INSTALL.OLD

			How to install RADIUS

Last modified 95/01/06

(Also see the RADIUS Chapter in the manual.)

The examples below assume you're installing RADIUS in /etc/raddb, but
you can put it anywhere if you change radius.h and recompile, or use
the -d flag to tell radiusd which directory holds its configuration files.

If you have pminstall and aren't running NIS (Yellow Pages), run
pminstall and choose "Install RADIUS", then as root do
"chmod 700 /etc/raddb", then skip down to SETTING UP CLIENTS.

If you don't have pminstall, do the following:

Add the following two lines to /etc/services on your RADIUS server, or,
if you're running NIS (Yellow Pages), add them to your services NIS map
on your NIS master and push the maps.

radius          1645/udp        radiusd
radacct         1646/udp

Now execute the following commands as root:

umask 22
mkdir /etc/raddb /usr/adm/radacct
chmod 700 /etc/raddb /usr/adm/radacct

Copy the contents of /usr/portmaster/radius/raddb into /etc/raddb.
Compile radiusd from /usr/portmaster/radius/src and place it in
/etc/radiusd or wherever you prefer.


SETTING UP CLIENTS


The PortMaster's hostname and the shared secret are placed in
/etc/raddb/clients, separated by a tab.  Your user entries are placed
in /etc/raddb/users.  Examples of each can be found in clients.example
and users.example.  You shouldn't need to change the dictionary file.

Start radiusd (you'll probably want to add this to /etc/rc.local or
some other file that gets run at system boot time).

/etc/radiusd

Running "radiusd -x" produces debugging output, which may be helpful if
things don't seem to be working.

If radiusd has problems, it will print to /etc/raddb/logfile, or to
/dev/console if it can.

Note that Framed-Compression defaults to on if you don't specify it,
so SLIP users who don't want VJ header compression MUST include
Framed-Compression = None.

Configure your PortMaster so that it knows which host the radiusd is
running on and what the shared secret is.  On the PortMaster, set the
RADIUS server and the shared secret using the "set authentic" and "set
secret" commands, or from the Edit RADIUS menu on pmconsole.  The
secret is case-sensitive and can be up to 16 characters long.  Do not
use control characters in the secret.  You can configure a backup
RADIUS server with "set alternate" but it's not required.  Make sure
all ports have passthrough disabled with "set all security on" followed
by "reset all" (Warning!  "reset all" will drop off anyone who's on the
port at the moment.) On older versions of ComOS you'll need to do "set
s0 security on", "set s1 security on", etc.  Do a "save all" to save
the changes to nonvolatile memory.
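A pre-flight check that ties together the clients file format described under SETTING UP CLIENTS and the shared-secret limits just given. It is an added example, not part of the RADIUS distribution; it assumes the directory is /etc/raddb unless you pass the one you give radiusd -d, and it checks only what this file states: the directory is mode 700, each clients entry is a hostname and a secret separated by a tab, and each secret is 1 to 16 characters with no control characters.

```shell
#!/bin/sh
# Added pre-flight check for a RADIUS configuration directory (not part of
# the Livingston distribution).  It tests the points the text insists on:
# the directory is chmod 700, and every clients entry is "hostname<TAB>secret"
# with a secret of 1 to 16 characters and no control characters.
# DIR defaults to /etc/raddb; pass the directory you give radiusd -d.

# check_raddb_mode DIR -> 0 if DIR exists and its mode is drwx------ (700).
check_raddb_mode() {
    [ -d "$1" ] || { echo "$1: not a directory" >&2; return 1; }
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "drwx------" ] ||
        { echo "$1: mode is $mode, want drwx------ (chmod 700)" >&2; return 1; }
}

# check_clients FILE -> 0 if every non-blank, non-comment line is a hostname
# and a shared secret separated by a tab and each secret obeys the limits.
# Problems are reported by line number only, so secrets never reach the
# terminal or a log.
check_clients() {
    [ -f "$1" ] || { echo "$1: missing" >&2; return 1; }
    awk -F'\t' '
        function bad(msg) { printf "%s:%d: %s\n", FILENAME, NR, msg > "/dev/stderr"; errors++ }
        /^[ \t]*$/ || /^[ \t]*#/ { next }       # skip blank lines and comments
        $1 == "" || NF < 2 { bad("hostname and secret must be separated by a tab"); next }
        { s = ""; for (i = 2; i <= NF && s == ""; i++) s = $i }   # tolerate runs of tabs
        s == ""                 { bad("empty secret"); next }
        length(s) > 16          { bad("secret longer than 16 characters"); next }
        s ~ /[\001-\037\177]/   { bad("control character in secret") }   # ASCII controls and DEL
        END { exit errors ? 1 : 0 }
    ' "$1"
}

# check_raddb [DIR] -> 0 only if both checks pass.
check_raddb() {
    dir=${1:-/etc/raddb}
    rc=0
    check_raddb_mode "$dir" || rc=1
    check_clients "$dir/clients" || rc=1
    return $rc
}

if [ $# -gt 0 ]; then check_raddb "$1"; fi
```

Run it as root (so it can read the directory) right after creating /etc/raddb and before starting radiusd.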

The PortMaster will check its local User Table first, and if it doesn't
find the user there AND passthrough is disabled AND a RADIUS server is
set, it will then query the RADIUS server.

Make sure your DNS has an in-addr.arpa entry for the PortMaster if you're 
using Rlogin to Linux. 

If you're using Rlogin or PortMaster service and get prompted for the
password twice, you can add the PortMaster's hostname to your
/etc/hosts.equiv file to get rid of the second password prompt.  
Do NOT do this if you're using Passthrough and not RADIUS!!!

If you're already in production with the User Table, a good way to
switch over to using RADIUS is first to add a user to RADIUS that's not
in the PortMaster's User Table, test with that, and when everything
checks out use pmreadpass (if on a supported platform) to copy everyone
from the PortMaster to the /etc/raddb/users file, then get rid of the
users in the PortMaster's local User Table.  Edit the output from
pmreadpass to remove the ", Client-ID = 192.9.200.1" clause (the IP
address will match your PortMaster's IP address).  pmreadpass is
included in release 3.1 of the PortMaster administration software.
You'll also need to modify Framed-Filter-Id if you have any.

        Framed-Filter-Id = "std.ppp"

means that the input filter is std.ppp.in (if it exists) and the output
filter is std.ppp.out (if it exists).