[Serusers] newbie radius questions

Jesus Rodriguez jesusr at voztele.com
Tue Apr 20 12:55:58 CEST 2004


On Tue, 20 Apr 2004, Klaus Darilion wrote:

> > On (19.04.04 16:59), Klaus Darilion wrote:
> >>As in the tutorial, I used freeradius and put the SIP users into the
> >>raddb/users file. Do I have to make this manually for every user or are
> >>there any tools to do this? Can radius be used with a backend database
> >>for storing user data? If yes, why not directly use the database without
> >>radius?
> >
> >
> > The usual way (as even most ISPs did up to a few years ago) would be to
> > dump customer database into a raddb file regularly via cron.
> up to a few years ago? What do they use now?

They use radiator :)

Seriously, there are some big radius platforms that use sql backends to
obtain AAA information. Vendors like Lucent, Nortel, Alcatel, etc. have their
own radius platforms which can work with backends like LDAP, Oracle, etc.


> > Asynchronous,
> > though, but independent of the availability of your main customer
> > database.
>
> Is radius more available than mysql? This can also be done with 2
> databases, just filling the auth-db regularly with data from the main
> customer database.

Personally I think that Radius can be much more available than mysql. Anyway,
if you use a database as backend, you need availability in both radius and
database.

There are some features in radius servers that allow you, for example, to
authenticate all requests if the backend goes down or, the opposite, deny all.

The ideal world would be, for example, to have some kind of load balancer as
front end, some radius servers to forward the requests and a redundant backend
(mysql with replication, LDAP, Oracle or any other system). Radiator, for
example, supports more than one backend and if all backends fail, you can
forward (proxy) the radius request to another radius or, finally, write (for
accounting) the information to a file so you can export it later to your
backend.


> >>Is there any functionality within ser+radius that can't be done with
> >>ser+mysql?
> >
> > Yes. Being able to re-use existing radius servers (e.g. of ISP's and
> > universities [hint!]), and being able to split and proxy authentication
> > requests based on request domain (e.g. handle domainA by ispA's radius server,
> > and handle domainB by ispB's radius server).
>
> How can this be done? I guess this must done somewhere in the
> radiusclient, the client has to lookup the domain in the From: header
> (INVITE) and then choose the proper radius server?
>
> ...just a moment, I will take a look at at43...
>
> Oh! You have a radius server which forwards the request to the
> appropriate radius server. So, all the split/forwarding logic is in the
> main radius server?

You don't need to have all the logic in a main radius server. You can set up a
radius proxy server which just forwards the requests (based on any received
attribute) to other radius servers that make the real AAA... distributed logic
:)


> > Imagine that you want to connect an ISP who has already several thousand
> > subscribers. He has already a radius server in place, because that's how
> > he authenticates dial in / dsl access. If you can reuse that
> > authentication facility for just another service (e.g. SIP), the ISP has
> > no hassle because of managing just another user database. He can
> > continue to use his existing authentication servers for the new
> > protocol, and just opens up access to the radius servers by SER.
>
> When I take a look into the users file of freeradius, the entries for
> PPP ... authentication look different from the ones for SIP (Auth-Type :=
> Digest instead of local). Furthermore, some attributes must be added
> (eg. Sip_Rpid). Therefore, I assume it's not that easy.

You just need the right dictionary. In the same way, you need the right
table/database in mysql... it is the same.

Rpid is only used if needed/wanted, like other parameters you can use.


> >>The only point I see for using radius is that many PSTN-gateways support
> >>writing CDRs into radius and billing systems will query these CDRs - but
> >>why use radius for ser?
> >
> >
> > well, to put it into one sentence: Because it's the world's most
> > popular authentication mechanism for internet-access related authentication
> > and accounting.
>
> So, if I don't have to deal with ISPs, there is no need to use radius?

mmmm... I think this is a good reason :)

But, you can use radius together with mysql to compare and consolidate all
accounting information from SER and gateways (if you use radius accounting for
your gateways).

Saludos
JesusR.

-------------------------------
Jesus Rodriguez
VozTelecom Sistemas, S.L.
jesusr at voztele.com
http://www.voztele.com
Tel. 902360305
-------------------------------
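
The proxy behaviour discussed in this message (forward by realm, fail over between home servers, then either deny all or accept all for authentication, and write accounting to a file when nothing answers), as an added Python example that is not part of the original post or of any RADIUS server's code. The realm names, the `Proxy` class, the home-server functions and the plain `credential` field (standing in for the Digest attributes) are assumptions.

```python
class BackendDown(Exception):
    """A home server (or its SQL/LDAP backend) did not answer."""

NO_ROUTE, ALL_DOWN = object(), object()  # realm not configured / whole pool failed

def split_realm(username):                    # 'user@Realm' -> ('user', 'realm')
    user, sep, realm = username.rpartition("@")
    return (user, realm.lower()) if sep else (username, "")

class Proxy:
    def __init__(self, pools, auth_fail_open=False):
        self.pools = pools                    # realm -> ordered list of home servers
        self.auth_fail_open = auth_fail_open  # False: deny all while backends are down
        self.spool = []                       # stands in for the accounting file

    def _forward(self, username, payload):
        user, realm = split_realm(username)
        if realm not in self.pools:
            return NO_ROUTE
        for server in self.pools[realm]:      # fail-over, in configured order
            try:
                return server(dict(payload, user=user))
            except BackendDown:
                continue
        return ALL_DOWN

    def authenticate(self, username, credential):
        reply = self._forward(username, {"credential": credential})
        if reply is NO_ROUTE:
            return "Access-Reject"            # unknown realm: never accepted
        if reply is ALL_DOWN:
            return "Access-Accept" if self.auth_fail_open else "Access-Reject"
        return reply

    def account(self, username, record):
        reply = self._forward(username, {"record": record})
        if reply is NO_ROUTE or reply is ALL_DOWN:
            self.spool.append(dict(record, user=username))
            return "spooled"                  # export to the backend later
        return reply

def down(_request):                           # constructed home server that is offline
    raise BackendDown()

def isp_a(request):                           # constructed home server for one ISP
    if "record" in request:
        return "Accounting-Response"
    ok = (request["user"], request["credential"]) == ("alice", "s3cret")
    return "Access-Accept" if ok else "Access-Reject"
```

With `auth_fail_open=True` every user of a realm whose home servers are all down is accepted, so the choice between the two policies is a trade of availability against authentication strength for exactly that outage window.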



