File: radius.info, Node: Top, Next: Distrib, Up: (dir) The GNU Radius ************** Radius is a suite of programs for performing user authentication and accounting using RADIUS protocol. This Info file documents the version 0.96 of the package. * Menu: * Distrib:: How to get the radius distribution. * Copying:: The GNU General Public License gives you permission to redistribute the program on certain terms. * Intro:: An introduction to radius concepts. * Glossary:: The glossary. The radius daemon * Naming Conventions:: Conventions about naming files and directories. * Operation:: How radius operates. * Invocation:: How to start the daemon. * Configuration Files:: Radius configuration files. * Authentication:: How the users are authenticated. * Accounting:: Accounting methods. * Logging:: What gets logged and where. * Debugging:: An extensive logging information. * Extensions:: Extending radiusd. * Utility Programs:: * Client Package:: Radius Attributes * Attribute List:: Some frequently used attributes. Reporting Bugs and getting information * Bugs:: How to report a bug. * Info:: Where to get info about GNU radius. Indices * Program Index:: Index of programs. * Keyword Index:: Index of keywords. * Example Index:: Index of examples. * Variable Index:: Index of variables. * Attribute Index:: Index of RADIUS attributes. * Concept Index:: Index of concepts. File: radius.info, Node: Distrib, Next: Copying, Prev: Top, Up: Top Distribution ************ GNU Radius is "free software"; this means that everyone is free to use it and free to redistribute it on certain conditions. GNU Radius is not in the public domain; it is copyrighted and there are restrictions on its distribution, but these restrictions are designed to permit everything that a good cooperating citizen would want to do. What is not allowed is to try to prevent others from further sharing any version of GNU Radius that they might get from you. The precise conditions are found in the GNU General Public License that comes with Radius and also appears following this section. One way to get a copy of GNU Radius is from someone else who has it. You need not ask for our permission to do so, or tell any one else; just copy it. If you have access to the Internet, you can get the latest distribution version of GNU Radius by anonymous FTP. It is available at File: radius.info, Node: Copying, Next: Intro, Prev: Distrib, Up: Top GNU GENERAL PUBLIC LICENSE ************************** Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble ======== The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a. You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b. You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c. If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a. Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b. Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c. Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs ============================================= If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. ONE LINE TO GIVE THE PROGRAM'S NAME AND AN IDEA OF WHAT IT DOES. Copyright (C) 19YY NAME OF AUTHOR This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) 19YY NAME OF AUTHOR Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. SIGNATURE OF TY COON, 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License. File: radius.info, Node: Intro, Next: Glossary, Prev: Copying, Up: Top Introduction to Radius ********************** Radius is a system serving for authentication and accounting. The acronym RADIUS stands for Remote Authentication in Dial-In User Service and usually denotes the underlying protocol name. Historically, radius servers were used as a means to authenticate the user coming from a dial-in connection, but GNU Radius is much more than an authentication system: it is an advanced, customizable and extensible system for controlling access to the network. GNU Radius has several built-in authentication and accounting methods. When these methods are not enough, it allows administrator to implement any new method he deems convenient. GNU Radius includes radius server program capable of serving authentication and accounting requests, and a set of accompanying programs designed to monitor the activity of the server and analyze the information it provides. File: radius.info, Node: Glossary, Next: Naming Conventions, Prev: Intro, Up: Top Radius Glossary *************** Throughout this document the following terms are used: RADIUS (All capitals) The Remote Authentication in Dial-In User Service protocol as described in RFC 2138, 2865 and 2866. NAS NAS stands for Network Access Server. It is a computer or a special device designed to provide access to the network. For example, it can be a computer connected to the network and equipped with several modems. Such NAS would allow the user connecting to one of its modems to access the network. Service A service, such as PPP, SLIP, telnet, etc., provided to a user by the NAS. Session Every single instance of a service. Session starts when the service was first provided and ends when the service is ended. A user may have multiple sessions active simultaneously if he is allowed to. Session ID Session Identifier. A string of characters uniquely identifying the session. A/V pair Stands for Attribute-Value pair *Note Attributes::. Dial-In or Dial-Up user A user connecting to a service through the modem line. User Database A database in which Radius server keeps information about users, their authentication information, etc. User's Profile A record in the User Database describing a particular user. User's Profile keeps the authentication and authorization information for that user, i.e. it contains data describing how this user should be authenticated as well as which services he is allowed to be provided and parameters of these services. File: radius.info, Node: Naming Conventions, Next: Operation, Prev: Glossary, Up: Top Naming Conventions ****************** This chapter describes file naming conventions used throughout this document. Programs from the GNU Radius package use the following directories to store various configuration and log files: "Configuration or database directory" A directory where all configuration files are stored. "Log directory" A directory where `radiusd' stores its log files. "Accounting directory" A directory where `radiusd' stores accounting detail files *Note Detailed Request Accounting::. The default locations of these directories are determined at compile time. By default these are: Directory Short Name Default location Configuration directory raddb /usr/local/etc/raddb Log directory radlog /var/log Accounting directory radacct /var/log/radacct These location may differ depending on your local site configuration. Throughout this document we will refer to these directories by their short names, e.g. saying ... this information is contained in file `raddb/sqlserver' we actually mean `/usr/local/etc/raddb/sqlserver'. If necessary, locations of these directories can be overridden by specifying appropriate command line options to a program. For example, any program from the GNU Radius package accepts command line option `-d' or `--directory', which introduces the configuration directory path. File: radius.info, Node: Operation, Next: Invocation, Prev: Naming Conventions, Up: Top How Radius Operates ******************* The main purpose of Radius is to centralize authentication of users coming from various network stations. Its primary usage is for dial-in users, though it can be used for any kind of network connection. Radius uses the Client/Server model. The main server keeps the centralized user database. Each user's profile in this database determines which services are allowed for this particular user. The Network Access Server (NAS in short) is a machine that actually provides a service for the user. It can do so, e.g. by running a pool of modems the users can connect to. Otherwise, it can be a machine connected to the network and allowing some form of remote access, like telnet or ssh. It can even be a workstation allowing console logins to it. Whichever service it provides the NAS sends the request to the central Radius server in order to determine whether the user trying to access the service is allowed to do so. Such request carries information about user's login name, password, NAS identifier (such as its IP address), etc. On receiving such request Radius server retrieves from its database a profile corresponding to the user's login name. The profile basically consists of two parts: a checklist used for authentication and a reply list used for authorization. The server checks the authenticity of the user using first part of the retrieved profile. If this check succeeds, it uses second part of the profile to authorize the user, i.e. to determine which service he should be provided. Then, the server responds with the parameters of the service, such as connection speed, framed IP address, etc. If any of the described checks had failed, the server sends the negative response. If the server needs some additional information in order to process the request, it asks the NAS to supply such information. Thus, for example, if the user is allowed to use several services, he can be asked which one of them he wishes to use, etc. When NAS receives the positive authentication response, it initiates the connection. The NAS can be configured to notify Radius server about such events as session start, session stop or changing some parameters during the session. It can also notify the server about other events, such as NAS shutdown or startup. This is called "accounting" and the radius server responsible for processing this information is called an "accounting server". * Menu: * Attributes:: Attributes. * Requests:: Radius requests. * Matching Rule:: Rules for request processing. * Request processing:: How Radius processes incoming requests. File: radius.info, Node: Attributes, Next: Requests, Up: Operation Attributes ========== The information the Radius requests carry is stored as a list of "Attribute-Value pairs". Each pair consists of "Attribute number" and "Attribute value". The "Attribute number" identifies the type of information the pair carries and the "Attribute Value" keeps the actual data. The Value part of an attribute can contain the data of one of the following types: Integer A 32-bit unsigned integer value. IP-number An IPv4 IP-number. String A character string up to 253 characters long. For convenience, the attributes and the values of some frequently used integer attributes are given symbolic names. These names are assigned to attributes and values in the dictionary file *Note dictionary file::. The attribute numbers range from 1 to 255. The attributes with the numbers greater than 255 are used internally by the sever and cannot be sent to the NAS. The special attribute 26, "Vendor-Specific", is available to allow vendors of the NAS hardware or software to support their own extended attributes. *Note Vendor-Specific attribute: Vendor-Specific. Each attribute has a set of properties associated with it. The properties are: "usage flags" These flags determine usage of the attribute in configuration files `huntgroups', `hints' and `users'. "propagation" When a radius server functions in proxy mode, it uses the "propagation" bit to determine which attributes from the reply packet should be passed back to the requesting NAS (*note Proxy Service::). "additivity" Some configuration rules may cause addition of new A/V pairs to the incoming request. Before addition of a new pair, `radiusd' scans the request to see if it already contains a pair with the same attribute. If it does, the value of "additivity" determines the further actions: None The old pair is retained in the request, the new pair is not added to it. Replace The old pair is retained in the request, but its value is replaced with that of the new pair. Append The new pair is appended to the end of the pair list. The attributes are declared in `raddb/dictionary' file. For a detailed description of it, *Note ATTRIBUTE::. For information about particular attributes, *Note Attribute List::. File: radius.info, Node: Requests, Next: Matching Rule, Prev: Attributes, Up: Operation Radius Requests =============== The term "request" means both the authentication/accounting request from NAS to a Radius server and the response that the server sends back to the NAS. Each request contains the following fields `Code' The code field identifies the type of the request. `Identifier' The number in the range 0-255 used to match the request with the reply. `Length' The length of the request packet. `Authenticator' The 16-byte hash value used to authenticate the packet. `Attributes' The list of attribute/value pairs carrying actual information about the request. * Menu: * Authentication Requests:: * Accounting Requests:: File: radius.info, Node: Authentication Requests, Next: Accounting Requests, Up: Requests Authentication Requests ----------------------- A NAS sends authentication requests (packets with code Access-Request) to a RADIUS server when a user is trying to connect to that NAS. Such requests convey information used to determine whether a user is allowed access to the NAS, and any special services requested for that user. An Access-Request must contain a `User-Name' attribute *Note User-Name::. It should contain either a `NAS-IP-Address' attribute or `NAS-Identifier' attribute, or both of them. It also must contain either a `Password' attribute or `CHAP-Password' attribute. These attributes are passed encoded using a method based on the RSA Message Digest Algorithm MD5. The Access-Request should contain a `NAS-Port' or `NAS-Port-Type' attribute or both unless the type of access being requested does not involve a port or the NAS does not distinguish among its ports. Upon receiving Access-Request packet for a particular user and authenticating that user, Radius server replies to the NAS that has sent the packet with either of the following packets: * Access-Accept * Access-Reject * Access-Challenge Radius replies with Access-Accept packet when it has successfully authenticated the user. Such reply packet provides specific configuration information necessary to begin delivery of service to the user. Radius replies with Access-Reject packet when it was unable to authenticate the user. Such packet may contain a descriptive text encapsulated in one or more `Reply-Message' attributes. The NAS may display this text along with its response to the user. Radius replies with Access-Challenge packet when it desires to obtain more information from the user in order to determine its authenticity or to determine the kind of service to be provided to the user. An Access-Challenge packet may include one or more `Reply-Message' attributes, and may also include a single `State' attribute, or none. No other Attributes are permitted in an Access-Challenge. On receipt of an Access-Challenge, the Identifier field is matched with a pending Access-Request. Additionally, the Response Authenticator field must contain the correct response for the pending Access-Request. Radius discards invalid packets and issues appropriate log message. If the NAS does not support challenge/response, it treats an Access-Challenge as though it had received an Access-Reject instead. Otherwise, upon receipt of a valid Access-Challenge the NAS prompts the user for a response, possibly displaying the text message provided in `Reply-Message' attributes of the request. It then sends its original Access-Request with a new request ID and Request Authenticator, with the `Password' attribute replaced by the encrypted user's response, and including the `State' attribute from the Access-Challenge, if any. File: radius.info, Node: Accounting Requests, Prev: Authentication Requests, Up: Requests Accounting Requests ------------------- Accounting-Request packets are sent from a NAS to a Radius server to allow for accounting of a service provided to a user. Upon receipt of an Accounting-Request, the server attempts to record the accounting packet *Note Accounting::, and if it succeeds in doing so it replies with an Accounting-Response packet. Otherwise it sends no reply, which then causes the NAS to retransmit its request within a preconfigured interval of time. Such retransmits will continue until either the server responds with an Accounting-Response packet or a preconfigured number of retransmits is reached, whichever occurs first. Any attribute valid in an Access-Request or Access-Accept packet is also valid in an Accounting-Request packet, except the following attributes, which are never present in an Accounting-Request packet: * User-Password * CHAP-Password * Reply-Message * State Either `NAS-IP-Address' or `NAS-Identifier' must be present in an Accounting-Request. It should contain a `NAS-Port' or `NAS-Port-Type' attribute or both unless the service does not involve a port or the NAS does not distinguish among its ports. If the Accounting-Request packet includes a Framed-IP-Address, that attribute _must_ contain the actual IP address of the user. There are five types of accounting packets, which differ by the value of `Acct-Status-Type' attribute. These are: "Session Start Packet." The session start packet is sent after the user has successfully passed the authentication and has started to receive the requested service. It must contain at least following attributes: * Acct-Status-Type = Start * User-Name * Acct-Session-Id * NAS-IP-Address * NAS-Port-Id "Session Stop Packet." The Session Stop Packet is sent after the user has disconnected. It conveys the information about the duration of the session, number of octets transferred, etc. It must contain at least the following attributes: * Acct-Status-Type = Stop * User-Name * NAS-IP-Address * Acct-Session-Id The last three of them are used to find the corresponding "Session Start Packet". "Keepalive Packet" The keepalive packet is sent by the NAS when it obtains some new information about the user's session, e.g. it has determined its IP address or has changed the connection speed, etc. The packet must contain at least following attributes: * Acct-Status-Type = Alive * User-Name * NAS-IP-Address * Acct-Session-Id "Accounting Off Packet" By sending this packet NAS requests that radius mark all sessions registered from this NAS as finished. Receiving this packet usually means that the NAS is to be shut down, or is about to change its configuration in a way that requires all currently opened sessions to be shut down. The packet must contain at least the following attributes: * Acct-Status-Type = Accounting-Off * NAS-IP-Address "Accounting On Packet" By sending this packet, the NAS informs radius that it is ready to accept the incoming connections. Usually this packet is sent after startup, or after a major reconfiguration of the NAS. It must contain at least the following attributes: * Acct-Status-Type = Accounting-Off * NAS-IP-Address File: radius.info, Node: Matching Rule, Next: Request processing, Prev: Requests, Up: Operation Matching Rule ============= A record in the radius database describing a particular rule for matching an incoming request is called a "Matching Rule". Each such rule defines an action to be taken when the match occurs. The "Matching Rule" consists of three distinct parts: "Label" This is used to identify the rule. The special usernames `DEFAULT' and `BEGIN' are reserved. These will be described in detail below. "Left-Hand Side (LHS)" The list of attribute-value pairs used for matching the profile against an incoming request. "Right-Hand Side (RHS)" The list of attribute-value pairs that define the action to be taken if the request matches LHS. The following radius configuration files keep data in a "Matching Rule" format: `hints', `huntgroups' and `users'. Although they keep data in similar format, the rules that are used to match incoming requests against contents of these files differ from file to file. The following section describes these rules in detail. File: radius.info, Node: Request processing, Prev: Matching Rule, Up: Operation Processing Requests =================== Upon receiving a request Radius applies to it a number of checks to determine whether the request comes from an authorized source. If these checks succeed, the request is processed and answered. Otherwise, the request is dropped and corresponding error message is issued (*note Logging::). The following checks are performed: Check if the username is supplied If the packet lacks `User-Name' attribute it is not processed Check if the NAS is allowed to speak The source IP address of the machine that sent the packet is looked up in the `clients' file (*note clients file::). If no match is found, the request is rejected. Compute the encryption key Using the data from the packet and the shared key value from the `clients' file, Radius computes the MD5 encryption key that will be used to decrypt the value of the `Password' attribute. Process user-name hints. "User-name hints" are special rules that modify the request depending on user name and his credentials. These rules allow to divide users into distinct groups, each group having its own authentication and/or accounting methods. The user-name hints are stored in `raddb/hints' (*note hints file::). Process huntgroup rules. "Huntgroup rules" allow to segregate incoming requests depending on the NAS and/or port number they came from. These rules are stored in `raddb/huntgroups' (*note huntgroups file::). Determine whether the request must be proxied to another radius server The requests pertaining to another realm are immediately forwarded to the remote radius server for further processing. *Note Proxying::, for the description of this process. Process individual user profiles. This step applies only to authentication requests. * Menu: * Proxying:: * Hints:: * Huntgroups:: * User Profiles:: File: radius.info, Node: Proxying, Next: Hints, Up: Request processing Proxying -------- "Proxying" is a mode of operation when a radius server forwards an incoming requests from a NAS to another radius server, waits for the latter to reply, and forwards the reply back to the requesting NAS. A common use for such operation mode is to provide "roaming" between several Internet Service Providers (ISPs). Roaming permits the ISPs to share their resources, allowing each other's users to connect to other party's equipment. Thus, users traveling outside the area of one ISP's coverage are still able to access their services through another ISP. * Menu: * Proxy Service:: * Realms:: File: radius.info, Node: Proxy Service, Next: Realms, Up: Proxying Proxy Service ............. Suppose the ISP `Local' has a roaming arrangement with the ISP `Remote'. When the user of `Remote' dials in to the NAS of `Local', the NAS sends the authentication request to `Local' radius server. The server then determines that this is a roaming user, stores a copy of the request in its internal queue, and forwards the request to `Remote' radius server for processing. Thus, `Local' radius acts as a client for `Remote' radius. When `Remote' radius responds, the `Local' receives the response, and passes it back to the NAS. The copy of the request from the server's queue serves to determine which NAS originated the request. Before passing the request back to the NAS, radius removes from it the information, specific for `Remote' site, such as `Framed-IP-Address', `Framed-Netmask', etc. Only the attributes marked with `propagate' flag (*note Attributes::) are passed back to the NAS. After removing site-specific attributes, `Local' radius passes the request through its user profiles (*note User Profiles::) to insert any local site-specific information that might be needed. Finally, it passes the reply back to the NAS. The accounting requests are processed in the similar manner, except that no attribute filtering takes place, as the accounting responces do not carry any A/V pairs. This example illustrates the simplest "proxy chain", consisting of only two servers. The proxy chains may consist of several servers. In our example, the `Remote' radius server may also act as a proxy and forward the request to still another radius server, etc. _Note_, that when the accounting request passes through a chain of forwarding servers, the accounting records are stored on all servers in the chain. File: radius.info, Node: Realms, Prev: Proxy Service, Up: Proxying Realms ...... Radius server determines which server a request must be forwarded to by request's "authentication realm". There are three kinds of realms: 1. A "Named Realm" is the part of a user name following the `at sign' (`@'). For example, if the user name is `jsmith@this.net', then `this.net' is the realm. The named realms can be cascaded, e.g. a request with user name `jsmith@this.net@remote.net' will first be forwarded to the radius server of realm `remote.net', which in turn will forward it to `this.net'. 2. A "Default Realm" defines the server to which the requests for realms, not mentioned explicitly in the configuration, are forwarded. 