[nycbug-talk] RADIUS experiences

Isaac Levy ike at lesmuug.org
Tue May 23 15:53:16 EDT 2006


Thx Pete,

On May 23, 2006, at 3:08 PM, Peter Wright wrote:

>
>> Hi All,
>>
>> I'm wondering if anyone here has experience with RADIUS servers?  I'm
>> setting one up for a fun project (wireless captive portal), and not
>> all that excited about using FreeRADIUS- lots of unanswered questions
>> in my brain...
>> That stated, my concerns are with ease of management, and redundant
>> replication for high-availability.
>>
>> I'm basically concerned about scale issues-
>>
>> 1) For a network of 300-5000 users, do the standard unix /etc/
>> password files scale sanely?  I mean, the docs have this as the
>> default config for user db, which is a type of data backend I'd
>> usually have in some other kind of DB.  It just seems like a recipe
>> for poor scalability.
>>
>
> yea i would be worried about this too, aside from scalability but i would
> be concerned about corruption of the password table and security issues as
> well.
>
>> 2) LDAP backends?  Is this common practice? (I'm concerned about
>> over-complexity)
>>
> aside from the initial learning curve of setting up an ldap environment we
> seem to have pretty good success using LDAP+RADIUS for our wireless and
> remote access networks.

Gotcha.  Good to hear- this sounds like a sane path.  I guess the
downside is learning curve here- I'm not excited about managing LDAP,
and then training other people to then manage it.  Hrm.  It ain't
rocket science, it's just work...

>
>> 3) SQL backends?  Is this common practice? (Again, concerned about
>> over-complexity)
>>
>> 4) Custom RADIUS implementations- RADIUS is more or less just a
>> protocol, with defined parameters for how it manages the big AAA.
>> Since it's the data backend I'm concerned about, (and know a lot
>> about how to deal with), I'm thinking of just implementing a simple
>> RADIUS server on top of databases I know and love?  I've found a
>> good-looking RADIUS library in Python, my favorite language, and I was
>> thinking of rolling my own server with a tiny, easily replicatable,
>> Python embedded DB.  It seems the simplest route to me, but I'm
>> hesitant because I feel there may be best-practices for heavy
>> RADIUS users?  (ISP's, Telcos, anyone managing remote AAA)
>>
>> Any thoughts, URLS, as always are much appreciated!
>>
>
> I'm familiar with LDAP so i'll lean that way.  There are plenty python and
> perl libraries to make scripting ldap easy...and frankly ldap is just a
> database anyway.

Right.  Well, I'm trying to use as few API's in the stack as  
possible, so I'm leaning towards tossing LDAP out of the stack-  
unless I hit compelling evidence to take me there...

> Although ramping up on LDAP may be a pain a SQL RDBMS
> sounds a little heavy for this solution.  or...you could use berkeleyDB
> ;^)

Well, yeah- I was going to use a thing called Durus, (somewhat like
berkeleyDB) which is a Python Object-Relational DB that's VERY nice,
very simple.  However, in the end, it would be embedded in the
server, so basically it would be taken out of the stack of things to
manage in the end.

Hrm.  Still chewing on this....

Rocket-
.ike
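
What item 4 of the quoted question (a RADIUS front end over a backend you already know) involves on the wire, as an added example that is not part of the original thread or of any library mentioned in it: a minimal PAP Access-Request handler per RFC 2865, with a dict standing in for the user database. `SECRET`, `USERS` and all function names are constructed for illustration.

```python
import hashlib, hmac, os, struct

SECRET = b"constructed-shared-secret"      # assumption: secret shared with the NAS

def pw_hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw, salt, 100_000)

# Stand-in for the user backend (flat file, LDAP, SQL, embedded DB); constructed data.
USERS = {b"alice": (b"constructed-salt", pw_hash(b"correct horse", b"constructed-salt"))}

def pap_xor(data, secret, ra, hiding):
    """RFC 2865 5.2 MD5 chain; each pad is keyed on the previous ciphertext block."""
    out, prev = b"", ra
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], pad))
        prev = block if hiding else data[i:i + 16]
        out += block
    return out

def make_request(user, pw, secret=SECRET, ident=7):
    """Client side: constructed Access-Request (code 1), User-Name + User-Password."""
    ra = os.urandom(16)                     # Request Authenticator
    hidden = pap_xor(pw + b"\x00" * (-len(pw) % 16), secret, ra, hiding=True)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH16s", 1, ident, 20 + len(attrs), ra) + attrs

def handle_request(data, secret=SECRET, users=USERS):
    """Server side: Access-Accept (2) or Access-Reject (3) bytes, or None to drop."""
    if len(data) < 20:
        return None
    code, ident, length, ra = struct.unpack("!BBH16s", data[:20])
    if code != 1 or not 20 <= length <= min(len(data), 4096):
        return None
    attrs, pos = {}, 20
    while pos < length:                     # walk type/length/value attributes
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            return None
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
    user, hidden, ok = attrs.get(1), attrs.get(2), False
    if user in users and hidden and len(hidden) % 16 == 0:
        pw = pap_xor(hidden, secret, ra, hiding=False).rstrip(b"\x00")
        salt, stored = users[user]
        ok = hmac.compare_digest(pw_hash(pw, salt), stored)
    reply = struct.pack("!BBH", 2 if ok else 3, ident, 20)
    return reply + hashlib.md5(reply + ra + secret).digest()   # Response Authenticator
```

Because PAP hands the server the cleartext password, the backend only needs to store a salted hash; a NAS configured with a different shared secret decodes to garbage and is rejected.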




