4 FreeRadius now uses autoconf - some of the default directories
5 have changed! Configuration is now by default in /usr/local/etc/raddb,
6 and logfiles are in /usr/local/var/log/ ....
11 This is version 0.1 of the FreeRadius daemon.
13 *** THIS IS AN ALPHA VERSION! IT MIGHT NOT WORK ***
15 All code in this server was written from scratch.
17 The server is mostly compatible with livingston radiusd-2.01
18 (no menus or s/key support though) but with more feautures, such as:
20 o Can limit max. number of simultaneous logins on a per-user basis!
21 o Multiple DEFAULT entries, that can optionally fall-through.
22 o In fact, every entry can fall-through
23 o Deny/permit access based on huntgroup users dials into
24 o Set certain parameters (such as static IP address) based on huntgroup
25 o Extra "hints" file that can select SLIP/PPP/rlogin based on
26 username pattern (Puser or user.ppp is PPP, plain "user" is rlogin etc).
27 o Can execute an external program when user has authenticated (for example
28 to run a sendmail queue).
29 o Can use `$INCLUDE filename' in users and dictionary files
30 o Can act as a proxy server, relaying requests to a remote server
31 o Supports Vendor-Specific attributes
32 o No good documentation at all, just like the original radiusd 1.16!
34 Work on real manual pages is progressing slowly. For a large part you
35 can use the documentation of the Livingston 2.01 server. Just remember
36 that using Prefix and Suffix in both the "users" and the (FreeRadius
37 specific) "hints" file will give unpredictable results. Well actually
38 it will result in Prefix and Suffix probably not working in the "users"
39 file if you already stripped them off in the "hints" file.
41 The documentation of the Livingston server is available on the web at:
42 http://www.livingston.com/Tech/Docs/RADIUS/guide/
44 Extra command line flags:
45 o -y: log all login attempts in /var/log/radius.log, include (wrong)
46 password for failed logins.
47 o -z: log the password of successful logins, too (STRONGLY discouraged).
51 Ignore this section (2) if you have a pre-installed binary package.
53 Radiusd now has autoconf support. This means you have to run
54 ./configure --flags, then run make. You can set the following flags:
56 --prefix= Prefix to install (default: /usr/local)
57 --localstatedir= Base prefix for the logfiles. Defaults
59 --with-logdir=DIR Directory for radutmp, radwtmp and radius.log.
60 Defaults to ${localstatedir}/log
61 --with-radacctdir=DIR Directory for the detail files. Defaults to
63 --sysconfdir Base prefix for the raddb directory. Defaults to
65 --with-raddbdir=DIR Configuration files. Defaults to ${sysconfdir}/raddb
66 --with-dbm Include DBM support (Old-style DBM)
67 --with-ndbm Include NDBM support
68 --with-ascend-hack Include Ascend hacks
69 --with-ascend-cpl=N Set Ascend Channels Per Line to N
70 --with-ntdomain-hack Include NT Domain hack (strip first part of
71 NT_DOMAIN\loginname if seen)
72 --with-spcj-hack Include Specialix Jetstream hacks
73 --with-dict-nocase Make dictionary case-independant
74 --without-dynamic-modules
75 Turn off dynamic modules even if your
77 --without-attrib-nmc Turn off support for USR-style vendor specific
79 --without-ascend-binary
80 Turn off support for Ascend binary filter attributes.
82 To get the defaults that Cistron Radius used up to 1.5.4.3-beta18, use:
84 ./configure --localstatedir=/var --sysconfdir=/etc
86 That means binaries will get installed in /usr/local/{bin,sbin},
87 manpages in /usr/local/man, configuration files in /etc/raddb,
88 and logfiles in /var/log and /var/log/radacct.
90 Now type "make". The binaries will be compiled.
92 Then you do a "make install". That will install JUST the binaries
93 for now. You need to install the rest by hand like this:
95 o Copy the examples in raddb to /etc/raddb and edit+rename the sample files.
