4 Cistron Radius now uses autoconf - some of the default directories
5 have changed! Configuration is now by default in /usr/local/etc/raddb,
6 and logfiles are in /usr/local/var/log/ ....
11 This is version 1.6-alphaX of the Cistron Radius daemon.
13 *** THIS IS AN ALPHA VERSION! IT MIGHT NOT WORK ***
15 All code in this server was written from scratch.
17 The server is mostly compatible with livingston radiusd-2.01
18 (no menus or s/key support though) but with more feautures, such as:
20 o Can limit max. number of simultaneous logins on a per-user basis!
21 o Multiple DEFAULT entries, that can optionally fall-through.
22 o In fact, every entry can fall-through
23 o Deny/permit access based on huntgroup users dials into
24 o Set certain parameters (such as static IP address) based on huntgroup
25 o Extra "hints" file that can select SLIP/PPP/rlogin based on
26 username pattern (Puser or user.ppp is PPP, plain "user" is rlogin etc).
27 o Can execute an external program when user has authenticated (for example
28 to run a sendmail queue).
29 o Can use `$INCLUDE filename' in users and dictionary files
30 o Can act as a proxy server, relaying requests to a remote server
31 o Supports Vendor-Specific attributes
32 o No good documentation at all, just like the original radiusd 1.16!
34 Work on real manual pages is progressing slowly. For a large part you
35 can use the documentation of the Livingston 2.01 server. Just remember
36 that using Prefix and Suffix in both the "users" and the (cistron-radiusd
37 specific) "hints" file will give unpredictable results. Well actually
38 it will result in Prefix and Suffix probably not working in the "users"
39 file if you already stripped them off in the "hints" file.
41 The documentation of the Livingston server is available on the web at:
42 http://www.livingston.com/Tech/Docs/RADIUS/guide/
44 Extra command line flags:
45 o -y: log all login attempts in /var/log/radius.log, include (wrong)
46 password for failed logins.
47 o -z: log the password of successful logins too (STRONLY discouraged).
51 Ignore this section (2) if you have a pre-installed binary package.
53 Radiusd now has autoconf support. This means you have to run
54 ./configure --flags, then run make. You can set the following flags:
56 --prefix= Prefix to install (default: /usr/local)
57 --localstatedir= Base prefix for the logfiles. Defaults
59 --with-logdir=DIR Directory for radutmp, radwtmp and radius.log.
60 Defaults to LOCALSTATEDIR/log
61 --with-radacctdir=DIR Directory for the detail files. Defaults to
63 --sysconfdir Base prefix for the raddb directory. Defaults to
65 --with-raddbdir=DIR Configuration files. Defaults to SYSCONFDIR/raddb
66 --with-dbm Include DBM support (Old-style DBM)
67 --with-ndbm Include NDBM support
68 --with-pam Include PAM support
69 --with-ascend-hack Include Ascend hacks
70 --with-ascend-cpl=N Set Ascend Channels Per Line to N
71 --with-ntdomain-hack Include NT Domain hack (strip first part of
72 NT_DOMAIN\loginname if seen)
73 --with-spcj-hack Include Specialix Jetstream hacks
74 --with-dict-nocase Make dictionary case-independant
75 --without-dynamic-modules
76 Turn off dynamic modules even if your
79 To get the defaults that Cistron Radius used up to 1.5.4.3-beta18, use:
81 ./configure --localstatedir=/var --sysconfdir=/etc
83 That means binaries will get installed in /usr/local/{bin,sbin},
84 manpages in /usr/local/man, configuration files in /etc/raddb,
85 and logfiles in /var/log and /var/log/radacct.
87 Now type "make". The binaries will be compiled.
89 Then you do a "make install". That will install JUST the binaries
90 for now. You need to install the rest by hand like this:
92 o Copy the examples in raddb to /etc/raddb and edit+rename the sample files.
93 o If you have a Debian system, you might want to install rc.radiusd
94 as /etc/init.d/radiusd and install startup symlinks with
95 "update-rc.d radiusd defaults".
96 o If you use rc.radiusd, also install radwatch in /usr/local/sbin.
