Radius w/ MySQL?

nightrav asks: "I'm one of the systems administrators at a small ISP (about 20k customers) and we're currently looking on moving to a different Radius solution. Currently we are using Merit with LDAP which is proving to be extremely slow and causes a great deal of authentication issues if a Total Control chassis reboots or experiences some other problem that causes it to dump its users. We would like to use some sort of Radius/MySQL solution for authentication and accounting and were wondering what solutions the Slashdot community would recommend."

FreeRadius plus OpenLDAP or PostgreSQL

[GOD_ALMIGHTY]

FreeRadius seems to be able to deal with datasource changes better than the GNU Radius Server. You can set up user auth info in OpenLDAP for FreeRadius and set up OpenLDAP in a Master-Slave cluster for scalability and robustness.

Postgres can also be used to store both auth and accounting info from FreeRadius and has the ability to live in a cluster for reliability purposes, I know their also working on scalability clusters, but I don't know how far along it is.

Having your user auth info in OpenLDAP will prolly get that info out faster than Postgres, but it can only be used to store auth info. It will most likely be easier to store all the data in Postgres.

Don't use MySQL if you want scalability, speed and robustness all in one package. Postgres has got much better features when it comes to this, it also has native data-types for ip addresses and such.

OpenLDAP might make your migration easier, with any new data you want to store going to Postgres.

I'd recommend thouroughly testing these setups first. Especially the clustering.

despite other comments...

[abulafia]

I did this at my last company with Oracle+openLDAP for > 1,000,000 users. Worked great, after some tuning. Which, admittedly, took some time. If that is an issue, don't be headstrong like I was and hire someone who knows how to do it the first time through, rather than learning as you go.

Doing things now at my current job (typically for much smaller user bases), I use postgres in place of Oracle, unless the client has a preference. It just works, it is fast, it doesn't chew off a limb when it has a problem. You can do more interesting queries if you need to. It is enterprise class, Mysql is not, yet. Sorry.

I wonder at all the people who have had endless problems with Open LDAP. If you read the docs, think about what they mean for your environment, and implement correctly, it works wonderfully, from stability to performance to features. Of course, lots of people have horror stories about Postgres, too, most of them illustrations of how not to run a real database. All I can say is these tools work for me and my clients.

My new company is currently about to close, I think, a deal to do what I described above for ~4M users. I'm entirely confident it will work, based on as close to empirical testing as we can emulate. The real world is always different, but that makes it fun. YMMV.

-j

We run this exact setup

[PhaseBurn]

I'm the network administrator for an ISP based in California with 10k customers, currently. We use radius + e-mail services authenticated against MySQL, and I can very easily help you configure it...

First off, we use ICRadius for our RADIUS server... Using MySQL replication, we avoid a single point of failure... ICRadius is free, and based on Cistron Radius... It works for our needs. Secondly, we use the Exim MTA for SMTP, and Courier IMAP for pop3/imap services... Mail is stored on a RAID exported over NFS, so mail servers are quite easily clustered... Lastly, we have a home-grown account management program we wrote, called "Nebula" that manages all aspects of an account...

If you'd like examples of a config file, implementation suggestions, of even a copy of Nebula (it's open source, free), please let me know. You can e-mail me personally at work at dbauman (at) infostations (dot) net. I even have the origional ICRadius + MySQL howtos from years ago when we migrated away from Cistron, and also the ISP-Planet's ISP-Radius mailing list can be of help to you...