Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Hi,
I want to know how to configure two systems as a RADIUS server and a RADIUS client. I have downloaded FreeRADIUS on one system. What else has to be downloaded on these two systems, and what is the procedure to test the setup?
Thank you.
It is not clear to me what exactly you are trying to do... The configuration of your system depends on what you need to do. Where, for example, do you hold your user information? A database? What database? A flat file? In another RADIUS server? Are you going to implement accounting?
Generally speaking, the RADIUS client and server share a secret with which they encrypt/decrypt the RADIUS packets. Obviously you need to configure the client and server with the same secret. Then you need to go through:
1. The client sends an authorization request packet.
2. The server sends back an authorization reply.
3. If the reply is "Allow", then accounting-start and accounting-stop packets follow.
You will need a RADIUS client (if I remember correctly, FreeRADIUS includes the source for one) to construct packets with the right attributes, send them to the server and then inspect the reply.
Your question is very general, and so is my answer...
1. tar -zxvf freeradius-1.1.6.tar.gz (extracted it)
2. ./configure
3. make
4. make install (run this command as root)
5. radiusd (start the RADIUS server), or radiusd -X (start the RADIUS server in debug mode)
While executing the command I get the following error:
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
radiusd.conf: "PAP" modules aren't allowed in 'authorize' sections -- they have no such method.
radiusd.conf[1788] Failed to parse authorize section.
And so when I do a radtest,
radtest test test localhost 0 testing123
I get the following output:
Sending Access-Request of id 212 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Re-sending Access-Request of id 212 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Re-sending Access-Request of id 212 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Re-sending Access-Request of id 212 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Re-sending Access-Request of id 212 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Re-sending Access-Request of id 212 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Re-sending Access-Request of id 212 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Re-sending Access-Request of id 212 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Re-sending Access-Request of id 212 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Re-sending Access-Request of id 212 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
radclient: no response from server for ID 212
Just compiling a RADIUS server and doing no configuration will never get you any results. You need to configure it carefully if you want a working system.
Look inside all the files that are mentioned in the logs, and pay extra attention especially to:
At the moment you are at a stage where your RADIUS server does not accept RADIUS requests from your local machine, and there are two reasons for this:
1. Your machine is not inside the (trusted) clients file (/usr/local/etc/raddb/clients.conf).
2. Even if it is, the secret (testing123) is not common.
You need to understand what a RADIUS server does (find a tutorial; the RFC might be too complicated for the beginning) and how it does it. RADIUS can be very complicated, and don't expect to become an expert if you don't spend a lot of time with it!
Try to break the problem into smaller ones. At the stage you are at now, I would suggest the following:
1. Print out any docs that FreeRADIUS provides (why not buy the "Freeradius" book from O'Reilly? It is very, very good and will help you a lot).
2. Try to understand the structure of the clients file and set the secret to something appropriate.
3. When you use radtest, the RADIUS server must reply with something (most probably with an auth-reject packet; radtest will show it to you with its attributes). At the moment RADIUS is silently dropping your requests (hint: look at the logs to see exactly why; they might mention the config files you need to change).
When you get to the stage where you get replies back, you will need to configure where the RADIUS server will authenticate users from: a MySQL database, a flat file, PostgreSQL... There are loads of choices with FreeRADIUS and you can even write your own authentication modules!
That is all for now...
Ah! And one more thing! Check for any network anomalies between your RADIUS server and client... In other words, if you are running a firewall on your localhost that blocks the RADIUS ports, don't expect to receive an answer... The standard RADIUS ports are 1812 for authorization and 1813 for accounting, and I guess FreeRADIUS is using them, but it might have as default the older standard ports, which are 1645 for auth and 1646 for accounting. And that is UDP.
Hi,
First of all, thank you for the explanation...
And as the error says:
radiusd.conf: "PAP" modules aren't allowed in 'authorize' sections -- they have no such method.
radiusd.conf[1788] Failed to parse authorize section
In radiusd.conf, under the pap section, I added the following line:
auth-type = pap;
and now it's working fine.
I am even able to send packets from another system (on a LAN) by editing the clients.conf and users files.
Do you have any idea how to implement RADIUS on a switch?
What exactly do you want to do with RADIUS on a switch? Proxy the RADIUS packets? As far as I know there are some switches that implement RADIUS, but you need to make sure that it is exactly what you want, i.e. the authentication type, the password type, the ability to proxy or not, etc. that are supported by the RADIUS on the switch should match your needs exactly.
There are many implementations out there and not all of them follow the already not-so-strict RFC.
I am not sure how I can help you further with RADIUS on a switch, but if you send me more details I might be able to give a hand. I have worked with many RADIUS implementations on Linux and Unix, but my experience with switches is a bit limited. But anything out there that has to do with RADIUS, I am interested to hear about it! ;-)
Yes, you can do PPPoE on a switch; just make sure your switch knows RADIUS.
Unplug your client cable first while the RADIUS server and switch are up and running, then plug the cable in again. In MS Windows you'll get a prompt for authentication.
Hi, first I am trying to analyse the source code of FreeRADIUS 1.1.6.
Can you help me in any way? Can you send me any books that explain the code flow?
My mail id is av_mahalakshmi@yahoo.co.in
I don't know if it has a walk-through of the code of FreeRADIUS, but it is quite detailed about this implementation and it explains many things about the RADIUS protocol. I don't see why you might want to understand the flow of the code, unless you want to develop on it. And if you want to do so, well... I think the best thing to do is first to understand the RADIUS protocol itself and then (provided you know C quite well) start experimenting yourself. Developing RADIUS is a long way, but very interesting!
Hi
I'm trying to use FreeRADIUS on my "Fedora Core 6". Actually I'm reading Ch. 5 of the RADIUS book and trying to configure my files such as clients.conf, but I'm not quite sure what exactly to modify in this file. I have done this:
tar -zxvf freeradius-1.1.5.tar.gz (extracted it)
./configure
make
make install
radiusd (start the RADIUS server)
Please, can you help me with that and with how to test my RADIUS inside my server (with 2 command-line terminals)?
The idea of what I want to do is: using RADIUS for a HotSpot to authenticate the users.
Thanks.
P.S. I'm an engineering student.
Hi,
First, read the book again and again until you get the point.
In the meantime, for short:
- create a RADIUS client profile (user profile)
- point the RADIUS client (your AP) to use RADIUS server authentication
- try...
Hi Sir,
I really need help to set up Linux as a RADIUS server and also to replicate the user IDs and passwords to another Linux server if one goes down. I got to know that Fedora has FDS, right? I'm not sure how this works.
Currently we have 1 Win2k server (RADIUS server) without Active Directory, since it is expensive having (CALs) a RADIUS server to serve more than 1000 users. The clients (outsiders) usually dial using the Cisco VPN dialer to get connected to our company Win2k RADIUS server to do their work.
Problem:
Since we don't have Active Directory, which costs a lot, we are unable to replicate user IDs to a backup server or do fail-safe.
We planned to do this using Linux to act as a RADIUS server and also replicate the accounts and IDs to another server. We want it to work exactly as AD if possible. When 1 server goes down, another could handle the authentication of users.
Please tell me how to do this, since I'm really new to Linux. Please do tell me the steps and what I need to do. I really appreciate anyone