Installing and Starting RADIUS
This chapter describes how to install and start the RADIUS daemon. This chapter contains:
What is RADIUS?
Remote Authentication Dial-In User Service (RADIUS) is a protocol originally developed by Livingston Enterprises, and extended by Ascend Communications, Inc. Using the Ascend RADIUS daemon, you can perform these tasks:
What you need before you start
To use RADIUS with the MAX, you need the following items:
Installing the RADIUS daemon
To install the RADIUS daemon, follow these steps:
The installation instructions on the Ascend FTP server always provide the latest information on installing RADIUS.
The keywords ACE, SAFEWORD, and UNIX are reserved words built into the Ascend RADIUS daemon for use with external authentication servers. You can replace these reserved words with other strings by editing the daemon's source file before compiling it.
This file is the Ascend RADIUS dictionary, and contains a list of all attributes that the RADIUS server supports.
daemon. If you find a discrepancy in the dates between the daemon and the dictionary, download the latest dictionary file from ftp.ascend.com, and copy it into the same directory as the daemon.
For example, enter this line:
radius 1645/udp
The port number you specify must match the port number specified by the Auth Port parameter in the Ethernet > Mod Config > Auth menu.
The RADIUS server does not simply authenticate incoming calls. It must also authenticate the Network Access Server (NAS) from which it receives requests. The MAX is an NAS and a client of the RADIUS server.
Ascend3 bXSAMpy
The argument Ascend3 is the value specified by the Name parameter. The argument bXSAMpy is the password specified by the Auth Key parameter in the Ethernet > Mod Config > Auth menu. The name you specify must be resolvable on the IP network (through DNS, the Yellow Pages, and so on). Otherwise, you must specify the IP address of the MAX.
If the accounting process of the daemon will be running on the same server as the authentication process (rather than on a separate host), the same password must also serve for the Acct Key parameter in the Ethernet > Mod Config > Accounting menu.
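As an added illustration of why the Auth Key in the clients file must match on both sides (example code written for this page, not part of the Ascend manual or daemon): a minimal RFC 2865 exchange in Python in which the NAS hides the User-Password with the shared secret and then checks the server's Response Authenticator. The user name, password, Request Authenticator and attribute values are constructed; only the secret bXSAMpy comes from the example above.

```python
import hashlib
import os
import struct
# Constructed values: the secret bXSAMpy mirrors the clients-file example
# above; user name and password below are made up for this example.
SHARED_SECRET = b"bXSAMpy"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, USER_SERVICE, FRAMED_PROTOCOL = 1, 2, 6, 7

def _attr(atype, value):
    # One RADIUS attribute: type, length (header included), value.
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, request_auth):
    # RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    # MD5(secret + previous block), starting from the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, user, password, secret, request_auth=None,
                         send_service_attrs=True):
    # Access-Request as the NAS sends it: random Request Authenticator and a
    # User-Password hidden with the shared secret. send_service_attrs models
    # the later parameter that controls User-Service (6)/Framed-Protocol (7).
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(USER_NAME, user)
    attrs += _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    if send_service_attrs:
        attrs += _attr(USER_SERVICE, struct.pack("!I", 2))     # Framed
        attrs += _attr(FRAMED_PROTOCOL, struct.pack("!I", 1))  # PPP
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs

def build_response(code, request, secret, attrs=b""):
    # Server side: Response Authenticator = MD5(header+RequestAuth+attrs+secret).
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs

def response_is_authentic(response, request, secret):
    # NAS side: recompute the Response Authenticator with its own Auth Key.
    # A reply produced with a different key does not verify and is dropped.
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected
```

A MAX whose Auth Key differs from the server's clients entry therefore never accepts a reply, which is the failure you see when the two keys drift apart.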
A user is a caller that connects to the MAX. The RADIUS users file contains security and configuration information for each user. The full set of information for each user is called a user profile.
RADIUS writes error messages to /etc/raddb/logfile. The Syslog daemon does not create the RADIUS log file, so you must create the file yourself.
Installing radipad for global IP pools
You can use RADIUS to specify pools of IP addresses that a MAX can use to dynamically allocate IP addresses to incoming callers. By default, each MAX handles dynamic IP address allocation individually from a pool of addresses pre-assigned to each MAX. However, you can also set up your system to allocate IP addresses from a global pool of addresses that many units share. To do so, you must install radipad. Follow these steps:
radipad 9992/tcp #RADIUS IP address allocation from global pools
The port number 9992 is the default. You can change it as required.
Multiple hosts can run the RADIUS daemon, but only one host on the network should run radipad. Radipad is the central manager for global IP address pools on a network.
# Start up radipad for remote users
if [ -f /usr/local/bin/radipad ]; then
    /usr/local/bin/radipad; echo -n ' radipad'
fi
You must start up radipad manually the first time. To do so, you must be the user root.
For information on configuring global IP address pools, follow the instructions in Configuring global IP address pools shared by several MAX units.
Configuring the MAX to use the RADIUS server
This section describes how to configure the MAX to communicate with the RADIUS daemon. For additional information on each parameter you set, see the MAX Reference Guide and the MAX Security Supplement.
If you set Auth=RADIUS/LOGOUT, RADIUS keeps track of session logouts.
You can have up to three RADIUS servers on your network. One is the primary server. Two additional servers can serve as backups. If the primary RADIUS server fails, the MAX automatically contacts the secondary RADIUS server to authenticate a user.
You can also specify the same address for all three Auth Host parameters. If you do so, the MAX keeps trying to create a connection to the same server.
The MAX and the daemon must agree about which UDP port to use for communication, so make sure that the number you specify for the Auth Port parameter matches the number specified for the daemon.
If the MAX does not receive a response within the time specified by Auth Timeout, it sends the authentication request to the next authentication server specified by the Auth Host parameter.
The password is case sensitive.
For information on the Auth Pool parameter, see Configuring accounting with dynamic IP addressing.
This setting specifies that the MAX requires a response from the RADIUS server for CLID authentication. If the MAX makes a request to the RADIUS server for the caller's user profile and the request times out, the MAX rejects the call.
For more information, see Configuring the MAX to recognize the APP Server utility.
For more information, see Configuring the MAX to recognize the authentication server.
You can specify either Yes or No.
The MAX can report the number of sessions by class to a RADIUS authentication server when Auth=RADIUS/LOGOUT. The Sess Timer parameter specifies the interval in seconds in which the MAX sends session reports. You can specify a number between 0 and 65535. The default value is 0 (zero), which indicates that the MAX does not send reports on session events.
Specify a port number between 0 and 65535. The default value is 0 (zero). If you accept this value, the Ascend unit can use any port number between 1024 and 2000. You can specify the same source port for authentication and accounting requests.
This parameter specifies whether the MAX sends values for the User-Service (6) and Framed-Protocol (7) attributes in Access-Request packets to the RADIUS server. While some RADIUS servers require these attributes in authentication requests, other RADIUS servers should not receive them.
Using SNMP to specify the primary RADIUS server
By default, if the MAX uses a secondary RADIUS authentication server because the primary one goes out of service, the MAX does not use the first host until the second machine fails. This situation occurs even if the first host has come online while the second host is still servicing requests. However, you can use an SNMP set command to specify that the MAX use the first host again. Such a need might arise if you shut down the primary server for service and then make it available again.
anonymous to ftp.ascend.com. (No password is required.)
Starting the RADIUS daemon
You can use two different RADIUS daemons:
The DBM database is no more difficult to use than the flat ASCII file, and is much faster. However, if you reset passwords, these passwords take effect only after you rebuild the database. If resetting expired passwords is an important component of your system, you may not wish to use the DBM database.
radiusd [-A acct] [-a acctdir] [-c] [-d dbdir] [-p] [-s] [-u usrfile] [-v] [-w] [-x]
To enable call logging using RADIUS, start the RADIUS daemon with the -A option by entering this command line:
radiusd -A services
If you specify the services argument, the daemon creates the call-logging process, but only if a line defining the UDP port to use for call-logging appears in the /etc/services file. Otherwise, the daemon does not start.
If you specify the incr argument, the daemon creates the call-logging process with the UDP port specified as the call-logging port in the /etc/services file. If you have not defined the port, the daemon increments the UDP port specified for radiusd and uses that port number. This action is the default if you do not specify the -A argument.
Table 2-1 lists each argument.
-A acct
This argument controls the creation of the RADIUS accounting process. You can specify one of these values for acct:
none - The daemon does not create the accounting process.
services - The daemon creates the accounting process only if a line defining the UDP port to use for accounting appears in the /etc/services file. Otherwise, the daemon does not start.
incr - The daemon creates the accounting process with the UDP port specified as the accounting port in the /etc/services file. If you have not defined the port, the daemon increments the UDP port you specify for radiusd and uses that port number. This action is the default if you do not specify the -A argument.
-a acctdir
By default, RADIUS stores accounting records in a file named detail that resides in the /usr/adm/radacct directory. You can use the -a argument to specify a different directory for the file. acctdir must already exist.
For example, you might enter this command line:
radiusd -a /home/radacct
The accounting process in the daemon creates a file named detail that contains accounting records in the /home/radacct directory.
-c
This argument enables cache-token authentication in the daemon.
-d dbdir
The default directory for the RADIUS clients, users, dictionary, and log files is /etc/raddb. You can use the -d argument to specify a different directory for the files.
-p
This argument enables each user to change his or her own expired password through a dial-in modem connection.
-s
This argument specifies that the daemon runs in single-process mode. In this mode, the daemon receives, processes, and returns one request before going to the next one. This mode is much slower than the default multiprocess mode, in which the daemon receives, processes, and returns several requests concurrently.
-u usrfile
This argument assigns the file name specified by usrfile to the RADIUS users file.
-v
This argument prints the daemon's version number, extension, date, and the arguments selected in the makefile compilation.
-w
This argument makes the RADIUS daemon generate warnings about syntax errors it finds in the users file when the daemon is running. RADIUS generates a warning only when the daemon examines the users file profiles during the authentication process. For a more complete scan of the file for syntax errors, use the builddbm command with the -e argument.
-x
This argument produces debug output.
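The -A acct behaviour in Table 2-1 (and the matching call-logging description in the radiusd synopsis above) as an added Python model, written for this page and not part of the daemon: it reads an /etc/services excerpt constructed for the example and works out which accounting port, if any, radiusd would use in each mode, including the case where the services mode leaves the daemon unable to start. The service name radacct and the sample port 1646 are assumptions; the chapter does not state them.

```python
import re

# Constructed /etc/services excerpts in the format shown in this chapter.
# "radacct 1646/udp" is an assumed entry; the chapter does not name it.
SERVICES_WITH_ACCT = """\
radius      1645/udp    # RADIUS authentication
radacct     1646/udp    # RADIUS accounting (assumed entry)
radipad     9992/tcp    # RADIUS IP address allocation from global pools
"""
SERVICES_WITHOUT_ACCT = """\
radius      1645/udp
"""

def lookup_port(services_text, name, proto):
    # Return the port for name/proto from /etc/services text, or None.
    for line in services_text.splitlines():
        line = line.split("#", 1)[0].strip()      # comments are ignored
        m = re.match(r"^(\S+)\s+(\d+)/(\w+)", line)
        if m and m.group(1) == name and m.group(3) == proto:
            return int(m.group(2))
    return None

def accounting_port(mode, services_text, auth_port, acct_name="radacct"):
    # Models the -A acct argument of radiusd as described in Table 2-1:
    #   none     -> no accounting process (returns None)
    #   services -> the port must be in /etc/services, otherwise the daemon
    #               refuses to start (modelled here as RuntimeError)
    #   incr     -> use the /etc/services port if present, else auth_port + 1
    if mode == "none":
        return None
    port = lookup_port(services_text, acct_name, "udp")
    if mode == "services":
        if port is None:
            raise RuntimeError("no accounting port in /etc/services; daemon does not start")
        return port
    if mode == "incr":
        return port if port is not None else auth_port + 1
    raise ValueError("acct must be none, services or incr")

def daemon_starts(mode, services_text, auth_port):
    # True when radiusd would start with this -A value and services file.
    try:
        accounting_port(mode, services_text, auth_port)
        return True
    except RuntimeError:
        return False
```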
Running the daemon with a UNIX DBM database
To run the daemon with a UNIX DBM database, you must carry out three tasks:
Creating the executable files
To create the builddbm and radius.dbm executable files, enter this command:
builddbm [-d dbdir] [-e] [-h] [-u usrfile] [-v]
Table 2-2 lists each argument for the builddbm command.
-d dbdir
The default output directory for the database file is /etc/raddb. You can use the -d argument to specify a different directory for the file. For example, you might enter this command line:
builddbm -d /radius/raddb
This command results in two database files: /radius/raddb/users.dir and /radius/raddb/users.pag.
-e
This argument causes the builddbm program to report syntax errors and duplicate entries it finds in the users file during the indexing process. The daemon writes the messages to standard output.
If you do not specify the -e argument, the daemon writes the entries to standard error output instead.
-h
This argument displays help.
-u usrfile
This argument specifies the RADIUS users file for which a database is being built. The default name is users. If the daemon runs with the -u argument, the name you specify when you run the daemon must be the same name you specify here.
The users file must already exist in ASCII format. The resulting database files are named users.dir and users.pag.
-v
This argument runs builddbm in verbose mode.
Starting the RADIUS daemon for a DBM database
To start the RADIUS daemon in DBM mode, enter this command:
radiusd.dbm
The radiusd.dbm command supports the same set of arguments described for the radiusd command in Running the daemon with a flat ASCII users file, with one exception: the -p argument is restricted when the daemon is running in DBM mode. The users file database will not contain the user's new password until you run builddbm again.
If you have enabled call-logging, start RADIUS daemon by entering this command line:
radiusd.dbm -A services
You must specify the services argument when you start the daemon in DBM mode.
Copyright © 1998, Ascend Communications, Inc. All rights reserved.