On Sun, Feb 17, 2013 at 11:05 PM, Walter Goulet <[email protected]> wrote:
> I'm looking for some input from the experts to help validate a solution
> approach that I've come up with. The problem I'm trying to solve is to
> allow NAS equipment and other RADIUS clients to authenticate users against a
> proprietary authentication service that uses REST APIs over HTTP.
>
> The solution that I've put together is to use rlm_perl, which allows me to
> use standard Perl modules to interact with the authentication service. I'm
> pretty happy with the results so far in that I am able to build exactly what
> I need and authentication against the webservice works just fine.
>
> The question to the list: are there other solution approaches that might be
> better? Any significant disadvantages to using rlm_perl as I've described?
> Would it be better to write a custom module instead, hoping that by doing so
> there may be some performance improvements?
>
> Any input is greatly appreciated.

Not exactly your case, but here is my story.

I had a need to proxy/convert DHCP requests from equipment (and later from end users' routers/computers; I worked at an ISP) to RADIUS. The first version used FreeRADIUS's rlm_perl for handling incoming DHCP requests, and it did work pretty cool, while sometimes it had problems with duplicated requests, didn't scale well (probably my fault, but I didn't wish to find this out) and so on. So I analyzed request patterns, read RFC 2131, and reimplemented the DHCP server in pure Perl, without using FreeRADIUS's DHCP feature.

As a backend RADIUS client (to connect to a closed-source commercial billing system) I used Authen::Radius first (a leftover from the quick-n-dirty rlm_perl version), but it didn't work well for me and was not powerful enough, so I used Net::Radius::Packet/Net::Radius::Dictionary and implemented a stripped-down RADIUS client myself.

So, as for your question: besides using rlm_rest (which is devel as of now, as I understand), you may try writing a stripped-down RADIUS server combined with a REST client for your auth service. But for that you either have to reimplement a full RADIUS server (which is not an option, I think), or implement just a subset, which works only for your specific equipment. It may be an option.

Cheers,
Just my $0.02.

--
Alexandr Kovalenko
http://uafug.org.ua/
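
The rlm_perl approach described in the quoted question, as an added example that is not code from either poster or from the FreeRADIUS project: an authenticate hook that checks PAP credentials against a REST service and keeps backend outages distinct from rejected passwords. The URL, the JSON request and response fields, and the log_err helper are assumptions.

```perl
# Added example: rlm_perl hook; the REST endpoint and JSON shape are hypothetical.
use strict;
use warnings;
use HTTP::Tiny;
use JSON::PP qw(encode_json decode_json);

# Hashes that rlm_perl populates for each request.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Return codes as defined in FreeRADIUS's sample rlm_perl script.
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_FAIL => 1, RLM_MODULE_OK => 2 };

my $AUTH_URL = 'https://auth.example.internal/v1/verify';   # placeholder URL
# One client per interpreter: short timeout, certificate verification on.
my $http = HTTP::Tiny->new(timeout => 3, verify_SSL => 1);

sub log_err {
    my ($msg) = @_;
    # radiusd::radlog exists only inside the server; 4 is L_ERR.
    if (defined &radiusd::radlog) { radiusd::radlog(4, $msg) } else { warn "$msg\n" }
}

sub authenticate {
    my $user = $RAD_REQUEST{'User-Name'};
    my $pass = $RAD_REQUEST{'User-Password'};   # present for PAP only
    return RLM_MODULE_REJECT unless defined $user && defined $pass;

    my $res = $http->post($AUTH_URL, {
        headers => { 'Content-Type' => 'application/json' },
        content => encode_json({ username => $user, password => $pass }),
    });

    # HTTP::Tiny reports timeouts and transport errors as status 599.
    # Never accept on error, but return "fail" so an outage is not a bad password.
    if ($res->{status} >= 500) {
        log_err("auth backend unavailable (HTTP $res->{status})");
        return RLM_MODULE_FAIL;
    }
    return RLM_MODULE_REJECT unless $res->{success};

    # Accept only an explicit positive answer; unparsable bodies reject.
    my $body = eval { decode_json($res->{content}) };
    return RLM_MODULE_REJECT
        unless ref $body eq 'HASH' && $body->{authenticated};

    $RAD_REPLY{'Reply-Message'} = 'Authenticated via REST backend';
    return RLM_MODULE_OK;
}
1;
```

The HTTP call blocks the Perl interpreter handling the request, so the timeout bounds how long a slow backend can hold up RADIUS responses; the password is never written to the log.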

