freeradius and dynamic ip allocation

Paul Robinson paul at iconoplex.co.uk
Thu May 29 11:52:44 BST 2003


On Thu, May 29, 2003 at 11:31:13AM +0100, Pete French wrote:

> I've been following the radius discussion here with increasing interest, because
> when it began I didn't really know or care what RADIUS was, but now I do!

We've opened a right nasty can of worms now, haven't we... oh dear... so, 
quickly, let's just go over a few things if you're new to it:

- In my very personal and extremely humble opinion, RADIUS is broken. It
goes over UDP and has built-in retries that quite often don't work - the
first site I used it large-scale had 20,000 modem ports and 750,000 dial-in
users and we lost somewhere around 15% of accounting packets making them
more or less useless. It did its job when RAS and NAS kit came onto the
scene but everybody agrees it's a silly protocol for most modern apps. The
only reason why people use it is because there is no alternative on most
modem racks. The accounting stuff, if done properly, can be nice in some
situations, but I used to dream about RADIUS I knew it that well, and I
hated it.

- Cisco tried to compete with TACACS. Avoid this protocol like the plague.  
It fixes loads of problems RADIUS had (it used TCP for a start which made
things a damned sight easier to track over 20,000 modem ports) but there is
no decent implementation. Even Cisco abandoned this one and their TACACS
server is like one of those really horrible nasty dogs where the kindest
thing to do is put it down.

- RADIUS' IETF-backed successor is DIAMETER (geddit?!??!!) and the last time
I looked in on the working groups it wasn't in too clever a shape. It seems
to have struggled out to an RFC - 2924 - which they claim was written in
September 2000. I've just scanned it, and it ain't the same doc I was looking
at in early 2002. Anyway, nobody really supports it yet, but as soon as they
do, for most apps it's worth moving. It might suck, but it sucks a whole lot
less than RADIUS ever did... one of my projects that is on my incredibly big 
to-do list is to play with it more. Oh, there is one thing about DIAMETER - 
it supports both mobile IP and IPv6 in its current form. 
http://www.diameter.org/ if you're really interested.
 
> It sounds like it could be just what I need - does anyone know of anything
> under FreeBSD that would let me set up VPN's for Windows clients which talks
> to a Radius server ? 

VPN work is its own area. There are loads of ways of doing it, and if 
you're on Safari, take a look at the O'Reilly book on the subject. It's a 
bit out of date, but at least the solutions work. But yes, most of them will 
allow an auth and accounting packet to be sent via RADIUS to your big server 
that should be called "God" or "Allah" or something, as you've just 
invested it with complete authority over the network. You have been warned.

> I have an 802.11g wireless hub which will talk to
> a RADIUS server too - and I am thinking that I could set up one server which
> would authenticate users when they are in range of the LAN or when they
> go roaming the world and want to connect back to home using a VPN and appear
> on the LAN at the same IP address they would have if local.
> 
> Does this sound feasible at all ?

Completely feasible. It will all talk to the same server, and you'll have 
all the information you need - providing the accounting packets don't get 
dropped and you end up with a database that insists your MD has been logged 
in via China for the last 800 hours. I'm not too hot on the Windows VPN 
issues, but I'm sure somebody else will step in on that. But yes, the 
implementations are out there, you'll have problems because the protocol 
sucks, but if you can live with that, go for it. It sounds good for your 
situation.

-- 
Paul Robinson
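The accounting-loss problem Paul describes above (a Stop record dropped on the UDP path, so the database insists someone is still logged in for 800 hours) is easy to see in a small model. The following is an added example and not code from this thread or from FreeRADIUS: it builds RFC 2866 Accounting-Request packets with constructed user names, session ids, timestamps and a constructed shared secret, verifies the Request Authenticator with that secret, parses the attributes, and then reconciles the delivered packets so a session with a Start but no Stop and no Interim-Update within a timeout is reported as stale rather than as a live login. The packet format and authenticator computation are from RFC 2866; the reconciliation policy and the `stale_after` threshold are assumptions of this example.

```python
"""RADIUS accounting (RFC 2866) packet builder/verifier plus a reconciler that
flags sessions whose Stop record never arrived (constructed example)."""
import hashlib
import hmac
import struct

ACCT_REQUEST = 4            # Accounting-Request code (RFC 2866)
ATTR_USER_NAME = 1
ATTR_ACCT_STATUS_TYPE = 40  # 1 = Start, 2 = Stop, 3 = Interim-Update
ATTR_ACCT_SESSION_ID = 44


def _avp(attr_type: int, value: bytes) -> bytes:
    # Attribute-Value Pair: Type(1) Length(1, includes the 2-byte header) Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_acct_request(ident: int, secret: bytes, user: str, session_id: str,
                       status: int) -> bytes:
    """Build an Accounting-Request whose Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    attrs = (_avp(ATTR_USER_NAME, user.encode())
             + _avp(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))
             + _avp(ATTR_ACCT_SESSION_ID, session_id.encode()))
    length = 20 + len(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, length)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_acct_request(packet: bytes, secret: bytes) -> bool:
    """Recompute the Request Authenticator with the shared secret; a packet
    that fails this check was corrupted, forged, or sent with the wrong secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet: bytes) -> dict:
    """Walk the AVP list after the 20-byte header; stop on a malformed length
    rather than looping forever or reading past the end of the buffer."""
    out, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            break
        out[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return out


def reconcile(packets, secret: bytes, now: int, stale_after: int = 3600) -> dict:
    """Replay delivered (packet, arrival_time) pairs in order and build a
    session table. A session that is still 'active' but has not been heard
    from for `stale_after` seconds is marked 'stale' instead of being
    reported as a login that has lasted until now (assumed policy)."""
    sessions = {}
    for pkt, ts in packets:
        if not verify_acct_request(pkt, secret):
            continue                      # discard packets with a bad authenticator
        attrs = parse_attrs(pkt)
        sid = attrs[ATTR_ACCT_SESSION_ID].decode()
        status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0]
        sess = sessions.setdefault(sid, {"user": attrs[ATTR_USER_NAME].decode(),
                                         "state": "unknown", "last_seen": ts})
        sess["last_seen"] = ts
        if status in (1, 3):              # Start or Interim-Update
            sess["state"] = "active"
        elif status == 2:                 # Stop
            sess["state"] = "closed"
    for sess in sessions.values():
        if sess["state"] == "active" and now - sess["last_seen"] > stale_after:
            sess["state"] = "stale"
    return sessions


SECRET = b"constructed-shared-secret"    # constructed, not a real deployment value
# Constructed traffic as seen by the server. alice's Stop never arrived;
# bob's session completed; the last packet came from a NAS configured with
# the wrong shared secret and must not be trusted.
DELIVERED = [
    (build_acct_request(1, SECRET, "alice", "sess-001", 1), 1000),
    (build_acct_request(2, SECRET, "bob", "sess-002", 1), 1010),
    (build_acct_request(3, SECRET, "bob", "sess-002", 2), 1800),
    (build_acct_request(4, b"wrong-secret", "carol", "sess-003", 1), 1900),
]
# alice's Stop was sent by the NAS but dropped on the UDP path (constructed).
LOST_STOP = build_acct_request(5, SECRET, "alice", "sess-001", 2)


def demo() -> dict:
    # 800 hours after alice's Start: she should show as stale, not logged in.
    return reconcile(DELIVERED, SECRET, now=1000 + 800 * 3600)


if __name__ == "__main__":
    for sid, sess in demo().items():
        print(sid, sess)
```

The stale marking is the practical mitigation for lost Stop records: paired with Interim-Update accounting on the NAS, the server can bound how long a phantom session survives, and the authenticator check keeps a misconfigured or unknown NAS from polluting the table at all.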
