AIX RADIUS server, Part 2: Installation and configuration
Contents:
Software requirements for the RADIUS server
RADIUS configuration files
User authentication locations
Authorization
Debug states
Resources
About the author
Related content:
Part 1: Authentication and accounting protocols

Level: Introductory

Denise Genty (genty@us.ibm.com)
AIX Network Security Developer Team Lead, IBM
27 Jan 2005

This is the second of a two-part series on the AIX® Remote Authentication Dial-In User Service (RADIUS) server. In Part 1, Denise Genty discussed the authentication and accounting protocols. Follow along with her now as she focuses on the installation, configuration, user authorization, and debugging of the RADIUS server.

Software requirements for the RADIUS server
Installation of the AIX® Remote Authentication Dial-In User Service (RADIUS) server requires the following software:

  • AIX 5L Version 5.3.0.10 or later
  • radius.base
  • bos.msg.LANG.rte
  • bos.help.msg.en_US.smit

The radius.base fileset is delivered through APAR IY65978.

If you want centralized user access, with the user information stored in a Lightweight Directory Access Protocol (LDAP) directory, you also need to install the following IBM Tivoli LDAP Directory Server filesets:

  1. ldap.server
  2. ldap.client

You can install the LDAP server fileset on one central machine; however, the LDAP client software must be installed on the same system as the RADIUS server.

RADIUS configuration files
You'll find eight configuration files in /etc/radius. You can edit these files with a UNIX editor (such as vi) or through the AIX System Management Interface Tool (SMIT). The configuration files alter the way the authentication and accounting servers work. Note that all configuration values are read into memory when the daemons start, so after modifying a configuration file you must stop and restart the daemons for the change to take effect. Detailed help for each field within a file is available through the SMIT panels.

radiusd.conf
This is the primary daemon configuration file. This file controls:
  • Where you can access the user authentication information
  • The debug level output verbosity
  • Port(s) the daemon(s) listen on
  • The LDAP server and proxy realm information
This file is the most important file for the server because it controls the behavior of both the authentication and the accounting daemon. The radiusd.conf file contains the minimum information needed to start the RADIUS server daemons. The default values configured at installation time are:
  • The user data store is UNIX® (user IDs defined to AIX are also RADIUS users): the user ID and password sent in an Access-Request packet are validated against the AIX user database.
  • Accounting is turned on and written locally to the /var/radius/data/accounting file.
  • Syslog output is minimal, at debug level 3: Access-Accept, Access-Reject, and ERROR information is logged. Syslog itself is enabled in /etc/syslog.conf.
  • Access-Accept, Access-Challenge, or Access-Reject packets can carry four different types of reply message strings. By default no string is returned; the system administrator must configure the messages.
  • Password renewal through the protocol is disabled. To allow the RADIUS server to update a user's password through the RADIUS protocol, you must enable this attribute.
  • A Message-Authenticator attribute is not required on every packet. Requiring it protects against spoofed packets but costs extra packet processing.
  • The authentication daemon listens on port 1812.
  • The accounting daemon listens on port 1813.
  • Nine LDAP attributes are left for the system administrator to complete once the LDAP server is configured. They are needed only if LDAP holds the user information.
  • Eight attributes pertain to proxy configuration. Proxy is off by default; the system administrator adds the proxy information once the /etc/radius/proxy file is complete.
clients
You must enter the IP address of each client (NAS) into this file, along with a shared secret. The shared secret must be the same secret that is configured on the client, and it can be at most 64 bytes long. The server uses the shared secret to hide the user's password in the Access-Request and to authenticate the packets it exchanges with that client, so anyone who learns it can recover user passwords from captured traffic or forge replies. Use a long, random secret for each client and protect this file accordingly.
dictionary
This file contains the RADIUS attributes as defined in the RADIUS Requests for Comments (RFCs). The dictionary maps each attribute name to the number sent in the RADIUS packet and to its data type (string, integer, and so on), and the server uses it to validate all incoming and outgoing attributes. You can also add vendor-specific attributes to the dictionary.
proxy
If the proxy option is turned on in radiusd.conf, the proxy file holds the realm information. Proxying means that authentication or accounting requests are processed by a RADIUS server other than the one the client initially sent the packet to. For packets that are not processed locally, you must enter the realm name, the "next hop" address, and the shared secret for that hop.
/etc/radius/authorization/default.policy
This file defines the authorization policy for all users that the RADIUS server authenticates. It contains the server-wide authorization attributes that are checked when authentication packets arrive. The authorization policy is configured by the system administrator and is entirely optional. The default.policy validates the attribute value pairs that arrive in Access-Request packets.
/etc/radius/authorization/default.auth
This file defines the return authorization attributes for all users. It contains the RADIUS server-wide authorization attributes that will be returned when successful authentication data is sent (Access-Accept).
/etc/radius/ldap/IBM.V3.radiusbase.schema.ldif
If using LDAP as the user data store, this file defines the top-level organizational units that you need to define on the LDAP server. Once you install and configure the LDAP server and define the RADIUS suffix, the system administrator must add the organizational units (OUs) contained in this file to the hierarchy with the ldapadd command.
/etc/radius/ldap/IBM.V3.radius.schema.ldif
If using LDAP, this file contains the attributes and object classes you need to add to the LDAP directory schema. The system administrator must run an ldapmodify command to add the RADIUS user object classes and attributes defined in this file.