97 o Start radiusd (using /etc/init.d/radiusd start if applicable).
101 You can use last -f /var/log/radwtmp to get last info on all users.
102 You can use "radwho" at any time to find out who's logged in.
103 If you want, you can install "radwho" as /usr/sbin/in.fingerd.
104 Also, the "raduse" program can be very useful to monitor your modem pool.
106 4. CONFIGURATION FILES
108 For every file there is a fully commented example file included, that
109 explains what is does and how to use it. Read those sample files too!
113 Make sure the clients (portmasters, Linux with portslave etc) are set up to
114 use the host radiusd is running on as authentication and accounting host.
115 Configure these clients to use a "radius secret password". For every client,
116 also enter this "secret password" into the file /etc/raddb/clients.
117 See also the manual page for clients(5rad).
121 Every NAS (Network Access Server, also known as terminal server) should have
122 an entry in this file with an abbreviated name and the type of NAS it
123 is. Currently Cistron Radius supports the following NAS types:
125 Terminal Server Type in naslist
127 3Com/USR Hiper Arc Total Control usrhiper
128 3Com/USR NetServer netserver
129 3Com/USR TotalControl tc
130 Ascend Max 4000 family max40xx
131 Cisco Access Server family cisco
132 Cistron PortSlave portslave
133 Computone PowerRack computone
134 Cyclades PathRAS pathras
135 Livingston PortMaster livingston
136 Multitech CommPlete Server multitech
137 Patton 2800 family patton
139 Usually this is the same list as in the "clients" file, but not every
140 NAS is a client and not every client is a NAS (this will start to make
141 sense if you use radius proxy servers).
145 If ``checkrad'' needs to login on your terminal server to check who
146 is online on a certain port (i.e. it's not possible to use SNMP or
147 finger) you need to define a loginname and password here.
149 This is normally ONLY needed for USR/3Com Total Control, NetServer and
150 Cyclades PathRAS terminal servers!
154 Customize the /etc/raddb/hints file. This file is used to give users a
155 different login type based on a prefix/suffix of their loginname. For
156 example, logging in as "user" may result in a rlogin session to a Unix
157 system, and logging in as "Puser" could start a PPP session.
161 This is the /etc/raddb/huntgroups file. Here you can define different
162 huntgroups. These can be used to:
164 - restrict access to certain huntgroups to certain users/groups of
165 users (define this in the huntgroups file itself)
166 - match a loginname with a huntgroup in /etc/raddb/users. One use
167 for this is to give a user a static IP address based on the
168 huntgroup / Point of Presence (s)he dials in to.
172 With the original RADIUS server, every user had to be defined in this
173 file. There could be one default entry, where you could for example
174 define that a user not in the radius file would be checked agains the
175 UNIX password file and on succesfull login would get a PPP connection.
177 In the new style file, you can define multiple DEFAULT entries. All
178 entries are processed in the order as they appear in the users file.
179 If an entry matches the username, radiusd will stop scanning the users
180 file unless the attribute "Fall-Through = Yes" is set.
182 You can uses spaces in usernames by escaping them with \ or by using
183 quotes. For example, "joe user" or joe\ user.
185 The Cistron Radiusd does not trim any spaces from a username received
186 from the portmaster (livingston does, in perl notation, $user =~ s/\s+.*//;)
188 4f. NEW RADIUS ATTRIBUTES (to be used in the USERS file).
192 Simultaneous-Use integer Max. number of concurrent logins
193 Fall-Through integer Yes/No
194 Exec-Program string program to execute after authentication
195 Exec-Program-Wait string ditto, but wait for program to finish
196 before sending back auth. reply
197 Login-Time string Defines when user may login.
199 Exec-Program can take arguments. You can use macros in the arguments:
201 Taken from the original request:
205 %a Protocol (SLIP/PPP)
206 %s Speed (connect string - eg "28800/V42.BIS")
207 %i Calling Station ID
209 Taken from the reply as defined thusfar:
214 For example, use the following entry for someone who has BSMTP (queued
215 SMTP) service. "brunq" is the program that runs the SMTP queue.
217 robert Service-Type = Framed-User
218 Exec-Program = "/usr/local/sbin/brunq -h %f delta",
221 The output from Exec-Program-Wait is parsed by the radius server. If
222 it looks like Attribute/Value pairs, they are decoded and added to the
223 reply sent to the NAS. This way, you can for example set Session-Timeout.
