's rlm_perl for handling incoming
> DHCP requests and it did work pretty cool, while sometimes it had
> problems with duplicated requests, didn't scale well (probably my
> fault, but I didn't wish to find this out) and so on, so I analyzed
> request patterns, read RFC 2131, and reimplemented the DHCP server in pure
> Perl, without using FreeRADIUS's DHCP feature. As a backend RADIUS
> client (to connect to closed source commercial billing system) I used
> Authen::Radius first (leftover from quick-n-dirty rlm_perl version),
> but it didn't work well for me and was not powerful enough, so I used
> Net::Radius::Packet/Net::Radius::Dictionary and implemented stripped
> down radius client myself.
>
> So, as for your question, besides using rlm_rest (which is devel as of
> now, as I understand) you may try writing a stripped-down RADIUS server
> combined with a REST client for your auth service.
> But for that you either have to reimplement a full RADIUS server (which
> is not an option, I think), or implement just a subset, which works
> only for your specific equipment. It may be an option.
>
> Cheers,
>
> Just my $0.02.
>
> --
> Alexandr Kovalenko
> http://uafug.org.ua/
>
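
The rlm_perl approach discussed in this thread, as an added sketch that is not code from either poster or from the FreeRADIUS project. The endpoint URL, the JSON body and the HTTP status convention are assumptions, since the thread does not show the proprietary service's API; the script also assumes the server is configured to call the Perl module in its authenticate section.

```perl
use strict;
use warnings;
use HTTP::Tiny;                 # core module; HTTPS also needs IO::Socket::SSL
use JSON::PP qw(encode_json);   # core module

# Hash that rlm_perl fills with the attributes of the incoming request.
our %RAD_REQUEST;

# Return codes, numbered as in the example script shipped with rlm_perl.
use constant {
    RLM_MODULE_REJECT  => 0,   # credentials refused
    RLM_MODULE_FAIL    => 1,   # module could not reach a decision
    RLM_MODULE_OK      => 2,   # credentials accepted
    RLM_MODULE_INVALID => 4,   # request cannot be handled by this module
};

# Hypothetical endpoint (placeholder host); TLS with certificate checks,
# because the user's password travels in this request.
my $VERIFY_URL = 'https://auth.example.internal/v1/verify';

# Short timeout so a slow backend cannot hold a RADIUS request indefinitely.
my $http = HTTP::Tiny->new(timeout => 3, verify_SSL => 1);

# Assumed convention: 200 = accepted, 401/403 = refused. Anything else,
# including HTTP::Tiny's 599 for timeouts and connection errors, fails
# closed: a backend outage must never turn into an accept.
sub status_to_rlm {
    my ($status) = @_;
    return RLM_MODULE_OK     if $status == 200;
    return RLM_MODULE_REJECT if $status == 401 || $status == 403;
    return RLM_MODULE_FAIL;
}

sub authenticate {
    my $user = $RAD_REQUEST{'User-Name'};
    my $pass = $RAD_REQUEST{'User-Password'};   # present only for PAP requests

    # CHAP, MS-CHAP or EAP requests carry no clear-text password to forward.
    return RLM_MODULE_INVALID unless defined $user && defined $pass;

    # The password is sent to the backend but never logged here.
    my $res = $http->post($VERIFY_URL, {
        headers => { 'Content-Type' => 'application/json' },
        content => encode_json({ username => $user, password => $pass }),
    });
    return status_to_rlm($res->{status});
}

1;
```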