Testing radius server
Alex Bahoor
alexbahoor at sbcglobal.net
Thu Dec 10 23:18:07 CET 2009
Alan,
Where is the user file? Why the wiki did not list this file. How would I
know about the file. From the wiki, I don't see any talk about this file you
talking about.
Alex
Background
RADIUS is a protocol spoken between an access server, typically a device
connected to several modems or ISDN lines, and a radius server. When a user
connects to the access server, (s)he is asked for a loginname and a
password. This information is then sent to the radius server. The server
replies with "access denied", or "access OK". In the latter case login
information is sent along, such as the IP address in the case of a PPP
connection.
The access server also sends login and logout records to the radius server
so accounting can be done. These records are kept for each terminal server
seperately in a file called detail, and in the wtmp compatible logfile
/var/log/radwtmp.
Command Line Options
radiusd [-a acct_dir] [-d db_dir] [-l log_dir] [-i address] [-p port]
[-AcfnsSvXxyz]
-A
Write a file detail.auth in addition to the standard detail file in the same
directory. This file will contain all the authentication-request records.
This can be useful for debugging, but not for normal operation.
This command line option is accepted only for backwards compatibility. It no
longer does anything. See the configuration for the detail module in
radiusd.conf.
-S
Write the stripped usernames (without prefix or suffix) in the detail file
instead of the raw record as received from the terminal server.
This command line option is deprecated. See the log_stripped_names
configuration item in the radiusd.conf file.
-a accounting directory
This defaults to /var/log/radacct. If that directory exists, radiusd will
write an ascii accounting record into a detail file for every login/logout
recorded. The location of the detail file is
acct_dir/terminal_server/detail.
This command line option is deprecated. See the radacctdir configuration
item in the radiusd.conf file.
-l logging directory
This defaults to /var/log. Radiusd writes a logfile here called radius.log.
It contains informational and error messages, and optionally a record of
every login attempt (for aiding an ISP's helpdesk). The special arguments
stdout and stderr cause the information to get written to the standard
output, or standard error instead. The special argument syslog sends the
information with syslog(3).
This command line option is deprecated. See the log_dir configuration item
in the radiusd.conf file.
-g facility
Specifies the syslog facility to be used with -l syslog. Default is daemon.
Another reasonable choice would be authpriv.
-d config directory
Defaults to /etc/raddb. Radiusd looks here for its configuration files such
as the dictionary and the users files.
-i ip-address
Defines which IP addres to bind to for sending and receiving packets -
useful for multi-homed hosts.
This command line option is deprecated. See the bind_address configuration
item in the radiusd.conf file.
-b
If the radius server binary was compiled with dbm support, this flag tells
it to actually use the database files instead of the flat users file.
This command line option is deprecated, and does not do anything.
-c
This is still an experimental feature. Cache the password, group and shadow
files in a hash-table in memory. This makes the radius process use a bit
more memory, but username lookups in the password file are much faster.
After every change in the real password file (user added, password changed)
you need to send a SIGHUP to the radius server to let it re-read its
configuration and the password/group/shadow files!
This command line option is deprecated. See the cache configuration item for
the unix module in the radiusd.conf file.
-f
Do not fork, stay running as a foreground process.
-p port
Normally radiusd listens on the ports specified in /etc/services (radius and
radacct). With this option radiusd listens on the specified port for
authentication requests and on the specified port +1 for accounting
requests.
This command line option is deprecated. See the port configuration item in
the radiusd.conf file.
-s
Run in "single server" mode. The server normally runs with multiple threads
and/or processes, which can lower its response time to requests. Some
systems have issues with threading, however, so running in "single server"
mode may help to address those issues. In single server mode, the server
will also not "daemonize" (auto-background) itself.
-v
Print server version information and exit.
-x
Debug mode. In this mode the server will print details of every request on
its stderr output. Most useful in combination with -s. You can specify this
option 2 times (-x -x or -xx) to get a bit more debugging output.
-X
Extended debug mode. Equivalent to -sfxx, but simpler to explain.
-y
Write details about every authentication request in the radius.log file.
This command line option is deprecated. See the log_auth configuration item
in the radiusd.conf file.
-z
Include the password in the radius.log file even for successful logins. This
is very insecure!
This command line option is deprecated. See the log_auth_badpass and the
log_auth_goodpass configuration items in the radiusd.conf file.
Configuration
Radiusd uses a number of configuration files. Each file has it's own manpage
describing the format of the file. These files are:
radiusd.conf
The main configuration file, which sets the administrator-controlled items.
dictionary
This file is usually static. It defines all the possible RADIUS attributes
used in the other configuration files. You don't have to modify it. It
includes other dictionary files in the same directory.
clients
[ Deprecated in favor of clients.conf ]
clients.conf
Contains the IP address and a secret key for every client that wants to
connect to the server.
naslist
[ Deprecated in favor of clients.conf ] Contains an entry for every NAS
(Network Access Server) in the network. This is not the same as a client,
especially if you have radius proxy server in your network. In that case,
the proxy server is the client and it sends requests for different NASes.
It also contains an abbreviated name for each terminal server, used to
create the directory name where the detail file is written, and used for the
/var/log/radwtmp file. Finally it also defines what type of NAS (Cisco,
Livingston, Portslave) the NAS is.
hints
Defines certain hints to the radius server based on the users's loginname or
other attributes sent by the access server. It also provides for mapping
user names (such as Pusername -> username). This provides the functionality
that the Livingston 2.0 server has as "Prefix" and "Suffix" support in the
users file, but is more general. Of course the Livingston way of doing
things is also supported, and you can even use both at the same time (within
certain limits).
huntgroups
Defines the huntgroups that you have, and makes it possible to restrict
access to certain huntgroups to certain (groups of) users.
users
Here the users are defined. On a typical setup, this file mainly contains
DEFAULT entries to process the different types of logins, based on hints
from the hints file. Authentication is then based on the contents of the
UNIX /etc/passwd file. However, it is also possible to define all users, and
their passwords, in this file.
See
-----Original Message-----
From: freeradius-users-bounces+alexbahoor=sbcglobal.net at lists.freeradius.org
[mailto:freeradius-users-bounces+alexbahoor=sbcglobal.net at lists.freeradius.o
rg] On Behalf Of Alan Buxey
Sent: Thursday, December 10, 2009 1:43 PM
To: FreeRadius users mailing list
Subject: Re: Testing radius server
Hi,
> Where did you create the user and password cisco?
>
> in the /etc/raddb/clients.conf.
>
> A copy of your users configuration file would be great
>
> Which config files do you need, radiusd.conf, or clients.conf? There is
also, /etc/raddb/users which I have not even touched, cuz I did not see it
readily on the wiki, and I did not know about till now.
no no no (cries!)
cleints.conf is for NAS devices to talk to the FreeRADIUS server
user accounts/passwords go into the users file....this is so clear and well
documented!
please just READ the users file and see - eg 'John Doe' example account in
that file..
once you look you will truly understand!
alan
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
__________ Information from ESET NOD32 Antivirus, version of virus signature
database 4677 (20091210) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
__________ Information from ESET NOD32 Antivirus, version of virus signature
database 4677 (20091210) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
More information about the Freeradius-Users
mailing list