File: README

package info (click to toggle)
xtradius 1.1-pre2-1
  • links: PTS
  • area: main
  • in suites: woody
  • size: 880 kB
  • ctags: 803
  • sloc: ansic: 8,719; perl: 651; sh: 219; makefile: 116; sql: 21
file content (302 lines) | stat: -rw-r--r-- 12,914 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
 

0. WARNING!

  Since version 1.5.4 of the Cistron RADIUS server the `clients'
  file has been broken up into 2 seperate files: `clients' and `naslist'.
  See 4a. and 4b. !!

1. INTRO

  This is version 1.6 of the Cistron Radius daemon. Most of
  the code was taken from radius-1.16 by Livingston Enterprises,
  available from ftp.livingston.com.  It is taken from the 1.5.4.3
  release, with a few patches.

  The server is mostly compatible with livingston radiusd-2.01
  (no menus or s/key support though) but with more feautures, such as:

    o Can limit max. number of simultaneous logins on a per-user basis!
    o Multiple DEFAULT entries, that can optionally fall-through.
    o In fact, every entry can fall-through
    o Deny/permit access based on huntgroup users dials into
    o Set certain parameters (such as static IP address) based on huntgroup
    o Extra "hints" file that can select SLIP/PPP/rlogin based on
      username pattern (Puser or user.ppp is PPP, plain "user" is rlogin etc).
    o Can execute an external program when user has authenticated (for example
      to run a sendmail queue).
    o Can use `$INCLUDE filename' in users and dictionary files
    o Can act as a proxy server, relaying requests to a remote server
    o Supports Vendor-Specific attributes
    o No good documentation at all, just like the original radiusd 1.16!

  Work on real manual pages is progressing slowly. For a large part you
  can use the documentation of the Livingston 2.01 server. Just remember
  that using Prefix and Suffix in both the "users" and the (cistron-radiusd
  specific) "hints" file will give unpredictable results. Well actually
  it will result in Prefix and Suffix probably not working in the "users"
  file if you already stripped them off in the "hints" file.

  The documentation of the Livingston server is available on the web at:
  http://www.livingston.com/Tech/Docs/RADIUS/guide/

  Extra command line flags:
  o -y: log all login attempts in /var/log/radius.log, include (wrong)
        password for failed logins.
  o -z: log the password of successful logins too (STRONLY discouraged).

2. COMPILE

  Ignore this section (2) if you have a pre-installed binary package.

  You will need to:

  o Edit src/conf.h to adjust the paths for the logfiles.
  o If you have Ascend gear, adjust ASCEND_CHANNELS_PER_LINE
    in src/conf.h to be correct for your ISDN connection!
  o Edit src/Makefile
    Defines:  DBM             DBM support
              NDBM            NDBM support (mutually exclusive)
                              NOTE: DBM/NDBM support isn't well tested
              NOSHADOW        Don't compile in shadow support
              NT_DOMAIN_HACK  Strip first part of NT_DOMAIN\loginname
              SPECIALIX_JETSTREAM_HACK
                              Fixes for Specialix Jetstream
              NOCASE          Dictionary file is case insensitive

  o Copy the examples in raddb to /etc/raddb and edit+rename the sample files.
  o If you have a Debian system, you might want to install rc.radiusd
    as /etc/init.d/radiusd and install startup symlinks with
    "update-rc.d radiusd defaults".
  o If you use rc.radiusd, also install radwatch in /usr/local/sbin.
  o Read the manual page for radiusd(8rad) and see if you need to
    specify any special options on the command line.
  o Start radiusd (using /etc/init.d/radiusd start if applicable).

3. USAGE

  You can use last -f /var/log/radwtmp to get last info on all users.
  You can use "radwho" at any time to find out who's logged in.
  If you want, you can install "radwho" as /usr/sbin/in.fingerd.
  Also, the "raduse" program can be very useful to monitor your modem pool.

4. CONFIGURATION FILES

  For every file there is a fully commented example file included, that
  explains what is does and how to use it. Read those sample files too!

