As part of a broader organisational restructure, data networking research at Swinburne University of Technology has moved from the Centre for Advanced Internet Architecture (CAIA) to the Internet For Things (I4T) Research Lab.

Although CAIA no longer exists, this website reflects CAIA's activities and outputs between March 2002 and February 2017, and is being maintained as a service to the broader data networking research community.


This page is part of the LIFE project.

RADIUS Server Configuration


FreeRADIUS on a machine running FreeBSD can be used to authenticate and authorise users as well as keep track of their account information. FreeRADIUS is one of many possible RADIUS implementations and is found in the FreeBSD "/usr/ports/net/freeradius" directory for installation. The following commands in the "/usr/ports/net/freeradius" directory will install FreeRADIUS:

radiusServ#make fetch
radiusServ#make build && make install

When we installed FreeRADIUS all files in the "/usr/local/etc/raddb/users" directory ended with the .sample suffix. For our purpose, it was enough to edit some of these files and remove the .sample suffix as we only required a simple configuration.

radius.conf

The first file we edited in the "/usr/local/etc/raddb/" directory was the radius.conf file. In this file general RADIUS settings can be changed depending on the service that is to be offered. Under PROXY CONFIGURATION we changed the following:

proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf

to

proxy_requests = no
# $INCLUDE ${confdir}/proxy.conf


This was because our setup has only one RADIUS server and does not need to consult other RADIUS servers to validate a client, thus the proxy.conf file does not need to be included. This step was not required, but according to the radius.conf file it reduces a portion of resource use.

clients.conf

The "/usr/local/etc/raddb/clients.conf" file is used to specify to the RADIUS server the RADIUS client/clients whose Access-Request messages it is to accept and process. The RADIUS server and its clients validate each other's identity by the use of a secret key that is sent in messages between them. The following values were edited in our clients.conf file:


client 127.0.0.1 {
secret = mylittlesecret # the secret key used between the RADIUS server and the NAS
shortname = localhost
nastype = other # localhost is a FreeBSD machine, not a real NAS
}

client 136.186.229.238/24 { # this is the IP address of the closest and most preffered NAS
secret = mylittlesecret # the secret key shared with this NAS
shortname = bart0 # the name of the NAS
}


users

The "/usr/local/etc/raddb/users" file lists the username/password combinations the RADIUS server may authenticate. In larger environments all usernames, passwords and accounting information would be located in a separate database the RADIUS server would consult. Since we only need a limited number of users for our system, we uncommented and edited the sample user "steve" in the users file.

steveAuth-Type := Local, User-Password == "testing"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 10.0.4.2, # this is the address allocated to the user's side of the PPP tunnel
Framed-IP-Netmask = 255.255.255.0,
Framed-Routing = Broadcast-Listen,
Framed-MTU = 1500


ifconfig

The following is the ifconfig of the RADIUS server interface sis0:

sis0: flags=8843 mtu 1500
inet 136.186.229.225 netmask 0xffffff00 broadcast 136.186.229.255
inet6 fe80::20c:6eff:fed1:4d7d%sis0 prefixlen 64 scopeid 0x1
ether 00:0c:6e:d1:4d:7d
media: Ethernet autoselect (100baseTX )
status: active


rc.conf

The following is an extract of the "/etc/rc.conf" file for the RADIUS server:

defaultrouter="136.186.229.1"
hostname="radiusServ.caia.swin.edu.au"
ifconfig_sis0="inet 136.186.229.225 netmask 255.255.255.0"


As we have seen, configuring the RADIUS server was quite simple and only involved installing FreeRADIUS, renaming the .sample suffix of all FreeRADIUS files and editing a small number of variables in the radius.conf, clients.conf and users files. It is important to remember that the secret key between the RADIUS server and NAS must be specified and must be the same. Also note that although FreeRADIUS supports accounting we did not configure it for our system.

Starting FreeRADIUS

To start FreeRADIUS on the FreeBSD machine we entered the following command on the user prompt:

radiusServ#radiusd

This would start FreeRADIUS on the 1812 port. To specify the historically used RADIUS port 1645 enter the command:

radiusServ#radiusd -p 1645

For more information on RADIUS options see the FreeBSD radiusd man file.





Swinburne Homepage Site Map Search Index
 

Swinburne Copyright and disclaimer Privacy Feedback

Last Updated: Thursday 19-Feb-2004 12:01:38 AEDT
URL:
Maintained by: Ana Pavlicic apavlicic@groupwise.swin.edu.au
Authorised by: Grenville Armitage garmitage@swin.edu.au

IndexSearchSite MapSwinburne Home Page