Installing and Starting RADIUS
This chapter describes how to install and start the RADIUS daemon. This chapter contains:
What is RADIUS?
Remote Authentication Dial-In User Service (RADIUS) is a protocol originally developed by Livingston Enterprises, and extended by Ascend Communications, Inc. Using the Ascend RADIUS daemon, you can perform these tasks:
What you need before you start
To use RADIUS with the MAX, you need the following items:
- A UNIX workstation or PC to run the RADIUS daemon.
- A TCP/IP connection between the RADIUS server and the MAX.
Installing the RADIUS daemon
To install the RADIUS daemon, follow these steps:
- Use anonymous FTP to download the most recent RADIUS files from ftp.ascend.com.
- Decompress (unzip) and separate (tar) the files.
- Read the README file, installation instructions, and makefiles.
The installation instructions on the Ascend FTP server always provide the latest information on installing RADIUS.
- Use the appropriate makefile to compile the Ascend RADIUS daemon on your system.
The keywords ACE, SAFEWORD, and UNIX are reserved words built into the Ascend RADIUS daemon for use with external authentication servers. You can replace these reserved words with other strings by editing the daemon's source file before compiling it.
- Move the file called dictionary to /etc/raddb.
This file is the Ascend RADIUS dictionary, and contains a list of all attributes that the RADIUS server supports.
You must install the dictionary on your RADIUS server in the same directory as the Ascend RADIUS daemon, and it must have the same date as the Ascend RADIUS daemon. If you find a discrepancy in the dates between the daemon and the dictionary, download the latest dictionary file from ftp.ascend.com, and copy it into the same directory as the daemon.
Note that the RADIUS daemon reads the dictionary when it starts up. If you update the dictionary file while the daemon is running, you must stop the daemon process and then restart it to make the new attributes available.
For further information about the dictionary file, see Dictionary file.
- Use a text editor to open the /etc/services file and add a line identifying the RADIUS daemon's authentication port.
For example, enter this line:
radius 1645/udp
The port number you specify must match the port number specified by the Auth Port parameter in the Ethernet > Mod Config > Auth menu.
- To enable the RADIUS host and the MAX to communicate on the IP network, make sure that you include the MAX unit's name and IP address in the /etc/hosts file on the RADIUS host or in the Yellow Pages database.
- Create a file called clients in the /etc/raddb directory.
The RADIUS server does not simply authenticate incoming calls. It must also authenticate the Network Access Server (NAS) from which it receives requests. The MAX is an NAS and a client of the RADIUS server.
For the RADIUS daemon to respond to requests from the MAX, you must specify the MAX unit's name and password in the clients file.
- For the name, specify the value of the Name parameter in the System profile.
- For the password, specify the value of the Auth Key parameter in the Ethernet > Mod Config > Auth menu.
For example, add a line to the clients file like this one:
Ascend3 bXSAMpy
The argument Ascend3 is the value specified by the Name parameter. The argument bXSAMpy is the password specified by the Auth Key parameter in the Ethernet > Mod Config > Auth menu. The name you specify must be resolvable on the IP network (through DNS, the Yellow Pages, and so on). Otherwise, you must specify the IP address of the MAX.
If the accounting process of the daemon will be running on the same server as the authentication process (rather than on a separate host), the same password must also serve for the Acct Key parameter in the Ethernet > Mod Config > Accounting menu.
- Create a file called users in the /etc/raddb directory.
A user is a caller that connects to the MAX. The RADIUS users file contains security and configuration information for each user. The full set of information for each user is called a user profile.
The MAX can authenticate an incoming call locally or through RADIUS. Local authentication occurs when the caller's name and password match a Connection profile stored in the MAX unit's memory. RADIUS authentication occurs when the caller's name and password match an entry in the RADIUS users file.
For introductory information on the users file and its format, see Users file. For details on creating user profiles to carry out various tasks, see the remaining chapters in this guide.
- Create the logfile in the /etc/raddb directory.
RADIUS writes error messages to /etc/raddb/logfile. The Syslog daemon does not create the RADIUS log file, so you must create the file yourself.
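The following pre-flight check, added here as an example and not part of Ascend's distribution, reads the files the steps above create and reports what a MAX would trip over: the radius line in /etc/services and its agreement with the Auth Port value, the presence of dictionary, clients, users and logfile in the raddb directory, the rule that dictionary and daemon must carry the same date, and the MAX's entry in the clients file. The default daemon path /usr/local/bin/radiusd is an assumption of this example; the /etc/raddb location and file names are the ones the text gives.

```python
"""Pre-flight check for the RADIUS server files the procedure above creates.

Added example, not Ascend's code.  The default daemon path is an assumption;
/etc/raddb and the file names are those named in the installation steps.
"""
import datetime
import os


def parse_services(text):
    """Map (service, protocol) -> port from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()          # drop comments
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if port.isdigit():
            table[(fields[0], proto)] = int(port)
    return table


def parse_clients(text):
    """Map NAS name or address -> shared secret from a clients file."""
    clients = {}
    for number, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError("clients line %d: expected '<name> <password>'" % number)
        clients[fields[0]] = fields[1]
    return clients


def same_date(path_a, path_b):
    """True when both files carry the same modification date."""
    def day(path):
        return datetime.date.fromtimestamp(os.path.getmtime(path))
    return day(path_a) == day(path_b)


def preflight(services_text, nas_name, auth_port,
              raddb="/etc/raddb", daemon="/usr/local/bin/radiusd"):
    """Return the list of problems found; an empty list means ready to start."""
    problems = []
    port = parse_services(services_text).get(("radius", "udp"))
    if port is None:
        problems.append("no 'radius <port>/udp' line in /etc/services")
    elif port != auth_port:
        problems.append("services port %d does not match MAX Auth Port %d" % (port, auth_port))

    # Syslog does not create logfile, so its absence is a real install error.
    for name in ("dictionary", "clients", "users", "logfile"):
        if not os.path.isfile(os.path.join(raddb, name)):
            problems.append("missing %s" % os.path.join(raddb, name))

    dictionary = os.path.join(raddb, "dictionary")
    if os.path.isfile(dictionary) and os.path.isfile(daemon) and not same_date(dictionary, daemon):
        problems.append("dictionary and daemon dates differ; fetch the matching dictionary")

    clients_path = os.path.join(raddb, "clients")
    if os.path.isfile(clients_path):
        with open(clients_path) as fh:
            try:
                clients = parse_clients(fh.read())
            except ValueError as exc:
                problems.append(str(exc))
            else:
                if nas_name not in clients:
                    problems.append("no entry for NAS %s in clients" % nas_name)
    return problems


if __name__ == "__main__":
    import sys
    # usage: preflight.py <MAX Name parameter> <Auth Port value>
    with open("/etc/services") as fh:
        for problem in preflight(fh.read(), sys.argv[1], int(sys.argv[2])) or ["ok"]:
            print(problem)
```

Run it on the RADIUS host with the MAX unit's Name parameter and Auth Port value as arguments; every line it prints is something the daemon or the MAX will reject at start-up or on the first authentication request.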
Installing radipad for global IP pools
You can use RADIUS to specify pools of IP addresses that a MAX can use to dynamically allocate IP addresses to incoming callers. By default, each MAX handles dynamic IP address allocation individually from a pool of addresses pre-assigned to each MAX. However, you can also set up your system to allocate IP addresses from a global pool of addresses that many units share. To do so, you must install radipad. Follow these steps:
- Install radipad in the same directory in which you installed the RADIUS daemon.
- Add the following lines to /etc/services on the hosts where both radipad and the RADIUS daemon reside:
radipad 9992/tcp #RADIUS IP address allocation from global pools
The port number 9992 is the default. You can change it as required.
- Modify your startup script to start radipad when the system comes up:
#
# Start up radipad for remote users
#
if [ -f /usr/local/bin/radipad ]; then
/usr/local/bin/radipad; echo -n ' radipad'
fi
Multiple hosts can run the RADIUS daemon, but only one host on the network should run radipad. Radipad is the central manager for global IP address pools on a network.
You must start up radipad manually the first time. To do so, you must be the user root.
For information on configuring global IP address pools, follow the instructions in Configuring global IP address pools shared by several MAX units.
Configuring the MAX to use the RADIUS server
This section describes how to configure the MAX to communicate with the RADIUS daemon. For additional information on each parameter you set, see the MAX Reference Guide and the MAX Security Supplement.
Note: This section describes the basic configuration procedure. It does not cover how to configure RADIUS for accounting purposes. For information on setting up accounting, see Setting up RADIUS accounting.
- Open the Ethernet menu.
- Open the Mod Config menu.
- Open the Auth menu.
- Set the Auth parameter to RADIUS or RADIUS/LOGOUT.
If you set Auth=RADIUS/LOGOUT, RADIUS keeps track of session logouts.
- For each Auth Host parameter, specify the IP address of a RADIUS server.
You can have up to three RADIUS servers on your network. One is the primary server. Two additional servers can serve as backups. If the primary RADIUS server fails, the MAX automatically contacts the secondary RADIUS server to authenticate a user.
The MAX first tries to connect to Auth Host #1. If it receives no response within the time specified by the Auth Timeout parameter, it tries to connect to Auth Host #2. If it again receives no response within the time specified by Auth Timeout, it tries to connect to Auth Host #3. If the MAX unit's request again times out, it reinitiates the process with Auth Host #1. The MAX can complete this cycle of requests a maximum of ten times.
When it successfully connects to an authentication server, the MAX uses that machine until it fails to serve requests. By default, the MAX does not use the first host until the second machine fails, even if the first host has come online while the second host is still servicing requests. However, you can use SNMP to specify that the MAX use the first host again. For details, see Using SNMP to specify the primary RADIUS server.
You can also specify the same address for all three Auth Host parameters. If you do so, the MAX keeps trying to create a connection to the same server.
- For the Auth Port parameter, enter the UDP port number you specified for the daemon in the /etc/services file.
The MAX and the daemon must agree about which UDP port to use for communication, so make sure that the number you specify for the Auth Port parameter matches the number specified for the daemon.
- To specify the number of seconds the MAX waits for a response to a RADIUS authentication request, set the Auth Timeout parameter.
If the MAX does not receive a response within the time specified by Auth Timeout, it sends the authentication request to the next authentication server specified by the Auth Host parameter.
By default, if authentication fails on a PPP connection because of a bad password or an authentication server timeout, the Ascend unit gracefully shuts down the PPP connection by sending an LCP-CLOSE request to the dial-up user. When Windows 95 (MSN) receives the LCP-CLOSE during authentication, it assumes a rejected password, and displays a message telling the user that his or her password is invalid. If authentication fails because of a RADIUS timeout, this message gives the user incorrect information.
To specify that the Ascend unit simply hangs up a PPP connection on a RADIUS timeout without closing down cleanly, set Disc on Auth Timeout=Yes in the Answer profile. The resulting message to the user specifies that the network failed.
- For the Auth Key parameter, enter the RADIUS client password exactly as it appears in the RADIUS clients file.
The password is case sensitive.
- Set the Auth Pool parameter to specify whether the MAX sends the IP address from pool #1 to the RADIUS server when it requests authentication.
For information on the Auth Pool parameter, see Configuring accounting with dynamic IP addressing.
- If you want to enforce CLID authentication for connections with Id Auth=Require, set Auth Req=Yes.
This setting specifies that the MAX requires a response from the RADIUS server for CLID authentication. If the MAX makes a request to the RADIUS server for the caller's user profile and the request times out, the MAX rejects the call.
If you set Auth Req=No and the RADIUS query times out, the MAX accepts the connection, even though Id Auth=Require and the MAX has not verified the user's ID. This type of setup assumes that the MAX performs an additional level of authentication.
If Id Auth=Prefer or Id Auth=Ignore, the MAX ignores the Auth Req parameter.
For detailed information on CLID authentication, see Setting up CLID authentication.
- To specify information about the host running the APP Server utility, set the APP Server, APP Host, and APP Port parameters.
For more information, see Configuring the MAX to recognize the APP Server utility.
- To configure the MAX to recognize a security-card authentication server, set the Password Server and Password Port parameters.
For more information, see Configuring the MAX to recognize the authentication server.
- To specify whether the MAX first checks for a local Connection profile when attempting to authenticate a connection, set the Local Profile First parameter.
You can specify either Yes or No.
- Yes indicates that the MAX checks for a local Connection profile, then a Password profile, and then a remote profile when attempting to authenticate a connection.
- Yes is the default.
- No indicates that the MAX checks for a remote profile, then a local Connection profile, and then a Password profile when attempting to authenticate a connection.
- Set the Sess Timer parameter (if Auth=RADIUS/LOGOUT).
The MAX can report the number of sessions by class to a RADIUS authentication server when Auth=RADIUS/LOGOUT. The Sess Timer parameter specifies the interval in seconds in which the MAX sends session reports. You can specify a number between 0 and 65535. The default value is 0 (zero), which indicates that the MAX does not send reports on session events.
- To specify the source port to use for sending a remote authentication request, set the Auth Src Port parameter.
Specify a port number between 0 and 65535. The default value is 0 (zero). If you accept this value, the Ascend unit can use any port number between 1024 and 2000. You can specify the same source port for authentication and accounting requests.
- Set the Auth Send Attr 6, 7 parameter.
This parameter specifies whether the MAX sends values for the User-Service (6) and Framed-Protocol (7) attributes in Access-Request packets to the RADIUS server. While some RADIUS servers require these attributes in authentication requests, other RADIUS servers should not receive them.
Set this value to Yes if you want to generate the appropriate values for attributes 6 and 7 for an incoming call and send them in authentication requests to the RADIUS server. For example, if you set Auth Send Attr 6, 7=Yes, the MAX sets User-Service=Framed-User and Framed-Protocol=PPP for incoming PPP calls. The default value is Yes.
Set this value to No if your RADIUS server does not require attributes 6 and 7 in authentication requests.
- Save your changes.
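To make the Auth Send Attr 6, 7 and Auth Key steps concrete, here is an added example (neither MAX firmware nor the Ascend daemon) that assembles the Access-Request datagram the MAX sends for an incoming PPP call, with and without attributes 6 and 7. The packet layout and the User-Password hiding follow RFC 2865; attribute numbers 6 (User-Service, later renamed Service-Type) and 7 (Framed-Protocol) and their values Framed-User=2 and PPP=1 are the ones the text names. The shared secret is the Auth Key, which must equal the password in the clients file: bXSAMpy is the page's own sample value, and the user name, password, NAS address and port are constructed for the example.

```python
"""RADIUS Access-Request construction showing what Auth Send Attr 6, 7 adds.

Added example, not Ascend code.  Packet format and password hiding follow
RFC 2865; the attribute numbers and values are those the chapter names.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
USER_SERVICE, FRAMED_PROTOCOL = 6, 7     # the attributes Auth Send Attr 6, 7 controls
FRAMED_USER = 2                          # User-Service value for a framed (PPP) login
PPP = 1                                  # Framed-Protocol value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    raw = password.encode()
    padded = raw.ljust(max(1, (len(raw) + 15) // 16) * 16, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret.encode() + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden


def unhide_password(hidden, secret, authenticator):
    """What the server does with its copy of the Auth Key; a wrong key yields garbage."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret.encode() + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00").decode("utf-8", errors="replace")


def attribute(type_, value):
    """Type-Length-Value; enumerated values travel as 4-byte big-endian integers."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", type_, len(value) + 2) + value


def build_access_request(username, password, secret, nas_ip, nas_port,
                         send_attr_6_7=True, identifier=0, authenticator=None):
    """Assemble the datagram the MAX sends to Auth Host for an incoming PPP call."""
    authenticator = authenticator or os.urandom(16)     # fresh Request Authenticator
    attrs = attribute(USER_NAME, username.encode())
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
    attrs += attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += attribute(NAS_PORT, nas_port)
    if send_attr_6_7:          # Auth Send Attr 6, 7=Yes: announce a framed PPP login
        attrs += attribute(USER_SERVICE, FRAMED_USER)
        attrs += attribute(FRAMED_PROTOCOL, PPP)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Return [(type, value)], refusing packets whose length field disagrees."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("length field %d does not match packet of %d bytes" % (length, len(packet)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        type_, size = packet[pos], packet[pos + 1]
        if size < 2 or pos + size > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((type_, packet[pos + 2:pos + size]))
        pos += size
    return attrs
```

The round trip through unhide_password is the reason the Auth Key is case sensitive and must match the clients file byte for byte: the server derives the same MD5 key stream only from the identical secret, and with any other value the User-Password decodes to noise and the request is rejected.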
Using SNMP to specify the primary RADIUS server
By default, if the MAX uses a secondary RADIUS authentication server because the primary one goes out of service, the MAX does not use the first host until the second machine fails. This situation occurs even if the first host has come online while the second host is still servicing requests. However, you can use an SNMP set command to specify that the MAX use the first host again. Such a need might arise if you shut down the primary server for service and then make it available again.
Every time you reset the server using the set command, the MAX generates an SNMP trap. The MAX also generates a trap if it changes to the next server because the current server fails to respond. The trap is an Enterprise Specific Trap (18) and is accompanied by the Object ID and IP address for the new server. The Object ID for Authentication Server is 1.3.6.1.4.1.529.13.3.1.11.x, where x is the index of the current server (1-3).
For details, see the Ascend Enterprise MIB. You can download the most up-to-date version of the Ascend Enterprise MIB by logging in as anonymous to ftp.ascend.com. (No password is required.)
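The server-selection rules in the Auth Host step above (try #1, #2, #3 in turn on Auth Timeout, at most ten cycles, then stay on whichever server answered) and the SNMP reset and trap behaviour of this section are small enough to model. The following is an added example, not MAX firmware: the `send` callable stands in for the UDP exchange and returns the reply or None when the Auth Timeout expires; the class and record names are assumptions of the example, while the OID prefix and trap number are the ones given in the text.

```python
"""Model of the MAX's choice among Auth Host #1..#3, the SNMP reset to the
primary server, and the trap generated on each server change.

Added example, not MAX firmware.  `send(host)` returns the reply, or None
when Auth Timeout expires.
"""

AUTH_SERVER_OID_PREFIX = "1.3.6.1.4.1.529.13.3.1.11."   # + index of server in use (1-3)
ENTERPRISE_SPECIFIC_TRAP = 18


class AuthHostSelector:
    def __init__(self, auth_hosts, max_cycles=10):
        # Auth Host #1..#3 in order; an unset entry is assumed to be skipped.
        self.hosts = [h for h in auth_hosts if h]
        if not self.hosts:
            raise ValueError("at least one Auth Host must be set")
        self.max_cycles = max_cycles
        self.current = 0        # index of the server the MAX is using now
        self.traps = []         # (trap number, OID, server) records, oldest first

    def _switch_to(self, idx, force=False):
        """Change the server in use and record the trap the MAX would send."""
        if idx == self.current and not force:
            return
        self.current = idx
        self.traps.append((ENTERPRISE_SPECIFIC_TRAP,
                           AUTH_SERVER_OID_PREFIX + str(idx + 1),
                           self.hosts[idx]))

    def reset_to_primary(self):
        """The SNMP set: go back to Auth Host #1 even while the current server is fine."""
        self._switch_to(0, force=True)

    def authenticate(self, send):
        """Return (server, reply); (None, None) after max_cycles rounds of timeouts."""
        attempts = 0
        limit = self.max_cycles * len(self.hosts)
        while attempts < limit:
            reply = send(self.hosts[self.current])
            if reply is not None:
                return self.hosts[self.current], reply     # stay on this server
            attempts += 1
            # Auth Timeout: move to the next Auth Host (wrapping back to #1)
            self._switch_to((self.current + 1) % len(self.hosts))
        return None, None
```

Note what the model makes visible: once a request has failed over to Auth Host #2, later requests start at #2 even after #1 is back, and only `reset_to_primary` (the SNMP set) moves the MAX back; every move, including the reset, produces a trap carrying the index of the new server.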
Starting the RADIUS daemon
You can use two different RADIUS daemons:
Because RADIUS must search the flat ASCII file sequentially, you might find that using this type of file slows down access time, especially if you have many users and many authentication requests. If you use the DBM database, RADIUS can locate a record by index with only a few database accesses.
The DBM database is no more difficult to use than the flat ASCII file, and is much faster. However, if you reset passwords, these passwords take effect only after you rebuild the database. If resetting expired passwords is an important component of your system, you may not wish to use the DBM database.
Running the daemon with a flat ASCII users file
To start the RADIUS daemon with a flat ASCII users file, enter this command:
radiusd [-A acct] [-a acctdir] [-c] [-d dbdir] [-p] [-s] [-u usrfile] [-v] [-w] [-x]
To enable call logging using RADIUS, start the RADIUS daemon with the -A option by entering this command line:
radiusd -A services | incr
If you specify the services argument, the daemon creates the call-logging process, but only if a line defining the UDP port to use for call logging appears in the /etc/services file. Otherwise, the daemon does not start.
If you specify the incr argument, the daemon creates the call-logging process with the UDP port specified as the call-logging port in the /etc/services file. If you have not defined the port, the daemon increments the UDP port specified for radiusd and uses that port number. This action is the default if you do not specify the -A argument.
Table 2-1 lists each argument.
Table 2-1. List of radiusd arguments

-A acct
    Controls the creation of the RADIUS accounting process. You can specify one of these values for acct:
    - none: The daemon does not create the accounting process.
    - services: The daemon creates the accounting process only if a line defining the UDP port to use for accounting appears in the /etc/services file. Otherwise, the daemon does not start.
    - incr: The daemon creates the accounting process with the UDP port specified as the accounting port in the /etc/services file. If you have not defined the port, the daemon increments the UDP port you specify for radiusd and uses that port number. This action is the default if you do not specify the -A argument.

-a acctdir
    By default, RADIUS stores accounting records in a file named detail that resides in the /usr/adm/radacct directory. You can use the -a argument to specify a different directory for the file. acctdir must already exist.
    For example, you might enter this command line:
    radiusd -a /home/radacct
    The accounting process in the daemon then creates a file named detail containing the accounting records in the /home/radacct directory.

-c
    Enables cache-token authentication in the daemon.

-d dbdir
    The default directory for the RADIUS clients, users, dictionary, and log files is /etc/raddb. You can use the -d argument to specify a different directory for the files. dbdir must already exist. For example, you might enter this command line:
    radiusd -d /radius/raddb

-p
    Enables each user to change his or her own expired password through a dial-in modem connection.

-s
    Specifies that the daemon runs in single-process mode. In this mode, the daemon receives, processes, and returns one request before going to the next one. This mode is much slower than the default multiprocess mode, in which the daemon receives, processes, and returns several requests concurrently.

-u usrfile
    Assigns the file name specified by usrfile to the RADIUS users file. The default name is users.

-v
    Prints the daemon's version number, extension, date, and the arguments selected in the makefile compilation.

-w
    Makes the RADIUS daemon generate warnings about syntax errors it finds in the users file while the daemon is running. RADIUS generates a warning only when the daemon examines the users file profiles during the authentication process. For a more complete scan of the file for syntax errors, use the builddbm command with the -e argument.

-x
    Produces debug output.
Running the daemon with a UNIX DBM database
To run the daemon with a UNIX DBM database, you must carry out three tasks:
- Create two executable files: builddbm and radiusd.dbm.
  - The builddbm file enables you to create the DBM database.
  - The radiusd.dbm file is the version of the RADIUS daemon that you run when using the DBM database.
- Create the database.
- Start the RADIUS daemon.
Creating the executable files
To create the builddbm and radiusd.dbm executable files, enter this command:
make dbm
Creating the DBM database
Before running radiusd.dbm, you must create the DBM database. To do so, enter this command line:
builddbm [-d dbdir] [-e] [-h] [-u usrfile] [-v]
Note: You must run builddbm each time you modify the users file. If remote users are able to change their own expired passwords, you must run builddbm after each password change.
Table 2-2 lists each argument for the builddbm command.
Starting the RADIUS daemon for a DBM database
To start the RADIUS daemon in DBM mode, enter this command:
radiusd.dbm
The radiusd.dbm command supports the same set of arguments described for the radiusd command in Running the daemon with a flat ASCII users file, with one exception: the -p argument is restricted when the daemon is running in DBM mode. The users file database will not contain the user's new password until you run builddbm again.
If you have enabled call logging, start the RADIUS daemon by entering this command line:
radiusd.dbm -A services
You must specify the services argument when you start the daemon in DBM mode.
techpubs@eng.ascend.com
Copyright © 1998, Ascend Communications, Inc. All rights reserved.