Re: Decent docs

Chad Miller Wed, 28 Nov 2001 14:35:06 -0800

Hi, Chris.

On Wed, Nov 28, 2001 at 01:42:02PM -0600, Chris Parker wrote:
> However, in order to use it, I have to learn a whole new markup language.
> 
> Irony of ironies, the documentation for JADE ( the editor recommended
> on the docbook site ) sucks.


Ugh.  That site must really suck, if it led you to believe jade is an editor.
'jade' is a renderer.  It will render the DocBook SGML to any format that it
has a backend for (usually HTML, PDF, and RTF).  

Docbook really is nice.  Please try it.  An excellent site is
 URL: http://www.oreilly.com/catalog/docbook/chapter/book/docbook.html
.  Here's how useful DocBook is:  O'Reilley's authors use Docbook (usually).
ORA used jade on the very same source to render it to ROFF for the print-house
and HTML for the webmonster.  Both look really good.

I'm becomming to grok the Buddha-nature of DSSSL (we use it at work), so feel
free to ask me to make the rendering phase do what you want.

Attached is the single-page HTML rendering of what I have so far.

                                                        - chad

-- 
Chad Miller <[EMAIL PROTECTED]>   <url: http://web.chad.org/home/>
  ``Is it wrong to donate Kool-Aid to one's favorite kook organizations 
  when The Comets come around?''   - C. M.

Title: FreeRADIUS Operating Manual

FreeRADIUS Operating Manual

Table of Contents

1. Overview

1.1. Compilation and Installation
1.2. Execution

2. Configuration Concepts and Files

2.1. Configuration Structure and Parsing

2.2. Actual Sections and Variables

2.2.1. Five Execution Sections
2.2.2. Top-level Variables
2.2.3. Proxy Section
2.2.4. Thread Pool Section
2.2.5. Clients Section
2.2.6. Module Section

3. Troubleshooting

A. Format of the users file

B. Username Collision Handling

B.1. Authentication
B.2. Accounting

C. String Translation

Index

List of Examples
1-1. Compiling and Installing FreeRADIUS
2-1. Sections, Subsections, and Comments
2-2. Defining proxy realms
2-3. Listing for a RADIUS client
B-1. Collision in a users file
B-2. Collision information in a passwd file

Chapter 1. Overview

FreeRADIUS is an implementation of the RADIUS protocol. It aims to be a free, fast, robust, feature-rich server.

Livingston's RADIUS server, the first decent free (libre) RADIUS server, is the basis of most RADIUS implementations today. From it grew many attempts at improvement and redesign. One of those reimplementations, Cistron's, became popular for its features and rapid development and it became a staple for those in the ISP business who were dissatisfied with other servers. Eventually, Cistron's server was well entrenched, and development and redesign issues begat The FreeRADIUS Project. Cistron's server is still in usage, but active development on it has ceased and been moved to development of FreeRADIUS

The RADIUS protocol is a means of authentication and accounting sessions, usually of dialin users, but feasably of any kind of session. It does not address other concerns like billing, user organization, or data management. A RADIUS server listens on a network for authentication requests, and upon receipt of requests, either answers with a rejection or with confirmation and optional session attribute suggestions. Upon recipt of an accounting packet, it can store evidence of the session starting or terminating.

1.1. Compilation and Installation

The FreeRADIUS server is written in the C programming language, and a POSIX environment with a ANSI C compiler and GNU Make is necessary to create an executable from source code. There are plenty of optional features of the server that require additional software to be installed for one to use those features.

At present, The FreeRADIUS Project does not distribute binary packages; you might get some from your OS vendor or by asking the freeradius-users email list. All the components necessary to build a binary are freely available, though, so you should be able to build it yourself.

One should get the server's source code by reading the instructions at http://www.freeradius.org/getting.html.

The steps for compiling and installing from FreeRADIUS source (in an example ~/freeradius directory) should be something like...

Example 1-1. Compiling and Installing FreeRADIUS

foo:~/freeradius$  ./configure --help
(browse the options)
foo:~/freeradius$  ./configure [options]
loading cache ./config.cache
checking for gcc... gcc
checking whether the C compiler (gcc  ) works... yes
checking whether the C compiler (gcc  ) is a cross-compiler... no
checking whether we are using GNU C... yes
checking whether gcc accepts -g... yes
checking how to run the C preprocessor... gcc -E
[...]
foo:~/freeradius$  make
make[1]: Entering directory `/home/bar/freeradius'
[...]
foo:~/freeradius$  su
Password:
foo:~/freeradius#  make install
make[1]: Entering directory `/home/bar/freeradius'
[...]

