[nycbug-talk] RADIUS experiences
Paul Dlug
paul at aps.org
Thu May 25 08:47:10 EDT 2006
On May 23, 2006, at 2:49 PM, Isaac Levy wrote:
> 1) For a network of 300-5000 users, do the standard unix /etc/
> password files scale sanely? I mean, the docs have this as the
> default config for user db, which is a type of data backend I'd
> usually have in some other kind of DB. It just seems like a recipe
> for poor scalability.
Definitely move to a DB/LDAP for this; there are also tons of account
management tools and reporting features that you never knew you
needed until the system was deployed. Having an easy way to query
accounts makes scripting these much more pleasant.
> 2) LDAP backends? Is this common practice? (I'm concerned about over-
> complexity)
I'm running FreeRADIUS with an OpenLDAP backend to support an Aruba
wireless system. A consideration with LDAP/SQL is that not all
authentication methods will be available to you. If you intend to
bind to LDAP to authenticate and you're using WPA, you'll need to have
your users set TTLS/PAP as the authentication scheme. This is because
the other mechanisms prehash the passwords and the binds will all
fail. (See the FreeRADIUS mailing list for details.)
> 3) SQL backends? Is this common practice? (Again, concerned about
> over-complexity)
Fairly common for large deployments; I prefer LDAP for these cases
because it's easier to replicate everywhere and seems to be more
widely supported for authentication.
Let me know if you have questions; I've done a few large deployments
with both SQL and LDAP authentication for services with RADIUS for
wireless/routers/firewalls/etc.
--Paul
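The point in the reply above, that an LDAP bind can only check a cleartext password and therefore works with TTLS/PAP but not with the EAP methods that send a hashed challenge response, is easy to get wrong in a design review. The following is an added illustration, not code from the thread or from FreeRADIUS or OpenLDAP. It models two directories: a bind-only one (the server can ask "does this password bind?" and nothing else) and one where the RADIUS service account may read a password-equivalent attribute. The challenge/response scheme is a deliberately simplified stand-in (HMAC-SHA256 keyed with a SHA-256 digest of the password); real MSCHAPv2 uses the NT hash (MD4 over UTF-16LE) and DES, but the dependency it demonstrates is the same: the server must hold the password or its hash to recompute the response. Account names and passwords are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts for the demonstration (not real credentials).
USERS = {"alice": "correct horse", "bob": "battery staple"}

# Assumption: a SHA-256 digest stands in for the NT hash that a real
# MSCHAPv2 server would need; the key fact is that it is a fixed,
# password-derived secret the server must already possess.
def _password_digest(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-16-le")).digest()


class BindOnlyDirectory:
    """Models an LDAP server that stores a salted, iterated password hash
    and only answers a simple bind; it never reveals a reusable hash."""

    ITERATIONS = 50_000

    def __init__(self, users: dict):
        self._entries = {}
        for name, password in users.items():
            salt = secrets.token_bytes(16)
            stored = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
            self._entries[name] = (salt, stored)

    def bind(self, name: str, password: str) -> bool:
        entry = self._entries.get(name)
        if entry is None:
            return False
        salt, stored = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        return hmac.compare_digest(stored, candidate)


class HashReadableDirectory(BindOnlyDirectory):
    """Same directory, but the RADIUS service account is allowed to read a
    password-equivalent attribute (the role an NT-hash attribute plays in a
    real deployment). This is what makes challenge/response methods possible,
    and also what makes the directory and the service account a higher-value
    asset to protect."""

    def __init__(self, users: dict):
        super().__init__(users)
        self._digests = {name: _password_digest(pw) for name, pw in users.items()}

    def password_digest(self, name: str):
        return self._digests.get(name)


def supplicant_pap(password: str) -> dict:
    """EAP-TTLS/PAP: inside the TLS tunnel the client sends the cleartext password."""
    return {"method": "PAP", "password": password}


def supplicant_challenge(password: str, challenge: bytes) -> dict:
    """Challenge/response: the client sends only a keyed function of the server's
    challenge; the cleartext password never leaves the client."""
    response = hmac.new(_password_digest(password), challenge, "sha256").digest()
    return {"method": "CHALLENGE", "response": response}


def radius_authenticate(directory, username: str, credential: dict, challenge: bytes = None) -> str:
    """Decide Access-Accept / Access-Reject given what the backend can do."""
    if credential["method"] == "PAP":
        # Cleartext is available, so a plain LDAP bind is enough.
        return "Access-Accept" if directory.bind(username, credential["password"]) else "Access-Reject"

    # Challenge/response: the server must recompute the expected response itself.
    if not hasattr(directory, "password_digest"):
        # The failure mode described in the thread: nothing to bind with and
        # no hash to recompute from, so every such request is rejected.
        return "Access-Reject (method unsupported by bind-only backend)"
    digest = directory.password_digest(username)
    if digest is None:
        return "Access-Reject"
    expected = hmac.new(digest, challenge, "sha256").digest()
    return "Access-Accept" if hmac.compare_digest(expected, credential["response"]) else "Access-Reject"


if __name__ == "__main__":
    challenge = secrets.token_bytes(16)
    for backend in (BindOnlyDirectory(USERS), HashReadableDirectory(USERS)):
        print(type(backend).__name__)
        print("  PAP      :", radius_authenticate(backend, "alice", supplicant_pap("correct horse")))
        print("  CHALLENGE:", radius_authenticate(backend, "alice", supplicant_challenge("correct horse", challenge), challenge))
```

Running it shows the bind-only backend accepting PAP and rejecting the challenge/response method, while the hash-readable backend accepts both. The design trade-off follows directly: to support the hashed EAP methods the RADIUS server's directory account needs read access to a password-equivalent attribute, so that account and the attribute's ACLs deserve the same care as the password store itself.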