Transcript Slide 1

Scaling RADIUS to Support a Nationwide Network Access Infrastructure
Kostas Kalevras, NTUA Network Operations Centre
RADIUS Protocol

Used in:
- Wireless hotspots
- 802.1X network authentication
- Dialup authentication
- DSL/Broadband
- Services AAA
Need for High Performance

- User population increase
- Used for authenticating school access
Key Issues in Scaling RADIUS

- Performance
- Redundancy and failover with full accounting and double-login detection
- High availability
- Load spread between servers
- Scalable, replicated user database
- Scalable accounting infrastructure
- Encrypted authentication requests (EAP-TTLS/TLS/PEAP)
- Ease of server maintenance / delegated administration
Guidelines

- Accounting is more important than authentication. It is also much larger.
- Don't use a single server. Distribute/replicate.
Guideline #1: Multiple RADIUS Servers

Use multiple RADIUS servers with replicated accounting data.

[Diagram: Network Users, an Accounting Relay, and two RADIUS Servers, each with its own SQL Database and LDAP Server]
Guideline #2: Tune SQL Accounting

- Index fields
- Spread the load between multiple server threads; don't serialize accounting
- Use a connection pool instead of per-request connections
Guideline #3: User Database

- Use a high-performance database like SQL/LDAP
- Ease of administration
- Configure replication. Ideally, each RADIUS server should have a dedicated user authentication server
Guideline #4: Only Service Live Requests

- In-memory table for online users. Use an on-disk buffer and a separate process for permanent accounting storage.

Advantages
- Guaranteed low service time
- Complex operations are performed on each request rather than grouped
Guideline #5: Server Configuration in a Database

Certain parts of the server configuration should be kept in a database:
- Client configuration
- Realm configuration

Advantages
- Ease of administration (web interface)
- No access required to RADIUS servers
- Delegated administration
- Single point of administration, automated procedures
Case Study: Greek School Network

GSN Structure
- 52 Access Servers
- 5000 Schools
- 50,000 Dialup Accounts
- 100,000 sessions/day
- LDAP authentication database (2 fully replicated LDAP servers)
RADIUS Server Solution

FreeRADIUS was chosen as the preferred platform. Reasons for this choice:
- Scalable, multithreaded, in active development
- Open source, participation in server development
- Supports all features wanted
Scaling Steps

- Preauthentication
- New server structure
- Caching module
Preauthentication

Preauthentication of school access based on Caller-Id.

Advantages
- Lower overhead
- Rejection on call setup (no additional costs)
New Server Structure

Maintain an in-memory live accounting table. Permanent accounting is performed by a separate process.

Advantages
- Lower and guaranteed accounting service time
- Statistics generation can be performed in real time
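As an added example (not code from the talk or from FreeRADIUS) of the in-memory live table described in Guideline #4 and in the server structure above: Accounting-Request packets, modelled as attribute dictionaries, update the live table in constant time, a second Start for a user who is already online is flagged as a double login, and finished sessions are queued for a separate permanent-storage step. The packet stream, user name and session ids are constructed sample data.

```python
from collections import deque

class LiveAccounting:
    # In-memory table of online sessions (Guideline #4). Packets are handled in
    # constant time; finished sessions go to a disk-bound buffer that a separate
    # process (simulated here by drain()) writes to permanent storage.
    def __init__(self, max_sessions_per_user=1):
        self.live = {}         # Acct-Session-Id -> session record
        self.by_user = {}      # User-Name -> set of live Acct-Session-Ids
        self.buffer = deque()  # stand-in for the on-disk buffer
        self.limit = max_sessions_per_user

    def handle(self, pkt):  # apply one Accounting-Request; return what happened
        sid, user, status = pkt["Acct-Session-Id"], pkt["User-Name"], pkt["Acct-Status-Type"]
        if status == "Start":
            if sid in self.live:
                return "duplicate"        # NAS retransmission, idempotent
            if len(self.by_user.get(user, ())) >= self.limit:
                return "double-login"     # user already has a live session
            self.live[sid] = dict(pkt, octets=0)
            self.by_user.setdefault(user, set()).add(sid)
            return "started"
        if sid not in self.live:
            return "unknown-session"      # Stop/Interim with no matching Start
        if status == "Interim-Update":
            self.live[sid]["octets"] = pkt.get("Acct-Input-Octets", 0)
            return "updated"
        if status == "Stop":
            rec = self.live.pop(sid)
            self.by_user[user].discard(sid)
            rec["octets"] = pkt.get("Acct-Input-Octets", rec["octets"])
            self.buffer.append(rec)       # leaves the live path here
            return "stopped"
        return "ignored"

    def drain(self):  # permanent-storage process: take all buffered records
        out, self.buffer = list(self.buffer), deque()
        return out

def acct(status, user, sid, **attrs):  # build a constructed Accounting-Request
    return {"Acct-Status-Type": status, "User-Name": user, "Acct-Session-Id": sid, **attrs}

PACKETS = [  # constructed sample stream; the second Start is a double login
    acct("Start", "school1", "A1", **{"Calling-Station-Id": "2101234567"}),
    acct("Start", "school1", "A2", **{"Calling-Station-Id": "2107654321"}),
    acct("Interim-Update", "school1", "A1", **{"Acct-Input-Octets": 4096}),
    acct("Stop", "school1", "A1", **{"Acct-Input-Octets": 8192}),
]
def run(packets=PACKETS):
    table = LiveAccounting()
    return [table.handle(p) for p in packets], table
```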
Caching Module

Cache server responses based on a configurable key.

Advantages
- Lower service time
- Combined with preauthentication, most requests are serviced from cache
- No queries are performed against the directory service

Disadvantages
- Cache entries must be erased on changes
Conclusions

- RADIUS is still at the core of AAA infrastructures
- It can still scale to accommodate current and future needs
- It is being used with success in large-scale installations

Thank you!
Any questions?