1.2. Execution

The server executable should be at sbin/radiusd after installation. When executed, parameters given on the command line should override any corresponding setting in the server's configuration file. The configuration file is described in Chapter 2. Execution parameters are each single letter ``short'' paremeters, some with words that specify values where appropriate.

radiusd [-a accounting directory] [-d configuration directory] [-l log location] [-i ip address] [-p port number] [-A] [-f] [-h] [-s] [-S] [-v] [-X] [-x] [-y] [-z]

The -a option sets ....

Chapter 2. Configuration Concepts and Files

After installation, the files that configure the server are typically installed under etc/raddb/, at some installion root. The root is usually at / (if installed with a FHS-compliant package) or /usr/local/ (if you install it yourself), unless you set prefix to something else when you ran the ./configure program before compiling. (See Section 1.1.)

2.1. Configuration Structure and Parsing

Almost every file in the configuration directory is in the same format. There are four kinds of ``things'' in the config files: Sections, Assignments, Directives, and Comments. The parser of the files is pretty simple, and doesn't allow more than one ``thing'' per line, so if you start a section, you can not put a comment on the same line, for instance. You can have any amount of whitespace before or after "things" in the config files, including entirely blank lines, so you should use indention to help visually group items.

Comments are the easiest to understand; they are lines that begin with an octothorpe, #. Everything up to the end of that line is ignored by the parser.

Assignments are variable names, followed by an equals-sign (=), followed by a value for that variable.

Sections are used to group ``things'' together under a common name. They start with a word that tells the server what kind of Section it is. The server will need to refer to the Section by a name, and you can give one after the first word, or if you don't specify one, the server will assume the name is the same as the Section type. (Thus, foo foo is the same as foo.) After the Section's type and optional name is an opening brace ``{'', and on a later line is the brace' closing sister, ``}''.

Example 2-1. Sections, Subsections, and Comments

					# this section has a type of "pigments" and an appropriate name of "dumbexample"
					pigments dumbexample {
					    # This section has a name of "azure"
					    blue azure {
					        # Azure is nice
					    }
					
					    # This section has a name of "blue"
					    blue {
					        # (this comment intentionally left blank)
					    }
					}
					
					danube blue {
					    # This "blue" is distinct from the dumbexample "blue", above,
					    # as it's in another namespace.  Another top-level "blue" wouldn't
					    # be allowed, now would another "blue" under "pigments".
					}

Directives are single words that have some meaning for the server. These are pretty rare outside a few particular areas that are discussed in just a moment.

One can mix Comments, Assignments, Directives, and Sections in any manner one wishes. The FreeRADIUS server cares about only five sections, when it starts up. If those five sections refer to other things (and they most certainly will!), then the server goes looking for the referenced information. The parser is "lazy" that way, in that if you have something misspelled, and if the server doesn't require it in order to run (perhaps it has a sane default value), then you will never hear a complaint from the server. It treats the config files as a bag full of information from which it can pull what it needs, rather than like a list of instructions (each of which would be important). If an entry isn't there, spelled as the server is expecting, then the server isn't alarmed. Think ``phone book'' rather than ``cooking recipe.''

If the server isn't behaving at all as you expect after a configuration change, double check the spelling of your variables and sections. A simple slip-up won't necessarily be caught by the server.

What are the magical five sections that the server really cares about, and requires them in order to run? They are authorization, authentication, preaccounting, accounting, and session and they contain only Directives. These Directives are module names that piece together the flow of execution for the running server. Each module that is referenced in one of the five magical sections has to be the name of a subsection inside a section in the top-level, called ``modules''. What each of the five sections does will be described later, in Section 2.2.1.

Because a lot can go into the configuration of a RADIUS server, there is a way to split out blocks of configuration into different files, and refer to them in the main etc/raddb/radiusd.conf file. One can use the $INCLUDE tag on an empty line to have the parser read that file as if it were part of the current file. The $INCLUDE tag is not recursive, though, so included files can not include others, and all $INCLUDE tags must occur in the etc/raddb/radiusd.conf file.

Sure, there are a few other files in the etc/raddb/ directory that don't follow these guidelines, but their purporse and format will be described later, when the code that uses them is discussed.

2.2. Actual Sections and Variables

2.2.1. Five Execution Sections

There are five sections that the FreeRADIUS server cares about when starting up, the main five sections described below. When those are parsed, the information contained in them may induce the server to look in other parts of the config files for information on how to behave.

Their contents directly translate into execution paths of the server.

2.2.1.1. The `authorization` Section

When the server receives an authentication request from a known client, it eventually intends to reply to it. Before the authorization section begins, the server takes the attribute-value pairs that the auth-request provides and builds a ``request-list'' from it. It also creates two empty lists, one that will contain attributes that it will use to decide if the user is allowed a session (a ``check-list'') and one that contains session attributes that it will send to the client (a ``reply-list'') if the session is allowed.

The authorization section is a stage used to set up values in the check-list, in preparation for the next stage in processing the request, authentication.

Execution passes through the authorization section until the end of the list of declarations, or when a module returns reject, ok, or handled.

