SMIT Help Information for RADIUS Server

"Note: The information contained in this article is structured as help information for the System Management Interface Tool (SMIT) and is not intended for use as a procedural or conceptual article."

Configure Server

Specify the parameters to be used for a Remote Authentication Dial-In User Service (RADIUS) Server. This action allows you to change the way the RADIUS server operates. The values are written to the RADIUS configuration file, /etc/radius/radiusd.conf.


Configure Clients

Provides a menu that allows you to:

This information is stored in the /etc/radius/clients file. This file contains sensitive security information. Precautions should be taken to secure access to this file.


Configure Users

Provides a menu that allows you to add or modify network users that will be authenticated on the network. Users can be defined in the UNIX database, local low-end database, or in LDAP.


Configure Proxy Rules

Provides a menu that allows you to add or modify proxy rules. Proxy rules determine whether the RADIUS access request is processed by the local RADIUS server or sent to another RADIUS server on the network.


Advanced Server Configuration

Allows you to configure system-wide RADIUS server authorization policies and attributes.


Start RADIUS Server Daemons

Start the Remote Authentication Dial-In User Service (RADIUS) server daemons. This option starts the authentication and accounting activities between the server and the clients.


Stop RADIUS Server Daemons

Stop the Remote Authentication Dial-In User Service (RADIUS) server daemons. This option stops the authentication and accounting activities between the server and the clients.


RADIUS Directory

The path of the Remote Authentication Dial-In User Service (RADIUS) directory. This is the path to the directory where the RADIUS daemon configuration files are stored. The default is /etc/radius.


Database Location

Select the type of server on which to store the user information:


Local AVL Database File Name

Type the file name and extension of the local available database. For example: dbdata.bin. This is used when the Database_Location is configured as "local".


Local Accounting

Turn local accounting on or off. Accounting information is only saved when local accounting is turned on. When this flag is set to ON or TRUE, a file is updated which contains a record of START and STOP packets received from the Network Access Server (NAS). The log filename is /var/radius/data/accounting.


Debug Level

Select the number that identifies the debug level. Valid values are 0, 3, and 9. Errors are logged to syslog. The default is 3. Output is directed to the location specified by the *.debug stanza in the /etc/syslog.conf file.

Each higher level increases the number of messages sent to syslog. For example, level 9 includes the messages added at level 9 plus all messages generated at levels 0 and 3.


Accept Reply-Message

Specify the text to be returned from the RADIUS server to the client in an Access Accept message. The maximum number of characters is 256.


Reject Reply-Message

Specify the text to be returned from the RADIUS server to the client in an Access Reject message. The maximum number of characters is 256.


Challenge Reply-Message

Specify the text to be returned from the RADIUS server to the client in a Challenge Reply message. The maximum number of characters is 256.


Password Expired Reply-Message

Specify the text to be returned from the RADIUS server to the client in a Password Expiration message. The maximum number of characters is 256.


Support Renewal of Expired Passwords

Select YES to renew expired passwords. This option allows users to update their expired passwords using the RADIUS protocol. The NAS hardware must support Access-Password-Request packets. Select NO to turn off password expiration checking.


Require Message Authenticator

The Message Authenticator is a RADIUS attribute that contains a checksum of the packet combined with the shared secret. Select YES to require message authentication. If the YES option is chosen and the message authenticator attribute is not present in the Access-Request packet, the packet is discarded. Select NO to turn off message authentication.
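The check described above, as an added example that is not part of the SMIT help or of the AIX radiusd code: the page calls the Message-Authenticator a checksum over the packet combined with the shared secret; the computation implemented here is the one RFC 2869 defines for attribute type 80, an HMAC-MD5 keyed with the shared secret over the packet with the attribute's 16 value octets zeroed. The shared secret, user name and Request Authenticator are constructed sample values. The `require` flag mirrors the YES/NO setting: with YES a packet lacking the attribute is discarded, with NO it is accepted unchecked.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1                # RADIUS Code for Access-Request
ATTR_USER_NAME = 1                # attribute type 1
ATTR_MESSAGE_AUTHENTICATOR = 80   # attribute type 80 (RFC 2869)
HEADER_LEN = 20                   # Code, Identifier, Length, Request Authenticator


def encode_attributes(attrs):
    """Encode a list of (type, value_bytes) as RADIUS Type-Length-Value triples."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request_without_ma(identifier, attrs, authenticator):
    """What a NAS that does not send a Message-Authenticator emits (constructed)."""
    body = encode_attributes(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body)) + authenticator + body


def build_access_request(identifier, attrs, secret, authenticator=None):
    """Build an Access-Request carrying a correct Message-Authenticator.

    attrs is a list of (type, value_bytes); this function appends the
    Message-Authenticator itself, so callers must not include one.
    """
    authenticator = authenticator or os.urandom(16)
    # the attribute value is all zeros while the HMAC is computed
    body = encode_attributes(attrs) + struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body)) + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    # replace the zeroed placeholder (the last 16 octets) with the real MAC
    return packet[:-16] + mac


def parse_attributes(packet):
    """Return [(type, value, offset_of_value)] or raise ValueError if malformed."""
    out, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        out.append((t, packet[pos + 2:pos + length], pos + 2))
        pos += length
    return out


def verify_message_authenticator(packet, secret, require=True):
    """True if the packet's Message-Authenticator is valid.

    require=True corresponds to 'Require Message Authenticator = YES': a packet
    without the attribute is rejected. require=False accepts such packets.
    """
    if len(packet) < HEADER_LEN:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < HEADER_LEN or length > len(packet):
        return False
    packet = packet[:length]          # octets beyond Length are ignored
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    found = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not found:
        return not require
    value, off = found[0]
    if len(value) != 16:
        return False
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    # constant-time comparison so a forged MAC cannot be distinguished by timing
    return hmac.compare_digest(expected, value)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"       # constructed sample value
    pkt = build_access_request(7, [(ATTR_USER_NAME, b"alice")], secret)
    print("valid:", verify_message_authenticator(pkt, secret))
    print("wrong secret:", verify_message_authenticator(pkt, b"other-secret"))
```

A practical consequence worth noting: because the HMAC covers the whole packet, any change to another attribute (the User-Name, for instance) invalidates the Message-Authenticator, which is why requiring it on Access-Request packets is the safer setting when the NAS supports it.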


Authentication Port Number

Type the authentication TCP port number for the port or ports on which the authentication servers will listen. If the field is blank, an authentication daemon will not be started. You can specify more than one port number. Separate each value with a comma (,).

The port number must be a numeric value, like "7777". In this case, a server daemon will listen on "7777". This port number must be different from the Accounting Port Number. There is no check for port conflicts. If another process is currently running on the specified port, the daemon will not run. Be sure to check the syslog output to ensure that all servers start without incident.


Accounting Port Number

Type the accounting port number for the port or ports on which the servers will listen. If local accounting is turned on, this information is required. If the field is blank, an accounting daemon will not be started. The value field may contain more than one value. Separate each value with a comma (,).

The port number must be a numeric value, like "7777". In this case, a server daemon will listen on "7777". This port number must be different from the Authentication Port Number. There is no check for port conflicts. If another process is currently running on the specified port, the daemon will not run. Be sure to check the syslog output to ensure that all servers start without incident.
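Because the server performs no port-conflict check, a pre-flight validation of the two port fields is worth running before the daemons are started. The following is an added example, not SMIT or radiusd code: it parses the comma-separated fields as the page describes (numeric values, blank field means no daemon), rejects values shared between the authentication and accounting lists, flags Local Accounting ON with no accounting port, and can probe whether a port is already held. The probe binds a UDP socket because RFC 2865 specifies UDP as the RADIUS transport; the port values used in the stand-alone run are constructed samples.

```python
import socket


def parse_port_list(field):
    """Parse a comma-separated port field into a list of ints.

    A blank field yields [] (no daemon is started, as the page states).
    Raises ValueError for a non-numeric entry or a port outside 1-65535.
    """
    field = field.strip()
    if not field:
        return []
    ports = []
    for item in field.split(","):
        item = item.strip()
        if not (item.isascii() and item.isdigit()):
            raise ValueError(f"port {item!r} is not numeric")
        port = int(item)
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} is out of range")
        ports.append(port)
    return ports


def check_port_plan(auth_field, acct_field, local_accounting):
    """Return a list of problems with the two port fields; [] means none found."""
    problems, lists = [], {}
    for name, field in (("authentication", auth_field), ("accounting", acct_field)):
        try:
            lists[name] = parse_port_list(field)
        except ValueError as exc:
            problems.append(f"{name} ports: {exc}")
            lists[name] = []
        if len(set(lists[name])) != len(lists[name]):
            problems.append(f"{name} ports: duplicate value in list")
    if local_accounting and not lists["accounting"]:
        problems.append("Local Accounting is ON but no Accounting Port Number is set")
    shared = sorted(set(lists["authentication"]) & set(lists["accounting"]))
    if shared:
        problems.append(f"ports {shared} appear in both the authentication and accounting lists")
    return problems


def udp_port_is_free(port, host="0.0.0.0"):
    """True if a UDP socket can be bound to the port right now.

    This is the conflict check the server itself does not perform; it is only
    a snapshot, so still confirm the daemons started in the syslog output.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        try:
            sock.bind((host, port))
        except OSError:
            return False
    return True


if __name__ == "__main__":
    auth, acct = "1812, 7777", "1813"          # constructed sample fields
    for problem in check_port_plan(auth, acct, local_accounting=True):
        print("problem:", problem)
    for port in parse_port_list(auth) + parse_port_list(acct):
        print(port, "free" if udp_port_is_free(port) else "in use")
```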


LDAP Server Name

Type the fully-qualified host name of the LDAP Version 3 server that is used to access directory services on a network. This is used when the Database_Location is configured as "LDAP". User information is added to the LDAP directory that is stored on this server.


LDAP Server Port Number

Type the TCP port number for the LDAP server. Lightweight Directory Access Protocol (LDAP) is a protocol used to access directory services on a network. RADIUS user information can be saved in LDAP. The standard port number is 389.


LDAP Server Admin Distinguished Name

Type the User ID that has administrator permission to connect to the remote (LDAP) database. This is the LDAP administrator's Distinguished Name (DN).


LDAP Server Admin Password

Type the password associated with the LDAP administrator's Distinguished Name (DN). A more secure password contains:


LDAP Server Base Distinguished Name

Type the name of the LDAP server base distinguished name where searches will start. For example, cn=root. You can type a maximum of 256 characters.


LDAP Size Limit

Type the size limit. This is the number of entries that the LDAP server will return on a search.


LDAP Hop Limit

Type the LDAP hop limit. This is the maximum number of LDAP referrals that the server will follow in a sequence before stopping.


LDAP wait time limit

Type the LDAP wait time limit. This is the number of seconds the RADIUS server will wait for a response from the LDAP server. If the LDAP server retrieves large amounts of data (for example, 10,000 user IDs), this time limit needs to be increased.


LDAP debug level

If the value is zero (0), no debug information is logged. If the value is 1, debug information is logged.


Proxy allowed

Indicates whether to allow the RADIUS server to proxy packets to another server. If you select ON, the server can proxy packets to realms that it knows, and the following fields must also be configured: Proxy Use Table, Proxy Realm Name, Proxy Prefix Delimiters, Proxy Suffix Delimiters, Proxy Remove Hops, Proxy Retry Count, and Proxy Timeout. You must also configure proxy addresses in the /etc/radius/proxy file.


Proxy Use table

Indicates whether the server uses a proxy table. ON allows the server to use the "Proxy Table" for faster processing of duplicate requests. You can set the "Proxy Table" to ON without Proxy Allowed set to ON, but the "Proxy Table" must be ON if Proxy Allowed is set to ON.


Proxy Realm Name

Type the realm name that this server will process. The realm name is the text placed before or after the user ID that identifies a RADIUS proxy server to other Remote Authentication Dial-In User Service (RADIUS) servers. The realm name, next hop IP address and shared secret are stored in the /etc/radius/proxy file. The name can contain up to twelve characters. If proxy capabilities are turned on, the User-Name attribute is checked for this realm name. When proxying RADIUS packets, the realm name is part of the User-Name attribute/value pair, such as user_id@AUSTIN@TEXAS, where AUSTIN and TEXAS are two separate realms. The name needs to be unique in the proxy chain, so the system administrator must take care when configuring the proxy hops, because the hops are directly related to the realm names.


Proxy Prefix Delimiters

Type the proxy prefix delimiters. This is a list of separators for parsing realm names added to the beginning of the User-Name. This list must be mutually exclusive of the Suffix delimiters. Do not separate the delimiters with spaces. For example, "$/". If proxy is enabled, the User-Name attribute is checked for the delimiters that separate the realm name.


Proxy Suffix Delimiters

Type the proxy suffix delimiters. This is a list of separators for parsing realm names added to the end of the User-Name attribute. This list must be mutually exclusive of the prefix delimiters. Do not separate the delimiters with spaces. For example, "@."


Proxy Remove Hops

Indicates whether to remove proxy hop realm names. YES removes the realm name, the realm names of any previous hops, and the realm name of the next server to which the packet will proxy.
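The realm handling described under Proxy Realm Name, Proxy Prefix Delimiters, Proxy Suffix Delimiters and Proxy Remove Hops, worked through as an added example that is not the AIX radiusd implementation. It uses the page's delimiter examples ("$/" for prefixes, "@." for suffixes) and its sample User-Name user_id@AUSTIN@TEXAS. The proxy table is a constructed dict standing in for the realm-to-next-hop mapping the page says lives in /etc/radius/proxy (the file's real format is not shown on the page). One routing rule is an assumption made for this example: the outermost realm that is not the local realm selects the next hop, and a foreign realm with no proxy rule is an error rather than a guess.

```python
PREFIX_DELIMITERS = "$/"   # Proxy Prefix Delimiters, from the page's example
SUFFIX_DELIMITERS = "@."   # Proxy Suffix Delimiters, from the page's example


def delimiters_are_valid(prefix_delims, suffix_delims):
    """The page requires the two lists to be mutually exclusive and space-free."""
    if " " in prefix_delims or " " in suffix_delims:
        return False
    return not (set(prefix_delims) & set(suffix_delims))


def split_user_name(user_name, prefix_delims=PREFIX_DELIMITERS, suffix_delims=SUFFIX_DELIMITERS):
    """Split a User-Name into (user_id, prefix_realms, suffix_realms).

    Both realm lists run from the realm nearest the user ID outwards, so
    'user_id@AUSTIN@TEXAS' gives suffix realms ['AUSTIN', 'TEXAS'].
    Note that with '.' configured as a suffix delimiter, a dot inside a
    user ID is also treated as a realm separator; choose delimiters with that in mind.
    """
    if not delimiters_are_valid(prefix_delims, suffix_delims):
        raise ValueError("prefix and suffix delimiter lists must be disjoint and contain no spaces")
    rest, prefix_realms = user_name, []
    while True:                                    # peel realms off the front
        hits = [i for i, ch in enumerate(rest) if ch in prefix_delims]
        if not hits:
            break
        prefix_realms.append(rest[:hits[0]])
        rest = rest[hits[0] + 1:]
    suffix_realms = []
    while True:                                    # peel realms off the end
        hits = [i for i, ch in enumerate(rest) if ch in suffix_delims]
        if not hits:
            break
        suffix_realms.append(rest[hits[-1] + 1:])
        rest = rest[:hits[-1]]
    # both lists were collected outermost-first; reverse to nearest-first
    return rest, prefix_realms[::-1], suffix_realms[::-1]


def route(user_name, local_realm, proxy_table):
    """Decide where an Access-Request goes: ('local', None) or ('proxy', next_hop_ip).

    proxy_table maps realm name -> next hop IP (constructed stand-in for the
    /etc/radius/proxy entries). Assumption for this example: the outermost
    non-local realm decides the hop.
    """
    user_id, prefix_realms, suffix_realms = split_user_name(user_name)
    if not user_id:
        raise ValueError("User-Name has no user ID part")
    for realm in reversed(prefix_realms + suffix_realms):   # outermost first
        if realm == local_realm:
            continue
        if realm in proxy_table:
            return "proxy", proxy_table[realm]
        raise LookupError(f"no proxy rule for realm {realm!r}")
    return "local", None


def strip_realms(user_name):
    """Proxy Remove Hops = YES: forward only the bare user ID."""
    return split_user_name(user_name)[0]


if __name__ == "__main__":
    table = {"TEXAS": "192.0.2.10"}                 # constructed sample rule
    print(split_user_name("user_id@AUSTIN@TEXAS"))
    print(route("user_id@AUSTIN@TEXAS", "AUSTIN", table))
    print(strip_realms("user_id@AUSTIN@TEXAS"))
```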


Proxy Retry Count

Type the number that indicates how many times the proxy should attempt to send the request packet. The default is two times. Depending on network conditions, the retry count can be increased.


Proxy Timeout

Type the number of seconds to wait in between send attempts. The default is thirty seconds.


List All Clients

Displays a list of the RADIUS clients that are already configured to the RADIUS server.


Add a Client

Create a client for the Remote Authentication Dial-In User Service (RADIUS) server.


Change or Show Characteristics of a Client

Displays characteristics of an existing client. You can make any necessary changes to the displayed characteristics.


Remove a Client

Removes a client from the list of clients used by the RADIUS server. If you remove a client, the RADIUS server cannot process authentication or accounting requests from the client.


Client IP Address

Type the Internet address of the client that you want to add to the list of clients that will be sending packets to the RADIUS server. Use dotted decimal form. For example, 101.64.2.1. Each client must have a unique Internet address. This is the IP address of the hardware client.


Shared Secret

Type the shared secret. The shared secret must be configured on the NAS hardware and be known to the RADIUS server. Shared secrets are effective first lines of defense against unauthorized entry into a system. Suggestions for a proper shared secret are as follows:


Client IP Address (dotted decimal)

Type the Internet address of the client that you want to add to the list of clients. Use dotted decimal form. For example, 101.64.2.1. Each client must have a unique Internet address.


UNIX

Select UNIX to configure the user information for a user who will authenticate to a RADIUS server through a UNIX database.


Local Database

Select Local Database to configure the user information for a user who will authenticate to a RADIUS server through a local database. If you select Local Database, the access requests are authenticated against user IDs stored in a local database file. This file is /etc/radius/dbdata.bin and is administered through the raddbm command. The benefit of the local database is that it is fast.


LDAP Directory

Select LDAP Directory to configure the user information for a user who will authenticate to a RADIUS server from an LDAP directory. If you select LDAP Directory, the access requests are authenticated against user IDs stored in the RADIUS LDAP schema. The benefit of LDAP is that the user ID information is centralized and can be administered more easily on large networks.


List All Users

Displays a list of the users that already exist on the UNIX system. This list displays all defined UNIX users regardless of whether they are RADIUS users.


Add Authorization Policy

Creates an authorization policy for a user. A user's authorization policy is checked on each access request. If the user's policy does not exactly match the attributes on the incoming packet, authentication is rejected. An editor is opened so that you can change the userid.policy file. After you make the necessary changes, you must save the file before you close the editor. Authorization policies are optional.


Add Authorization Attributes

Opens an editor where you can create an authorization attribute file for a user. An authorization file contains RADIUS attribute/value pairs that are returned to the client in an access accept packet. The attributes are combined with any attributes found in the RADIUS default attributes file. Any overlap of attributes is overridden by the user's values. Authorization attributes for users are optional.


Change or Show Authorization Policy

This action brings you to an editor where the authorization attributes previously defined for a user are displayed. Make any necessary changes to the file and save it. A user's authorization policy is checked on each access request.


Change or Show Authorization Attributes

Opens an editor where you can view the contents of an authorization attribute file for a user or make changes to the contents. An authorization file contains RADIUS attribute/value pairs that are returned to the client in an access accept packet. The attributes are combined with any attributes found in the system-wide default attributes file. Any overlap is overridden by the user's values. Authorization attributes for users are optional.


List All Users

Display the RADIUS users that already exist on the system.


Add a User

Create a user account with the user name and other attributes that you specify. You will be prompted to enter the password. A more secure password contains:


Change a User's Password

Provides a list of user IDs. Select the user ID for which you want to change the password. Then, type the new password twice. A password is a string of characters used to gain access to the network. It is usually sent in an Access-Accept packet for authentication. A more secure password contains:


Change or Show Characteristics of a user

Shows the attributes for a specific user. If you have the correct access privilege, you can change attribute values for the specific user.


Remove a User

Remove a user account from the RADIUS system.


Clear Active LDAP User Login

Displays a list of Lightweight Directory Access Protocol (LDAP) directory user IDs that are defined to the RADIUS server. You can select the user ID that you want to disconnect from the RADIUS Server and clear the LDAP directory objects. This action is usually done when the authentication information is out of sync with the accounting information.


Clear All Active LDAP User Logins

Disconnect and clear the LDAP directory of all user IDs currently logged in to the RADIUS server. This action is usually done when the authentication information is out of sync with the accounting information.


List All Rules

Displays a list of all the proxy rules for the RADIUS server.


Add a Proxy

Adds a proxy and establishes the information for the proxy services.


Change or Show Characteristics of a Proxy

Displays the rules for the proxy. You can make any necessary changes to the displayed characteristics.


Remove a Proxy

Deletes a proxy from the Remote Authentication Dial-In User Service (RADIUS) server. The proxy and its rules cannot be restored. You can add the proxy back again and establish its information again.


Next Hop IP Address (dotted decimal)

Type the next hop IP address. This is the IP address to which the packet will be forwarded.


Configure Default Authorization Policy

Provides options for configuring the default authorization policy. Opens an editor where you enter attribute-value pairs. The attribute-value pairs are checked on each incoming packet.


Configure Default Authorization Attributes

Configure the default authorization attributes. Opens an editor where you enter attribute-value pairs. The attribute-value pairs are returned on each outgoing ACCEPT packet.
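The two mechanisms described here and under the per-user Add/Change Authorization Policy and Authorization Attributes entries, combined in one added example that is not the AIX radiusd code: the default policy and the user's policy must each match the incoming packet exactly, attribute for attribute, or the request is rejected; on acceptance the reply attributes are the system-wide defaults merged with the user's attributes, the user's values winning on any overlap. The attribute-value pairs are plain dicts because the page does not show the on-disk format of the policy or attribute files; all names and values in them are constructed samples.

```python
# Constructed stand-ins for the system-wide default files and two users' files.
DEFAULT_POLICY = {"NAS-Port-Type": "Async"}
DEFAULT_ATTRIBUTES = {"Session-Timeout": "3600", "Framed-Protocol": "PPP"}
USER_POLICIES = {"alice": {"Calling-Station-Id": "5125551234"}}
USER_ATTRIBUTES = {"alice": {"Session-Timeout": "7200", "Framed-IP-Address": "198.51.100.7"}}


def policy_matches(policy, request_attrs):
    """Every attribute-value pair in the policy must appear in the request with that exact value."""
    return all(request_attrs.get(attr) == value for attr, value in policy.items())


def authorize(user, request_attrs, default_policy=DEFAULT_POLICY,
              user_policies=USER_POLICIES, default_attributes=DEFAULT_ATTRIBUTES,
              user_attributes=USER_ATTRIBUTES):
    """Return ('reject', reason) or ('accept', reply_attributes).

    Both policies are optional: an empty policy matches every packet.
    """
    checks = (("default", default_policy), ("user", user_policies.get(user, {})))
    for name, policy in checks:
        if not policy_matches(policy, request_attrs):
            missing = sorted(a for a, v in policy.items() if request_attrs.get(a) != v)
            return "reject", f"{name} authorization policy not matched on {missing}"
    reply = dict(default_attributes)
    reply.update(user_attributes.get(user, {}))   # user's values override overlapping defaults
    return "accept", reply


if __name__ == "__main__":
    request = {"NAS-Port-Type": "Async", "Calling-Station-Id": "5125551234"}  # constructed
    print(authorize("alice", request))
    print(authorize("alice", {"NAS-Port-Type": "Ethernet", "Calling-Station-Id": "5125551234"}))
```

The merge order matters: if a default attribute such as Session-Timeout is meant as a ceiling rather than a fallback, a per-user value silently replaces it, so review the user attribute files with the same care as the default file.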


Login User ID

Type a unique string of characters for the user ID. You must type at least 2 characters, but you cannot type more than 256 characters. Spaces and special characters are not allowed.


EAP Type

Indicates whether the EAP Type should be None or MD5-challenge. The default is "none". Extensible Authentication Protocol (EAP) is a general protocol for Point-to-Point Protocol (PPP) authentication that supports multiple authentication mechanisms. RADIUS provides support for EAP through the following attributes: EAP-Message and Message-Authenticator. The EAP-Message attribute is a RADIUS wrapper attribute that encapsulates an EAP packet and allows clients to pass the EAP packets directly to RADIUS servers without having to understand EAP authentication or how to parse EAP data packets. In the reverse direction, clients can forward EAP responses from RADIUS servers.


Password MAX. Age

The age in weeks that a password can reach before expiring. You can specify a maximum of 52 weeks. The default age is zero weeks. If the age is zero, the user's password is not checked for expiration.


Maximum allowed login times

Select the number of times a user ID can attempt to log in to the Remote Authentication Dial-In User Service (RADIUS) server without being rejected. The maximum number of times you can choose is 5.


Type

The type indicates whether to process EAP authentication type packets. Select to indicate None or MD5-challenge. If none is selected, the RADIUS server does not process EAP authentication type packets. If MD5-challenge is selected, the RADIUS Server uses the MD5 algorithm to authenticate the user information. The default is None.


RADIUS Server

A Remote Authentication Dial-in User Service (RADIUS) Server provides centralized network authentication, authorization, and accounting services. RADIUS is a communications protocol that is based on Internet Engineering Task Force (IETF) standards. A RADIUS server: