[RADIATOR] MongoDB \ Accounting
Hi

Simple question really. I want to introduce MongoDB as a test server for storing accounting and session data. We currently use MSSQL, it works well, but the large amount of data (and related joins into other data islands) can become unwieldy over time - especially for historic reporting.

I have done some work with MongoDB and other systems (with relatively straightforward schemas), and storing accounting\session seems well suited for this. Don't get me wrong, it's not that MSSQL\MySQL aren't up to the task, I just think this is well suited for NoSQL and I am keen to satisfy my technical curiosity.

I am considering the best ways of getting the accounting data from our RADIUS servers \ SQL databases into MongoDB. Looking for some feedback\comments.

Some options:

a) Write an accounting hook to break apart the accounting message, construct a JSON request and send it off to a remote application server.
   * Downside is the risk of blocking\disrupting the main process.

b) Spool the messages to disk, have an out-of-process script parse the files, construct a JSON (or MongoDB request), send it to a remote server and delete the file. Downside is some disk\write IO, nothing too taxing.
   * Out of process = good.

c) At the DB level, clone the accounting messages into another table. Script reads the rows, processes as above, then deletes the rows.
   * Some extra DB load.

d) Possibly silently forwarding (or replicating) the accounting message to another server and doing one of the above

Anything I have missed? I am leaning towards b) or c)

Is anybody else using NoSQL for this type of application? Any feedback?

Regards
Joe
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
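Option b) from the post above, as an added example (not part of the original post and not Radiator code): an out-of-process parser that turns spooled accounting records into JSON documents and leaves an unterminated final record alone while the server may still be writing it. The spool layout (timestamp line, indented `Attribute = value` lines, blank line between records), the sample values and the names `parse_spool` and `to_json_lines` are assumptions.

```python
import json
import re

# Constructed sample spool contents (assumed layout): a timestamp line, indented
# "Attribute = value" lines, and a blank line closing each record.
SAMPLE_SPOOL = '''Sun Jul 28 18:21:03 2013
\tUser-Name = "joe"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "00001A2B"
\tClass = "group-a"
\tClass = "group-b"

Sun Jul 28 18:25:40 2013
\tUser-Name = "joe"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "00001A2B"
\tAcct-Session-Time = 277
'''

ATTR_RE = re.compile(r'^\s+([\w.-]+)\s*=\s*(.*)$')

def parse_spool(text):
    """Return (documents, unterminated_tail); only blank-line-closed records are parsed."""
    head, sep, tail = text.rpartition('\n\n')
    if not sep:
        return [], text
    docs = []
    for block in head.split('\n\n'):
        lines = [line for line in block.splitlines() if line.strip()]
        if not lines:
            continue
        doc = {'logged_at': lines[0].strip()}
        for match in filter(None, map(ATTR_RE.match, lines[1:])):
            key = match.group(1).replace('.', '_')  # '.' nests fields in MongoDB
            value = match.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            elif value.isdecimal():
                value = int(value)
            if key in doc:  # repeated attribute: keep every value as a list
                doc[key] = doc[key] if isinstance(doc[key], list) else [doc[key]]
                doc[key].append(value)
            else:
                doc[key] = value
        docs.append(doc)
    return docs, tail

def to_json_lines(docs):
    """One JSON document per line, ready to send to the remote server."""
    return '\n'.join(json.dumps(d, sort_keys=True) for d in docs)
```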
Re: [RADIATOR] MongoDB \ Accounting
Hello Joe -

I would be inclined to use method d) so you get a copy of the accounting requests in a separate process where you can do whatever you need to without impacting your main process.

You would do something like this (assuming you are using Handlers):

    …..

    <Handler Request-Type = Accounting-Request>
        AuthByPolicy ContinueAlways
        <AuthBy RADIUS>
            # forward a copy to a separate process
            ……
            IgnoreAccountingResponse
        </AuthBy>
        <AuthBy SQL>
            # do normal accounting
            …..
        </AuthBy>
    </Handler>

It's also a good idea to have separate Radiator processes for authentication and accounting in any case.

regards

Hugh

On 28 Jul 2013, at 18:21, Joe Hughes joeyconcr...@gmail.com wrote:

> Hi
>
> Simple question really. I want to introduce MongoDB as a test server for storing accounting and session data. We currently use MSSQL, it works well, but the large amount of data (and related joins into other data islands) can become unwieldy over time - especially for historic reporting.
>
> I have done some work with MongoDB and other systems (with relatively straightforward schemas), and storing accounting\session seems well suited for this. Don't get me wrong, it's not that MSSQL\MySQL aren't up to the task, I just think this is well suited for NoSQL and I am keen to satisfy my technical curiosity.
>
> I am considering the best ways of getting the accounting data from our RADIUS servers \ SQL databases into MongoDB. Looking for some feedback\comments.
>
> Some options:
>
> a) Write an accounting hook to break apart the accounting message, construct a JSON request and send it off to a remote application server.
>    * Downside is the risk of blocking\disrupting the main process.
>
> b) Spool the messages to disk, have an out-of-process script parse the files, construct a JSON (or MongoDB request), send it to a remote server and delete the file. Downside is some disk\write IO, nothing too taxing.
>    * Out of process = good.
>
> c) At the DB level, clone the accounting messages into another table. Script reads the rows, processes as above, then deletes the rows.
>    * Some extra DB load.
>
> d) Possibly silently forwarding (or replicating) the accounting message to another server and doing one of the above
>
> Anything I have missed? I am leaning towards b) or c)
>
> Is anybody else using NoSQL for this type of application? Any feedback?
>
> Regards
> Joe

--
Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Re: [RADIATOR] PEAP from Radiator via Juniper switches
Hi Alan,

The config is pretty straightforward. Here you go:

    # User check from user file
    <AuthBy FILE>
        Identifier user-file-auth

        # Location of the users file
        Filename %D/users

        # Supported EAP Types and session info
        EAPType PEAP,TLS,MSCHAP-V2
        EAPTLS_MaxFragmentSize 1024
        EAPTLS_SessionResumptionLimit 60

        # Certificate Info
        EAPTLS_CAFile %D/certs/ca.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certs/%h.pem
        EAPTLS_CertificateChainFile %D/certs/%h.pem

        # This flag tells EAPType MSCHAP-V2 to convert the inner EAP-MSCHAPV2 request into
        # an ordinary Radius-MSCHAPV2 request and redespatch to a Handler
        # that matches ConvertedFromEAPMSCHAPV2=1
        EAP_PEAP_MSCHAP_Convert 1

        # Deal with MPPE keys
        AutoMPPEKeys
    </AuthBy>

From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk]
Sent: Saturday, July 27, 2013 7:22 AM
To: Garry Shtern; 'radiator@open.com.au'
Subject: Re: [RADIATOR] PEAP from Radiator via Juniper switches

config?

alan

Original message
From: Garry Shtern garry.sht...@twosigma.com
Date: 26/07/2013 22:40 (GMT+00:00)
To: 'radiator@open.com.au' radiator@open.com.au
Subject: [RADIATOR] PEAP from Radiator via Juniper switches

All,

I ran into an interesting issue. I am trying to do PEAP/MSCHAPv2 via Juniper EX switch to Radiator. I am seeing the Access-Request come in, and Radiator responds with Access-Challenge which is dropped by the EX. However, I have the same switch pointing to Microsoft NPS and everything works flawlessly.

Looking over packet captures and debugs on the Radiator I noticed the following difference in responses:

- NPS returns Authenticator and following AVPs:
    o Session-Timeout
    o EAP-Message w/ EAP Request 1, Id 1, Type 25 (PEAP), Start Flag and PEAP version 0
    o State
    o Message-Authenticator
- Radiator returns Authenticator and none of the AVPs.

I am suspecting that Juniper EX has an issue with this and that's why it's dropping the frames, while Cisco IOS switch is absolutely fine and forwards the traffic back to the client w/o much of a consideration.

Is there any easy way to force Radiator to add the same attributes to the Challenge as NPS?

Thanks.
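A diagnostic check for the difference described in the post above, as an added example (not from the original thread, and not Radiator, NPS or Juniper code): it parses a captured RADIUS reply, reports which of EAP-Message, State and Message-Authenticator are absent from an Access-Challenge, and verifies Message-Authenticator as RFC 3579 defines it. The shared secret, Request Authenticator, both packets and the function names are constructed for the example.

```python
import hashlib, hmac, struct

ACCESS_CHALLENGE = 11
REQUIRED = {79: "EAP-Message", 24: "State", 80: "Message-Authenticator"}

def parse_attrs(packet):
    """Return [(type, value_offset, value)], bounds-checking every attribute."""
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        end = pos + packet[pos + 1]
        attrs.append((packet[pos], pos + 2, packet[pos + 2:end]))
        pos = end
    return attrs

def check_challenge(packet, request_auth, secret):
    """List what an EAP Access-Challenge is missing or fails to verify."""
    problems = [] if packet[0] == ACCESS_CHALLENGE else ["not an Access-Challenge"]
    attrs = parse_attrs(packet)
    seen = {atype for atype, _, _ in attrs}
    problems += ["missing " + name for t, name in REQUIRED.items() if t not in seen]
    for atype, off, value in attrs:
        if atype == 80:
            # RFC 3579: HMAC-MD5 with the Request Authenticator in place, value zeroed
            buf = bytearray(packet[:struct.unpack("!H", packet[2:4])[0]])
            buf[4:20] = request_auth
            buf[off:off + 16] = bytes(16)
            mac = hmac.new(secret, bytes(buf), hashlib.md5).digest()
            if not hmac.compare_digest(mac, value):
                problems.append("Message-Authenticator does not verify")
    return problems

def build_challenge(attrs, request_auth, secret):
    """Build a constructed Access-Challenge (Id 1); signs attribute 80 if present."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCESS_CHALLENGE, 1, 20 + len(body))
    mac = hmac.new(secret, head + request_auth + body, hashlib.md5).digest()
    body = body.replace(b"\x50\x12" + bytes(16), b"\x50\x12" + mac, 1)
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

# Constructed sample values, not taken from the capture in the post.
SECRET, REQ_AUTH = b"example-secret", bytes(range(16))
PEAP_START = bytes([1, 1, 0, 6, 25, 0x20])  # EAP Request, Id 1, type 25, Start, v0
NPS_LIKE = build_challenge([(27, struct.pack("!I", 30)), (79, PEAP_START),
                            (24, b"constructed-state"), (80, bytes(16))], REQ_AUTH, SECRET)
BARE = build_challenge([], REQ_AUTH, SECRET)
```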