Slashdot Mirror


Radius w/ MySQL?

nightrav asks: "I'm one of the systems administrators at a small ISP (about 20k customers) and we're currently looking on moving to a different Radius solution. Currently we are using Merit with LDAP which is proving to be extremely slow and causes a great deal of authentication issues if a Total Control chassis reboots or experiences some other problem that causes it to dump its users. We would like to use some sort of Radius/MySQL solution for authentication and accounting and were wondering what solutions the Slashdot community would recommend."

34 comments

  1. Radiator. by ¡ · · Score: 2, Informative

    I can wholeheartedly recommend Radiator. It's written in Perl, which makes it really easy to extend to your own needs, etc. It's got built in modules to both log to and authenticate from Radius. It just works... and works quite well. It's not free, however, which a lot of people don't like; it's worth every penny you'll pay for it though. link.

  2. Open: FreeRADIUS Closed: Steelbelted RADIUS by routerwhore · · Score: 3, Informative
    Cheap? FreeRADIUS
    http://www.freeradius.org

    Wanna Pay? Steelbelted RADIUS
    http://www.funksoftware.com

    1. Re:Open: FreeRADIUS Closed: Steelbelted RADIUS by Anonymous Coward · · Score: 2, Informative

      Free (as in speech)
      http://www.gnu.org/software/radius/radius.html

    2. Re:Open: FreeRADIUS Closed: Steelbelted RADIUS by pruneau · · Score: 1
      Just my .2 cents:

      We just tested a steel-belted radius (funk(r)) working with Iplanet (Sun(r)), and got about 600 processed radius requests per second, which is largely enough for you.

      I'm not disclosing the full study here (wanna keep my job, guys), but since radius is mainly network/cpu intensive, and because any Database is throughput intensive, it makes sense to split them over two boxes and to tune those boxes differently.

      Besides, it helps if you ever want redundancy, which is probably quite desirable as an ISP.

      Which raises a question: what LDAP implementation are you using?

      Another point: why use a stacking of DB, like [Whatever]LDAP over [Whatever]SQL, it is just a waste of resources, because an LDAP schema is not made to fit into a relational database.

      Stick to Radius/Ldap, and test your prototype performance. Here is a free test script, though I do not know if it will work with your choice of radius.

      --
      [Pruneau /\o^O/\ warranty void if this .sig is removed]
  3. Commercial & OSS Radius by Mordant · · Score: 3, Informative

    http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Software:Cisco_Secure_ACS_UNIX

    or

    http://www.gnu.org/software/radius/radius.html

    or

    http://www.freeradius.org/

  4. LDAP is awful by 0x0d0a · · Score: 2, Insightful

    Anything except LDAP.

    When it comes to performance, LDAP is a bad protocol, and OpenLDAP is an even worse implementation.

  5. Re:GO STIK YOUR HEAD IN A PIG by Will+Sowerbutts · · Score: 0, Troll

    finally someone on SLASHDOT has the sense to give a SENSIBLE REPLY to a STUPID QUESTION. waht the FCUK WARE they TLAKING ABOOT?!

  6. LDAP + ODBC + MySQL by red_dragon · · Score: 2

    If you're using OpenLDAP, you can rebuild it with ODBC support and run it on top of MySQL. I've tried running it with PostgreSQL, but have had no luck with it yet. The configure flag for this is --enable-sql.

    HTH.

    --
    In Soviet Russia, Jesus asks: "What Would You Do?"
  7. FreeRadius plus OpenLDAP or PostgreSQL by GOD_ALMIGHTY · · Score: 4, Informative

    FreeRadius seems to be able to deal with datasource changes better than the GNU Radius Server. You can set up user auth info in OpenLDAP for FreeRadius and set up OpenLDAP in a Master-Slave cluster for scalability and robustness.

    Postgres can also be used to store both auth and accounting info from FreeRadius and has the ability to live in a cluster for reliability purposes, I know they're also working on scalability clusters, but I don't know how far along it is.

    Having your user auth info in OpenLDAP will prolly get that info out faster than Postgres, but it can only be used to store auth info. It will most likely be easier to store all the data in Postgres.

    Don't use MySQL if you want scalability, speed and robustness all in one package. Postgres has got much better features when it comes to this, it also has native data-types for ip addresses and such.

    OpenLDAP might make your migration easier, with any new data you want to store going to Postgres.

    I'd recommend thoroughly testing these setups first. Especially the clustering.

