2  Configuring a RADIUS Server


  This chapter includes the following topics:

  - Getting Started
  - Installing RADIUS on a UNIX Host
 

       Getting Started

  Before installing and configuring RADIUS software, select a host or hosts to use as a RADIUS server and determine one or more shared secrets for authentication.
 

       Selecting a RADIUS Server Host

  Primary RADIUS Authentication Server.  Select or create a host with the following characteristics to use as a RADIUS authentication server:
  Lucent InterNetworking Systems suggests the following additional characteristics for the host:
  Secondary RADIUS Authentication Server.  Lucent InterNetworking Systems recommends the use of a secondary RADIUS server with the same security and performance characteristics as the primary server. The PortMaster always queries the primary RADIUS server first; if the server does not respond, it is queried a second time. Then both the primary and secondary servers are queried up to eight more times at 3-second intervals until one responds or until 3 seconds after the tenth query without a response. At this point, the login attempt fails.
  RADIUS Accounting Server.  If you implement RADIUS accounting, you must also select one or more RADIUS accounting servers. The RADIUS accounting server can be located on the same host as the RADIUS server used for authentication, or on a separate host. See Chapter 8, "Implementing RADIUS Accounting," for more information.
  Secondary RADIUS Accounting Server.  You can define a secondary accounting server to serve as a backup if the primary server cannot be contacted. The PortMaster always sends accounting packets to the primary RADIUS accounting server first, and retries it once every 45 seconds. If the primary server does not respond within 10 minutes, or if more than 50 accounting packets are waiting to be sent, the PortMaster sends the accounting packets to the secondary RADIUS accounting server. This behavior is subject to change in future releases of ComOS.
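The authentication failover schedule described above, modelled as an added example (this is illustration code, not code from the manual or from ComOS). The 3-second interval, the two primary-only queries and the ten-query limit come from the text; the scenario callables are constructed, and the model ignores network latency:

```python
# Added example (not from the manual or ComOS): a model of the PortMaster's
# RADIUS authentication failover schedule as the chapter describes it.
QUERY_INTERVAL = 3          # seconds between successive queries
MAX_QUERIES = 10            # two to the primary, then eight to both servers
PRIMARY_ONLY_QUERIES = 2


def build_schedule():
    """Return [(send_time, servers_queried), ...] for the ten queries."""
    schedule = []
    for n in range(MAX_QUERIES):
        servers = ("primary",) if n < PRIMARY_ONLY_QUERIES else ("primary", "secondary")
        schedule.append((n * QUERY_INTERVAL, servers))
    return schedule


def worst_case_seconds():
    """Time after which a login attempt fails if no server ever answers:
    3 seconds after the tenth query."""
    return (MAX_QUERIES - 1) * QUERY_INTERVAL + QUERY_INTERVAL


def simulate_login(primary_answers, secondary_answers):
    """Simulate one login attempt against two modelled servers.

    primary_answers / secondary_answers are callables: given the send time
    of a query they return True if that server would answer it. The model
    ignores network latency (a reply counts at the query's send time) and,
    when both servers are queried in the same round and both would answer,
    credits the primary; the chapter does not say which reply wins.

    Returns (winner, seconds_elapsed, query_number), winner being
    "primary", "secondary" or "failed".
    """
    answers = {"primary": primary_answers, "secondary": secondary_answers}
    for number, (t, servers) in enumerate(build_schedule(), start=1):
        for name in servers:
            if answers[name](t):
                return name, t, number
    return "failed", worst_case_seconds(), MAX_QUERIES


if __name__ == "__main__":
    # Constructed scenarios: primary down from the start; both down;
    # primary back after a 15-second outage.
    print(simulate_login(lambda t: False, lambda t: True))     # ('secondary', 6, 3)
    print(simulate_login(lambda t: False, lambda t: False))    # ('failed', 30, 10)
    print(simulate_login(lambda t: t >= 15, lambda t: False))  # ('primary', 15, 6)
```

Two consequences of the schedule fall out of the model: the secondary server is not consulted at all for the first 6 seconds of an attempt, and a user whose PortMaster cannot reach either server waits the full 30 seconds before the login fails, which is worth knowing when sizing servers and when reading helpdesk reports of "slow logins".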
 

       Determining a Shared Secret

  Each PortMaster using RADIUS shares an authentication key, called the shared secret, with its RADIUS server(s). The shared secret consists of up to 15 printable, nonspace, ASCII characters. The RADIUS server can have a different shared secret with each PortMaster client, or the RADIUS server can have the same shared secret for multiple PortMaster clients. Different, nontrivial shared secrets are recommended for each PortMaster.
  You configure the shared secret on each RADIUS server and the PortMaster. It is stored as clear text in the clients file on the RADIUS server and in the nonvolatile memory of the PortMaster. See Chapter 3, "Adding a RADIUS Client", for more information.
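An added example (not code from the manual or from the RADIUS distribution) that audits the secrets in a clients file against the rules just stated: at most 15 printable, nonspace ASCII characters, nontrivial, and different for each PortMaster. The clients-file layout assumed here (one "client-name secret" pair per line, leading "#" for comments), the 8-character minimum and the list of trivial values are assumptions of this example, as is the constructed sample file:

```python
import secrets
import string

# Added example (not from the manual or the RADIUS distribution): audit the
# shared secrets in a clients file against the rules stated in this section.
MAX_SECRET_LEN = 15
# Printable, non-space ASCII, as the chapter requires.
ALLOWED = frozenset(string.printable) - frozenset(string.whitespace)
# Constructed list of values that make a secret trivial to guess.
TRIVIAL = {"secret", "radius", "password", "portmaster", "livingston", "lucent"}
MIN_SECRET_LEN = 8          # assumed local policy; the chapter gives only a maximum


def parse_clients(text):
    """Return [(client, secret_or_None), ...].

    Assumed layout (the format itself is not described on this page): one
    client per line, name and secret separated by whitespace, lines starting
    with '#' are comments. Only a leading '#' is treated as a comment because
    '#' is a legal character inside a secret.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) == 2 else None))
    return entries


def secret_problems(client, secret):
    """List the rule violations for one client's secret."""
    if secret is None:
        return ["missing or malformed secret"]
    problems = []
    if len(secret) > MAX_SECRET_LEN:
        problems.append("longer than %d characters" % MAX_SECRET_LEN)
    if any(ch not in ALLOWED for ch in secret):
        problems.append("contains space, control or non-ASCII characters")
    if secret.lower() in TRIVIAL or secret.lower() == client.lower():
        problems.append("trivial secret")
    if len(secret) < MIN_SECRET_LEN:
        problems.append("shorter than %d characters" % MIN_SECRET_LEN)
    return problems


def audit_clients(text):
    """Return {client: [problem, ...]} for every client with a problem,
    including reuse of one secret by several PortMasters."""
    entries = parse_clients(text)
    users_of = {}
    for client, secret in entries:
        users_of.setdefault(secret, []).append(client)
    report = {}
    for client, secret in entries:
        problems = secret_problems(client, secret)
        if secret is not None and len(users_of[secret]) > 1:
            others = [c for c in users_of[secret] if c != client]
            problems.append("reused by " + ", ".join(others))
        if problems:
            report[client] = problems
    return report


def generate_secret(length=MAX_SECRET_LEN):
    """A random secret from the allowed alphabet, at the maximum length by
    default, drawn from the OS CSPRNG."""
    alphabet = "".join(sorted(ALLOWED))
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample: two PortMasters sharing a secret, a trivial one,
# one over the length limit and one with no secret at all.
SAMPLE_CLIENTS = """\
# client-name        shared-secret
pm1.example.net      Xk9#vQ2p!Lm7wZ4
pm2.example.net      Xk9#vQ2p!Lm7wZ4
pm3.example.net      radius
pm4.example.net      thisSecretIsWayTooLong
pm5.example.net
"""

if __name__ == "__main__":
    for client, problems in audit_clients(SAMPLE_CLIENTS).items():
        print(client, "->", "; ".join(problems))
    print("suggested replacement:", generate_secret())
```

Because the clients file holds these secrets in clear text, the audit is only useful alongside tight permissions on /etc/raddb (the chmod 700 in the installation steps); reuse of one secret across PortMasters is the finding that matters most, since a compromise of any one device then exposes all of them.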
 

       Installing RADIUS on a UNIX Host

  Use one of the following installation methods: installation with pminstall, or installation without pminstall. Both are described below.
 

       Installation with pminstall

  To install RADIUS using pminstall, complete the following steps:

  1. Log in to the selected RADIUS server as root.

  2. Mount the CD using the instructions in the CD booklet.

  For the instructions here, an example mount point of /cdrom is used. Change this as needed for your operating system and mount point.

  3. Enter the following command to install the PortMaster software:

  /cdrom/lei/unix/setup

  4. Enter the /usr/portmaster/pminstall command at the UNIX prompt.

  The following list of choices appears:

  % /usr/portmaster/pminstall

  1. PortMaster Internet Address Setup
  2. Host Installation
  3. PortMaster Upgrade
  4. Host Upgrade
  5. Install RADIUS
  6. Install ChoiceNet
  7. Exit

  Please select an option from above:

  5. Choose the Install RADIUS option to install all RADIUS files.

  The server prompts you for directory names:

  Database installation directory (/etc/raddb):
  RADIUS accounting log directory (/usr/adm/radacct):
  Directory to install radiusd in (/etc):

  6. Provide directory information for RADIUS files by one of the following methods:

  - Select the default directory (shown in parentheses) by pressing the Return or Enter key.

  - Enter the appropriate directory.

  7. When RADIUS installation is complete, select the Exit option to quit pminstall.

  8. Enter the following command to start the RADIUS server:

  /etc/radiusd

  The radiusd process spawns RADIUS accounting as a child process.

  Note - radiusd is a standalone process; it cannot be run from /etc/inetd.conf.

  For usage of options with the radiusd command, see Appendix C, "RADIUS Options." Running radiusd -b enables you to use cached user profiles. Lucent InterNetworking Systems recommends caching user profiles when the users file contains more than 500 users. See "Configuring Database Caching of User Profiles" on page 4-40 for more information.

  9. Go to Chapter 3, "Adding a RADIUS Client."

 

       Installation without pminstall

  To install RADIUS without pminstall, complete the following steps:

  1. If you are running the Network Information Service (NIS) or NIS+, add the following lines to the services NIS map on your NIS master and push the maps:

  radius 1645/udp radiusd
  radacct 1646/udp

  Note - Pushing the maps updates the database to include recently entered information. Use the make mapname command on the NIS master. For more details, consult your UNIX system documentation.

  2. Log in to the selected RADIUS server as root.

  3. Mount the CD using the instructions in the CD booklet.

  For the instructions here, an example mount point of /cdrom is used. Change this as needed for your operating system and mount point.

  Note - RADIUS server version 1.16 required you to specify the RADIUS ports by adding the lines shown in Step 1 to the /etc/services file. RADIUS server versions 2.0 and higher use ports 1645 and 1646 by default and do not require modification of /etc/services. However, if nondefault ports are specified in the /etc/services file, the values assigned there override the default values. You can use radiusd with the -p option to override both the default RADIUS values and any values specified in the /etc/services file.

  4. As root, enter the following commands on the RADIUS server:

  umask 022
  mkdir -p /etc/raddb /usr/adm/radacct
  chmod 700 /etc/raddb /usr/adm/radacct

  The commands in this example create two directories, raddb and radacct. All RADIUS files (except the radiusd executable) are stored in the /etc/raddb directory. The radacct directory is used to store RADIUS accounting logs.

  The umask and chmod commands set the raddb and radacct directory permissions so that only root has read, write, and execute access.

  Caution - If you are upgrading from an existing installation of RADIUS, save the files in /etc/raddb before performing Step 5.

  5. Copy all files in /cdrom/lei/unix/radius/raddb to the /etc/raddb directory:

  cp -r /cdrom/lei/unix/radius/raddb/* /etc/raddb

  In RADIUS for UNIX version 2.0 or later, the raddb directory contains three files (users, clients, and dictionary) and the menus directory.

  6. Copy the radiusd file to the /etc directory (or, if you prefer, to another directory such as /usr/sbin). Replace platform with the name of the CD-ROM directory for your operating system, for example sun4_4.1:

  cp /cdrom/lei/unix/platform/radiusd /etc/radiusd

  7. Copy the builddbm utility to /etc/raddb/builddbm. Replace platform with the name of the CD-ROM directory for your operating system, for example sun4_4.1:

  cp /cdrom/lei/unix/platform/builddbm /etc/raddb/builddbm

  8. If you are using proxy service, create the /etc/raddb/proxy file.

  See Chapter 9, "Configuring RADIUS Proxy Service," for information on configuring proxy service.

  9. Use the radiusd command to start RADIUS:

  /etc/radiusd

  The radiusd daemon spawns the RADIUS accounting server as a child process. For more information about RADIUS accounting, see Chapter 8.

  If you are using iPass, run iradiusd instead of radiusd. If you are using ActivCard authentication, run sradiusd instead of radiusd.

  Note - radiusd is a standalone process; it cannot be run from /etc/inetd.conf.

  For usage of options with the radiusd command, see Appendix C, "RADIUS Options." Running radiusd -b enables you to use cached user profiles. Lucent InterNetworking Systems recommends caching user profiles when the users file contains more than 500 users. See "Configuring Database Caching of User Profiles" on page 4-40 for more information.

  10. To start the radiusd daemon each time the operating system is booted, place the following script in your system start-up scripts:

  # Start RADIUS
  #
  if [ -x /etc/radiusd ]; then
      echo "RADIUS"
      /etc/radiusd    # add flags here
  fi

  Consult your UNIX system documentation for more information. Example start-up scripts are /etc/rc.local  for SunOS 4.1.4, /etc/rc2.d/S99radiusd  for Solaris 2.5.1, or /etc/rc.d/rc.local  for Linux.

  Note - radiusd does not need to be restarted each time the clients or users files are modified. This daemon needs to be restarted only when the dictionary file is modified.

  11. Go to Chapter 3, "Adding a RADIUS Client."
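A post-installation check, added here as an example (not code from the manual or from the RADIUS distribution), covering the layout that Steps 4 through 7 above leave behind (the same /etc/raddb and /usr/adm/radacct defaults that pminstall offers) and the port precedence described in the Note under Step 3: built-in defaults, overridden by /etc/services entries, overridden in turn by radiusd -p. The assumption that -p names the authentication port and that accounting uses the next port up is this example's, not the manual's; the /etc/services excerpt and the temporary-directory layout are constructed for the demonstration:

```python
import os
import stat

# Added example (not from the manual or the RADIUS distribution): check the
# layout left by steps 4-7 and apply the port precedence from the step 3 Note.
RADDB_DIR = "/etc/raddb"
RADACCT_DIR = "/usr/adm/radacct"
REQUIRED_RADDB_FILES = ("users", "clients", "dictionary")
DEFAULT_PORTS = {"radius": 1645, "radacct": 1646}


def check_directory(path, expect_root_owner=True):
    """Problems with one RADIUS directory: it must exist, be a directory,
    have mode 700 (the chmod in step 4) and, on a real server, belong to root."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s: missing" % path]
    if not stat.S_ISDIR(st.st_mode):
        return ["%s: not a directory" % path]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o700:
        problems.append("%s: mode is %o, expected 700" % (path, mode))
    if expect_root_owner and st.st_uid != 0:
        problems.append("%s: owner uid %d, expected root" % (path, st.st_uid))
    return problems


def check_raddb_files(raddb):
    """The three files step 5 copies must exist; clients holds clear-text
    shared secrets, so it must not be readable by group or other."""
    problems = []
    for name in REQUIRED_RADDB_FILES:
        if not os.path.isfile(os.path.join(raddb, name)):
            problems.append("%s: missing" % os.path.join(raddb, name))
    clients = os.path.join(raddb, "clients")
    if os.path.isfile(clients):
        mode = stat.S_IMODE(os.stat(clients).st_mode)
        if mode & 0o077:
            problems.append("%s: mode %o is readable by group/other" % (clients, mode))
    return problems


def parse_services(text):
    """{name: port} for the UDP entries in /etc/services-style text."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if proto == "udp":
            ports[fields[0]] = int(port)
    return ports


def effective_ports(services_text, p_option=None):
    """Precedence from the step 3 Note: defaults < /etc/services < radiusd -p.
    Assumption (not stated on this page): -p gives the authentication port
    and accounting uses the next port up. Returns ({name: port}, {name: source})."""
    ports = dict(DEFAULT_PORTS)
    source = {name: "default" for name in ports}
    for name, port in parse_services(services_text).items():
        if name in ports:
            ports[name], source[name] = port, "services"
    if p_option is not None:
        ports = {"radius": p_option, "radacct": p_option + 1}
        source = {name: "-p" for name in ports}
    return ports, source


def verify_install(raddb=RADDB_DIR, radacct=RADACCT_DIR, services_text="",
                   p_option=None, expect_root_owner=True):
    """Collect every problem found; an empty list means the layout matches."""
    problems = (check_directory(raddb, expect_root_owner)
                + check_directory(radacct, expect_root_owner)
                + check_raddb_files(raddb))
    ports, source = effective_ports(services_text, p_option)
    for name, port in ports.items():
        if source[name] == "services" and port != DEFAULT_PORTS[name]:
            problems.append("%s: /etc/services overrides default %d with %d"
                            % (name, DEFAULT_PORTS[name], port))
    return problems


# Constructed /etc/services excerpt with non-default entries.
SAMPLE_SERVICES = """\
# constructed sample
radius    1812/udp    radiusd
radacct   1813/udp
radius    1812/tcp                # ignored: not UDP
"""


def demo():
    """Run the checks against a constructed layout in a temporary directory:
    a correct layout, the same layout with SAMPLE_SERVICES, then raddb loosened to 755."""
    import tempfile
    with tempfile.TemporaryDirectory() as base:
        raddb, radacct = os.path.join(base, "raddb"), os.path.join(base, "radacct")
        for d in (raddb, radacct):
            os.mkdir(d)
            os.chmod(d, 0o700)          # mkdir alone is subject to umask
        for name in REQUIRED_RADDB_FILES:
            open(os.path.join(raddb, name), "w").close()
        os.chmod(os.path.join(raddb, "clients"), 0o600)
        clean = verify_install(raddb, radacct, expect_root_owner=False)
        ports = verify_install(raddb, radacct, SAMPLE_SERVICES, expect_root_owner=False)
        os.chmod(raddb, 0o755)
        loose = verify_install(raddb, radacct, expect_root_owner=False)
    return clean, ports, loose
```

On a real server call verify_install() with its defaults (and the contents of /etc/services) as root; demo() exercises the same checks against a throwaway layout. The /etc/services finding is deliberately reported even when the override is intentional, because a stale entry left over from a version 1.16 installation silently moves the daemon to ports the PortMasters are not configured to use.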

 

Copyright © 1999, Lucent Technologies. All rights reserved.