[Serusers] newbie radius questions

[Alexander Mayrhofer]

On (19.04.04 16:59), Klaus Darilion wrote:
> As in the tutorial, I used freeradius and put the SIP users into the 
> raddb/users file. Do I have to make this manually for every user or are 
> there any tools do to this? Can radius be used with a backend database 
> for storing user data? If yes, why not directly use the database without 
> radius?

The usual way (as even most ISPs did up to a few years ago) would be to
dump customer database into a raddb file regularly via cron. Asnychronous,
though, but independent of the availability of your main customer
database.

OTOH, there are a few other radius servers out there which can directly
fetch user data from e.g. a database server - the most flexible one
seems to be Radiator (www.open.com.au): It seems that it could even use
a kitchen sink as backend database ;)

It's written in Perl, so adapting ot to a new data source is rather
easy. Most data sources you can imagine are already supported:

http://www.open.com.au/radiator/technical.html#auth

It's commercial software, but it's worth every cent - support is
excellent, too.

> Using mysql for user authentication, adding new user is simple - serctl 
> or serweb. I miss such a simple solution for radius.

Well, you directly modify a raddb file just for hack value. You really wnat
to keep you customer's accounts somewhere else, and just regenerate the
raddb file from there once you get approx the 100 user barrier. vi'ing
raddb files is the hardcore approach (especially if you go without rcs
;)

> Can/will radius also be used for location contacts - or is it a must to 
> use mysql(postgres) for persistent user location?

radius was never designed for that. it's not made for updating information,
just for looking up and verifying account attributes (hence "Remote
Authentication and Dial-In User Service").
There no facility to store or modify any attributes of an user account
via radius, so you still have to use one of the supported location
storage methods.

> Is there any functionality within ser+radius that can't be done with 
> ser+mysql?

Yes. Being able to re-use existing radius servers (e.g. of ISP's and
universities [hint!]), and being able to split and proxy authentication 
requests based on request domain (e.g. handle domainA by ispA's radius server,
and handle domainB by ispB's radius server).

Imagine that you want to connect a ISP who has already several thousand
subscribers. He has already a radius server in place, because that's how
he authenticates dial in / dsl access. If you can reuse that
autentication facility for just another service (e.g. SIP), the ISP has
no hassle because of managing just another user database. He can
continue to use his existing authentication servers for the new
protocol, and just opens up access to the radius servers be SER.

Additionally, i doubt he will ever hand you over any of his
subscriber's credentials ... 

> The only point I see for using radius is that many PSTN-gateways support 
> writing CDRs into radius and billing systems will query these CDRs - but 
> why use radius for ser?

well, to put it into one sentence: Because it's the world most
popular authentication mechanism for internet-access related authentication 
and accounting.

cheers

axelm