RADIUS Package for Linux Dialin Server

1. If you downloaded the isdn4linux patch before Jan,5th 1998 the file radius.c is missing. Please download the corrected patch.
2. The binary RPM for the Merit RADIUS server was corrupted (cpio checksum errors). I just (1998-01-28) made radiusd-2.4.23-2.i386.rpm ready for download.

This page is under construction. Send comments and correction to me.

Here I'm trying to describe how to configure a Linux System to use RADIUS for authentication and accounting, for modem dialin as well as for ISDN dial in lines.

Here are the links to the various software packages you'll need for all this.

• RADIUS Server RPM Binary RPM for the Merit RADIUS Server
• pppd-2.2.0f patches Patches for the pppd 2.2.0f daemon. RADIUS stuff and Trumpet bug fix.
• radiusclient Library (no RPM available). Necessary to compile the pppd and ipppd program.
• isdn4k patches. They are against the 2.1b1 release. I made a new release which has some quirks but cleans up some other things enourmosly. Therefore i decided to release ist. In the next days, I'll describe the problems and our current workaround. You may get the new patch here

How these whole thing works, is explained on this page. Don't hesitate to send me questions if anything is not clear or the english is too bad (it's not my native language) so that this page can be of some value for other people as well.

RADIUS Server

Because the configuration of the radius server is the same for analog modem lines and the ISDN lines, the setup of the server is described first.

First you need a RADIUS server. We are using the free version of the Merit RADIUS server. I've some patches which enables the server to do CHAP authentication. The original version's CHAP code is broken. Best thing you can do is to get the RPMs i've prepared. There is a source and a binary RPM available. The binary installs in /usr/local, so there shouldn't be any collisions with other software (I hope).

For the package-manager challanged people ;-) a i prepared a tar.gz package of the RADIUS server

Patches, Enhancements

At this page you'll find various patches for the free Merit RADIUS server. I plan to integrate the more useful ones into my RPM package so people can install the package and have the most useful features available.

Since configuration of a RADIUS server still has some black magic components i think for now people using RADIUS should be able to patch source files and recompile the whole thing.

Installation

Should be straightforward, since it's a RPM binary package.

Configuration

Now comes the tricky part. I assume you know the basic principles about RADIUS. In the following examples assume dialin-server is the machine to which the modems and ISDN cards are connected. The machine with the RADIUS server is called radius-server.

First you have to make an entry in the /usr/local/etc/raddb/clientfile on the radius-server. The first word in a line is the hostname or the IP address of a client using this RADIUS server (the machine where the pppd programs are running). The second word is the password for this machine. It has to be in cleartext, so be careful about the permissions of this file and the directory where it is installed.
With our example names there must be a line
dialin-server radiuspassword

The next file you have to modify is the /usr/local/etc/raddb/users file. Here you have to enter the username, password, protcol, and the filter id. I've provided the user test1 with the password test1passwd for testing purposes. Be sure to change the user name and the password or comment this entry, before you put this server in you production environment.
An example entry for the user test-user with the password test-password which enables the user to do a PAP or CHAP login looks like:

          test-user Password="test-password", Framed-Protocol = PPP
              Filter-Id = "anonymous"
    

You may have reckognized that the installation of the RPM also adds one line at the end of your /etc/inetd.conf file. This entry cuases the RADIUS server to be started by the inetd daemon the first time a RADIUS request is received. Then the RADIUS server keeps processing requests. This hybrid approach (not really a standalone server, not really a inetd controlled program) has the advantage that the server is restarted automatically if it crashes.

Testing the Server

The server comes with some testing utilities. The most useful one is the radpwtest program. As a first test call it with the following parameters:
/usr/local/sbin/radpwtst -u PPP -c 1 -s radius-server -x -w test-password test-user
The output should be:

Merit RADIUS 2.4.23C, licensed software
Copyright (c) 1992, 1993, 1994, 1995, 1996 by The
Regents of the University of Michigan and Merit Network, Inc.
Received attribute/value pair(s):
    Filter-Id = anonymous
    Service-Type = Framed
    Framed-Protocol = PPP
    Framed-IP-Netmask = 255.255.255.0
    Framed-Routing = None
    Framed-MTU = 1500
    Framed-Compression = Van-Jacobson-TCP-IP
"test-user" authentication OK

Adding Users

Adding users is straightforward. Just put another entry into the /usr/local/etc/raddb/users file. As an extra feature it's also very simple to give special customers a fixed IP address. Just add Framed-IP-Address=194.42.98.32 in the second line of the user entry.

Why in the second line? Well, RADIUS server generally match the attributes of the request against the attributes in the first line and send back the attributes of all other lines.

RADIUS client library

For the compilation of the clients you need a client library. I'm using the library from Lars Fenneberg. The original package is available here. I've also installed a copy of this library. After unpacking the tarball, compile and install the library. I have been using the /usr/local prefix for all configuration files, so that the library installs into same directory structure as the daemon.

Modem Lines

Basically there are two approaches for this.

1. portslave is a substitute for mgetty and manages the serial line. There's another site dedicated to this approach, so i won't describe it here again.
2. mgetty with AUTOPPP and a patched pppd. This is the approach we are using, mainly because I love mgetty's way to initialize modems and collect connection statistics and we also have UUCP customers using the same dialin lines as the PPP customers. The patched pppd also has the advantage that it can be used for dialout connections as well.

Software you need

First you need a working mgetty program. The installation of this package is straightforward (at least it was for me). Don't forget to set the AUTOPPP flag in the Makefile when compiling the source. Otherwise the PPP packets are not reckognized and the client gets the login prompt.

Then you need the patched pppd program. I'm currently at version 2.2.0f, because it works okay on the server side and i've found no show stoppers (If it ain't broken, don't fix it). I provide patches which not only enable the RADIUS stuff, but also correct a minor bug which is triggered by Trumpet PPP stacks and Windows 3.1 clients.

After getting all this software and patches you are ready to install it.

Compiling

Apply the patch from the <PPPD Patch and compile the package as usual. The resulting pppd daemon understands one more option, radius. If this option is present RADIS authentication and accounting is used.

Modify the /usr/local/etc/radclient/radiusclient.conf. Be very careful, because errors in this file are particularily hard to detect.

That's it. From now on the pppd daemon does not consult it's /etc/ppp/chap-secrets and /etc/ppp/pap-secrets files, but asks the RADIUS server.

ISDN Lines

You have to modify the ipppd daemon if the isdn3linux package.

Software you need

You need the isdn4linux package. Get it from you nearest isdn4linux mirror. Apply the patch. This patch adds the RADIUS calls to the daemon and removes this pesky '^M' characters from some documentation files.

Compiling

After applying the patch, compile the package and install it. When you start the ipppd program use the option radius so that the RADIUS server is used.