As part of a broader organisational restructure, data networking research at Swinburne University of Technology has moved from the Centre for Advanced Internet Architecture (CAIA) to the Internet For Things (I4T) Research Lab.

Although CAIA no longer exists, this website reflects CAIA's activities and outputs between March 2002 and February 2017, and is being maintained as a service to the broader data networking research community.


This page is part of the LIFE project.

RADIUS Client Configuration on the NAS


The NAS acts as the RADIUS client, allowing authorised users to pass onto the network. In our system, when the user connects to the NAS over PPP, the NAS consults the RADIUS server to authenticate the username/password combination sent by the user. Upon successful authentication, the NAS allows the user to complete their PPP connection. A PPP tunnel is created and the user communicates with the network through the NAS.

Our NAS has two interfaces, fxp0 and fxp1. The fxp0 interface connects to the switch and is used to communicate with the RADIUS server and ITS. The fxp1 interface is directly connected to the user machine for the PPP connection. This was done in order to separate the client side of the NAS from the network side.

If the client were connected to the same switch as the NAS and RADIUS server, an unauthenticated client would share a network segment with the RADIUS server and ITS, which would create a security issue. This could be overcome by assigning VLANs: VLAN 1 would be assigned to the user machine and the fxp1 interface of the NAS, and VLAN 2 would be assigned to the RADIUS server, the fxp0 interface of the NAS and ITS. Once a client is authenticated it would be allowed access to VLAN 2. To keep the system simple it was decided that this approach would not be taken.

tun0

The first step in enabling PPP on a machine is to add the pseudo-device tun into the FreeBSD kernel. This provides the tunnel interface over which the PPP connection runs between the user machine and the NAS. It is done by adding the following line to the file "/usr/src/sys/i386/conf/GENERIC" and recompiling the kernel:

pseudo-device tun N # N is the number of tunnel devices to create; it may be left blank

ppp.conf

The following is the configuration added to our "/etc/ppp/ppp.conf" file:

ppp-in:
 set timeout 0 # never time out the connection
 set ifaddr 10.0.4.1/0 10.0.4.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
 allow users
 enable pap
 enable chap
 set radius /etc/radius.conf

This configuration specifies the private class A IP addresses that are to be allocated to both sides of the PPP tunnel. It also specifies that both the PAP and CHAP protocols can be used to authenticate the username/password of the user, and gives the location of the RADIUS configuration file.

Of PAP and CHAP, CHAP is the preferred protocol: it never sends the password itself across the link (the user answers a challenge with a hash derived from the password) and it can challenge the user again at random times to revalidate their identity. Since both PAP and CHAP are enabled and the user machine supports both protocols, the NAS chooses CHAP to authenticate the user in our system.

radius.conf

As referenced from the ppp.conf file, the "/etc/radius.conf" file gives the IP address of the RADIUS server and the secret shared between the NAS and the RADIUS server. The following line is the contents of the radius.conf file for our system:

auth 136.186.229.225 mylittlesecret
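To make concrete what the shared secret in radius.conf and the PAP/CHAP choice above actually protect, here is an added Python example (not code from the original page or the LIFE project). It implements the RFC 2865 User-Password hiding that a RADIUS client applies to a PAP password using the shared secret, and the MD5-CHAP response (RFC 1994) that the NAS relays instead when CHAP is negotiated. The user password and the fixed Request Authenticator are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values. The shared secret is the one in the page's
# radius.conf; the user password and the 16-byte Request Authenticator
# (random per Access-Request in practice, fixed here for reproducibility)
# are assumed for this example.
SHARED_SECRET = b"mylittlesecret"
USER_PASSWORD = b"ppp-user-pw"
REQUEST_AUTHENTICATOR = bytes(range(16))


def hide_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password for the RADIUS User-Password attribute (RFC 2865 5.2).
    The password is NUL-padded to a multiple of 16 bytes and each block is XORed
    with MD5(secret + previous block), the chain seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden


def recover_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_pap_password, as the RADIUS server performs it. Anyone who
    captured the request and knows the shared secret can do the same, which is
    why the secret in radius.conf must be protected and PAP is the weaker choice."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain, prev = plain + bytes(c ^ k for c, k in zip(block, key)), block
    return plain.rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """MD5-CHAP (RFC 1994): the peer answers MD5(id || password || challenge).
    The password itself never crosses the link; the NAS forwards the 16-byte
    response in CHAP-Password (id + hash) together with CHAP-Challenge."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def verify_chap(chap_id: int, password: bytes, challenge: bytes, response: bytes) -> bool:
    """Server-side check of a CHAP response against the stored password."""
    return hmac.compare_digest(chap_response(chap_id, password, challenge), response)
```

Note that a fresh challenge yields a different CHAP response each time, so a captured response cannot simply be replayed, whereas a captured PAP Access-Request reveals the password to anyone holding the shared secret.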

services

When the NAS receives a connection on the ppp-in port, it serves it using the "ppp-in:" block of the ppp.conf file. The port name is defined by adding the following entry to the "/etc/services" file:

ppp-in 6669/tcp # incoming PPP connections over TCP

ifconfig

The following is the ifconfig of the NAS interfaces fxp0 and fxp1:

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 136.186.229.238 netmask 0xffffff00 broadcast 136.186.229.255
        inet6 fe80::203:47ff:fe74:7417%fxp0 prefixlen 64 scopeid 0x1
        ether 00:03:47:74:74:17
        media: Ethernet autoselect (100baseTX )
        status: active
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.10.3 netmask 0xffffff00 broadcast 192.168.10.255
        inet6 fe80::202:b3ff:fe0a:af7e%fxp1 prefixlen 64 scopeid 0x2
        ether 00:02:b3:0a:af:7e
        media: Ethernet autoselect (100baseTX )
        status: active


rc.conf

The following is an extract of the "/etc/rc.conf" file for the NAS:

defaultrouter="136.186.229.1"
hostname="bart0.caia.swin.edu.au"
ifconfig_fxp0="inet 136.186.229.238 netmask 255.255.255.0"
ifconfig_fxp1="inet 192.168.10.3 netmask 255.255.255.0"






Last Updated: Thursday 19-Feb-2004 12:01:37 AEDT
Maintained by: Ana Pavlicic apavlicic@groupwise.swin.edu.au
Authorised by: Grenville Armitage garmitage@swin.edu.au
