how many clients use TCP Radius

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed May 4 03:26:35 CEST 2016


> On 3 May 2016, at 18:21, Florin Andrei <florin at andrei.myip.org> wrote:
> 
> On 2016-05-03 18:07, Alan DeKok wrote:
>> On May 3, 2016, at 9:01 PM, Florin Andrei <florin at andrei.myip.org> wrote:
>>> I can't find even a single example of a client that can connect to a Radius server via TCP.
>>  radclient?
>>> Not custom-written clients that someone wrote specifically to do that, but devices or apps that are in fairly common use and just employ Radius for authentication.
>>  RADIUS over TCP is not intended to be used by anyone.  TLS is better.
> 
> I'm sorry, I wasn't clear enough. I'm not looking for a test client. I was just curious if it's worth the trouble to even think of doing anything else besides UDP, if almost everybody in the real world uses UDP.

Yes.

> If it was a single FreeRadius frontend that I had to build, it would be simple enough - I would enable TLS when needed. But I have to build load balancers and a bunch of other infrastructure, and then I'll probably have to think beforehand about TCP vs UDP.
> 
> If essentially everyone in the real world uses UDP, I'll throw a simple LVS load balancer (kernel-based) in front of everything. But if there's a substantial chance I'll stumble upon real world clients that can do anything besides UDP, then that's a different infrastructure that will have to be built (different load balancers, etc). I don't have any control over what clients will be used.

No one uses TCP.

> I just don't have any idea what the real world Radius clients can and cannot do, that's what I'm saying.

TCP is actually a pretty crap transport for RADIUS. It enforces packet ordering, which you don't need; it doesn't fix the issue with only having an 8-bit ID field, so you need multiple TCP sockets if you have more than 255 packets in flight; and it requires a file descriptor per connection, which makes scaling a pain.

SCTP would have been a better choice, but at the time implementations were not mature.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
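
The identifier limit discussed in the message above, as an added example that is not part of the original post or of FreeRADIUS: a client-side tracker showing that the one-octet Identifier bounds the requests in flight per socket regardless of transport, so extra load means extra sockets. The class names and the 600-request load are constructed for illustration.

```python
import struct

ID_SPACE = 256  # the RADIUS Identifier is one octet (RFC 2865)

class Connection:
    """One socket (TCP connection or UDP source port) and its in-flight IDs."""
    def __init__(self, name):
        self.name = name
        self.pending = {}   # identifier -> request context awaiting a reply
        self.next_id = 0

    def allocate(self, context):
        """Reserve a free identifier, or return None if all are in flight."""
        if len(self.pending) >= ID_SPACE:
            return None
        while self.next_id in self.pending:
            self.next_id = (self.next_id + 1) % ID_SPACE
        ident = self.next_id
        self.pending[ident] = context
        self.next_id = (ident + 1) % ID_SPACE
        return ident

class ClientPool:
    """Hypothetical client side: opens another socket when IDs run out."""
    def __init__(self):
        self.connections = []

    def send(self, context):
        for conn in self.connections:
            ident = conn.allocate(context)
            if ident is not None:
                return conn, ident
        conn = Connection(f"conn-{len(self.connections)}")  # one more fd
        self.connections.append(conn)
        return conn, conn.allocate(context)

    def reply(self, conn, packet):
        """Match a reply to its request by (connection, Identifier)."""
        code, ident, length = struct.unpack("!BBH", packet[:4])
        return conn.pending.pop(ident, None)  # None: no such request pending

def demo():
    pool = ClientPool()
    for i in range(600):            # constructed load: 600 requests in flight
        pool.send(i)
    return pool
```

A reply whose Identifier has no pending request on that connection returns None, which is how a duplicate or stale response shows up in this model.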