2.2.1.2. The `authentication` Section

In this section,

2.2.1.3. The `session` Section

2.2.1.4. The `preaccounting` Section

2.2.1.5. The `accounting` Section

2.2.2. Top-level Variables

There are a lot of variables outside any section that set the behavior of the server:

prefix = directory, exec_prefix = directory, sysconfdir = directory, localstatedir = directory, sbindir = directory, logdir = directory, libdir = directory, raddbdir = directory, radacctdir = directory, confdir = directory, rundir = directory: Most of these settings are convenience variables that later declarations use to express the location of things in a general way. A few of them are used directly by the server, too, so keep them around.
pidfile = filename: A filename that is used to store the process-ID of the currently-running server. It should be in a place writable by the server user, as defined below, in the user and group variables.
user = username, group = groupname: The username and groupname must be entries that exist in the system files at the time of startup. The server runs as that user for its entire lifespan, excepting the first few instructions at startup. It's probably wise to make a new user to own the server, so it can't accidently stomp on anything valuable.
max_request_time = decimal integer: The number of seconds after receipt of a request that the server considers that it's not making progress towards handling it. In response to such a situation, the server kills the attempt and returns a rejection for that request. Useful values are between 5 and 120, and 30 is usually best.
delete_blocked_requests = yes/no: Tells the server to delete request information for requests that take more than max_request_time seconds.
cleanup_delay = decimal integer: The number of seconds the server stores the reply of a particular request, in the expectation that since RADIUS uses a protocol that doesn't guarantee delivery of the reply, it might get lost, and we can immediately reply if we hear the same request in a few moments. If you have a flaky network, it's probably worth the extra memory to keep these around, especially if you're using some computationally expensive authentication methods. If your network is great, or if authentication is very cheap, then you might set this very low, so you can handle more requests.
max_requests = decimal integer: The maximum number of requests that the server can hold. It should be about 256 multiplied by the number of clients. It's better to set this too high, and waste memory, than too low and drop packets.
bind_address = dotted-quad IP address: The IP address on which the server should listen for requests, and more importantly reply using as a source address. If you have multiple addresses on the same box, and the one to which your RADIUS clients are sending isn't the ``primary'' one, then you might have to set this to the real address. Else, you should use "*", and listen on all addresses, for simplicity's sake. (Yes, this is IPv4-specific for now.)
port = decimal integer: If nonzero, it is the port the server listens uses to listen for authentication requests, and N+1 for accounting, and N+2 for proxying. If zero, the port is taken from the system services file, /etc/services, or its moral equivalent used by getservbyname().
checkrad = filename: The location of the checkrad program.
hostname_lookups = yes/no: Translate addresses to DNS names of clients we speak to. This is safe if you're certain that you will never receive a packet from a client of which your nameserver doesn't know; if you do get one, then the server can pause for up to 30 seconds waiting for the nameserver to reply! When in doubt, leave this set to no.
allow_coredumps = yes/no: A core-file can contain password information, so unless you're debugging the server, you should set this to no, so that a possible core-dump won't result in leakage of sensitive information.
regular_expressions = yes/no, extended_expressions = yes/no: These are set at compile-time to fit the state of your machine, so if you opt to set these to no, then you turn off regex usage. If they're set to no by the config-generator, then setting them to yes won't work, of course.
log_stripped_names = yes/no: Whether usernames are logged as received, or as stripped down to the real username (minus capitalization and realm, et cetera).
log_auth = yes/no: Log all authentication requests to the log file?
log_auth_goodpass = yes/no, log_auth_badpass = yes/no: Log passwords if accepted, and if rejected. Set log_auth_goodpass to no, unless you don't mind leaking sensitive information into the log file.
usercollide = yes/no: User collision is the ability to uniquely authenticate duplicate usernames in RADIUS. In addition, it provides resources to correctly identify each duplicate user in the accounting logs. See Appendix B.
lower_user = no/before/after, lower_pass = no/before/after, nospace_user = no/before/after, nospace_pass = no/before/after: Crush to lowercase when authenticating a user, or remove surrounding spaces. If set to before, then the altered version is tried first, and on failure, the pristine version is tried. On after, the pristine version is tried first, and then the altered version. This actually does two seperate authentications for unmatched users, so it's usually best to leave this set to no.
proxy_requests = yes/no: Allows proxying of requests. It's safe to leave this on, as it doesn't really save many resources in a running server to disable it. (See Section 2.2.3.)
snmp_write_access = yes/no, smux_password = string: If you compiled the server with SNMP support, then you may set these variables. They determine whether an SNMP agent may reload the server's configuration. If in doubt, you should leave these unset.