    --
    Arrogance is Confidence which lacks integrity. -- me
  8. Cistron Radius by caldroun · · Score: 1

    I have been using Cistron for 2 years now, at least.
    Cistron Radius
    RPMS for Cistron with MySQL

    --
    "If you have done 6 impossible things this morning, why not round it off with breakfast at Milliways" -- hhgg
  9. despite other comments... by abulafia · · Score: 4, Interesting

    I did this at my last company with Oracle+openLDAP for > 1,000,000 users. Worked great, after some tuning. Which, admittedly, took some time. If that is an issue, don't be headstrong like I was and hire someone who knows how to do it the first time through, rather than learning as you go.

    Doing things now at my current job (typically for much smaller user bases), I use postgres in place of Oracle, unless the client has a preference. It just works, it is fast, it doesn't chew off a limb when it has a problem. You can do more interesting queries if you need to. It is enterprise class, Mysql is not, yet. Sorry.

    I wonder at all the people who have had endless problems with Open LDAP. If you read the docs, think about what they mean for your environment, and implement correctly, it works wonderfully, from stability to performance to features. Of course, lots of people have horror stories about Postgres, too, most of them illustrations of how not to run a real database. All I can say is these tools work for me and my clients.

    My new company is currently about to close, I think, a deal to do what I described above for ~4M users. I'm entirely confident it will work, based on as close to empirical testing as we can emulate. The real world is always different, but that makes it fun. YMMV.

    -j

    --
    I forget what 8 was for.
    1. Re:despite other comments... by Khazunga · · Score: 2
      My new company is currently about to close
      never start a phrase like that nowadays
      , I think, a deal
      I almost didn't read that :-)
      --
      If at first you don't succeed, skydiving is not for you
  10. FreeRadius + MySQL by UuCon · · Score: 2, Insightful

    Freeradius comes with a SQL module to do authentication and accounting through MySQL, PgSQL, etc. My team uses it quite a lot at my place of employment...we ended up using it to replace a SafeWord installation and everybody has been very happy with it.

    See Here for more info on the SQL module.

    We also ended up using phpMyAdmin to administrate the adding/removing of users, groups, & other attributes.

    ryanc

  11. We run this exact setup by PhaseBurn · · Score: 4, Informative

    I'm the network administrator for an ISP based in California with 10k customers, currently. We use radius + e-mail services authenticated against MySQL, and I can very easily help you configure it...

    First off, we use ICRadius for our RADIUS server... Using MySQL replication, we avoid a single point of failure... ICRadius is free, and based on Cistron Radius... It works for our needs. Secondly, we use the Exim MTA for SMTP, and Courier IMAP for pop3/imap services... Mail is stored on a RAID exported over NFS, so mail servers are quite easily clustered... Lastly, we have a home-grown account management program we wrote, called "Nebula" that manages all aspects of an account...

    If you'd like examples of a config file, implementation suggestions, or even a copy of Nebula (it's open source, free), please let me know. You can e-mail me personally at work at dbauman (at) infostations (dot) net. I even have the original ICRadius + MySQL howtos from years ago when we migrated away from Cistron, and also the ISP-Planet's ISP-Radius mailing list can be of help to you...

    --
    -PhaseBurn Welcome to Linux country. On quiet nights, you can hear windows reboot.
    1. Re:We run this exact setup by wsapplegate · · Score: 1

      Well, since we run this exact setup, too (ICRadius, MySQL replication, Sendmail/Exim/Solid-POP3), I would like to ask you a question (consider it a recursive Ask Slashdot :-) We want to change our network configuration, and this includes replacing our two access servers with a bigger one. Problem is, one of these is currently used partly for our customers and partly for those of a bigger ISP to whom we provide a POP in our region; so, this server queries that ISP's RADIUS servers, not our ones. Since the two E1s will go into a single NAS in the new setup, our RADIUS servers need to be able to forward the queries to the other ISP servers if they don't find a username locally. Is this possible with ICRadius? How?

      --
      Xenu brings order!
  12. ICRADIUS by nocomment · · Score: 1

    Go with ICRADIUS/MySQL. Works great. You didn't mention what state you are in. But if you are in California, give O-1 (oh-one) communications a call. Ask for Steve.

    --
    /* oops I accidentally made a comment, sorry */
    /* http://allyourbasearebelongto.us */
    1. Re:ICRADIUS by Anonymous Coward · · Score: 0

      Steve Katen is the bomb...

      So is Tom Sawyer and Kevin Gowen though, too...

      Everybody down at O1 seems to have a clue for the most part; I'd recommend them highly!

  13. Say no to MySQL by Anonymous Coward · · Score: 0

    It's just a way you know nothing. Use PostgreSQL, which is faster and supports the SQL language.

  14. Radius w/ MySQL by rjsousa · · Score: 1

    You can do radius with MySQL.

