"Note: The information contained in this article is structured as help information for the System Management Interface Tool (SMIT) and is not intended for use as a procedural or conceptual article."
Specify the parameters to be used for a Remote Authentication Dial-In User Service (RADIUS) Server. This action allows you to change the way the RADIUS server operates. The values are written to the RADIUS configuration file, /etc/radius/radiusd.conf.
Provides a menu that allows you to:
This information is stored in the /etc/radius/clients file. This file contains sensitive security information. Precautions should be taken to secure access to this file.
Provides a menu that allows you to add or modify network users that will be authenticated on the network. Users can be defined in the UNIX database, local low-end database, or in LDAP.
Provides a menu that allows you to add or modify proxy rules. Proxy rules determine whether the RADIUS access request is processed by the local RADIUS server or sent to another RADIUS server on the network.
Allows you to configure system-wide RADIUS server authorization policies and attributes.
Start the Remote Authentication Dial-In User Service (RADIUS) server daemons. This option starts the authentication and accounting activities between the server and the clients.
Stop the Remote Authentication Dial-In User Service (RADIUS) server daemons. This option stops the authentication and accounting activities between the server and the clients.
The path of the Remote Authentication Dial-In User Service (RADIUS) directory. This is the path to the directory where the RADIUS daemon configuration files are stored. The default is /etc/radius.
Select the type of server on which to store the user information:
This is the default. Access requests are authenticated against user IDs stored in the UNIX database. For example, /etc/passwd.
Access requests are authenticated against user IDs stored in a local database file. This file is /etc/radius/dbdata.bin and is administered through the raddbm command. The benefit of the local database is that it is fast.
Access requests are authenticated against user IDs stored in the RADIUS LDAP schema. The benefit of LDAP is that the user ID information is centralized and can be administered more easily on large networks.
Type the file name and extension of the local database file. For example: dbdata.bin. This is used when the Database_Location is configured as "local".
Turn local accounting on or off. Accounting information is only saved when local accounting is turned on. When this flag is set to ON or TRUE, a file is updated which contains a record of START and STOP packets received from the Network Access Server (NAS). The log filename is /var/radius/data/accounting.
Select the number that identifies the debug level. Valid values are 0, 3, and 9. Errors are logged to syslog. The default is 3. Output is directed to the location specified by the *.debug stanza in the /etc/syslog.conf file.
Each higher level adds messages to those of the lower levels. For example, level 9 logs its own messages plus all messages generated at levels 0 and 3.
Provides the minimal output to the syslogd log. It logs start up and end messages for each RADIUS process. It also logs error conditions.
Includes general ACCESS ACCEPT, REJECT and DISCARD messages for each packet. This level provides a general audit trail for authentication.
Provides the maximum amount of log data including specific values of attributes while a transaction is passing through processing and more. This setting is not recommended under normal operations.
Specify the text to be returned from the RADIUS server to the client in an Access Accept message. The maximum number of characters is 256.
Specify the text to be returned from the RADIUS server to the client in an Access Reject message. The maximum number of characters is 256.
Specify the text to be returned from the RADIUS server to the client in a Challenge Reply message. The maximum number of characters is 256.
Specify the text to be returned from the RADIUS server to the client in a Password Expiration message. The maximum number of characters is 256.
Select YES to renew expired passwords. This option allows users to update their expired passwords using the RADIUS protocol. The NAS hardware must support Access-Password-Request packets. Select NO to turn off password expiration checking.
The Message Authenticator is a RADIUS attribute that contains a checksum of the packet combined with the shared secret. Select YES to require message authentication. If the YES option is chosen and the message authenticator attribute is not present in the Access-Request packet, the packet is discarded. Select NO to turn off message authentication.
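The attribute described above is defined in RFC 2869 as an HMAC-MD5 keyed with the shared secret over the entire Access-Request, computed with the 16-byte attribute value zeroed. The following is an added example, not code from the SMIT help text or from the AIX radiusd implementation, showing how a server-side check behaves under the YES and NO settings: a packet with a valid authenticator is accepted, a packet whose authenticator does not verify is discarded, and a packet without the attribute is discarded only when the check is required. The shared secret, identifier and attribute values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed sample secret for the demonstration; a real deployment keeps its
# own secret in /etc/radius/clients and never reuses a value like this.
SHARED_SECRET = b"example-shared-secret"

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869 section 5.14


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: type(1) length(1) value."""
    out = bytearray()
    for atype, value in attrs:
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


def build_access_request(identifier, request_authenticator, attrs, secret):
    """Build an Access-Request carrying a correctly computed Message-Authenticator.

    The HMAC-MD5 is taken over the whole packet with the 16-byte attribute value
    set to zero; the result then replaces the zeroed placeholder.
    """
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = bytearray(header + request_authenticator + body)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def find_message_authenticator(packet):
    """Return (offset_of_value, value) for the attribute, or None if absent."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return None   # malformed attribute length; stop parsing
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            return pos + 2, bytes(packet[pos + 2:pos + 18])
        pos += alen
    return None


def check_access_request(packet, secret, require_message_authenticator=True):
    """Mirror the server setting: 'accept' hands the packet on to authentication,
    'discard' drops it. A missing attribute is discarded only when required;
    a present but invalid attribute is always discarded."""
    found = find_message_authenticator(packet)
    if found is None:
        return "discard" if require_message_authenticator else "accept"
    offset, received = found
    zeroed = bytearray(packet)
    zeroed[offset:offset + 16] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return "accept" if hmac.compare_digest(expected, received) else "discard"


def sample_request(secret=SHARED_SECRET):
    """Constructed Access-Request for user 'alice' from NAS 10.0.0.2."""
    attrs = [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 2]))]
    request_authenticator = bytes(range(16))   # fixed here; random in real traffic
    return build_access_request(7, request_authenticator, attrs, secret)


if __name__ == "__main__":
    pkt = sample_request()
    print("valid packet:", check_access_request(pkt, SHARED_SECRET))
    print("wrong secret:", check_access_request(pkt, b"other-secret"))
```

Because the HMAC covers the Request Authenticator and every attribute, a client that does not know the shared secret cannot forge or modify an Access-Request that passes this check, which is why requiring the attribute is the stronger setting when all NAS clients support it.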
Type the authentication TCP port number for the port or ports on which the authentication servers will listen. If the field is blank, an authentication daemon will not be started. You can specify more than one port number. Each value is REQUIRED to be separated by a comma (,).
The port number must be a numeric value, like "7777". In this case, a server daemon will listen on "7777". This port number must be different from the Accounting Port Number. There is no check for port conflicts. If another process is currently running on the specified port, the daemon will not run. Be sure to check the syslog output to ensure that all servers start without incident.
Type the accounting port number for the port or ports on which the servers will listen. If local accounting is turned on, this information is required. If the field is blank, an accounting daemon will not be started. The value field may contain more than one value. Each value is REQUIRED to be separated by a comma (,).
The port number must be a numeric value, like "7777". In this case, a server daemon will listen on "7777". This port number must be different from the Authentication Port Number. There is no check for port conflicts. If another process is currently running on the specified port, the daemon will not run. Be sure to check the syslog output to ensure that all servers start without incident.
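Since the server performs no port-conflict check itself, the checks a practitioner would want to run before starting the daemons can be scripted. The example below is added here and is not part of the SMIT help or of the AIX radiusd tooling: it parses the two comma-separated port fields exactly as the help text describes them (numeric values, blank meaning no daemon), reports duplicate and overlapping ports between the authentication and accounting lists, flags local accounting enabled without an accounting port, and optionally probes whether a port can still be bound. The probe binds UDP, the transport RADIUS uses (RFC 2865); the field values are constructed.

```python
import socket


def parse_port_list(field):
    """Parse a SMIT port field: comma-separated numeric values; blank means
    that no daemon will be started. Raises ValueError on bad input."""
    if field.strip() == "":
        return []
    ports = []
    for item in field.split(","):
        item = item.strip()
        if not item.isdigit():
            raise ValueError("port %r is not numeric" % item)
        port = int(item)
        if not 1 <= port <= 65535:
            raise ValueError("port %d is out of range" % port)
        ports.append(port)
    return ports


def check_port_plan(auth_field, acct_field, local_accounting):
    """Return a list of problem strings (empty when the plan is consistent)."""
    problems = []
    auth, acct = [], []
    try:
        auth = parse_port_list(auth_field)
    except ValueError as exc:
        problems.append("authentication field: %s" % exc)
    try:
        acct = parse_port_list(acct_field)
    except ValueError as exc:
        problems.append("accounting field: %s" % exc)

    if len(set(auth)) != len(auth):
        problems.append("duplicate port in authentication list")
    if len(set(acct)) != len(acct):
        problems.append("duplicate port in accounting list")
    for port in sorted(set(auth) & set(acct)):
        problems.append("conflict: port %d is in both lists" % port)
    if local_accounting and not acct and "accounting field" not in " ".join(problems):
        problems.append("local accounting is ON but no accounting port is configured")
    if not auth and "authentication field" not in " ".join(problems):
        problems.append("no authentication port: no authentication daemon will start")
    return problems


def port_is_free(port, host="127.0.0.1"):
    """Probe whether a UDP port can currently be bound on this host.
    This is the pre-flight check radiusd does not perform for you."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return True
    except OSError:
        return False
    finally:
        sock.close()


if __name__ == "__main__":
    # Constructed field values as they might be typed into the SMIT panels.
    for auth_field, acct_field in [("1812", "1813"), ("1812, 1645", "1812"), ("1812", "")]:
        print(repr(auth_field), repr(acct_field), check_port_plan(auth_field, acct_field, True))
    for port in parse_port_list("1812, 1813"):
        print("port", port, "free" if port_is_free(port) else "in use")
```

Run this before starting the daemons; a non-empty result means the syslog output would show a failed start, which the help text tells you to look for after the fact.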
Type the fully-qualified host name of the LDAP Version 3 server that is used to access directory services on a network. This is used when the Database_Location is configured as "LDAP". User information is added to the LDAP directory that is stored on this server.
Type the TCP port number for the LDAP server. Lightweight Directory Access Protocol (LDAP) is a protocol used to access directory services on a network. RADIUS user information can be saved in LDAP. The standard port number is 389.
Type the User ID that has administrator permission to connect to the remote (LDAP) database. This is the LDAP administrator's Distinguished Name (DN).
Type the password associated with the LDAP administrator's Distinguished Name (DN). A more secure password contains:
Type the base distinguished name (DN) on the LDAP server where searches will start. For example, cn=root. You can type a maximum of 256 characters.
Type the size limit. This is the number of entries that the LDAP server will return on a search.
Type the LDAP hop limit. This is the maximum number of LDAP referrals that the server will follow in a sequence before stopping.
Type the LDAP wait time limit. This is the number of seconds the RADIUS server will wait for a response from the LDAP server. If the LDAP server retrieves large amounts of data (for example, 10,000 user IDs), this time limit needs to be increased.
If the value is zero (0), no debug information is logged. If the value is 1, debug information is logged.
Indicates whether to allow the RADIUS server to proxy packets to another server. If you select ON, the server can proxy packets to realms that it knows. If you select ON, the following fields must also be configured: Proxy Use Table, Proxy Realm Name, Proxy Prefix Delimiters, Proxy Suffix Delimiters, Proxy Remove Hops, Proxy Retry Count, and Proxy Timeout. You must also configure proxy addresses in the /etc/radius/proxy file.
Indicates whether the server uses a proxy table. ON allows the server to use the "Proxy Table" for faster processing of duplicate requests. The "Proxy Table" can be ON while Proxy Allowed is OFF, but it must be ON whenever Proxy Allowed is set to ON.
Type the realm name that this server will process. The realm name is the text placed before or after the user ID that identifies a RADIUS proxy server to other Remote Authentication Dial-In User Service (RADIUS) servers. The realm name, next hop IP address and shared secret are stored in the /etc/radius/proxy file. The name can contain up to twelve characters. If proxy capabilities are turned on, the User-Name attribute is checked for this realm name. When proxying RADIUS packets, the realm name is part of the User-Name attribute/value pair, such as user_id@AUSTIN@TEXAS, where AUSTIN and TEXAS are 2 separate realms. The name needs to be unique in the proxy chain, so the system administrator must take care when configuring the proxy hops, because the hops are directly related to the realm names.
Type the proxy prefix delimiters. This is a list of separators for parsing realm names added to the beginning of the User-Name. This list must be mutually exclusive of the Suffix delimiters. Do not separate the delimiters with spaces. For example, "$/". If proxy is enabled, the User-Name attribute is checked for the delimiters that separate the realm name.
Type the proxy suffix delimiters. This is a list of separators for parsing realm names added to the end of the User-Name attribute. This list must be mutually exclusive of the prefix delimiters. Do not separate the delimiters with spaces. For example, "@.".
Indicates whether to remove proxy hop realm names. YES removes the realm name, the realm names of any previous hops, and the realm name of the next server to which the packet will proxy.
Type the number that indicates how many times the proxy should attempt to send the request packet. The default is two times. Depending on network conditions, the retry count can be increased.
Type the number of seconds to wait in between send attempts. The default is thirty seconds.
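The realm name, delimiter and remove-hops fields above together determine how a User-Name such as user_id@AUSTIN@TEXAS is taken apart and where the request goes. The following is an added example, not the SMIT help's or the AIX radiusd implementation's own code, that parses realms out of a User-Name with the prefix and suffix delimiter lists from the help text (enforcing that the two lists are mutually exclusive) and decides whether the request is processed locally or forwarded to the next hop from a proxy table. The proxy table, realm names and addresses are constructed. The help text does not spell out every routing rule, so these are assumptions made here: the outermost realm is compared with this server's realm name first, a matching realm is consumed and the name re-examined, a different realm present in the proxy table is forwarded, any other realm is rejected locally, and with remove hops on the forwarded User-Name keeps only the part inside the next hop's realm.

```python
def validate_delimiters(prefix_delims, suffix_delims):
    """The help text requires the two delimiter lists to be mutually exclusive."""
    overlap = set(prefix_delims) & set(suffix_delims)
    if overlap:
        raise ValueError("delimiter in both lists: %s" % sorted(overlap))


def split_realms(user_name, prefix_delims, suffix_delims):
    """Return (user_id, realms); realms are (name, side, delim) tuples ordered
    outermost first. Suffix realms (user@REALM) are peeled from the right,
    prefix realms (REALM$user) from the left. Assumption: suffix realms are
    treated as outer to prefix realms when both are present. A delimiter
    with nothing beyond it is left in place rather than yielding an empty realm."""
    validate_delimiters(prefix_delims, suffix_delims)
    rest, realms = user_name, []
    while suffix_delims:
        idx = max(rest.rfind(d) for d in suffix_delims)
        if idx <= 0 or idx == len(rest) - 1:
            break
        realms.append((rest[idx + 1:], "suffix", rest[idx]))
        rest = rest[:idx]
    while prefix_delims:
        hits = [rest.find(d) for d in prefix_delims if d in rest]
        idx = min(hits) if hits else -1
        if idx <= 0 or idx == len(rest) - 1:
            break
        realms.append((rest[:idx], "prefix", rest[idx]))
        rest = rest[idx + 1:]
    return rest, realms


def rebuild_user_name(user_id, realms):
    """Inverse of split_realms: reattach realms innermost first."""
    name = user_id
    for realm, side, delim in reversed(realms):
        name = name + delim + realm if side == "suffix" else realm + delim + name
    return name


# Constructed stand-in for /etc/radius/proxy: realm -> (next hop IP, shared secret).
# Addresses are documentation addresses; secrets are placeholders.
PROXY_TABLE = {
    "TEXAS": ("192.0.2.10", "placeholder-secret-texas"),
    "AUSTIN": ("192.0.2.20", "placeholder-secret-austin"),
}


def route_request(user_name, local_realm, proxy_table, prefix_delims, suffix_delims,
                  remove_hops=True, retry_count=2, timeout_seconds=30):
    """Decide local processing versus proxying (assumed semantics, see lead-in).
    retry_count and timeout_seconds default to the help text's values."""
    user_id, realms = split_realms(user_name, prefix_delims, suffix_delims)
    while realms and realms[0][0] == local_realm:
        realms = realms[1:]          # this server's own realm: consume it
    if not realms:
        return {"action": "local", "user_name": user_id if remove_hops else user_name}
    outer = realms[0][0]
    if outer not in proxy_table:
        return {"action": "reject", "reason": "unknown realm %s" % outer}
    next_hop, _secret = proxy_table[outer]
    forwarded = rebuild_user_name(user_id, realms[1:]) if remove_hops else user_name
    return {"action": "proxy", "next_hop": next_hop, "user_name": forwarded,
            "retry_count": retry_count, "timeout_seconds": timeout_seconds}


if __name__ == "__main__":
    for name in ("user_id@AUSTIN@TEXAS", "user_id@AUSTIN", "OHIO$user_id", "user_id"):
        print(name, "->", route_request(name, "AUSTIN", PROXY_TABLE, "$/", "@."))
```

Note the parsing caveat the delimiter example "@." carries: any delimiter that can also occur inside a user ID (a dot in john.smith) will be read as a realm boundary, so choose delimiters that cannot appear in legitimate user IDs.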
Displays a list of the RADIUS clients that are already configured to the RADIUS server.
Create a client for the Remote Authentication Dial-In User Service (RADIUS) server.
Displays characteristics of an existing client. You can make any necessary changes to the displayed characteristics.
Removes a client from the list of clients used by the RADIUS server. If you remove a client, the RADIUS server cannot process authentication or accounting requests from the client.
Type the Internet address of the client that you want to add to the list of clients that will be sending packets to the RADIUS server. Use dotted decimal form. For example, 101.64.2.1. Each client must have a unique Internet address. This is the IP address of the hardware client.
Type the shared secret. The shared secret must be configured on the NAS hardware and be known to the RADIUS server. Shared secrets are effective first lines of defense against unauthorized entry into a system. Suggestions for a proper shared secret are as follows:
Type the Internet address of the client that you want to add to the list of clients. Use dotted decimal form. For example, 101.64.2.1. Each client must have a unique Internet address.
Select UNIX to configure the user information for a user who will authenticate to a RADIUS server through a UNIX database.
Select Local Database to configure the user information for a user who will authenticate to a RADIUS server through a local database. If you select Local Database, the access requests are authenticated against user IDs stored in a local database file. This file is /etc/radius/dbdata.bin and is administered through the raddbm command. The benefit of the local database is that it is fast.
Select LDAP Directory to configure the user information for a user who will authenticate to a RADIUS server from an LDAP directory. If you select LDAP Directory, the access requests are authenticated against user IDs stored in the RADIUS LDAP schema. The benefit of LDAP is that the user ID information is centralized and can be administered more easily on large networks.
Displays a list of the users that already exist on the UNIX system. This list displays all defined UNIX users regardless of whether they are RADIUS users.
Creates an authorization policy for a user. A user's authorization policy is checked on each access request. If the user's policy does not exactly match the attributes on the incoming packet, authentication is rejected. An editor is opened so that you can change the userid.policy file. After you make the necessary changes, you must save the file before you close the editor. Authorization policies are optional.
Opens an editor where you can create an authorization attribute file for a user. An authorization file contains RADIUS attribute/value pairs that are returned to the client in an access accept packet. The attributes are combined with any attributes found in the RADIUS default attributes file. Any overlap of attributes is overridden by the user's values. Authorization attributes for users are optional.
Opens an editor where the authorization policy previously defined for a user is displayed. Make any necessary changes to the file and save it. A user's authorization policy is checked on each access request.
Opens an editor where you can view the contents of an authorization attribute file for a user or make changes to the contents. An authorization file contains RADIUS attribute/value pairs that are returned to the client in an access accept packet. The attributes are combined with any attributes found in the system-wide default attributes file. Any overlap is overridden by the user's values. Authorization attributes for users are optional.
Display the RADIUS users that already exist on the system.
Create a user account with the user name and other attributes that you specify. You will be prompted to enter the password. A more secure password contains:
Provides a list of user IDs. Select the user ID for which you want to change the password. Then, type the new password twice. A password is a string of characters used to gain access to the network. It is usually sent in an Access-Accept packet for authentication. A more secure password contains:
Shows the attributes for a specific user. If you have the correct access privilege, you can change attribute values for the specific user.
Remove a user account from the RADIUS system.
Displays a list of Lightweight Directory Access Protocol (LDAP) directory user IDs that are defined to the RADIUS server. You can select the user ID that you want to disconnect from the RADIUS Server and clear the LDAP directory objects. This action is usually done when the authentication information is out of sync with the accounting information.
Disconnect and clear the LDAP directory of all user IDs currently logged in to the RADIUS server. This action is usually done when the authentication information is out of sync with the accounting information.
Displays a list of all the proxy rules for the RADIUS server.
Adds a proxy and establishes the information for the proxy services.
Displays the rules for the proxy. You can make any necessary changes to the displayed characteristics.
Deletes a proxy from the Remote Authentication Dial-In User Service (RADIUS) server. The proxy and its rules cannot be restored. You can add the proxy back again and establish its information again.
Type the next hop IP address. This is the IP address to which the packet will be forwarded.
Configures the default authorization policy. Opens an editor where you enter attribute-value pairs. The attribute-value pairs are checked on each incoming packet.
Configure the default authorization attributes. Opens an editor where you enter attribute-value pairs. The attribute-value pairs are returned on each outgoing ACCEPT packet.
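The user policy and attribute files described earlier, and the system-wide defaults just described, combine in two steps: every policy pair must match the incoming packet exactly or the request is rejected, and on acceptance the reply attributes are the defaults with any overlapping attribute overridden by the user's value. The example below is added here and is not the SMIT help's or AIX radiusd's own code; the file format it parses (one "Attribute = value" per line, "#" comments) is an assumption, since the help text only says "attribute-value pairs", and the sample file contents and request attributes are constructed.

```python
def parse_avp_file(text):
    """Parse an attribute-value file into an ordered list of (attribute, value).
    Assumed format: one 'Attribute = value' per line; '#' comments and blank
    lines are ignored. A line without '=' is an error rather than silently dropped."""
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError("line %d: expected 'Attribute = value', got %r" % (lineno, raw))
        attr, value = (part.strip() for part in line.split("=", 1))
        pairs.append((attr, value))
    return pairs


def policy_matches(policy_pairs, request_attrs):
    """Exact match as the help text requires: every policy attribute must be
    present in the request with exactly the policy's value."""
    return all(request_attrs.get(attr) == value for attr, value in policy_pairs)


def merge_reply_attributes(default_pairs, user_pairs):
    """Default attributes first, then the user's; user values override overlaps."""
    merged = dict(default_pairs)
    merged.update(dict(user_pairs))
    return merged


def authorize(request_attrs, default_policy, user_policy, default_attrs, user_attrs):
    """Apply the system-wide policy and the user's policy, then build the reply.
    Returns ('reject', None) or ('accept', reply_attributes)."""
    for policy in (default_policy, user_policy):
        if not policy_matches(policy, request_attrs):
            return "reject", None
    return "accept", merge_reply_attributes(default_attrs, user_attrs)


# Constructed sample file contents (stand-ins for the default and per-user files).
DEFAULT_POLICY = "NAS-Port-Type = Async\n"
USER_POLICY = "# alice may only arrive through one NAS\nNAS-IP-Address = 192.0.2.5\n"
DEFAULT_ATTRS = "Service-Type = Framed-User\nFramed-Protocol = PPP\nSession-Timeout = 3600\n"
USER_ATTRS = "Session-Timeout = 600   # user value overrides the default\nFramed-IP-Address = 192.0.2.100\n"


def authorize_from_files(request_attrs):
    """Convenience wrapper that parses the constructed files and authorizes."""
    return authorize(request_attrs,
                     parse_avp_file(DEFAULT_POLICY), parse_avp_file(USER_POLICY),
                     parse_avp_file(DEFAULT_ATTRS), parse_avp_file(USER_ATTRS))


if __name__ == "__main__":
    good = {"User-Name": "alice", "NAS-IP-Address": "192.0.2.5", "NAS-Port-Type": "Async"}
    other_nas = dict(good, **{"NAS-IP-Address": "192.0.2.9"})
    print(authorize_from_files(good))
    print(authorize_from_files(other_nas))
```

The merge uses a dictionary, so an attribute that legitimately appears several times in a reply (for example more than one Filter-Id) would be collapsed to one value; a production implementation needs a multi-valued structure for those.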
Type a unique string of characters for the user ID. You must type at least 2 characters, but you cannot type more than 256 characters. Spaces and special characters are not allowed.
Indicates whether the EAP Type should be None or MD5-challenge. The default is "none". Extensible Authentication Protocol (EAP) is a general protocol for Point-to-Point Protocol (PPP) authentication that supports multiple authentication mechanisms. RADIUS provides support for EAP through the following attributes: EAP-Message and Message-Authenticator. The EAP-Message attribute is a RADIUS wrapper attribute that encapsulates an EAP packet and allows clients to pass EAP packets directly to RADIUS servers without having to understand EAP authentication or how to parse EAP data packets. In the reverse direction, clients can forward EAP responses from RADIUS servers.
The age in weeks that a password can reach before expiring. You can specify a maximum of 52 weeks. The default age is zero weeks. If the age is zero, the user's password is not checked for expiration.
Select the number of times a user ID can attempt to log in to the Remote Authentication Dial-In User Service (RADIUS) server without being rejected. The maximum number of times you can choose is 5.
The type indicates whether to process EAP authentication type packets. Select to indicate None or MD5-challenge. If none is selected, the RADIUS server does not process EAP authentication type packets. If MD5-challenge is selected, the RADIUS Server uses the MD5 algorithm to authenticate the user information. The default is None.
A Remote Authentication Dial-in User Service (RADIUS) Server provides centralized network authentication, authorization, and accounting services. RADIUS is a communications protocol that is based on Internet Engineering Task Force (IETF) standards. A RADIUS server: