Frequently Asked Questions

What is OpenRADIUS?

OpenRADIUS is a piece of software that links your network access devices to your user-, service profile-, and usage databases.

As such, OpenRADIUS isn't unique; other servers that speak the RADIUS protocol do the same. But it is unique in the flexibility it offers you in building this link, because it puts you in full control of the business rules used inside the server and the ways it talks to your databases - without anybody having to hack the source code.

All nice and good, but why does this matter?

Because it gives you unprecedented freedom in service definition. OpenRADIUS allows you to write your own answer to the open question "how do I want to sell my dial-up ports", instead of making the question a multiple-choice one.

It gives you freedom in choosing backend systems and accounting solutions, avoiding vendor lock-in, because it never dictates what the systems and database tables it uses must exactly look like. It can be adapted easily to the backend instead of the backend having to be adapted to the RADIUS server.

It helps you to avoid having to go through a painful and costly vendor switch again when your current RADIUS vendor just doesn't offer that one extra feature you absolutely need. With OpenRADIUS, you can add your in-house or externally developed interface modules, and use the built-in business rule definition language to define how they are to be used by the server.

Can you give some examples?

About the custom business rules: suppose that you want a certain category of users to be able to only connect between certain times. No problem, you add a business rule that checks the time before allowing the user to log in, if the user belongs to this group. It's not this precise feature that is unique, but the fact that you can define such a feature, without making any changes to the RADIUS server code.

Now, suppose that you not only want to control when they connect or how long they are allowed to stay logged in, but you want to ensure that nobody is online during your service window between 4:00 and 6:00am, without already having to disallow people access at 2:00 because they may stay online for two hours.

How to solve this? Essentially, you want somebody who logs in at 3:30 to be allowed only 30 minutes on-line. With OpenRADIUS it's easy, because you can write a business rule to do the math before it tells the access server how long a user may stay logged in!
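The arithmetic such a rule has to do, as an added Python sketch; it is not written in OpenRADIUS's rule language and is not code from the project. The two-hour limit and the 4:00-6:00 window come from the example above; the function names, the choice to reject logins that arrive inside the window, and the use of server-local time are assumptions.

```python
from datetime import datetime, time, timedelta

WINDOW_START = time(4, 0)          # service window from the FAQ example
WINDOW_END = time(6, 0)
MAX_SESSION = timedelta(hours=2)   # normal per-session limit from the example


def next_window(login, start_t=WINDOW_START, end_t=WINDOW_END):
    """Return (start, end) of the window in progress at, or next after, login.

    Yesterday's window is checked first so that a window crossing midnight
    (e.g. 23:00-01:00) is still recognised shortly after midnight.
    """
    for offset in (-1, 0, 1):
        day = login.date() + timedelta(days=offset)
        start = datetime.combine(day, start_t)
        end = datetime.combine(day, end_t)
        if end <= start:           # window crosses midnight
            end += timedelta(days=1)
        if end > login:            # first window that has not finished yet
            return start, end


def session_timeout(login, max_session=MAX_SESSION,
                    start_t=WINDOW_START, end_t=WINDOW_END):
    """Seconds to send as Session-Timeout, or None to reject the login.

    login is a naive datetime in the server's local time (assumption).
    """
    start, _end = next_window(login, start_t, end_t)
    if start <= login:
        # Login arrives inside the service window: refuse instead of
        # handing out a zero-length session.
        return None
    # Normal limit, capped so the session ends when the window opens.
    return int(min(max_session, start - login).total_seconds())


if __name__ == "__main__":
    # Constructed sample logins on an arbitrary date.
    for hhmm in ("01:00", "02:00", "03:30", "04:30", "06:00"):
        t = datetime.strptime("2011-07-02 " + hhmm, "%Y-%m-%d %H:%M")
        print(hhmm, session_timeout(t))
```

The returned value is what a RADIUS server would place in the Session-Timeout reply attribute, which is expressed in seconds.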

Another example: say that your usage accounting system only recognises wholesale customers based on '@'-style suffixes, as in ''. Now a big reseller comes along, who wants to use a prefix-style identifier, as in BIGCORP/ Now what to do? Switch to that other accounting package because of one big customer?

OpenRADIUS solves this dilemma: you can add a rule to rewrite the username as something your existing system understands, putting the customer's ID after the @ sign again and ignoring your reseller's customer IDs, before it forwards a usage record to your accounting system.

This thing must cost a fortune!

It doesn't. Even better: the server itself, containing the business rule definition language and its versatile interface, is available free of charge. A number of useful modules to interface to plain ASCII, LDAP and SQL data are also included.

You even get the source to the server. Not that I expect that you'll want to add much functionality there instead of by writing business rules, but security conscious people think it must be possible for a piece of software that controls access to their network to get some peer review or even to be audited in-house. Which makes a lot of sense.

So... what's the catch?

The only catch about the server itself is that although you may freely download its source code, compile it, put it on a CD and even sell it, its license requires that if you're distributing any work that's derived from mine, you will give others (including me) the same freedom as I gave you.

That means that if you create a new version of my software and you want to redistribute it in any way, you must make its source available free of charge. But as said, this only applies if you're distributing your version; you can of course use modified versions in-house without having to publish them.

I think those are reasonable rules, because everyone will benefit in the long term. What will happen is that I'll probably take your changes and integrate them in the "official" server. But as the same happens with other people's changes, you'll benefit too, because the server stays up-to-date that way, and it makes you less likely to have to re-invent the wheel.

This concept is not new. This license was created in 1989 by the Free Software Foundation, after they had set out in 1983 to create an operating system that people would not only be free to use, but free to study, modify and share as well - re-enabling innovation in systems software after it had become stifled by vendors who wanted to make a quick buck. (Today, a large software vendor claims that it is not allowed to innovate anymore when it is required to be less secretive about how to make other people's software work with theirs. Ironic, isn't it).

Incidentally, the Linux kernel is distributed under the same license. Today, with Linux as final building block, the operating system that the FSF wanted to create has become a reality; I have used the same system to develop OpenRADIUS.

Great story, but doesn't sound like a business case.

You are right, I won't be able to make money from OpenRADIUS itself without actually doing anything.

But there's plenty of other things that I can make money from:

  • If you don't want to invest time in figuring out how to write the business rules for OpenRADIUS, I can work with you to develop a full solution based on your needs.

  • If you need a new external module to interface to a proprietary database, you can hire me to write one for you. Others can do that too, because the interface to external programs is fully documented, but as I have already written the occasional module, I'll probably be done sooner.

  • If you have the right tools on your system but still would like some help with the installation, I can do it remotely for you if your system can be accessed through ssh. This is a tool that allows people to log on to other systems over the internet using a secure, encrypted connection.

You can read more about the possibilities here.

Generated on Sat Jul 2 01:18:04 2011 by /