
RE: [cobalt-users] Radius recommendation!



Pre-built commercial Radius packages have been discussed extensively in the
past on this list, however there has been little to none regarding other
alternatives.  What follows is a brief discussion of some of the
alternatives.

First some comments regarding "Proxies".  The capability/transparency of
your proxy to your applications behind it generally depends entirely on your
proxy.  I have quite a bit of experience with both Linux based
proxy/firewall solutions as well as many commercial firewall/proxy packages.
Although I do not wish to agitate advocates of "stateful inspection" type
firewalls, or start an academic discussion on the pros/cons of the various
products available, I personally prefer to use Cisco PIX and Cisco Cache
engines for Firewall/ Cache/ solutions and find that at this point in time,
they are one of the few vendors who provide _all_ the capabilities I require
when implementing rapidly deployable, flexible, working solutions.  "Proxy"
type firewalls require special modules to handle particular applications.
The availability of proxy modules is limited to a handful of standard
applications (typically SMTP, Telnet, Passive FTP and a few more) and
getting things working without a specific module for an application that
refuses to work with a standard proxy generally requires falling back to a
packet filtering mode anyway, thus defeating the "stateful inspection"
capabilities of this type of proxy.

On radius: Typically radius is on ports 1645 tcp/udp and radius accounting
is on 1646 tcp/udp.  Some radius are now using 1812 tcp/udp for radius and
1813 tcp/udp for radius accounting but you can normally specify just about
any port you want on your Dial Access Concentrator (if that is the
application here) and match it on using your radius software.  These ports
will need to be open on your proxy/firewall.

For radius server packages, if you are willing to do a little work, I can
recommend to you several free packages.  Livingston (Lucent) radius and
ICRadius are popular.  Livingston has been rock solid dependable, and is
very compatible with just about everything and easy to understand and
implement.  This radius provides no GUI and can utilize either flat text
file or dbm databases.  It is very easily integrated with automatic signup
servers and ISP management packages like Rodopi and the accounting logs are
analyzed by "standard" analysis scripts/programs and easily imported into a
Rodopi-like management package.  I have built these radius with very minor
changes (include/header file locations) on many platforms including Mips,
Sparc, and Intel.

The ICRadius package is a derivative of Cistron radius and utilizes MySQL
for the user database and accounting and has a web enabled management
interface.  This package is well suited to "Custom" solutions and signup
servers because of readily available/easily modifiable perl scripts.
ICRadius home page is at  http://radius.innercite.com .

The Livingston Radius page is available at ftp://ftp.livingston.com and can
be used freely, however the license restricts modification and
redistribution.

Also see http://www.freeradius.org/  http://www.xtradius.com
http://miquels.www.cistron.nl/~miquels/radius/
http://www.merit.edu/aaa  for other "Free" radius packages.

John Burgess
President, Allegro Data Systems
12500 Network, Suite 401
San Antonio, TX  78249
210-558-0709
E-mail <mailto:john.burgess@xxxxxxxxxx>
Fastex.net <http://www.fastex.net/>
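
Added example, not part of the original post: a small Python analysis script of the kind the message mentions for RADIUS accounting logs. It assumes the conventional Livingston-style "detail" file layout (a timestamp line, tab-indented `Attribute = value` lines, a blank line between records); the sample records and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in the assumed "detail" file layout.
SAMPLE_DETAIL = """\
Mon Jan  3 09:00:01 2000
\tUser-Name = "alice"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0A000001"

Mon Jan  3 09:30:01 2000
\tUser-Name = "alice"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0A000001"
\tAcct-Session-Time = 1800

Mon Jan  3 10:00:00 2000
\tUser-Name = "bob"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0A000002"
"""

# Indented attribute line; surrounding quotes on string values are dropped.
ATTR = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_detail(text):
    """Yield one dict per accounting record."""
    record = {}
    for line in text.splitlines():
        if line[:1].isspace():            # attribute belonging to the current record
            m = ATTR.match(line)
            if m:
                record[m.group(1)] = m.group(2)
            continue
        if record:                        # blank line or new timestamp closes a record
            yield record
        record = {"Timestamp": line} if line.strip() else {}
    if record:
        yield record

def summarize(text):
    """Return (seconds online per user, users with a Start but no Stop)."""
    seconds, open_sessions = defaultdict(int), {}
    for rec in parse_detail(text):
        sid, user = rec.get("Acct-Session-Id"), rec.get("User-Name")
        if rec.get("Acct-Status-Type") == "Start":
            open_sessions[sid] = user
        elif rec.get("Acct-Status-Type") == "Stop":
            open_sessions.pop(sid, None)
            seconds[user] += int(rec.get("Acct-Session-Time", 0))
    return dict(seconds), sorted(open_sessions.values())
```

Sessions left open at the end of a log are either still active or lost their Stop record, so they are reported separately rather than counted as zero time.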