[TriLUG] LDAP/Radius caching solution

Scott Miller scottlinux at gmail.com
Mon Dec 9 09:32:56 EST 2013

I worked at UC Davis in a lowly IT job and they have 802.1x wifi using a
load balanced pool of freeradius servers pointed to LDAP. (A Sun unixy LDAP
product). I was not involved in configuring this, but anyways this setup
worked fine.

~65,000 accounts

Hey LUG,
> I'm looking to poll the audience and gauge a public opinion on this.
> I'm looking to spin up a couple LDAP or Radius servers which will
> function mostly as a cache for authentication requests and keep some
> calls off our main server.  Right now, we're using Active Directory
> for the LDAP with a mix of microsoft's IAS (internet authentication
> services) and NPS (network policy server) to handle radius calls.
> This is just for handling our 802.1x authentication over wifi
> (potentially wired in the future), so peap and mschap are the bare
> minimums for encryption.  I think most of the big boys handle this
> (389, directory services, freeradius, samba, etc.).
> I guess what I'm asking is, how would ya'll tackle this?
> My thinking was just spinning up freeradius, point it to our LDAP and
> call it a day.  But the idea of running samba as an LDAP server is
> also appealing.  Would it really buy me anything to go into a full
> identity management solution like freeipa?
> Also, to help with a scope, our LDAP has ~50,000 OUs and we're
> handling 5-10 radius requests per second.
> Thanks!
> --William

More information about the TriLUG mailing list