Thanks for your input; your descriptions of the limitations you ran into are helpful. I think I will stick with using rlm_perl for now; I definitely don't want to tackle writing my own stripped-down RADIUS server. If performance or scale become problems I will investigate other options at that time.

On Sun, Feb 17, 2013 at 5:35 PM, Alexandr Kovalenko <alexandr.kovale...@gmail.com> wrote:

> On Sun, Feb 17, 2013 at 11:05 PM, Walter Goulet <wgou...@gmail.com> wrote:
> > I'm looking for some input from the experts to help validate a solution
> > approach that I've come up with. The problem I'm trying to solve is to
> > allow NAS equipment and other RADIUS clients to authenticate users against
> > a proprietary authentication service that uses REST APIs over HTTP.
> >
> > The solution that I've put together is to use rlm_perl, which allows me to
> > use standard Perl modules to interact with the authentication service. I'm
> > pretty happy with the results so far in that I am able to build exactly
> > what I need and authentication against the webservice works just fine.
> >
> > The question to the list: are there other solution approaches that might
> > be better? Any significant disadvantages to using rlm_perl as I've
> > described? Would it be better to write a custom module instead, hoping
> > that by doing so there may be some performance improvements?
> >
> > Any input is greatly appreciated.
>
> Not exactly your case, but. Here is my story.
>
> I had a need to proxy/convert DHCP requests from equipment (and later
> - end user's routers/computers (I worked @ISP)) to RADIUS.
>
> First version was using FreeRADIUS's rlm_perl for handling incoming
> DHCP requests and it did work pretty cool, while sometimes it had
> problems with duplicated requests, didn't scale well (probably my
> fault, but I didn't wish to find this out) and so on, so I analyzed
> request patterns, read RFC 2131, and reimplemented DHCP server in pure
> Perl, without using FreeRADIUS's DHCP feature. As a backend RADIUS
> client (to connect to closed source commercial billing system) I used
> Authen::Radius first (leftover from quick-n-dirty rlm_perl version),
> but it didn't work well for me and was not powerful enough, so I used
> Net::Radius::Packet/Net::Radius::Dictionary and implemented stripped
> down RADIUS client myself.
>
> So, as for your question, besides using rlm_rest (which is devel as of
> now, as I understand) you may try writing stripped down RADIUS server
> combined with REST client for your auth service.
> But for that you either have to reimplement full RADIUS server (which
> is not an option, I think), or implement just a subset, which works
> only for your specific equipment. It may be an option.
>
> Cheers,
>
> Just my $0.02.
>
> --
> Alexandr Kovalenko
> http://uafug.org.ua/