[Serusers] newbie radius questions
Klaus Darilion
klaus.mailinglists at pernau.at
Tue Apr 20 00:30:37 CEST 2004
Thanks for the detailed explanations!
comments inline
Alexander Mayrhofer wrote:
> On (19.04.04 16:59), Klaus Darilion wrote:
>>As in the tutorial, I used freeradius and put the SIP users into the
>>raddb/users file. Do I have to make this manually for every user or are
>>there any tools to do this? Can radius be used with a backend database
>>for storing user data? If yes, why not directly use the database without
>>radius?
>
>
> The usual way (as even most ISPs did up to a few years ago) would be to
> dump the customer database into a raddb file regularly via cron.
up to a few years ago? What do they use now?
> Asynchronous,
> though, but independent of the availability of your main customer
> database.
Is radius more available than mysql? This can also be done with 2
databases, just filling the auth-db regularly with data from the main
customer database.
>>Is there any functionality within ser+radius that can't be done with
>>ser+mysql?
>
> Yes. Being able to re-use existing radius servers (e.g. of ISP's and
> universities [hint!]), and being able to split and proxy authentication
> requests based on request domain (e.g. handle domainA by ispA's radius server,
> and handle domainB by ispB's radius server).
How can this be done? I guess this must be done somewhere in the
radiusclient, the client has to lookup the domain in the From: header
(INVITE) and then choose the proper radius server?
...just a moment, I will take a look at at43...
Oh! You have a radius server which forwards the request to the
appropriate radius server. So, all the split/forwarding logic is in the
main radius server?
>
> Imagine that you want to connect an ISP who has already several thousand
> subscribers. He has already a radius server in place, because that's how
> he authenticates dial in / dsl access. If you can reuse that
> authentication facility for just another service (e.g. SIP), the ISP has
> no hassle because of managing just another user database. He can
> continue to use his existing authentication servers for the new
> protocol, and just opens up access to the radius servers by SER.
When I take a look into the users file of freeradius, the entries for
PPP ... authentication look different from the ones for SIP (Auth-Type :=
Digest instead of local). Furthermore, some attributes must be added
(eg. Sip_Rpid). Therefore, I assume it's not that easy.
>
> Additionally, I doubt he will ever hand you over any of his
> subscribers' credentials ...
That's true in case the ISP outsources the phone services.
>
>
>>The only point I see for using radius is that many PSTN-gateways support
>>writing CDRs into radius and billing systems will query these CDRs - but
>>why use radius for ser?
>
>
> well, to put it into one sentence: Because it's the world's most
> popular authentication mechanism for internet-access related authentication
> and accounting.
So, if I don't have to deal with ISPs, there is no need to use radius?
regards,
klaus
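
Added example, not part of the original message and not code from SER or freeradius: one way to do the cron-driven dump of a customer database into a raddb users file that the thread describes, rejecting user names that could inject extra entries and replacing the file atomically. `Auth-Type := Digest` and `Sip_Rpid` are taken from the message; the `User-Password` check item, the SQLite database, the `sip_users` table and its columns are assumptions.

```python
import os, re, sqlite3, tempfile

# Whitelist for user names: anything else could start a new entry or item.
SAFE_NAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")

def quote(value):
    """Double-quote a value; escaping rules are an assumption to verify
    against the users-file parser of the deployed server version."""
    if any(ord(c) < 0x20 for c in value):
        raise ValueError("control character in value")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def render_users(rows, rpid_attr="Sip_Rpid"):
    """Render (username, password, rpid) rows as users-file entries.
    rpid_attr is spelled as in the message; match your dictionary."""
    out = []
    for username, password, rpid in rows:
        # fullmatch, not match with "$": "$" would accept a trailing newline
        if not SAFE_NAME.fullmatch(username):
            raise ValueError("unsafe username: %r" % (username,))
        out.append("%s Auth-Type := Digest, User-Password == %s\n"
                   % (username, quote(password)))
        out.append("\t%s = %s\n\n" % (rpid_attr, quote(rpid)))
    return "".join(out)

def dump_users(db_path, users_path):
    """Read the hypothetical sip_users table and atomically replace the file."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute("SELECT username, password, rpid FROM sip_users "
                           "ORDER BY username").fetchall()
    finally:
        con.close()
    text = render_users(rows)  # validate everything before touching the file
    # mkstemp creates the file with mode 0600: it holds cleartext secrets
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(users_path) or ".")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.replace(tmp, users_path)  # readers never see a half-written file
    except BaseException:
        os.unlink(tmp)
        raise
    return len(rows)

if __name__ == "__main__":
    # Constructed sample rows, not real accounts
    print(render_users([("alice", "s3cret", "1000"), ("bob", 'p"w', "1001")]))
```

A single bad row aborts the run before the temporary file is created, so the previous users file stays in place until the source data is fixed.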