3. An "Empty Realm" defines the server to which the requests _without_ explicit named realm are forwarded. If the configuration does not define the empty realm, such requests are processed by the server itself. GNU Radius keeps the information about the realms it serves in configuration file `raddb/realms' (*note realms file::). File: radius.info, Node: Hints, Next: Huntgroups, Prev: Proxying, Up: Request processing Hints ----- "User-name hints" are special rules that modify the incoming request depending on user name and his credentials. Hints are stored as a list of "Matching Rules" (*note Matching Rule::). Upon receiving a request, `radiusd' scans the hints entries sequentially, comparing each rule's "Label" with the value of `User-Name' attribute from the request. If they coincide, then `radiusd' appends the contents of the rule's RHS to the request pair-list. Both user names must match exactly in order for a hint to take effect, unless the hint's checklist contains either `Prefix' or `Suffix' attribute. The special name `DEFAULT' or `DEFAULT%d' (where %d denotes any decimal number), used as hint's "Label" match any username. The two special attributes, `Prefix' and `Suffix', may be used in LHS to restrict the match to a specified part of a user-name. Both are string attributes. The `Prefix' instructs radius to accept the hint only if the username begins with the given prefix. Similarly, `Suffix' instructs radius to accept the hint only if the username ends with the given suffix. A hint may contain both `Prefix' and `Suffix' attributes. In addition to these two attributes, a hint's LHS may contain `User-ID' and `Group' attributes. The following attributes, when used in a hint's RHS have special meaning. They are not appended to the request pair-list. Instead, they are removed after completing their function: `Fall-Through' If this attribute is present, and is set to `Yes', `radiusd' continues scanning the hints, after processing current entry. This allows for applying several hints to a single packet. `Rewrite-Function' If this attribute is present, the specified rewrite function is invoked. `Replace-User-Name' The value of this attribute is expanded (*note Macro Substitution::), and replaces the value of `User-Name' attribute from the request. The hints rules are defined in `raddb/hints' file (*note hints file::). File: radius.info, Node: Huntgroups, Next: User Profiles, Prev: Hints, Up: Request processing Huntgroups ---------- Huntgroups are special rules, that allow to alter processing of incoming requests, depending on NAS IP address and port number they come from. The rules are stored as a list of "Matching Rules" (*note Matching Rule::). Upon receiving a request, `radiusd' scans this list sequentially until it finds an entry, such that the conditions set forth in its LHS are matched by the request. If such an entry is found, `radiusd' verifies that the request meet the conditions described by RHS. If it does not, the request is rejected. In short, a huntgroup requires that any request matching its LHS must match also its RHS. The "Label" part of the rule is not used in comparisons, instead it is used to label huntgroups. All entries with the same label form a single huntgroup. The special attribute `Huntgroup-Name' can be used to request a match against a particular huntgroup (*note Huntgroup-Name::). The huntgroups rules are defined in `raddb/huntgroups' file (*note huntgroups file::). File: radius.info, Node: User Profiles, Prev: Huntgroups, Up: Request processing User Profiles ------------- "User Profiles" are the per-user matching rules (*note Matching Rule::). Any incoming authentication request is compared with the "User Profiles" after it has passed both "Hints" and "Huntgroups". `Radiusd' selects from the "User Profiles" those rules, whose "Label" matches the value of `User-Name' attribute from the incoming request. The selected profiles form the list of authentication rules for the request. In order for a profile to be selected, its label must either coincide literally with the `User-Name' value, or it must be one of special labels `DEFAULT' and `BEGIN'. The rules in the authentication list are ordered as follows: first go all the profiles with `BEGIN' label, they are followed by the profiles, whose labels match the `User-Name' literally, and, finally, these are followed by rules labeled with `DEFAULT'. (1) Within each of the three sub-lists the rules preserve the order in which they appear in `raddb/users' file. Once the list is constructed, it is scanned sequentially until the rule is found, whose LHS matches the incoming request. If no such rule is found, then the authentication fails. Otherwise, the contents of its RHS is appended to "Reply List" being constructed. If the RHS of the matched rule contains attribute `Fall-Through' with the value `Yes', the matching continues. When the list is exhausted, the authentication result is sent back to the NAS along with the A/V pairs collected in the "Reply List". The user profiles are defined in `raddb/users' file (*note users file::). ---------- Footnotes ---------- (1) For compatibility with other implementations of radius, GNU Radius treats profile labels in the form `DEFAULT%d', where `%d' represents a decimal number, in the same way it treats `DEFAULT' labels. The same applies to `BEGIN' labels. File: radius.info, Node: Invocation, Next: Configuration Files, Prev: Operation, Up: Top How to Start the Daemon. ************************ When started `radiusd' uses the configuration values from the following sources (in order of increasing precedence): * Compiled-in defaults * `raddb/config' file. * Command line arguments Whenever a command line options has its equivalent in config file the use of this equivalent should be preferred (*note config file::). The following command line options are accepted: `-A' `--log-auth-detail' Enable detailed authentication logging. When this option is specified each authentication request is logged to the file `radacct/NASNAME/detail.auth', where NASNAME is replaced by the short name of the NAS from `raddb/naslist' *Note Naming Conventions::. Config file equivalent: `auth { detail yes; };'. `-a DIR' `--acct-directory DIR' Specify accounting directory. Config file equivalent: `option { acct-dir DIR; };'. `-b' `--dbm' Enable DBM support. Config file equivalent: `usedbm yes;'. `-d DIR' `--config-directory DIR' `--directory D' Specify alternate configuration directory. Default is `/usr/local/etc/raddb'. `-f' `--foreground' Stay in foreground. We recommend to use it for debugging purposes only. `-i IP' `--ip-address' Specifies the IP address `radiusd' will listen on. If this option is not specified, the program will listen on all IP addresses, assigned to the machine it runs on. Config file equivalent: `option { source-ip IP; };'. _Please note_, that `listen' statement in `raddb/config' provides a better control over IP addresses to listen on (*Note auth::, and *note acct::). `-L' `--license' Display GNU General Public License and exit. `-l DIR' `--logging-directory DIR' Specify alternate logging directory. Config file equivalent: `option { log-dir DIR; };'. `-mb' `--mode b' "Builddbm" mode. Builds a DBM version of a plaintext users database. *Note Builddbm::. `-mc' `--mode c' Check configuration files and exit. All errors are reported via usual log channels. `-mt' `--mode t' Test mode. In this mode `radiusd' starts an interactive interpreter which allows to test various aspects of its configuration. `-n' `--auth-only' Process only authentication requests. `-p PORTNO' `--port PORTNO' Listen the UDP port PORTNO. The accounting port is computed as PORTNO + 1. `-P DIR' `--pid-file-dir DIR' Specifies the alternate path for the pidfile. `-S' `--log-stripped-names' Log usernames stripped off any prefixes/suffixes. Config file equivalent: `auth { strip-names yes };'. `-s' `--single-process' Run in single process mode. This is for debugging purposes only. We strongly recommend _against_ using this option. Use it only when absolutely necessary. `-v' `--version' Display program version and compilation options. `-x DEBUG_LEVEL' `--debug DEBUG_LEVEL' Set debugging level. DEBUG_LEVEL is a comma-separated list of assignments in the forms MODULE MODULE = LEVEL where MODULE is the module name or any non-ambiguous assignment thereof, LEVEL is the debugging level in the range 0-100. *Note Debugging:: Config file equivalent: logging { category debug { level DEBUG_LEVEL; }; }; `-y' `--log-auth' Log authentications. With this option enabled, Radius will log any authentication attempt into its logfile *Note Logging::. Config file equivalent: `logging { category auth { detail yes; }; }; '. `-z' `--log-auth-pass' Log passwords along with authentication information. _Do not use_ this option. It is _very_ insecure, since all users' passwords will be echoed in the logfile. This option is provided only for debugging purposes. Config file equivalent: logging { category auth { print-pass yes; }; }; *Note config file::. File: radius.info, Node: Configuration Files, Next: Authentication, Prev: Invocation, Up: Top Radius Configuration Files ************************** This chapter describes the configuration files used by GNU Radius package. These files are normally found in /usr/local/etc/raddb directory, which is defined at configuration time, although their location can be specified at runtime. In the discussion below we will refer to this directory by `raddb'. *Note Naming Conventions::. * Menu: * config file:: Run-time configuration options. * dictionary file:: Radius dictionary. * clients file:: Clients lists the NASes that are allowed to communicate with radius. * naslist file:: The naslist file keeps general information about the NASes. * nastypes file:: Information about how to query the NASes about active user sessions. * hints file:: Important user information that is common for the users whose names match some pattern. * huntgroups file:: Group users by the NAS (and, possibly, a port number) they come from. * realms file:: Communication with remote radius servers * users file:: User profile. * access.deny file:: List of users which are denied access. * sqlserver file:: SQL server configuration. * rewrite file:: Rewrite functions allow to change the input packets. * menus file:: Menus allow user to select the type of service. * Macro Substitution:: Macros which are expanded by the actual attribute values. File: radius.info, Node: config file, Next: dictionary file, Up: Configuration Files Run-Time Configuration Options -- `raddb/config' ================================================ `radiusd' uses the configuration values from the following sources (in order of increasing precedence): 1. Compiled-in defaults 2. `raddb/config' file. 3. Command line arguments This order of precedence applies only on startup. When re-reading of the configuration is initiated either by `SIGHUP' signal or by SNMP channel any changes in the config file take precedence over command line arguments, since `raddb/config' is the only way to change configuration of the running program. This chapter discusses the `raddb/config' file in detail. The `raddb/config' consists of statements and comments. Statements end with a semicolon. Many statements contain a block of sub-statements which also terminate with a semicolon. Comments can be written in shell, C, or C++ constructs, i.e. any of the following represent a valid comment: # A shell comment /* A C-style * multi-line comment */ // A C++-style comment These are the basic statements: * Menu: * option:: `Option' block: set the global program options. * logging:: Fine-tune the logging. * auth:: Configure authentication service. * acct:: Configure accounting service. * proxy:: Configure proxy service. * usedbm:: Enable the DBM feature. * snmp:: Configure SNMP service. * guile:: Configure Guile interface. * message:: Configure server reply messages. File: radius.info, Node: option, Next: logging, Up: config file `option' block -------------- Syntax: ------- option { [ source-ip NUMBER ; ] [ max-requests NUMBER ; ] [ exec-program-user STRING ; ] [ username-chars STRING ; ] [ log-dir STRING ; ] [ acct-dir STRING ; ] } ; Usage ----- The `option' block defines the global options to be used by `radiusd'. Numeric statements ------------------ `source-ip' Sets the source IP address. When this statement is not present, the IP address of the first available network interface on the machine will be used as source. `max-requests' Sets the maximum number of the requests in queue. String statements ----------------- `exec-program-user' Sets effective user id for the programs executed as a result of `Exec-Program' and `Exec-Program-Wait'. The effective group id will be retrieved from the `/etc/passwd' entry for the given user. `username-chars' Determines characters that are valid within a username. The alphanumeric characters are always allowed in a username, it is not necessary to specify them in this statement. By default the following characters are allowed in a username: `.-_!@#$%^&\/"'. `log-dir' Specifies the logging directory. `acct-dir' Specifies the accounting directory. File: radius.info, Node: logging, Next: auth, Prev: option, Up: config file `logging' block --------------- Syntax: ------- logging { [ category category_spec { [ channel channel_name ; ] [ print-auth BOOL ; ] [ print-pass BOOL ; ] [ print-failed-pass BOOL ; ] [ level DEBUG_LEVEL ; ] } ; ] [ channel channel_name { ( file STRING ; | syslog facility . priority ; ) [ print-pid BOOL ; ] [ print-category BOOL ; ] [ print-cons BOOL ; ] [ print-level BOOL ; ] [ print-priority BOOL ; ] }; ] } ; Usage ----- The `logging' statement describes the course followed by `radiusd''s logging information. * Menu: * category:: `category' statement. * channel:: `channel' statement. * logging example:: Example of the `logging' statement. File: radius.info, Node: category, Next: channel, Up: logging `category' statement .................... Each line of logging information generated by `radiusd' has an associated "category". The `logging' statement allows each category of output to be controlled independently of the others. The logging category is defined by "category name" and a "severity". "category name" determines what part of radiusd daemon is allowed to send its logging information to this channel. It can be any of `main', `auth', `acct', `proxy', `snmp'. "priority" determines the minimum priority of the messages displayed by this channel. The priorities in ascending order are: `debug', `info', `notice', `warn', `err', `crit', `alert', `emerg'. The full category specification, "category_spec", can take any of the following three forms: category_name Print the messages of given category. priority Print messages of all categories, abridged by given priority. If the priority is prefixed with `=', only messages with given priority will be displayed. If it is prefixed with `!', the messages with priority other than the specified will be displayed. Otherwise, the messages with priorities equal to or greater than the specified will be displayed. category_name . priority Print the messages of given category, abridged by given priority. The priority may be prefixed with either `=' or `!' as described above. Additional category options valid for `auth' category are: `print-auth' Log individual authentications. `print-pass' Include passwords for successful authentications. It is _very_ insecure, since all users' passwords will be echoed in the logfile. This option is provided only for debugging purposes. `print-failed-pass' Include passwords for failed authentications. File: radius.info, Node: channel, Next: logging example, Prev: category, Up: logging `channel' statement ................... Channels represent methods for recording logging information. Each channel has a unique name, and any categories which specify that name in a `channel' statement will use that channel. `radiusd' can write logging information to files or send it to syslog. The `file' statement sends the channel's output to the named file (*note Naming Conventions::). The `syslog' statement sends the channel's output to syslog with the specified facility and severity. Channel options modify the data flowing through the channel: `print-pid' Add the process ID of the process generating the logging information. `print-cons' Also send the logging information to the system console. `print-category' Add the category name to the logging information. `print-priority' `print-level' Add the priority name to the logging information. File: radius.info, Node: logging example, Prev: channel, Up: logging Example of the `logging' statement .................................. logging { channel default { file "radius.log"; print-category yes; print-priority yes; }; channel info { file "radius.info"; print-pid yes; print-cons yes; print-priority yes; }; channel notice { syslog auth.notice; }; category auth { print-auth yes; print-failed-pass yes; }; category notice { channel notice; }; category info { channel info; }; category debug { channel info; level radiusd=1,files; }; category *.!debug { channel default; }; }; File: radius.info, Node: auth, Next: acct, Prev: logging, Up: config file `auth' statement ---------------- Syntax: ------- auth { [ listen ADDR-LIST ; ] [ port NUMBER ; ] [ spawn BOOL ; ] [ max-requests NUMBER ; ] [ time-to-live NUMBER ; ] [ request-cleanup-delay NUMBER ; ] [ detail BOOL ; ] [ strip-names BOOL ; ] [ checkrad-assume-logged BOOL ; ] [ password-expire-warning NUMBER ; ] } ; Usage: ------ The `auth' statement configures the parameters of the authentication service. listen statement ---------------- This statement determines on which addresses radiusd will listen for incoming authentication requests. Its argument is a comma-separated list of items in the form IP:PORT-NUMBER. IP can be either an IP address in familiar "dotted-quad" notation or a hostname. :PORT-NUMBER part may be omitted, in which case the default authentication port is assumed. If the `listen' statement is omitted, radiusd will accept incoming requests from any interface on the machine. Numeric statements ------------------ `port' Sets the number of UDP port to listen on for the authentication requests. `max-requests' Sets the maximum number of authentication requests in the queue. Any surplus requests will be discarded. `time-to-live' Sets the request time-to-live in seconds. The time-to-live is the time to wait for the completion of the request. If the request job isn't completed within this interval of time it is cleared, the corresponding child process killed and the request removed from the queue. `request-cleanup-delay' Sets the request cleanup delay in seconds, i.e. determines how long will the completed authentication request reside in the queue. `password-expire-warning' Sets the time interval for password expiration warning. If user's password expires within given number of seconds, radiusd will send a warning along with authentication-acknowledge response. Default is 0. Boolean statements ------------------ `spawn' Determines if `radiusd' should spawn a child to process the request. `detail' When set to true, `radiusd' will produce the detailed log of each received packet in the file `radacct/NASNAME/detail.auth'. (*note Naming Conventions::). `strip-names' Determines whether `radiusd' should strip any prefixes/suffixes off the username before logging. `checkrad-assume-logged' `radiusd' consults the value of this variable when the NAS does not responds to checkrad queries (*note Checking Simultaneous Logins::). If this variable is set to `yes', the daemon will proceed as if the NAS returned "yes", i.e. it will assume the user is logged in. Otherwise `radiusd' assumes the user _is not_ logged in. File: radius.info, Node: acct, Next: proxy, Prev: auth, Up: config file `acct' statement ---------------- Syntax: ------- acct { [ listen ADDR-LIST ; ] [ port NUMBER ; ] [ spawn BOOL ; ] [ detail BOOL; ] [ max-requests NUMBER ; ] [ time-to-live NUMBER ; ] [ request-cleanup-delay NUMBER ; ] } ; Usage: ------ The `acct' statement configures the parameters of the accounting service. listen statement ---------------- This statement determines on which addresses radiusd will listen for incoming accounting requests. Its argument is a comma-separated list of items in the form IP:PORT-NUMBER. IP can be either an IP address in familiar "dotted-quad" notation or a hostname. :PORT-NUMBER part may be omitted, in which case the default accounting port is assumed. If the `listen' statement is omitted, radiusd will accept incoming requests from any interface on the machine. Numeric statements ------------------ `port' Sets the port number to listen for the authentication requests. `max-requests' Sets the maximum number of accounting requests in the queue. Any surplus requests will be discarded. `time-to-live' Sets the request time-to-live in seconds. The time-to-live is the time to wait for the completion of the request. If the request job isn't completed within this interval of time it is cleared, the corresponding child process killed and the request removed from the queue. `request-cleanup-delay' Sets the request cleanup delay in seconds, i.e. determines how long will the completed account request reside in the queue. Boolean statements ------------------ `spawn' Determines if `radiusd' should spawn a child to process the request. `detail' When set to `false', disables detailed accounting (*note Detailed Request Accounting::). File: radius.info, Node: proxy, Next: usedbm, Prev: acct, Up: config file `proxy' statement ----------------- Syntax: ------- proxy { [ max-requests NUMBER ; ] [ request-cleanup-delay NUMBER ; ] } ; Usage: ------ The `proxy' statement configures the parameters of the proxy service. Numeric statements ------------------ `max-requests' Sets the maximum number of accounting requests in the queue. Any surplus requests will be discarded. `request-cleanup-delay' Sets the request cleanup delay in seconds, i.e. determines how long will the completed account request reside in the queue. File: radius.info, Node: usedbm, Next: snmp, Prev: proxy, Up: config file `usedbm' statement ------------------ Syntax: ------- usedbm ( yes | no ) ; Usage ----- The `usedbm' statement determines whether the DBM support should be enabled. `no' Do not use DBM support at all. `yes' Use only the DBM database and ignore `raddb/users'. File: radius.info, Node: snmp, Next: guile, Prev: usedbm, Up: config file `snmp' statement ---------------- Syntax: ------- snmp { [ port PORTNO ; ] [ spawn BOOL ; ] [ max-requests NUMBER ; ] [ time-to-live NUMBER ; ] [ request-cleanup-delay NUMBER ; ] [ ident STRING ; ] [ community NAME ( rw | ro ) ; ] [ network NAME NETWORK [ NETWORK ... ] ; ] [ acl { [ allow NETWORK_NAME COMMUNITY_NAME ; ] [ deny NETWORK_NAME ; ] } ; ] }; Usage ----- The `snmp' statement configures the SNMP service. Numeric statements ------------------ `port' Sets the port number to listen for the SNMP requests. `max-requests' Sets the maximum number of SNMP requests in the queue. Any surplus requests will be discarded. `time-to-live' Sets the request time-to-live in seconds. The time-to-live is the time to wait for the completion of the request. If the request job isn't completed within this interval of time it is cleared, the corresponding child process killed and the request removed from the queue. `request-cleanup-delay' Sets the request cleanup delay in seconds, i.e. determines how long will the completed SNMP request reside in the queue. Boolean statements ------------------ `spawn' Determines if `radiusd' should spawn a child to process the SNMP request. String statements ----------------- `ident' Sets the SNMP server identification string. Community and network definitions --------------------------------- `community NAME ( rw | ro )' Defines the community NAME as read-write (`rw') or read-only (`ro'). `network NAME NETWORK [ NETWORK ... ]' Groups several networks or hosts under one logical network name. Access-Control List definitions ------------------------------- `allow NETWORK_NAME COMMUNITY_NAME' allow hosts from the group NETWORK_NAME access to community COMMUNITY_NAME. `deny NETWORK_NAME' Deny access to SNMP service from any host in the group NETWORK_NAME. File: radius.info, Node: guile, Next: message, Prev: snmp, Up: config file `guile' statement ----------------- The `guile' statement allows to configure server interface with Guile. Syntax ------ guile { [ debug BOOL ; ] [ load-path STRING ; ] [ load STRING ; ] }; Usage ----- Boolean statements ------------------ `debug' When set to yes, enables debugging evaluator and backtraces on Guile scripts. String statements ----------------- `load-path' Add specified pathname to `%load-path' variable. `load' Load the specified source file on startup. For the detailed description of Guile extensions interface, *Note Guile::. File: radius.info, Node: message, Prev: guile, Up: config file `message' statement ------------------- The `message' statement allows to set up the messages that are returned to the user with authentication-response packets. Syntax ------ message { [ account-closed STRING ; ] [ password-expired STRING ; ] [ password-expire-warning STRING ; ] [ access-denied STRING ; ] [ realm-quota STRING ; ] [ multiple-login STRING ; ] [ second-login STRING ; ] [ timespan-violation STRING ; ] }; All variables in `message' block take a string argument. In STRING you can use the usual C backslash notation to represent non-printable characters. The use of %C{} and %R{} sequences is also allowed (*note Macro Substitution::). String statements ----------------- `account-closed' This message will be returned to the user whose account is administratively closed. `password-expired' This message will be returned to the user whose password has expired. `password-expire-warning' This is a warning message that will be returned along with an authentication-acknowledge packet for the user whose password will expire in less than N seconds. The value of N is set by `password-expire-warning' variable in `auth' block. *Note auth::. In this string, you can use the %R{Password-Expire-Days} substitution, to represent the actual number of _days_ left to the expiration date. The default is Password Will Expire in %R{Password-Expire-Days} Days\r\n `access-denied' This message is returned to the user who supplies an incorrect password or a not-existent user-name as his authentication credentials. `realm-quota' This message is returned when the user is trying to log in using a realm, and number of users that are currently logged in from this realm reaches maximum value. For a description of realms, *Note Realms::. `multiple-login' This message is returned to the user, who has logged in more than allowed number of times. For description of how to set the maximum number of concurrent logins, see *Note Simultaneous-Use::. `second-login' This is a special case of `multiple-login', which is used when the user's login limit is 1. `timespan-violation' This message is returned to the user who is trying to login outside of allowed time interval. For description of how to limit user's login time, see *Note Login-Time::. File: radius.info, Node: dictionary file, Next: clients file, Prev: config file, Up: Configuration Files Dictionary of Attributes -- `raddb/dictionary' ============================================== The dictionary file `raddb/dictionary' defines the symbolic names for radius attributes and their values (*note Attributes::). The file consists of a series of statements. Each statement occupies one line. In the detailed discussion below we use the following meta-syntactic characters: NUMBER Denotes a decimal, octal or hexagesimal number. Usual C conventions are honored, i.e. if NUMBER starts with `0x' or `0X' it is read as a hex number, if it starts with `0' it is read as an octal number, otherwise it is read as a decimal one. TYPE Denotes an attribute type. These are valid attribute types: `string' A string type. `integer' An integer type. `ipaddr' IP address in a dotted-quad form. `date' A date in the format: "MON DD CCYY", where MON is the usual three-character abbreviation, DD is day of month (1-31), CCYY is the year, including the century. There are following kinds of statements: * Menu: * Comment:: Introducing a comment line. * $INCLUDE:: Include a file. * VENDOR:: Define a vendor-id. * ATTRIBUTE:: Define an attribute translation. * VALUE:: Define a value translation. File: radius.info, Node: Comment, Next: $INCLUDE, Up: dictionary file Comments -------- Comments are introduced by a pound sign (`#'). Everything starting from the first occurrence of `#' up to the end of line is ignored. File: radius.info, Node: $INCLUDE, Next: VENDOR, Prev: Comment, Up: dictionary file $INCLUDE Statement ------------------ Syntax ------ $INCLUDE `filename' Usage ----- The `$INCLUDE' statement causes the contents of the file `filename' to be read in and processed. The file is looked up in the Radius database directory. *Note Configuration Files::. File: radius.info, Node: VENDOR, Next: ATTRIBUTE, Prev: $INCLUDE, Up: dictionary file VENDOR Statement ---------------- Syntax ------ VENDOR Vendor-Name NUMBER Usage ----- A `VENDOR' statement defines the symbolic name for a Vendor-Id. This name can subsequently be used in `ATTRIBUTE' statements to define Vendor-Specific attribute translations. *Note Vendor-Specific::. Example ------- VENDOR Livingston 307 File: radius.info, Node: ATTRIBUTE, Next: VALUE, Prev: VENDOR, Up: dictionary file ATTRIBUTE statement ------------------- Syntax ------ ATTRIBUTE NAME NUMBER TYPE [VENDOR [FLAGS]] Usage ----- The `ATTRIBUTE' statement defines the translation for an attribute. Its parts have the following meaning: NAME The attribute name. NUMBER The attribute ID (number). TYPE The attribute type. VENDOR Vendor name for vendor-specific attributes. For usual attributes this field is empty or contains a dash (`-'). FLAGS Flags, defining attribute properties (*note Attributes::). The "attribute property flags" consist of a sequence of letters, whose meaning is determined by the following rules: (1) 1. The attribute usage is described by three pairs of symbols, enclosed in square brackets. Each pair describes how the attribute can be used in each of three configuration files. The first pair corresponds to `raddb/users', the second one corresponds to `raddb/hints', and the third one corresponds to `raddb/huntgroups'. Within each pair, the letter `L' in first position means that the attribute is allowed in LHS of a rule. The letter `R' in second position means that the attribute is allowed in RHS of a rule. The absense of any of these letters is indicated by dash (`-'). Thus, the following usage specification: [L--RLR] means that the attribute may be used in LHS of a rule in `raddb/users', in RHS of a rule in `raddb/hints', and in both sides of a rule in `raddb/huntgroups'. 