2.2.3. Proxy Section

The FreeRADIUS server can act as a proxy, accepting requests and making its own requests to another RADIUS server, on behalf of its client.

synchronous = yes/no: We can deal with proxied requests in two ways as far as when we resend proxy requests to the upstream RADIUS server. If this is set to yes, then we resend packets every time the client resends a packet to us. If the client is too impatient and you don't want to pass on that impatience to the upstream, you can set this to no, causing the server to ignore unanswered duplicate client requests and retry the upstream on its own schedule. If you set this to yes, then the remaining proxy variables are meaningless.
retry-delay = integer: The number of seconds to wait for a reply before asking the upstream RADIUS server again. A higher value is nicer to the upstream server, but if this is set too high, then the client may give up entirely and reject the user. A value of 5 is a sensible value.
retry-count = integer: The number of times that we query the upstream RADIUS server before we give up.

For realms, it's best to declare top-level realm sections for each realm to use. The secondary name of the section is the realm to be matched against.

Example 2-2. Defining proxy realms

							realm isp2.com {
							    type = radius
							    authhost = 0.auth.radius.isp2.com:1645
							    accthost = 0.acct.radius.isp2.com:1646
							    secret = TheirKey
							    detailfile = /var/log/radacct/isp2/detail
							    nostrip
							    utmpfile = /var/log/radutmp-isp2
							    wtmpfile = /var/log/radwtmp-isp2
							}
							
							realm momandpop.com {
							    type = radius
							    authhost = LOCAL
							    accthost = LOCAL
							    secret = hi-mom
							}
							
							realm NULL {
							    type = radius
							    authhost = radius1.isp4.com:1645
							    accthost = radius2.isp4.com:1646
							    secret = isp4secret
							}
							
							realm DEFAULT {
							    type = radius
							    authhost = 0.auth.radius.isp2.com:1645
							    accthost = 0.acct.radius.isp2.com:1646
							    secret = TheirKey
							    detailfile = /var/log/radacct/isp2/detail
							}

If you're wary of your upstream RADIUS servers, it's a good idea to consider using the attr_filter module or attr_rewrite module to prevent the server to which you're proxying from giving too much privileges to its user using your equipment. See Section 2.2.6.3 and Section 2.2.6.4.

2.2.4. Thread Pool Section

If you have thread pools compiled in to the server, then you should adjust the pool settings to your environment. The section is called thread, and it has several attributes.

start_servers = decimal integer: This determines how many initial threads will be instantiated to handle requests, initially.
min_spare_servers = decimal integer, max_spare_servers = decimal integer: Settings that regulate the size of the thread pool. It doesn't make sense to have start_servers be smaller than min_spare_servers, of course.
max_requests_per_server = decimal integer: It's only with this option set to nonzero that min_spare_servers makes sense. This option set to nonzero would force a thread to be canceled after so many requests. There's no good reason to have this set to anything but zero, which keeps threads forever.

2.2.5. Clients Section

There should be several client sections, one for each client that should use the server. The secondary section name (the first being client) should be the IP address of the client, in dotted-quad notation. Within that section, several variables are useful:

secret = string: The secret that the client shares with the server to encrypt some parts of the RADIUS packets. This must be the same on the client as here.
shortname = string: A convenient name that the server associates with the IP address, when logging. This may not be widely supported in all modules.
vendor = string, type = string, login = string, password = string: Information used by the session-concurrency monitor, "checkrad", which might need to log in to get current user information, so it can keep the session counts up-to-date. The vendor and type variables tell "checkrad" how to communicate with the client.

Example 2-3. Listing for a RADIUS client

						client 123.23.34.45 {
						    secret = "abracadabra"
						    shortname = "45.nas.vldsga"
						    vendor = "cisco"
						    type = "as5300"
						}

2.2.6. Module Section

Modules are independent pieces of code that are designed in the same spirit as the Unix toolkit, in that each thing does only a few things, but does them well.

2.2.6.1. acct_unique module

Applicable Sections. accounting

This module adds a (hopefully) unique session id to an accounting packet based on the RADIUS attributes listed in the module configuration's key value.

Based on the attributes listed in the key, this module will concatenate the attribute name and value received in the accounting request packet, and then calculate a (unique) md5 digest value from that concatenated list of attributes.

After generating the md5 digest value, it adds it to the accounting request packet received from the client. The resultant attribute created by this module is called Acct-Unique-Session-Id, and it's a useful bit of info to have inserted into your accounting log.

Suggested Uses. Useful for keeping long-lasting accounting records, in which one can use the key as an index in some storage system, like an SQL server or detail logs. It's not an expensive operation, so use on a heavily-burdened server should not impact performance much.

If you want the Acct-Unique-Session-Id of the Start and the Stop packet of a particular session to match, you must use values for the key that will stay the same for the Accounting-Start and -Stop packets. Adding 'Acct-Session-Time', for example, would cause a mismatch because that value is not the same on the Start and Stop accounting packets.

key = comma-seperated attribute list: A string of attributes that can be joined together to make a unique identifier for a particular RADIUS session. A common sane value is User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Port-Id. Any attribute you specify that is not known to the 'dictionary' code will cause the server to fail and exit with an error.

