OpenRADIUS is a piece of software that links your network access devices
to your user-, service profile-, and usage databases.
As such, OpenRADIUS isn't unique; other servers that speak the RADIUS protocol
do the same. But it is unique in the flexibility it offers you in
building this link, because it puts you in full control of the business rules
used inside the server and the ways it talks to your databases - without
anybody having to hack the source code.
All nice and good, but why does this matter?
Because it gives you unprecedented freedom in service definition. OpenRADIUS
allows you to write your own answer to the open question "how do I want to sell
my dial-up ports", instead of making the question a multiple-choice one.
It gives you freedom in choosing backend systems and accounting solutions,
avoiding vendor lock-in, because it never dictates what the systems and
database tables it uses must exactly look like. It can be adapted easily to the
backend instead of the backend having to be adapted to the RADIUS server.
It helps you to avoid having to go through a painful and costly vendor switch
again when your current RADIUS vendor just doesn't offer that one extra feature
you absolutely need. With OpenRADIUS, you can add your in-house or externally
developed interface modules, and use the built-in business rule definition
language to define how they are to be used by the server.
Can you give some examples?
About the custom business rules: suppose that you want a certain category of
users to be able to only connect between certain times. No problem, you add a
business rule that checks the time before allowing the user to log in, if the
user belongs to this group. It's not this precise feature that is unique, but
the fact that you can define such a feature, without making any changes
to the RADIUS server code.
Now, suppose that you not only want to control when they connect or how long
they are allowed to stay logged in, but you want to ensure that nobody is online
during your service window between 4:00 and 6:00am, without already having to
disallow people access at 2:00 because they may stay online for two hours.
How to solve this? Essentially, you want that somebody who logs in at 3:30 to
be allowed only 30 minutes on-line. With OpenRADIUS it's easy, because you can
write a business rule to do the math before it tells the access server how long
a user may stay logged in!
Other example: say that your usage accounting system only recognises
wholesale customers based on '@'-style suffixes, as in 'firstname.lastname@example.org'. Now
a big reseller comes along, who wants to use a prefix-style identifer, as in
BIGCORPemail@example.com. Now what to do? Switch to that other accounting
package because of one big customer?
OpenRADIUS solves this dilemma: you can add a rule to rewrite the username as
something your existing system understands, putting the customer's ID after the
@ sign again and ignoring your reseller's customer IDs, before it forwards a
usage record to your accounting system.
This thing must cost a fortune!
It doesn't. Even better: the server itself, containing the business rule
definition language and its versatile interface, is available free of charge. A
number of useful modules to interface to plain ASCII, LDAP and SQL data are
You even get the source to the server. Not that I expect that you'll want to
add much functionality there instead of by writing business rules, but security
conscious people think it must be possible for a piece of software that
controls access to their network to get some peer review or even to be audited
in-house. Which makes a lot of sense.
So... what's the catch?
The only catch about the server itself is that although you may freely download
its source code, compile it, put it on a CD and even sell it, its license
requires that if you're distributing any work that's derived from mine, you
will give others (including me) the same freedom as I gave you.
That means that if you create a new version of my software and you
want to redistribute it in any way, you must make its source available free of
charge. But as said, this only applies if you're distributing your version; you
can of course use modified versions in-house without having to publish them.
I think those are reasonable rules, because everyone will benefit in the long
term. What will happen is that I'll probably take your changes and integrate
them in the "official" server. But as the same happens with other people's
changes, you'll benefit too, because the server stays up-to-date that way,
and it makes you less likely to have to re-invent the weel.
This concept is not new. This
license was created in 1989 by the Free
Software Foundation, after they had set out in 1983 to create an operating system that people would not only
be free to use, but free to study, modify and share as well - re-enabling
innovation in systems software after it had become stifled by vendors who
wanted to make a quick buck. (Today, a large software vendor claims that it
is not allowed to innovate anymore when it is required to be less secretive
about how to make other people's software work with theirs. Ironic, isn't it).
Incidentally, the Linux kernel is
distributed under the same license. Today, with Linux as final building block,
the operating system that the FSF wanted to create has become a reality; I have
used the same system to develop OpenRADIUS.
Great story, but doesn't sound like a business case.
You are right, I won't be able to make money from OpenRADIUS itself without
actually doing anything.
But there's plenty of other things that I can make money from:
If you don't want to invest time in figuring out how to write the business
rules for OpenRADIUS, I can work with you to develop a full solution based on
If you need a new external module to interface to a proprietary
database, you can hire me to write one for you. Others can do that too,
because the interface to external programs is fully documented, but as I
have already written the occasional module, I'll probably be done sooner.
If you have the right tools on your system but still would like some help
with the installation, I can do it remotely for you if your system can be
accessed through ssh. This is a tool that
allows people to log on to other systems over the internet using a secure,