Testimonials and Success Stories
The following are a just a few of the success stories people have of using the server in production environments
- Nicolas Baradakis - Cegetel
I'm working as a consultant at Cegetel, the second largest telecommunications operator in France: we handle hundreds of thousands ADSL users, Wifi hotspots in main railway stations, and we also rent RADIUS services to companies who connect their agencies or their mobile workers through our network.
My co-worker Thomas Marchesseau designed a setup based on FreeRADIUS, LVS (Linux Virtual Server) and MySQL replication. The main idea is to have the NAS send the requests to a virtual IP owned by a couple of LVS, which distribute the load on the pool of FreeRADIUS servers.
- This setup is redundant, there is no point of failure: the LVS periodically checks whether the servers are alive, and keepalived runs the backup LVS when the master is down.
- This setup is scalable: as the traffic increases,
you can add new machines in the pool without restarting the
service. (the performance will proportionally rise)
- The LVS divides the RADIUS load between more machines.
- The MySQL replication ensures there is no bottleneck on the database.
- This setup is inexpensive: we are using free software and we don't need specific hardware, just ordinary PC are fine. Even if a machine breaks down, the service is still running on the remaining machines.
FreeRADIUS offers not only a high level of performance and availability. It also has more flexibility than any commercial product. You can do a lot of things through the config files, and easily write plugins to do the most esoteric things whithin the server. Thanks to FreeRADIUS we are able to manage complex situations: we have a lot of heterogeneous services which send requests to the same pool of proxies. Some of them requires specific actions on the RADIUS packets.
We were able to match our needs because the project is open source. Indeed, we were able to freely add the features that we found useful. We can also quickly fix some bugs (it happens) without waiting for someone else to write a patch. All contributions from Cegetel are submitted on the project's mailing list, and some of them are now available in the current version of FreeRADIUS.
- Kostas Kalevras - Greek School Network
We have 4500 schools connecting through ISDN lines, 30000 dialup accounts, a lot of ADSL connections and 51 access servers. Two of them are Cisco 5800 and the rest are Cisco 3640/3660. In total around 5000 lines.
We have two radius servers, one serving the South of Greece (including Attika which hosts the main 5800 access server with 600 lines) and the other serving the North of Greece (which includes the other 5800 with 300 lines). Both radius servers act as a backup for the other.
The user database is in LDAP (iPlanet DS5.1) while the accounting is maintained in MySQL+InnoDB databases. Each server replicates the accounting information through radrelay to the other one. That way we maintain full accounting on each server and can enforce national double login detection and also have nice redundancy.
The MySQL databases are hosted on the same machines as are the radius servers (meaning we have 2 MySQL/RADIUS servers). The LDAP servers are hosted on different machines. The machines are Sun V120 with 1GB RAM and Solaris 8 each.
We do a lot of attribute rewriting through the attr_rewrite module and we have also enabled the detail accounting module for radrelay to work.
The schools connect on demand (when there is a request for something from the internet) so we get a *lot* of connections. For weekdays we get around 100000 connections per day. For each connection we get: Access-Request,Accounting-Start,Accounting-Stop. In other words the servers need to handle 3 RADIUS packets per connection.
Here is a typical top output. As you can see freeradius has no problem handling the load.
PID USERNAME THR PRI NICE SIZE RES STATE TIME CPU COMMAND 25361 root 23 58 0 8160K 5448K sleep 35:45 0.34% radiusd 2923 mysql 121 59 0 193M 108M sleep 73.2H 0.28% mysqld 21750 nobody 4 58 0 26M 16M sleep 0:43 0.21% httpd 19294 nobody 3 35 0 3904K 2992K sleep 1:56 0.21% libhttpd.ep
- Jeff Carneal - Apex Internet
Using late-2000 freeradius snapshot to authenticate ~25k ppp users. All users stored in a single file and authenticated via rlm_fastusers. Mysql accounting through direct mysql API in rlm_sql. Currently not doing simultaneous use checks, though it should be easy to implement.
- Adrian Pavlykevych
I'm currently running FreeRadius with rlm_ldap in production environment, with failover setup to use rlm_pam as backup.
- anonymous (For corporate reasons, this
administrator wishes to remain anonymous.)
We chose FreeRADIUS because of it's simplicity, flexibility, and cost. We investigated everything from the older Cistron RADIUS (and all the other RADIUS servers listed on the FreeRADIUS site) to multiple commercial servers, to replace our existing commercial system.Our current comercial RADIUS server has restrictions on it's capabilities, and since our customer base has expanded, we would have to upgrade our license in order to handle our increased load. This upgrade would have cost us several thousand dollars.
With that cost in mind, we decided to look at what else existed. We investigated all the others, freeware and otherwise, and in the end chose FreeRADIUS for several reasons:
- You can't beat the cost. :-)
- In our environment, we had Linux boxes already available and in place which could do double-duty as RADIUS servers. To use a product like our existing server, not only would it cost us money, but we would have to buy additional hardware just to run the software.
- FreeRADIUS, of all the open source products, seemed to be where the future was at. Modular design, simple configuration...of the open source packages, it definitely seemed the way to go.
- The variety of ways in which FreeRADIUS can interface with data stores (e.g., MySQL, PostgreSQL, LDAP, etc.) caught our attention, as we run various platforms here. We have Oracle databases, MySQL databases, LDAP servers, you name it. The fact we had this kind of flexibility with FreeRADIUS appealed to us.
- Our network design involved two RADIUS servers, one in each of our core locations, requiring a method of keeping usernames/passwords in sync. Our customer data resides in an Oracle database running on an AIX node. By running FreeRADIUS hooked into MySQL, we could tap MySQL's replication feature, running a copy of MySQL on the AIX node (acting as master), with the RADIUS servers acting as slaves. This kind of replication/synchronization in the commercial RADIUS world requires several thousand dollar packages. We did it for a sum total of $0.00 USD!
And though some would rightly argue that using 'free' software often costs a company more in man-hours, we are an agency with salaried staff, so there is no additional cost in our case, as the overriding emphasis was on keeping out of pocket expenses to a minimum. Our time is already paid for.
But even if that wasn't the case, I believe I would still use FreeRADIUS, simply because it IS just so darn flexible. The synchronization design mentioned above was not implemented in the end, mostly due to other considerations. That is, our current setup involved sucking data out of the Oracle customer database, then having Perl scripts massage that data for export to both our peers and to our old Kerberos servers (still used for certain dialup functions). To keep conversion time down, the decision was made that, at least for now, the solution would involve simply adjusting the Perl scripts and blowing out the data to the MySQL servers instead.
Using tools such as FreeRADIUS gave us options I do not believe canned, commercial packages offer. Yes, it can be a little more elbow grease. And yes, the lack of a nice GUI for those looking for a canned solution IS a concern. But there is a web front end which is a good start.
- Networld + Interop Las Vegas 2003
FreeRADIUS was used in the InteropNet Labs during the show, in order to demonstrate Wireless LAN security. The overview document does not mention FreeRADIUS in the text, but it is one of the seven RADIUS servers in the green cloud at the bottom of page 1.
The wireless clients used in the demonstration included Cisco, MAC OSX, Windows, etc.