On 8/19/07, Peter Nixon <[EMAIL PROTECTED]> wrote:
>
> On Sun 19 Aug 2007, Douglas Lane wrote:
> > Hi All,
> >
> > I have a little project for a small ISP that I would like to execute,
> > however, am just wondering about the infrastructure.
> >
> > Currently, the core radius server is hosted in a secure datacenter that
> > has ample bandwidth available.
> >
> > Now the issue I have is the "cells" where the Cisco Concentrators are have
> > slow links to the core radius server (these would be around 64 - 512kb).
> > Now I know that radius packets are small, however, the other issue is
> > these links will be used for internet access as well. Currently each router
> > controlling the cell links has a VPN link over the internet to the core
> > radius server.
> >
> > Now steps have been taken to enable QoS on these links so the VPN traffic
> > gets highest priority, however, what I wanna ask is the following:
> >
> > I'd like to "cache" the usernames and passwords (effectively radcheck and
> > radgroupcheck) on each cell network (each cell has a local RADIUS server
> > that proxies the realm to the core radius server). This way, avoiding the
> > possibility that the link may be too slow to auth the user and hence cause
> > a timeout, as well as in case the VPN link itself is down.
> >
> > The other question I'd like to get your opinion on is I'd like to have
> > accounting local to the cell's RADIUS server (for lookups from the Cisco),
> > but also have a way to replicate the accounting data to the core radius
> > server.
> >
> > I've looked at using MySQL replication, but I feel it's not sufficient for my
> > requirements. Perhaps I'm wrong?
> >
> > Obviously, for this particular situation, I'd like to only "cache" the
> > radcheck and radgroupcheck information for valid accounts in that
> > cell. I don't really want to have every cell's users part of the other
> > cell's.
> >
> > Obviously the idea is if the local RADIUS can't auth the user on
> > itself, it must peer to the next available RADIUS server (core radius).
> >
> > Hope I've been as descriptive as possible.
> >
> > I appreciate the help.
>
> Use an LDAP backend for authentication and just replicate the parts of the
> tree you need to each remote POP. Use radrelay (or even direct proxying) to
> push your accounting records back to your central radius..
>
> --
>
> Peter Nixon
> http://peternixon.net/
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
Hi Peter,

Thanks for the reply. Already started setting up my LDAP directory here. I just wanted to confirm something: I can use rlm_ldap for authentication and authorization and rlm_sql for accounting? (Need simultaneous support here.)

Also, when it comes to "peering" the authentication, I'd imagine I'd define a pool of LDAP servers, the first being my local radius for the POP, then the next LDAP in the hierarchy?

Also, last question I have is, my users will at times have multiple services available to them (like Shaped/Unshaped ADSL and Hotspot access). In this case, would I have to add multiple users to the organizationalUnit controlling my POP, with different reply messages if the auth is accepted? Or could I have a single entry for my user, say [EMAIL PROTECTED], and underneath that have multiple services assigned with the correct reply messages should auth succeed? I'd imagine in this case I would have multiple entries with the same username and password as the parent uid entry, however, with different reply messages?

Thanks again for the help

Thanks
Doug
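As an added illustration of the layout Peter's reply describes (a replicated LDAP subtree per POP for authorization, local SQL for accounting, and a fallback to the central directory only when the local replica cannot answer), here is a configuration sketch. It is not from either poster and assumes the FreeRADIUS 2.x file layout (modules/* and sites-enabled/default); the hostnames, bind DNs and the "pop1" subtree are made-up placeholders, and it assumes the bind identity is allowed to read userPassword so that PAP can complete inside the POP.

```text
# Added example for this thread, not configuration from either poster.
# Assumes FreeRADIUS 2.x; every hostname, DN and password below is a placeholder.

# --- modules/ldap_local : the replica that lives in this POP ---------------
ldap ldap_local {
    server   = "ldap-pop1.example.net"          # placeholder: local replica
    identity = "cn=radius,dc=example,dc=net"    # placeholder bind DN
    password = "REPLACE-WITH-BIND-PASSWORD"
    basedn   = "ou=pop1,dc=example,dc=net"      # only this POP's subtree is replicated here
    filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    timeout     = 4      # seconds to wait for a search result
    net_timeout = 1      # seconds to wait for the TCP connect
    ldap_connections_number = 5
}

# --- modules/ldap_core : the master directory behind the VPN ----------------
ldap ldap_core {
    server   = "ldap-core.example.net"          # placeholder: central directory
    identity = "cn=radius,dc=example,dc=net"
    password = "REPLACE-WITH-BIND-PASSWORD"
    basedn   = "dc=example,dc=net"
    filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    timeout     = 8      # the slow link needs more slack than the replica
    net_timeout = 2
    ldap_connections_number = 5
}

# --- sites-enabled/default : only the sections that matter here ------------
authorize {
    preprocess
    suffix              # splits user@realm so Stripped-User-Name is set

    # Ask the local replica first. rlm_ldap returns "fail" when the server
    # is unreachable and "notfound" when the user is not in this subtree.
    # By default "fail" aborts the section, so both codes are overridden
    # to "keep going" and the core directory is consulted only in those
    # two cases; a local hit never crosses the slow link.
    ldap_local {
        fail     = 1
        notfound = 1
    }
    if (fail || notfound) {
        ldap_core
    }

    # Because the bind identity may read userPassword, rlm_ldap has already
    # copied it into the check items, so PAP runs here in the POP without
    # another round trip to any directory.
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    # If the directory does not expose userPassword, rlm_ldap sets
    # Auth-Type LDAP instead and an "Auth-Type LDAP { ldap_local }"
    # block doing a bind would be needed here.
}

accounting {
    detail              # flat-file copy: a radrelay or detail reader can
                        # forward it to the core server once the VPN is up
    sql                 # local MySQL, so the POP can answer Cisco lookups
}
```

The accounting section writes each record twice on purpose: the SQL copy serves the local lookups, and the detail file is the durable queue that survives a VPN outage, which is what makes the radrelay approach in Peter's reply safer than relying on MySQL replication across a 64 kb link.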

