RADIUS stands for Remote Authentication Dial In User Service and is a
protocol for carrying authentication, authorization, and configuration
information between a Network Access Server (NAS) which desires to
authenticate its links and a shared Authentication Server.
The protocol was originally designed by the well-known terminal server
manufacturer Livingston for use with their Portmaster terminal servers.
Since then it has been implemented by a lot of other vendors and it is
also on its way to becoming an Internet Standard.
First it asks the user for his login name (if not supplied by getty) and his password.
Then it tries to find the login name either through a RADIUS server query or in the local passwd file or through both methods.
If the user is authenticated locally, radlogin calls the local login program to spawn a login environment.
If the user is authenticated via RADIUS, radlogin calls a special other login program which gets the information that was passed from the RADIUS server in environment variables.
In this special login program you can now either start a telnet/rlogin session or start up SLIP/CSLIP or even PPP based on the information from the RADIUS server. Furthermore you can send accounting information to a RADIUS accounting server via a program called radacct which is also part of Radiusclient.
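The following is an added example of such a special login program, not the login.radius shipped with Radiusclient. It assumes that radlogin exports the reply attributes as the environment variables SERVICE_TYPE, FRAMED_PROTOCOL and FRAMED_IP_ADDRESS with the dictionary value names (Framed-User, PPP, ...), assumes USER holds the authenticated login name, and the pppd/sliplogin/rport paths are placeholders; it also applies the rule from the pppd attribute table that the two special Framed-IP-Address values are not real addresses.

```shell
#!/bin/sh
# Added example, not the login.radius shipped with Radiusclient: a minimal
# dispatcher for the "special login program" that radlogin runs after a
# successful RADIUS authentication.  ASSUMED (not stated in the README):
# radlogin exports the reply attributes as SERVICE_TYPE, FRAMED_PROTOCOL and
# FRAMED_IP_ADDRESS, using the dictionary value names (Framed-User, PPP, ...).

# The two special Framed-IP-Address values (NAS should pick / user may pick),
# in dotted-quad or hex spelling, are not addresses pppd should be given.
ip_is_usable() {
    case "$1" in
        ""|255.255.255.254|255.255.255.255|0xfffffffe|0xffffffff) return 1 ;;
        *) return 0 ;;
    esac
}

# Map the attributes to a session kind; prints one word so the decision can
# be checked without spawning anything.  Unknown combinations fail closed.
choose_service() {
    case "$1" in
        Framed*)
            case "$2" in
                PPP)  echo ppp ;;
                SLIP) echo slip ;;
                *)    echo deny ;;
            esac ;;
        Login*)    echo login ;;
        Outbound*) echo outbound ;;
        *)         echo deny ;;
    esac
}

# Entry point when used as the login program (runs as root under radlogin):
# attributes only select a fixed command, never supply a command string.
dispatch() {
    _svc=$(choose_service "${SERVICE_TYPE:-}" "${FRAMED_PROTOCOL:-}")
    case "$_svc" in
        ppp)  # pppd path and options are placeholders for the site's own
            if ip_is_usable "${FRAMED_IP_ADDRESS:-}"; then
                exec /usr/sbin/pppd ":${FRAMED_IP_ADDRESS}" proxyarp
            fi
            exec /usr/sbin/pppd proxyarp ;;
        slip)     exec /usr/sbin/sliplogin ;;
        login)    exec /bin/login -f "${USER:?no user name in environment}" ;;
        outbound) exec /usr/local/sbin/rport ;;
        *)        echo "login.radius: access denied" >&2; exit 1 ;;
    esac
}
if [ "${1:-}" = "--dispatch" ]; then dispatch; fi
```

Installed as /bin/login.radius it would be invoked with --dispatch; without that argument the file only defines the functions.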
Then unpack it in a directory which you normally use for keeping your source code. For example do:

    cd /usr/src
    gzip -dc radiusclient-x.x.x.tar.gz | tar xvvf -
You now should have a directory called radiusclient-x.x.x in which all the source code of Radiusclient is stored.
First edit the file MCONFIG in the top source directory to change the CFLAGS and LDFLAGS settings to your needs. MCONFIG is also the place to change the location of the installed programs and data. If you have shadow passwords you may have to put -lshadow into the LIBSHADOW variable. I say "may" here, because it isn't needed any more on newer Linux systems.
Look into include/config.h and make the necessary changes.
Have a look at src/messages.h if you'd like to change some of the messages there. But normally you shouldn't.
Doing make builds the executables.
Doing make install will install the executables and example versions of all the needed config and data files. Be careful: the installation process will overwrite existing files without asking you. Try make -n install to see which file goes where if you're unsure.
You will have to customize /bin/login.radius to your needs. At the time of this writing it is not very useful and it is not even installed. Take a look at the login.radius directory for a start.
You will have to look into radiusclient.conf, especially if you changed the position of some files in MCONFIG. The comments for each config item should explain enough to enable you to edit this file.
Add the following two lines to /etc/services if you don't already have them:

    radius   1645/udp   # RADIUS access requests
    radacct  1646/udp   # RADIUS accounting requests
Get your getty to execute radlogin instead of the normal login process. The method of how to do this varies from getty to getty.
* - -/radlogin @
For a Berkeley inetd you might use a line like this:

    <port-no> stream tcp nowait root /usr/local/sbin/radlogin

You can then telnet to this port and if you log in as an outbound user (Service-Type is set to Outbound in your RADIUS server database) you get connected to an outgoing modem.
Unfortunately telnet is not 8 bit clean. But there is a program called rport in the Radiusclient package which uses a pseudo tty to establish an interface between a normal serial program and the remote modem. Unfortunately rport isn't working right at the moment.
radlogin tries to find out if it got started from inetd and what
program is on the other side of the network connection (telnet or
rport). It does this by sending telnet options at the start
of the session. If it gets an answer from the remote side, it assumes
telnet.
If you want to disable automatic telnet detection you can disable
it with the -t option of radlogin.
radlogin tries to enable keepalive packets on the network link if possible to better detect link failure. If you want to disable this, specify the -d option on the radlogin command line.
An installed libradclient.a and radius.h are necessary to compile the patched version of pppd.
You have to specify "RADIUS=1" on the make command line of pppd, so that the RADIUS stuff gets compiled in. If you also want utmp/wtmp logging, please define "RADIUS_WTMP_LOGGING=1".
The patched pppd binary has a new command line option, radius, which enables RADIUS support: it enables authentication via RADIUS and also activates RADIUS accounting.
If you want to use the CHAP support, you have to patch your RADIUS server to understand the CHAP-Challenge attribute. A patch for the Merit radiusd 2.4.21 is included in the Radiusclient distribution. The patch doesn't work for version 2.4.20 and below, but should work with newer versions of Merit radiusd if my patch hasn't made it into the main source tree of Merit radiusd by then.
The normal Radiusclient configuration file (normally named radiusclient.conf) is used, with the exception that the authentication order specified in the configuration file (keyword auth_order) is only honoured if both the login and the radius command line options of pppd are specified. If only the radius option is used, only RADIUS authentication takes place. Of course you have to supply +pap or +chap on the command line as well, because without them no authentication takes place.
These patches are not very well tested; furthermore it is not possible to deactivate RADIUS accounting at the moment. The main problem at the moment is that I don't have a test bed for these patches, so any help is greatly appreciated.
RADIUS attributes supported by the current patch:

    Service-Type       Must be Framed. Otherwise RADIUS authentication fails.
    Framed-Protocol    Must be PPP. Otherwise RADIUS authentication fails.
    Framed-IP-Address  Is only used if it is a real IP address. The special
                       values 0xfffffffe (NAS should select IP address) and
                       0xffffffff (user should be allowed to select IP
                       address) are ignored at the moment, so other pppd
                       options take precedence.
    Framed-IP-Netmask  Is honoured.
    Idle-Timeout       Is honoured. Overrides the idle-disconnect command
                       line option.
    Session-Timeout    Not supported at the moment.
This code is in great part derived from the Merit RADIUS daemon which is available from ftp.merit.edu under /radius. I can greatly recommend it because it compiles cleanly under Linux and has a lot of features. Unfortunately the documentation is a little bit sparse. But I am not in a position to complain, just look at this program. Be warned that you need a named without the "Connection refused" bug if you want to run radiusd under Linux, unless you want radiusd to hang on nameserver queries.
The original RADIUS daemon code is available from ftp.livingston.com under /pub/livingston/radius.
The latest updates on the IETF RADIUS draft are also on the Livingston FTP server.
Miguel A.L. Paraz <map@iphil.net> (for his testing and suggestions)
Matjaz Godec <gody@elgo.si> (for the initial pppd patches)
If you like the Radiusclient software very much and/or are using it on a production machine please send me a postcard. My postal address is:

    Lars Fenneberg
    Boettgerstrasse 29
    22851 Norderstedt
    Germany
Programs in the Radiusclient package:

    radlogin
    radacct
    radstatus
    rport