4a. CLIENTS

  Make sure the clients (portmasters, Linux with portslave etc) are set up to
  use the host radiusd is running on as authentication and accounting host.
  Configure these clients to use a "radius secret password". For every client,
  also enter this "secret password" into the file /etc/raddb/clients.
  See also the manual page for clients(5rad).

4b. NASLIST

  Every NAS (Network Access Server, also known as terminal server) should have
  an entry in this file with an abbreviated name and the type of NAS it is
  (Cisco, Livingston or Portslave). Usually this is the same list as in the
  "clients" file, but not every NAS is a client and not every client is a NAS
  (this will start to make sense if you use radius proxy servers).

  Since version 1.6.4, the defaults in the "naslist" file will be just
  fine for most installations, unless you want to control simultaneous-use
  (see also README.simul).

4c. NASPASSWD

  If ``checkrad'' needs to login on your terminal server to check who
  is online on a certain port (i.e. it's not possible to use SNMP or
  finger) you need to define a loginname and password here.

  This is normally ONLY needed for USR/3Com Total Control terminal servers!

4c. HINTS

  Customize the /etc/raddb/hints file. This file is used to give users a
  different login type based on a prefix/suffix of their loginname. For
  example, logging in as "user" may result in a rlogin session to a Unix
  system, and logging in as "Puser" could start a PPP session.

4d. HUNTGROUPS

  This is the /etc/raddb/huntgroups file. Here you can define different
  huntgroups. These can be used to:

    - restrict access to certain huntgroups to certain users/groups of
      users (define this in the huntgroups file itself)
    - match a loginname with a huntgroup in /etc/raddb/users. One use
      for this is to give a user a static IP address based on the
      huntgroup / Point of Presence  (s)he dials in to.

4e. USERS

  With the original RADIUS server, every user had to be defined in this
  file. There could be one default entry, where you could for example
  define that a user not in the radius file would be checked agains the
  UNIX password file and on succesfull login would get a PPP connection.

  In the new style file, you can define multiple DEFAULT entries. All
  entries are processed in the order as they appear in the users file.
  If an entry matches the username, radiusd will stop scanning the users
  file unless the attribute "Fall-Through = Yes" is set.

  You can uses spaces in usernames by escaping them with \ or by using
  quotes. For example, "joe user" or joe\ user.

  The Cistron Radiusd does not trim any spaces from a username received
  from the portmaster (livingston does, in perl notation, $user =~ s/\s+.*//;)

4f. NEW RADIUS ATTRIBUTES (to be used in the USERS file).

  Name			Type		Descr.
  ----			----		------
  Simultaneous-Use	integer		Max. number of concurrent logins
  Fall-Through		integer		Yes/No
  Exec-Program		string		program to execute after authentication
  Exec-Program-Wait	string		ditto, but wait for program to finish
  					before sending back auth. reply
  Login-Time		string		Defines when user may login.

  Exec-Program can take arguments. You can use macros in the arguments:

  Taken from the original request:
    %p   Port number
    %n   NAS IP address
    %u   User name
    %a   Protocol (SLIP/PPP)
    %s   Speed (connect string - eg "28800/V42.BIS")
    %i   Calling Station ID

  Taken from the reply as defined thusfar:
    %f   Framed IP address
    %c   Callback-Number
    %t   MTU

  For example, use the following entry for someone who has BSMTP (queued
  SMTP) service. "brunq" is the program that runs the SMTP queue.

  robert	Service-Type = Framed-User
  		Exec-Program = "/usr/local/sbin/brunq -h %f delta",
  		Fall-Through = 1

  The output from Exec-Program-Wait is parsed by the radius server. If
  it looks like Attribute/Value pairs, they are decoded and added to the
  reply sent to the NAS. This way, you can for example set Session-Timeout.

  For backwards compatibility, if the output doesn't look like valid
  radius A/V pairs, the output is taken as a message and added to the
  reply sent to the NAS as Port-Message.

  If Exec-Program-Wait returns a non-zero exit status, access will be
  denied to the user. With a zero-exit status, access is granted.


  Login-Time defines the time span a user may login to the system. The
  format of a so-called time string is like the format used by UUCP.
  A time string may be a list of simple time strings separated by "|" or ",".

