Thank you very much for your detailed answer to my questions. I am in the process of planning an ISP deployment with proxy and local clients, including wholesale dialup from Qwest, MegaPOP and Aleron, having multiple RADIUS servers downstream. I also will need to have a local authentication scheme for Dial-up, DSL, and Wireless. I have yet to begin that stage of investigating though, and any insight into either Wireless Authentication or DSL would be appreciated. No detailed instructions are necessary, only real-world deployments that have worked or failures. If it's being done, it can be done again with enough time and persistence. I also believe that if this whole setup could work over a MySQL backend, administration and maintenance could benefit from it. Any insight or comments here would be well appreciated also.

Zack

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Franklin Trumpy
> Sent: Friday, November 01, 2002 11:48 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Experience
>
> Zack W Kneisley wrote:
>
> > Very Interesting. I have been evaluating Radiator off and on and find it
> > interesting that you would prefer FreeRADIUS over a $700 Radius
> > solution. Could you give me more insight into this switch? More details
> > on the AV pairs to certain proxy requests based on Client-IP-Address?
> > Could you provide any details on the hardware that your setup is running
> > on?
> >
> > Zack
>
> FreeRADIUS versus Radiator was a fairly easy decision. First, I
> was already familiar with Cistron RADIUS, and FreeRADIUS was the natural
> progression. I also found FreeRADIUS simple but flexible, modular and
> graceful in design. The fact that it is open source wasn't a minor factor
> in my decision, either.
>
> It is often remarked that documentation for FreeRADIUS is lacking.
> While perhaps there aren't exactly volumes filled with endless pedagogical
> examples, what _does_ exist is extremely concise and accurate in its
> description of FreeRADIUS functions. If you're willing to read, test, read
> again, test again, read once more and repeat ad nauseam, it does contain
> everything you need to know to create just about every possible
> configuration for any scenario. If nothing else, the debug output from the
> server is _exceptionally_ verbose and useful for, well, debugging.
>
> As for the issue with Client-IP-Address, I was faced with a situation
> where I needed to assign Ascend-Data-Filters to all sessions, both those
> handled locally and those proxied, when coming from a certain set of NAS
>
> I investigated doing this via Radiator. I had "inherited" the Radiator
> installation in question, and it's almost exclusively reliant on a
> rather poorly designed Microsoft SQL database. Every solution to this
> problem that Radiator was able to provide was either clumsy, not
> completely effective, or both. I found myself pushing down bubbles on
> wallpaper.
>
> Eventually, I used hints, user files, and the configurable failover
> functionality of FreeRADIUS to achieve my objective. Although it worked, I
> was particularly pleased with the fact that configurable failover gave me
> the ability to configure FreeRADIUS such that the Ascend-Data-Filters were
> assigned to all the right Access-Reply packets _AND_ no packets were
> processed by any modules that did not need to process them. No wasted
> processor cycles, memory, time, etc.
>
> As far as hardware...
>
> All my FreeRADIUS servers run on Compaq DL380's, DL360's, and 1850R's using
> Intel P3 Xeon-class processors, ranging from 500MHz to 800MHz. All have
> 512 to 1024MB RAM and SCSI disks on RAID 5. The lowest-end of the servers
> handles tens of thousands of requests a day and never breaks a sweat.
>
> All the servers are running FreeBSD 4.6-STABLE or 4.7-STABLE.
>
> Alright, that's enough gushing for one day.
>
> Franklin
>
> --
> Franklin Trumpy, NFA, MNGS, GSc | Say not, "I have found the truth,"
> Sr. UNIX Systems Administrator  | but rather, "I have found a truth."
> Lighthouse Communications       |
> [EMAIL PROTECTED]               | Say not, "I have found the path of the soul."
> (515)244-1115                   | Say rather, "I have met the soul walking
> (888)953-3278                   | upon my path."
