Presentation is loading. Please wait.

Presentation is loading. Please wait.

Scaling RADIUS to Support a Nationwide Network Access Infrastructure Kostas Kalevras NTUA Network Operations Centre.

Published byLoren Lynch Modified over 9 years ago

Similar presentations

Presentation on theme: "Scaling RADIUS to Support a Nationwide Network Access Infrastructure Kostas Kalevras NTUA Network Operations Centre."— Presentation transcript:

1 Scaling RADIUS to Support a Nationwide Network Access Infrastructure Kostas Kalevras NTUA Network Operations Centre

2 RADIUS Protocol Used in Wireless Hotspots Wireless Hotspots 802.1X network authentication 802.1X network authentication Dialup authentication Dialup authentication DSL/Broadband DSL/Broadband Services AAA Services AAA

3 Need for High Performance User Population Increase Used for authenticating Schools access

4 Key issues in scaling RADIUS Performance Redundancy + Failover with full accounting + double login detection High Availability High Availability Load spread between servers Load spread between servers Scalable, Replicated user database Scalable Accounting Infrastructure Encrypted authentication requests (EAP-TTLS/TLS/PEAP) Ease of server maintainance/delegated administration

5 Guidelines Accounting is more important than authentication. It is also much larger Don’t use a single server. Distribute/Replicate

6 Guideline #1: Multiple RADIUS Servers Use multiple RADIUS server with replicated accounting data

7 Guideline #2: Tune SQL Accounting Index fields Spread the load between multiple server threads, don’t serialize accounting Use a connection pool instead of per request connections

8 Guideline #3: User Database Use a high performance database like SQL/LDAP Ease of administration Ease of administration Configure replication. Ideally, each radius server should have a dedicated user authentication server

9 Guideline #4: Only service live requests On memory table for online users – Use an on-disk buffer and a separate process for permanent accounting storage Advantages Guaranteed low service time Guaranteed low service time Complex operations are performed on each request rather than grouped Complex operations are performed on each request rather than grouped

10 Guideline #5: Server Configuration on a database Certain parts of server configuration should be kept on a database Client Configuration Client Configuration Realm Configuration Realm ConfigurationAdvantages Ease of administration (web interface) Ease of administration (web interface) No access required to radius servers No access required to radius servers Delegated administration Delegated administration Single point of administration, automated procedure Single point of administration, automated procedure

11 Case Study Greek School Network

12 GSN Structure 52 Access Servers 5000 Schools 50.000 Dialup Accounts 100.000 sessions/day LDAP authentication Database (2 fully replicated LDAP servers)

13 RADIUS Server Solution FreeRADIUS was chosen as the preferred platform Reasons for this choise Scalable, multithreaded, in active development Scalable, multithreaded, in active development Open source, participation in server development Open source, participation in server development Supports all features wanted Supports all features wanted

14 Scaling Steps Preauthentication New server Structure Caching module

15 Preauthentication Preauthentication of school access based on Caller-Id Advantages Lower overhead Lower overhead Rejection on call setup (no aditional costs) Rejection on call setup (no aditional costs)

16 New Server Structure Maintain an On-Memory Live accounting table. Permanent accounting performed by a separate process Advantages Lower and guaranteed accounting service time Lower and guaranteed accounting service time Statistics generation can be performed real- time Statistics generation can be performed real- time

17 Caching Module Cache Server responses based on a configurable key Advantages Lower service time Lower service time Combined with preauthentication most requests are serviced from cache Combined with preauthentication most requests are serviced from cache No queries are performed to the directory service No queries are performed to the directory serviceDisadvantages Cache entries must be erased on changes Cache entries must be erased on changes

18 Conclusions RADIUS still is at the core of AAA infrastructures Can still scale to accommodate current and future needs Is being used with success in large scale installations

19 Thank you! Any questions?

Download ppt "Scaling RADIUS to Support a Nationwide Network Access Infrastructure Kostas Kalevras NTUA Network Operations Centre."

Similar presentations

POC Security System High security system combining PIN-on-Card, information security, physical access, control and alarm – all in one system.

POC Security System High security system combining PIN-on-Card, information security, physical access, control and alarm – all in one system.
Chapter 4 Infrastructure as a Service (IaaS)

Chapter 4 Infrastructure as a Service (IaaS)
The State of the Art in Distributed Query Processing by Donald Kossmann Presented by Chris Gianfrancesco.

The State of the Art in Distributed Query Processing by Donald Kossmann Presented by Chris Gianfrancesco.
Take your CMS to the cloud to lighten the load Brett Pollak Campus Web Office UC San Diego.

Take your CMS to the cloud to lighten the load Brett Pollak Campus Web Office UC San Diego.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Overview of the technology that comprises Attendance Enterprise.

Overview of the technology that comprises Attendance Enterprise.
1 ITEC810 An Application Suite for a Student Database Project Supervisor: Abhaya Nayak Student Id: 41064755 Andrew Johnson.

1 ITEC810 An Application Suite for a Student Database Project Supervisor: Abhaya Nayak Student Id: Andrew Johnson.
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
Toolbox Mirror -Overview Effective Distributed Learning.

Toolbox Mirror -Overview Effective Distributed Learning.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Online Magazine Bryan Ng. Goal of the Project Product Dynamic Content Easy Administration Development Layered Architecture Object Oriented Adaptive to.

Online Magazine Bryan Ng. Goal of the Project Product Dynamic Content Easy Administration Development Layered Architecture Object Oriented Adaptive to.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
Chapter 16 AAA. AAA Components  AAA server –Authenticates users accessing a device or network –Authorizes user to perform specific activities –Performs.

Chapter 16 AAA. AAA Components  AAA server –Authenticates users accessing a device or network –Authorizes user to perform specific activities –Performs.
SQL Forms Engine Koifman Eran Egri Ozi Supervisor: Ilana David.

SQL Forms Engine Koifman Eran Egri Ozi Supervisor: Ilana David.
VTS INNOVATOR SERIES Real Problems, Real solutions.

VTS INNOVATOR SERIES Real Problems, Real solutions.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
Passage Three Introduction to Microsoft SQL Server 2000.

Passage Three Introduction to Microsoft SQL Server 2000.
Microsoft Load Balancing and Clustering. Outline Introduction Load balancing Clustering.

Microsoft Load Balancing and Clustering. Outline Introduction Load balancing Clustering.
Understanding Active Directory

Understanding Active Directory
H-1 Network Management Network management is the process of controlling a complex data network to maximize its efficiency and productivity The overall.

H-1 Network Management Network management is the process of controlling a complex data network to maximize its efficiency and productivity The overall.

Similar presentations

Ads by Google