2.2.6.2. always module

Applicable Sections. authorize, authenticate, preaccounting, accounting, session

Unconditionally handles requests a predetermined way. This modules is most useful for debugging the server, over anything else. The best way to accept requests unconditionally is though the files module's FOO attribute in its users file, as described in Appendix A.

Suggested Uses. This should almost never be used.

In a catastrophic failure of whatever means you use to authenticate users (say, in a SQL server or LDAP directory), temporarily inserting the Always module into your configuration will allow users to log in while you repair the failure. Don't do this for important services, like using RADIUS to authenticate retreival of email, of course!

rcode = reject/ok

Tells the server how to behave for the current authentication request. ok signals to allow the request. There are really more return codes, but only server developers would find them useful or interesting.

simulcount = decimal integer

Even though we may be ignoring the password information coming from the client, we may still want to disallow more than N simultaneous connections per user.

Using simulcount can be dangerous, in that if some rogue uses Bob's username to connect (and we allow it because we don't care that the rogue didn't know Bob's password), then Bob won't be able to connect as many times as he normally would be able to.

mpp = yes/no

If the user is allowed any access at all, this tells the client whether to allow 2-port multilink access.

2.2.6.3. attr_filter module

Applicable Sections. authorize

This modules is allowed only in the authorize section, and should be placed before use of a Realm module instance.

This module exists for filtering certain attributes and values in received radius packets from remote proxied servers. It gives the proxier (us) a very flexible framework to filter the attributes that proxied servers send us in their replies. This makes sense in an out-sourced dialup situation, for example, where the client's proxy is permitted only certain values for setting the Idle-Timeout.

Filter rules are defined and applied on a per-realm basis, where the realm can be anything you have defined via the rlm_realm module.

Suggested Uses. Use this when you have upstream RADIUS servers controlled by one organization sending information through you to downstream RADIUS clients controlled by a different organization.

attrsfile = filename: The file describes how attributes are filtered. If this variable is unset, it defaults to attrsfile = ${confdir}/attrs

2.2.6.3.1. Format of the `attrsfile` file

The file that defines the attribute filter rules is layed out and parsed very similar to the users file (See Appendix A). There are a couple main differences:

There are no "check items" on the first line of the profile other than the "realm".
There is only one DEFAULT entry. This is due to the fact that there are no "check items" beyond the realm name. Fall-Through does work though, allowing you to put the commonly allowed attribute rules into the DEFAULT entry and only put realm specific rules in the specific realm entry.
The operators used for specifying the attributes are different too, as below.

`=`	NOT ALLOWED If used, it becomes "=="
`:=`	Set (used to ensure a specific A/V pair is present)
`==`	Equal (exact)
`!=`	Not equal
`>=`	Greater than or equal to
`<=`	Less than or equal to
`>`	Greater than
`<`	Less than
`=~`	Regular expression equal
`!~`	Regular expression not equal

See the comments in the default 'attrs' file for examples and additional explanation.

2.2.6.4. attr_rewrite module

Applicable Sections. authorize, authenticate, preaccounting, accounting, session

In authentication and accounting requests, filters out some attributes, as useful to do when proxying to another server or massaging data from clients into a normalized or "standard" form.

searchin = string, attribute = string, searchfor = string, replacewith = string, max_matches = nonnegative decimal integer: In the A/V list indicated by searchin, in the attribute indicated by attribute, replace the first max_matches instances of searchfor with replacewith
ignore_case = boolean: When matching the searchfor string, should the case of the letters be ignored?

2.2.6.5. counter module

Applicable Sections. authorize, accounting

In accounting, sums a user's usage in a GDBM DB. In authentication, creates an attribute in your check-list based on past usage, with which, you can later test to see if this new session is allowed or not.

Suggested Uses. Use this to enforce a limit on usage of your RADIUS-protected resource, for accounts that aren't allowed unlimited usage.

filename = filename: A file writable by the user the server runs as (see Section 2.2.2), in which the usage information will be stored. By the nature of GDBM, it's wise to keep this on a local filesystem (and not NFS, e.g.).
key = dictionary attribute: The key for storing/retreiving data from the DB. This should be set to User-Name, if you want to limit users. It could be anything, like Acct-Unique-Id, if you use usercollision and put the acct-unique module before this in the authorize section and make its key attribute be attributes that uniquely identify the user (like User-Name, Class might).
count-attribute = dictionary attribute: Any decimal integer accounting attribute that you want to count on. Acct-Session-Time is a sensible value for accounting some number of seconds in some period.
reset = period name: The period for which you want to keep the count-attribute per key. Supported values include hourly, daily, weekly, monthly. The count-attribute information is reset at the beginning of each period.
counter-name = new attribute: The name of the attribute to be created in the check-list that will store the current value that the DB has.
check-name = ? , allowed-service-type = ? , cache-size = decimal integer: A file writable by the user the server runs as (see Section 2.2.2), in which the usage information will be stored.