96 o If you have a Debian system, you might want to install rc.radiusd
97 as /etc/init.d/radiusd and install startup symlinks with
98 "update-rc.d radiusd defaults".
99 o If you use rc.radiusd, also install radwatch in /usr/local/sbin.
100 o Start radiusd (using /etc/init.d/radiusd start if applicable).
104 You can use last -f /var/log/radwtmp to get last info on all users.
105 You can use "radwho" at any time to find out who's logged in.
106 If you want, you can install "radwho" as /usr/sbin/in.fingerd.
107 Also, the "raduse" program can be very useful to monitor your modem pool.
109 4. CONFIGURATION FILES
111 For every file there is a fully commented example file included, that
112 explains what is does and how to use it. Read those sample files too!
116 Make sure the clients (portmasters, Linux with portslave etc) are set up to
117 use the host radiusd is running on as authentication and accounting host.
118 Configure these clients to use a "radius secret password". For every client,
119 also enter this "secret password" into the file /etc/raddb/clients.
120 See also the manual page for clients(5rad).
124 Every NAS (Network Access Server, also known as terminal server) should have
125 an entry in this file with an abbreviated name and the type of NAS it
126 is. Currently FreeRadius supports the following NAS types:
128 Terminal Server Type in naslist
130 3Com/USR Hiper Arc Total Control usrhiper
131 3Com/USR NetServer netserver
132 3Com/USR TotalControl tc
133 Ascend Max 4000 family max40xx
134 Cisco Access Server family cisco
135 Cistron PortSlave portslave
136 Computone PowerRack computone
137 Cyclades PathRAS pathras
138 Livingston PortMaster livingston
139 Multitech CommPlete Server multitech
140 Patton 2800 family patton
142 Usually this is the same list as in the "clients" file, but not every
143 NAS is a client and not every client is a NAS (this will start to make
144 sense if you use radius proxy servers).
148 If ``checkrad'' needs to login on your terminal server to check who
149 is online on a certain port (i.e. it's not possible to use SNMP or
150 finger) you need to define a loginname and password here.
152 This is normally ONLY needed for USR/3Com Total Control, NetServer and
153 Cyclades PathRAS terminal servers!
157 Customize the /etc/raddb/hints file. This file is used to give users a
158 different login type based on a prefix/suffix of their loginname. For
159 example, logging in as "user" may result in a rlogin session to a Unix
160 system, and logging in as "Puser" could start a PPP session.
164 This is the /etc/raddb/huntgroups file. Here you can define different
165 huntgroups. These can be used to:
167 - restrict access to certain huntgroups to certain users/groups of
168 users (define this in the huntgroups file itself)
169 - match a loginname with a huntgroup in /etc/raddb/users. One use
170 for this is to give a user a static IP address based on the
171 huntgroup / Point of Presence (s)he dials in to.
175 With the original RADIUS server, every user had to be defined in this
176 file. There could be one default entry, where you could for example
177 define that a user not in the radius file would be checked agains the
178 UNIX password file and on succesfull login would get a PPP connection.
180 In the new style file, you can define multiple DEFAULT entries. All
181 entries are processed in the order as they appear in the users file.
182 If an entry matches the username, radiusd will stop scanning the users
183 file unless the attribute "Fall-Through = Yes" is set.
185 You can uses spaces in usernames by escaping them with \ or by using
186 quotes. For example, "joe user" or joe\ user.
188 The FreeRadius server does not trim any spaces from a username received
189 from the portmaster (livingston does, in perl notation, $user =~ s/\s+.*//;)
191 4f. NEW RADIUS ATTRIBUTES (to be used in the USERS file).
