Opinion about idea

Peter Lambrechtsen peter at crypt.nz
Sat Apr 6 04:33:44 CEST 2019


This is exactly what I did with my previous employer but we had around 4
million users in the database. We used an LDAP database rather than SQL for
its read performance and I was looking to move to an in-memory Redis
database before I left but I don't think that ever happened.

I used client-shortname and realms as we had possibilities of users coming
in via different NAS types and I had to make a number of decisions based on
the source NAS type which I bundled up using client-shortname.

The auth normally isn't the big issue; it is the accounting that will be the
problem depending on what exactly you need to do.

FreeRADIUS will cope with it fine with little or no tweaking other than
configuration of the policies you require and some unlang logic. What you
will need to put a fair amount of planning into is how you structure and
deploy your database to make sure it is fast enough to cope with the load.
You may need to go down the disconnected accounting route and offload that
traffic to dedicated accounting servers depending on how frequently the
NASs send interim updates and if you are billing based on usage.

Fun times ahead.

On Sat, Apr 6, 2019 at 11:01 AM Jorge Pereira <jpereira at freeradius.org>
wrote:

> Rafael,
>
> 1. Add multiple sql statements in
> /opt/freeradius4/etc/raddb/mods-available/sql, e.g.: clientX_sql { .... },
> clientY_sql { .... }
> 2. Then, create some logic to forward the authentications based on
> %{NAS-IP-Address}
>
> e.g:
>
> if ("%{NAS-IP-Address}" == "X") {
>     %{clientX_sql: SELECT * ...... }
> }
> ....
>
> PS: Maybe something based on realm can be better. Good luck.
>
> --
> Jorge Pereira
>
> On Fri, Apr 5, 2019 at 6:42 PM Rafael Labiak Olivastro <
> rolivastro at hotmail.com> wrote:
>
> >
> > Good afternoon to all,
> >
> >
> >
> > Currently I have almost 1000 clients (enterprises) using their own MySQL
> > database and FreeRadius instance, working very well (each one with their
> > own Linux server).
> >
> > Recently, some of them asked me to host the database and FreeRadius, to
> > avoid infrastructure problems.
> >
> >
> >
> > Is it possible to run just one FreeRadius server, where there will be
> > multiple MySQL databases, and “tell” FreeRadius to authenticate according
> > to client IP?
> >
> >
> >
> > Example:
> >
> >
> >
> > Client Enterprise 1 -> NAS IP 200.200.200.200 --> Then the FreeRadius will
> > use MySQL database “client1”
> >
> > Client Enterprise 2 -> NAS IP 100.100.100.100 --> Then the FreeRadius will
> > use MySQL database “client2”
> >
> > Client Enterprise 3 -> NAS IP 222.222.222.222 --> Then the FreeRadius will
> > use MySQL database “client3”
> >
> >
> >
> > In this way, every enterprise could have their own usernames, where the
> > username “joao” from client1 is different from “joao” from client2.
> >
> > I researched a little about virtual servers and sql instances, but I don't
> > know if this is the correct way.
> >
> >
> >
> > What do you guys think about it?
> >
> >
> >
> > We are talking about 1000 enterprises and almost 1.000.000 usernames.
> >
> >
> >
> > Rafael Labiak Olivastro
> >
> > http://www.vigo.com.br
> >
> >
> >
> >
> >
> >
> >
> >
> > ________________________________
> > From: Freeradius-Users <freeradius-users-bounces+rolivastro=
> > hotmail.com at lists.freeradius.org> on behalf of Alan DeKok <
> > aland at deployingradius.com>
> > Sent: Friday, April 5, 2019 12:10:28 PM
> > To: FreeRadius users mailing list
> > Subject: Re: Help with external authentication using PHP
> >
> > On Apr 5, 2019, at 12:03 PM, Ekene Ezeasor <ezeasorekene at gmail.com> wrote:
> > > Changing the passwords to clear-text is not an option of course and we do
> > > Wi-Fi. Assuming we want to start using the SQL authorization with sha512
> > > (with hash). How do I implement the SQL query to check for sha512 password
> > > using the correct hash?
> >
> >   Are you using TTLS with inner PAP?  If not, then what you want is
> > impossible.
> >
> >   If blowfish doesn't work, then changing to SHA512 hashed passwords won't
> > help.
> >
> >   Understanding the problem helps here.
> >
> >   Alan DeKok.
> >
> >
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
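
The per-tenant routing discussed in this thread, as an added example that is not part of any poster's message or of FreeRADIUS's shipped configuration. It assumes FreeRADIUS 3.x syntax and that `sql_client1` and `sql_client2` are hypothetical instances copied from the stock `sql` module with only the database name and credentials changed; the client names and secrets are constructed placeholders. Routing is keyed on the shortname of the client entry that matched the request, and a request with no tenant mapping is rejected instead of being looked up in another tenant's database.

```unlang
# clients.conf (constructed entries): one client per tenant NAS.
# The shortname is the tenant key used by the policy below.
client tenant1_nas {
    ipaddr    = 200.200.200.200
    secret    = "REPLACE_WITH_TENANT1_SECRET"   # placeholder, unique per tenant
    shortname = client1
}

client tenant2_nas {
    ipaddr    = 100.100.100.100
    secret    = "REPLACE_WITH_TENANT2_SECRET"   # placeholder, unique per tenant
    shortname = client2
}

# sites-available/default, inside "server default { ... }".
# sql_client1 / sql_client2 are assumed to exist in mods-enabled/.
authorize {
    preprocess

    # Look the user up only in the database of the tenant whose
    # client entry matched this request.
    if ("%{client:shortname}" == "client1") {
        sql_client1
    }
    elsif ("%{client:shortname}" == "client2") {
        sql_client2
    }
    else {
        # No tenant mapping: do not fall through to any tenant's users.
        reject
    }

    pap
}

# Accounting follows the same mapping so one tenant's sessions are
# never written to another tenant's tables.
accounting {
    if ("%{client:shortname}" == "client1") {
        sql_client1
    }
    elsif ("%{client:shortname}" == "client2") {
        sql_client2
    }
}
```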