225 For backwards compatibility, if the output doesn't look like valid
226 radius A/V pairs, the output is taken as a message and added to the
227 reply sent to the NAS as Port-Message.
229 If Exec-Program-Wait returns a non-zero exit status, access will be
230 denied to the user. With a zero-exit status, access is granted.
232 Login-Time defines the time span a user may login to the system. The
233 format of a so-called time string is like the format used by UUCP.
234 A time string may be a list of simple time strings separated by "|" or ",".
236 Each simple time string must begin with a day definition. That can be just
237 one day, multiple days, or a range of days separated by a hyphen. A
238 day is Mo, Tu, We, Th, Fr, Sa or Su, or Wk for Mo-Fr. "Any" or "Al"
241 After that a range of hours follows in hhmm-hhmm format.
243 For example, "Wk2305-0855,Sa,Su2305-1655".
245 Radiusd calculates the number of seconds left in the time span, and
246 sets the Session-Timeout to that number of seconds. So if someones
247 Login-Time is "Al0800-1800" and she logs in at 17:30, Session-Timeout
248 is set to 1800 seconds so that she is kicked off at 18:00.
254 In this file the currently logged in users are held. The program "radwho"
255 reads this file and gives you a summary. Rogue sessions can be deleted
256 from this file with the "radzap" program.
260 This file is "wtmp" compatible and keeps a history of all radius logins/
261 logouts. This file can be read with the "last" program, and other Unix
262 accounting programs (such as "ac" and "sac") can be used to produce a
265 5c. /var/log/radius.log
267 All RADIUS informational. diagnostic and error messages are logged in
268 this file. If radiusd has been started with the "-y" flag, all logins
269 attempts will be logged in this file. For failed logins, the wrong password
270 will also be logged. With the "-z" flag, the passwords for successful
271 logins will be logged as well. That's pretty dangerous though in case
272 anyone unpriviliged ever manages to get access to this file!
274 5d. /var/log/radacct/<terminal_server>/detail
276 This is the original radius logfile, as written by all the livingston
277 radius servers. It's only created if the directory /var/log/radacct exists.
278 The <terminal_server> name is the short name if one is defined in
281 6. MORE INFO, SUPPORT
283 I know that the documentation provided is sparse. However it is not in
284 the scope of the radius server to provide a guide as to how terminal
285 servers works and how the RADIUS protocol works and is used.
287 Unfortunately I do not have too much time myself to answer all questions
288 that might arise through email - you can always try sending me email,
289 ofcourse, but I cannot guarantee a reply, depends on how much time I have.
291 The latest version of Cistron Radius is always available from
292 http://www.www.cistron.nl/radius/
294 There is a majordomo mailing list hosted by Cistron Internet Services. Send
295 a message with "help" in the body to cistron-radius-request@info.cistron.nl.
296 You can browse the archive of this mailing list at
297 http://info.cistron.nl/archives/cistron-radius/
299 There are a few other mailing lists that might offer some help:
301 You can also try the the linux-isp mailing list, which on a lot of sites
302 used to be accessible as the newsgroup linux.admin.isp (not anymore).
303 For the mailing list, send a message with "help" in the body to
304 linuxisp-request@friendly.jeffnet.org. Several people on that list are
305 successfully using this software.
307 There is a linux-radius list run by miguel a.l. paraz <map@iphil.net>.
308 See http://www.iphil.net/~map/radius/ for details.
310 Then ofcourse for general RADIUS questions, especially if you are using
311 Livingston / Lucent RABU equipment, there is the portmaster-radius mailing
312 list. Send mail to portmaster-radius-request@livingston.com to find
313 out how to subscribe.
316 README 1.6-alpha2 Miquel van Smoorenburg <miquels@cistron.nl> 11-Aug-1999