> http://www.lh.net               |
>                                 | -Kahlil Gibran, _The Prophet_, 1923
>
> On Tue, 29 Oct 2002, Zack W Kneisley wrote:
>
> > Date: Tue, 29 Oct 2002 13:07:23 -0500
> > From: Zack W Kneisley <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: RE: Experience
> >
> > Very Interesting. I have been evaluating Radiator off and on and find it
> > interesting that you would prefer FreeRADIUS over a $700 Radius
> > solution. Could you give me more insight into this switch? More details
> > on the AV pairs to certain proxy requests based on Client-IP-Address?
> > Could you provide any details on the hardware that your setup is running
> > on?
> >
> > Zack
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Franklin Trumpy
> > > Sent: Tuesday, October 29, 2002 12:31 PM
> > > To: Freeradius-Users
> > > Subject: Re: Experience
> > >
> > > I am running three implementations of FreeRADIUS for three different
> > > purposes. Primarily, I use FreeRADIUS to authenticate, authorize, and
> > > account for about 750 PPP dial users via SQL (including the session
> > > database), with authentication and authorization failover to a users
> > > file. These same two RADIUS servers also proxy requests for about
> > > 15,000 users to a set of Radiator RADIUS servers, which are,
> > > incidentally, scheduled to be replaced by FreeRADIUS servers in the
> > > next month.
> > >
> > > All told, the 16,000 users arrive from any of about 99 RADIUS clients,
> > > 80 of which are the proxy RADIUS servers of three wholesale dial
> > > vendors (AT&T, QWest, and UUNet). Those 80 clients proxy requests for
> > > about 500 NAS. The remaining 19 RADIUS clients are NAS controlled by my
> > > organization. FreeRADIUS also serves to add several AV pairs to certain
> > > proxy requests based on Client-IP-Address, a function Radiator RADIUS
> > > cannot easily handle.
> > >
> > > My second implementation, using two other servers, does AAA for about
> > > 500 L2TP users via SQL, also failing over to a flatfile in the event
> > > of loss of database connectivity. There are about 15 "virtual" RADIUS
> > > clients configured on the one "real" NAS, a Redback SMS 1800.
> > >
> > > The third and final implementation, on its own, single server, provides
> > > AAA for about 200 PPTP users via SQL. Once again, it fails over to a
> > > flatfile if necessary. The single RADIUS client is a Cisco 3000-series
> > > VPN concentrator where authentication is handled by MS-CHAPv2.
> > >
> > > Three services, five servers, all running a FreeRADIUS CVS snapshot
> > > from last week, and running just fine.
> > >
> > > Franklin
> > >
> > > --
> > > Franklin Trumpy, NFA, MNGS, GSc | Say not, "I have found the truth,"
> > > Sr. UNIX Systems Administrator  | but rather, "I have found a truth."
> > > Lighthouse Communications       |
> > > [EMAIL PROTECTED]               | Say not, "I have found the path of the soul."
> > > (515)244-1115                   | Say rather, "I have met the soul walking
> > > (888)953-3278                   | upon my path."
> > > http://www.lh.net               |
> > >                                 | -Kahlil Gibran, _The Prophet_, 1923
> > >
> > > On Tue, 29 Oct 2002, Zack W Kneisley wrote:
> > >
> > > > Date: Tue, 29 Oct 2002 08:12:38 -0500
> > > > From: Zack W Kneisley <[EMAIL PROTECTED]>
> > > > Reply-To: [EMAIL PROTECTED]
> > > > To: Freeradius-Users <[EMAIL PROTECTED]>
> > > > Subject: Experience
> > > >
> > > > I've been watching this list for some time now, and it seems that
> > > > Freeradius is much more robust than I previously thought. Could some
> > > > users of this list give me some configuration examples (users served,
> > > > how many NAS's using, Hardware & OS's being used, using sql, how long
> > > > you have been using it etc.) I have been looking into several
> > > > different radius packages and it seems Freeradius can do almost
> > > > everything the others can. If you could provide me with successful
> > > > real-world deployments, the pros & cons, I encourage you to post them.
> > > >
> > > > Zack Kneisley
> > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
