Testing radius server

Alex Bahoor alexbahoor at sbcglobal.net
Fri Dec 11 06:12:46 CET 2009




Alan,

I don't know what your capacity in freeradius is, but I sure hope this product
is comparable to steel belt or Cisco's ACS, which are very costly.

Abstract
I'm not a hacker, and have not used free software in this capacity before.
I'm spoiled in using purchased software, which uses GUIs all the time. So my
expectations are a little different. While working six years with Sun
Microsystems, I kept hearing all the time that difficulty was the nature of
Solaris, and Unix. The most elegant OS, Solaris, unfortunately did not go
anywhere, and Sun went under. Why? Because it was not user friendly. You
read man pages written by developers at 3:00 AM in the morning and expect to
make sense out of them. Unfortunately, man pages have not improved at all.
They still lack examples, etc. Freeradius is not an exception. The
documentation is not user friendly at all. 


Document problems:
Here is an example excerpt from a page on the web:

CLIENTS
Make sure the clients (portmasters, Linux with portslave etc) are set up to
use the host FreeRADIUS is running on as authentication and accounting host.
Configure these clients to use a "radius secret password". For every client,
also enter this "secret password" into the file /etc/raddb/clients.conf 

Allow me to tell you where my confusion is:
1-The "clients" becomes confusing when I see portmasters, etc. Does this
mean the users who want to get access through a NAS or AP?

2-Is the "host" here meant to be the server? Why is it called host?

3-The "radius secret password" is defined again as "secret password" and
"shared secret"; all of these mean PSK (preshared key). Why is it not called
so, instead of adding many different words for the same definition? See, I'm
an engineer; definitions are critical to my understanding, and subtle
differences can throw me off. Maybe I'm too meticulous.

4-I looked up the "secret password" in the clients.conf, it was defined as
"shared secret". All this confusion could have been eliminated by just using
PSK (PreShared Key).

5-Please take a look at this paragraph from the same file:
#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#
#client 192.168.0.0/24 {
#	secret		= testing123-1
#	shortname	= private-network-1
#}

1-The above tells me every user will have to be entered into Radius with a
user and password, which is obvious, but why does the IP address have to be
part of this context? A user would use DHCP so this cannot be used.
 
2- The shortname is confusing; when a user logs in, all he/she has is a name,
not a FQDN. When I saw this, the first thing that came to mind was that this
clients.conf file is not for my setup, but I used it anyway.

Adding to all this confusion is the file /etc/raddb/users which seems to be
used for something, but it's not on the wiki, or at least not in a
conspicuous spot.

It took me quite some time to find out which platform I should have used.
What's in the wiki is vague, not specific to specific versions. And what
packages of freeradius I should have installed. Till Tim clarified this for
me, I was at a loss and frustrated. You have to understand, this is free
software; compatibility and interoperability are a big question; I don't
have the time to test every OS to find out which one is good, so-so, or even
bad. It should have been stated clearly in the wiki under "operating
systems", and which version of each OS you have tested. Take a look at this
paragraph which clearly proves my point. The link under "several versions of
Linux" would not bring up a page. And in the same page, all OSes listed
have links to download the software, which is convenient, but did not tell
me whether what is there has been tested. 

Snippet from the wiki ------------------

Porting to other unix-like platforms should be easy. Due to the limited
resources of the FreeRADIUS development team, we are not able to test each
version on all platforms before release. In general we test on several
versions of Linux and Solaris and FreeBSD appears to also be a popular
deployment platform for our users so we hear about any issues on those
platforms quickly. 



The website is not helpful in this too: 

You start with http://freeradius.org/list/users.html
Click on the wiki tab
Click on configuration: once you're there you would see a different
configuration file than the one you mailed me
(http://wiki.freeradius.org/CONFIGURATION_FILES), where is that one and how
you get to it from the home page beats me.

A picture is worth a thousand words. Network topologies, samples of
clients.conf and radiusd.conf with various features from basic to complex
security configuration that can be downloaded and used would save a lot of
time and confusion. If there are such samples, you would not hear from me. 

I hope this helps.

Rgrds,

Alex


-----Original Message-----
From: freeradius-users-bounces+alexbahoor=sbcglobal.net at lists.freeradius.org
[mailto:freeradius-users-bounces+alexbahoor=sbcglobal.net at lists.freeradius.org]
On Behalf Of Alan Buxey
Sent: Thursday, December 10, 2009 3:18 PM
To: FreeRadius users mailing list
Subject: Re: Testing radius server

Hi,

> I had enough of this.

what? free support pointing out the same suggestions and help every time? 
just a _little_ bit of reading would have informed you of the basics...but
I think there _could_ be issues and am open to suggestions to fix the
docs/guides for newcomers   (and I've used all the alternatives to
FreeRADIUS so know what you face on those platforms)

so - please point out the weaknesses that you faced

alan
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
 

__________ Information from ESET NOD32 Antivirus, version of virus signature
database 4677 (20091210) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com
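
The clients.conf comment quoted in the message above says that when a request comes in, the entry from the smallest matching network is chosen. As an added example (not part of the original message and not FreeRADIUS code), the Python below mimics that lookup, keyed on the source IP address of the device sending the request, such as a NAS or access point. The sample entries, addresses, secrets and shortnames are constructed, and only address-style client names are handled.

```python
import ipaddress
import re

# Constructed sample in clients.conf syntax; all values are made up.
SAMPLE_CLIENTS_CONF = """
client 192.168.0.0/24 {
	secret		= testing123-1
	shortname	= private-network-1
}
client 192.168.0.0/16 {
	secret		= testing123-2
	shortname	= private-network-2
}
client 192.168.0.10 {
	secret		= testing123-ap
	shortname	= lobby-ap
}
"""

CLIENT_BLOCK = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
SETTING = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)


def parse_clients(text):
    """Return [(network, settings)] for every uncommented client block."""
    # Drop comments first so commented-out sample blocks are ignored.
    text = re.sub(r"#.*", "", text)
    clients = []
    for spec, body in CLIENT_BLOCK.findall(text):
        # A bare address is treated as a single-host network (/32 or /128).
        network = ipaddress.ip_network(spec, strict=False)
        clients.append((network, dict(SETTING.findall(body))))
    return clients


def find_client(clients, source_ip):
    """Pick the entry from the smallest network containing the source IP."""
    addr = ipaddress.ip_address(source_ip)
    matches = [(net, cfg) for net, cfg in clients
               if net.version == addr.version and addr in net]
    if not matches:
        return None  # no entry, so no shared secret exists for this sender
    # Longest prefix means smallest network, i.e. the "BEST match".
    return max(matches, key=lambda m: m[0].prefixlen)[1]
```

The lookup never involves a user name: the shared secret and shortname belong to the device that forwards the request, which is why the entry is keyed by address or network.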
 
 