The configuration files shipped in the installp images default to AIX /etc/passwd (UNIX) authentication, port 1812 for authentication, and port 1813 for accounting. Password expiry and proxy are set to off, and the authorization policies are empty. For a quick configuration, the system administrator needs only to add the IP addresses and shared secrets of the authenticating hardware to the clients file. With UNIX authentication, users are the AIX users defined through SMIT or the mkuser command. If you use local or LDAP authentication, make sure you add the user information to the local database or LDAP directory; the easiest way is through the RADIUS SMIT panels.

User authentication locations
You can store user information in one of three locations; however, only one data store per RADIUS server is allowed.

UNIX users
The RADIUS server can authenticate users against the AIX user database, that is, the /etc/passwd file. This eases administration because users already defined to AIX are RADIUS users. The default Database_location in /etc/radius/radiusd.conf is UNIX. Users are defined through the SMIT paths or the AIX mkuser command.

When creating a user ID, you can enforce password expiration by entering a value in the "Password MAX. AGE" field. Keep in mind that RADIUS does not check the password age if this field is left at the default of zero; for the check to occur, enter the number of weeks the password is valid. You set an AIX user's password with the passwd command or through SMIT.

An example of the SMIT flow:

>smitty users
	> Add a User
------------------------------------------------------------------------------------
                                                 Add a User

Type or select values in entry fields.
Press Enter AFTER making all desired changes.
  
[TOP]                                            [Entry Fields]
* User NAME                                          [] 
  User ID                                            []
  ADMINISTRATIVE USER?                              false   
  Primary GROUP                                      []      
  Group SET                                          []     
  ADMINISTRATIVE GROUPS                              []    
  .
  .
  Password MAX. AGE                                  [0]
  .
------------------------------------------------------------------------------------

Local RADIUS database users
The RADIUS server software provides a mechanism to use a local, stand-alone database for authentication purposes. Do not confuse the local database with UNIX users or the LDAP directory; it is for RADIUS use only. The local database is a simple, non-relational database that contains the information required to validate a user attempting to access the service (that is, user name and password). At authentication daemon startup, the local database entries are read into memory for fast access. The local database is recommended for RADIUS installations with fewer than 1,000 users.

To use the local database, set Database_location to "Local" in the radiusd.conf configuration file or through "smitty radius", Server Configuration. Enter user information into the local database by using the raddbm command or SMIT. Remember that the daemons read the local database into memory at startup, so you must stop the RADIUS daemons before using the raddbm command and restart them afterwards for the changes to take effect.

Local user information consists of the user name and password, an optional Extensible Authentication Protocol type (EAP type), and the number of weeks the password is valid. Set the EAP type only if EAP-MD5 challenge is the authentication method. If password expiration is not wanted, set the number of weeks the password is valid to zero. When adding a user, you are prompted for the password and must confirm it.

An example of the SMIT flow to add a local user:

>smitty radius
	> Configure Users
		>Local Database
			>Add a User
------------------------------------------------------------------------------------

                                                   Add a User

Type or select values in entry fields.
Press Enter AFTER making all desired changes.
  
                                                   [Entry Fields]
* Login User ID                                        []
  EAP Type                                             [none]
  Password MAX. AGE                                    [0]  
  
------------------------------------------------------------------------------------

LDAP users
The third choice of authentication store for RADIUS users is an LDAP directory. If LDAP is used, you need to install and configure the LDAP server on a central machine and add an LDAP suffix along with the RADIUS-specific schema. The benefit of LDAP is that it is scalable and provides a central repository that many RADIUS servers can use for user data. User data is entered only once, which makes user administration easier.

To use the LDAP directory, configure the Database_location to be LDAP in the radiusd.conf configuration file or through smitty radius, Server Configuration. Also, you must complete the LDAP server information. See the LDAP data example below.

  LDAP Server Name                                   []
  LDAP Server Port Number                            [389]                       
  LDAP Server Admin Distinguished Name               [cn=root]
  LDAP Server Admin Password                         []
  LDAP Base Distinguished Name                       [cn=aixradius]           
  LDAP Size Limit                                    [0]                     
  LDAP Hop Limit                                     [0]                    
  LDAP wait time limit                               [10]                  
  LDAP debug level                                   [0]    

Most of the fields have defaults and require no further input (see the SMIT help text for a description of each field). You must enter the fully qualified host name of the LDAP server in the LDAP Server Name field, and the LDAP administrator password, the same password you set when installing and configuring the LDAP server. The RADIUS server binds to the LDAP server with this DN and password in order to add and update LDAP user objects. Because that DN can modify user entries, keep /etc/radius/radiusd.conf, which stores the password, readable only by the administrator.

