[Serusers] newbie radius questions

Klaus Darilion klaus.mailinglists at pernau.at
Tue Apr 20 00:30:37 CEST 2004


Thanks for the detailed explanations!
comments inline

Alexander Mayrhofer wrote:

> On (19.04.04 16:59), Klaus Darilion wrote:
>>As in the tutorial, I used freeradius and put the SIP users into the 
>>raddb/users file. Do I have to do this manually for every user or are 
>>there any tools to do this? Can radius be used with a backend database 
>>for storing user data? If yes, why not directly use the database without 
>>radius?
> 
> 
> The usual way (as even most ISPs did up to a few years ago) would be to
> dump customer database into a raddb file regularly via cron. 
Up to a few years ago? What do they use now?

> Asynchronous,
> though, but independent of the availability of your main customer
> database.

Is radius more available than mysql? This can also be done with 2 
databases, just filling the auth-db regularly with data from the main 
customer database.

>>Is there any functionality within ser+radius that can't be done with 
>>ser+mysql?
> 
> Yes. Being able to re-use existing radius servers (e.g. of ISP's and
> universities [hint!]), and being able to split and proxy authentication 
> requests based on request domain (e.g. handle domainA by ispA's radius server,
> and handle domainB by ispB's radius server).

How can this be done? I guess this must be done somewhere in the 
radiusclient, the client has to lookup the domain in the From: header 
(INVITE) and then choose the proper radius server?

...just a moment, I will take a look at at43...

Oh! You have a radius server which forwards the request to the 
appropriate radius server. So, all the split/forwarding logic is in the 
main radius server?

> 
> Imagine that you want to connect an ISP who has already several thousand
> subscribers. He has already a radius server in place, because that's how
> he authenticates dial in / dsl access. If you can reuse that
> authentication facility for just another service (e.g. SIP), the ISP has
> no hassle because of managing just another user database. He can
> continue to use his existing authentication servers for the new
> protocol, and just opens up access to the radius servers by SER.

When I take a look into the users file of freeradius, the entries for 
PPP ... authentication look different from the ones for SIP (Auth-Type := 
Digest instead of local). Furthermore, some attributes must be added 
(e.g. Sip_Rpid). Therefore, I assume it's not that easy.
> 
> Additionally, I doubt he will ever hand you over any of his
> subscriber's credentials ... 

That's true in case the ISP outsources the phone services.
> 
> 
>>The only point I see for using radius is that many PSTN-gateways support 
>>writing CDRs into radius and billing systems will query these CDRs - but 
>>why use radius for ser?
> 
> 
> Well, to put it into one sentence: Because it's the world's most
> popular authentication mechanism for internet-access related authentication 
> and accounting.

So, if I don't have to deal with ISPs, there is no need to use radius?

regards,
klaus
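
The cron-driven dump of a customer database into the raddb/users file discussed in this thread, as an added example that is not part of the original messages and not code from freeradius or SER. Assumptions: the `subscriber` table and its columns are hypothetical, and the `User-Password` check item and its `:=` operator must be checked against the dictionary and version of the radius server in use.

```python
import os
import sqlite3
import tempfile

def quote(value):
    """Quote a value; escape backslash and double quote so it cannot end the string early."""
    if any(ch in value for ch in "\r\n\0"):
        raise ValueError("control character in value")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def render_users(rows):
    """Turn (username, password) rows into users-file text, one entry per line."""
    lines = []
    for username, password in rows:
        # The user name starts the line unquoted, so refuse anything that could
        # start a comment, add a check item, or split the entry.
        if not username or any(ch.isspace() or ch in '",#\\' for ch in username):
            raise ValueError(f"unsafe user name: {username!r}")
        # Assumption: digest entries carry the cleartext password as a check item.
        lines.append(f"{username}\tAuth-Type := Digest, User-Password := {quote(password)}\n")
    return "".join(lines)

def dump(conn, path):
    """Export active subscribers to `path`; readers never see a half-written file."""
    rows = conn.execute(
        "SELECT username, password FROM subscriber WHERE active = 1 ORDER BY username"
    ).fetchall()
    text = render_users(rows)  # validate everything before touching the disk
    # mkstemp creates the file with mode 0600: it holds cleartext passwords.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".users.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # atomic rename within the same directory
    except BaseException:
        os.unlink(tmp)
        raise
    return len(rows)

def sample_db():
    """Constructed sample data standing in for the main customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (username TEXT, password TEXT, active INTEGER)")
    conn.executemany("INSERT INTO subscriber VALUES (?, ?, ?)",
                     [("bob", 'pa"ss', 1), ("alice", "secret", 1), ("carol", "old", 0)])
    return conn
```

Validation runs before the temporary file is created, so one bad record aborts the run and leaves the previous users file in place.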




