Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
The Internet

Radius w/ MySQL? 34

nightrav asks: "I'm one of the systems administrators at a small ISP (about 20k customers) and we're currently looking on moving to a different Radius solution. Currently we are using Merit with LDAP which is proving to be extremely slow and causes a great deal of authentication issues if a Total Control chassis reboots or experiences some other problem that causes it to dump its users. We would like to use some sort of Radius/MySQL solution for authentication and accounting and were wondering what solutions the Slashdot community would recommend."
This discussion has been archived. No new comments can be posted.

Radius w/ MySQL?

Comments Filter:
  • Radiator. (Score:2, Informative)

    by ¡ ( 97947 )
    I can wholeheartedly recommend Radiator. It's written in Perl, which makes it really easy to extend to your own needs, etc. It's got built in modules to both log to and authenticate from Radius. It just works... and works quite well. It's not free, however, which a lot of people don't like; it's worth every penny you'll pay for it though. link. []
    • I'll definitely agree with that. (Did you mean 'built in modules to log to and authenticate from MySQL' maybe? Although what you say is correct of course :-) Really flexible, and it's supplied supporting an amazing number of authentication sources. Helpful people too.
  • by routerwhore ( 552333 ) on Tuesday September 10, 2002 @09:33PM (#4233908) Homepage
    Cheap? FreeRADIUS

    Wanna Pay? Steelbelted RADIUS

    • by Anonymous Coward
      Free (as in speech)
      • Just my .2 cents:

        We just tested a steel-belted radius (funk(r)) working with Iplanet (Sun(r)), and go about 600 processed radius requests per seconds, which is largerly enough for you.

        I'm not disclosing the full study here (wanna keep my job, guys), but since radius is mainly network/cpu intensive, and because any Database is througput intensive, it make sense to split them over two boxes and to tune those boxes differently.

        Besides, it helps if you ever want redundancy, which is probably quite desirable as an ISP.

        Which raises a question: what LDAP implementation are you using ?

        Another point: why use a stacking of DB, like [Whatever]LDAP over [Whatever]SQL, it is just a waste of ressources, because an LDAP schema is not made to fit into a relationnal database.

        Stick to Radius/Ldap, and test your prototype performance. Here is a free test scripts [], though I do not know if it will work with your choice of radius.

  • by Mordant ( 138460 ) on Tuesday September 10, 2002 @09:33PM (#4233910) .pl?p=Software:Cisco_Secure_ACS_UNIX


  • LDAP is awful (Score:2, Insightful)

    by 0x0d0a ( 568518 )
    Anything except LDAP.

    When it comes to performance, LDAP is a bad protocol, and OpenLDAP is an even worse implementation.
  • If you're using OpenLDAP, you can rebuild it with ODBC support and run it on top of MySQL. I've tried running it with PostgreSQL, but have had no luck with it yet. The configure flag for this is --enable-sql.


  • FreeRadius seems to be able to deal with datasource changes better than the GNU Radius Server. You can set up user auth info in OpenLDAP for FreeRadius and set up OpenLDAP in a Master-Slave cluster for scalability and robustness.

    Postgres can also be used to store both auth and accounting info from FreeRadius and has the ability to live in a cluster for reliability purposes, I know their also working on scalability clusters, but I don't know how far along it is.

    Having your user auth info in OpenLDAP will prolly get that info out faster than Postgres, but it can only be used to store auth info. It will most likely be easier to store all the data in Postgres.

    Don't use MySQL if you want scalability, speed and robustness all in one package. Postgres has got much better features when it comes to this, it also has native data-types for ip addresses and such.

    OpenLDAP might make your migration easier, with any new data you want to store going to Postgres.

    I'd recommend thouroughly testing these setups first. Especially the clustering.
  • I have been using Cistron for 2 years now, atleast.
    Cistron Radius []
    RPMS for Cistron with MySQL []
  • by abulafia ( 7826 ) on Wednesday September 11, 2002 @12:03AM (#4234701)
    I did this at my last company with Oracle+openLDAP for > 1,000,000 users. Worked great, after some tuning. Which, admittedly, took some time. If that is an issue, don't be headstrong like I was and hire someone who knows how to do it the first time through, rather than learning as you go.

    Doing things now at my current job (typically for much smaller user bases), I use postgres in place of Oracle, unless the client has a preference. It just works, it is fast, it doesn't chew off a limb when it has a problem. You can do more interesting queries if you need to. It is enterprise class, Mysql is not, yet. Sorry.