195 Simultaneous-Use integer Max. number of concurrent logins
196 Fall-Through integer Yes/No
197 Exec-Program string program to execute after authentication
198 Exec-Program-Wait string ditto, but wait for program to finish
199 before sending back auth. reply
200 Login-Time string Defines when user may login.
202 Exec-Program can take arguments. You can use macros in the arguments:
204 Taken from the original request:
208 %a Protocol (SLIP/PPP)
209 %s Speed (connect string - eg "28800/V42.BIS")
210 %i Calling Station ID
212 Taken from the reply as defined thusfar:
217 For example, use the following entry for someone who has BSMTP (queued
218 SMTP) service. "brunq" is the program that runs the SMTP queue.
220 robert Service-Type = Framed-User
221 Exec-Program = "/usr/local/sbin/brunq -h %f delta",
224 The output from Exec-Program-Wait is parsed by the radius server. If
225 it looks like Attribute/Value pairs, they are decoded and added to the
226 reply sent to the NAS. This way, you can for example set Session-Timeout.
228 For backwards compatibility, if the output doesn't look like valid
229 radius A/V pairs, the output is taken as a message and added to the
230 reply sent to the NAS as Port-Message.
232 If Exec-Program-Wait returns a non-zero exit status, access will be
233 denied to the user. With a zero-exit status, access is granted.
235 Login-Time defines the time span a user may login to the system. The
236 format of a so-called time string is like the format used by UUCP.
237 A time string may be a list of simple time strings separated by "|" or ",".
239 Each simple time string must begin with a day definition. That can be just
240 one day, multiple days, or a range of days separated by a hyphen. A
241 day is Mo, Tu, We, Th, Fr, Sa or Su, or Wk for Mo-Fr. "Any" or "Al"
244 After that a range of hours follows in hhmm-hhmm format.
246 For example, "Wk2305-0855,Sa,Su2305-1655".
248 Radiusd calculates the number of seconds left in the time span, and
249 sets the Session-Timeout to that number of seconds. So if someones
250 Login-Time is "Al0800-1800" and she logs in at 17:30, Session-Timeout
251 is set to 1800 seconds so that she is kicked off at 18:00.
257 In this file the currently logged in users are held. The program "radwho"
258 reads this file and gives you a summary. Rogue sessions can be deleted
259 from this file with the "radzap" program.
263 This file is "wtmp" compatible and keeps a history of all radius logins/
264 logouts. This file can be read with the "last" program, and other Unix
265 accounting programs (such as "ac" and "sac") can be used to produce a
268 5c. /var/log/radius.log
270 All RADIUS informational. diagnostic and error messages are logged in
271 this file. If radiusd has been started with the "-y" flag, all logins
272 attempts will be logged in this file. For failed logins, the wrong password
273 will also be logged. With the "-z" flag, the passwords for successful
274 logins will be logged as well. That's pretty dangerous though in case
275 anyone unpriviliged ever manages to get access to this file!
277 5d. /var/log/radacct/<terminal_server>/detail
279 This is the original radius logfile, as written by all the livingston
280 radius servers. It's only created if the directory /var/log/radacct exists.
281 The <terminal_server> name is the short name if one is defined in
284 6. MORE INFO, SUPPORT
286 We know that the documentation provided is sparse. However it is not in
287 the scope of the radius server to provide a guide as to how terminal
288 servers works and how the RADIUS protocol works and is used.
290 The latest version of FreeRadius is always available through
291 anonymous CVS from cvs.freeradius.org - for more info, see
292 http://www.freeradius.org/
294 There is a majordomo mailing list hosted by Cistron Internet Services.
295 This list is mainly meant for developers of FreeRadius - as soon
296 as we have a BETA version, there will be a freeradius-users list.
297 To subscribe to the developers list, send a message with "help" in the
298 body to freeradius-devel-request@info.cistron.nl.
299 You can browse the archive of this mailing list at
300 http://info.cistron.nl/archives/freeradius-devel/
302 There are a few other mailing lists that might offer some help:
304 There is a linux-radius list run by miguel a.l. paraz <map@iphil.net>.
305 See http://www.iphil.net/~map/radius/ for details.
307 Then ofcourse for general RADIUS questions, especially if you are using
308 Livingston / Lucent RABU equipment, there is the portmaster-radius mailing
309 list. Send mail to portmaster-radius-request@livingston.com to find
310 out how to subscribe.
313 README 0.1-alpha Miquel van Smoorenburg <miquels@cistron.nl> 21-Aug-1999