On Sun 19 Aug 2007, Douglas Lane wrote:
> On 8/19/07, Peter Nixon <[EMAIL PROTECTED]> wrote:
> > On Sun 19 Aug 2007, Douglas Lane wrote:
> > > Hi All,
> > >
> > > I have a little project for a small ISP that I would like to execute,
> > > however, am just wondering about the infrastructure.
> > >
> > > Currently, the core radius server is hosted in a secure datacenter
> > > that has ample bandwidth available.
> > >
> > > Now the issue I have is the "cells" where the Cisco Concentrators are
> > > have slow links to the core radius server (these would be around 64 -
> > > 512kb). Now I know that radius packets are small, however, the other
> > > issue is these links will be used for internet access as well.
> > > Currently each router controlling the cell links have a VPN link over
> > > the internet to the core radius server.
> > >
> > > Now steps have been taken to enable QoS on these links so the VPN
> > > traffic gets highest priority, however, what I wanna ask is the
> > > following:
> > >
> > > I'd like to "cache" the usernames and password (effectively radcheck
> > > and radgroupcheck) on each cell network (each cell has a local RADIUS
> > > server that proxies the realm to the core radius server). This way,
> > > avoiding the possibility that the link may be too slow to auth the user
> > > and hence cause a timeout, as well as in case the VPN link itself is
> > > down.
> > >
> > > The other question I'd like to get your opinion on is I'd like to have
> > > accounting local to the cell's RADIUS server (for lookups from the
> > > Cisco), but also have a way to replicate the accounting data to the
> > > core-radius server.
> > >
> > > I've looked at using MySQL replication, but I feel it's not sufficient
> > > for my requirements. Perhaps I'm wrong?
> > >
> > > Obviously, for this particular situation, I'd like to only "cache" the
> > > radcheck and radgroupcheck information for valid accounts in that
> > > cell. I don't really want to have every cell's users part of the other
> > > cell's. Obviously the idea is if the local RADIUS can't auth the user
> > > on itself, it must peer to the next available RADIUS server (core
> > > radius).
> > >
> > > Hope I've been as descriptive as possible.
> > >
> > > I appreciate the help.
> >
> > Use an LDAP backend for authentication and just replicate the parts of
> > the tree you need to each remote POP. Use radrelay (or even direct
> > proxying) to push your accounting records back to your central radius..
> >
> > --
> >
> > Peter Nixon
> > http://peternixon.net/
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
> Hi Peter,
>
> Thanks for the reply. Already started setting up my LDAP directory here.
>
> I just wanted to confirm something:
>
> I can use rlm_ldap for authentication and authorization and the rlm_sql
> for accounting? (need simultaneous support here).

Sure. You can even have multiple LDAP and SQL servers used for AuthX and
multiple SQL servers used for Acct if you wish.

> Also when it comes to "peering" the authentication, I'd imagine I'd define
> a pool of ldap servers. the first being my local radius for the POP, then
> the next ldap in the hierarchy?

If you wish. LDAP also has the capability to refer to other LDAP servers in
a hierarchy.. Or you could proxy the radius request to a parent RADIUS
server if the local one can't service it.. Depends on how you prefer to
solve the problem.

> Also, last question I have is, my users will have at times multiple
> services available to them (like Shaped/Unshaped ADSL and Hotspot access).
> In this case, would I have to add multiple users to the organizationalUnit
> controlling my POP, with different reply messages if the auth is accepted?
>
> Or could I have a single entry for my user, say [EMAIL PROTECTED] and
> underneath that, have multiple services assigned with the correct reply
> messages show auth succeed? I'd imagine in this case I would have
> multiple entries of the same username and password as the parent uid
> entry, however, with different reply messages?

You can selectively return attributes from both ldap and sql as you can
modify the query.. That's why we don't hard code queries :-)

> Thanks again for the help

You're welcome

--
Peter Nixon
http://peternixon.net/
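One way to wire up the design discussed in this thread (local LDAP replica for auth, proxy to the core only for users the POP does not know, local SQL accounting with a spooled copy relayed to the core), written here as an added example and not taken from the thread or from the FreeRADIUS project files. It assumes FreeRADIUS 3.x unlang syntax (the thread predates it), placeholder address and secret, a realm name "core" and pool "core_pool" chosen for this example, and the stock sites-available/copy-acct-to-home-server virtual server enabled to replay the detail file.

```conf
# raddb/proxy.conf on the POP server: the core as a fallback home server
home_server core_radius {
    type   = auth+acct
    ipaddr = 192.0.2.10            # placeholder: core RADIUS reached over the VPN
    port   = 1812
    secret = CHANGE_ME             # placeholder shared secret
    response_window = 20           # allow for the slow 64-512 kbit cell links
    status_check = status-server   # detect a dead VPN link and stop proxying to it
}
home_server_pool core_pool {
    type        = fail-over
    home_server = core_radius
}
realm core {
    auth_pool = core_pool
    acct_pool = core_pool
    nostrip                        # forward user@realm unchanged to the core
}

# raddb/sites-enabled/default on the POP server (only the relevant sections)
server default {
    authorize {
        preprocess
        # The POP's LDAP replica holds only this cell's subtree, so a user
        # from another cell comes back "notfound" rather than rejected.
        -ldap
        if ((ok || updated) && User-Password) {
            update {
                control:Auth-Type := ldap
            }
        }
        elsif (notfound) {
            # Not a local user: proxy the request to the core over the VPN.
            update {
                control:Proxy-To-Realm := "core"
            }
        }
    }
    authenticate {
        Auth-Type ldap {
            ldap
        }
    }
    accounting {
        sql        # local SQL keeps the Cisco's session lookups off the WAN
        detail     # spool a copy; copy-acct-to-home-server replays this
                   # file to core_pool whenever the link is up
    }
}
```

Because the proxy decision is made per request after the local lookup, a user of another cell is never rejected locally, and a VPN outage only affects users who are not in the POP's replicated subtree.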