    I wonder at all the people who have had endless problems with Open LDAP. If you read the docs, think about what they mean for your environment, and implement correctly, it works wonderfully, from stability to performance to features. Of course, lots of people have horror stories about Postgres, too, most of them illustrations of how not to run a real database. All I can say is these tools work for me and my clients.

    My new company is currently about to close, I think, a deal to do what I described above for ~4M users. I'm entirely confident it will work, based on as close to empirical testing as we can emulate. The real world is always different, but that makes it fun. YMMV.

  • FreeRadius + MySQL (Score:2, Insightful)

    by UuCon ( 4853 )
    Freeradius comes with a SQL module to do authentication and accounting through MySQL, PgSQL, etc. My team uses it quite a lot at my place of employment...we ended up using it to replace a SafeWord installation and everybody has been very happy with it.

    See Here [] for more info on the SQL module.

    We also ended up using phpMyAdmin [] to administrate the adding/removing of users, groups, & other attributes.

  • by PhaseBurn ( 44685 ) <> on Wednesday September 11, 2002 @02:20AM (#4235150) Homepage
    I'm the network administrator for an ISP based in California with 10k customers, currently. We use radius + e-mail services authenticated against MySQL, and I can very easily help you configure it...

    First off, we use ICRadius for our RADIUS server... Using MySQL replication, we avoid a single point of failure... ICRadius is free, and based on Cistron Radius... It works for our needs. Secondly, we use the Exim MTA for SMTP, and Courier IMAP for pop3/imap services... Mail is stored on a RAID exported over NFS, so mail servers are quite easily clustered... Lastly, we have a home-grown account management program we wrote, called "Nebula" that manages all aspects of an account...

    If you'd like examples of a config file, implementation suggestions, of even a copy of Nebula (it's open source, free), please let me know. You can e-mail me personally at work at dbauman (at) infostations (dot) net. I even have the origional ICRadius + MySQL howtos from years ago when we migrated away from Cistron, and also the ISP-Planet's ISP-Radius mailing list can be of help to you...

    • Well, since we run this exact setup, too (ICRadius, MySQL replication, Sendmail/Exim/Solid-POP3), I would like to ask you a question (consider it a recursive Ask Slashdot :-) We want to change our network configuration, and this includes replacing our two access servers with a bigger one. Problem is, one of these is currently used partly for our customers and partly for those of a bigger ISP to whom we provide a POP in our region; so, this server queries that ISP's RADIUS servers, not our ones. Since the two E1s will go into a single NAS in the new setup, our RADIUS servers need to be able to forward the queries to the other ISP servers if they don't find an username locally. Is this possible with ICRadius? How?
  • Go with ICRADIUS/MySQL. Works great. You didn't mention what state you are in. But if you are in california, give O-1 (oh-one) communications a call. Ask for Steve.
  • You can do radius with MySQL.

    However it depends what you want to do with your data. I work in a small telco (we have about 100K calls a day) and we are using Radiator with OpenLDAP + MySQL. OpenLDAP took a li'l hammering, but now is quite fine, even tho performance was never much of a problem. On average, our main raidus servers reply in a few (<10) miliseconds.
    WRT MySQL we are using it for our session database and are extremely happy with it. On the other hand, aren't quite as happy with our Accounting Database and will, most likely, move away from MySQL, due to the fact we need to make more complex queries and relationships than we can afford to right now.
    I can only recommend that, as a Radius Server, you use Radiator. It will allow you to move and change datasources (almost) transparently.
  • We use radiator with oracle to support 40,000 users with no problems whatsoever.. the support and software is great.
  • 3 []
    It's cross platform (I've run it on both Solaris and Linux). It's really fast too.
  • When you buy it, it comes with full source. I ended up having to modify it because the ISP I was working for was on a buying craze and picking up tonnes of other smaller ISPs that had conflicting usernames that needed to be dealt with--and nobody was willing to implement Radius realms.

    It was messy but worked perfectly when I left.
  • We run it with Postgres (run away from MySQL, but GNU-RADIUSD can use it) -- it's fast for us (6k+ customers), under active development and stable as hell.

  • Its obvious the solution to your problem is a custom web-based front end to an overly complicated Oracle database. Ideally the schema should make very little since with hundreds of unused columns--many of which are misspellings. (Thanks for the DROP COLUMN command, oracle). In order to ensure maximum benefit, this system should be designed by a couple of guys who are COMPLETELY drunk off their rocker and refuse to document anything. The system will exhibit wild uptimes given that the programmers are drunk during 75-80% of the system's overall development. A solution such as this will provide with you enourmous perceived flexibility, tons of headaches, and job security.

    Oh wait, you already have that in place. ;)

Overflow on /dev/null, please empty the bit bucket.