Thanks for the detailed explanations! Comments inline.
Alexander Mayrhofer wrote:
On (19.04.04 16:59), Klaus Darilion wrote:
As in the tutorial, I used freeradius and put the SIP users into the raddb/users file. Do I have to do this manually for every user or are there any tools to do this? Can radius be used with a backend database for storing user data? If yes, why not directly use the database without radius?
The usual way (as even most ISPs did up to a few years ago) would be to dump the customer database into a raddb file regularly via cron.
Up to a few years ago? What do they use now?
Asynchronous, though, but independent of the availability of your main customer database.
Is radius more available than mysql? This can also be done with 2 databases, just filling the auth-db regularly with data from the main customer database.
Is there any functionality within ser+radius that can't be done with ser+mysql?
Yes. Being able to re-use existing radius servers (e.g. of ISPs and universities [hint!]), and being able to split and proxy authentication requests based on request domain (e.g. handle domainA by ispA's radius server, and handle domainB by ispB's radius server).
How can this be done? I guess this must be done somewhere in the radiusclient, the client has to look up the domain in the From: header (INVITE) and then choose the proper radius server?
...just a moment, I will take a look at at43...
Oh! You have a radius server which forwards the request to the appropriate radius server. So, all the split/forwarding logic is in the main radius server?
Imagine that you want to connect an ISP who already has several thousand subscribers. He already has a radius server in place, because that's how he authenticates dial-in / DSL access. If you can reuse that authentication facility for just another service (e.g. SIP), the ISP has no hassle because of managing just another user database. He can continue to use his existing authentication servers for the new protocol, and just opens up access to the radius servers by SER.
When I take a look into the users file of freeradius, the entries for PPP ... authentication look different from the one for SIP (Auth-Type := Digest instead of local). Furthermore, some attributes must be added (e.g. Sip_Rpid). Therefore, I assume it's not that easy.
Additionally, I doubt he will ever hand you over any of his subscribers' credentials ...
That's true in case the ISP outsources the phone services.
The only point I see for using radius is that many PSTN-gateways support writing CDRs into radius and billing systems will query these CDRs - but why use radius for ser?
Well, to put it into one sentence: Because it's the world's most popular authentication mechanism for internet-access related authentication and accounting.
So, if I don't have to deal with ISPs, there is no need to use radius?
regards, klaus
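
The regular database-to-users-file dump discussed in this thread, as an added example (not code from the thread, freeradius or SER): it regenerates the file atomically and rejects values that could inject extra attributes or entries. The `subscriber` table and its columns, the `User-Password` check item and the backslash escaping are assumptions; `Auth-Type := Digest` and `Sip_Rpid` are spelled as in the thread.

```python
import os
import sqlite3
import tempfile

def quote(value):
    """Double-quote a value; refuse characters that could start a new line or entry."""
    if any(c in value for c in "\r\n\0"):
        raise ValueError("control character in value")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def render_users(rows):
    """Turn (username, password, rpid) rows into users-file text."""
    out = []
    for username, password, rpid in rows:
        if not username or any(c.isspace() or c in '"\\,#' for c in username):
            raise ValueError(f"unsafe username: {username!r}")
        # Check items on the first line, reply items indented below it.
        out.append(f"{username}\tAuth-Type := Digest, User-Password == {quote(password)}")
        if rpid:
            out.append(f"\tSip_Rpid = {quote(rpid)}")
        out.append("")
    return "\n".join(out)

def dump_users(conn, path):
    """Regenerate the users file from the database; returns the number of entries."""
    rows = conn.execute(
        "SELECT username, password, rpid FROM subscriber ORDER BY username").fetchall()
    text = render_users(rows)  # validation fails here, before the live file is touched
    # mkstemp creates the file mode 0600: it holds cleartext digest secrets.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic swap: the server never reads a half-written file
    except BaseException:
        os.unlink(tmp)
        raise
    return len(rows)

def sample_db():
    """Constructed sample data standing in for the main customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (username TEXT, password TEXT, rpid TEXT)")
    conn.executemany("INSERT INTO subscriber VALUES (?, ?, ?)", [
        ("alice", 'pa"ss', "+4312345"),
        ("bob", "secret", None),
    ])
    return conn
```

Run from cron, a failed validation leaves the previous users file in place, so one bad row in the customer database does not take authentication down.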