2. The attribute additivity is described by one of the following letters: = Additivity = Replace + Additivity = Append N Additivity = None 3. The presence of letter `P' in property flags raises the propagation bit. Example ------- ATTRIBUTE Service-Type 6 integer - [LR-RLR]=P This statement assigns the translation string `Service-Type' to the attribute number 6. It allows the use of this attribute in any part of matching rules, except in LHS of a `raddb/hints' rule. The additivity of `Service-Type' is set to `Replace'. The attribute will be propagated through the proxy chain. ---------- Footnotes ---------- (1) The FLAGS are optional for compatibility with previous versions of GNU Radius. If they are omitted, the default is `[LRLRLR]+' File: radius.info, Node: VALUE, Prev: ATTRIBUTE, Up: dictionary file VALUE Statement --------------- Syntax ------ VALUE Attribute-Translation Value-Translation NUMBER Usage ----- The `VALUE' statement assigns a translation string to a given value of an integer attribute. `Attribute-Translation' specifies the attribute and the `Value-Translation' specifies the name assigned to the value NUMBER of this attribute. Example ------- The following assigns the translation string `Login-User' to the value 1 of the attribute `Service-Type'. VALUE Service-Type Login-User 1 File: radius.info, Node: clients file, Next: naslist file, Prev: dictionary file, Up: Configuration Files Clients List -- `raddb/clients' =============================== The `raddb/clients' lists NASes which are allowed to make authentication requests. As usual, the `#' character introduces a comment. Each record in the file consists of two fields, separated by whitespace. The fields are: NAS name Specifies a hostname or IP address of the NAS. Key Lists the encryption key shared between the server and this NAS. * Menu: * Example: clients example. An example of clients file. File: radius.info, Node: clients example, Up: clients file Example of `clients' file ------------------------- # This is a list of clients which are allowed to make authentication # requests. # Each record consists of two fields: # i. Valid hostname. # ii. The shared encryption key for this hostname. # #Client Name Key #---------------- ------------------- myhost.dom.ain guessme merlin emrys 11.10.10.10 secRet File: radius.info, Node: naslist file, Next: nastypes file, Prev: clients file, Up: Configuration Files NAS List -- `raddb/naslist' =========================== The `raddb/naslist' file contains a list of NASes known to the Radius server. Each record in the file consist of three fields: NAS name Specifies a hostname or IP address of the NAS. The word `DEFAULT' may be used in this field to match any NAS. (1) Short Name This field defines a short name under which this NAS will be listed in logfiles. The short name is also used as a name of the subdirectory where the detailed logs are stored. Type Specifies the type of this NAS. Using this value `radiusd' determines the way to query NAS about the presence of a given user on it (*note Checking Simultaneous Logins::). The two special types: `true' and `false', can be used to disable NAS querying. When the type field contains `true', `radiusd' assumes the user is logged in to the NAS, when it contains `false', `radiusd' assumes the user _is not_ logged in. Otherwise, the type is used as a link to `nastypes' entry (*note nastypes file::). Arguments Additional arguments describing the NAS. Multiple arguments must be separated by commas. No intervening whitespace is allowed in this field. There are two groups of nas arguments: "nas-specific" arguments and "nas-querying" arguments. "Nas-specific" arguments are used to modify a behavior of `radiusd' when sending or receiving the information to or from a particular NAS. "Nas-querying" arguments control the way `radiusd' queries a NAS for confirmation of a user's session (*note Checking Simultaneous Logins::). These arguments override the ones specified in `nastypes' and can thus be used to override the default values. The "nas-specific" arguments currently implemented are: broken_pass This is a boolean argument that controls the encryption of user passwords, longer than 16 octets. By default, `radiusd' uses method specified by RFC 2865. However some NASes, most notably MAX Ascend series, implement a broken method of encoding long passwords. This flag instructs `radiusd' to use broken method of password encryption for the given NAS. For the list of nas-querying arguments, *Note Full list of allowed arguments: nastypes file. * Menu: * Example: naslist example. Example of `naslist' file. ---------- Footnotes ---------- (1) Logins from DEFAULT NASes are not reported by213.130.0.5 `raduse', neither are they reflected in SNMP variables. File: radius.info, Node: naslist example, Up: naslist file Example of `naslist' file ------------------------- # raddb/naslist: contains a list of Network Access Servers # # Each record consists of following fields: # # i. A valid hostname or IP address for the client. # ii. The short name to use in the logfiles for this NAS. # iii. Type of device. Valid values are `true', `false' and # those defined in raddb/nastypes file. # NAS Name Short Name Type #---------------- ---------- ---- myhost.dom.ain myhost unix merlin merlin max 11.10.10.10 arthur livingston File: radius.info, Node: nastypes file, Next: hints file, Prev: naslist file, Up: Configuration Files NAS Types -- `raddb/nastypes' ============================= The `raddb/nastypes' file describes the ways to query NASes about active user sessions. * Menu: * Syntax: nastypes syntax. Syntax described. * Example: nastypes example. Example of nastypes file. * Predefined NAS Types:: NAS types defined in standard nastypes file. File: radius.info, Node: nastypes syntax, Next: nastypes example, Up: nastypes file Syntax of `raddb/nastypes' -------------------------- Syntax ====== Each record consists of three fields separated by any amount of whitespace. The fields are: Type Type of the NAS which is described in this record. Method Method to use to query a NAS of given type. Arguments Arguments to pass to this method. Each argument is a pair ARG=VALUE, where ARG is its name and VALUE is a value assigned to it. The list of predefined argument names follows. _Please note_, that no intervening whitespace is allowed in this field. Methods ======= Version 0.96 of GNU Radius supports two querying methods: finger and snmp. Arguments ========= In the discussion below N means numeric and S string value. The following arguments are predefined: Common for all methods ---------------------- function=S Specifies the check function to use with this method (*note Login Verification Functions::). This argument must be present. For description of how this function is applied, see *Note Checking Simultaneous Logins::. port=N Use port number N instead of the default for the given method. Method snmp ----------- password=S Use community S instead of the default. This argument must be present. retries=N Retry N times before giving up. timeout=N Timeout N seconds on each retry. Method finger ------------- timeout=N Give up if the NAS does not respond within N seconds. notcp tcp=0 Disable the use of T/TCP for hosts with a broken TCP implementation. arg=SUBST Send SUBST to finger, instead of username. SUBST must be one of "macro variables", described below. Macro variables --------------- The following macro-variables are recognized and substituted when encountered in the VALUE pair of an argument: `%u' Expands to username. `%s' Expands to session id. `%d' Expands to session id converted to decimal representation. `%p' Expands to port number. `%P' Expands to port number + 1. File: radius.info, Node: nastypes example, Next: Predefined NAS Types, Prev: nastypes syntax, Up: nastypes file Example of nastypes file. ------------------------- _Please note_, that in the following example the long lines are broken into several lines for readability. # Type Method Args # ---- ------ ---- unix finger function=check_unix max-f finger function=check_max_finger max snmp oid=.1.3.6.1.4.1.529.12.3.1.4.%d, function=check_snmp_u as5300-f finger function=check_as5300_finger as5300 snmp oid=.1.3.6.1.4.1.9.9.150.1.1.3.1.2.%d, function=check_snmp_u livingston snmp oid=.1.3.6.1.4.1.307.3.2.1.1.1.5.%P, function=check_snmp_s File: radius.info, Node: Predefined NAS Types, Prev: nastypes example, Up: nastypes file Standard NAS types ------------------ The `nastypes' shipped with version 0.96 of GNU Radius defines following NAS types: unix -- UNIX boxes running Finger This type suits for UNIX boxes running finger service able to return information about dial-up users active on them. To enable finger checking of a unix host add following to your `naslist' file: #Hostname Shortname Type #-------- --------- ---- nas.name T unix max-f -- MAX Ascend with Finger Use this type if you have MAX Ascend terminal server that answers finger queries. The `naslist' entry for such NAS will look like: #Hostname Shortname Type Flags #-------- --------- ---- ----- nas.name T max-f broken_pass _Please note_ the use of `broken_pass' flag. It is needed for most MAX Ascend servers (*note naslist file::). max -- MAX Ascend, answering SNMP Use this type if you have MAX Ascend terminal server that answers SNMP queries. The `naslist' entry for such NAS will look like: #Hostname Shortname Type Flags #-------- --------- ---- ----- nas.name T max-f broken_pass,community=COMM Replace COMM with your actual SNMP community name. as5300-f -- Cisco AS5300 running finger as5300 -- Cisco AS5300 answering SNMP livingston -- Livingston Portmaster Type `livingston' queries portmaster using SNMP. File: radius.info, Node: hints file, Next: huntgroups file, Prev: nastypes file, Up: Configuration Files Request Processing Hints -- `raddb/hints' ========================================= The `raddb/hints' file is used to modify the contents of the incoming request depending on the username. For a detailed description of this, *Note Hints::. The file contains data in "Matching Rule" format (*note Matching Rule::). The only attributes that can be used in the check list are: * `Suffix' * `Prefix' * `Group' * `User-ID' * Menu: * Example: hints example. An example of `hints' file. File: radius.info, Node: hints example, Up: hints file Example of `hints' file ----------------------- ## If the username starts with `U', append the UUCP hint DEFAULT Prefix = "U", Strip-User-Name = No Hint = "UUCP" ## If the username ends with `.slip', append the SLIP service data ## and remove the suffix from the user name. DEFAULT Suffix = ".slip", Strip-User-Name = Yes Hint = "SLIP", Service-Type = Framed-User, Framed-Protocol = SLIP File: radius.info, Node: huntgroups file, Next: realms file, Prev: hints file, Up: Configuration Files Huntgroups -- `raddb/huntgroups' ================================ The `raddb/huntgroups' contains the definitions of the huntgroups. For a detailed description of huntgroup concept, *Note Huntgroups::. The file contains data in "Matching Rule" format (*note Matching Rule::). * Menu: * Example: huntgroups example. An example of the `huntgroups' file. File: radius.info, Node: huntgroups example, Up: huntgroups file Example of `huntgroups' file. ----------------------------- ## This defines the packet rewriting function for the server 11.10.10.11 DEFAULT NAS-IP-Address = 11.10.10.11, Rewrite-Function = "max_fixup" NULL File: radius.info, Node: realms file, Next: users file, Prev: huntgroups file, Up: Configuration Files List of Proxy Realms -- `raddb/realms' ====================================== The `raddb/realms' file lists remote Radius servers that are allowed to communicate with the local Radius server (*note Proxying::). Each record consists of up to three fields, separated by whitespace. Two of them are mandatory. The fields are: Realm name Specifies the name of the realm being defined, i.e. part of the login name after the `@' symbol. The special realm name `NOREALM' defines the empty realm, the name `DEFAULT' defines the default realm (*note Realms::). Remote server Specifies the remote server to which the requests for this realm should be forwarded. The syntax for this field is SERVERNAME[:AUTH-PORT[:ACCT-PORT]] Optional AUTH-PORT and ACCT-PORT are the authentication and accounting port numbers. If ACCT-PORT is omitted, it is computed as AUTH-PORT + 1. If AUTH-PORT is omitted, the default authentication port number is used. Flags (optional) The flags meaningful in `raddb/realms' are strip Boolean value. Controls whether the realm name should be stripped off the username before forwarding the request to the remote server. Setting `strip' enables stripping, setting `nostrip' disables it. Default is to always strip user names. quota=NUM Set maximum number of concurrent logins allowed from this realm to the given value (NUM). * Menu: * Example: realms example. An example of `realms' file. File: radius.info, Node: realms example, Up: realms file Example of `realms' file ------------------------ Example 1. ---------- # Realm Remote server[:port] flags #---------------- --------------------- -------- that.net radius.that.net nostrip dom.ain server.dom.ain:3000 strip,quota=20 Example 2. ---------- # Realm Remote server[:port] flags #---------------- --------------------- -------- NOREALM radius.server.net that.net radius.that.net nostrip dom.ain server.dom.ain:3000 strip,quota=20 File: radius.info, Node: users file, Next: access.deny file, Prev: realms file, Up: Configuration Files User Profiles -- `raddb/users' ============================== File `raddb/users' contains the list of "User Profiles". For a description of its purpose, *Note User Profiles::. * Menu: * Example: users example. An example of `users' file. File: radius.info, Node: users example, Up: users file Example of `users' file ----------------------- ## The following entry is matched when the user appends ``.ppp'' to his ## username when logging in. ## The suffix is removed from the user name, then the password is ## looked up in the SQL database. ## Users may log in at any time. They get PPP service. DEFAULT Suffix = ".ppp", Auth-Type = SQL, Login-Time = "Al", Simultaneous-Use = 1, Strip-User-Name = Yes Service-Type = Framed-User, Framed-Protocol = PPP ## This is for SLIP users. ## This entry is matched when the auth request matches ``SLIP'' hint DEFAULT Hint = "SLIP", Auth-Type = Mysql Service-Type = Framed-User Framed-Protocol = SLIP ## The following authenticates users using system passwd files. ## The users are allowed to log in from 7:55 to 23:05 on any weekday, ## except the weekend, and from 07:55 to 12:00 on Sunday. ## Only one login is allowed per user. ## The program telauth is used to further check the authentication ## information and provide the reply pairs ## Note the use of backslashes to split a long line. DEFAULT Auth-Type = System, Login-Time = "Wk0755-2305,Su0755-1200", Simultaneous-Use = 1 Exec-Program-Wait = "/usr/local/sbin/telauth \ %C{User-Name} \ %C{Calling-Station-Id} \ %C{NAS-IP-Address} \ %C{NAS-Port-Id}" ## This particular user is authenticated via PAM. He is presented a ## choice from `raddb/menus/menu1' file. gray Auth-Type = Pam Menu = menu1 File: radius.info, Node: access.deny file, Next: sqlserver file, Prev: users file, Up: Configuration Files List of Blocked Users -- `raddb/access.deny' ============================================ The `raddb/access.deny' file contains a list of user names which are not allowed to log in via Radius. Each user name is listed on a separate line. As usual, the `#' character introduces an end-of-line comment. File: radius.info, Node: sqlserver file, Next: rewrite file, Prev: access.deny file, Up: Configuration Files SQL Configuration -- `raddb/sqlserver' ====================================== The `raddb/sqlserver' file configures the connection to SQL server. The file uses simple line-oriented `KEYWORD --- VALUE' format. Comments are introduced by `#' character. The `sqlserver' statements can logically be subdivided into following groups: "SQL Client Parameters", configuring the connection between SQL client and the server, "Authentication Server Parameters", "Authorization Parameters", and "Accounting server parameters". * Menu: * SQL Client Parameters:: * Authentication Server Parameters:: * Authorization Parameters:: * Accounting server parameters:: File: radius.info, Node: SQL Client Parameters, Next: Authentication Server Parameters, Up: sqlserver file SQL Client Parameters --------------------- These parameters configure various aspects of connection between SQL client and the server. `interface IFACE-TYPE' Specifies the SQL interface to use. Currently supported values for IFACE-TYPE are `mysql' and `postgres'. Depending on this, the default communication port number is set: it is 3306 for `interface mysql' and 5432 for `interface postgres'. Use of this statement is only meaningful when the package was configured with both `--with-mysql' and `--with-postgres' option. `server STRING' Specifies the hostname or IP address of the SQL server. `port NUMBER' Sets the SQL communicaton port number. It can be omitted if your server uses the default port. `login STRING' Sets the SQL user login name. `password PASSWORD' Sets the SQL user password. `keepopen BOOL' Specify whether `radiusd' should try to keep the connection open. When set to no (the default), `radiusd' will open new connection before the transaction and close it right after finishing it. We recommend setting `keepopen' to `yes' for heavily loaded servers, since opening the new connection can take a substantial amount of time and slow down the operation considerably. `idle_timeout NUMBER' Set idle timeout in seconds for an open SQL connection. The connection is closed if it remains inactive longer that this amount of time. File: radius.info, Node: Authentication Server Parameters, Next: Authorization Parameters, Prev: SQL Client Parameters, Up: sqlserver file Authentication Server Parameters -------------------------------- These parameters configure the SQL authentication. The general syntax is: `doauth BOOL' When set to `yes', enables authentication via SQL. All `auth_' keywords are ignored if `doauth' is set to `no'. `auth_max_connections BOOL' Specifies the maximum number of authentication SQL connections to keep open. This parameter is ignored if `keepopen' is set to `no'. `auth_db STRING' Specifies the name of the database containing authentication information. `auth_query STRING' Specifies the SQL query to be used to obtain user's password from the database. The query should return exactly one string value -- the password. `group_query STRING' Specifies the query that retrieves the list of user groups the user belongs to. This query is used when `Group' or `Group-Name' attribute appears in the LHS of a user's or hint's profile. Example of Authentication Server Parameters ------------------------------------------- Let's suppose the authentication information is kept in the tables `passwd' and `groups'. The `passwd' table contains user passwords. A user is allowed to have different passwords for different services. The table structure is: CREATE TABLE passwd ( user_name varchar(32) binary default '' not null, service char(16) default 'Framed-PPP' not null, password char(64) ); Additionally, the table `groups' contains information about user groups a particular user belongs to. Its structure is: CREATE TABLE groups ( user_name char(32) binary default '' not null, user_group char(32) ); The queries used to retrieve the information from these tables will then look like: auth_query SELECT password FROM passwd WHERE user_name = '%C{User-Name}' AND service = '%C{Auth-Data}' group_query SELECT user_group FROM groups WHERE user_name = '%C{User-Name}' It is supposed, that the information about the particular service a user is wishing to obtain, will be kept in `Auth-Data' attribute in LHS of a user's profile. File: radius.info, Node: Authorization Parameters, Next: Accounting server parameters, Prev: Authentication Server Parameters, Up: sqlserver file Authorization Parameters ------------------------ These parameters define queries used to retrieve the authorization information from the SQL database. All the queries refer to the authentication database. `check_attr_query STRING' This query must return a list of triplets: ATTR-NAME, ATTR-VALUE, OPCODE The query is executed before comparing the request with the profile entry. The values returned by the query are added to LHS of the entry. OPCODE here means one of valid operation codes: `=', `!=', `<', `>', `<=', `>='. `reply_attr_query STRING' This query must return pairs: ATTR-NAME, ATTR-VALUE The query is executed after a successful match, the values it returns are added to the RHS list of the matched entry, and are therefore returned to the NAS in the reply packet. Example of Authorization Parameters ----------------------------------- Suppose your attribute information is stored in a SQL table of the following structure: CREATE TABLE attrib ( user_name varchar(32) default '' not null, attr char(32) default '' not null, value char(128), op enum("=", "!=", "<", ">", "<=", ">=") default null ); Each row of the table contains the attribute-value pair for a given user. If `op' field is `NULL', the row describes LHS (check) pair. Otherwise, it describes a RHS (reply) pair. The authorization queries for this table will look as follows: check_attr_query SELECT attr,value,op \ FROM attrib \ WHERE user_name='%u' \ AND op IS NOT NULL reply_attr_query SELECT attr,value \ FROM attrib \ WHERE user_name='%u' \ AND op IS NULL Now, let's suppose the `raddb/users' contains only one entry: DEFAULT Auth-Type = SQL Service-Type = Framed-User And the `attrib' table contains following rows: user_name attr value op `jsmith' `NAS-IP-Address' `10.10.10.1' `=' `jsmith' `NAS-Port-Id' `20' `<=' `jsmith' `Framed-Protocol' `PPP' `NULL' `jsmith' `Framed-IP-Address' `10.10.10.11' `NULL' Then, when the user `jsmith' is trying to authenticate, the following happens: 1. Radius finds the matching entry (`DEFAULT') in the `raddb/users'. 2. It queries the database using the `check_attr_query'. The triplets it returns are then added to the LHS of the profile entry. Thus, the LHS will contain: Auth-Type = SQL, NAS-IP-Address = 10.10.10.1, NAS-Port-Id <= 20 3. Radius compares the incoming request with the LHS pairs thus obtained. If the comparison fails, it rejects the authentication. _Please note_, that the `Auth-Type' attributes itself triggers execution of `auth_query', described in the previous section. 4. After a successful authentication, Radius queries the database, using `reply_attr_query', and adds its return to the list of RHS pairs. The RHS pairs will then be: Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 10.10.10.11 This list is returned to the NAS along with the authentication accept packet. Thus, this configuration allows the user `jsmith' to use only NAS 10.10.10.1, ports from 1 to 20 inclusive. If the user meets these conditions, he is allowed to use PPP service, and is assigned IP address `10.10.10.11'. File: radius.info, Node: Accounting server parameters, Prev: Authorization Parameters, Up: sqlserver file Accounting Parameters --------------------- To perform the SQL accounting `radiusd' needs to know the database where it is to store the accounting information. This information is supplied by the following statements: `doacct BOOL' When set to `yes' enables SQL accounting. All `acct_' keywords are ignored if `doacct' is set to `no'. `acct_db STRING' Specifies the name of the database where the accounting information is to be stored. `acct_max_connections NUMBER' Specifies the maximum number of accounting SQL connections to keep open. This parameter is ignored if `keepopen' is set to `no'. Further, `radiusd' needs to know which information it is to store into the database and when. Each of five accounting request types (*note Accounting Requests::) has a SQL query associated with it. Thus, when radius receives an accounting request, it determines the query to use by the value of `Acct-Status-Type' attribute. Following statemens define the accounting queries: `acct_start_query STRING' Specifies the SQL query to be used when "Session Start Packet" is received. Typically, this would be some `INSERT' statement (*note Queries::). `acct_stop_query STRING' Specifies the SQL query to be used when "Session Stop Packet" is received. Typically, this would be some `UPDATE' statement. `acct_stop_query STRING' Specifies the SQL query to be executed upon arrival of a "Keepalive Packet". Typically, this would be some `UPDATE' statement. `acct_nasup_query STRING' Specifies the SQL query to be used upon arrival of an "Accounting Off Packet". `acct_nasdown_query STRING' Specifies the SQL query to be used when a NAS sends "Accounting On Packet". None of these queries should return any values. * Menu: * Queries:: Writing SQL acounting query templates. File: radius.info, Node: Queries, Up: Accounting server parameters Writing SQL Accounting Query Templates ...................................... Let's suppose you have an accounting table of the following structure: CREATE TABLE calls ( status int(3), user_name char(32), event_date_time datetime DEFAULT '0000-00-00 00:00:00' NOT NULL, nas_ip_address char(17), nas_port_id int(6), acct_session_id char(16) DEFAULT '' NOT NULL, acct_session_time int(11), acct_input_octets int(11), acct_output_octets int(11), connect_term_reason int(4), framed_ip_address char(17), called_station_id char(32), calling_station_id char(32) ); On receiving the "Session Start Packet" we would insert a record into this table with `status' set to 1. At this point the columns `acct_session_time', `acct_input_octets', `acct_output_octets' as well as `connect_term_reason' are unknown, so we will set them to 0: # Query to be used on session start acct_start_query INSERT INTO calls \ VALUES(%C{Acct-Status-Type},\ '%u',\ '%G',\ '%C{NAS-IP-Address}',\ %C{NAS-Port-Id},\ '%C{Acct-Session-Id}',\ 0,\ 0,\ 0,\ 0,\ '%C{Framed-IP-Address}',\ '%C{Called-Station-Id}',\ '%C{Calling-Station-Id}') Then, when the "Session Stop Packet" request arrives we will look up the record having `status' = 1, `user_name' matching the value of `User-Name' attribute, and `acct_session_id' matching that of `Acct-Session-Id' attribute. Once the record is found, we will update it, setting status = 2 acct_session_time = value of Acct-Session-Time attribute acct_input_octets = value of Acct-Input-Octets attribute acct_output_octets = value of Acct-Output-Octets attribute connect_term_reason = value of Acct-Terminate-Cause attribute Thus, every record with `status' = 1 will represent the active session and every record with `status' = 2 will represent the finished and correctly closed record. The constructed `acct_stop_query' is then: # Query to be used on session end acct_stop_query UPDATE calls \ SET status=%C{Acct-Status-Type},\ acct_session_time=%C{Acct-Session-Time},\ acct_input_octets=%C{Acct-Input-Octets},\ acct_output_octets=%C{Acct-Output-Octets},\ connect_term_reason=%C{Acct-Terminate-Cause} \ WHERE user_name='%C{User-Name}' \ AND status = 1 \ AND acct_session_id='%C{Acct-Session-Id}' Upon receiving a "Keepalive Packet" we will update the information stored with `acct_start_query': acct_alive_query UPDATE calls \ SET acct_session_time=%C{Acct-Session-Time},\ acct_input_octets=%C{Acct-Input-Octets},\ acct_output_octets=%C{Acct-Output-Octets},\ framed_ip_address=%C{Framed-IP-Address} \ WHERE user_name='%C{User-Name}' \ AND status = 1 \ AND acct_session_id='%C{Acct-Session-Id}' Further, there may be times when it is necessary to bring some NAS down. To correctly close the currently active sessions on this NAS we will define a `acct_nasdown_query' so that it would set `status' column to 2 and update `acct_session_time' in all records having `status' = 1 and `nas_ip_address' equal to IP address of the NAS. Thus, all sessions on a given NAS will be closed correctly when it brought down. The `acct_session_time' can be computed as difference between the current time and the time stored in `event_date_time' column: # Query to be used when a NAS goes down, i.e. when it sends # Accounting-Off packet acct_nasdown_query UPDATE calls \ SET status=2,\ acct_session_time=unix_timestamp(now())-\ unix_timestamp(event_date_time) \ WHERE status=1 \ AND nas_ip_address='%C{NAS-IP-Address}' We have not covered only one case: when a NAS crashes, e.g. due to a power failure. In this case it does not have a time to send `Accounting-Off' request and all its records remain open. But when the power supply is restored, the NAS will send an "Accounting On packet", so we define a `acct_nasup_query' to set `status' column to 3 and update `acct_session_time' in all open records belonging to this NAS. Thus we will know that each record having `status' = 3 represents a crashed session. The query constructed will be: # Query to be used when a NAS goes up, i.e. when it sends # Accounting-On packet acct_nasup_query UPDATE calls \ SET status=3,\ acct_session_time=unix_timestamp(now())-\ unix_timestamp(event_date_time) \ WHERE status=1 \ AND nas_ip_address='%C{NAS-IP-Address}' File: radius.info, Node: rewrite file, Next: menus file, Prev: sqlserver file, Up: Configuration Files Rewrite functions -- `raddb/rewrite' ==================================== The file `raddb/rewrite' contains definitions of Rewrite extension functions. For information regarding Rewrite extension language *Note Rewrite::. File: radius.info, Node: menus file, Next: Macro Substitution, Prev: rewrite file, Up: Configuration Files Login Menus -- `raddb/menus' ============================ The menus is a way to allow user the choice between various services he could be provided. The menu functionality is enabled when Radius is compiled with `--enable-livingston-menus' option. A user is presented a menu after it is authenticated if the RHS of his profile record consists of a single A/V pair in the form: Menu = The menu files are stored in directory `raddb/menus'. * Menu: * Syntax: menu syntax. A menu file syntax. * Example: menu example. An example of menu files. File: radius.info, Node: menu syntax, Next: menu example, Up: menus file A menu file syntax. ------------------- A menu file is a text file containing a menu declaration and any number of choice descriptions. The menus can be nested to an arbitrary depth. A comment is introduced by a `#' character. All characters from this one up to the end of line are discarded. The menu declaration is contained between the words `menu' and `end'. Each of these must be the only word on a line and must start in column 1. Choice descriptions follow the menu declaration. Each description starts with a line containing choice identifier. A choice identifier is an arbitrary word identifying this choice, or a word `DEFAULT'. It is followed by comma-separated list of A/V pairs which will be returned to the server when a user selects this choice. File: radius.info, Node: menu example, Prev: menu syntax, Up: menus file An example of menu files ------------------------ Single-Level Menu ================= Suppose the following file is stored under `raddb/menus/menu1': menu *** Welcome EEE user! *** Please select an option: 1. Start CSLIP session 2. Start PPP session 3. Quit Option: end # CSLIP choice # Framed-IP-Address of 255.255.255.254 indicates that the NAS should # select an address for the user from its own IP pool. 1 Service-Type = Framed-User, Framed-Protocol = SLIP, Framed-IP-Address = 255.255.255.254, Termination-Menu = "menu1" # PPP choice 2 Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Termination-Menu = "menu1" # A special menu EXIT means abort the session 3 Menu = "EXIT" # Return to this menu if no valid choice have been entered DEFAULT Menu = "menu1" Now, suppose