[nycbug-talk] RADIUS experiences

Paul Dlug paul at aps.org
Thu May 25 08:47:10 EDT 2006


On May 23, 2006, at 2:49 PM, Isaac Levy wrote:

> 1) For a network of 300-5000 users, do the standard unix /etc/
> password files scale sanely?  I mean, the docs have this as the
> default config for user db, which is a type of data backend I'd
> usually have in some other kind of DB.  It just seems like a recipe
> for poor scalability.

Definitely move to a DB/LDAP for this; there are also tons of account
management tools and reporting features that you never knew you
needed until the system was deployed. Having an easy way to query
accounts makes scripting these much more pleasant.


> 2) LDAP backends?  Is this common practice? (I'm concerned about over-
> complexity)

I'm running FreeRADIUS with an OpenLDAP backend to support an Aruba
wireless system. A consideration with LDAP/SQL is that not all
authentication methods will be available to you. If you intend to
bind to LDAP to authenticate and you're using WPA, you'll need to have
your users set TTLS/PAP as the authentication scheme. This is because
the other mechanisms prehash the passwords and the binds will all
fail. (See the FreeRADIUS mailing list for details.)

> 3) SQL backends?  Is this common practice? (Again, concerned about
> over-complexity)

Fairly common for large deployments. I prefer LDAP for these cases
because it's easier to replicate everywhere and seems to be more
widely supported for authentication.

Let me know if you have questions. I've done a few large deployments
with both SQL and LDAP authentication for services with RADIUS for
wireless/routers/firewalls/etc.


--Paul
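To make the TTLS/PAP point above concrete, here is an added illustration (not from the thread or from FreeRADIUS) of why a bind-only LDAP backend can verify PAP but not a pre-hashed mechanism. It models the directory with two hypothetical Python classes and uses RFC 1994 CHAP as the pre-hashing example; the user "alice" and her password are constructed sample data.

```python
import hashlib
import os

# Constructed sample directory contents; the RADIUS server only sees what LDAP exposes.
USERS = {"alice": "correct horse"}

class BindOnlyDirectory:
    """Models an LDAP server that only answers bind requests: hand it a
    cleartext password, get yes/no back; stored secrets are never exposed."""
    def bind(self, user, password):
        return USERS.get(user) == password

class CleartextDirectory(BindOnlyDirectory):
    """Models a directory that additionally lets the RADIUS server read the
    cleartext password (e.g. an attribute only radiusd may read)."""
    def get_password(self, user):
        return USERS.get(user)

def verify_pap(directory, user, password):
    # PAP (the inner method of EAP-TTLS/PAP) delivers the cleartext
    # password, so a plain LDAP bind is all the server needs.
    return directory.bind(user, password)

def chap_response(ident, password, challenge):
    # RFC 1994: Response = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def verify_chap(directory, user, ident, challenge, response):
    # CHAP never sends the password itself; the server must recompute the
    # hash, which requires the cleartext. A bind cannot answer that.
    if not hasattr(directory, "get_password"):
        return None  # bind-only LDAP: verification impossible
    stored = directory.get_password(user)
    if stored is None:
        return False
    return chap_response(ident, stored, challenge) == response

def demo():
    challenge = os.urandom(16)  # constructed per-session challenge
    client_resp = chap_response(1, "correct horse", challenge)
    return {
        "pap_bind_only": verify_pap(BindOnlyDirectory(), "alice", "correct horse"),
        "chap_bind_only": verify_chap(BindOnlyDirectory(), "alice", 1, challenge, client_resp),
        "chap_cleartext": verify_chap(CleartextDirectory(), "alice", 1, challenge, client_resp),
    }

if __name__ == "__main__":
    print(demo())
```

The same constraint applies to MS-CHAPv2 inside PEAP: the server needs the cleartext or NT hash, not just the ability to bind.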
