

Client Package

Besides the radius server and accompanying utilities, GNU Radius provides a set of utilities to be used as radius clients.

The following sections describe the parts of the radius client package in detail.

Client Configuration

All programs from the client package share the same configuration file: `raddb/client.conf'. The file uses a simple line-oriented syntax. Empty lines are ignored, and `#' introduces an end-of-line comment.

The source IP address is set with the source_ip statement. Its syntax is:

    source_ip ip-addr

where ip-addr must be an IP address in "dotted-quad" notation.

The radius server to send requests to is specified with the server statement:

    server name ip-addr secret auth-port acct-port

Its parts are:

name
The server name. It is reserved for further use.
ip-addr
The server IP address.
secret
The shared secret to be used when sending requests to this server.
auth-port
Authentication port number.
acct-port
Accounting port number.

If several server statements are present, they are tried in turn until one of them replies to the request.

The amount of time a client program waits for a reply from a server is configured with the timeout statement:

    timeout number

If the program does not receive any response within number seconds, it assumes the server is not responding and either retries the transmission or tries the next available server. The number of retries is set with the retry statement:

    retry number

An example of `raddb/client.conf' follows:

    server first 10.11.10.1 secret 1645 1646
    server second 10.11.10.1 secret 1645 1646
    source_ip 127.0.0.1
    timeout 3
    retry 5
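A linter for the statement syntax described above, as an added example that is not part of GNU Radius. It assumes `#' starts a comment anywhere on a line and that server addresses use the same dotted-quad notation as source_ip; the 16-character secret minimum is a local policy choice, and SAMPLE is constructed from the page's example plus a misspelled keyword.

```python
KEYWORDS = ("source_ip", "server", "timeout", "retry")
MIN_SECRET_LEN = 16  # assumption: local policy floor, not a GNU Radius limit

def is_dotted_quad(s):
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdecimal() and int(p) <= 255 for p in parts)

def lint_client_conf(text):
    """Return a list of (line number, message) findings."""
    findings, endpoints = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # '#' starts an end-of-line comment
        if not fields:
            continue  # empty and comment-only lines are ignored
        word, args = fields[0], fields[1:]
        if word not in KEYWORDS:
            findings.append((n, f"unknown statement {word!r}"))
        elif word == "source_ip":
            if len(args) != 1 or not is_dotted_quad(args[0]):
                findings.append((n, "source_ip takes one dotted-quad address"))
        elif word in ("timeout", "retry"):
            if len(args) != 1 or not args[0].isdecimal():
                findings.append((n, f"{word} takes one number"))
        elif len(args) != 5:
            findings.append((n, "server takes name ip-addr secret auth-port acct-port"))
        else:
            _name, ip, secret, auth, acct = args
            if not is_dotted_quad(ip):  # assumed: same notation as source_ip
                findings.append((n, "server ip-addr is not a dotted quad"))
            if not all(p.isdecimal() and 0 < int(p) < 65536 for p in (auth, acct)):
                findings.append((n, "port is not in 1..65535"))
            if len(secret) < MIN_SECRET_LEN:
                findings.append((n, "shared secret shorter than policy minimum"))
            # Two entries for one address and port pair give no real failover.
            first = endpoints.setdefault((ip, auth, acct), n)
            if first != n:
                findings.append((n, f"same endpoint as line {first}: no failover"))
    return findings

# Constructed sample: the page's example plus a misspelled keyword.
SAMPLE = """\
server first 10.11.10.1 secret 1645 1646
server second 10.11.10.1 secret 1645 1646   # same host as 'first'
source_ip 127.0.0.1
timepout 3
retry 5
"""

if __name__ == "__main__":
    print(*lint_client_conf(SAMPLE), sep="\n")
```

On the sample it reports the placeholder secret on both server lines, the second server entry that points at the same address and ports as the first, and the unknown `timepout' statement.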

radsession

radsession is a Guile script that sends authentication and accounting requests to the radius server. To invoke the script, run

    radsession options action

Possible actions are:

--auth
Send authentication request.
--start
Send accounting start request.
--stop
Send accounting stop request.

Options determine the contents of the request's pairlist. They are:

-l STRING
--login STRING
Set login name.
-p STRING
--passwd STRING
Set password.
-n IP
--nas IP
Set the value of NAS-IP-Address attribute.
-s STRING
--sid STRING
Set the session id (Acct-Session-Id attribute).
-P NUMBER
--port NUMBER
Set the port number (NAS-Port-Id attribute).
-h
--help
Print short usage message and exit.
-v
--verbose
Verbosely list the contents of the received reply.

nas.scm

nas.scm is a Guile program that allows you to convert a GNU/Linux box into a NAS. It requires Guile version 1.4 or better and ppp version 2.3.7 or better.

To use it, you will basically need to do the following:

  1. Create links:
        ln -s libexec/nas.scm /etc/ppp/ip-up
        ln -s libexec/nas.scm /etc/ppp/ip-down
    
    Here, libexec denotes the location of your libexec directory, where nas.scm is installed. If not overridden at configure time, it defaults to `prefix/libexec'. These links ensure that ppp invokes nas.scm when the user's session starts and ends, giving it the opportunity to send accounting requests.
  2. Configure the file `raddb/client.conf'.
  3. Edit the file `raddb/nas.rc'. The supplied `nas.rc' template is tailored to work in most environments. The only variables you may need to change are nas-log-facility, which specifies the syslog facility to be used for logging, and pppd-args, which holds the arguments to be given to ppp.
  4. Configure your `/etc/inittab' and getty. For example, if you use mgetty, then the `inittab' entries for dial-up lines will look like:
        d0:345:respawn:/sbin/mgetty ttyS0 vt100
        d1:345:respawn:/sbin/mgetty ttyS1 vt100
        ...
    
    The mgetty `login.config' file will then contain the following line:
        *       -       -       /usr/local/libexec/nas.scm 
    
    If you use agetty, then the `inittab' will contain (with the long lines split for readability):
        d0:345:respawn:/sbin/agetty -mt60 \
           -l /usr/local/libexec/nas.scm 38400,19200,9600 \
           ttyS0 vt100
        d1:345:respawn:/sbin/agetty -mt60 \
           -l /usr/local/libexec/nas.scm 38400,19200,9600 \
           ttyS1 vt100
        ...
    

pam_radius.so

pam_radius.so is a PAM module for radius authentication. The module understands the following command line options:

audit
Enable audit information.
debug[=level]
Enable debugging information. The higher the level, the more debugging information is output. When omitted, level defaults to 100. Note that debugging levels equal to or greater than 10 compromise users' passwords, and that the default of 100 falls in that range, so use them sparingly.
use_authtok
Use the authentication token passed from the previous module in the stack.
confdir=path
Look for configuration files in path. Default is `$sysconfdir/etc/raddb'.
service_type=type
Add Service-Type=type to the authentication request. type must be a valid value, described in the dictionary file.

The pam_radius.so module logs its messages under the LOG_AUTH syslog facility.
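A check for PAM stack lines that run pam_radius.so at a debug level the text above says compromises passwords, as an added example that is not part of GNU Radius. The PAM lines in SAMPLE are constructed; taking the highest level when debug is given more than once, and treating a non-numeric level as the default, are conservative assumptions rather than documented module behaviour.

```python
PASSWORD_RISK_LEVEL = 10   # from the page: levels >= 10 compromise passwords
DEFAULT_DEBUG_LEVEL = 100  # from the page: level used when "debug" has no value

def debug_level(options):
    """Effective debug level for a list of module options (None = not enabled)."""
    levels = []
    for opt in options:
        name, sep, value = opt.partition("=")
        if name == "debug":
            # Assumption: a bare or unparseable value counts as the default level.
            numeric = sep and value.isdecimal()
            levels.append(int(value) if numeric else DEFAULT_DEBUG_LEVEL)
    return max(levels, default=None)  # assumption: the highest level wins

def audit_pam_lines(text):
    """Return (line number, level) for pam_radius.so lines at a risky level."""
    risky = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop PAM comments
        for i, field in enumerate(fields):
            if field.rsplit("/", 1)[-1] == "pam_radius.so":
                level = debug_level(fields[i + 1:])
                if level is not None and level >= PASSWORD_RISK_LEVEL:
                    risky.append((n, level))
                break
    return risky

# Constructed sample of PAM stack lines (module paths are assumptions).
SAMPLE = """\
auth  required    pam_radius.so debug use_authtok
auth  sufficient  /lib/security/pam_radius.so debug=5 confdir=/etc/raddb
auth  required    pam_radius.so debug=10
# auth required   pam_radius.so debug=50
auth  optional    pam_radius.so audit
"""

if __name__ == "__main__":
    for lineno, level in audit_pam_lines(SAMPLE):
        print(f"line {lineno}: pam_radius.so debug level {level} exposes passwords")
```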