the `raddb/users' contains the following profile entry: DEFAULT Auth-Type = System Menu = "menu1" and user `jsmith' has a valid system account and tries to log in from some NAS. Upon authenticating the user, the Radius server sees that his reply pairs contain the `Menu' attribute. Radius then sends Access-Challenge packet to the NAS with the text of the menu in it. The `jsmith' then sees on his terminal: *** Welcome EEE user! *** Please select an option: 1. Start CSLIP session 2. Start PPP session 3. Quit Option: He then enters `2'. The NAS sends the Access-Request packet to the server, which sees that user wishes to use option 2 and replies to the NAS with an Access-Accept packet containing the following attributes: Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Termination-Menu = "menu1" The `Termination-Menu' in this list makes sure the same process will continue when `jsmith' logs out, i.e. he will be presented the same menu again until he enters choice `3' which will disconnect him. Nested menus ============ In this example, the `other' choice refers to the menu above. menu *** Welcome here! *** Please enter an option: ppp --- Start PPP session telnet --- Begin guest login session other --- Select other option Enter your choice: end ppp Service-Type = Framed-User, Framed-Protocol = PPP telnet Service-Type = Login-User, Login-IP-Host = 10.11.11.7, Login-Service = Telnet, Login-TCP-Port = 23 other Menu = "menu1" DEFAULT menu = "menu2" File: radius.info, Node: Macro Substitution, Prev: menus file, Up: Configuration Files Macro Substitution ================== Some statements in the configuration files need to use the actual values of the attributes supplied with the request. These are: * `Exec-Program' and `Exec-Program-Wait' assignments in `users' database * SQL query templates in `sqlserver' In these statements the following macros are replaced by the value of corresponding attributes: `%Cnum' (num is a decimal number). This variable is replaced by the value of attribute number `num'. The attribute is looked up in the incoming request pairlist. `%C{attr-name}' This is replaced by the value of attribute named `attr-name'. The attribute is looked up in the incoming request pairlist. `%Rnum' (num is a decimal number). This variable is replaced by the value of attribute number `num'. The attribute is looked up in the reply pairlist. `%R{attr-name}' This is replaced by the value of attribute named `attr-name'. The attribute is looked up in the reply pairlist. `%D' This is replaced by current date/time (localtime). `%G' This is replaced by current date/time in GMT. The "`{}' form" allows to specify default value for the substitution. The default value will be used when no such attribute is encountered in the pairlist. The syntax for specifying the default value resembles that of shell environment variables. The substitution `%C{ATTR-NAME:-DEFVAL}' is expanded to the value of ATTR-NAME attribute, if it is present in the request pairlist, and to DEFVAL otherwise. For example: %C{Acct-Session-Time:-0} will return the value of Acct-Session-Time attribute or 0 if it doesn't exist in the request pairlist. The substitition `%C{ATTR-NAME:=DEFVAL}' is expanded to the value of ATTR-NAME attribute. If this attribute is not present in the request pairlist, it will be created and assigned the value DEFVAL. E.g.: %C{Acct-Session-Time:=0} The substitution `%C{ATTR-NAME:?MESSAGE}' is expanded to the value of ATTR-NAME attribute, if it is present. Otherwise the diagnostic message "ATTR-NAME: MESSAGE" is issued to the log error channel, and string "MESSAGE" is returned. The substitition `%C{ATTR-NAME:+RETVAL}' is expanded to empty string if the attribute ATTR-NAME is present in the referenced pairlist. Othervise it is expanded to RETVAL. You can also use the following shortcuts: `%p' Port number `%n' NAS IP address `%f' Framed IP address `%u' User name `%c' Callback-Number `%i' Calling-Station-Id `%t' MTU `%a' Protocol (SLIP/PPP) `%s' Speed (Connect-Info attribute) File: radius.info, Node: Authentication, Next: Accounting, Prev: Configuration Files, Up: Top Authentication ************** An "Authentication Type" specifies which credentials the user is required to supply in order to be authenticated and where the user's authentication data are stored. It is defined by the value of `Auth-Type' attribute in LHS of a `users' entry. * Menu: * Accept Auth:: Accept unconditionally. * Reject Auth:: Reject unconditionally. * Local Password Auth:: Authenticate using plaintext password. * Encrypted Password Auth:: Authenticate using MD5 encrypted password. * System Auth:: Authenticate using system account. * SQL Auth:: Authenticate using SQL. * PAM Auth:: Authenticate using PAM. * Custom Auth:: Defining Custom Authentication Types. * Checking Simultaneous Logins:: File: radius.info, Node: Accept Auth, Next: Reject Auth, Up: Authentication Accept Authentication Type ========================== "Accept" is the simplest authentication type. Users with this authentication type will be authenticated successfully without checking any credentials. Actually this means that only username is required for authentication. This authentication type is used for each `users' entry, whose LHS contains Auth-Type = Accept This authentication type can be used for guest accounts, e.g. the following profile in `users': guest Auth-Type = Accept, Password != "", Simultaneous-Use = 10 Service-Type = Framed-User, Framed-Protocol = PPP allows up to 10 simultaneous guest PPP accounts. To log in using such guest account it is sufficient to use username `guest' and any non-empty password. File: radius.info, Node: Reject Auth, Next: Local Password Auth, Prev: Accept Auth, Up: Authentication Reject Authentication Type ========================== The "Reject" authentication type causes the request to be rejected unconditionally. It can be used to disable a user account (For another method of disabling user accounts, *note access.deny file::). This authentication type is used for each `users' entry, whose LHS contains Auth-Type = Reject File: radius.info, Node: Local Password Auth, Next: Encrypted Password Auth, Prev: Reject Auth, Up: Authentication Local Password Authentication Type ================================== The "Local Password" authentication type allows to keep plaintext user passwords. Although the use of this authentication type is strongly discouraged for security reasons, this is the only authentication type that can be used with CHAP authentication. There are two ways of using this authentication type Specifying Passwords in users File. ----------------------------------- To keep the plaintext passwords in `users' file, the profile entry must follow this pattern: USER-NAME Auth-Type = Local, Password = PLAINTEXT The PLAINTEXT is the user's plaintext password. Obviously, USER-NAME may not be `DEFAULT' nor `BEGIN'. Specifying Passwords in SQL Database. ------------------------------------- USER-NAME Auth-Type = Local, Password-Location = SQL When the user is authenticated using such profile, its password is retrieved from the authentication database using `auth_query'. The configuration of SQL authentication is described in detail in *Note Authentication Server Parameters::. File: radius.info, Node: Encrypted Password Auth, Next: System Auth, Prev: Local Password Auth, Up: Authentication Encrypted Password Authentication Type ====================================== The "Encrypted Password" type allows to keep user's passwords encrypted via DES or MD5 algorythm. There are two ways of using this authentication type. Specifying Passwords in users File. ----------------------------------- USER-NAME Auth-Type = Crypt-Local, Password = CRYPT-PASS The `Crypt-Password' is a shortcut for the above notation: USER-NAME Crypt-Password = CRYPT-PASS Specifying Passwords in SQL Database. ------------------------------------- USER-NAME Auth-Type = Crypt-Local, Password-Location = SQL Using this profile, the user's password is retrieved from the authentication database using `auth_query'. The configuration of SQL authentication is described in detail on *Note Authentication Server Parameters::. The shortcut for this notation is `Auth-Type = SQL'. In any case, the passwords used with this authentication type must be either DES or MD5 hashed. File: radius.info, Node: System Auth, Next: SQL Auth, Prev: Encrypted Password Auth, Up: Authentication System Authentication Type ========================== The "System" authentication type requires that the user have a valid system account on the machine where the radius server is running. The use of this type is triggered by setting Auth-Type = System in the LHS of a `users' entry. File: radius.info, Node: SQL Auth, Next: PAM Auth, Prev: System Auth, Up: Authentication SQL Authentication Type ======================= Setting `Auth-Type = SQL' or `Auth-Type = Mysql' in the LHS of a `users' entry is a synonim for Auth-Type = Crypt-Local, Password-Location = SQL and is provided as a shortcut and for backward compatibility with previous versions of GNU Radius. For description of SQL authentication, *Note Encrypted Password Auth::. The configuration of SQL subsystem is described in *Note sqlserver file::. File: radius.info, Node: PAM Auth, Next: Custom Auth, Prev: SQL Auth, Up: Authentication PAM Authentication Type ======================= "PAM" authentication type indicates that a user should be authenticated using PAM (Pluggable Authentication Module) framework. The simplest way of usage is: Auth-Type = PAM Any user whose `users' profile contains the above, will be authenticated via PAM, using service name `radius'. If you wish to use another service name, set it using `Auth-Data' attribute, e.g.: Auth-Type = PAM, Auth-Data = PAM-SERVICE File: radius.info, Node: Custom Auth, Next: Checking Simultaneous Logins, Prev: PAM Auth, Up: Authentication Defining Custom Authentication Types ==================================== The are three ways to define custom authentication types: 1. Write a PAM module. 2. Use a Guile procedure. 3. Use an external program You can write a PAM module implementing the new authentication type. Then, specifying `Auth-Type = PAM' allows to apply it (*note PAM Auth::). Alternatively, you may write a Scheme procedure implementing the new authentication type. To apply it, use `Scheme-Procedure' attribute in RHS. The `Auth-Type = Accept' can be used in LHS if the whole authentication burden is to be passed to the Scheme procedure. For example, if one wrote a procedure `my-auth', to apply it to all users, one will place the following profile in his `users' file: DEFAULT Auth-Type = Accept Scheme-Procedure = "my-auth" For a discussion of how to write Scheme authentication procedures, *Note Authentication with Scheme::. The third way to implemement your own authentication method is using an external program. This is less effective than the methods described above, but may be necessary sometimes. To invoke the program, use the following statement in the RHS of `users' entry: Exec-Program-Wait = "PROGNAME ARGS" The PROGNAME must be the full path to the program, ARGS -- any arguments it needs. The usual substitutions may be used in ARGS to pass any request attributes to the program (*note Macro Substitution::). For a detailed description of `Exec-Program-Wait' attribute and an example of its use, *Note Exec-Program-Wait::. File: radius.info, Node: Checking Simultaneous Logins, Prev: Custom Auth, Up: Authentication Checking Simultaneous Logins ============================ The number of sessions a user can have open simultaneously can be restricted by setting `Simultaneous-Use' attribute in the user's profile LHS (*note Simultaneous-Use::). By default the number of simultaneous sessions is unlimited. When a user with limited number of simultaneous logins authenticates himself, Radius first counts the number of the sessions that are already opened by this user. If this number is equal to the value of `Simultaneous-Use' attribute the authentication request is rejected. To determine the number of open sessions, Radius scans the `radlog/radutmp' for any open entries marked with the user's login name *Note UNIX Accounting::. Such entries are created when Radius receives an Accounting-Request packet with `Acct-Status-Type' attribute set to `Start'. An entry is marked closed when a corresponding Accounting-Request packet arrives with `Acct-Status-Type' attribute set to `Stop'. Since an open entry might be a result of missing `Stop' packet, Radius queries the NAS whether the session listed in the entry is currently active. If the NAS replies positive, the session count is incremented, if it replies negative, such entry is marked as closed and is not counted. There may also be cases when the NAS is unreachable due to some reasons. In such cases the Radius behavior is determined by the value of `checkrad-assume-logged' in `config' file *Note auth statement (raddb/config): auth. If the value is `yes', Radius assumes the session is still active and increases the session count, otherwise it proceeds as if the NAS returned negative reply. To query a NAS, Radius first looks up its type and additional parameters in `naslist' file (*note naslist file::). If the NAS type is `true', Radius acts as if the NAS returned 1, if the type is `false', it acts as if the NAS returned 0, otherwise it looks up the entry in the `nastypes' which has matching type (*note nastypes file::). If such entry does not exist, Radius issues the error message and acts accordingly to the value of configuration variable `checkrad-assume-logged'. Otherwise, Radius determines the query method to use from the second field of this entry, and constructs its arguments by appending arguments from the `naslist' entry to those of `nastypes' entry. _Please note_, that the former take precedence over the latter, and can thus be used to override default values specified in `nastypes'. Having determined the query method and its argument, Radius queries NAS and analyzes its output by invoking a user-supplied Rewrite function. The function to use is specified by the `function=' argument to the method. It is called each time a line of output is received from the NAS (for finger queries) or a variable is received (for SNMP queries). The process continues until the function returns 1 or the last line of output is read or a timeout occurs whichever comes first. If the user-function returns 1 it is taken to mean the user's session is now active at the NAS, otherwise, if it replies 0 or if the end of output is reached, it is taken to mean the user's session is not active. The syntax conventions for user-supplied functions are described in detail in *Note Login Verification Functions::. File: radius.info, Node: Accounting, Next: Logging, Prev: Authentication, Up: Top Accounting ********** By default GNU Radius supports three types of accounting. Any additional accounting methods can be defined using extension mechanisms. The accounting methods are applied to a request in a following sequence: 1. UNIX Accounting 2. Detailed Request Accounting 3. SQL Accounting 4. Custom Accounting In this sequence, only "UNIX Accounting" is obligatory, all other methods are applied only when enabled. If any accounting type in this sequence fails, the accounting is deemed to fail and all subsequent methods are not invoked. * Menu: * UNIX Accounting:: UNIX style utmp/wtmp accounting. * Detailed Request Accounting:: Detailed requests. * SQL Accounting:: Accounting to SQL server. * Custom Acct:: Defining Custom Accounting Types. File: radius.info, Node: UNIX Accounting, Next: Detailed Request Accounting, Up: Accounting UNIX Accounting =============== This accounting method is always enabled. Radius keeps files `radutmp' and `radwtmp' in its logging directory and stores the accounting data there. The utilities `radwho' and `radlast' can be used to list information about users' sessions. File: radius.info, Node: Detailed Request Accounting, Next: SQL Accounting, Prev: UNIX Accounting, Up: Accounting Detailed Request Accounting =========================== Radius stores the detailed information about accounting packets it receives in files `radacct/NASNAME/detail' (*note Naming Conventions::), where NASNAME is replaceed with the short name of the NAS from the `raddb/naslist' file (*note naslist file::). By default, this accounting type is always enabled, provided that `radacct' directory exists and is writable (*note Naming Conventions::). To turn the detailed accounting off, use `detail' statement in `config' file. For more information about it, *Note acct::. The accounting detail files consist of a record per each accounting request. A record includes the timestamp and detailed dump of attributes from the packet, e.g.: Fri Dec 15 18:00:24 2000 Acct-Session-Id = "2193976896017" User-Name = "e2" Acct-Status-Type = Start Acct-Authentic = RADIUS Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = 11.10.10.125 Calling-Station-Id = "+15678023561" NAS-IP-Address = 11.10.10.11 NAS-Port-Id = 8 Acct-Delay-Time = 0 Timestamp = 976896024 Request-Authenticator = Unverified Fri Dec 15 18:32:09 2000 Acct-Session-Id = "2193976896017" User-Name = "e2" Acct-Status-Type = Stop Acct-Authentic = RADIUS Acct-Output-Octets = 5382 Acct-Input-Octets = 7761 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = 11.10.10.125 Acct-Session-Time = 1905 NAS-IP-Address = 11.10.10.11 NAS-Port-Id = 8 Acct-Delay-Time = 0 Timestamp = 976897929 Request-Authenticator = Unverified File: radius.info, Node: SQL Accounting, Next: Custom Acct, Prev: Detailed Request Accounting, Up: Accounting SQL Accounting ============== The SQL accounting method is enabled when Radius is configured with `--enable-sql' option and `sqlserver' file in its configuration directory is properly set up (*note sqlserver file::). This version of GNU Radius (0.96) supports MySQL and PostgreSQL servers. Support for Oracle servers will be added in the nearest future. With this accounting method enabled, `radiusd' will store the information about accounting requests in the configured SQL database. The accounting method is fully configurable: the Radius administrator defines both the types of requests to be accounted and the information to be stored into the database. (*note sqlserver file::). File: radius.info, Node: Custom Acct, Prev: SQL Accounting, Up: Accounting Defining Custom Accounting Types. ================================= If the built-in accounting methods do not meet your requirements, you can implement your own accounting methods. There are two ways for doing so: 1. Using a Guile procedure. 2. Using an external program To use a Guile procedure for accounting, the name of the procedure must be specified as a value to `Scheme-Acct-Procedure' attribute in RHS list of a `hints' entry, e.g.: DEFAULT NULL Scheme-Acct-Procedure = "my-acct" For a detailed description of Scheme accounting procedures, *Note Accounting with Scheme::. Another way of implemementing your own accounting method is using an external program. This is less effective than the methods described above, but may be necessary sometimes. To invoke the program, use the following statement in the LHS of `hints' entry: Acct-Ext-Program = "PROGNAME ARGS" The PROGNAME must be the full path to the program, ARGS -- any arguments it needs. The usual substitutions may be used in ARGS to pass any request attributes to the program (*note Macro Substitution::). For a detailed description of `Acct-Ext-Program', *Note Acct-Ext-Program::. File: radius.info, Node: Logging, Next: Debugging, Prev: Accounting, Up: Top Logging ******* GNU Radius reports every event worth mentioning. The events are segregated by their severity level. Radius discerns the following levels (in order of increasing severity): `Debug' The debug messages *Note Debugging::. `Auth' Under this level every authentication attempt is logged. This is enabled by setting level auth; in `category auth' statement of `config' file. `Proxy' Messages regarding proxy requests (*note Proxying::). `Info' Informational messages. `Notice' Normal, but significant conditions. `Warning' Warning conditions. These mean some deviations from normal work. `Error' Error conditions. Usually these require special attention. `CRIT' Critical conditions due to which Radius is no longer able to continue working. These require urgent actions from the site administrator. By default, all messages in all levels are output to file `radlog/radius.log'. In addition, messages in level `CRIT' are also duplicated to the system console. These defaults can be overridden using `logging' statement in `raddb/config' file (*Note logging statement: logging, for the description of logging statement syntax, *note Naming Conventions:: for information about the locations of different radius configuration files). File: radius.info, Node: Debugging, Next: Extensions, Prev: Logging, Up: Top Debugging ********* GNU Radius provides extensive debugging features. These are enabled either by `-x' command option to the `radiusd' *Note Invocation::, or by `level' statement in debug category *Note logging statement: logging. Both cases require as an argument a valid debug specification. A debug specification sets the module for which the debugging should be enabled and debugging level. The higher the level is, the more detailed information is provided. The module name and level are separated by an equal sign. If the level is omitted, the highest possible level (100) is assumed. The module name may be abbreviated to first N characters, in which case the first matching module is selected. Several such specifications can be specified, in which case they should be separated by a comma. For example, the following is a valid debug specification: proxy.c=10,files.c,config.y=1 It sets debug level 10 for module `proxy.c', level 100 for `files.c', and 1 for `config.y'. The modules and debugging levels are subject to change from release to release. File: radius.info, Node: Extensions, Next: Utility Programs, Prev: Debugging, Up: Top Extensions ********** The use of extension language allows to extend the functionality of GNU Radius without having to modify its source code. The two extension languages supported are Rewrite and Scheme. Use of Rewrite is always enabled. Use of Scheme requires Guile version 1.4 or higher. * Menu: * Rewrite:: The built-in extension language. * Guile:: Using Scheme. File: radius.info, Node: Rewrite, Next: Guile, Up: Extensions Rewrite ======= Rewrite is the GNU Radius extension language. Its name reflects the fact that it was originally designed to rewrite the broken request packets, so they could be processed as usual (*note Rewriting Incoming Requests::). Beside this basic use, however, Rewrite functions are used in verifying the activity of user sessions (*note Checking Simultaneous Logins::). * Menu: * Syntax Overview:: * Quick Start:: * Interaction with Radius:: * Rewriting Incoming Requests:: * Login Verification Functions:: * Attribute Creation Functions:: * Full Syntax Description:: File: radius.info, Node: Syntax Overview, Next: Quick Start, Up: Rewrite Syntax Overview --------------- Rewrite syntax resembles that of C. Rewrite has two basic data types: integer and string. It does not have global variables, all variables are automatic. The only exception are the A/V pairs from the incoming request, which are accessible to Rewrite functions via special notation `%[ATTR]'. File: radius.info, Node: Quick Start, Next: Interaction with Radius, Prev: Syntax Overview, Up: Rewrite Quick Start ----------- As an example, let's consider the following Rewrite function: string foo(integer i) { string rc; if (i % 2) rc = "odd"; else rc = "even"; return "the number is " + rc; } The function takes an integer argument and returns string "the number is odd" or "the number is even", depending on the value of I. This illustrates the fact that in Rewrite the addition operator is defined on the string type. The result of such operation is the concatenation of operands. Another example is a function that adds a prefix to the `User-Name' attribute: integer px_add() { %[User-Name] = "pfx-" + %[User-Name]; return 0; } The function manipulates the contents of the incoming request, its return value has no special meaning. File: radius.info, Node: Interaction with Radius, Next: Rewriting Incoming Requests, Prev: Quick Start, Up: Rewrite Interaction with Radius ----------------------- A Rewrite function can be invoked in several ways, depending on its purpose. There are three major kinds of Rewrite functions: * Functions used to rewrite the incoming requests. * Functions designed for simultaneous login verification. * Functions used to generate RADIUS attribute values. File: radius.info, Node: Rewriting Incoming Requests, Next: Login Verification Functions, Prev: Interaction with Radius, Up: Rewrite Rewriting Incoming Requests --------------------------- The need of rewriting the incoming requests arises from the fact that some NASes are very particular about the information they send with the requests. There are cases when the information they send is hardly usable or even just unusable. For example, a Cisco AS5300 terminal server used as a voice over IP router packs a lot of information into its `Acct-Session-Id' attribute. Though the information stored there is otherwise relevant, it makes proper accounting impossible since the `Acct-Session-Id' attributes in the start and stop packets of the same session become different, and thus Radius cannot determine the "Session Start" to which the given "Session Stop" request corresponds (*note Acct-Session-Id::). In order to cope with such NASes, GNU Radius is able to invoke a Rewrite function upon arrival of the packet and before further processing it. This function can transform the packet so, that it obtains the form prescribed by RFCs and its further processing becomes possible. For example, in the case of AS5300 router, a corresponding rewrite function parses the `Acct-Session-Id' attribute, breaks it down into fields, stores them into proper attributes, creating them if necessary, and, finally replaces `Acct-Session-Id' with its real value, which is the same for start and stop records corresponding to a single session. Thus all the information that came with the packet is preserved, but the packet itself is made usable for proper accounting. A special attribute, `Rewrite-Function', is used to trigger invocation of a Rewrite function. Its value is a name of the function to be invoked. When used in a `naslist' profile, the attribute causes the function to be invoked when the incoming request matches the huntgroup (*note Huntgroups::). For example, to have a function `fixup' invoked for each packet from the NAS `10.10.10.11', the following huntgroup rule may be used: DEFAULT NAS-IP-Address = 11.10.10.11 Rewrite-Function = "fixup" The `Rewrite-Function' attribute may also be used in a `hints' rule. In this case, it will invoke the function if the request matches the rule (*note Hints::). For example, this `hints' rule will cause the function to be invoked for each request containing the username starting with `P': DEFAULT Prefix = "P" Rewrite-Function = "fixup" _Please note_, that in both cases the attribute can be used either in LHS or in RHS pairs of a rule. The packet rewrite function must be declared as having no arguments, and returning integer value: integer fixup() { } The actual return value from such a function is ignored, the integer return type is just a matter of convention. The following subsection present some examples of packet rewriting functions. * Menu: * Example: Rewrite Examples. File: radius.info, Node: Rewrite Examples, Up: Rewriting Incoming Requests Examples of Various Rewrite Functions. ...................................... The examples found in this chapter are working functions that can be used with various existing NAS types. They are taken from the `rewrite' file contained in distribution of GNU Radius. 1. Port rewriting for MAX Ascend terminal servers ------------------------------------------------- Some MAX Ascend terminal servers pack additional information into `NAS-Port-Id' attribute. The port number is constructed as XYYZZ, where X = 1 for digital, X = 2 for analog, YY is line number (1 for first PRI/T1/E1, 2 for second, so on), and ZZ = channel number (on the PRI or Channelized T1/E1). The following rewrite functions are intended to compute the integer port number in the range (1 .. PORTCNT), where PORTCNT represents the real number of physical ports available on the NAS. Such port number can be used, for example, with `Add-Port-To-IP-Address' attribute (*note Add-Port-To-IP-Address::). /* * decode MAX port number * input: P -- The value of NAS-Port-Id attribute * portcnt -- number of physical ports on the NAS */ integer max_decode_port(integer P, integer portcnt) { if (P > 9999) { integer s, l, c; s = P / 10000; l = (P - (10000 * s))/100; c = P - ((10000 * s) + (100 * l)); return (c-1) + (l-1) * portcnt; } return P; } /* * Interface function for MAX terminal server with 23 ports. * Note that it saves the received NAS-Port-Id attribute in the * Orig-NAS-Port-Id attribute. The latter must be defined somewhere * in the dictionary */ integer max_fixup() { %[Orig-NAS-Port-Id] = %[NAS-Port-Id]; # Preserve original data %[NAS-Port-Id] = max_decode_port(%[NAS-Port-Id], 23); return 0; } 2. Session ID parsing for Cisco AS 5300 series ---------------------------------------------- Cisco VOIP IOS encodes a lot of other information into its `Acct-Session-Id'. The pieces of information are separated by `/' character. The part of `Acct-Session-Id' up to first `/' character is the actual session ID. On the other hand, its accounting packets lack `NAS-Port-Id', though they may contain the vendor-specific pair with code 2 (vendor PEC 9), which is the string in the form `ISDN 9:D:999' (`9' represents a decimal digit). The number after the last `:' character can be used as a port number. The following code parses `Acct-Session-Id' attribute and stores the information it contains in various other attributes, generates normal `Acct-Session-Id' and attempts to generate `NAS-Port-Id' attribute. /* * The port rewriting function for Cisco AS5300 used for VoIP. * This function is used to generate NAS-Port-Id pair on the basis * of vendor-specific pair 2. If the latter is in the form * "ISDN 9:D:999" (where each 9 represents a decimal digit), then * the function returns the number after the last colon. This is * used as a port number. */ integer cisco_pid(string A) { if (A =~ ".