Here are some notes about the RADIUS extension to ipppd.

1. The current extensions are based on Lars's radiusclient-0.3-alpha-4. Don't be
scared by the "alpha" in the name. Before enabling the RADIUS features in the
configuration, please install it. You can find more information at
http://www.cityline.net/~lf/radius/ and get the libraries at
ftp://ftp.cityline.net/pub/systems/linux/network/radiusclient

2. When compiled with RADIUS support, ipppd needs the libradiusclient.so shared
library installed in an appropriate library path. If you prefer static
libraries, put -static in the Makefile.

3. In "make config" you will find a few new options under:

Options for ipppd --->
[ ] Support for RADIUS protocol
[ ] Support for RADIUS wtmp logging
"" radiusclient config file path
[ ] Support for parsing .TTY file first

"Support for RADIUS protocol" and "radiusclient config file path" are
mandatory if you want to work with a RADIUS server. The config file path for
an unchanged radiusclient library is /usr/local/lib/radiusclient/radiusclient.conf

"RADIUS wtmp logging" also logs into the wtmp database, so one can see
logged-in users with w and other tools.

"Support for parsing .TTY file first" has no meaning in ipppd, since parsing
of files with a tty suffix is disabled by default.

4. How does it work:
There are two new important options for using RADIUS:
- radius
- radacct
The first (radius) enables authentication through a RADIUS server.
The second (radacct) enables accounting through a RADIUS server.

These options are independent of each other, so specifying only radius
will enable ONLY authentication and not accounting.

There is also one less important option:
- session-limit
With this option one can limit the session time unconditionally. It was
introduced for the case where the RADIUS server specifies a session limit
for a specific user.

5. Setup
There are some important issues when invoking ipppd. One should always
specify IP addresses on the command line. If not, static IP assignment via
the RADIUS server will not work correctly (the remote IP address will stay
unchanged and the next user will get someone else's static IP).

If one uses the proxy arp feature and has a subnet for the ippp connection,
one should also specify the netmask on the command line.

6. Notes on accounting
This version sends all basic information needed by a RADIUS accounting server
plus:

- Input-octets
- Input-packets
- Output-octets
- Output-packets
- Caller-station-id
- NAS-port-type = ISDN-SYNC

In order to get traffic information one should have the kernel compiled with
IP accounting.

When the accounting-START record is sent to RADIUS, accounting rules for the
used ippp interface are inserted into the accounting chain.

When the accounting-STOP record is to be sent to RADIUS, the information from
the above-mentioned accounting rules is read and the rules are deleted from
the accounting chain.

So no admin setup is necessary for this to work. However, there are some
things to remember. If someone manually zeroes the accounting information,
the IP traffic measurement for the session won't be accurate. (Unfortunately,
with the current implementation all information in the accounting chain is
zeroed when one issues the command ipfwadm -A -z.)
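As an added example that is not part of these notes, a small POSIX sh check that inspects an ipppd command line against the points in sections 4 and 5: radius without radacct gives authentication only, IP addresses must be given as local:remote, and proxyarp on a subnetted link calls for a netmask. The function name check_ipppd_args and the sample addresses are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the ipppd sources): lint an ipppd argument list
# before starting the daemon. Prints one line per finding and returns 0
# when the command line satisfies the setup notes, 1 otherwise.
check_ipppd_args() {
    has_radius=0; has_radacct=0; has_ips=0; has_proxyarp=0; has_netmask=0
    rc=0
    for arg in "$@"; do
        case "$arg" in
            radius)   has_radius=1 ;;
            radacct)  has_radacct=1 ;;
            proxyarp) has_proxyarp=1 ;;
            netmask)  has_netmask=1 ;;   # value follows as the next argument
            *:*)      has_ips=1 ;;       # local:remote address pair
        esac
    done
    # Section 4: the two options are independent; radius alone means no accounting.
    if [ "$has_radius" -eq 1 ] && [ "$has_radacct" -eq 0 ]; then
        echo "note: radius without radacct: authentication only, no RADIUS accounting"
    fi
    # Section 5: addresses must always be on the command line, otherwise a
    # static IP assigned by the RADIUS server can leak to the next caller.
    if [ "$has_ips" -eq 0 ]; then
        echo "error: no local:remote IP addresses on the command line"
        rc=1
    fi
    # Section 5: proxy arp with a subnet needs an explicit netmask.
    if [ "$has_proxyarp" -eq 1 ] && [ "$has_netmask" -eq 0 ]; then
        echo "error: proxyarp given without netmask"
        rc=1
    fi
    return $rc
}

# Example invocation (constructed addresses):
# check_ipppd_args /dev/ippp0 192.168.1.1:192.168.1.2 radius radacct
```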