2.2.6.6. detail module

Applicable Sections. accounting

Meaningless in authentication, but accounts to the traditional RADIUS ``detail'' file format. The placement of the file is very powerful, as it can be based on expansion of request attributes (see Appendix C).

Be sure not to use any user-supplied information (User-Name, etc.) in the detailfile, if you value security. A malicious or clumsy user could easily write in a location you don't expect.

detailfile = filename: Location of detail file. Use of %-expansion can make for powerful logging. Usually set to .../%{Client-IP-Address}/detail.
detailperm = octal integer: Permissions for newly-created files. Usually set to 0600

2.2.6.7. dictionary module

Applicable Sections. (none)

2.2.6.8. example module

Applicable Sections. (none)

Useful only as an example for new module developers. Don't enable this in your server.

2.2.6.9. fastusers module

Applicable Sections. authorize, authenticate, preaccounting, accounting

Behaves identically to the files modules, as described in Section 2.2.6.10, with the exceptions that authentications are done in (nearly) constant time (rather than being ``Big-O of N''), and there are additional cache-related settings.

Suggested Uses. Use of this is nice if you have a lot of users and have some source from which you can generate a users-style file from it. It's the successor to the slower files module.

usersfile = filename, acctusersfile = filename: usersfile is the file containing authentication information, and acctusersfile is . Appendix A describes the file format.
hashsize = decimal integer: The number of hash buckets to use. For best performance, approximate the number of users you expect to have, and use that.
hashreload = decimal integer: The number of seconds between reloading the hash. Updates to the users-file are only noticed when this number of seconds have elapsed. 600 is a common value.
stats = boolean: Log the hash efficiency statistics on load or reload.
compat = cistron/: Whether to expect a Cistron-compatible users-file format.

2.2.6.10. files module

Applicable Sections. authorize, preaccounting

Authenticates users from a somewhat Livingstonesque, very Cistronlike ``users'' file. See Appendix A for information about the file format.

usersfile = filename, acctusersfile = filename: The server looks for the users-file at the location given by the usersfile variable (a fully qualified filename, often ${confdir}/users) -- this is the full filename, and it need not be ``users'' of course.
compat = cistron/: Compatibility mode, for whether the users-file is in the old ``Cistron RADIUS'' format.

2.2.6.11. krb5 module

Applicable Sections. authenticate

Authenticates with Kerberos tokens.

2.2.6.12. ldap module

Applicable Sections. authorize, authenticate

Authenticates users via a LDAP tree. Meaningless in accounting.

Suggested Uses. This is an appealing way to authenticate users, but the code is not yet ready for use in an important environment. Feedback is welcome.

server = hostname, port = positive decimal integer, identity = string, password = string, basedn = string: Information used to connect to the LDAP server.
net_timeout = decimal integer
timeout = decimal integer
timelimit = decimal integer
default_profile = string
profile_attribute = string
access_group = string
access_attr = string
dictionary_mapping = filename
ldap_debug = integer

2.2.6.13. mschap module

Applicable Sections. authenticate

2.2.6.14. ns_mta_md5 module

Applicable Sections. authenticate

Suggested Uses. This is a rarely used module. Its use isn't discouraged, but not very well supported by developers.

2.2.6.15. pam module

Applicable Sections. authenticate

Authenticates to any PAM method that your system has available.

Suggested Uses. This is an easy way to add a level of indirection to authentication and gain access to another realm of authentication methods. This is a powerful idea, if only a simple module.

pam_auth = string: The name used by the PAM system, as an identifier for this authentication scheme. Usually, set to "radiusd".

2.2.6.16. preprocess module

Applicable Sections. authorize, preaccounting

A multipurpose module used in both authorization and preaccounting. It prepares a request structure to be handled by other modules.

huntgroups = filename
hints = filename
with-ascend-hack = boolean
ascend-channels-per-line = integer: Optional setting, dependent on with-ascend-hack being set to yes.
with-specialix-jetstream = boolean
with-nt-domain-hack = boolean
with-cisco-vsa-hack = boolean

2.2.6.16.1. Format of huntgroups file

2.2.6.16.2. Format of hints file

2.2.6.17. radutmp module

Applicable Sections. accounting, session

Accounts users to a typical Unix ``utmp'' file. Meaningless in authentication.

Suggested Uses. This is an ugly and discouraged way to account and session-limit. Use a detail file, or SQL DB instead.

filename = filename
perm = integer
callerid = boolean

2.2.6.18. realm module

Applicable Sections. authorize, preaccounting

In authorize and preaccounting, a single character may be a username/realm delimiter.

delimiter = a single character: This must be a single character. It's usually set to "@", as "user@realm" is very common.
format = prefix/suffix: Where is the realm located in relation to the delimiter?

