[nycbug-talk] RADIUS experiences

Lonnie Olson fungus at aros.net
Tue May 23 16:23:12 EDT 2006

On May 23, 2006, at 12:49 PM, Isaac Levy wrote:
> I'm wondering if anyone here has experience with RADIUS servers?  I'm
> setting one up for a fun project (wireless captive portal), and not
> all that exited about using FreeRADIUS- lots of unanswered questions
> in my brain...
> That stated, my concerns are with ease of management, and redundant
> replication for high-availability.

I only have experience using Radiator, so I am a bit biased.

> I'm basically concerned about scale issues-
> 1) For a network of 300-5000 users, do the standard unix /etc/
> password files scale sanely?  I mean, the docs have this as the
> default config for user db, which is a type of data backend I'd
> usually have in some other kind of DB.  It just seems like a recipe
> for poor scalability.

I think it would work ok for that many users, but not much more.
I use an SQL backend for my main radius setup with about 4000 users,  
but that is kept in sync with the passwd files for my legacy apps.   
It is pretty ugly, but it works.

> 2) LDAP backends?  Is this common practice? (I'm concerned about over-
> complexity)

LDAP does introduce quite a bit of complexity, but could be useful if  
you have many applications that do authentication.
I actually would like to move in that direction "some day".  If this  
is just for radius, don't even bother.

> 3) SQL backends?  Is this common practice? (Again, concerned about
> over-complexity)

SQL backends work well, and won't introduce much more complexity if  
you are already maintaining a db server.  However it is not quite as  
ubiquitous as LDAP in your apps.  (unless you look at pam_mysql)

> 4) Custom RADIUS implementations- RADIUS is more or less just a
> protocol, with defined parameters for how it manages the big AAA.
> Since it's the data backend I'm concerned about, (and know a lot
> about how to deal with), I'm thinking of just implementing a simple
> RADIUS server on top of databases I know and love?  I've found a good-
> looking RADIUS library in Python, my favorite language, and I was
> thinking of rolling my own server with a tiny, easily replicatable,
> Python embedded DB.  It seems the simplest route to me, but I'm
> hesitant because I feel there may be best-practicices for heavy
> RADIUS users?  (ISP's, Telcos, anyone managing remote AAA)

Radiator will connect to a whole lot of different backends.  It is  
extremely configurable, but has a moderate learning curve.

If you are just looking for a radius server with a separate  
authentication database, Radiator w/ an SQL db backend will work  
fine.  However it might be better in the long run to take the time to  
centralize you authentication if you can.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2593 bytes
Desc: not available
URL: <http://lists.nycbug.org/pipermail/talk/attachments/20060523/9ee663aa/attachment.bin>

More information about the talk mailing list