Scaling RADIUS to Support a Nationwide Network Access Infrastructure
Kostas Kalevras, NTUA Network Operations Centre
RADIUS Protocol
- Used in:
  - Wireless hotspots
  - 802.1X network authentication
  - Dialup authentication
  - DSL/Broadband
  - Services AAA
Need for High Performance
- User population increase
- Used for authenticating schools' access
Key Issues in Scaling RADIUS
- Performance
- Redundancy and failover with full accounting and double-login detection
- High availability
- Load spread between servers
- Scalable, replicated user database
- Scalable accounting infrastructure
- Encrypted authentication requests (EAP-TTLS/TLS/PEAP)
- Ease of server maintenance / delegated administration
Guidelines
- Accounting is more important than authentication. It is also much larger.
- Don't use a single server. Distribute/replicate.
Guideline #1: Multiple RADIUS Servers
- Use multiple RADIUS servers with replicated accounting data
[Diagram: Network Users; two RADIUS Servers; two LDAP Servers; two SQL Databases; Accounting Relay]
Guideline #2: Tune SQL Accounting
- Index fields
- Spread the load between multiple server threads; don't serialize accounting
- Use a connection pool instead of per-request connections
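The three points of Guideline #2 put together, as an added example written for this page (not FreeRADIUS code and not from the slides). It uses SQLite so it runs offline; the column names follow the usual radacct layout, while the index names, the ConnectionPool class, the hypothetical school account names and the sample sessions are this example's own. Each NAS is played by a thread that borrows a pooled connection, and the final query plan shows that the Accounting-Stop lookup is served by the index rather than a table scan:

```python
import os
import queue
import sqlite3
import tempfile
import threading

# Constructed schema: column names follow the FreeRADIUS "radacct" table;
# the index names and everything else here are this example's own.
SCHEMA = """
CREATE TABLE radacct (
    radacctid        INTEGER PRIMARY KEY,
    acctsessionid    TEXT NOT NULL,
    username         TEXT NOT NULL,
    nasipaddress     TEXT NOT NULL,
    acctstarttime    TEXT NOT NULL,
    acctstoptime     TEXT,
    acctinputoctets  INTEGER,
    acctoutputoctets INTEGER
);
-- Index what the server searches on: an Accounting-Stop must find its Start
-- row by session id + NAS, and double-login detection searches by username.
CREATE INDEX idx_radacct_session ON radacct (acctsessionid, nasipaddress);
CREATE INDEX idx_radacct_user    ON radacct (username, acctstoptime);
"""


class ConnectionPool:
    """Fixed-size pool: workers borrow an already-open connection instead
    of paying connect/disconnect for every accounting packet."""

    def __init__(self, path, size=4):
        self._free = queue.Queue()
        for _ in range(size):
            # check_same_thread=False: created here, used by any worker.
            # timeout: wait on the file lock when several workers commit.
            self._free.put(sqlite3.connect(path, timeout=30, check_same_thread=False))

    def acquire(self):
        return self._free.get()

    def release(self, conn):
        self._free.put(conn)

    def close(self):
        while not self._free.empty():
            self._free.get_nowait().close()


def run(pool, sql, params=(), write=False):
    conn = pool.acquire()
    try:
        if write:
            with conn:                      # one short transaction per packet
                return conn.execute(sql, params).rowcount
        return conn.execute(sql, params).fetchall()
    finally:
        pool.release(conn)


def account_start(pool, sid, user, nas, when):
    return run(pool, "INSERT INTO radacct (acctsessionid, username, nasipaddress, "
               "acctstarttime) VALUES (?, ?, ?, ?)", (sid, user, nas, when), write=True)


def account_stop(pool, sid, nas, when, octets_in, octets_out):
    # Returns 0 when no open Start row matched, i.e. a Stop without a Start.
    return run(pool, "UPDATE radacct SET acctstoptime = ?, acctinputoctets = ?, "
               "acctoutputoctets = ? WHERE acctsessionid = ? AND nasipaddress = ? "
               "AND acctstoptime IS NULL", (when, octets_in, octets_out, sid, nas), write=True)


def open_sessions(pool, user):
    """Double-login check: sessions of this user that have no Stop yet."""
    return run(pool, "SELECT COUNT(*) FROM radacct WHERE username = ? "
               "AND acctstoptime IS NULL", (user,))[0][0]


def query_plan(pool, sql, params):
    return " | ".join(str(r[-1]) for r in run(pool, "EXPLAIN QUERY PLAN " + sql, params))


def run_demo(workers=4, sessions_per_worker=25):
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.close()
    pool = ConnectionPool(path, size=workers)

    def nas_worker(n):        # each thread plays one NAS sending Start/Stop pairs
        for i in range(sessions_per_worker):
            sid = f"nas{n}-{i:04d}"
            account_start(pool, sid, f"school{n}{i:03d}", f"10.0.0.{n}", "t0")
            account_stop(pool, sid, f"10.0.0.{n}", "t1", 100, 200)

    threads = [threading.Thread(target=nas_worker, args=(n,)) for n in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    # One account dialling in from two NASes with no Stop in between.
    account_start(pool, "nas1-dup", "school0042", "10.0.0.1", "t2")
    account_start(pool, "nas2-dup", "school0042", "10.0.0.2", "t2")
    result = {
        "closed": run(pool, "SELECT COUNT(*) FROM radacct WHERE acctstoptime IS NOT NULL")[0][0],
        "dup_open": open_sessions(pool, "school0042"),
        "orphan_stop": account_stop(pool, "no-such-session", "10.0.0.9", "t3", 0, 0),
        "stop_plan": query_plan(pool, "SELECT radacctid FROM radacct WHERE "
                                "acctsessionid = ? AND nasipaddress = ?", ("x", "y")),
    }
    pool.close()
    os.remove(path)
    return result
```

The `orphan_stop` result is worth keeping in a real deployment too: a Stop whose Start never arrived (NAS reboot, lost packet) should be counted and alerted on rather than silently dropped, since it is exactly the case where accounting and double-login state drift apart.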
Guideline #3: User Database
- Use a high-performance database like SQL/LDAP
- Ease of administration
- Configure replication. Ideally, each RADIUS server should have a dedicated user authentication server.
Guideline #4: Only Service Live Requests
- In-memory table for online users. Use an on-disk buffer and a separate process for permanent accounting storage.
- Advantages:
  - Guaranteed low service time
  - Complex operations are performed on each request rather than grouped
Guideline #5: Server Configuration on a Database
- Certain parts of the server configuration should be kept in a database:
  - Client configuration
  - Realm configuration
- Advantages:
  - Ease of administration (web interface)
  - No access required to the RADIUS servers
  - Delegated administration
  - Single point of administration, automated procedure
Case Study: Greek School Network
GSN Structure
- 52 access servers
- 5,000 schools
- 50,000 dialup accounts
- 100,000 sessions/day
- LDAP authentication database (2 fully replicated LDAP servers)
RADIUS Server Solution
- FreeRADIUS was chosen as the preferred platform
- Reasons for this choice:
  - Scalable, multithreaded, in active development
  - Open source, participation in server development
  - Supports all features wanted
Scaling Steps
- Preauthentication
- New server structure
- Caching module
Preauthentication
- Preauthentication of school access based on Caller-Id
- Advantages:
  - Lower overhead
  - Rejection on call setup (no additional costs)
New Server Structure
- Maintain an in-memory live accounting table. Permanent accounting is performed by a separate process.
- Advantages:
  - Lower and guaranteed accounting service time
  - Statistics generation can be performed in real time
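The structure described here and in Guideline #4 (in-memory live table, on-disk buffer, separate writer for permanent storage), as an added example written for this page in Python; it is a stand-alone model, not FreeRADIUS internals or the GSN code. The RADIUS attribute names are the standard accounting ones; the LiveSessionTable and drain_buffer names, the JSON-lines buffer format, the school account names and the packet stream are constructed for the example. The request path never touches SQL: it updates memory, journals the packet to the buffer with fsync, and answers. The writer then commits the journal as one grouped transaction.

```python
import json
import os
import sqlite3
import tempfile
import time


class LiveSessionTable:
    """Request path: memory only. Every packet is also appended (and fsynced)
    to an on-disk buffer that a separate writer process drains later."""

    def __init__(self, buffer_path):
        self.online = {}          # username -> {session_id: {"nas", "in", "out"}}
        self.double_logins = 0
        self._buf = open(buffer_path, "a", encoding="utf-8")

    def is_online(self, user):
        """Used by the authentication path to refuse a second login."""
        return user in self.online

    def handle(self, pkt):
        user, sid = pkt["User-Name"], pkt["Acct-Session-Id"]
        status = pkt["Acct-Status-Type"]
        sessions = self.online.setdefault(user, {})
        if status == "Start":
            decision = "start"
            if sessions:          # a Start while another session is open
                decision = "start-duplicate"
                self.double_logins += 1
            sessions[sid] = {"nas": pkt["NAS-IP-Address"], "in": 0, "out": 0}
        elif status == "Interim-Update" and sid in sessions:
            sessions[sid]["in"] = pkt.get("Acct-Input-Octets", 0)
            sessions[sid]["out"] = pkt.get("Acct-Output-Octets", 0)
            decision = "update"
        elif status == "Stop" and sid in sessions:
            del sessions[sid]
            decision = "stop"
        else:
            decision = "unknown-session"
        if not sessions:
            del self.online[user]
        # Journal before answering, so a crash after this point loses nothing.
        self._buf.write(json.dumps(dict(pkt, decision=decision, ts=time.time())) + "\n")
        self._buf.flush()
        os.fsync(self._buf.fileno())
        return decision

    def stats(self):
        """Real-time statistics straight from memory, no SQL involved."""
        octets = sum(s["in"] + s["out"] for ss in self.online.values() for s in ss.values())
        return {"online_users": len(self.online), "octets": octets}

    def close(self):
        self._buf.close()


def drain_buffer(buffer_path, store_path):
    """Writer side. In production it runs in its own process, e.g.
    multiprocessing.Process(target=drain_buffer, args=(buf, store)) on a
    timer; here it is called directly so the example is deterministic.
    The whole batch goes in as one transaction: the expensive work is
    grouped instead of being paid on every packet."""
    rows = []
    with open(buffer_path, encoding="utf-8") as f:
        for line in f:
            r = json.loads(line)
            rows.append((r["ts"], r["User-Name"], r["Acct-Session-Id"], r["NAS-IP-Address"],
                         r["Acct-Status-Type"], r["decision"],
                         r.get("Acct-Input-Octets", 0), r.get("Acct-Output-Octets", 0)))
    conn = sqlite3.connect(store_path)
    with conn:
        conn.execute("CREATE TABLE IF NOT EXISTS radacct (ts REAL, username TEXT, "
                     "acctsessionid TEXT, nasipaddress TEXT, status TEXT, decision TEXT, "
                     "in_octets INTEGER, out_octets INTEGER)")
        conn.executemany("INSERT INTO radacct VALUES (?,?,?,?,?,?,?,?)", rows)
    total = conn.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]
    conn.close()
    # Truncating is only safe because the front end is idle here; a real
    # writer rotates the buffer (rename, front end reopens) so packets
    # journaled during the drain are not lost.
    open(buffer_path, "w").close()
    return total


# Constructed sample accounting stream from two NASes.
PACKETS = [
    {"Acct-Status-Type": "Start", "User-Name": "school0042",
     "Acct-Session-Id": "A1", "NAS-IP-Address": "10.0.0.1"},
    {"Acct-Status-Type": "Start", "User-Name": "school0042",   # same account, second NAS
     "Acct-Session-Id": "B7", "NAS-IP-Address": "10.0.0.2"},
    {"Acct-Status-Type": "Interim-Update", "User-Name": "school0042",
     "Acct-Session-Id": "B7", "NAS-IP-Address": "10.0.0.2",
     "Acct-Input-Octets": 1500, "Acct-Output-Octets": 9000},
    {"Acct-Status-Type": "Start", "User-Name": "school0108",
     "Acct-Session-Id": "C3", "NAS-IP-Address": "10.0.0.1"},
    {"Acct-Status-Type": "Stop", "User-Name": "school0042",
     "Acct-Session-Id": "A1", "NAS-IP-Address": "10.0.0.1",
     "Acct-Input-Octets": 2000, "Acct-Output-Octets": 12000},
]


def run_demo():
    tmp = tempfile.mkdtemp()
    buf, store = os.path.join(tmp, "acct.buffer"), os.path.join(tmp, "radacct.db")
    table = LiveSessionTable(buf)
    decisions = [table.handle(p) for p in PACKETS]
    result = {"decisions": decisions, "live": table.stats(),
              "double_logins": table.double_logins,
              "still_online": table.is_online("school0042"),
              "persisted": drain_buffer(buf, store)}
    table.close()
    return result
```

Note that the live table is per server: with several RADIUS servers (Guideline #1) the double-login check either needs the accounting relay to feed every server's live table, or the check has to go against the replicated store, which is exactly the slow path this structure keeps off the request path.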
Caching Module
- Cache server responses based on a configurable key
- Advantages:
  - Lower service time
  - Combined with preauthentication, most requests are serviced from cache
  - No queries are performed to the directory service
- Disadvantages:
  - Cache entries must be erased on changes
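Preauthentication on Caller-Id and a keyed response cache, chained as the slides describe, as an added example written for this page (not the GSN module or FreeRADIUS's rlm_cache). The caller-id allowlist, the Directory stand-in for LDAP, the ResponseCache class, the account names and the request sequence are constructed for the example. Two points a practitioner should take from it: the cache holds the directory's answer (the credential record), and the password is still verified on every request, because caching the Access-Accept itself keyed only on identity would let a wrong password ride a cached Accept; and the invalidate_user call is the cost the slide lists as a disadvantage, since a password change that forgets it keeps the old credential valid until the TTL expires. Caller-Id is a cost filter on call setup, not authentication: it can be withheld or spoofed, so the password check stays.

```python
import hmac
import time

# Constructed: which caller-ids (school PSTN lines) may dial in and which
# account each line belongs to. A real deployment keeps this in the school
# registry database, not in code.
SCHOOL_CALLERS = {"2101234567": "school0042", "2310987654": "school0108"}


class Directory:
    """Stand-in for the LDAP servers; counts how often it is queried."""

    def __init__(self, entries):
        self.entries = dict(entries)
        self.queries = 0

    def lookup(self, user):
        self.queries += 1
        return self.entries.get(user)


class ResponseCache:
    """Caches the directory's answer for a request, keyed on a configurable
    tuple of request attributes, with a TTL and explicit invalidation."""

    def __init__(self, key_attrs, ttl_seconds):
        self.key_attrs = key_attrs
        self.ttl = ttl_seconds
        self._entries = {}

    def _key(self, req):
        return tuple(req.get(a) for a in self.key_attrs)

    def get(self, req):
        k = self._key(req)
        hit = self._entries.get(k)
        if hit and hit[1] > time.monotonic():
            return hit[0]
        self._entries.pop(k, None)            # missing or expired
        return None

    def put(self, req, value):
        self._entries[self._key(req)] = (value, time.monotonic() + self.ttl)

    def invalidate_user(self, user):
        """Call on every credential or policy change for `user`; until then
        the cache keeps answering from stale data."""
        if "User-Name" not in self.key_attrs:
            self._entries.clear()
            return
        i = self.key_attrs.index("User-Name")
        for k in [k for k in self._entries if k[i] == user]:
            del self._entries[k]


def authenticate(req, directory, cache):
    user = req.get("User-Name", "")
    # Preauthentication: the calling line must be a registered school line
    # and must belong to this account. Rejected without a directory query.
    if SCHOOL_CALLERS.get(req.get("Calling-Station-Id")) != user:
        return "Access-Reject"
    secret = cache.get(req)
    if secret is None:
        secret = directory.lookup(user)
        if secret is None:
            return "Access-Reject"
        cache.put(req, secret)
    # The password is checked on every request, cache hit or not; the cache
    # only saves the directory round trip.
    ok = hmac.compare_digest(secret.encode(), req.get("User-Password", "").encode())
    return "Access-Accept" if ok else "Access-Reject"


def run_demo():
    directory = Directory({"school0042": "s3cret", "school0108": "hunter2"})
    cache = ResponseCache(key_attrs=("User-Name", "Calling-Station-Id"), ttl_seconds=300)
    good = {"User-Name": "school0042", "Calling-Station-Id": "2101234567",
            "User-Password": "s3cret"}
    results = [
        authenticate(good, directory, cache),                       # directory query
        authenticate(good, directory, cache),                       # served from cache
        authenticate(dict(good, **{"User-Password": "wrong"}), directory, cache),        # cache hit, still rejected
        authenticate(dict(good, **{"Calling-Station-Id": "6971112233"}), directory, cache),  # preauth reject
    ]
    directory.entries["school0042"] = "n3w-pass"   # password changed in the directory...
    cache.invalidate_user("school0042")            # ...so its cache entries must go
    results.append(authenticate(dict(good, **{"User-Password": "n3w-pass"}), directory, cache))
    return {"results": results, "directory_queries": directory.queries}
```

Keying the cache on (User-Name, Calling-Station-Id) rather than User-Name alone means an account dialling from a second line gets its own entry and its own directory query; that is the right trade when the key also drives the preauthentication decision.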
Conclusions
- RADIUS is still at the core of AAA infrastructures
- It can still scale to accommodate current and future needs
- It is being used with success in large-scale installations
Thank you! Any questions?