*\([0-9][0-9]*\):[A-Z0-9][A-Z0-9]*:\([0-9][0-9]*\)") { return (integer)\2; } return -1; } /* * This function parses the packed session id. * The actual sid is the number before the first slash character. * Other possibly relevant fields are also parsed out and saved * in the Voip-* A/V pairs. The latter should be defined somewhere * in the dictionary. * Please note, that the regular expression in this example * spans several lines for readability. It should be on one * line in real file. */ string cisco_sid(string S) { if (S =~ "\(.[^/]*\)/[^/]*/[^/]*/\([^/]*\)/\([^/]*\)/ \([^/]*\)/\([^/]*\)/\([^/]*\)/\([^/]*\) /\([^/]*\).*") { %[Voip-Connection-ID] = \2; %[Voip-Call-Leg-Type] = \3; %[Voip-Connection-Type] = \4; %[Voip-Connect-Time] = \5; %[Voip-Disconnect-Time] = \6; %[Voip-Disconnect-Cause] = \7; %[Voip-Remote-IP] = \8; return \1; } return S; } /* * Normalize cisco AS5300 packets */ integer cisco_fixup() { integer pid; if ((pid = cisco_pid(%[Cisco-PRI-Circuit])) != -1) { if (*%[NAS-Port-Id]) %[Orig-NAS-Port-Id] = %[NAS-Port-Id]; %[NAS-Port-Id] = pid; } if (*%[Acct-Session-Id]) { %[Orig-Acct-Session-Id] = %[Acct-Session-Id]; %[Acct-Session-Id] = cisco_sid(%[Acct-Session-Id]); } return 0; } 3. Username rewriting for NT machines. -------------------------------------- Users coming from Windows NT machines often authenticate themselves as `NT_DOMAIN\username'. The following function selects the username part and stores it in the `User-Name' attribute: integer login_nt(string uname) { integer i; if ((i = index(uname, '\\')) != -1) return substr(uname, i+1, -1); return uname; } integer nt_rewrite() { %[Orig-User-Name] = %[User-Name]; %[User-Name] = login_nt(%[User-Name]); return 0; } File: radius.info, Node: Login Verification Functions, Next: Attribute Creation Functions, Prev: Rewriting Incoming Requests, Up: Rewrite Login Verification Functions ---------------------------- A login verification function is invoked to process the output from the NAS. This process is described in *Note Checking Simultaneous Logins::. The function to be invoked for given NAS is defined by `function' flag in `raddb/nastypes' or `raddb/naslist' files (*note nastypes file::). It must be defined as follows: integer check(string str, string name, integer pid, string sid) { } Its arguments are: STR Input string. If the query method is `finger', this is the string of output received from the NAS with trailing newline stripped off. If the query method is `snmp', this is the received variable value converted to its string representation. NAME User name. PID Port Id of the session. SID Session ID. The function should return non-0 if its arguments match user's session and 0 otherwise. * Menu: * Example: Examples of login verification functions. File: radius.info, Node: Examples of login verification functions, Up: Login Verification Functions Examples of login verification functions ........................................ As an example, let's consider the function for analyzing a line line of output from a standard UNIX finger service. In each line of finger output the first field contains username, the third field -- tty number (Port ID), and the seventh field contains session ID. The function must return 1 if the three fields match the input user name, port and session IDs. integer check_unix(string str, string name, integer pid, string sid) { return field(str, 1) == name && field(str, 3) == pid && field(str, 7) == sid; } Next example is a function to analyze a line of output from an SNMP query returning a user name. This function must return 1 if entire input line matches the user name. integer check_username(string str, string name, integer pid, string sid) { return str == name; } File: radius.info, Node: Attribute Creation Functions, Next: Full Syntax Description, Prev: Login Verification Functions, Up: Rewrite Attribute Creation Functions ---------------------------- These are the functions, used to create RADIUS reply attributes. An attribute creation function can take any number of arguments. The type of its return is determined by the type of RADIUS attribute the value will be assigned to. To invoke the function, write its name in the A/V pair of RHS in `raddb/users' file, e.g.: DEFAULT Auth-Type = SQL Service-Type = Framed-User, Framed-IP-Address = "=get_ip_addr(10.10.10.1)" The function `get_ip_addr' will be invoked after successful authentication and it will be passed IP address `10.10.10.1' as its argument. An example of a useful function, that can be invoked this way: integer get_ip_address(integer base) { return base + %[NAS-Port-Id] - %[NAS-Port-Id]/16; } File: radius.info, Node: Full Syntax Description, Prev: Attribute Creation Functions, Up: Rewrite Full Syntax Description ----------------------- * Menu: * Data types:: * Symbols:: * Identifiers:: * Declarations:: * Statements:: * Built-in Functions:: File: radius.info, Node: Data types, Next: Symbols, Up: Full Syntax Description Rewrite Data Types .................. There are only two data types: `integer' and `string', the two being coercible to each other in the sense that a string can be coerced to an integer if it contains a valid ASCII representation of a decimal, octal or hex number, and the integer can always be coerced to a string, the result of such coercion being the ASCII string with decimal representation of the number. File: radius.info, Node: Symbols, Next: Identifiers, Prev: Data types, Up: Full Syntax Description Rewrite Symbols ............... A symbol is a lexical token. The following symbols are recognized: Arithmetical operators These are `+', `-', `*', `/' representing the basic arithmetical operations and `%' meaning remainder. Comparison operators These are: `==', `!=', `<', `<=', `>', `>=' with the same meaning they have in C. Special operators are provided for regular expression matching. Binary operator `=~' returns true, if its left-hand-side operand matches the regular expression on its right-hand side. `!~' returns true if the left-hand side operand _does not match_ the regexp on right-hand side. The right-hand side operand of `!~' or `=~' must be a literal string, i.e. the regular expression must be known at compile time. Unary operators. Unary operators are `-' and `+' for unary plus and minus, `!' for boolean negation and `*' for testing for the existence of an attribute. Boolean operators. These are: `&&' and `||'. Parentheses `(' and `)' These are used to change the precedence of operators, to introduce type casts (type coercions), to declare functions and to pass actual arguments to functions. Curly braces (`{' and `}') These are used to delimit blocks of code. Numbers Numbers follow usual C convention for integers. A number consisting of a sequence of digits, is taken to be octal if it begins with `0' (digit zero) and decimal otherwise. If the sequence of digits is preceded by `0x' or `0X', it is taken to be a hexadecimal integer. Characters These follow usual C convention for characters, i.e. either an ASCII character or its value enclosed in a pair of single quotes. The character value begins with `\' (backslash) and consists either of three octal or of two hexadecimal digits. A character does not form a special data type, it is represented internally by an integer. Quoted strings These follow usual C conventions for strings. Attribute values The incoming request is passed implicitly to functions, invoked via `Rewrite-Function' attribute. It is kept as an associative array, whose entries can be accessed using the following syntax: `%[' ATTRIBUTE-NAME `]' Thus notation returns the value of the attribute ATTRIBUTE-NAME. ATTRIBUTE-NAME should be a valid Radius dictionary name (*note dictionary file::). Identifiers Identifiers represent functions and variables. These are described in the next section. Regexp group references A sequence of characters in the form: `\NUMBER' refers to the contents of parenthesized group number NUMBER obtained as a result of the last executed `=~' command. The regexp group reference has always string data type. E.g. string basename(string arg) { if (arg =~ ".*/\(.*\)\..*") return \1; else return arg; } This function strips from ARG all leading components up to the last slash character, and all trailing components after the last dot character. It returns ARG unaltered, if it does not contain slashes and dots. Roughly, it is analogous to the system `basename' utility. File: radius.info, Node: Identifiers, Next: Declarations, Prev: Symbols, Up: Full Syntax Description Rewrite Identifiers ................... A valid identifier is a string of characters meeting the following requirements: 1. It starts with either a lower- or uppercase letter of the Latin alphabet or any of the following symbols: `_', `$'. 2. It consists of alphanumeric characters, underscores(`_') and dollar signs (`$'). File: radius.info, Node: Declarations, Next: Statements, Prev: Identifiers, Up: Full Syntax Description Rewrite Declarations .................... Function declarations --------------------- The Rewrite function is declared as follows: TYPE FUNCTION-NAME (PARAMETER-LIST) where TYPE specifies the return type of the function, FUNCTION-NAME declares the symbolic name of the function and PARAMETER-LIST declares the formal parameters to the function. It is a comma-separated list of declarations in the form: TYPE PARM-NAME TYPE being the parameter type, and PARM-NAME being its symbolic name. Both FUNCTION-NAME and PARM-NAME should be valid identifiers. Variable declarations --------------------- There are no global variables in Rewrite. All variables are local. The local variables are declared right after the opening curly brace (`{') and before any executable statements. The declaration syntax is: TYPE IDENT_LIST ; Here IDENT_LIST is either a valid Rewrite identifier, or a comma- separated list of such identifiers. _Please note_ that, unlike in C, no assignments are allowed in variable declarations. File: radius.info, Node: Statements, Next: Built-in Functions, Prev: Declarations, Up: Full Syntax Description Rewrite Statements .................. The Rewrite statements are: expressions, assignments, conditional statements and return statements. A statement is terminated by semicolon. Expressions ----------- An "expression" is: * A variable identifier * A type coercion expression * An arithmetic expression * A boolean expression * An assignment * A function call Type coercion ------------- The type coercion is like a type cast in C. Its syntax is `(' TYPE `)' IDENT the result of type coercion is as follows: TYPE Variable type Resulting conversion integer integer No conversion. This results in the same integer value. integer string If the string value of the variable is a valid ASCII representation of the integer number (either decimal, octal or hex) it is converted to the integer, otherwise the result of the conversion is undefined. string integer The ASCII representation (in decimal) of the integer number. string string No conversion. This results in the same string value. Assignment ---------- An assignment is: IDENT = EXPRESSION ; The variable IDENT is assigned the value of EXPRESSION. Function calls -------------- These take the form: IDENT ( ARG-LIST ) where IDENT is the identifier representing the function, ARG-LIST is a comma-separated list of expressions supplying actual arguments to the function. The function IDENT references can be either a compiled function or a built-in function. _Please note_ that, unlike in C, the mismatch between the number of actual arguments and number of formal parameters in the compiled function declaration is not an error but rather a warning. File: radius.info, Node: Built-in Functions, Prev: Statements, Up: Full Syntax Description Rewrite Built-in Functions .......................... The following built-in functions are provided: - Function: integer length (string S) Returns the length of string S. - Function: integer index (string S, integer C) Returns the index of the first occurrence of the character C in the string S. Returns -1 if no such occurrence is found. - Function: integer rindex (string S, integer I) Returns the index of the last occurrence of the character C in the string S. Returns -1 if no such occurrence is found. - Function: string substr (string S, integer START, integer LENGTH) Returns the at most LENGTH substring of S starting at position START. - Function: integer logit (string MSG) Outputs its argument to the radius log channel `info'. Returns 0. The function is intended for debugging purposes. All character positions in strings are counted from 0. File: radius.info, Node: Guile, Prev: Rewrite, Up: Extensions Guile ===== The name Guile stands for "GNU's Ubiquitous Intelligent Language for Extensions". It provides the Scheme interpreter conforming to R4RS language specification. This section describes use of Guile as an extension language for GNU Radius. It assumes that the reader is sufficiently familiar with the Scheme language. Please, refer to *Note Top: (r4rs)Top, for the information about the language. If you wish to know more about the Guile, *Note Overview: (guile)Top. Scheme procedures can be called for processing both authentication and accounting requests. The invocation of a scheme procedure for an authentication request is triggered by `Scheme-Procedure' attribute, the invocation for an accounting request is triggered by `Scheme-Acct-Procedure' attribute. The following sections address these issues in more detail. * Menu: * Data Representation:: * Authentication with Scheme:: * Accounting with Scheme:: * Radius-Specific Functions:: File: radius.info, Node: Data Representation, Next: Authentication with Scheme, Up: Guile Data Representation ------------------- A/V pair lists are the main object scheme functions operate upon. Scheme is extremely convenient for representation of such objects. A Radius A/V pair is represented by a Scheme pair, e.g. Session-Timeout = 10 is represented in Guile as (cons "Session-Timeout" 10) The CAR of the pair can contain either the attribute dictionary name, or the attribute number. Thus, the above pair may also be written in Scheme as (cons 27 10) (`Session-Timeout' corresponds to attribute number 27). Lists of A/V pairs are represented by Scheme lists. For example, the following Radius pair list User-Name = "jsmith", Password = "guessme", NAS-IP-Address = 10.10.10.1, NAS-Port-Id = 10 is written in Scheme as: (list (cons "User-Name" "jsmith") (cons "Password" "guessme") (cons "NAS-IP-Address" "10.10.10.1") (cons "NAS-Port-Id" 10)) File: radius.info, Node: Authentication with Scheme, Next: Accounting with Scheme, Prev: Data Representation, Up: Guile Authentication with Scheme -------------------------- The Scheme procedure used for authentication must be declared as follows: - Function Template: auth-function request-list check-list reply-list Its arguments are: REQUEST-LIST The list of A/V pairs from the incoming request CHECK-LIST The list of A/V pairs from the LHS of the profile entry that matched the request. REPLY-LIST The list of A/V pairs from the RHS of the profile entry that matched the request. The function return value determines whether the authentication will succeed. The function must return either a boolean value or a pair. The return of `#t' causes authentication to succeed. The return of `#f' causes it to fail. If the function wishes to add something to the reply A/V pairs, it should return a pair in the form: (cons RETURN-CODE LIST) Where RETURN-CODE is a boolean value of the same meaning as described above. The LIST is a list of A/V pairs to be added to the reply list. For example, the following function will always deny the authentication, returning appropriate message to the user: (define (decline-auth request-list check-list reply-list) (cons #f (list (cons "Reply-Message" "\r\nSorry, you are not allowed to log in\r\n")))) As a more constructive example, let's consider a function that allows the authentication only if a user name is found in its internal database. (define staff-data (list (list "scheme" (cons (list (cons "NAS-IP-Address" "127.0.0.1")) (list (cons "Framed-MTU" "8096"))) (cons '() (list (cons "Framed-MTU" "256")))))) (define (auth req check reply) (let* ((username (assoc "User-Name" req)) (reqlist (assoc username req)) (reply-list '())) (if username (let ((user-data (assoc (cdr username) staff-data))) (rad-log L_INFO (format #f "~A" user-data)) (if user-data (call-with-current-continuation (lambda (xx) (for-each (lambda (pair) (cond ((avl-match? req (car pair)) (set! reply-list (avl-merge reply-list (cdr pair))) (xx #t)))) (cdr user-data)) #f))))) (cons #t reply-list))) To trigger the invocation of the Scheme authentication function, assign its name to `Scheme-Procedure' attribute in RHS of a corresponding `raddb/users' profile. E.g.: DEFAULT Auth-Type = SQL Scheme-Procedure = "auth" File: radius.info, Node: Accounting with Scheme, Next: Radius-Specific Functions, Prev: Authentication with Scheme, Up: Guile Accounting with Scheme ---------------------- The Scheme accounting procedure must be declared as follows: - Function Template: acct-function-name request-list Its arguments are: REQUEST-LIST The list of A/V pairs from the incoming request The function must return a boolean value. The accounting succeeds only if it returned `#t'. Here is an example of Scheme accounting function. The function dumps the contents of the incoming request to a file: (define radius-acct-file "/var/log/acct/radius") (define (acct req) (call-with-output-file radius-acct-file (lambda (port) (for-each (lambda (pair) (display (car pair) port) (display "=" port) (display (cdr pair) port) (newline port)) req) (newline port))) #t) File: radius.info, Node: Radius-Specific Functions, Prev: Accounting with Scheme, Up: Guile Radius-Specific Functions ------------------------- - Scheme Function: avl-delete av-list attr Delete from AV-LIST the pairs with attribute ATTR. - Scheme Function: avl-merge dst src Merge SRC into DST. - Scheme Function: avl-match? target list Return `#t' if all pairs from LIST are present in TARGET. - Scheme Function: rad-dict-name->attr name Return a dictionary entry for the given attribute NAME or `#f' if no such name was found in the dictionary. A dictionary entry is a list in the form: - Scheme List: dict-entry name-string attr-number type-number vendor Where NAME-STRING The attribute name VALUE-NUMBER The attribute number TYPE-NUMBER The attribute type VENDOR is the vendor PEC, if the attribute is a Vendor-Specific one, or #f otherwise. - Scheme Function: rad-dict-value->name attr value Returns a dictionary name of the given VALUE for an integer-type attribute ATTR. ATTR can be either an attribute number or its dictionary name. - Scheme Function: rad-dict-name->value attr value Convert a symbolic attribute value name into its integer representation - Scheme Function: rad-dict-pec->vendor pec Convert PEC to the vendor name - Scheme Function: rad-log-open prio Open radius logging to the severity level PRIO. - Scheme Function: rad-log-close Close radius logging channel open by a previous call to `rad-log-open'. - Scheme Function: rad-rewrite-execute-string string Interpret STRING as an invocation of a function in Rewrite language and execute it. Return value: return of the corresponding Rewrite call, translated to the Scheme data type. - Scheme Function: rad-rewrite-execute arglist Execute a Rewrite language function. `(car ARGLIST)' is interpreted as a name of the Rewrite function to execute, and `(cdr ARGLIST)' as a list of arguments to be passed to it. Return value: return of the corresponding Rewrite call, translated to the Scheme data type. - Scheme Function: rad-openlog ident option facility Scheme interface to the system `openlog()' call. - Scheme Function: rad-syslog prio text Scheme interface to the system `syslog()' call. - Scheme Function: rad-closelog Scheme interface to the system `closelog()' call. - Scheme Function: rad-utmp-putent status delay list radutmp_file radwtmp_file Write the supplied data into the radutmp file. If RADWTMP_FILE is not nil the constructed entry is also appended to WTMP_FILE. LIST is: - Scheme List: utmp-entry user-name orig-name port-id port-type session-id caller-id framed-ip nas-ip proto USER-NAME The user name ORIG-NAME Original user name from the request PORT-ID The value of `NAS-Port-Id' attribute. PORT-TYPE A number or character indicating the port type. SESSION-ID Session ID. CALLER-ID The value of `Calling-Station-Id' attribute from the request. FRAMED-IP The framed IP address assigned to the user. NAS-IP The NAS IP address. PROTO Number or character indicating type of the connection. File: radius.info, Node: Utility Programs, Next: Client Package, Prev: Extensions, Up: Top Utility Programs **************** * Menu: Controlling who and when was logged in * Radwho:: Show who is logged in by radius now. * Radlast:: Show the history of logins by radius. * Raduse:: Monitor the users in real time. Maintenance commands * Radzap:: Modify the login records. * Radgrep:: Quickly find the login record. * Radping:: Ping the remote machine by the username. * Radauth:: Check if a user can be authenticated. * Radctl:: Radctl monitor. * Builddbm:: Create DBM version of the `raddb/users' file. Guile interface * Radscm:: A guile interface to radius functions. File: radius.info, Node: Radwho, Next: Radlast, Up: Utility Programs Radwho ====== `Radwho' displays the list of users currently logged in by the Radius server. Default output information is made compatible with that of the standard UNIX finger(1) utility. For each user the following information is displayed: login name, name, connection protocol, NAS port, login date, NAS name, assigned IP address or corresponding network name. When used with `-l' option, the long output format is used. In this format the following information is output: `Login' Login name of the user `SessionID' Unique session ID assigned by the terminal server. `Proto' Connection prototype. `Port' Port number `When' Login date and time `From' The name of NAS that accepted the connection. `Location' Framed IP address or the corresponding network name. `Caller' Caller station ID ad reported by the NAS. `Duration' Duration of the session. * Menu: * Options: radwho options. Command line options. File: radius.info, Node: radwho options, Up: Radwho Radwho Command Line Options --------------------------- The following command line options can be used to modify the behavior of the program: `-A' `--all' Display the information about logged-out users as well. The logged-out users are shown with Proto field set to HUP. `-c' `--calling-id' Display the calling station ID in the second column. `-d NAME' `--directory NAME' Set the radius configuration directory name. `-D {short|abbr|full}' `--date-formap {short|abbr|full}' Set the date representation. By default dates are output as `DOW HH:MM', where DOW means the day of week abbreviation, HH and MM mean hours and minutes respectively. This corresponds to option `-D short'. Other available formats are: `abbr' Abbreviated date: MM/DD HH:MM, where MM is a two-digit month number, DD -- a two-digit day of month. `full' Full data output, like this: Mon Dec 18 12:29:38 EET 2000 `-e STRING' `--empty STRING' Display any empty field as STRING. This is useful when the output of `radwho' is fed to some analyzing program, as it helps to keep the same number of columns on each line of output. `-F' `--finger' Start in fingerd mode. In this mode `radwho' emulates the behavior of fingerd(8) utility. Use this option if starting `radwho' from the /etc/inetd.conf line like this: finger stream tcp nowait nobody /usr/sbin/radwho radwho -fL This mode is also enabled by default if `radwho' notices that its name (argv[0]) is `fingerd' or `in.fingerd'. `-H' `--no-header' Don't display header line. `-i' `--session-id' Display session ID instead of GECOS in the second column. `-I {smart|ip|nodomain}' `--ip-format {smart|ip|nodomain}' Change IP address representation. The meaning of the argument is as follows: `smart' Select the best representation. The following rules apply: 1. For a NAS use its short name from `naslist'. If there is no short name, use its long name. If there is no long name either, go to 2. 