Today, RADIUS is the dominant AAA (Authentication, Authorization and Accounting) protocol used in all types of network access infrastructures, including wireless hotspots, 802.1X wired networks and dialup/DSL access. The ever-growing population of users needing network access in large academic institutions, the creation of nationwide school networks and the introduction of a pan-European RADIUS server hierarchy, with proxy RADIUS servers serving whole countries, have created a steady demand for truly large-scale AAA infrastructures capable of supporting millions of requests per day and handling endless amounts of accounting data.

This paper describes the main problems faced in deploying such large-scale infrastructures, provides general guidelines to overcome these obstacles and describes, with actual numbers, a real-life case study of a FreeRADIUS deployment in the Greek School Network.

The problems faced nowadays in large-scale installations are mostly related to the following issues:
- Achieving server redundancy and failover while maintaining fully replicated accounting databases and double-login detection throughout the network access infrastructure
- The existence of a replicated user database capable of supporting an increasing number of users and the resulting authentication requests, while providing scalable, delegated and convenient user administration and maintenance
- The ability of the underlying accounting infrastructure to support a constant flow of high volumes of accounting data and to store this data for long periods of time, while allowing the administrator to execute complicated queries on the accounting information through a query language like SQL
- Supporting a high volume of encrypted authentication requests using recently available secure authentication protocols like EAP-TLS, PEAP and EAP-TTLS, especially in wireless network installations
- Facilitating server maintenance, especially in situations where a large number of realms or clients need to be supported and constantly maintained

This paper, based on the authors' long-term experience with such large-scale installations, provides a set of guidelines for planning and deploying them. These guidelines are mostly focused on:
- Creating multiple redundant RADIUS server points with fully replicated accounting data
- Choosing an appropriate accounting database (primarily focused on SQL databases), tuning it for maximum performance and scheduling full replication of the accounting information
- Storing user information in a high-performance database like LDAP or SQL. Guidelines on creating a replicated, multi-homed user database are provided, with a focus on providing delegated, secure and scalable user administration
- Implementing a RADIUS infrastructure so as to solve scaling issues
- Moving a large part of the RADIUS server configuration (like client definitions) into database tables, allowing for ease of maintenance and administration

Lastly, a case study of a real-life large-scale installation is presented. The case study involves a multiple RADIUS server installation for the Greek School Network (GSN) based on the FreeRADIUS free software platform. The GSN structure and RADIUS traffic needs are analyzed in detail (statistical data and numbers are provided) along with the scaling issues related to the network and user size. Afterwards, the use of FreeRADIUS as a solution to these needs is discussed, along with the steps taken to achieve the performance required by the network's needs. More specifically, the following steps are covered:
- The introduction of pre-authentication as the primary authentication method for a large percentage of the network connections, in order to decrease the overall server overhead
- The introduction of a new server structure which minimized the accounting processing overhead on the primary RADIUS servers by storing live session data in in-memory data tables and relaying full accounting information to high-performance database servers. For this purpose a new relaying program was developed which minimized the overall accounting relay overhead by eliminating the need for a separate RADIUS server running on the accounting collection server. The end result was a large decrease in the mean accounting processing time for the RADIUS service and a subsequent overall performance boost
- The development of a new high-performance caching module which, coupled with the introduction of pre-authentication, minimized the mean authentication processing time for the FreeRADIUS server, thus multiplying the infrastructure's request-serving capabilities
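The split between an in-memory live-session table and relayed full accounting records, as described in the server structure above, can be modelled as follows. This is an added illustration, not the paper's relay program or any FreeRADIUS code; packet contents and the `expire_stale` safeguard for lost Stop records are assumptions made for the example.

```python
"""Model of the accounting split: live sessions are kept in an in-memory
table so that double-login checks never touch the accounting database,
while every full accounting record is queued for relay to that server.
Packets are dicts of RADIUS attribute -> value, constructed for this example."""
from collections import defaultdict

# Live-session table: User-Name -> {Acct-Session-Id: last-seen timestamp}
live_sessions = defaultdict(dict)
# Full records destined for the (hypothetical) accounting database server
relay_queue = []


def process_accounting(packet, now):
    """Apply one accounting packet to the live table and queue it for relay.
    Returns the user's live-session count after the update."""
    user, sid = packet["User-Name"], packet["Acct-Session-Id"]
    status = packet["Acct-Status-Type"]
    if status in ("Start", "Interim-Update"):
        # Interim-Update refreshes the timestamp so stale sessions can be found
        live_sessions[user][sid] = now
    elif status == "Stop":
        live_sessions[user].pop(sid, None)
        if not live_sessions[user]:
            del live_sessions[user]
    relay_queue.append(dict(packet))  # the full record still reaches the DB
    return len(live_sessions.get(user, {}))


def double_login(user, limit=1):
    """Authentication-time check answered from memory only: True when the
    user already holds `limit` or more live sessions."""
    return len(live_sessions.get(user, {})) >= limit


def expire_stale(now, max_age):
    """Drop sessions with no Start/Interim-Update for `max_age` seconds. A
    lost Stop (NAS reboot, dropped UDP) would otherwise lock the user out.
    Returns the number of sessions expired."""
    expired = 0
    for user in list(live_sessions):
        for sid, seen in list(live_sessions[user].items()):
            if now - seen > max_age:
                del live_sessions[user][sid]
                expired += 1
        if not live_sessions[user]:
            del live_sessions[user]
    return expired
```

Without periodic expiry, a single lost Stop record turns the double-login check into a permanent false positive for that user, so the interim-update interval and `max_age` have to be chosen together.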

Acknowledgments

The authors would like to thank Ntina Sakka of the Network Operations Centre for her valuable comments and assistance as well as the technical support staff of the Greek School Network for their assistance in the FreeRADIUS server deployment.