2.2.6.19. sql module

Applicable Sections. authorize, authenticate, accounting

Authenticates and accounts from and to a SQL server. Note that because this module involves several variables, its configuration is often split out to another file, and included into the configuration at runtime with $INCLUDE. See the etc/raddb/radiusd.conf file.

Suggested Uses. This is a great way to account usage. If you already store user information in a DB, then it's also an excellent way to authenticate users.

driver = module name

The server deals with the SQL servers in a general way, and uses drivers specific to your SQL implementation to interact with it properly. The currently available SQL modules are

rlm_sql_iodbc

rlm_sql_mysql

rlm_sql_oracle

rlm_sql_postgresql

All of the other sql variables should be driver-independent, except where noted in the variable description.

server = hostname

The hostname of the SQL server that the RADIUS daemon should connect to.

login = SQL username, password = SQL password

When connecting to the SQL server, this information is used to authenticate the RADIUS daemon to the SQL server.

radius_db = DB instance name

The database instance to which to connect.

acct_table1 = table name, acct_table2 = table name

Poorly named tables to which start and stop packets, respectively, should be logged.

authcheck_table = table name, authreply_table = table name, groupcheck_table = table name, groupreply_table = table name

usergroup_table = table name

deletestalesessions = yes/no

sqltrace = yes/no, sqltracefile = filename

Log verbosely all SQL statements, when in debug mode.

num_sql_sockets = positive decimal integer

The maximum size of the pool of sockets to keep open to the SQL server.

sql_user_name = string

A string that would be reduced to what you would like to be used as the canonical username, after it has been processed by the internal translation function. (See Appendix C.) The result is stored in the %{SQL-User-Name} variable, for use in the upcoming SQL statements. A good default is %{Stripped-User-Name:-%{User-Name}}.

authorize_check_query = SQL statement, authorize_reply_query = SQL statement

authorize_group_check_query = SQL statement, authorize_group_reply_query = SQL statement

authenticate_query = SQL statement

accounting_onoff_query = SQL statement, accounting_update_query = SQL statement

accounting_start_query = SQL statement, accounting_start_query_alt = SQL statement, accounting_stop_query = SQL statement, accounting_stop_query_alt = SQL statement

2.2.6.20. unix module

Applicable Sections. authenticate, accounting

Auths out of the system password database, usually /etc/passwd. Accounts to utmp.

Suggested Uses. If you store user information in your system password files only, then this is a good way to go about using that to auth users. (If you expect to grow past a few thousand accounts (especially more than 2**16), though, use a faster and more robust user database, like SQL or LDAP.)

cache = yes/no

Cache values until the server gets a SIGHUP. This can significantly speed up the server, at the cost of delays in noticing changes.

passwd = filename

Location of a system Unixish password file. Usually /etc/passwd, of course.

shadow = filename

Optional location of the Unix-ish shadow password file. This is often only readable by a privileged user.

If your users can't authenticate, it might be because the user as which the server is running (as specified with the top level user variable) doesn't have sufficient filesystem permission to read this file.

group = filename

Location of the group file. Usually /etc/group.

radwtmp = filename

Chapter 3. Troubleshooting

Use the -X command-line argument. Blah blah. Use gdb. Stack trace. core-dumps=yes. Blah.

Appendix A. Format of the `users` file

A request has initially an empty check list and an empty reply list attached to it. So each incoming authentication request has three attribute-value lists associated with it:

the request list (as originated from the client)

the check list (initially empty)

the reply list (initially empty)

For every entry in the users file, the Username value-pair is compared to it. If an entry in the users-file matches, or if it is a DEFAULT entry, a check pair is created (call it ``tempcheck'') by adding the check list of the current users-file entry to the check list of the request. If an attribute is already present in the check list of the request, then it will not be changed.

Then the request list is compared with the ``tempcheck'' list. If all items match (except for password-related items at this time!) then both of the following actions are taken: The reply list of the users-file entry is appended to the reply list of the request. The check list of the request is replaced by the ``tempcheck'' list.

Then a check is made to see if the reply list contains an attribute-value pair of Fall-Through = yes. If not, we stop processing the users-file. If so, we continue with the users-file's next entry.

Then after all this is done, the authentication information is filtered from the check list, the password of the user is checked, and we send an appropriate reply back to the client.

Appendix B. Username Collision Handling

Many ISPs are acquiring other ISPs in local or remote areas. This causes problems with centralizing services such as RADIUS because of the overlap in usernames between ISPs.

For example:

ISP A (with 10,000 users) acquires ISP B (with 1,000 users).
ISP A determines that 375 of ISP B's 1,000 usernames conflict with usernames already in use at ISP A (eg 'foo' is valid username on both ISPs).
ISP A, therefore, cannot merge its user files with ISP B and centralize RADIUS.