2. Resolve IP address to FQDN. 3. If the IP cannot be resolved, use dotted-quad representation of the IP `ip' Display IP in dotted-quad form. `nodomain' If the IP can be resolved to a fully qualified domain name, use the hostname part of it, i.e. any characters up to the first dot. `-u' `--local-also' Display information about local users from the system `utmp' file. May prove useful when running `radwho' as a finger daemon. `-n' `--no-resolve' Do not resolve IP address. It is a synonym for -I ip. `-o FORMAT' `--format FORMAT' Select customized output format. This can also be changed by setting the value of environment variable `RADWHO_FORMAT'. The format string is a comma-separated list of format specifications in one of the following forms: FIELD Output FIELD with its default width, heading and alignment. The field names and corresponding default values are discussed in detail below. FIELD:WIDTH Output FIELD, use column width WIDTH. If WIDTH starts with `+', the field will be right-aligned, if it starts with `-', the field will be left-aligned. Otherwise the default alignment will be used FIELD:WIDTH:HEADING The same as above, but also supplies the heading for the column The field names are: `login' Login name `orig' Original login name as supplied with the request. `port' NAS port number `sid' The Session ID `nas' The NAS name or IP address. `ip' Framed IP address assigned to the user, if it is provided framed service. `proto' Connection protocol. Its possible values are: * `PPP' for a point-to-point link * `SLIP' for a SLIP link * `HUP' for closed session * `shell' for shell user `date' Date/time when the session started `delay' Delay time *Note Acct-Delay-Time::. `type' Entry type in decimal. `ptype' Port type. This is one of the following letters: Type Meaning `L' Local connection `R' Rlogin connection `S' SLIP connection `C' CSLIP connection `P' PPP connection `A' Auto PPP connection `E' Telnet session `T' "Clear TCP" connection `U' TCP login service `!' Console session `X' Shell `time' Total time of the session duration. `clid' The calling station ID. `uname' The GECOS field from local /etc/passwd, corresponding to the login name. If the user does not have a local account, his login name is output. `-s' `--secure' Run in secure mode. Queries without a user name are rejected. File: radius.info, Node: Radlast, Next: Raduse, Prev: Radwho, Up: Utility Programs Radlast ======= The `radlast' utility lists sessions of specified users, NASes, NAS ports and hosts, in reverse time order. By default, each line of output contains the login name, NAS short name and port number from where the session was conducted, host IP address or name, the start and stop times for the session, and the duration of the session. If the session is still continuing, `radlast' will so indicate. When specified the `-l' option, `radlast' produces long output. It includes following fields: * login name * NAS short name * port number * prototype * port type * Session ID * Caller ID * Framed IP address * Session Start Time * Session Stop Time * Duration of the Session * Menu: * Options: radlast options. Command line options. File: radius.info, Node: radlast options, Up: Radlast Radlast Command Line Options ---------------------------- Use following command line options to control the behavior of `radlast' utility: `-NUMBER' `-c NUMBER' `--count NUMBER' When given this option `radlast' will output at most this many lines of information. `-f' `--file NAME' Read the specified file instead of the default `/var/log/radwtmp'. `-h HOSTNAME' `--host HOSTNAME' Report the logins from given host. Host can be either a name or a "dotted quad" internet address. `-n SHORTNAME' `--nas SHORTNAME' Report the logins from given Network Access Server (NAS). `-l' `--long-format' "Long" output format. Report all the information stored in `radwtmp' file. `-p NUMBER' `--port NUMBER' Report the logins on a given port. The port may be specified either fully or abbreviated, e.g. `radlast -p 3' or `radlast -p S03'. `-s' `--show-seconds' Report the duration of the login session in seconds instead of the default days, hours and minutes. `-t' The same as `-p'. This flag is provided for compatibility with last(1). `-w' `--wide' Widen the duration field to show seconds as well as the default days, hours and minutes. If multiple arguments are given, the logical OR operation between them is assumed, i.e. the information selected by each argument is printed. This, however, does not apply to `-c' option. This option is always combined with the rest of command line by logical AND. The pseudo-user `~reboot' logs in on every reboot of network access server. If `radlast' is interrupted, it indicates to what date the search was progressed. File: radius.info, Node: Raduse, Next: Radzap, Prev: Radlast, Up: Utility Programs Raduse ====== The `raduse' utility shows the usage of dialup lines in the realtime. * Menu: * Display: raduse display. What is displayed. * Options: raduse options. Command line options modify the default display. * Commands: raduse commands. Interactive mode commands. File: radius.info, Node: raduse display, Next: raduse options, Up: Raduse Display ------- At the top of output the summary information is displayed. It consists of two lines. First line shows the statistic collection uptime and current date/time. Second line shows total number of lines, number of active lines, number of idle (inactive) lines and load percentage. The dialup statistics is displayed in the area below. For each dialup line three lines of data are shown. First line shows the network access server name, port number on that server, number of logins registered on this line, status of the line, amount of time the line keeps the current status, and date and time where the line has switched to the current status. If the line is currently active, the status field displays login name of the user logged in on this line. If the line is inactive, the word `[Idle]' is displayed. Second and third lines display active and idle usage summary. They show following data: total time the line is in the given state, maximum amount of time in this state, and starting date and time when maximum duration was perceived. The example of default display: uptime 90+20:35 Sun Dec 17 12:21 235 lines, 71 active, 164 idle. Pool load 0.30 max 001 2796 [idle] 00:05 Sun Dec 17 12:16 43+00:17 1+22:39 Fri Sep 22 18:04 - 16:44 47+20:22 06:25 Thu Oct 05 02:24 - 08:50 max 002 2877 [idle] 00:09 Sun Dec 17 12:11 41+06:56 10:55 Sat Oct 28 21:20 - 07:15 49+13:35 05:32 Mon Oct 02 00:33 - 06:05 max 003 3000 [idle] 00:08 Sun Dec 17 12:12 39+14:42 19:44 Thu Nov 02 14:52 - 10:36 50+11:22 07:29 Wed Oct 11 23:30 - 06:59 max 004 2829 jsmith 00:05 Sun Dec 17 12:15 41+21:11 1+00:04 Sun Sep 24 12:17 - 12:21 48+23:28 04:51 Sat Oct 07 03:42 - 08:33 max 005 2913 gray 00:41 Sun Dec 17 11:40 40+12:01 15:24 Mon Dec 11 19:18 - 10:43 50+08:03 11:58 Wed Nov 29 13:43 - 01:41 max 006 3014 roland 00:39 Sun Dec 17 11:41 42+02:10 22:28 Sun Sep 24 13:46 - 12:15 48+17:39 05:30 Fri Nov 24 01:57 - 07:28 max 007 2937 [idle] 00:06 Sun Dec 17 12:15 This default display can be altered using command line options or interactive commands File: radius.info, Node: raduse options, Next: raduse commands, Prev: raduse display, Up: Raduse Raduse Command Line Options --------------------------- The following options modify the behavior of `raduse': `-b' `--brief' Start up in brief mode. In this mode only first line of information for each dialup line is displayed. `-d COUNT' `--display COUNT' Show only count displays, then exit. A display is considered to be one update of the screen. `-D' `--dump' Dump the statistics database to the standard output and then exit. This is for debugging purposes only. `-I' `--no-idle-lines' Do not display idle lines. By default `raduse' displays all dialup lines. `-i' `--interactive' Use interactive mode. In this mode any input is immediately read for processing. *Note raduse commands:: section for the description of commands usable in interactive mode. After processing each command the screen is updated immediately, no matter was the command understood or not. This mode is the default when the standard output is an intelligent terminal. `-n' `--no-interactive' Use non-interactive mode. `-s NUM' `--delay NUM' Specify delay in seconds between screen updates. `-w' `--widen' Widen the time display fields to show the seconds. `-l' `--list-nas' List the names and IP numbers of network access servers and then exit. `-h' `--help' Display short usage summary. File: radius.info, Node: raduse commands, Prev: raduse options, Up: Raduse Raduse Interactive Commands --------------------------- The following commands are understood when `raduse' is in interactive mode. Some commands require an argument. Such commands are followed by the word ARG. When `raduse' gets such command it displays a prompt and waits for user to enter the necessary data. After processing each command the screen is updated immediately, no matter was the command understood or not. `' Refresh the screen immediately `' Refresh the screen immediately `C-l' Clear and redraw the display. `<^>' (Caret) go to the first page. `' Toggle brief display mode. `C-b' Move one page backwards. `C-f' Move one page forwards. `' Toggle idle line display on or off. `' Move one line forwards. `' Move one line backwards. `' `<$>' Move to the last page. `' Quit the program ` ARG' Change the number of seconds to delay between screen updates. ` ARG' Display lines on a given Network Access Servers. The user is prompted to input the NAS names. The names should be separated by whitespace. The word `all' returns to display of all NAS lines. File: radius.info, Node: Radzap, Next: Radgrep, Prev: Raduse, Up: Utility Programs Radzap ====== `radzap' searches the Radius accounting database for matching login records and closes them. At least one of `-n', `-p' options or username must be specified. If they are used in conjunction, they are taken as if joined by logical AND operation. `radzap' operates in two modes: silent and confirm. The silent mode is enabled by default. When run in this mode, radzap deletes every record that matched the search conditions given. In confirm mode `radzap' will ask for a confirmation before zapping each matching record. Every line beginning with a `y' is taken as positive response, otherwise it is taken as negative response. The confirm mode is toggled by the command line option `-c'. Syntax ------ radzap [options] [username] Options are: `-c' `--confirm' Enable confirm mode. `-q' `--quiet' Disable confirm mode. `-h' `--help' Display short help summary and exit. `-n NAME' `--nas NAME' Specify NAS name to zap user from. `-p PORT' `--port PORT' Specify the port number of the session to be zapped. The port number can be specified either in its full form, i.e `radzap -p S02' or in its short form, like `radzap -p 2'. File: radius.info, Node: Radgrep, Next: Radping, Prev: Radzap, Up: Utility Programs Radgrep ======= This utility allows to quickly lookup the user in the radius accounting database using a regular expression match. `radgrep' scans the output of `radwho' utility and outputs only the lines that match given regular expressions. Syntax ------ `radgrep' accepts two sets of options separated by `--' (double-dash) sign. First subset is passed as command line to `radwho' utility. The second one is passed to `grep'. File: radius.info, Node: Radping, Next: Radauth, Prev: Radgrep, Up: Utility Programs Radping ======= This utility is a shell program that determines the user's framed IP address and runs `ping' on that address. Syntax ------ radping USERNAME radping -c CALLING-STATION-ID The second way of invoking the program allows to use calling station ID in order to indicate the user. File: radius.info, Node: Radauth, Next: Radctl, Prev: Radping, Up: Utility Programs Radauth ======= The `radauth' utility sends the Radius server Access-Request packet and displays the result it gets. It can be used to test the configuration files. The usage is: raduse [-v] username password The `-v' or `--verbose' option forces `radauth' to be verbose on output. If you enter `.' (dot) instead of the password, the program will disable echoing on the screen, prompt you to enter the password, and turn the echoing on again, thus preventing the password from being compromised. The program determines which Radius server to use, the authentication port number and shared secret following the procedure common for all client scripts (*note config::). File: radius.info, Node: Radctl, Next: Builddbm, Prev: Radauth, Up: Utility Programs Radctl ====== `Radctl' is a control interface to `radiusd' daemon. It allows user running it to query `radiusd' about various aspects of its work and issue administrative commands to it. radctl -s COMMAND [ARGS] Where COMMAND is a command telling `radctl' which actions to take, and ARGS are optional arguments to the command. Only one command can be specified per invocation. The valid COMMANDs are as follows: `start [ARGS]' If `radiusd' is not running already, it is started. When present, ARGS are passed as the command line to the server. `stop' Stops running `radiusd'. `restart [ARGS]' Stops the server and then starts it again. When present, ARGS are passed as the command line to the server. `reload' Causes running `radiusd' server to re-read its configuration files. `dumpdb' Tells `radiusd' to dump its user hash table into the file `RADLOG/radius.parse'. This can be used for debugging configuration files. `status' `radiusd' reports its memory usage statistics. The information is logged under `Info' log level. `which' Reports the information about the running copy of `radiusd'. File: radius.info, Node: Builddbm, Next: Radscm, Prev: Radctl, Up: Utility Programs Builddbm ======== Usage ----- `Builddbm' converts the plaintext Radius users database into DBM files. Some versions of Radius daemon have used this to speed up the access to the users database. However, with GNU Radius things go the other way around. The server reads entire plaintext database, converts it into internal form and stores into hash table which provides for fast access. Actually, using DBM version of the users database slows down the access unless the machine which runs Radius daemon is short of address space for the daemon to store the users database into. Syntax ------ When used without arguments, `builddbm' utility attempts to convert file `raddb/users' into `raddb/users.db' or `raddb/users.pag', `raddb/users.dir' pair, depending on the version of DBM library used. If used with one argument, the argument is taken as the name of the plaintext database file to operate upon. Use the following command line options to modify the operation of `buildbm': `-d DIR' Specifies alternate directory for the Radius configuration files. This defaults to `/usr/local/etc/raddb'. `-h' Outputs short usage summary and exits with 0 exit code. File: radius.info, Node: Radscm, Prev: Builddbm, Up: Utility Programs Radscm: A guile interface to radius functions. ============================================== `Radscm' is a Scheme interpreter based on Guile with the addition of special functions and variables for communicating with `radiusd'. This chapter concentrates on the special features provided by `radscm'. Please refer to Guile documentation for information about Scheme and Guile *Note Overview: (guile)Top. Variables ========= - Variable: %raddb-path A path to radius configuration directory. - Function: rad-server-list A list of radius servers. Each element of the list is: (list ID-STR HOST-STR SECRET-STR AUTH-NUM ACCT-NUM CNTL-NUM) where: ID-STR Server ID, HOST-STR Server hostname or IP address, SECRET-STR Shared secret key to use, AUTH-NUM Authentication port number, ACCT-NUM Accounting port number, CNTL-NUM Control channel port number. Thus, each entry can be used as an argument to rad-client-set-server or rad-client-add-server. Functions ========= - Function: rad-send-internal PORT-NUMBER CODE-NUMBER PAIR-LIST Sends the request to currently selected server. Arguments are: PORT-NUMBER Port number to use. These values are allowed: 0 Authentication port, 1 Accounting port, 2 Control port. The actual port numbers are those configured for the given server. CODE-NUMBER Request code. PAIR-LIST List of Attribute-value pairs. Each pair is either (cons ATTR-NAME-STR VALUE) or (cons ATTR-NUMBER VALUE) Return: On success (list RETURN-CODE-NUMBER PAIR-LIST) On failure: '() - Function: rad-send PORT-NUMBER CODE-NUMBER PAIR-LIST . VERBOSE Sends a radius request. Actually it does the same work as rad-send-internal but if VERBOSE is specified, the verbose report about interaction with the radius server is printed. - Function: rad-client-list-servers List currently configured servers. Two columns for each server are displayed: Server ID and IP address. - Function: rad-get-server Returns the ID of the currently selected server. - Function: rad-client-set-server LIST Selects for use the server described by LIST. A LIST should be: (list ID-STR HOST-STR SECRET-STR AUTH-NUM ACCT-NUM CNTL-NUM) where: ID-STR Server ID, HOST-STR Server hostname or IP address, SECRET-STR Shared secret key to use, AUTH-NUM Authentication port number, ACCT-NUM Accounting port number, CNTL-NUM Control channel port number. - Function: rad-client-add-server LIST Adds the server described by LIST to the list of active servers. A LIST should be: (list ID-STR HOST-STR SECRET-STR AUTH-NUM ACCT-NUM CNTL-NUM) where: ID-STR Server ID, HOST-STR Server hostname or IP address, SECRET-STR Shared secret key to use, AUTH-NUM Authentication port number, ACCT-NUM Accounting port number, CNTL-NUM Control channel port number. - Function: rad-read-no-echo PROMPT-STR Prints the given PROMPT-STR, disables echoing, reads a string up to the next newline character, restores echoing and returns the string entered. This is the interface to the C getpass(3) function. - Function: rad-client-source-ip IP-STR Sets the IP address to be used as source. IP-STR can be either an IP address in dotted-quad form or a hostname. - Function: rad-client-timeout NUMBER Sets the timeout for waiting to the server reply. - Function: rad-client-retry NUMBER Sets the number of retries for sending requests to a radius server. - Function: rad-format-code DEST-BOOL CODE-NUMBER Format a radius reply code into a human-readable form. DEST-BOOL has the same meaning as in format. - Function: rad-format-pair DEST-BOOL PAIR Format a radius attribute/value pair for output. DEST-BOOL has the same meaning as in format. PAIR is either (cons NAME-STR VALUE) or (cons ATTR-NUMBER VALUE) where VALUE may be of any type appropriate for the given attribute. - Function: rad-print-pairs DEST-BOOL PAIR-LIST Output the radius attribute/value pairs from the PAIR-LIST. DEST-BOOL has the same meaning as in format. PAIR-LIST is a list of pairs in the form (cons NAME-STR VALUE) or (cons ATTR-NUMBER VALUE) where VALUE may be of any type appropriate for the given attribute. All "Reply-Message" pairs from the list are concatenated and displayed as one. - Function: rad-format-reply-msg PAIR-LIST . TEXT Concatenate and print text from all "Reply-Message" pairs from the PAIR-LIST. If TEXT is specified, it is printed before the concatenated text. - Function: rad-list-servers For each server from `rad-server-list' print its ID and hostname or IP address. - Function: rad-select-server ID-STR Select the server identified by ID-STR as a current server. The server data are looked up in rad-server-list variable. - Function: rad-add-server ID-STR Add the server identified by ID-STR to the list of current servers. The server data are looked up in rad-server-list variable. File: radius.info, Node: Client Package, Prev: Utility Programs, Up: Top Client Package ************** Beside the radius server and accompanying utilities, GNU Radius provides a set of utilities to be used as radius clients. Following sections describe in detail the parts of the radius client package. * Menu: * config:: Configuration file is common for all client utilities. * radsession:: Send arbitrary requests to radius server. * nas.scm:: A NAS implementation for GNU/Linux machines. * pam_radius.so:: A PAM module for authentication via radius. File: radius.info, Node: config, Next: radsession, Up: Client Package Client Configuration ==================== All programs from the client package share the same configuration file: `raddb/client.conf'. The file uses simple line-oriented syntax. Empty lines are ignored, the `#' introduces an end-of-line comment. The source IP address is introduced with `source_ip' statement. Its syntax is: source_ip IP-ADDR where IP-ADDR must be the IP address in "dotted-quad" notation. The radius server where to send the requests to is introduced with `server' statement: server NAME IP-ADDR SECRET AUTH-PORT ACCT-PORT Its parts are: NAME The server name. It is reserved for further use. IP-ADDR The server IP address. SECRET The shared secret to be used when sending requests to this server AUTH-PORT Authentication port number. ACCT-PORT Accounting port number. If several `server' statement are present, they are tried in turn until any of them replies to the request. The amount of time a client program waits for the reply from a server is configured using `timeout' statement: timepout NUMBER If the program does not receive any response within NUMBER seconds, it assumes the server does not respond and either retries the transmission or tries next available server. Number of retries is set with `retry' statement: retry NUMBER The example of `raddb/client.conf' follows: server first 10.11.10.1 secret 1645 1646 server second 10.11.10.1 secret 1645 1646 source_ip 127.0.0.1 timeout 3 retry 5 File: radius.info, Node: radsession, Next: nas.scm, Prev: config, Up: Client Package radsession ========== `radsession' is a Guile script that sends authentication and accounting requests to the radius server. To invoke the script, run radsession OPTIONS ACTION Possible actions are: `--auth' Send authentication request. `--start' Send accounting start request. `--stop' Send accounting stop request. Options determine the contents of the request's pairlist. They are: `-l STRING' `--login STRING' Set login name. `-p STRING' `--passwd STRING' Set password. `-n IP' `--nas IP' Set the value of `NAS-IP-Address' attribute. `-s STRING' `--sid STRING' Set the session id (`Acct-Session-Id' attribute). `-P NUMBER' `--port NUMBER' Set the port number (`NAS-Port-Id' attribute). `-h' `--help' Print short usage message and exit. `-v' `--verbose' Verbosely list the contents of the received reply. File: radius.info, Node: nas.scm, Next: pam_radius.so, Prev: radsession, Up: Client Package nas.scm ======= `nas.scm' is a Guile program that allows to convert a GNU/Linux box into a NAS. It requires Guile version 1.4 or better and ppp version 2.3.7 or better. To use it, you will basically need to do the following: 1. Create links: ln -s LIBEXEC/nas.scm /etc/ppp/ip-up ln -s LIBEXEC/nas.scm /etc/ppp/ip-down Here, LIBEXEC denotes the location of your libexec directory, where `nas.scm' is installed. If not overridden at configure time, it defaults to `PREFIX/libexec'. These links assure the `ppp' will invoke `nas.scm' when the user's session starts and ends, thus giving it a possibility to send accounting requests. 2. Configure file `raddb/client.conf' 3. Edit file `raddb/nas.rc'. The supplied `nas.rc' template is tailored to work in most environments. The only variables you may need to change are: `nas-log-facility', specifying the syslog facility to be used for logging and `pppd-args', keeping the arguments to be given to `ppp'. 4. Configure your `/etc/inittab' and `getty'. For example, if you use `mgetty', then the `inittab' entries for dial-up lines will look like: d0:345:respawn:/sbin/mgetty ttyS0 vt100 d1:345:respawn:/sbin/mgetty ttyS1 vt100 ... The mgetty's `login.config' will then contain the following line: * - - /usr/local/libexec/nas.scm If you use `agetty', then the `inittab' will contain (with the long lines split for readability): d0:345:respawn:/sbin/agetty -mt60 \ -l /usr/local/libexec/nas.scm 38400,19200,9600 \ ttyS0 vt100 d1:345:respawn:/sbin/agetty -mt60 \ -l /usr/local/libexec/nas.scm 38400,19200,9600 \ ttyS1 vt100 ... File: radius.info, Node: pam_radius.so, Prev: nas.scm, Up: Client Package pam_radius.so ============= `pam_radius.so' is a PAM module for radius authentication. The module understands following command line options: `audit' Enable audit information. `debug[=LEVEL]' Enable debugging information. The higher LEVEL is, the more debugging info is output. When omitted, LEVEL defaults to 100. _Please note_, that debugging levels equal to or greater than 10 compromise users' passwords, so use them sparingly. `use_authtok' Use authentication token passed from the previous module in stack. `confdir=PATH' Look for configuration files in PATH. Default is `$sysconfdir/etc/raddb'. `service_type=TYPE' Add `Service-Type=TYPE' to the authentication request. TYPE must be a valid value, described in dictionary file. `pam_radius.so' module logs its messages under `LOG_AUTH' syslog facility. File: radius.info, Node: Attribute List, Up: Top Attribute List ************** The following sections describe the most frequently used RADIUS attributes. Each attribute is described as follows: ATTRIBUTE NAME VALUE TYPE Users: `USER-FLAGS' Hints: `HINTS-FLAGS' Huntgroups: `HUNTGROUP-FLAGS' Additivity: ADDITIVITY Proxy propagated: PROP These values have the following meaning: NAME The attribute name. VALUE The attribute number. TYPE The attribute type. USER-FLAGS Syntax flags defining in which part of `raddb/users' entry this attribute may be used. The flags consist of two letters: `L' means the attribute can be used in LHS, `R' means it can be used in RHS. HINTS-FLAGS Syntax flags defining in which part of `raddb/hints' entry this attribute may be used. HUNTGROUP-FLAGS Syntax flags defining in which part of `raddb/huntgroups' entry this attribute may be used. ADDITIVITY "Additivity" of the attribute determines what happens if a rule attempts to add to the pair list the attribute, which is already present in this list. Depending on its value, the actions of the server are: Append New attribute is appended to the end of the list. Replace New attribute replaces the old. Drop New attribute is dropped. The old one remains in the list. PROP Is the attribute propagated back to the NAS if the server works in proxy mode. The value of N/A in any of this fields signifies "not applicable". * Menu: * Authentication Attributes:: * Accounting Attributes:: * Radius Internal Attributes:: File: radius.info, Node: Authentication Attributes, Next: Accounting Attributes, Up: Attribute List Authentication Attributes ========================= These are the attributes the NAS uses in authentication packets and expects to get back in authentication replies. These can be used in matching rules. * Menu: * User-Name:: * Password:: * CHAP-Password:: * NAS-IP-Address:: * NAS-Port-Id:: * Service-Type:: * Framed-Protocol:: * Framed-IP-Address:: * Framed-IP-Netmask:: * Framed-Routing:: * Framed-MTU:: * Framed-Compression:: * Reply-Message:: * Callback-Number:: * Callback-Id:: * Framed-Route:: * State:: * Class:: * Vendor-Specific:: * Session-Timeout:: * Idle-Timeout:: * Termination-Action:: * Called-Station-Id:: * Calling-Station-Id:: * NAS-Identifier:: * NAS-Port-Type:: File: radius.info, Node: User-Name, Next: Password, Up: Authentication Attributes User-Name --------- ATTRIBUTE User-Name 1 string Users: `LR' Hints: `-R' Huntgroups: `LR' Additivity: Replace Proxy propagated: Yes This Attribute indicates the name of the user to be authenticated or accounted. It is used in Access-Request and Accounting attributes. The length of the username is usually limited by some arbitrary value. By default, Radius supports usernames up to 32 characters long. This value can be modified by redefining `RUT_USERNAME' macro in include/radutmp.h file in the distribution directory and recompiling the program. Some NASes have peculiarities about sending long usernames. For example, Specialix Jetstream 8500 24 port access server inserts a `/' character after the 10th character if the username is longer than 10 characters. In such cases, we recommend to apply rewrite functions in order to bring username to its "normal" form (*note rewrite file::). File: radius.info, Node: Password, Next: CHAP-Password, Prev: User-Name, Up: Authentication Attributes Password -------- ATTRIBUTE Password 2 string Users: `L-' Hints: `--' Huntgroups: `--' Additivity: N/A Proxy propagated: No This Password attribute indicates the password of the user to be authenticated, or the user's input following an Access-Challenge. It is only used in Access-Request packets. On transmission, the password is hidden. The password is first padded at the end with nulls to a multiple of 16 octets. A one- way MD5 hash is calculated over a stream of octets consisting of the shared secret followed by the Request Authenticator. This value is XORed with the first 16 octet segment of the password and placed in the first 16 octets of the String field of the Password Attribute. If the password is longer than 16 characters, a second one-way MD5 hash is calculated over a stream of octets consisting of the shared secret followed by the result of the first xor. That hash is XORed with the second 16 octet segment of the password and placed in the second 16 octets of the String field of the Password Attribute. If necessary, this operation is repeated, with each xor result being used along with the shared secret to generate the next hash to xor the next segment of the password, to no more than 128 characters. File: radius.info, Node: CHAP-Password, Next: NAS-IP-Address, Prev: Password, Up: Authentication Attributes CHAP-Password ------------- ATTRIBUTE CHAP-Password 3 string Users: `L-' Hints: `--' Huntgroups: `--' Additivity: N/A Proxy propagated: No This Attribute indicates the response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to the challenge. It is only used in Access-Request packets. The CHAP challenge value is found in the CHAP-Challenge Attribute (60) if present in the packet, otherwise in the Request Authenticator field. File: radius.info, Node: NAS-IP-Address, Next: NAS-Port-Id, Prev: CHAP-Password, Up: Authentication Attributes NAS-IP-Address -------------- ATTRIBUTE NAS-IP-Address 4 ipaddr Users: `L-' Hints: `-R' Huntgroups: `LR' Additivity: Append Proxy propagated: No This Attribute indicates the identifying IP address of the NAS which is requesting authentication of the user. It is only used in Access-Request packets. Each Access-Request packet should contain either `NAS-IP-Address' or `NAS-Identifier' attribute *Note NAS-Identifier::. File: radius.info, Node: NAS-Port-Id, Next: Service-Type, Prev: NAS-IP-Address, Up: Authentication Attributes NAS-Port-Id ----------- ATTRIBUTE NAS-Port-Id 5 integer Users: `LR' Hints: `-R' Huntgroups: `LR' Additivity: Append Proxy propagated: No This attribute indicates the physical port number of the NAS which is authenticating the user. It is only used in Access-Request packets. Note that this is using "port" in its sense of a physical connection on the NAS, not in the sense of a TCP or UDP port number. Some NASes try to encode various information in the `NAS-Port-Id' attribute value. For example MAX Ascend terminal server constructs `NAS-Port-Id' concatenating line type (one-digit), line number (two-digits), and the channel number (two-digits) thus producing a 5-digit port number. In order to "normalize" such encoded port numbers we recommend to use a rewrite function (*note rewrite file::). A rewrite function for MAX Ascend servers is provided in the distribution. File: radius.info, Node: Service-Type, Next: Framed-Protocol, Prev: NAS-Port-Id, Up: Authentication Attributes Service-Type ------------ ATTRIBUTE Service-Type 6 integer Users: `LR' Hints: `-R' Huntgroups: `LR' Additivity: Replace Proxy propagated: Yes VALUE Service-Type Login-User 1 VALUE Service-Type Framed-User 2 VALUE Service-Type Callback-Login-User 3 VALUE Service-Type Callback-Framed-User 4 VALUE Service-Type Outbound-User 5 VALUE Service-Type Administrative-User 6 VALUE Service-Type NAS-Prompt-User 7 VALUE Service-Type Authenticate-Only 8 VALUE Service-Type Call-Check 10 This attribute indicates the type of service the user has requested, or the type of service to be provided. It may be used in both Access-Request and Access-Accept packets. When used in an Access-Request the Service type represents a hint to the Radius server that the NAS has reason to believe the user would prefer the kind of service indicated. When used in an Access-Accept, the Service type is an indication to the NAS that the user must be provided this type of service. The meaning of various service-types is as follows: `Login-User' The user should be connected to a host. `Framed-User' A Framed Protocol should be started for the User, such as PPP or SLIP. The `Framed-IP-Address' attribute (*note Framed-IP-Address::) would supply the IP address to be used. `Callback-Login-User' The user should be disconnected and called back, then connected to a host. `Callback-Framed-User' The user should be disconnected and called back, then a Framed Protocol should be started for the User, such as PPP or SLIP. `Outbound-User' The user should be granted access to outgoing devices. `Administrative-User' The user should be granted access to the administrative interface to the NAS from which privileged commands can be executed. `NAS-Prompt' The user should be provided a command prompt on the NAS from which non-privileged commands can be executed. `Authenticate-Only' Only Authentication is requested, and no authorization information needs to be returned in the Access-Accept `Call-Check' `Callback-NAS-Prompt' The user should be disconnected and called back, then provided a command prompt on the NAS from which non-privileged commands can be executed. File: radius.info, Node: Framed-Protocol, Next: Framed-IP-Address, Prev: Service-Type, Up: Authentication Attributes Framed-Protocol --------------- ATTRIBUTE Framed-Protocol 7 integer Users: `LR' Hints: `-R' Huntgroups: `LR' Additivity: Replace Proxy propagated: Yes VALUE Framed-Protocol PPP 1 VALUE Framed-Protocol SLIP 2 This Attribute indicates the framing to be used for framed access. It may be used in both Access-Request and Access-Accept packets. File: radius.info, Node: Framed-IP-Address, Next: Framed-IP-Netmask, Prev: Framed-Protocol, Up: Authentication Attributes Framed-IP-Address ----------------- ATTRIBUTE Framed-IP-Address 8 ipaddr Users: `LR' Hints: `-R' Huntgroups: `LR' Additivity: Replace Proxy propagated: No This Attribute indicates the address to be configured for the user. