We are happy to announce that FreeRADIUS 3 is now fully compliant with the base DHCP standards. Previous versions supported the base DORA exchange, but lacked some features such as handling Decline packets from DHCP clients. The FreeRADIUS server now processes DHCP requests more efficiently, allowing administrators to authenticate users through a unified platform.
With greater flexibility and performance that is as fast or faster than the ISC DHCP server, FreeRADIUS is now a compelling option if you find yourself limited by your current implementation.
For the last twenty years, FreeRADIUS has been known as the world’s leading open source RADIUS server. At InkBridge Networks, we have a long history of leading the maintenance and development of FreeRADIUS. During that time, FreeRADIUS has been focused on the RADIUS standards, with other protocols being a secondary consideration. One of the other protocols it has supported for over a decade is DHCP.
We decided that it was time to take a closer look at the DHCP implementation. Our goal was to evaluate its stability and performance, to meet or exceed industry standards, to make adjustments where necessary, and to beef up support for edge cases in the protocol. The results of our work are included in FreeRADIUS 3.0.22, which is available now.
FreeRADIUS 3 now includes a DHCP server which provides several major benefits over the ISC DHCP solution. These benefits include performance, no limits on the size of IP pools, the ability to use multiple data sources, and finally a much more flexible solution.
Better performance due to multi-threaded implementation
FreeRADIUS is multi-threaded by default and has been for almost two decades. It can robustly support high input packets rates using many threads. For example, our benchmarking tests were using 32 threads, because there was no performance benefit in using more threads. In contrast, ISC DHCP is single threaded, while the more recent Kea implementation is single threaded by default, and only supports up to four threads as an “experimental” feature.
The mature multi-threaded capability of FreeRADIUS translates into higher performance in high load scenarios. While one thread is accessing the database, another thread can be applying complex local policies. The graph below shows how FreeRADIUS significantly outperforms both the ISC and Kea servers.
FreeRADIUS 3 performs 45% faster than ISC Kea 1.7.8
Real-time performance advantages for high-volume network traffic
The multi-threaded implementation allows the server to handle client requests in real time, even during peak usage periods. Unlike single-threaded solutions, FreeRADIUS efficiently manages lease time assignments without performance degradation.
Zero performance impact in High Availability configurations
Many network environments need to accommodate wide fluctuations in device load, and to provision devices that frequently change their network location such as with WiFi. Typical solutions use a High Availability configuration in order to accommodate both the performance and stability needed for high load networks. Both ISC DHCP and Kea incur significant performance penalties in these scenarios. Counterintuitively with these solutions, increasing the size or number of address pools results in slower performance. This limitation means that the performance of those systems gets worse exactly in the situations where you need higher performance.
With FreeRADIUS DHCP, there is zero performance cost to High Availability configurations that load balance traffic across multiple servers. We leverage modern database features, coupled with careful schema design. This design means that the performance of FreeRADIUS is independent of the size or number of address pools. This capability makes FreeRADIUS an obvious choice in environments that need flexibility. And how many environments don’t need flexibility?
Zero performance impact as address pool approaches capacity
In network environments provisioned by ISC DHCP or Kea, there is an additional performance dip as the address pool approaches capacity. Balancing the performance impact of either over provisioning address pools, or not provisioning them enough can make optimization a nightmare for system administrators.
FreeRADIUS DHCP suffers no performance impact in either of these scenarios, dramatically simplifying operational considerations. FreeRADIUS maintains consistent performance by efficiently tracking MAC address assignments and optimal lease time allocation
You just provision the IP addresses you want in your database. The database and FreeRADIUS then work together as efficiently as possible to track IPs in your network.
Adapts to your existing data store strategy - rather than forcing you to adapt to it
Both ISC DHCP and Kea have major limitations around the databases they use. In practice, these limitations mean that there is no way to update or extend the schemas used for DHCP.
In contrast, the built-in modularity and flexibility of FreeRADIUS means that it can be configured to accommodate your existing back-end data store systems, and even doing “mix and match”, where a single configuration file works with data from multiple sources such as LDAP directories, SQL databases, or text files.
This flexibility extends to integration with your existing DNS server infrastructure and access controlled directories.
In short, FreeRADIUS gives you control over your network, whereas other solutions restrict that control.
More network security for your buck
With all these benefits to FreeRADIUS as a DHCP server, it is important to remember that it is also a RADIUS server, and the leading one at that. FreeRADIUS has a more complete policy language than either ISC DHCP or Kea. That language makes it easier to write policies which give you fine-grained control over your network. Which, in our experience, means happier and more productive system administrators.
Need more help?
InkBridge Networks has been at the forefront of network security for over two decades, tackling complex challenges across various protocols and infrastructures. Our team of seasoned experts has encountered and solved nearly every conceivable network security issue. If you're looking for insights from the architects behind some of the internet's most foundational authentication systems, you can request a quote for network security solutions here.
Related Articles
DHCP Enhancements in FreeRADIUS 3
As part of our contributions to the FreeRADIUS community, InkBridge Networks took on the task of overhauling its DHCP support. The result is the same highly flexible and configurable DHCP server, but now easier to configure.
Why you should separate historical data from live data
ISPs and telecoms are often legally required to keep user accounting data for long periods of time. However, keeping these records can result in enormous databases which then affect the performance of your RADIUS system.