[freeside] export

Dave Burgess burgess at mitre.org
Mon Jan 7 12:29:07 PST 2002


Dana Hudes wrote:

> huh?
> Why?
> let RADIUS do its thing. Freeside backend. You can pass the realm with the username from RADIUS to Freeside for authentication but it is simpler to have a per-realm file.

Hmmm.

I don't want to seem to be talking for Edward, but there doesn't seem to be any kind of 'pollution' between the two, with two exceptions:

1)  We have all the information about the customers that we need to let FreeRadius (for example) authenticate directly against the FreeSide databases.   We keep RADIUS
check and reply items in the database now; we could allow read access from the RADIUS server to the data in the database and be able to skip one whole level of file
indirection.  We just extend the paradigm that we have established by having the RADIUS server files get built by FreeSide.

2)  We can use the RADIUS Accounting tables to track utilization and optionally (as soon as someone writes it) bill for it.

This way, RADIUS will still be the AAA protocol, and FreeSide will still be the customer accounting piece.  The fact that they have a shared data sink shouldn't be any
more egregious than having the user file(s) getting built by FreeSide.  I assumed that this is what he meant by having FreeSide be responsible for the authentication (data)
and RADIUS be responsible for the accounting data.  By setting up the RADIUS server to talk straight to the database, we skip a replication and export step and get our
information from the pure source.  In fact, the SQL.conf file in FreeRadius seems to kind of lead one to this end anyway.

Your point about the per-realm user files is interesting - can you do that without relying on huntgroups?  Specifically, can you do multiple per-realm user files on a
single server being fed from 7 NASes?  Like I said, I'm revisiting RADIUS servers again for the first time in several years and could stand a quick refresh.  From what
I've been reading (in FreeRadius, since it was the last one I read), the server ends up with a single, cached user file which has the capability to deconflict 'overloaded'
usernames with unique passwords.  Whether the realms are assumed or specified doesn't seem to matter.  At least, not after the cursory examination I've given it since
Saturday.  If you wouldn't mind, I'd like to pick your brain a little bit 'off list'.

>
> > Probably best way is to do auth for radius from freeside and accounting on
> > different server.
> > like Radiator type... or just change things in icradius/freeradius config
> > files.
> >



