The RADIUS server is a daemon that implements the RADIUS protocol and is used for AAA (Authentication, Authorization and Accounting):

Authentication - check that the user is who they claim to be
Authorization - grant access to resources
Accounting - track consumption of resources

A RADIUS client (on another machine) also needs to be set up. In this article I am using the 'FreeRADIUS' server.

Installation of FreeRADIUS from sunfreeware.com

Get the file from sunfreeware.com and unzip it.
> gunzip freeradius-1.1.7-sol10-sparc-local.gz
> pkgtrans freeradius-1.1.7-sol10-sparc-local .
The following packages are available:
  1  SMCfradius     freeradius
                    (sparc) 1.1.7

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
Transferring
> /usr/local/sbin/radiusd
Thu Apr 15 17:06:19 2010 : Info: Starting - reading configuration files ...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
client 127.0.0.1 {
        secret    = mysecret    # used to encrypt/sign packets between client and RADIUS server
        shortname = localhost
        nastype   = other       # localhost isn't usually a NAS (Network Access Server)
}
Usage: radtest user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]
> radtest test test localhost 0 test
Sending Access-Request of id 24 to 127.0.0.1 port 1812
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=24, length=20
rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
> radtest test test localhost 0 mysecret
Sending Access-Request of id 29 to 127.0.0.1 port 1812
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=29, length=20
> radtest root rootpasswd localhost 0 mysecret
Sending Access-Request of id 34 to 127.0.0.1 port 1812
        User-Name = "root"
        User-Password = "rootpasswd"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=34, length=20
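The rad_verify failure seen above with the wrong secret is the client recomputing the Response Authenticator and finding a mismatch. As an added example (not FreeRADIUS code), the Python below builds the Access-Request and the 20-byte Access-Reject in memory following RFC 2865 and checks the reply with the correct and an incorrect shared secret; the id 24 and the 'test'/'mysecret' values are taken from the session above, and the Request Authenticator is a constructed constant.

```python
import hashlib
import struct

# Added example, not FreeRADIUS code: just enough RFC 2865 framing to show why
# radtest rejects a reply when the client's shared secret does not match the server's.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def encrypt_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes too."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_request(ident: int, user: bytes, password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Client side: Code 1, 16-byte Request Authenticator, User-Name (1) and User-Password (2)."""
    attrs = attribute(1, user) + attribute(2, encrypt_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(resp: bytes, request: bytes, secret: bytes) -> bool:
    """Client side (what rad_verify does): recompute the authenticator with *our* secret."""
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return resp[1] == request[1] and expected == resp[4:20]


if __name__ == "__main__":
    req_auth = bytes(range(16))  # constructed; a real client uses 16 random bytes
    req = access_request(24, b"test", b"test", b"mysecret", req_auth)
    reject = response(ACCESS_REJECT, req, b"mysecret")  # 20-byte reply, as in the log above
    print("verify with mysecret:", verify_response(reject, req, b"mysecret"))  # True
    print("verify with test:    ", verify_response(reject, req, b"test"))      # False
```

Because the secret is only an input to the MD5 authenticator, a client with the wrong secret still receives the packet but cannot validate it, which is exactly the err=2 case radtest reports.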
client 192.168.xx.xxx {
        secret    = mysecret
        shortname = clients_hostname
        nastype   = other
}
# Use this module only for authentication
AuthOrder mod_radius.c

# Enable the module (set to off to disable it instead of commenting out all Radius* lines)
RadiusEngine on

# Define the RADIUS server for authentication; note the default port is 1812
# server:port shared-secret and timeout [if omitted, the default is 30 sec]
RadiusAuthServer radius-server:1812 mysecret 20

# Define the RADIUS server for accounting; note the default port is 1813
# server:port shared-secret and timeout [if omitted, the default is 30 sec]
RadiusAcctServer radius-server:1813 mysecret 20

# Log file
RadiusLog /var/log/proftpd/radius.log

# Without this, the RADIUS server can only do simple yes/no authentication.
# This returns additional info to the RADIUS client, like UID, GID, home and shell.
# Syntax: RadiusUserInfo uid gid home shell
# $(attribute-id:value): attribute-id is the Vendor-Specific Attribute the server
# may return; value is the default used when the reply does not carry that attribute
RadiusUserInfo $(1:3000) $(2:3001) $(3:/ftpuser) $(4:/usr/bin/tcsh)
Wed May 12 14:56:25 2010 : Auth: Login OK: [localuser/localpasswd] (from client oryx port 21 cli 135.225.31.12)
Wed May 12 14:56:54 2010 : Auth: Login OK: [nisuser/nispasswd] (from client oryx port 21 cli 135.225.31.12)
mod_radius/0.9[15729]: sending auth request packet
mod_radius/0.9[15729]: sending packet to 192.168.20.222:1812
mod_radius/0.9[15729]: receiving auth response packet
mod_radius/0.9[15729]: packet receive succeeded
mod_radius/0.9[15729]: verifying packet
mod_radius/0.9[15729]: authentication successful for user 'nisuser'
mod_radius/0.9[15729]: parsing packet for RadiusUserInfo attributes
mod_radius/0.9[15729]: packet includes invalid length (0) for attribute type 0, rejecting
mod_radius/0.9[15729]: packet lacks 'Unix' Vendor-Specific Attribute 1 for user ID: defaulting to '3000'
mod_radius/0.9[15729]: packet includes invalid length (0) for attribute type 0, rejecting
mod_radius/0.9[15729]: packet lacks 'Unix' Vendor-Specific Attribute 2 for group ID: defaulting to '3001'
mod_radius/0.9[15729]: packet includes invalid length (0) for attribute type 0, rejecting
mod_radius/0.9[15729]: packet lacks 'Unix' Vendor-Specific Attribute 3 for home directory: defaulting to '/ftpuser'
mod_radius/0.9[15729]: packet includes invalid length (0) for attribute type 0, rejecting
mod_radius/0.9[15729]: packet lacks 'Unix' Vendor-Specific Attribute 4 for shell: defaulting to '/usr/bin/tcsh'
mod_radius/0.9[15729]: sending start acct request packet
mod_radius/0.9[15729]: sending packet to 192.168.20.222:1813
mod_radius/0.9[15729]: receiving acct response packet
mod_radius/0.9[15729]: packet receive succeeded
mod_radius/0.9[15729]: verifying packet
mod_radius/0.9[15729]: accounting started for user 'nisuser'
# server[:port]          shared_secret   timeout (s)
radiusserver_name:1812   mysecret        3