  Each simple time string must begin with a day definition. That can be just
  one day, multiple days, or a range of days separated by a hyphen. A
  day is Mo, Tu, We, Th, Fr, Sa or Su, or Wk for Mo-Fr. "Any" or "Al"
  means all days.

  After that a range of hours follows in hhmm-hhmm format.

  For example, "Wk2305-0855,Sa,Su2305-1655".

  Radiusd calculates the number of seconds left in the time span, and
  sets the Session-Timeout to that number of seconds. So if someones
  Login-Time is "Al0800-1800" and she logs in at 17:30, Session-Timeout
  is set to 1800 seconds so that she is kicked off at 18:00.


5. LOG FILES

5a. /var/log/radutmp

  In this file the currently logged in users are held. The program "radwho"
  reads this file and gives you a summary. Rogue sessions can be deleted
  from this file with the "radzap" program.

5b. /var/log/radwtmp

  This file is "wtmp" compatible and keeps a history of all radius logins/
  logouts. This file can be read with the "last" program, and other Unix
  accounting programs (such as "ac" and "sac") can be used to produce a
  summary.

  However you should NOT send bills based on this file. It is not really
  accurate. If you do usage-based billing, base it on the "Stop" records
  in the "detail" file(s). And be ware of duplicate stop records.

5c. /var/log/radius.log

  All RADIUS informational. diagnostic and error messages are logged in
  this file.  If radiusd has been started with the "-y" flag, all logins
  attempts will be logged in this file. For failed logins, the wrong password
  will also be logged.  With the "-z" flag, the passwords for successful
  logins will be logged as well. That's pretty dangerous though in case
  anyone unpriviliged ever manages to get access to this file!

5d. /var/log/radacct/<terminal_server>/detail

  This is the original radius logfile, as written by all the livingston
  radius servers. It's only created if the directory /var/log/radacct exists.

  The <terminal_server> name is found by checking the following in order:

  o the "shortname" as defined for this NAS in /etc/raddb/naslist
  o the DEFAULT "shortname" found in /etc/raddb/naslist
  o the name found in the DNS for the IP address of the terminal server
  o the IP address of the terminal server

6.  MORE INFO, SUPPORT

  I know that the documentation provided is sparse. However it is not in
  the scope of the radius server to provide a guide as to how terminal
  servers works and how the RADIUS protocol works and is used.

  Unfortunately I do not have too much time myself to answer all questions
  that might arise through email - you can always try sending me email,
  ofcourse, but I cannot guarantee a reply, depends on how much time I have.

  The latest version of Cistron Radius is always available from either
  http://www.miquels.cistron.nl/radius/ or http://www.freeradius.org/
  Check both of them to be sure, they might not always be in sync.

  There is a majordomo mailing list hosted by Cistron Internet Services. Send
  a message with "help" in the body to cistron-radius-request@info.cistron.nl.
  You can browse the archive of this mailing list at
  http://info.cistron.nl/archives/cistron-radius/

  There are a few other mailing lists that might offer some help:

  The linux-radius list run by miguel a.l. paraz <map@iphil.net> is now
  shut down.  It was very low volume, so the loss might not be traumatic.

  Then, of course, for general RADIUS questions, especially if you are using
  Livingston  / Lucent RABU equipment, there is the portmaster-radius mailing
  list. Send mail to portmaster-radius-request@livingston.com to find
  out how to subscribe.

7. FREERADIUS

  In August 1999 a big rewrite of the Cistron Radius server source code
  was done. The result will not become the next version of Cistron Radius,
  but has been renamed to "FreeRadius".

  Cistron Radius will not be developed anymore, except for bugfixes.
  All development effort is now directed at FreeRadius. The new server
  is licensed under the GNU General Public License (GNU GPL).

  FreeRadius is in Alpha at the time of this writing and is _not_ suited
  for production use. However if you are interested, feel free to have
  a look at http://www.freeradius.org/ or at the mailing list archives
  at http://info.cistron.nl/archives/freeradius-devel/



   README 1.6.4  Miquel van Smoorenburg <miquels@cistron.nl>  05-Jul-2000