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that address, but the server is not required to honor the hint. The value `0xFFFFFFFF' (`255.255.255.255') indicates that the NAS should allow the user to select an address. The value `0xFFFFFFFE' (`255.255.255.254') indicates that the NAS should select an address for the user (e.g. assigned from a pool of addresses kept by the NAS). Other valid values indicate that the NAS should use that value as the user's IP address. When used in a RHS, the value of this attribute can optionally be followed by a plus sign. This usage means that the value of NAS-Port-Id must be added to this IP address before replying. For example Framed-IP-Address = 10.10.0.1+ Also *Note Add-Port-To-IP-Address::. File: radius.info, Node: Framed-IP-Netmask, Next: Framed-Routing, Prev: Framed-IP-Address, Up: Authentication Attributes Framed-IP-Netmask ----------------- ATTRIBUTE Framed-IP-Netmask 9 ipaddr Users: `LR' Hints: `-R' Huntgroups: `LR' Additivity: Replace Proxy propagated: No This Attribute indicates the IP netmask to be configured for the user when the user is a router to a network. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that netmask, but the server is not required to honor the hint. File: radius.info, Node: Framed-Routing, Next: Framed-MTU, Prev: Framed-IP-Netmask, Up: Authentication Attributes Framed-Routing -------------- ATTRIBUTE Framed-Routing 10 integer Users: `-R' Hints: `-R' Huntgroups: `-R' Additivity: Replace Proxy propagated: No VALUE Framed-Routing None 0 VALUE Framed-Routing Broadcast 1 VALUE Framed-Routing Listen 2 VALUE Framed-Routing Broadcast-Listen 3 This Attribute indicates the routing method for the user, when the user is a router to a network. It is only used in Access-Accept packets. File: radius.info, Node: Framed-MTU, Next: Framed-Compression, Prev: Framed-Routing, Up: Authentication Attributes Framed-MTU ---------- ATTRIBUTE Framed-MTU 12 integer Users: `LR' Hints: `-R' Huntgroups: `-R' Additivity: Replace Proxy propagated: Yes This Attribute indicates the Maximum Transmission Unit to be configured for the user, when it is not negotiated by some other means (such as PPP). It is only used in Access-Accept packets. File: radius.info, Node: Framed-Compression, Next: Reply-Message, Prev: Framed-MTU, Up: Authentication Attributes Framed-Compression ------------------ ATTRIBUTE Framed-Compression 13 integer Users: `LR' Hints: `-R' Huntgroups: `LR' Additivity: Replace Proxy propagated: Yes VALUE Framed-Compression None 0 VALUE Framed-Compression Van-Jacobson-TCP-IP 1 This Attribute indicates a compression protocol to be used for the link. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that compression, but the server is not required to honor the hint. More than one compression protocol Attribute may be sent. It is the responsibility of the NAS to apply the proper compression protocol to appropriate link traffic. File: radius.info, Node: Reply-Message, Next: Callback-Number, Prev: Framed-Compression, Up: Authentication Attributes Reply-Message ------------- ATTRIBUTE Reply-Message 18 string Users: `-R' Hints: `--' Huntgroups: `--' Additivity: Append Proxy propagated: Yes This Attribute indicates text which may be displayed to the user. When used in an Access-Accept, it is the success message. When used in an Access-Reject, it is the failure message. It may indicate a dialog message to prompt the user before another Access-Request attempt. When used in an Access-Challenge, it may indicate a dialog message to prompt the user for a response. Multiple `Reply-Message' attributes may be included and if any are displayed, they must be displayed in the same order as they appear in the packet. File: radius.info, Node: Callback-Number, Next: Callback-Id, Prev: Reply-Message, Up: Authentication Attributes Callback-Number --------------- ATTRIBUTE Callback-Number 19 string Users: `-R' Hints: `--' Huntgroups: `--' Additivity: Replace Proxy propagated: No This Attribute indicates a dialing string to be used for callback. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint to the server that a Callback service is desired, but the server is not required to honor the hint. File: radius.info, Node: Callback-Id, Next: Framed-Route, Prev: Callback-Number, Up: Authentication Attributes Callback-Id ----------- ATTRIBUTE Callback-Id 20 string Users: `-R' Hints: `--' Huntgroups: `--' Additivity: Replace Proxy propagated: No This Attribute indicates the name of a place to be called, to be interpreted by the NAS. It may be used in Access-Accept packets. File: radius.info, Node: Framed-Route, Next: State, Prev: Callback-Id, Up: Authentication Attributes Framed-Route ------------ ATTRIBUTE Framed-Route 22 string Users: `-R' Hints: `--' Huntgroups: `--' Additivity: Replace Proxy propagated: No This Attribute provides routing information to be configured for the user on the NAS. It is used in the Access-Accept packet and can appear multiple times. File: radius.info, Node: State, Next: Class, Prev: Framed-Route, Up: Authentication Attributes State ----- ATTRIBUTE State 24 string Users: `LR' Hints: `LR' Huntgroups: `LR' Additivity: Append Proxy propagated: No This Attribute is available to be sent by the server to the client in an Access-Challenge and MUST be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any. This Attribute is available to be sent by the server to the client in an Access-Accept that also includes a Termination-Action Attribute with the value of RADIUS-Request. If the NAS performs the Termination-Action by sending a new Access-Request upon termination of the current session, it MUST include the State attribute unchanged in that Access-Request. In either usage, no interpretation by the client should be made. A packet may have only one `State' Attribute. File: radius.info, Node: Class, Next: Vendor-Specific, Prev: State, Up: Authentication Attributes Class ----- ATTRIBUTE Class 25 string Users: `LR' Hints: `LR' Huntgroups: `LR' Additivity: Append Proxy propagated: No This Attribute is available to be sent by the server to the client in an Access-Accept and should be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported. File: radius.info, Node: Vendor-Specific, Next: Session-Timeout, Prev: Class, Up: Authentication Attributes Vendor-Specific --------------- ATTRIBUTE Vendor-Specific 26 string Users: `LR' Hints: `-R' Huntgroups: `-R' Additivity: Append Proxy propagated: No This Attribute is available to allow vendors to support their own extended Attributes not suitable for general usage. File: radius.info, Node: Session-Timeout, Next: Idle-Timeout, Prev: Vendor-Specific, Up: Authentication Attributes Session-Timeout --------------- ATTRIBUTE Session-Timeout 27 integer Users: `-R' Hints: `--' Huntgroups: `--' Additivity: Replace Proxy propagated: Yes This Attribute sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt. The server may send this attribute to the client in an Access-Accept or Access-Challenge. File: radius.info, Node: Idle-Timeout, Next: Termination-Action, Prev: Session-Timeout, Up: Authentication Attributes Idle-Timeout ------------ ATTRIBUTE Idle-Timeout 28 integer Users: `-R' Hints: `--' Huntgroups: `--' Additivity: Replace Proxy propagated: Yes This Attribute sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. The server may send this attribute to the client in an Access-Accept or Access-Challenge. File: radius.info, Node: Termination-Action, Next: Called-Station-Id, Prev: Idle-Timeout, Up: Authentication Attributes Termination-Action ------------------ ATTRIBUTE Termination-Action 29 integer Users: `LR' Hints: `-R' Huntgroups: `-R' Additivity: Replace Proxy propagated: No VALUE Termination-Action Default 0 VALUE Termination-Action RADIUS-Request 1 This Attribute indicates what action the NAS should take when the specified service is completed. It is only used in Access-Accept packets. File: radius.info, Node: Called-Station-Id, Next: Calling-Station-Id, Prev: Termination-Action, Up: Authentication Attributes Called-Station-Id ----------------- ATTRIBUTE Called-Station-Id 30 string Users: `L-' Hints: `-R' Huntgroups: `LR' Additivity: Append Proxy propagated: No This Attribute allows the NAS to send in the Access-Request packet the phone number that the user called, using Dialed Number Identification (DNIS) or similar technology. Note that this may be different from the phone number the call comes in on. It is only used in Access-Request packets. File: radius.info, Node: Calling-Station-Id, Next: NAS-Identifier, Prev: Called-Station-Id, Up: Authentication Attributes Calling-Station-Id ------------------ ATTRIBUTE Calling-Station-Id 31 string Users: `L-' Hints: `-R' Huntgroups: `LR' Additivity: Append Proxy propagated: No This Attribute allows the NAS to send in the Access-Request packet the phone number that the call came from, using Automatic Number Identification (ANI) or similar technology. It is only used in Access-Request packets. File: radius.info, Node: NAS-Identifier, Next: NAS-Port-Type, Prev: Calling-Station-Id, Up: Authentication Attributes NAS-Identifier -------------- ATTRIBUTE NAS-Identifier 32 string Users: `L-' Hints: `-R' Huntgroups: `LR' Additivity: Append Proxy propagated: No This Attribute contains a string identifying the NAS originating the Access-Request. It is only used in Access-Request packets. Either `NAS-IP-Address' or `NAS-Identifier' should be present in an Access-Request packet. *Note NAS-IP-Address::. File: radius.info, Node: NAS-Port-Type, Prev: NAS-Identifier, Up: Authentication Attributes NAS-Port-Type ------------- ATTRIBUTE NAS-Port-Type 61 integer Users: `--' Hints: `--' Huntgroups: `--' Additivity: Append Proxy propagated: No VALUE NAS-Port-Type Async 0 VALUE NAS-Port-Type Sync 1 VALUE NAS-Port-Type ISDN 2 VALUE NAS-Port-Type ISDN-V120 3 VALUE NAS-Port-Type ISDN-V110 4 This Attribute indicates the type of the physical port of the NAS which is authenticating the user. It can be used instead of or in addition to the `NAS-Port-Id' *Note NAS-Port-Id:: attribute. It is only used in Access-Request packets. Either `NAS-Port' or `NAS-Port-Type' or both should be present in an Access-Request packet, if the NAS differentiates among its ports. File: radius.info, Node: Accounting Attributes, Next: Radius Internal Attributes, Prev: Authentication Attributes, Up: Attribute List Accounting Attributes ===================== These are attributes the NAS sends along with accounting requests. These attributes can not be used in matching rules. * Menu: * Acct-Status-Type:: * Acct-Delay-Time:: * Acct-Input-Octets:: * Acct-Output-Octets:: * Acct-Session-Id:: * Acct-Authentic:: * Acct-Session-Time:: * Acct-Input-Packets:: * Acct-Output-Packets:: * Acct-Terminate-Cause:: File: radius.info, Node: Acct-Status-Type, Next: Acct-Delay-Time, Up: Accounting Attributes Acct-Status-Type ---------------- ATTRIBUTE Acct-Status-Type 40 integer Users: `--' Hints: `--' Huntgroups: `--' Additivity: N/A Proxy propagated: N/A VALUE Acct-Status-Type Start 1 VALUE Acct-Status-Type Stop 2 VALUE Acct-Status-Type Alive 3 VALUE Acct-Status-Type Accounting-On 7 VALUE Acct-Status-Type Accounting-Off 8 This attribute indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop). It may also be used to mark the start of accounting (for example, upon booting) by specifying Accounting-On and to mark the end of accounting (for example, just before a scheduled reboot) by specifying Accounting-Off. A special value Alive or Interim-Update indicates the packet that contains some additional data to the initial Start record or to the last Alive record. File: radius.info, Node: Acct-Delay-Time, Next: Acct-Input-Octets, Prev: Acct-Status-Type, Up: Accounting Attributes Acct-Delay-Time --------------- ATTRIBUTE Acct-Delay-Time 41 integer Users: `--' Hints: `--' Huntgroups: `--' Additivity: N/A Proxy propagated: N/A This attribute indicates how many seconds the client has been trying to send this record for, and can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. (Network transit time is ignored.) File: radius.info, Node: Acct-Input-Octets, Next: Acct-Output-Octets, Prev: Acct-Delay-Time, Up: Accounting Attributes Acct-Input-Octets ----------------- ATTRIBUTE Acct-Input-Octets 42 integer Users: `--' Hints: `--' Huntgroups: `--' Additivity: N/A Proxy propagated: N/A This attribute indicates how many octets have been received from the port over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop. File: radius.info, Node: Acct-Output-Octets, Next: Acct-Session-Id, Prev: Acct-Input-Octets, Up: Accounting Attributes Acct-Output-Octets ------------------ ATTRIBUTE Acct-Output-Octets 43 integer Users: `--' Hints: `--' Huntgroups: `--' Additivity: N/A Proxy propagated: N/A This attribute indicates how many octets have been sent to the port in the course of delivering this service, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop. File: radius.info, Node: Acct-Session-Id, Next: Acct-Authentic, Prev: Acct-Output-Octets, Up: Accounting Attributes Acct-Session-Id --------------- ATTRIBUTE Acct-Session-Id 44 string Users: `--' Hints: `--' Huntgroups: `--' Additivity: N/A Proxy propagated: N/A This attribute is a unique Accounting ID to make it easy to match start and stop records in a log file. The start and stop records for a given session must have the same Acct-Session-Id. An Accounting-Request packet must have an Acct-Session-Id. An Access-Request packet may have an Acct-Session-Id; if it does, then the NAS must use the same Acct-Session-Id in the Accounting-Request packets for that session. File: radius.info, Node: Acct-Authentic, Next: Acct-Session-Time, Prev: Acct-Session-Id, Up: Accounting Attributes Acct-Authentic -------------- ATTRIBUTE Acct-Authentic 45 integer Users: `--' Hints: `--' Huntgroups: `--' Additivity: N/A Proxy propagated: N/A VALUE Acct-Authentic RADIUS 1 VALUE Acct-Authentic Local 2 VALUE Acct-Authentic Remote 3 This attribute may be included in an Accounting-Request to indicate how the user was authenticated, whether by Radius, the NAS itself, or another remote authentication protocol. Users who are delivered service without being authenticated should not generate Accounting records. File: radius.info, Node: Acct-Session-Time, Next: Acct-Input-Packets, Prev: Acct-Authentic, Up: Accounting Attributes Acct-Session-Time ----------------- ATTRIBUTE Acct-Session-Time 46 integer Users: `--' Hints: `--' Huntgroups: `--' Additivity: N/A Proxy propagated: N/A This attribute indicates how many seconds the user has received service for, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop. File: radius.info, Node: Acct-Input-Packets, Next: Acct-Output-Packets, Prev: Acct-Session-Time, Up: Accounting Attributes Acct-Input-Packets ------------------ ATTRIBUTE Acct-Input-Packets 47 integer Users: `--' Hints: `--' Huntgroups: `--' Additivity: N/A Proxy propagated: N/A This attribute indicates how many packets have been received from the port over the course of this service being provided to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop. File: radius.info, Node: Acct-Output-Packets, Next: Acct-Terminate-Cause, Prev: Acct-Input-Packets, Up: Accounting Attributes Acct-Output-Packets ------------------- ATTRIBUTE Acct-Output-Packets 48 integer Users: `--' Hints: `--' Huntgroups: `--' Additivity: N/A Proxy propagated: N/A This attribute indicates how many packets have been sent to the port in the course of delivering this service to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop. File: radius.info, Node: Acct-Terminate-Cause, Prev: Acct-Output-Packets, Up: Accounting Attributes Acct-Terminate-Cause -------------------- ATTRIBUTE Acct-Terminate-Cause 49 integer Users: `--' Hints: `--' Huntgroups: `--' Additivity: N/A Proxy propagated: N/A VALUE Acct-Terminate-Cause User-Request 1 VALUE Acct-Terminate-Cause Lost-Carrier 2 VALUE Acct-Terminate-Cause Lost-Service 3 VALUE Acct-Terminate-Cause Idle-Timeout 4 VALUE Acct-Terminate-Cause Session-Timeout 5 VALUE Acct-Terminate-Cause Admin-Reset 6 VALUE Acct-Terminate-Cause Admin-Reboot 7 VALUE Acct-Terminate-Cause Port-Error 8 VALUE Acct-Terminate-Cause NAS-Error 9 VALUE Acct-Terminate-Cause NAS-Request 10 VALUE Acct-Terminate-Cause NAS-Reboot 11 VALUE Acct-Terminate-Cause Port-Unneeded 12 VALUE Acct-Terminate-Cause Port-Preempted 13 VALUE Acct-Terminate-Cause Port-Suspended 14 VALUE Acct-Terminate-Cause Service-Unavailable 15 VALUE Acct-Terminate-Cause Callback 16 VALUE Acct-Terminate-Cause User-Error 17 VALUE Acct-Terminate-Cause Host-Request 18 This attribute indicates how the session was terminated, and can only be present in Accounting-Request records where the Acct- Status-Type is set to Stop. File: radius.info, Node: Radius Internal Attributes, Prev: Accounting Attributes, Up: Attribute List Radius Internal Attributes ========================== These are attributes, used by GNU Radius during the processing of a request. They are never returned to NAS. Mostly, they are used in matching rules. * Menu: * Auth-Type:: * Auth-Data:: * Menu:: * Termination-Menu:: * Prefix:: * Suffix:: * Group:: * Crypt-Password:: * Huntgroup-Name:: * Simultaneous-Use:: * Strip-User-Name:: * Fall-Through:: * Add-Port-To-IP-Address:: * Exec-Program:: * Exec-Program-Wait:: * Acct-Ext-Program:: * Hint:: * Pam-Auth:: * Login-Time:: * Replace-User-Name:: * Rewrite-Function:: * Match-Profile:: * Scheme-Procedure:: * Scheme-Acct-Procedure:: * Log-Mode-Mask:: * Acct-Type:: File: radius.info, Node: Auth-Type, Next: Auth-Data, Up: Radius Internal Attributes Auth-Type --------- ATTRIBUTE Auth-Type 1000 integer Users: `L-' Hints: `-R' Huntgroups: `-R' Additivity: Append Proxy propagated: No VALUE Auth-Type Local 0 VALUE Auth-Type System 1 VALUE Auth-Type Crypt-Local 3 VALUE Auth-Type Reject 4 VALUE Auth-Type SQL 252 VALUE Auth-Type Pam 253 VALUE Auth-Type Accept 254 This attribute tells the server which type of authentication to apply to a particular user. It can be used in LHS of the user's profile. *Note Authentication::. Radius interprets values of `Auth-Type' attribute as follows: `Local' The value of the `Password' attribute from the record is taken as a cleantext password and is compared against the `Password' value from the input packet. `System' This means that a user's password is stored in a system password type. Radius queries the operating system to determine if the username/password supplied in the incoming packet are OK. `Crypt-Local' The value of the `Password' attribute from the record is taken as an MD5 hash on the user's password. Radius generates MD5 hash on the supplied `Password' value and compares both strings. `Reject' Authentication fails. `Accept' Authentication succeeds. `SQL' `Mysql' The MD5-encrypted user's password is queried from the SQL database *Note SQL Auth::. `Mysql' is an alias maintained for compatibility with other versions of Radius. `Pam' The username/password combination is checked using PAM. File: radius.info, Node: Auth-Data, Next: Menu, Prev: Auth-Type, Up: Radius Internal Attributes Auth-Data --------- ATTRIBUTE Auth-Data 2006 string Users: `L-' Hints: `-R' Huntgroups: `-R' Additivity: Replace Proxy propagated: N/A The `Auth-Data' can be used to pass additional data to the authentication methods that need them. In version 0.96 of GNU Radius, this attribute may be used in conjunction with `SQL' and `Pam' authentication types. When used with `Pam' authentication type, this attribute holds the name of PAM service to use. This attribute is temporarily appended to the authentication request, so its value can be referenced to as `%C{Auth-Data}'. *Note Authentication Server Parameters::, for an example of of using `Auth-Data' attribute in `raddb/sqlserver': File: radius.info, Node: Menu, Next: Termination-Menu, Prev: Auth-Data, Up: Radius Internal Attributes Menu ---- ATTRIBUTE Menu 1001 string Users: `-R' Hints: `--' Huntgroups: `--' Additivity: Replace Proxy propagated: No This attribute should be used in the RHS. If it is used, it should be the only reply item. The `Menu' attribute specifies the name of the menu to be presented to the user. The corresponding menu code is looked up in `RADIUS_DIR/menus/' directory (*note menus file::). File: radius.info, Node: Termination-Menu, Next: Prefix, Prev: Menu, Up: Radius Internal Attributes Termination-Menu ---------------- ATTRIBUTE Termination-Menu 1002 string Users: `-R' Hints: `--' Huntgroups: `--' Additivity: Replace Proxy propagated: No This attribute should be used in the RHS. If it is used, it should be the only reply item. The `Termination-Menu' specifies the name of the menu file to be presented to the user after finishing his session. The corresponding menu code is looked up in `RADIUS_DIR/menus/' directory (*note menus file::). File: radius.info, Node: Prefix, Next: Suffix, Prev: Termination-Menu, Up: Radius Internal Attributes Prefix ------ ATTRIBUTE Prefix 1003 string Users: `L-' Hints: `L-' Huntgroups: `LR' Additivity: Append Proxy propagated: No The `Prefix' attribute indicates the prefix which the username should contain in order for a particular record in the profile to be matched. This attribute should be specified in LHS of the `users' or `hints' file. For example, if the `users' file contained: DEFAULT Prefix = "U", Auth-Type = System Service-Type = Login-User then usernames `Ugray' and `Uyoda' would match this record, whereas `gray' and `yoda' would not. Both `Prefix' and `Suffix' attributes may be specified in a profile. In this case the record is matched only if the username contains both prefix and suffix specified. *Note Suffix:: *Note Strip-User-Name:: File: radius.info, Node: Suffix, Next: Group, Prev: Prefix, Up: Radius Internal Attributes Suffix ------ ATTRIBUTE Suffix 1004 string Users: `L-' Hints: `L-' Huntgroups: `LR' Additivity: Append Proxy propagated: No The `Suffix' attribute indicates the suffix which the username should contain in order for a particular record in the profile to be matched. This attribute should be specified in LHS of the `users' or `hints' file. For example, if the `users' file contained: DEFAULT Suffix = ".ppp", Auth-Type = System, Strip-User-Name = Yes Service-Type = Framed-User, Framed-Protocol = PPP then usernames `gray.ppp' and `yoda.ppp' would match this record, whereas `gray' and `yoda' would not. Both `Prefix' and `Suffix' attributes may be specified in a profile. In this case the record is matched only if the username contains both prefix and suffix specified. *Note Prefix:: *Note Strip-User-Name:: File: radius.info, Node: Group, Next: Crypt-Password, Prev: Suffix, Up: Radius Internal Attributes Group ----- ATTRIBUTE Group 1005 string Users: `L-' Hints: `L-' Huntgroups: `LR' Additivity: Append Proxy propagated: No File: radius.info, Node: Crypt-Password, Next: Huntgroup-Name, Prev: Group, Up: Radius Internal Attributes Crypt-Password -------------- ATTRIBUTE Crypt-Password 1006 string Users: `L-' Hints: `--' Huntgroups: `--' Additivity: Append Proxy propagated: No This attribute is intended to be used in user's profile LHS. It specifies the MD5 hash of the user's password. When this attribute is present, Auth-Type = Crypt-Local is assumed. If both `Auth-Type' and `Crypt-Password' are present, the value of `Auth-Type' is ignored. *Note Auth-Type::. File: radius.info, Node: Huntgroup-Name, Next: Simultaneous-Use, Prev: Crypt-Password, Up: Radius Internal Attributes Huntgroup-Name -------------- ATTRIBUTE Huntgroup-Name 221 string Users: `L-' Hints: `-R' Huntgroups: `LR' Additivity: Append Proxy propagated: No The `Huntgroup-Name' can be used either in LHS of the `users' file record or in RHS of the `huntgroups' file record. When encountered in a LHS of a particular `users' profile, this attribute indicates the huntgroup name to be matched. Radius looks up the corresponding record in the `huntgroups' file. If such record is found, each A/V pair from its reply-list is compared against the corresponding pair from the request being processed. The request matches only if it contains all the attributes from the specified huntgroup, and their values satisfy the conditions listed in the huntgroup pairs. For example, suppose that the authentication request contained the following attributes: User-Name = "john", Password = "guess", NAS-IP-Address = 10.11.11.1, NAS-Port-Id = 24 Let us further suppose that the `users' file contains the following entry: john Huntgroup-Name = "users_group", Auth-Type = System Service-Type = Login and, finally, `huntgroups' contains the following entry: users_group NAS-IP-Address = 10.11.11.1 NAS-Port-Id < 32 Then the authentication request would succeed since it contains `NAS-Port-Id' attribute and its value is less than 32. *Note huntgroups file::. File: radius.info, Node: Simultaneous-Use, Next: Strip-User-Name, Prev: Huntgroup-Name, Up: Radius Internal Attributes Simultaneous-Use ---------------- ATTRIBUTE Simultaneous-Use 1034 integer Users: `L-' Hints: `-R' Huntgroups: `-R' Additivity: Append Proxy propagated: No This attribute specifies the maximum number of simultaneous logins a given user is permitted to have. When the user is logged in this number of times any surplus attempts to log in are rejected. *Note Checking Simultaneous Logins::. File: radius.info, Node: Strip-User-Name, Next: Fall-Through, Prev: Simultaneous-Use, Up: Radius Internal Attributes Strip-User-Name --------------- ATTRIBUTE Strip-User-Name 1035 integer Users: `LR' Hints: `LR' Huntgroups: `-R' Additivity: Append Proxy propagated: No VALUE Strip-User-Name No 0 VALUE Strip-User-Name Yes 1 The value of `Strip-User-Name' indicates whether Radius should strip any prefixes/suffixes specified in the user's profile from the user name. When set to `Yes' the usernames would be logged and accounted without any prefixes/suffixes. A user may have several usernames for different kind of services. In this case differentiating the usernames by their prefixes and stripping them off before accounting would help keeping accounting records consistent. For example, let's suppose the `users' file contains: DEFAULT Suffix = ".ppp", Strip-User-Name = Yes, Auth-Type = SQL Service-Type = Framed-User, Framed-Protocol = PPP DEFAULT Suffix = ".slip", Strip-User-Name = Yes, Auth-Type = SQL Service-Type = Framed-User, Framed-Protocol = SLIP Now, user `johns' having a valid account in SQL database logs in as `johns.ppp'. He then is provided the PPP service, and his PPP session is accounted under username `johns'. Later on, he logs in as `johns.slip'. In this case he is provided the SLIP service and again his session is accounted under his real username `johns'. File: radius.info, Node: Fall-Through, Next: Add-Port-To-IP-Address, Prev: Strip-User-Name, Up: Radius Internal Attributes Fall-Through ------------ ATTRIBUTE Fall-Through 1036 integer Users: `LR' Hints: `LR' Huntgroups: `--' Additivity: Append Proxy propagated: No VALUE Fall-Through No 0 VALUE Fall-Through Yes 1 The `Fall-Through' attribute should be used in reply-list. If its value is set to `Yes' in a particular record, it indicates to Radius that it should continue looking up another records even when this record matches the request. It can be used to provide default values for several profiles. Consider the following example. Let's suppose the `users' file contains the following: johns Auth-Type = SQL Framed-IP-Address = 11.10.10.251, Fall-Through = Yes smith Auth-Type = SQL Framed-IP-Address = 11.10.10.252, Fall-Through = Yes DEFAULT NAS-IP-Address = 11.10.10.1 Service-Type = Framed-User, Framed-Protocol = PPP Then after successful matching of a particular user's record, the matching will continue until it finds the DEFAULT