FreeRADIUS Scalability with multiple NAS worldwide


Our network setup consists of 5 network access servers in 5 different locations worldwide and it is expected to expand in the coming days to 15 network access servers and more in the future. Currently we use scripts for authentication but we are planning to use FreeRADIUS based AAA for authentication and accounting with these NAS servers due to the many benefits that we can gain from utilizing accounting data. The user load is expected to grow to hundreds of thousands of users in the coming days. My question to experts having practical experience of this kind of architecture is from a scalability point of view. What is the best FreeRADIUS topology to be used in such a setup?

Would a centralized RADIUS based AAA service consisting of multiple RADIUS nodes be better than a distributed RADIUS AAA service, i.e. one RADIUS server per NAS, and why? We want to utilize accounting data during authorization, so a distributed RADIUS service will require synchronization of accounting data as well as user authentication data in almost real time. But with tens of different locations, synchronization of data in real time seems difficult to achieve. I read about RADIUS proxy servers that forward RADIUS queries to a central RADIUS server; however, I fail to understand how that would be more beneficial than using a centralized RADIUS service directly from the NAS, i.e. all NASs pointing to the same RADIUS service.

If a distributed RADIUS service is considered, radrelay may be the way to go, but radrelay seems to be useful for a primary-to-standby kind of setup where the number of RADIUS nodes is mostly two, and I am not sure if it will be good to use if they have to synchronize data between so many different RADIUS servers.

I will be much thankful if someone can point me in the right direction.

Best Answer

If your focus is on reliability

The advantage of a distributed architecture with a locally replicated copy of the data is redundancy and reduced latency.

Synchronisation is not difficult to achieve, OpenLDAP's syncrepl protocol does a good job of hub and spoke, or even mesh topologies. It will perform partial and full resyncs of data as required. New instances should synchronize to the master as they start for the first time.

You will have to manage each of those instances though (use ansible or salt), and correct faults should issues arise.

There's increased hardware cost of having to place a server next to each NAS in a 'shared-fate' (if possible) sort of configuration.

You've not really provided enough info about the NAS to say if that would actually be appropriate. Can clients fail between NAS?

If your focus is on ease of management

The advantage of having a single cluster of RADIUS servers, behind redundant load balancers (hint hint), is simplified management.

A pair of servers would likely be sufficient to handle the load of up to a million users. Each FreeRADIUS instance should be able to handle around 20,000-30,000 auth/s on moderate hardware against an OpenLDAP instance running MDB.

Upgrading, monitoring, fixing issues with the database are simpler to do with fewer instances.

The servers in this configuration represent a single point of failure.

If a NAS starts misbehaving and floods the authentication servers with traffic, there's a greater chance of the system being overwhelmed.

If there are disruptions to the network links between the NAS and the central servers, the NAS will be unable to authenticate users.

Proxy Servers

They're sometimes useful as aggregators, or in federations, but on their own don't really do much in a pass-through configuration.

Caching proxy servers can be useful as they take some of the load off the authentication servers.

In an ISP environment a large portion of the traffic is made up of rejects, as clients will keep re-authenticating.

Caching proxy servers can respond on behalf of the central servers if they've previously seen a reject, or if the central server is offline and they've previously seen an accept.
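The following configuration is an added illustration of the per-site caching proxy described above; it is not part of the original answer and not FreeRADIUS's shipped configuration. It uses FreeRADIUS 3.x syntax and assumes two central home servers at the documentation addresses 192.0.2.10 and 192.0.2.11, PAP authentication (so that `User-Password` is available to key the cache), and the instance names `central_pool` and `reject_cache`, all of which are assumptions for the example. The first part belongs in `proxy.conf`: the central servers are health-checked with Status-Server so the proxy marks a dead server without waiting for user traffic to time out. The second part caches rejects returned by the central servers, so a client that keeps retrying the same wrong credentials is answered locally.

```conf
# --- proxy.conf: central home servers, health-checked, used in fail-over order ---
home_server central1 {
    type = auth+acct                 # accounting goes to port + 1 (1813)
    ipaddr = 192.0.2.10              # assumed address of the first central server
    port = 1812
    secret = "replace-with-a-long-random-secret"
    response_window = 20             # seconds to wait for a reply before the request is failed over
    zombie_period = 40               # no replies for this long marks the server "zombie"
    status_check = status-server     # probe with Status-Server instead of relying on user traffic
    check_interval = 30
    num_answers_to_alive = 3         # three probe replies before the server is "alive" again
}

home_server central2 {
    type = auth+acct
    ipaddr = 192.0.2.11              # assumed address of the second central server
    port = 1812
    secret = "replace-with-a-long-random-secret"
    response_window = 20
    zombie_period = 40
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
}

home_server_pool central_pool {
    type = fail-over                 # central1 until it is marked dead, then central2
    home_server = central1
    home_server = central2
}

realm DEFAULT {                      # every request the proxy receives is forwarded
    auth_pool = central_pool
    acct_pool = central_pool
    nostrip                          # forward the full User-Name, realm suffix included
}

# --- mods-enabled/reject_cache: a short-lived record of (user, password) pairs rejected centrally ---
cache reject_cache {
    driver = "rlm_cache_rbtree"
    key = "%{User-Name}:%{md5:%{User-Password}}"   # assumes PAP; never cache on User-Name alone
    ttl = 120                                      # seconds a reject is answered locally
    update {
        &reply:Reply-Message := "rejected (cached)"
    }
}

# --- sites-enabled/default: consult the cache before proxying, fill it after a central reject ---
authorize {
    update control {
        &Cache-Status-Only := yes    # only ask "is there an entry?"; do not insert here
    }
    reject_cache
    if (ok) {                        # same user and password was rejected within the TTL
        reject
    }
    suffix                           # realm handling; falls through to realm DEFAULT -> central_pool
}

post-auth {
    Post-Auth-Type REJECT {
        reject_cache                 # insert an entry so the next identical attempt is answered locally
    }
}
```

Two points worth checking before relying on this. The cache key includes the password hash, so a user who retries with the right password after a typo is not blocked; keying on `User-Name` alone would turn a reject cache into a denial of service. And `Post-Auth-Type REJECT` is also reached when the proxy itself rejects because every home server is marked dead, so if that is not a reject you want remembered, mark genuine home-server replies in `post-proxy` (for example by setting a control attribute there) and test for that mark before the insert. The stale-accept-during-outage behaviour the answer mentions needs a second cache instance keyed the same way and consulted only when `central_pool` has no live servers; it is not shown here.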
