7 (Also see the RADIUS Chapter in the manual.)
9 The below examples assume you're installing RADIUS in /etc/raddb but
10 you can place it anywhere if you change radius.h and recompile or use
11 the -d flag to tell it what directory to find its configuration files in.
13 If you have pminstall and aren't running NIS (Yellow Pages), run
14 pminstall and choose "Install RADIUS", then as root do
15 "chmod 700 /etc/raddb", then skip down to SETTING UP CLIENTS.
17 If you don't have pminstall, do the following:
19 Add the following 2 lines to /etc/services on your RADIUS server, or
20 if you're running NIS (Yellow Pages) add these lines to your services
21 NIS map on your NIS master and push the maps.
23 radius 1645/udp radiusd
26 Now execute the following commands as root:
29 mkdir /etc/raddb /usr/adm/radacct
30 chmod 700 /etc/raddb /usr/adm/radacct
32 Copy the contents of /usr/portmaster/radius/raddb into /etc/raddb.
33 Compile radiusd from /usr/portmaster/radius/src and place it in
34 /etc/radiusd or wherever you prefer.
40 The PortMaster's hostname and the shared secret are placed in
41 /etc/raddb/clients, separated by a tab. Your user entries are placed
42 in /etc/raddb/users. Examples of each can be found in clients.example
43 and users.example. You shouldn't need to change the dictionary file.
45 Start radiusd (you'll probably want to add this to /etc/rc.local or
46 some other file that gets run at system boot time).
50 radiusd -x will produce debugging output which may be helpful if things
51 don't seem to be working.
53 If radiusd has problems it'll print to /etc/raddb/logfile or /dev/console
56 Note that Framed-Compression defaults to on if you don't specify it,
57 so SLIP users who don't want VJ header compression MUST include
58 Framed-Compression = None.
60 Configure your PortMaster so that it knows which host the radiusd is
61 running on and what the shared secret is. On the PortMaster, set the
62 RADIUS server and the shared secret using the "set authentic" and "set
63 secret" commands, or from the Edit RADIUS menu on pmconsole. The
64 secret is case-sensitive and can be up to 16 characters long. Do not
65 use control characters in the secret. You can configure a backup
66 RADIUS server with "set alternate" but it's not required. Make sure
67 all ports have passthrough disabled with "set all security on" followed
68 by "reset all" (Warning! "reset all" will drop off anyone who's on the
69 port at the moment.) On older versions of ComOS you'll need to do "set
70 s0 security on", "set s1 security on", etc. Do a "save all" to save
71 the changes to nonvolatile memory.
73 The PortMaster will check its local User Table first, and if it doesn't
74 find the user there AND passthrough is disabled AND a RADIUS server is
75 set, it will then query the RADIUS server.
77 Make sure your DNS has an in-addr.arpa entry for the PortMaster if you're
78 using Rlogin to Linux.
80 If you're using Rlogin or PortMaster service and get prompted for the
81 password twice, you can add the PortMaster's hostname to your
82 /etc/hosts.equiv file to get rid of the second password prompt.
83 Do NOT do this if you're using Passthrough and not RADIUS!!!
85 If you're already in production with the User Table, a good way to
86 switch over to using RADIUS is first to add a user to RADIUS that's not
87 in the PortMaster's User Table, test with that, and when everything
88 checks out use pmreadpass (if on a supported platform) to copy everyone
89 from the PortMaster to the /etc/raddb/users file, then get rid of the
90 users in the PortMaster's local User Table. Edit the output from
91 pmreadpass to remove the ", Client-ID = 192.9.200.1" clause (the IP
92 address will match your PortMaster's IP address). pmreadpass is
93 included in release 3.1 of the PortMaster administration software.
94 You'll also need to modify Framed-Filter-Id if you have any.
96 Framed-Filter-Id = "std.ppp"
98 means that the input filter is std.ppp.in (if it exists) and the output
99 filter is std.ppp.out (if it exists).
projects / freeradius.git / blob