entry, which would add its RHS to the reply pairs for this request. The effect is, that if user `johns' authenticates successfully it gets the following reply pairs: Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 11.10.10.251 whereas user `smith' gets Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 11.10.10.252 _Please note_ that the attribute `Fall-Through' itself is never returned to the NAS. File: radius.info, Node: Add-Port-To-IP-Address, Next: Exec-Program, Prev: Fall-Through, Up: Radius Internal Attributes Add-Port-To-IP-Address ---------------------- ATTRIBUTE Add-Port-To-IP-Address 1037 integer Users: `-R' Hints: `-R' Huntgroups: `--' Additivity: Replace Proxy propagated: No VALUE Add-Port-To-IP-Address No 0 VALUE Add-Port-To-IP-Address Yes 1 If this attribute is present in the RHS and has the value of `Yes', then the value of `NAS-Port-Id' attribute from the authentication request will be added to the value of `Framed-IP-Address' attribute from the RHS, and resulting value will be returned in `Framed-IP-Address' attribute to the NAS. This provides the simplest form of organizing IP address pools. This attribute is implicitly added to the RHS when the value of a `Framed-IP-Address' attribute ends with `+' sign. For example the following: Framed-IP-Address = 10.10.0.1+ is equivalent to Framed-IP-Address = 10.10.0.1, Add-Port-To-IP-Address = Yes File: radius.info, Node: Exec-Program, Next: Exec-Program-Wait, Prev: Add-Port-To-IP-Address, Up: Radius Internal Attributes Exec-Program ------------ ATTRIBUTE Exec-Program 1038 string Users: `-R' Hints: `--' Huntgroups: `--' Additivity: Replace Proxy propagated: No When present in RHS, the `Exec-Program' attribute specifies the full pathname and arguments for the program to be executed when the entry matches. The command line can reference any attributes from both check and reply pairlists using attribute macros (*note Macro Substitution::). Before the execution of the program `radiusd' switches to uid and gid of user `daemon', group `daemon'. You can override these defaults by setting variables `exec-program-user' and `exec-program-group' in configuration file to proper values *Note The option statement: option. The daemon does not wait for the process to terminate. Example ------- Suppose the `users' file contains the following entry: DEFAULT Auth-Type = System, Simultaneous-Use = 1 Exec-Program = "/usr/local/sbin/logauth \ %C{User-Name} \ %C{Calling-Station-Id}" Then, upon successful matching, the program `/usr/local/sbin/logauth' will be executed. It will get as its arguments the values of `User-Name' and `Calling-Station-Id' attributes from the request pairs. File: radius.info, Node: Exec-Program-Wait, Next: Acct-Ext-Program, Prev: Exec-Program, Up: Radius Internal Attributes Exec-Program-Wait ----------------- ATTRIBUTE Exec-Program-Wait 1039 string Users: `-R' Hints: `--' Huntgroups: `--' Additivity: Replace Proxy propagated: No When present in RHS, the `Exec-Program-Wait' attribute specifies the full pathname and arguments for the program to be executed when the entry matches. The command line can reference any attributes from both check and reply pairlists using attribute macros *Note Macro Substitution::. Before the execution of the program `radiusd' switches to uid and gid of user `daemon', group `daemon'. You can override these defaults by setting variable `exec-program-user' in configuration file to a proper value. *Note The option statement: option. The daemon will wait until the program terminates. The return value of its execution determines whether the entry matches. If the program exits with a non-zero code then the match fails. If it exits with a zero code, the match succeeds. In this case the standard output of the program is read and parsed as if it was a pairlist. The attributes thus obtained are added to the entry's reply attributes. Example ------- Suppose the `users' file contains the following entry: DEFAULT Auth-Type = System, Simultaneous-Use = 1 Exec-Program-Wait = "/usr/local/sbin/telauth \ %C{User-Name} \ %C{Calling-Station-Id}" Then, upon successful matching, the program `/usr/local/sbin/telauth' will be executed. It will get as its arguments the values of `User-Name' and `Calling-Station-Id' attributes from the request pairs. The `/usr/local/sbin/telauth' can, for example, contain the following: #! /bin/sh DB=/var/db/userlist if grep "$1:$2" $DB; then echo "Service-Type = Login," echo "Session-Timeout = 1200" exit 0 else echo "Reply-Message = \"You are not authorized to log in\"" exit 1 fi It is assumed that `/var/db/userlist' contains a list of `username':`caller-id' pairs for those users that are authorized to use login service. File: radius.info, Node: Acct-Ext-Program, Next: Hint, Prev: Exec-Program-Wait, Up: Radius Internal Attributes Acct-Ext-Program ---------------- ATTRIBUTE Acct-Ext-Program 2008 string Users: `--' Hints: `-R' Huntgroups: `--' Additivity: Replace Proxy propagated: N/A The `Acct-Ext-Program' attribute can be used in RHS of an `raddb/hints' entry to specify the full path and attributes of an external program to be executed for each accounting request. The command line can reference any attributes from both check and reply pairlists using attribute macros (*note Macro Substitution::). Before the execution of the program `radiusd' switches to uid and gid of user `daemon', group `daemon'. You can override these defaults by setting variables `exec-program-user' and `exec-program-group' in configuration file to proper values *Note The option statement: option. The accounting program must exit with status 0 to indicate a successive accounting. File: radius.info, Node: Hint, Next: Pam-Auth, Prev: Acct-Ext-Program, Up: Radius Internal Attributes Hint ---- ATTRIBUTE Hint 1040 string Users: `L-' Hints: `-R' Huntgroups: `-R' Additivity: Append Proxy propagated: No Use `Hint' attribute to specify additional matching criterium depending on the hint (*note hints file::). Let the `hints' contain: DEFAULT Prefix = "S", Strip-User-Name = No Hint = "SLIP" and the `users' file contain: DEFAULT Hint = "SLIP", NAS-IP-Address = 11.10.10.12, Auth-Type = System Service-Type = Framed-User, Framed-Protocol = SLIP Then any user having a valid system account and coming from NAS `11.10.10.12' will be provided SLIP service if his username starts with `S'. File: radius.info, Node: Pam-Auth, Next: Login-Time, Prev: Hint, Up: Radius Internal Attributes Pam-Auth -------- ATTRIBUTE Pam-Auth 1041 string Users: `L-' Hints: `-R' Huntgroups: `-R' Additivity: Append Proxy propagated: No The `Pam-Auth' attribute can be used in conjunction with Auth-Type = Pam to supply the PAM service name instead of the default `radius'. It is ignored if `Auth-Type' attribute is not set to `Pam'. File: radius.info, Node: Login-Time, Next: Replace-User-Name, Prev: Pam-Auth, Up: Radius Internal Attributes Login-Time ---------- ATTRIBUTE Login-Time 1042 string Users: `L-' Hints: `--' Huntgroups: `--' Additivity: Append Proxy propagated: No The `Login-Time' attribute specifies the time range when the user is allowed to log in. The attribute should be specified in LHS. Format of the `Login-Time' string is the same as that of UUCP time ranges. The following description of time range format is adopted from the documentation for Taylor UUCP package: A time string may be a list of simple time strings separated with a vertical bar `|' or a comma `,'. Each simple time string must begin either with a day of week abbreviation (one of: `Su', `Mo', `Tu', `We', `Th', `Fr', or `Sa'), or `Wk' for any day between Monday and Friday inclusive, or `Any' or `Al' for any day. Following the day may be a range of hours separated with a hyphen using 24 hour time. The range of hours may cross 0; for example `2300-0700' means any time except 7 AM to 11 PM. If no time is given, calls may be made at any time on the specified day(s). The time string may also be the single word `Never', which does not match any time. Here are a few sample time strings with an explanation of what they mean. `Wk2305-0855,Sa,Su2305-1655' This means weekdays before 8:55 AM or after 11:05 PM, any time Saturday, or Sunday before 4:55 PM or after 11:05 PM. These are approximately the times during which night rates apply to phone calls in the U.S.A. Note that this time string uses, for example, `2305' rather than `2300'; this will ensure a cheap rate phone call even if the computer clock is running up to five minutes ahead of the real time. `Wk0905-2255,Su1705-2255' This means weekdays from 9:05 AM to 10:55 PM, or Sunday from 5:05 PM to 10:55 PM. This is approximately the opposite of the previous example. `Any' This means any day. Since no time is specified, it means any time on any day. File: radius.info, Node: Replace-User-Name, Next: Rewrite-Function, Prev: Login-Time, Up: Radius Internal Attributes Replace-User-Name ----------------- ATTRIBUTE Replace-User-Name 2001 string Users: `LR' Hints: `LR' Huntgroups: `--' Additivity: Append Proxy propagated: No VALUE Replace-User-Name No 0 VALUE Replace-User-Name Yes 1 Use this attribute to modify username from the incoming packet. The `Replace-User-Name' can reference any attributes from both LHS and RHS pairlists using attribute macros *Note Macro Substitution::. For example the following `users' entry guest NAS-IP-Address = 11.10.10.11, Calling-Station-Id != "" Auth-Type = Accept Replace-User-Name = "guest#%C{Calling-Station-Id}", Service-Type = Framed-User, Framed-Protocol = PPP Allows usage of PPP service for username guest, coming from NAS `11.10.10.11' with non-empty `Calling-Station-Id' attribute. The string consisting of `#' character followed by `Calling-Station-Id' value is appended to the username. File: radius.info, Node: Rewrite-Function, Next: Match-Profile, Prev: Replace-User-Name, Up: Radius Internal Attributes Rewrite-Function ---------------- ATTRIBUTE Rewrite-Function 2004 string Users: `LR' Hints: `LR' Huntgroups: `LR' Additivity: Append Proxy propagated: No The `Rewrite-Function' attribute specifies the name of the rewriting function to be applied to the request. The attribute may be specified in either pairlist in the entries of `hints' or `huntgroups' configuration files. The corresponding function should be defined in `rewrite' as integer NAME() i.e. it should return integer value and should not take any arguments. *Note Packet rewriting rules: rewrite file. *Note hints file::. *Note huntgroups file::. File: radius.info, Node: Match-Profile, Next: Scheme-Procedure, Prev: Rewrite-Function, Up: Radius Internal Attributes Match-Profile ------------- ATTRIBUTE Match-Profile 2004 string Users: `LR' Hints: `-R' Huntgroups: `-R' Additivity: Append Proxy propagated: No The Match-Profile attribute can be used in LHS and RHS lists of a user profile. Its value is the name of another user's profile (target profile). When Match-Profile is used in the LHS, the incoming packet will match this profile only if it matches the target profile. In this case the reply pairs will be formed concatenating the RHS lists from both profiles. When used in RHS, this attribute causes the reply pairs from the target profile to be appended to the reply from the current profile if the target profile matches the incoming request. For example: IPPOOL NAS-IP-Address = 10.10.10.1 Framed-Protocol = PPP, Framed-IP-Address = "10.10.10.2" IPPOOL NAS-IP-Address = 10.10.11.1 Framed-Protocol = PPP, Framed-IP-Address = "10.10.11.2" guest Auth-Type = SQL Service-Type = Framed-User, Match-Profile = IPPOOL In this example, when user "guest" comes from NAS `10.10.10.1' he is assigned IP address `10.10.10.2', otherwise if he is coming from NAS `10.10.11.1' he is assigned IP address `10.10.11.2'. File: radius.info, Node: Scheme-Procedure, Next: Scheme-Acct-Procedure, Prev: Match-Profile, Up: Radius Internal Attributes Scheme-Procedure ---------------- ATTRIBUTE Scheme-Procedure 2009 string Users: `-R' Hints: `--' Huntgroups: `--' Additivity: Append Proxy propagated: N/A The `Scheme-Procedure' attribute is used to set the name of Scheme authentication procedure. *Note Authentication with Scheme::, for the information about how to write Scheme authentication procedures. File: radius.info, Node: Scheme-Acct-Procedure, Next: Log-Mode-Mask, Prev: Scheme-Procedure, Up: Radius Internal Attributes Scheme-Acct-Procedure --------------------- ATTRIBUTE Scheme-Acct-Procedure 2010 string Users: `--' Hints: `-R' Huntgroups: `--' Additivity: Replace Proxy propagated: N/A The `Scheme-Acct-Procedure' attribute is used to set the name of Scheme accounting procedure. *Note Accounting with Scheme::, for the information about how to write Scheme accounting procedures. File: radius.info, Node: Log-Mode-Mask, Next: Acct-Type, Prev: Scheme-Acct-Procedure, Up: Radius Internal Attributes Log-Mode-Mask ------------- ATTRIBUTE Log-Mode-Mask 2007 integer Users: `L-' Hints: `-R' Huntgroups: `-R' Additivity: Append Proxy propagated: N/A VALUE Log-Mode-Mask Log-Auth 1 VALUE Log-Mode-Mask Log-Auth-Pass 2 VALUE Log-Mode-Mask Log-Failed-Pass 4 VALUE Log-Mode-Mask Log-Pass 6 VALUE Log-Mode-Mask Log-All 7 `Log-Mode-Mask' is used to control the verbosity of authentication log messages for given user or class of users. The meaning of its values is: `Log-Auth' Do not log successful authentications. `Log-Auth-Pass' Do not show password with the log message from a successful authentication. `Log-Failed-Pass' Do not show failed password. `Log-Pass' Do not show plaintext password, either failed or succeeded. `Log-All' Do not log authentications at all. Technical details: After authentication, the server collects all `Log-Mode-Mask' attributes from the incoming request and LHS of the user's entry. The values of these attributes OR'ed together form a mask which is applied via XOR operation to the current log mode. The value thus obtained is used as effective log mode. File: radius.info, Node: Acct-Type, Prev: Log-Mode-Mask, Up: Radius Internal Attributes Acct-Type --------- ATTRIBUTE Acct-Type 2003 integer Users: `L-' Hints: `-R' Huntgroups: `-R' Additivity: Append Proxy propagated: N/A VALUE Acct-Type None 0 VALUE Acct-Type System 1 VALUE Acct-Type Detail 2 VALUE Acct-Type SQL 3 The `Acct-Type' allows to control which accounting methods must be used for a given user or a group of users. In the absense of this attribute, all currently enabled accounting types are used. *Note Accounting::, for more information about accounting types. File: radius.info, Node: Bugs, Next: Info, Up: Top Reporting Bugs ************** It is possible you will encounter a bug in one of Radius programs. If this happens we would like to hear about it. As the purpose of bug reporting is to improve software, please be sure to include maximum information when reporting a bug. The information needed is: * Conditions under which the bug appears. * Version of the package you are using. * Compilation options used when configuring the package. * If the bug is found in `radiusd' daemon, run `radiusd -v' and include the output it produces. * Contents of radius configuration directory (/usr/local/etc/raddb or whatever you have set it to while configuring). * Log messages produced. Send your report to . Allow me a couple of days to answer. File: radius.info, Node: Info, Prev: Bugs, Up: Top Where to Get Info About GNU Radius ********************************** The two places to look for any news regarding GNU Radius are the Radius homepage at , and the Radius project page at . The following mailing lists are related to GNU Radius: This list distributes announcements and progress reports on GNU Radius. This is a moderated list. Please, do not send bug reports or requests for help to this list, there exist special mailing lists for these purposes. To subscribe to the list, visit . This list is the place for users and installers of GNU Radius to ask for help. The list is not moderated, but postings are allowed for list members only. To subscribe to the list, visit . This list distributes bug reports, bugfixes, and suggestions for improvements in Radius. User discussion of Radius bugs also occurs here. The list is not moderated, postings are allowed for anybody. To subscribe to the list, visit . File: radius.info, Node: Program Index, Next: Keyword Index, Up: Top Program Index ************* * Menu: * buildbm: Builddbm. * nas.scm: nas.scm. * pam_radius.so: pam_radius.so. * radauth: Radauth. * radctl: Radctl. * radgrep: Radgrep. * radiusd: Invocation. * radlast: Radlast. * radlast, options: radlast options. * radping: Radping. * radscm: Radscm. * radsession: radsession. * raduse: Raduse. * radwho: Radwho. * radzap: Radzap. File: radius.info, Node: Keyword Index, Next: Example Index, Prev: Program Index, Up: Top Keyword Index ************* * Menu: * $INCLUDE (dictionary): $INCLUDE. * access-denied: message. * account-closed: message. * acct statement: acct. * acct-dir: option. * acl: snmp. * allow: snmp. * ATTRIBUTE: ATTRIBUTE. * auth: auth. * category: category. * channel <1>: channel. * channel: category. * checkrad-assume-logged: auth. * community: snmp. * debug: guile. * deny: snmp. * detail <1>: acct. * detail: auth. * exec-program-user: option. * file: channel. * guile: guile. * ident: snmp. * level: category. * listen <1>: acct. * listen: auth. * load: guile. * load-path: guile. * log-dir: option. * logging: logging. * max-requests <1>: snmp. * max-requests <2>: proxy. * max-requests <3>: acct. * max-requests <4>: auth. * max-requests: option. * message: message. * multiple-login: message. * network: snmp. * option: option. * password-expire-warning <1>: message. * password-expire-warning: auth. * password-expired: message. * port <1>: snmp. * port <2>: acct. * port: auth. * print-auth: category. * print-category: channel. * print-cons: channel. * print-failed-pass: category. * print-level: channel. * print-pass: category. * print-pid: channel. * print-priority: channel. * proxy: proxy. * realm-quota: message. * request-cleanup-delay <1>: snmp. * request-cleanup-delay <2>: proxy. * request-cleanup-delay <3>: acct. * request-cleanup-delay: auth. * second-login: message. * snmp: snmp. * source-ip: option. * spawn <1>: snmp. * spawn <2>: acct. * spawn: auth. * strip-names: auth. * syslog: channel. * time-to-live <1>: snmp. * time-to-live <2>: acct. * time-to-live: auth. * timespan-violation: message. * usedbm: usedbm. * username-chars: option. * VALUE: VALUE. * VENDOR: VENDOR. File: radius.info, Node: Example Index, Next: Variable Index, Prev: Keyword Index, Up: Top Examples Index ************** * Menu: * Analyzing SNMP output: Examples of login verification functions. * Checking UNIX finger output: Examples of login verification functions. * client.conf: config. * clients file: clients example. * Guest accounts, setting up: Accept Auth. * hints file: hints example. * huntgroups file: huntgroups example. * Invoking Scheme authentication function: Authentication with Scheme. * IP pools for MAX Ascend: Attribute Creation Functions. * logging statement: logging example. * Login verification functions: Examples of login verification functions. * menus file: menu example. * naslist file: naslist example. * nastypes file: nastypes example. * realms file: realms example. * Rewrite functions: Rewrite Examples. * Scheme accounting function: Accounting with Scheme. * Scheme authentication function: Authentication with Scheme. * Scheme authentication function, invocation: Authentication with Scheme. * users file: users example. File: radius.info, Node: Variable Index, Next: Attribute Index, Prev: Example Index, Up: Top Index of Functions and Variables ******************************** * Menu: * %raddb-path: Radscm. * acct-function-name: Accounting with Scheme. * auth-function: Authentication with Scheme. * avl-delete: Radius-Specific Functions. * avl-match?: Radius-Specific Functions. * avl-merge: Radius-Specific Functions. * dict-entry: Radius-Specific Functions. * index: Built-in Functions. * length: Built-in Functions. * logit: Built-in Functions. * rad-add-server: Radscm. * rad-client-add-server: Radscm. * rad-client-list-servers: Radscm. * rad-client-retry: Radscm. * rad-client-set-server: Radscm. * rad-client-source-ip: Radscm. * rad-client-timeout: Radscm. * rad-closelog: Radius-Specific Functions. * rad-dict-name->attr: Radius-Specific Functions. * rad-dict-name->value: Radius-Specific Functions. * rad-dict-pec->vendor: Radius-Specific Functions. * rad-dict-value->name: Radius-Specific Functions. * rad-format-code: Radscm. * rad-format-pair: Radscm. * rad-format-reply-msg: Radscm. * rad-get-server: Radscm. * rad-list-servers: Radscm. * rad-log-close: Radius-Specific Functions. * rad-log-open: Radius-Specific Functions. * rad-openlog: Radius-Specific Functions. * rad-print-pairs: Radscm. * rad-read-no-echo: Radscm. * rad-rewrite-execute: Radius-Specific Functions. * rad-rewrite-execute-string: Radius-Specific Functions. * rad-select-server: Radscm. * rad-send: Radscm. * rad-send-internal: Radscm. * rad-server-list: Radscm. * rad-syslog: Radius-Specific Functions. * rad-utmp-putent: Radius-Specific Functions. * rindex: Built-in Functions. * substr: Built-in Functions. * utmp-entry: Radius-Specific Functions. File: radius.info, Node: Attribute Index, Next: Concept Index, Prev: Variable Index, Up: Top Attribute Index *************** * Menu: * Acct-Authentic: Acct-Authentic. * Acct-Delay-Time: Acct-Delay-Time. * Acct-Ext-Program: Acct-Ext-Program. * Acct-Input-Octets: Acct-Input-Octets. * Acct-Input-Packets: Acct-Input-Packets. * Acct-Output-Octets: Acct-Output-Octets. * Acct-Output-Packets: Acct-Output-Packets. * Acct-Session-Id: Acct-Session-Id. * Acct-Session-Time: Acct-Session-Time. * Acct-Status-Type: Acct-Status-Type. * Acct-Terminate-Cause: Acct-Terminate-Cause. * Acct-Type: Acct-Type. * Add-Port-To-IP-Address: Add-Port-To-IP-Address. * Auth-Data: Auth-Data. * Auth-Type: Auth-Type. * Callback-Id: Callback-Id. * Callback-Number: Callback-Number. * Called-Station-Id: Called-Station-Id. * Calling-Station-Id: Calling-Station-Id. * CHAP-Password: CHAP-Password. * Class: Class. * Crypt-Password: Crypt-Password. * Exec-Program: Exec-Program. * Exec-Program-Wait: Exec-Program-Wait. * Fall-Through: Fall-Through. * Framed-Compression: Framed-Compression. * Framed-IP-Address: Framed-IP-Address. * Framed-IP-Netmask: Framed-IP-Netmask. * Framed-MTU: Framed-MTU. * Framed-Protocol: Framed-Protocol. * Framed-Route: Framed-Route. * Framed-Routing: Framed-Routing. * Group: Group. * Hint: Hint. * Huntgroup-Name: Huntgroup-Name. * Idle-Timeout: Idle-Timeout. * Log-Mode-Mask: Log-Mode-Mask. * Login-Time: Login-Time. * Match-Profile: Match-Profile. * Menu: Menu. * NAS-Identifier: NAS-Identifier. * NAS-IP-Address: NAS-IP-Address. * NAS-Port-Id: NAS-Port-Id. * NAS-Port-Type: NAS-Port-Type. * Pam-Auth: Pam-Auth. * Password: Password. * Prefix: Prefix. * Replace-User-Name: Replace-User-Name. * Reply-Message: Reply-Message. * Rewrite-Function: Rewrite-Function. * Scheme-Acct-Procedure: Scheme-Acct-Procedure. * Scheme-Procedure: Scheme-Procedure. * Service-Type: Service-Type. * Session-Timeout: Session-Timeout. * Simultaneous-Use: Simultaneous-Use. * State: State. * Strip-User-Name: Strip-User-Name. * Suffix: Suffix. * Termination-Action: Termination-Action. * Termination-Menu: Termination-Menu. * User-Name: User-Name. * Vendor-Specific: Vendor-Specific. File: radius.info, Node: Concept Index, Prev: Attribute Index, Up: Top Concept Index ************* * Menu: * A/V pair <1>: Attributes. * A/V pair: Glossary. * Accept Authentication Type: Accept Auth. * access.deny file: access.deny file. * Accounting directory: Naming Conventions. * Accounting requests: Accounting Requests. * Accounting service parameters: acct. * Accounting Types: Accounting. * Accounting with Scheme: Accounting with Scheme. * Additivity of an attribute: Attributes. * Attribute <1>: Attributes. * Attribute: Glossary. * Attribute-Value pair <1>: Attributes. * Attribute-Value pair: Glossary. * Authentication: User Profiles. * Authentication requests: Authentication Requests. * Authentication service parameters: auth. * Authentication with Scheme: Authentication with Scheme. * Built-in functions, Rewrite: Built-in Functions. * CHAP: Local Password Auth. * Checking Simultaneous Logins: Checking Simultaneous Logins. * Client Configuration: config. * Client Package: Client Package. * client.conf: config. * clients file: clients file. * Configuration directory: Naming Conventions. * Configuration files (radiusd): Configuration Files. * Custom Accounting Types: Custom Acct. * Custom Authentication Types: Custom Auth. * Customizing accounting service: acct. * Customizing authentication server: auth. * Customizing proxy server: proxy. * Customizing Radiusd Guile interface: guile. * Customizing reply messages: message. * Customizing SNMP server: snmp. * Data types, Rewrite: Data types. * DBM: enabling: usedbm. * Debugging: Debugging. * Declarations, Rewrite: Declarations. * Deleting hung user sessions: Radzap. * Detailed Request Accounting: Detailed Request Accounting. * Dial-In user: Glossary. * Dial-Up user: Glossary. * dictionary file: dictionary file. * Disabling user accounts: Reject Auth. * Display, raduse: raduse display. * Enabling DBM: usedbm. * Encrypted Password Authentication Type: Encrypted Password Auth. * Extensions: Extensions. * Guest accounts, setting up: Accept Auth. * Guile: Guile. * Guile interface: Radscm. * Guile interface configuration: guile. * Guile, representation of Radius data: Data Representation. * Hints <1>: hints file. * Hints: Hints. * hints file: hints file. * Huntgroups <1>: huntgroups file. * Huntgroups: Huntgroups. * huntgroups file: huntgroups file. * Identifiers, Rewrite: Identifiers. * Invoking the radius daemon: Invocation. * Label, Matching Rule: Matching Rule. * LHS, Matching Rule: Matching Rule. * Local Password Auth: Local Password Auth. * Log directory: Naming Conventions. * Logging: Logging. * Logging category: category. * Logging channel: channel. * Logging, config statement: logging. * Matching Rule: Matching Rule. * MAX Ascend, broken passwords: naslist file. * menu, syntax: menu syntax. * menus, configuration subdirectory: menus file. * Messages: configuring: message. * Naming conventions: Naming Conventions. * NAS <1>: Operation. * NAS: Glossary. * NAS types, standard: Predefined NAS Types. * naslist file: naslist file. * nastypes file: nastypes file. * nastypes file, syntax of: nastypes syntax. * Network Access Server <1>: Operation. * Network Access Server: Glossary. * NOREALM, special realm name: realms file. * PAM Authentication Type: PAM Auth. * Processing requests: Request processing. * Propagation of an attribute: Attributes. * Properties of an attribute: Attributes. * Proxy Service: Proxy Service. * Proxy service parameters: proxy. * Proxying: Proxying. * radacct, accounting directory: Naming Conventions. * raddb: Naming Conventions. * raddb/access.deny file: access.deny file. * raddb/client.conf: config. * raddb/clients file: clients file. * raddb/config file: config file. * raddb/hints file: hints file. * raddb/huntgroups file: huntgroups file. * raddb/menus, configuration subdirectory: menus file. * raddb/naslist file: naslist file. * raddb/realms file: realms file. * raddb/rewrite, configuration file: rewrite file. * raddb/sqlserver file.: sqlserver file. * raddb/users file: users file. * Radius daemon invocation: Invocation. * Radius dictionary: dictionary file. * Radius-Specific Scheme Functions: Radius-Specific Functions. * Radiusd configuration: config file. * Radiusd configuration files: Configuration Files. * radlog: Naming Conventions. * raduse display: raduse display. * raduse, command line options: raduse options. * radwho, command line options: radwho options. * Realms: Realms. * realms file: realms file. * Reject Authentication Type: Reject Auth. * Request: Requests. * Requests, accounting: Accounting Requests. * Requests, authentication: Authentication Requests. * Rewrite: Rewrite. * Rewrite identifiers: Identifiers. * Rewrite, applying functions: Interaction with Radius. * Rewrite, attribute creation functions: Attribute Creation Functions. * rewrite, configuration file: rewrite file. * Rewrite, data types: Data types. * Rewrite, login verification functions: Login Verification Functions. * Rewrite, quick start introduction: Quick Start. * Rewrite, symbols: Symbols. * Rewrite, syntax of the language: Full Syntax Description. * Rewrite, syntax overview: Syntax Overview. * Rewrite, usage: Interaction with Radius. * Rewriting incoming requests: Rewriting Incoming Requests. * RHS, Matching Rule: Matching Rule. * Run-time options (radiusd): option. * Service: Glossary. * Session: Glossary. * Session ID: Glossary. * Simultaneous logins, checking for: Checking Simultaneous Logins. * SNMP service parameters: snmp. * SQL Accounting: SQL Accounting. * SQL accounting query templates: Queries. * SQL accounting query templates, writing of: Queries. * SQL Authentication Type: SQL Auth. * sqlserver file.: sqlserver file. * Statements, Rewrite: Statements. * Symbols, Rewrite: Symbols. * Syntax of nastypes: nastypes syntax. * System Authentication Type: System Auth. * UNIX Accounting: UNIX Accounting. * User Profiles: User Profiles. * users file: users file. * Utility Programs: Utility Programs. * Writing SQL accounting query templates: Queries.