Hi!
After using radius for the first time, I came up with several questions about "why and how" to use radius. Please comment on my questions:
As in the tutorial, I used freeradius and put the SIP users into the raddb/users file. Do I have to make this manually for every user or are there any tools to do this? Can radius be used with a backend database for storing user data? If yes, why not directly use the database without radius?
Using mysql for user authentication, adding a new user is simple - serctl or serweb. I miss such a simple solution for radius.
Can/will radius also be used for location contacts - or is it a must to use mysql(postgres) for persistent user location?
Is there any functionality within ser+radius that can't be done with ser+mysql?
The only point I see for using radius is that many PSTN-gateways support writing CDRs into radius and billing systems will query these CDRs - but why use radius for ser?
thanks klaus
On (19.04.04 16:59), Klaus Darilion wrote:
As in the tutorial, I used freeradius and put the SIP users into the raddb/users file. Do I have to make this manually for every user or are there any tools to do this? Can radius be used with a backend database for storing user data? If yes, why not directly use the database without radius?
The usual way (as even most ISPs did up to a few years ago) would be to dump the customer database into a raddb file regularly via cron. Asynchronous, though, but independent of the availability of your main customer database.
OTOH, there are a few other radius servers out there which can directly fetch user data from e.g. a database server - the most flexible one seems to be Radiator (www.open.com.au): It seems that it could even use a kitchen sink as backend database ;)
It's written in Perl, so adapting it to a new data source is rather easy. Most data sources you can imagine are already supported:
http://www.open.com.au/radiator/technical.html#auth
It's commercial software, but it's worth every cent - support is excellent, too.
Using mysql for user authentication, adding a new user is simple - serctl or serweb. I miss such a simple solution for radius.
Well, you directly modify a raddb file just for hack value. You really want to keep your customers' accounts somewhere else, and just regenerate the raddb file from there once you reach approx. the 100-user barrier. vi'ing raddb files is the hardcore approach (especially if you go without rcs ;)
Can/will radius also be used for location contacts - or is it a must to use mysql(postgres) for persistent user location?
radius was never designed for that. It's not made for updating information, just for looking up and verifying account attributes (hence "Remote Authentication Dial-In User Service"). There is no facility to store or modify any attributes of a user account via radius, so you still have to use one of the supported location storage methods.
Is there any functionality within ser+radius that can't be done with ser+mysql?
Yes. Being able to re-use existing radius servers (e.g. of ISP's and universities [hint!]), and being able to split and proxy authentication requests based on request domain (e.g. handle domainA by ispA's radius server, and handle domainB by ispB's radius server).
Imagine that you want to connect an ISP who already has several thousand subscribers. He already has a radius server in place, because that's how he authenticates dial-in / DSL access. If you can reuse that authentication facility for just another service (e.g. SIP), the ISP has no hassle with managing yet another user database. He can continue to use his existing authentication servers for the new protocol, and just opens up access to the radius servers by SER.
Additionally, I doubt he will ever hand you over any of his subscribers' credentials ...
The only point I see for using radius is that many PSTN-gateways support writing CDRs into radius and billing systems will query these CDRs - but why use radius for ser?
well, to put it into one sentence: Because it's the world's most popular authentication mechanism for internet-access related authentication and accounting.
cheers
axelm
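The cron-style regeneration Alexander describes above, as an added example (not code from the thread, from SER, FreeRADIUS or Radiator): a script that dumps a subscriber table into a raddb/users file using the `Auth-Type := Digest, User-Password == "..."` entry form the thread mentions. The subscriber table and its rows are constructed (an in-memory SQLite table so it runs offline), and the reply attribute name `Sip-Rpid`, the `user@domain` key option and the trailing `DEFAULT Auth-Type := Reject` entry are assumptions that must be checked against your own dictionary and radiusd configuration.

```python
"""Regenerate raddb/users from a subscriber table (the cron approach).

Added example; not code from the thread, SER, FreeRADIUS or Radiator.
Assumptions: a subscriber table (username, domain, password, rpid); the
entry form  user  Auth-Type := Digest, User-Password == "..."  from the
thread; Sip-Rpid as the reply attribute name; a trailing DEFAULT reject.
"""
import os
import re
import sqlite3
import tempfile

# Constructed rows standing in for the real customer database.
SAMPLE_SUBSCRIBERS = [
    ("klaus", "example.org", "s3cret", "klaus"),
    ("alice", "example.org", 'pa"ss\\word', None),
    ("bob", "example.net", "hunter2", "Bob"),
]

# The users file is whitespace- and newline-delimited: a username containing
# a space, tab or newline could smuggle in a second entry, so whitelist it.
VALID_USERNAME = re.compile(r"[A-Za-z0-9._+-]+")
VALID_DOMAIN = re.compile(r"[A-Za-z0-9.-]+")


def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (username TEXT, domain TEXT, password TEXT, rpid TEXT)")
    conn.executemany("INSERT INTO subscriber VALUES (?, ?, ?, ?)", SAMPLE_SUBSCRIBERS)
    return conn


def load_subscribers(conn):
    return conn.execute(
        "SELECT username, domain, password, rpid FROM subscriber ORDER BY username"
    ).fetchall()


def quote(value):
    # Values are double-quoted in the users file; escape backslash and quote.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_entry(username, password, rpid=None, domain=None):
    # The key must equal the User-Name SER sends: bare username as in the
    # thread, or user@domain if your SER sends that (assumption; check with
    # radiusd -X which form arrives).
    if not VALID_USERNAME.fullmatch(username):
        raise ValueError(f"refusing unsafe username {username!r}")
    if domain is not None and not VALID_DOMAIN.fullmatch(domain):
        raise ValueError(f"refusing unsafe domain {domain!r}")
    key = f"{username}@{domain}" if domain else username
    lines = [f"{key}\tAuth-Type := Digest, User-Password == {quote(password)}"]
    if rpid:
        lines.append(f"\tSip-Rpid = {quote(rpid)}")  # reply item; assumed name
    return "\n".join(lines) + "\n"


def render_users_file(rows, with_domain=False):
    entries = [render_entry(u, p, r, d if with_domain else None) for (u, d, p, r) in rows]
    # Unknown users should be rejected here, not fall through to other modules.
    entries.append("DEFAULT\tAuth-Type := Reject\n")
    return "\n".join(entries)


def write_users_file(path, content):
    # Write to a temp file in the same directory, then rename: radiusd never
    # sees a half-written file, and a crash leaves the old file in place.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".users.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.chmod(tmp, 0o640)  # passwords are cleartext; keep the file private
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


DEMO_PATH = os.path.join(tempfile.mkdtemp(), "users")


def regenerate(path=DEMO_PATH, conn=None):
    content = render_users_file(load_subscribers(conn or build_demo_db()))
    write_users_file(path, content)
    return content


if __name__ == "__main__":
    print(regenerate())
```

Run it from cron with the real database connection and the real raddb path, then make radiusd reread its configuration. The atomic rename and the username whitelist are the two parts that matter for security: the first keeps radiusd from ever loading a truncated file, the second keeps a subscriber-chosen name from injecting an extra entry into a newline-delimited file that holds cleartext passwords.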
Thanks for the detailed explanations! comments inline
Alexander Mayrhofer wrote:
On (19.04.04 16:59), Klaus Darilion wrote:
As in the tutorial, I used freeradius and put the SIP users into the raddb/users file. Do I have to make this manually for every user or are there any tools to do this? Can radius be used with a backend database for storing user data? If yes, why not directly use the database without radius?
The usual way (as even most ISPs did up to a few years ago) would be to dump customer database into a raddb file regularly via cron.
up to a few years ago? What do they use now?
Asynchronous, though, but independent of the availability of your main customer database.
Is radius more available than mysql? This can also be done with 2 databases, just filling the auth-db regularly with data from the main customer database.
Is there any functionality within ser+radius that can't be done with ser+mysql?
Yes. Being able to re-use existing radius servers (e.g. of ISP's and universities [hint!]), and being able to split and proxy authentication requests based on request domain (e.g. handle domainA by ispA's radius server, and handle domainB by ispB's radius server).
How can this be done? I guess this must be done somewhere in the radiusclient, the client has to look up the domain in the From: header (INVITE) and then choose the proper radius server?
...just a moment, I will take a look at at43...
Oh! You have a radius server which forwards the request to the appropriate radius server. So, all the split/forwarding logic is in the main radius server?
Imagine that you want to connect an ISP who already has several thousand subscribers. He already has a radius server in place, because that's how he authenticates dial-in / DSL access. If you can reuse that authentication facility for just another service (e.g. SIP), the ISP has no hassle with managing yet another user database. He can continue to use his existing authentication servers for the new protocol, and just opens up access to the radius servers by SER.
When I take a look into the users file of freeradius, the entries for PPP ... authentication look different from the ones for SIP (Auth-Type := Digest instead of local). Furthermore, some attributes must be added (e.g. Sip_Rpid). Therefore, I assume it's not that easy.
Additionally, I doubt he will ever hand you over any of his subscribers' credentials ...
That's true in case the ISP outsources the phone services.
The only point I see for using radius is that many PSTN-gateways support writing CDRs into radius and billing systems will query these CDRs - but why use radius for ser?
well, to put it into one sentence: Because it's the world's most popular authentication mechanism for internet-access related authentication and accounting.
So, if I don't have to deal with ISPs, there is no need to use radius?
regards, klaus
On Tue, 20 Apr 2004, Klaus Darilion wrote:
On (19.04.04 16:59), Klaus Darilion wrote:
As in the tutorial, I used freeradius and put the SIP users into the raddb/users file. Do I have to make this manually for every user or are there any tools to do this? Can radius be used with a backend database for storing user data? If yes, why not directly use the database without radius?
The usual way (as even most ISPs did up to a few years ago) would be to dump customer database into a raddb file regularly via cron.
up to a few years ago? What do they use now?
They use radiator :)
Seriously, there are some big radius platforms that use sql backends to obtain AAA information. Vendors like Lucent, Nortel, Alcatel, etc have their own radius platforms which can work with backends like LDAP, Oracle, etc.
Asynchronous, though, but independent of the availability of your main customer database.
Is radius more available than mysql? This can also be done with 2 databases, just filling the auth-db regularly with data from the main customer database.
Personally I think that radius can be much more available than mysql. Anyway, if you use a database as backend, you need availability in both radius and database.
There are some features in radius servers that allow you, for example, to authenticate all requests if the backend goes down or the opposite, deny all.
The ideal world would be, for example, to have some kind of load balancer as front end, some radius servers to forward the requests and a redundant backend (mysql with replication, LDAP, Oracle or any other system). Radiator, for example, supports more than one backend and if all backends fail, you can forward (proxy) the radius request to another radius server or, finally, write (for accounting) the information to a file so you can export it later to your backend.
Is there any functionality within ser+radius that can't be done with ser+mysql?
Yes. Being able to re-use existing radius servers (e.g. of ISP's and universities [hint!]), and being able to split and proxy authentication requests based on request domain (e.g. handle domainA by ispA's radius server, and handle domainB by ispB's radius server).
How can this be done? I guess this must be done somewhere in the radiusclient, the client has to look up the domain in the From: header (INVITE) and then choose the proper radius server?
...just a moment, I will take a look at at43...
Oh! You have a radius server which forwards the request to the appropriate radius server. So, all the split/forwarding logic is in the main radius server?
You don't need to have all the logic in a main radius server. You can set up a radius proxy server which just forwards the requests (based on any received attribute) to other radius servers that do the real AAA... distributed logic :)
Imagine that you want to connect an ISP who already has several thousand subscribers. He already has a radius server in place, because that's how he authenticates dial-in / DSL access. If you can reuse that authentication facility for just another service (e.g. SIP), the ISP has no hassle with managing yet another user database. He can continue to use his existing authentication servers for the new protocol, and just opens up access to the radius servers by SER.
When I take a look into the users file of freeradius, the entries for PPP ... authentication look different from the ones for SIP (Auth-Type := Digest instead of local). Furthermore, some attributes must be added (e.g. Sip_Rpid). Therefore, I assume it's not that easy.
You just need the right dictionary. The same way, you need the right table/database in mysql... it is the same.
Rpid is only used if needed/wanted, like other parameters you can use.
The only point I see for using radius is that many PSTN-gateways support writing CDRs into radius and billing systems will query these CDRs - but why use radius for ser?
well, to put it into one sentence: Because it's the world's most popular authentication mechanism for internet-access related authentication and accounting.
So, if I don't have to deal with ISPs, there is no need to use radius?
mmmm... I think this is a good reason :)
But, you can use radius together with mysql to compare and consolidate all accounting information from SER and gateways (if you use radius accounting for your gateways).
Saludos JesusR.
-------------------------------
Jesus Rodriguez
VozTelecom Sistemas, S.L.
jesusr@voztele.com
http://www.voztele.com
Tel. 902360305
-------------------------------
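To make concrete what `Auth-Type := Digest` asks of the RADIUS server (the point Klaus and Jesus go back and forth on above), here is an added example, not code from the thread, SER or FreeRADIUS, of the RFC 2617 Digest check seen from both sides: the SIP UA builds the Authorization header from the cleartext password, and the server recomputes the response from the `User-Password` it holds and compares in constant time. The user table, realm, nonces and header values are constructed. It also shows why the users-file entry needs the cleartext password (or the precomputed HA1): a store that only holds one-way hashes of the dial-in passwords cannot serve SIP Digest, which is the real obstacle to reusing an ISP's existing RADIUS data.

```python
"""SIP Digest (RFC 2617) verification as a RADIUS server's Digest auth does it
against a cleartext User-Password.  Added example; not code from the thread,
SER or FreeRADIUS.  The user table and all header values are constructed."""
import hashlib
import hmac
import re

# Constructed stand-in for the users-file User-Password check items.
USER_PASSWORDS = {"klaus": "s3cret", "alice": 'pa"ss'}

# key=value pairs; quoted values may contain escaped quotes, bare ones stop at a comma.
_PARAM_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,]*)')


def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_digest(header):
    """Parse an Authorization header value into a dict with lowercase keys."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    params = {}
    for key, value in _PARAM_RE.findall(rest):
        value = value.strip()
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        params[key.lower()] = value
    return params


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617: MD5(HA1:nonce:HA2), or the qop=auth form with nc and cnonce."""
    ha1 = md5hex(f"{username}:{realm}:{password}")  # needs the cleartext password
    ha2 = md5hex(f"{method}:{uri}")
    if qop is None:
        return md5hex(f"{ha1}:{nonce}:{ha2}")
    if qop == "auth":
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    raise ValueError(f"unsupported qop {qop!r}")


def build_authorization(username, realm, password, method, uri, nonce,
                        qop=None, nc=None, cnonce=None):
    """Client side: what a SIP UA puts in its Authorization header."""
    resp = digest_response(username, realm, password, method, uri, nonce, qop, nc, cnonce)
    parts = [f'username="{username}"', f'realm="{realm}"', f'nonce="{nonce}"',
             f'uri="{uri}"', f'response="{resp}"']
    if qop:
        parts += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    return "Digest " + ", ".join(parts)


def verify(method, request_uri, header, expected_realm, passwords=USER_PASSWORDS):
    """Server side: True only if the response proves knowledge of the password.

    Nonce freshness is deliberately not checked here: in SER the nonce is
    issued and validated by the proxy, and the RADIUS server only recomputes
    the digest over the values it is handed."""
    try:
        p = parse_digest(header)
        username, realm, nonce, uri, response = (
            p[k] for k in ("username", "realm", "nonce", "uri", "response"))
    except (ValueError, KeyError):
        return False
    # The uri parameter is covered by HA2, but it must also be the URI of
    # the request actually being authorised, and the realm must be ours.
    if realm != expected_realm or uri != request_uri:
        return False
    password = passwords.get(username)
    if password is None:
        return False  # unknown user gets the same answer as a bad password
    try:
        expected = digest_response(username, realm, password, method, uri, nonce,
                                   p.get("qop"), p.get("nc"), p.get("cnonce"))
    except ValueError:
        return False
    return hmac.compare_digest(expected, response.lower())


if __name__ == "__main__":
    hdr = build_authorization("klaus", "example.org", "s3cret",
                              "REGISTER", "sip:example.org", "n0nce")
    print(hdr)
    print("valid:", verify("REGISTER", "sip:example.org", hdr, "example.org"))
```

The same computation is what a Digest-capable RADIUS module performs when SER forwards the Digest attributes; the only data it needs from the user store is the cleartext password (or HA1, which is MD5 of `user:realm:password` and is therefore realm-bound). Reusing an ISP's dial-in RADIUS for SIP works only if that store can hand back one of those two values.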
On Mon, 19 Apr 2004, Alexander Mayrhofer wrote:
Hello,
OTOH, there are a few other radius servers out there which can directly fetch user data from e.g. a database server - the most flexible one seems to be Radiator (www.open.com.au): It seems that it could even use a kitchen sink as backend database ;)
It's written in Perl, so adapting it to a new data source is rather easy. Most data sources you can imagine are already supported:
http://www.open.com.au/radiator/technical.html#auth
It's commercial software, but it's worth every cent - support is excellent, too.
I'm with Alexander... Radiator is one of the best pieces of software out there. Together with SER it's the most flexible thing I've seen... and the best selection you can do is SER+Radiator ;)
Saludos JesusR.
-------------------------------
Jesus Rodriguez
VozTelecom Sistemas, S.L.
jesusr@voztele.com
http://www.voztele.com
Tel. 902360305
-------------------------------