    However it depends what you want to do with your data. I work in a small telco (we have about 100K calls a day) and we are using Radiator with OpenLDAP + MySQL. OpenLDAP took a li'l hammering, but now is quite fine, even tho performance was never much of a problem. On average, our main radius servers reply in a few (<10) milliseconds.
    WRT MySQL we are using it for our session database and are extremely happy with it. On the other hand, aren't quite as happy with our Accounting Database and will, most likely, move away from MySQL, due to the fact we need to make more complex queries and relationships than we can afford to right now.
    I can only recommend that, as a Radius Server, you use Radiator. It will allow you to move and change datasources (almost) transparently.
    RJS

  15. Re:Radiator (totally rocks). by funky+womble · · Score: 2

    I'll definitely agree with that. (Did you mean 'built in modules to log to and authenticate from MySQL' maybe? Although what you say is correct of course :-) Really flexible, and it's supplied supporting an amazing number of authentication sources. Helpful people too.

  16. radiator and 40,000 users.. by elvisior · · Score: 1

    We use radiator with oracle to support 40,000 users with no problems whatsoever.. the support and software is great.

  17. Re:Radiator (totally rocks). by Anonymous Coward · · Score: 0

    Seconded - once you switch you won't look back. It can handle anything.

  18. icradius by Peartree · · Score: 1

    http://freshmeat.net/projects/icradius/?topic_id=43
    It's cross platform (I've run it on both Solaris and Linux). It's really fast too.

  19. Radiator.. by sudog · · Score: 1

    When you buy it, it comes with full source. I ended up having to modify it because the ISP I was working for was on a buying craze and picking up tonnes of other smaller ISPs that had conflicting usernames that needed to be dealt with--and nobody was willing to implement Radius realms.

    It was messy but worked perfectly when I left.

  20. Why not try GNU-Radiusd? by tzanger · · Score: 2

    We run it with Postgres (run away from MySQL, but GNU-RADIUSD can use it) -- it's fast for us (6k+ customers), under active development and stable as hell.

  21. Re:Cistron Radius - SECONDED by schon · · Score: 2

    I've been using Cistron since 1997.. it's powerful, easy to configure, and stable (zero downtime since we installed it - including during upgrades.)

  22. PAM by Anonymous Coward · · Score: 0

    I don't notice anyone mentioning PAM .. couldn't you just get a radius server that supports PAM and use a pam_mysql module to authenticate ?? I do this with radius+ldap, radius uses pam which in turn uses ldap ..

    sticking to pam would be much more flexible than going for a straight radius+mysql solution.

    but maybe it's too slow, I don't have a high traffic environment ...PAM works good for me though(LDAP over SSL/TLS)

  23. Oscillating Unity by CMiYC · · Score: 2

    It's obvious the solution to your problem is a custom web-based front end to an overly complicated Oracle database. Ideally the schema should make very little sense with hundreds of unused columns--many of which are misspellings. (Thanks for the DROP COLUMN command, oracle). In order to ensure maximum benefit, this system should be designed by a couple of guys who are COMPLETELY drunk off their rocker and refuse to document anything. The system will exhibit wild uptimes given that the programmers are drunk during 75-80% of the system's overall development. A solution such as this will provide you with enormous perceived flexibility, tons of headaches, and job security.

    Oh wait, you already have that in place. ;)

  24. Freeradius+openldap+postgresql by Anonymous Coward · · Score: 0

    About 4 months due to the launch of a new product I had to look for a more scalable solution to aaa. The old radiusd had limitations on the user repository and could only store about 63k users. It is worth noting that paying $US+20k for a commercial solution that scaled well beyond 200k users was not an option.

    So I started looking for a solution and quickly the search range got reduced to gnuradius, openradius and freeradius. Evaluating them was simple, and their relative disadvantages were easily discovered. Basically gnuradius and openradius devel seemed to be stalled (even today), and were not very feature-rich. On the other side freeradius showed the bigger and cooler feature set as well as a continuous development which now I see as constant.

    Currently aaa has been completely migrated and freeradius is running with openldap providing service to +100k users.

    The next step is to move all the accounting to a database. In order to migrate and keep history of the users time counters I have to load the information of about 6.5 million accounting packets to the database. Preliminary tests show that MySQL definitely is not the solution; it answers to the inserts and updates issued by the radiusd in a timely manner but as soon as I start querying it the global performance of the system is affected, due to I/O it seems. The results of the same tests with pg show a much better performance even with concurrent operations executed by me, radiusd and external scripts.

    So, as far as my experience goes, my suggestion is to go with a solution that really scales; you never know when you will have commercial department telling you 'hey, I need to create some hundreds of thousands user ids i just sold', or when a merger will take place.

  25. OpenLDAP works just fine by Anonymous Coward · · Score: 0

    I have benchmarked freeradius against openLDAP with 50k different users and was able to authenticate them at almost 80 per second on a dell poweredge 1550.

    I wouldn't dare use mysql over openldap, not for authentication anyway.