[nycbug-talk] RADIUS experiences

Peter Wright pete at nomadlogic.org
Tue May 23 15:08:44 EDT 2006

> Hi All,
> I'm wondering if anyone here has experience with RADIUS servers?  I'm
> setting one up for a fun project (wireless captive portal), and not
> all that excited about using FreeRADIUS- lots of unanswered questions
> in my brain...
> That stated, my concerns are with ease of management, and redundant
> replication for high-availability.
> I'm basically concerned about scale issues-
> 1) For a network of 300-5000 users, do the standard unix /etc/
> password files scale sanely?  I mean, the docs have this as the
> default config for user db, which is a type of data backend I'd
> usually have in some other kind of DB.  It just seems like a recipe
> for poor scalability.

yea i would be worried about this too, aside from scalability but i would
be concerned about corruption of the password table and security issues as

> 2) LDAP backends?  Is this common practice? (I'm concerned about over-
> complexity)

aside from the initial learning curve of setting up an ldap environment we
seem to have pretty good success using LDAP+RADIUS for our wireless and
remote access networks.

> 3) SQL backends?  Is this common practice? (Again, concerned about
> over-complexity)
> 4) Custom RADIUS implementations- RADIUS is more or less just a
> protocol, with defined parameters for how it manages the big AAA.
> Since it's the data backend I'm concerned about, (and know a lot
> about how to deal with), I'm thinking of just implementing a simple
> RADIUS server on top of databases I know and love?  I've found a good-
> looking RADIUS library in Python, my favorite language, and I was
> thinking of rolling my own server with a tiny, easily replicatable,
> Python embedded DB.  It seems the simplest route to me, but I'm
> hesitant because I feel there may be best-practices for heavy
> RADIUS users?  (ISP's, Telcos, anyone managing remote AAA)
> Any thoughts, URLs, as always are much appreciated!

I'm familiar with LDAP so I'll lean that way.  There are plenty of python and
perl libraries to make scripting ldap easy...and frankly ldap is just a
database anyway.  Although ramping up on LDAP may be a pain a SQL RDBMS
sounds a little heavy for this solution.  or...you could use berkeleyDB


Peter Wright
pete at nomadlogic.org
