Last modified: 14-11-2012
Quick Guide to XTRadius
To begin playing with XTRadius, default options in /etc/raddb/users are fine. This file lists locally-defined user accounts along with a default profile.
Radtest should return "Sending request to server radius, port 1812. radrecv: Reply from host 127.0.0.1 code=2, id=77, length=20", and /var/log/radius.log should contain "Auth: Login OK: [myuser] (from nas local/S0)".
#--------conf.h
#define DBHOST "localhost"
#define DBUSER "root"
#define DBPASS "test"
#define DBBASE "accounting"
The DBUSER/DBPASS account must be allowed to create the Accounting database and the Login, Logout, and Users tables within that database. Obviously, this account must also be allowed to query for users' passwords and to create entries in the Login/Logout tables.
# mysql -u root -ptest accounting
mysql> insert into users values("mysqluser",encrypt("mysqlpassword","AB"),"Just a test account","Active");
As explained on page 546, remember to pass a salt to encrypt() if you don't want the generated password to be different every time, and note that starting with MySQL 3.22.16, the salt can be longer than 2 characters. FYI, Ian's radauth.c reads the first two bytes of the hashed password that it reads from MySQL to extract the salt, generates its own hashed password through the crypt() function, and compares the two strings.
#/etc/raddb/users
DEFAULT Acct-Status-Type = "Start"
        Exec-Program-Account = "/usr/local/bin/radacct %u"

DEFAULT Acct-Status-Type = "Stop"
        Exec-Program-Account = "/usr/local/bin/radacct %u %t %f %i %o"

DEFAULT Auth-Type = External
        Exec-Program-Wait = "/usr/local/bin/radauth %u",
        Fall-Through = Yes
Note that the users sample that came with the tarball that Ian sent me still contained Ahmad's original entries, namely accounting and authmysql, respectively.
Also pay attention to the trailing comma before the Fall-Through line: you must not use a comma on the first line, but you must use one if another statement follows. Here, "Exec-Program-Wait" is followed by another line in this section, namely "Fall-Through". Therefore, you must add a comma to show Radius that this section is not over yet. I like Windows' and Samba's INI configuration files better...
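The comma rule above can be checked mechanically before the server rereads its configuration. This linter is an added example, not part of the original page or of XTRadius; it only looks at line-ending commas, assumes that reply lines are indented and that blank lines and # comments are skipped, and its sample entries are constructed.

```python
def lint_users(text):
    """Return (line_no, message) findings for the users-file comma rule."""
    findings, entry = [], []   # entry holds (line_no, text) of the current block

    def check_entry():
        last = len(entry) - 1
        for pos, (line_no, body) in enumerate(entry):
            comma = body.endswith(",")
            if pos == 0 and comma:
                findings.append((line_no, "first line must not end with a comma"))
            elif 0 < pos < last and not comma:
                findings.append((line_no, "missing comma: another reply line follows"))
            elif 0 < pos == last and comma:
                findings.append((line_no, "last reply line must not end with a comma"))
        entry.clear()

    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.strip()
        if not body or body.startswith("#"):
            continue                  # assumption: blank lines and comments are skipped
        if not raw[0].isspace():      # assumption: an unindented line starts a new entry
            check_entry()
        entry.append((line_no, body))
    check_entry()
    return findings


# Constructed sample: the page's External entry, then two hypothetical broken entries.
SAMPLE = '''\
DEFAULT Auth-Type = External
        Exec-Program-Wait = "/usr/local/bin/radauth %u",
        Fall-Through = Yes

DEFAULT Acct-Status-Type = "Stop",
        Exec-Program-Account = "/usr/local/bin/radacct %u %t %f %i %o"

DEFAULT Auth-Type = External
        Exec-Program-Wait = "/usr/local/bin/radauth %u"
        Fall-Through = Yes,
'''

if __name__ == "__main__":
    for line_no, message in lint_users(SAMPLE):
        print(f"line {line_no}: {message}")
```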
Radiator is a Perl-based commercial product about which we have heard nice things. Other commercial products are often bundled with a NAS, e.g. Lucent NavisRadius 3.0, Funk, JamRadius, Simple SQL Radius, DTC Radius, IEA Software, Vircom Online Platform (VOP) Radius, Nortel Networks BaySecure Access Control and Preside Radius, Shiva Access Manager.
As a summary of the man page for radiusd, a Radius client can be either a Network Access Server at an ISP (more likely) or an actual PC (less likely). The Radius server returns "access denied", or "access OK" along with an IP address if need be. The source for users' passwords that is fed to the Radius server ranges from a basic /etc/passwd file all the way to SQL servers like MySQL. Since Radius is known as an Authentication, Authorization, and Accounting (AAA) server, all accesses are logged (into /var/log/radwtmp) for accounting purposes. Radius uses two processes and two ports, one for authentication, and the other for accounting.
As of August 16th 2K, XTRadius is the only Radius server that I successfully installed and used to authenticate users through MySQL. Other software, either open- or closed-source, would either not install due to missing files or information, or would not work with MySQL right out of the box.
# radtest toto test radius.acme.com localhost testing123
Sending request to server radius.acme.com, port 1812.
(just sitting there...)
[root@linux raddb]# tail /var/log/radius.log
Mon Aug 14 17:21:24 2000: Info: Starting - reading configuration files ...
Mon Aug 14 17:21:24 2000: Info: Ready to process requests.
Mon Aug 14 17:21:44 2000: Error: request from unknown client: linux.acme.com
Mon Aug 14 17:21:44 2000: Error: Authenticate: from client linux.acme.com - Security Breach: toto
Make sure that entries in /etc/hosts match what it says in /etc/raddb/clients, e.g. if localhost.localdomain is the first entry in hosts, that's what it should say in clients.