Currently, it only works when authenticating users via the following methods in FreeRADIUS:

'users' file (Auth-Types Local and Crypt-Local only)

cached password (and shadow) file users

rlm_fastusers module

rlm_unix module

That's it so far.

The reason user collision cannot be implemented (efficiently) on a non-cached /etc/passwd file is because getpwnam() will always return the first user it finds with a matching username. Thus, if you're going to use the /etc/passwd file, you MUST set cache = yes in your etc/raddb/radiusd.conf. Or, you could always just put duplicate usernames in the 'users' files, but you should probably be caching anyway if you want a speedy server.

B.1. Authentication

It currently works by using the password of the user to uniquely identify and authenticate them.

Example:

ISP A user 'foo' has password 'bar'

ISP B user 'foo' has password 'bleah'

If the user logs in with 'bar' as their password, their login will be accepted and they will get the reply attributes associated with what you've entered for the user 'foo' password 'bar' entry.

If the user logs in with 'bleah' as the password, again, they'll be authenticated, but they will get the reply attributes associated with user 'foo' password 'bleah'.

So, what happens if more than one user has the same username and the same password? It breaks! Well, ok, it doesn't really break, but those users will get the same reply attributes, causing grief for you. The code does not check for this; that is your job!

User collision authentication depends on passwords being different for users with the same username!

So the security minded among us are now agast. I'm not much for this method myself, but trust me, the corporate folks are gonna love it. And it's not inherently insecure as long as the passwords remain different.

B.2. Accounting

Ok, so now, how can we tell in the accounting logs which user 'foo' logged in? Well, again, you have a little work to do. The code identifies the user via a unique value assigned to the 'Class' reply attribute in the users file.

Example B-1. Collision in a users file

foo Auth-Type := Local, Password == "bar"
    Class = 0x0001

foo Auth-Type := Local, Password == "bleah"
    Class = 0x0002

Now, you'd add other attributes as well, but let's just start with 'Class' by itself as a reply. When a user 'foo' logs in with password 'bar', the 'Class=0x0001' reply item gets sent back to the client they dialed into. The client then adds 'Class=0x0001' to the Accounting 'Start' packet it sends for that user, thus uniquely identifying this 'foo' in the your accounting logs.

If the user 'foo' logs in with password 'bleah', you will get 'Class=0x0002' in your accounting logs.

Now, again, you should note that it is *your job* to make sure the 'Class' values are different for each user. If you don't, I can assure you the phones will ring off the hook when users get their bills.

Obviously, this method works only for users in your 'users' files.

If you are using a cached passwd file, then the "Full name" field in the passwd file you cached will be passed back to the client as the value of 'Class'. Be sure they are set differently!

Example B-2. Collision information in a passwd file

					test:x:500:500:0x1001:/dev/null:/dev/null

In this case, "0x1001" will be passed as the value for the 'Class' attribute when the Auth-Accept packet gets sent back to the client, and then you should see 'Class=0x1001' for that user in your accounting logs.

Once again, it is your job to ensure that these Class values are unique for each user.

Appendix C. String Translation

String translation is a method of embedding logical tokens in strings that the server will expand to their actual values while handling a request. One might wish to set the Detail-module's logfile variable to include the token %s, so that when a request is handled, the name of the file that the detail-entry is written to has the NAS' IP address as part of the filename. In the design of the string translation code, one will see influences from the C language and from Korn Shell scripting.

`%c`	Callback-Number
`%i`	Calling Station ID
`%f`	Framed IP address
`%M`	MTU
`%l`	request timestamp
`%m`	request month (MM)
`%n`	NAS IP address
`%p`	Port number
`%a`	Protocol (SLIP/PPP)
`%s`	Speed (PW_CONNECT_INFO)
`%u`	User name
`%U`	Stripped User name
`%C`	value of `clientname`
`%A`	value of `radacct_dir`
`%R`	value of `radius_dir`
`%L`	value of `radlog_dir`
`%D`	request date (YYYYMMDD)
`%d`	request day (DD)
`%Y`	request year (YYYY)
`%t`	request time in ctime format
`%S`	request timestamp in database format (w/ spaces)
`%T`	request timestamp in database format
`%V`	Request-Authenticator (Verified/None)
`%Z`	All request attributes except password (must have big buffer)
`${AttributeName}`	Corresponding value for AttributeName in request
`${request:AttributeName}`	Corresponding value for AttributeName in request
`${reply:AttributeName}`	Corresponding value for AttributeName in reply

Also available is limited parameter expansion, similar to Korn Shell's. The string ${Y} is the same as %Y. One may also use the ${parameter:-word} syntax to mean that if $parameter is unset, then instead substitute word (which is also subject to parameter expansion). A simple example of this is ${u:-(NoUser)}, and a complex one might be ${U:-${u:-(NoUser)}}.