A tool to help you set up FreeRADIUS


#1

If you’re interested in setting up PPPoE integrated with Sonar, one of the first steps is to get a functional FreeRADIUS server. This can be a challenge if you’ve never set it up before, so we built a tool called FreeRADIUS Genie to make it easier.

Hope you find it useful!


#2

This is awesome. I’ll have to get this set up in our lab ASAP.


#3

Thanks, Simon! Since your script is defining NAS entries using the nas table (I presume), how much of the Sonar documentation regarding CoA is still relevant? I’m reluctant to change the FreeRADIUS config files (per the guide) without fully understanding what’s going on.

Other than that you’re right, it is quick and easy.


#4

That’s a good question, I need to dig into this still. I think you would still have to define the CoA configuration in flat files, as it’s not possible to do things like that directly in SQL, but I think it will still work. My understanding of how the nas table functions is that it is read at runtime and stored the same way as if you’d defined it in clients.conf… but I have not totally tested that theory.


#5

So if I understand it correctly, if I use the conf files, I can use the genie tool to remove NAS table entries, and suffer no pain or conflicting config? I’m going to try it.


#6

I believe so, but don’t quote me on it :wink: I think it will just ignore the CoA configuration at that point, since it is not for a defined NAS, but I’ve been surprised by FreeRADIUS behavior before!


#7

I’ll try to automate the CoA configuration as part of the tool later… probably after 0.6 though!


#8

I meant that if I define the NAS using the .conf files rather than the database, then I could still use CoA? Will try and report.


#9

I think it will work even if they are in the database, to be honest.


#10

Is MySQL master-master replication useful in this context?

I assume I’d set up DB replication, and then point Sonar at the primary only; and set RADIUS clients (PPPoE, DHCP) at both primary and secondary?


#11

I would use something like keepalived and share an IP between them, if you can. That way, Sonar will communicate with whichever server is active.


#12

I can IP share locally, but I was inclined to host master locally and slave offsite. Can VPN, of course, just adds some complexity.


#13

The upside of the shared IP is Sonar can flip seamlessly between them. The downside is what you mentioned. If you don’t share an IP, you’d have to manually flip Sonar to the new system (and make sure that accounting data is synced between them when the master recovers.)
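
The shared-IP failover discussed in the posts above, sketched as a keepalived configuration. This is an added example, not part of the original thread and not produced by FreeRADIUS Genie. The interface name `eth0`, the documentation address `192.0.2.10`, the router ID `51`, the process name `freeradius` (as used by the Ubuntu package) and the password placeholder are all assumptions to replace with your own values.

```conf
# /etc/keepalived/keepalived.conf (same file on each RADIUS server)

# Health check: without this, the VIP only moves when the host or link dies,
# not when the RADIUS daemon itself stops.
# Assumption: the daemon runs under the process name "freeradius".
vrrp_script chk_radius {
    script "/usr/bin/pgrep -x freeradius"
    interval 2      # run the check every 2 seconds
    fall 2          # 2 consecutive failures mark this node as faulty
    rise 2          # 2 consecutive successes mark it healthy again
}

vrrp_instance RADIUS_VIP {
    state BACKUP            # all nodes start as BACKUP; priority elects the master
    nopreempt               # a recovered node does not pull the VIP back on its own
    interface eth0          # assumption: interface facing Sonar and the NAS devices
    virtual_router_id 51    # assumption: must match on every node, unique on the segment
    priority 150            # give each node a different value, highest wins
    advert_int 1

    # VRRP PASS authentication is sent in clear text and only stops
    # accidental misconfiguration; keep VRRP on a trusted segment.
    authentication {
        auth_type PASS
        auth_pass CHANGEME  # placeholder, at most 8 characters are used
    }

    # Sonar and the RADIUS clients (PPPoE, DHCP) are pointed at this address.
    virtual_ipaddress {
        192.0.2.10/24       # assumption: documentation address, replace with your VIP
    }

    track_script {
        chk_radius
    }
}
```

The process check only shows that the daemon is running, not that it is answering requests, so treat it as the minimum viable health check.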


#14

I’m agreeing. I talked to a larger carrier, and that definitely is the right approach. At a large enough scale you do load balancing… but simple IP sharing should be sufficient. It also makes it easy to configure the clients. Thanks again.


#15

Yeah, and you could always replicate your data to a third, offsite data center as a final safeguard. The upside of the Sonar method is if you had to spin up a new RADIUS server, Sonar can re-push all the authentication and attribute information, so it’s probably not really a big deal if you were to lose both servers in the long run; it would just suck during the outage.


#16

All we’d lose would be historical data, I presume. I hadn’t thought of three replicas — but this makes sense, as it should be easy to make two copies. I’ll need to get a bit more familiar with MySQL replication. One could use the third offsite as a warm spare — changing Sonar to point to it if needed. I like this, it avoids the VPN (other than for replication).


#17

We pull all that into Sonar, so it wouldn’t matter. The data usage and IP assignment histories are all pulled pretty regularly.


#18

Keepalived was a great tip — three-way VRRP and a MariaDB + Galera cluster is the current setup. Should be easy enough to add another server offsite.


#19

I note that the genie no longer works under Ubuntu 18 Bionic; there are some structure changes to the FreeRADIUS 3.0 config. Heads up for those interested in upgrading for security purposes or otherwise.


#20

I’m going to work on a new version for Ubuntu 18 before the v2 release, but yeah, stick with 16 for the time being if you want to use this.