RADIUS Server Configuration

Introduction

RADIUS server files are stored in the raddb (RADIUS database) directory, typically /etc/raddb. This directory contains files and subdirectories as shown:

/etc/raddb/clients
          /dictionary
          /menus/menu1
                /menu2
                /...
          /users

The RADIUS server uses the UDP protocol, and listens for UDP packets on port 1645. When the radiusd daemon is executed to start the RADIUS server, the RADIUS accounting server is spawned as a child process; it listens for UDP packets on port 1646.

To configure RADIUS user information, see "Configuring User Information." To configure RADIUS accounting, see "RADIUS Accounting."

RADIUS Installation

RADIUS may be installed with or without the pminstall utility. pminstall is shipped on the PortMaster Software CD; it is designed to automate the installation of PortMaster software.

Installation with pminstall

To install RADIUS using pminstall, complete the following steps.

  1. Log into the selected RADIUS server as root.
  2. Mount the CD using the instructions inside the CD cover.
  3. Install the PortMaster software by running /cdrom/lei/unix/setup (or by following the instructions inside the CD cover).
  4. Enter the pminstall command at the UNIX prompt.
    % /usr/portmaster/pminstall
    
    1. PortMaster Internet Address Setup
    2. Host Installation
    3. PortMaster Upgrade
    4. Host Upgrade
    5. Install RADIUS
    6. Exit
    
    Please select an option from above: 5
    
  5. Choose the Install RADIUS option to install all RADIUS files.
  6. When prompted, enter the appropriate directories for each of the files. To place the files in the default directories, press the Return key as each option appears.
    Database installation directory (/etc/raddb):
    RADIUS accounting log directory (/usr/adm/radacct):
    Directory to install radiusd in (/etc):
    
  7. When RADIUS installation is complete, select the Exit option to quit pminstall.
  8. Edit the clients and users files in /etc/raddb.
  9. Enter the following command to start the RADIUS server:
    /etc/radiusd
    

    For a list of optional flags for the radiusd command, see Table 2-1.

  10. Continue to "Configuring Client Information".

Note - radiusd is a stand-alone process; it cannot be run from /etc/inetd.conf.

Installation without pminstall

To install RADIUS without pminstall, complete the following steps.

  1. If you are running NIS or NIS+, add the lines in Step 4 to the services NIS map on your NIS master and push the maps.

    Note - Pushing the maps updates the database to include recently entered information. Use the make mapname command on the NIS master. For more details, consult your UNIX system documentation.

  2. Log into the selected RADIUS server as root.
  3. Mount the CD on /cdrom using the instructions inside the CD cover.
  4. If you are not running NIS or NIS+, add the following lines to the /etc/services file:
    radius	 1645/udp	 	radiusd
    radacct	 1646/udp
    
  5. As root, enter the following commands on the RADIUS server:
    umask 022
    mkdir /etc/raddb /usr/adm/radacct
    chmod 700 /etc/raddb /usr/adm/radacct
    

    The above commands create two directories, raddb and radacct. All RADIUS files (except the radiusd executable) are stored in the /etc/raddb directory. The radacct directory is used to store RADIUS accounting logs.

    The umask and chmod commands set the permissions of the raddb and radacct directories to mode 700, so only root can read, write, or search them.

    Caution - If you are upgrading from an existing installation of RADIUS 2.0, save the files in /etc/raddb before performing Step 6.

  6. In RADIUS version 1.16, the raddb directory contains three files: users, clients, and dictionary. In RADIUS version 2.0, the raddb directory contains an additional directory named menus. Copy all files in /cdrom/lei/unix/radius/raddb to the /etc/raddb directory.
    cp -r /cdrom/lei/unix/radius/raddb/* /etc/raddb
    
  7. Copy the radiusd file to the /etc directory (or if you prefer, to another directory such as /usr/sbin). Copy the builddbm utility to /etc/raddb/builddbm. Replace platform with the name of your operating system, for example, sun4_4.1.
    cp /cdrom/lei/unix/platform/radiusd /etc/radiusd
    cp /cdrom/lei/unix/platform/builddbm /etc/raddb/builddbm
    
  8. Use the radiusd command to start RADIUS. radiusd spawns the RADIUS accounting server as a child process. For more information about RADIUS accounting, see "RADIUS Accounting."
    /etc/radiusd
    

    Note - radiusd is a stand-alone process; it cannot be run from /etc/inetd.conf.

  9. Continue to "Configuring Client Information".

    radiusd may be used with any of the following flags:

    -a    Specifies an alternate directory for RADIUS accounting. The default directory is /usr/adm/radacct.
    -b    Uses the DBM version of the users file. See "RADIUS DBM Database" for more information.
    -d    Specifies an alternate directory for RADIUS configuration files. The default directory is /etc/raddb.
    -l    Specifies a RADIUS logfile to use instead of syslog.
    -s    Runs RADIUS in single-threaded mode without spawning a child process to handle each authentication request.
    -v    Displays the version of RADIUS without starting the radiusd daemon.
    -x    Debug mode. To send debug output to syslog, use -x -l syslog.

  10. To start the radiusd daemon each time the RADIUS server is booted, place radiusd in the /etc/rc.local file as shown in the example below. On some systems this may be /etc/rc2.d/S99radiusd or another file; consult your UNIX system documentation for more information.
    #
    # Start RADIUS
    #
    if [ -f /etc/radiusd ]; then
    	echo "RADIUS"
    	/etc/radiusd
    fi
    

    Note - radiusd does not need to be restarted each time the clients or users files are modified. The daemon only needs to be restarted when the dictionary file is modified.

  11. Continue to "Configuring Client Information".
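The manual installation steps 4 through 8 above, collected into one Bourne shell script as an added example; this is not pminstall or any script shipped on the PortMaster CD. It takes three arguments: an install root (empty for the real filesystem, or a scratch directory for a rehearsal), the CD mount point, and the platform directory name from step 7. The CD layout and target paths are the ones the steps name; everything else (function names, the rehearsal root) is this example's own assumption. Running it against the real root requires root privileges.

```shell
#!/bin/sh
# Added example, not Livingston's installer. All paths hang off $root so the
# procedure can be rehearsed in a scratch directory before it touches /.

# Step 4: add a services entry unless that port/protocol pair is already
# present (comment lines are ignored), so rerunning the script is harmless.
add_service() {
    services="$1"; name="$2"; portproto="$3"; alias="$4"
    if awk -v p="$portproto" '$1 !~ /^#/ && $2 == p { found = 1 } END { exit !found }' "$services"; then
        return 0
    fi
    if [ -n "$alias" ]; then
        printf '%s\t%s\t%s\n' "$name" "$portproto" "$alias" >> "$services"
    else
        printf '%s\t%s\n' "$name" "$portproto" >> "$services"
    fi
}

# Step 5: create raddb and radacct with mode 700 so only root can enter them.
# umask runs in a subshell so it does not leak into the caller.
make_radius_dirs() {
    root="$1"
    ( umask 022
      mkdir -p "$root/etc/raddb" "$root/usr/adm/radacct"
      chmod 700 "$root/etc/raddb" "$root/usr/adm/radacct" )
}

# Steps 6 and 7: copy the raddb tree, radiusd and builddbm from the CD image.
install_radius_files() {
    root="$1"; cdrom="$2"; platform="$3"
    cp -r "$cdrom/lei/unix/radius/raddb/." "$root/etc/raddb"
    cp "$cdrom/lei/unix/$platform/radiusd" "$root/etc/radiusd"
    cp "$cdrom/lei/unix/$platform/builddbm" "$root/etc/raddb/builddbm"
}

# True when the directory exists with exactly drwx------; ls -ld is used
# instead of stat because stat's flags differ between BSD and System V.
is_mode_700() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# Whole procedure; returns 0 only if both directories end up root-only.
install_radius() {
    root="$1"; cdrom="$2"; platform="$3"
    add_service "$root/etc/services" radius 1645/udp radiusd
    add_service "$root/etc/services" radacct 1646/udp
    make_radius_dirs "$root"
    install_radius_files "$root" "$cdrom" "$platform"
    is_mode_700 "$root/etc/raddb" && is_mode_700 "$root/usr/adm/radacct"
}

# Usage: sh install_radius.sh "" /cdrom sun4_4.1      (real install, as root)
#        sh install_radius.sh /tmp/rehearse /cdrom sun4_4.1
if [ "$#" -eq 3 ]; then
    install_radius "$@"
fi
```

After a real run, step 8 still applies: start /etc/radiusd by hand and add the rc.local stanza from step 10.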

Configuring Client Information

The /etc/raddb/clients file stores information about RADIUS clients, including each client's name or IP address and its shared secret.

clients is a flat text file; to add a client, enter the client's name or IP address and the shared secret. To add a comment, preface the desired line with the # sign.

Shared secrets must consist of 15 or fewer alphanumeric characters. There is no limit to the number of clients that may be added to this file.

Examples of client names and shared secrets are displayed below.

#Client Name		Key
#--------------------------------------
portmaster1		wP40cQ0
portmaster2		A3X445A
192.168.1.2		wer369st

As the clients file contains the shared secrets for the RADIUS clients, only root should have read and write access to the file.

-rw-------  1 root daemon 802 Jul 15 00:21 /etc/raddb/clients
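A check for the clients file, added here as an example and not part of the RADIUS distribution, that enforces the two rules stated above: each entry is a client name or address followed by a secret of 1 to 15 alphanumeric characters, and the file is mode 600 and owned by root. The default path /etc/raddb/clients comes from the text; the expected owner is a parameter (default root) so the check can also be run on a copy owned by an ordinary account.

```shell
#!/bin/sh
# Added example (not shipped with RADIUS): validates a clients file against
# the rules given above. Secrets must be 1 to 15 alphanumeric characters and
# the file must be readable only by its owner, normally root.

# Print one diagnostic per offending entry; exit 1 if any were found.
validate_clients_entries() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }        # comment and blank lines are skipped
        NF != 2 {
            printf "line %d: expected <client> <secret>, found %d field(s)\n", NR, NF
            bad++; next
        }
        $2 !~ /^[A-Za-z0-9]+$/ {
            printf "line %d: secret for %s is not alphanumeric\n", NR, $1
            bad++; next
        }
        length($2) > 15 {
            printf "line %d: secret for %s is longer than 15 characters\n", NR, $1
            bad++
        }
        END { exit (bad > 0) }
    ' "$1"
}

# True when the mode is exactly -rw------- (600), as in the listing above.
clients_mode_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# True when the file is owned by the expected account (default root).
clients_owner_ok() {
    [ "$(ls -l "$1" | awk '{ print $3 }')" = "${2:-root}" ]
}

# Runs all three checks; $1 is the clients file, $2 the expected owner.
# Returns 0 only when the file passes every check.
check_clients_file() {
    f="${1:-/etc/raddb/clients}"; owner="${2:-root}"; rc=0
    clients_mode_ok "$f" || { echo "$f: mode must be 600, not $(ls -l "$f" | cut -c1-10)" >&2; rc=1; }
    clients_owner_ok "$f" "$owner" || { echo "$f: owner must be $owner" >&2; rc=1; }
    validate_clients_entries "$f" >&2 || rc=1
    return $rc
}

# Usage: sh check_clients.sh [/etc/raddb/clients [root]]
if [ "$#" -ge 1 ]; then
    check_clients_file "$@"
fi
```

Because radiusd reads clients on each request rather than only at startup, this check is worth running after every edit of the file, before the next PortMaster is pointed at the server.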

Continue to "RADIUS Client Configuration" to configure the PortMaster as a RADIUS client.




© Copyright 1996, Livingston Enterprises, Inc. Revised Friday September 25, 1998 17:29 PDT