RADIUS service

1. About

The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service. RADIUS was developed as an access server authentication and accounting protocol.

2. Systems

2.1 Frontend

FQDN                   IPv6           IPv4
radius.bfh.info
ipv6.radius.bfh.info
ipv4.radius.bfh.info

2.2 Backend

Warning
Always use the frontend DNS record

Never use the backend nodes directly:

  • the backend may change at any time without notice (e.g. IP addresses, DNS records, configuration)
  • the backend has no legacy support or grace periods; changes take effect immediately
  • backend nodes may be rebooted at any time without notice
  • backend access will soon be restricted

FQDN                   IPv6           IPv4
node1.radius.bfh.info  2a07:6b40::61  147.87.0.61
node2.radius.bfh.info  2a07:6b40::62  147.87.0.62
node3.radius.bfh.info  2a07:6b40::63  147.87.0.63
node4.radius.bfh.info  2a07:6b40::64  147.87.0.64

3. Features

  • TODO

4. Operations

  • TODO

5. Backlog

Legacy

  • retire Windows RADIUS servers

Setup

  • review current setup

  • consolidate all RADIUS requests

  • cleanup accounts and migrate them to IDM

  • ensure proper logging

  • provide access to logs for authorities

  • external config review

  • regenerate containers with Debian 12

  • upgrade to current freeradius

Features

  • anycasting radius.bfh.info

  • test environment

  • benchmarking

Known issues

  • the certificate cannot be renewed automatically because all nodes must present the same certificate fingerprint (could be implemented via a dehydrated hook)
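As an added illustration of the dehydrated-hook approach mentioned above (example code, not the service's own hook): dehydrated calls its hook script with the action name as the first argument and, for `deploy_cert`, the domain, key file, cert file, fullchain file, chain file and timestamp. The hook below pushes the renewed key and fullchain to every backend node, reloads FreeRADIUS, and then compares the SHA-256 fingerprint each node serves against the freshly issued certificate so a partially applied rollout is detected instead of silently leaving nodes with different fingerprints. The node list, the remote certificate directory `/etc/freeradius/3.0/certs`, SSH as root and the `systemctl reload freeradius` command are assumptions for this example.

```shell
#!/bin/sh
# Hypothetical dehydrated hook: keep all RADIUS nodes on one certificate.
# Assumptions (not from the page): nodes reachable via ssh/scp as root,
# FreeRADIUS reads the cert from REMOTE_DIR, reload via systemctl.
NODES="${RADIUS_NODES:-node1.radius.bfh.info node2.radius.bfh.info node3.radius.bfh.info node4.radius.bfh.info}"
REMOTE_DIR="${RADIUS_CERT_DIR:-/etc/freeradius/3.0/certs}"

# Extract the value part of an openssl fingerprint line,
# e.g. "sha256 Fingerprint=AA:BB:..." -> "AA:BB:..."
fingerprint_value() {
  printf '%s\n' "$1" | sed 's/^[^=]*=//'
}

# SHA-256 fingerprint of a PEM certificate on the local host.
local_fingerprint() {
  fingerprint_value "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# SHA-256 fingerprint of the certificate a node currently has on disk.
remote_fingerprint() {
  fingerprint_value "$(ssh "root@$1" "openssl x509 -in $REMOTE_DIR/fullchain.pem -noout -fingerprint -sha256")"
}

# Return 0 when every argument equals the first one, 1 otherwise.
all_same() {
  first="$1"; shift
  for v in "$@"; do
    [ "$v" = "$first" ] || return 1
  done
  return 0
}

# dehydrated deploy_cert hook: DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
deploy_cert() {
  domain="$1"; keyfile="$2"; certfile="$3"; fullchainfile="$4"
  expected="$(local_fingerprint "$certfile")"

  # Distribute the new key and fullchain (basenames privkey.pem / fullchain.pem) and reload.
  for n in $NODES; do
    scp -q "$keyfile" "$fullchainfile" "root@$n:$REMOTE_DIR/" || { echo "copy to $n failed" >&2; return 1; }
    ssh "root@$n" "systemctl reload freeradius" || { echo "reload on $n failed" >&2; return 1; }
  done

  # Verify that every node now presents the fingerprint of the issued certificate.
  seen=""
  for n in $NODES; do
    seen="$seen $(remote_fingerprint "$n")"
  done
  # shellcheck disable=SC2086  # word-splitting of $seen is intended
  if all_same "$expected" $seen; then
    echo "$domain: all nodes present fingerprint $expected"
  else
    echo "$domain: fingerprint mismatch across nodes, expected $expected, got:$seen" >&2
    return 1
  fi
}

# dehydrated passes the hook name as $1; other hooks are ignored here.
case "${1:-}" in
  deploy_cert) shift; deploy_cert "$@" ;;
  *) ;;
esac
```

Because the check compares against the certificate dehydrated just issued rather than against the first node, a stale node is reported with its actual fingerprint, which is what an operator needs when a client starts rejecting one backend behind the shared frontend name.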