LDAP user information consists of the user name and password, an optional EAP type, and the number of weeks the password is valid. Set the EAP type only if EAP-MD5 challenge is the authentication method. If password expiration is not wanted, set the number of weeks the password is valid to zero. When adding the user, you are prompted for the password and must confirm it; the user is then written to the LDAP directory.

An example of the SMIT flow to add an LDAP user:

>smitty radius
	> Configure Users
		>LDAP Directory
			>Add a User
------------------------------------------------------------------------------------
  
                                                     Add a User

Type or select values in entry fields.
Press Enter AFTER making all desired changes.
  
                                                     [Entry Fields]
* Login User ID                                          []
* Maximum allowed login times                            OFF   
  EAP Type                                               [none] 
  Password MAX. AGE                                      [0]   
  
------------------------------------------------------------------------------------

Notice the additional field, "Maximum allowed login times". With LDAP, the server can track a user's in-session data and limit the number of concurrent logins, up to a maximum of five. The limit is checked when the authentication request is received. If the field is left "OFF", the RADIUS server does not check it. The Accounting-Start and Accounting-Stop packets received for a user determine the in-session data, so the NAS must send its accounting to this server for the limit to be meaningful.

Authorization
There are two facets to authorization:

  1. An authorization policy
  2. Return attributes

You can create an authorization policy that requires incoming Access-Requests to contain specific attribute value pairs. Authorization policies are optional. With them, a system administrator can permit or deny users access to particular network resources, such as a particular NAS or NAS port. The policy is enforced for each packet and can be defined at the server level or for an individual user. At installation time, a default.policy file is shipped in /etc/radius/authorization. You can modify this file to include attributes and values that must be contained in every Access-Request.

A system administrator can also create a user_id.policy file for each user. If a .policy file exists for a user, the user's policy is checked first. An exact match is required: every attribute (one or several) and value specified in the file must appear in the packet. If the user's policy matches, policy authorization is complete and the logic proceeds to the return attributes (see below). If there is no user_id.policy file, the RADIUS server checks the default.policy file instead, again requiring an exact match. If the policy check fails, the server returns an Access-Reject. If it passes, the logic proceeds to the return attributes phase.

The second phase of authorization is the return of attribute value pairs in the Access-Accept packet. These attribute value pairs define how the user accesses the network. As on the policy side, there are two levels of return attributes. At installation time, a default.auth file is shipped in /etc/radius/authorization. You can modify this file to include attributes and values that are returned in every Access-Accept packet.

The system administrator might also create a user_id.auth file for each user. The return-attribute logic behaves differently from the policy logic: the default.auth and user_id.auth attributes are combined before they are returned, and where the same attribute appears in both files, the value from user_id.auth overrides the value from default.auth.

A system administrator can configure any combination of authorization phases (policy and/or return values) having: one or the other, both, or none.

An example default.auth file:

# 1  = Login
# 2  = Framed
# 3  = Callback Login
# 4  = Callback Framed
# 5  = Outbound
# 6  = Administrative
# 7  = NAS Prompt
# 8  = Authenticate Only
# 9  = Callback NAS Prompt
# 10 = Call Check
# 11 = Callback Administrative
#
Service-Type  =2
#
# 1  = PPP
# 2  = SLIP
# 3  = ARAP
# 4  = Gandalf proprietary SingleLink/MultiLink protocol
# 5  = Xylogics proprietary IPX/SLIP
# 6  = X.75 Synchronous
Framed-Protocol   =1
Framed-IP-Address =
Framed-IP-Netmask =255.255.255.0
#
# 0  = None
# 1  = Send routing packets
# 2  = Listen for routing packets
# 3  = Send and Listen
Framed-Routing    =
Framed-MTU        =
#
# 0  = None
# 1  = VJ TCP/IP header compression
# 2  = IPX header compression
# 3  = Stac-LZS compression
Framed-Compression    =
.
.
.

An example the genty.auth file:

# 1  = Login
# 2  = Framed
# 3  = Callback Login
# 4  = Callback Framed
# 5  = Outbound
# 6  = Administrative
# 7  = NAS Prompt
# 8  = Authenticate Only
# 9  = Callback NAS Prompt
# 10 = Call Check
# 11 = Callback Administrative
#
Service-Type  =
#
# 1  = PPP
# 2  = SLIP
# 3  = ARAP
# 4  = Gandalf proprietary SingleLink/MultiLink protocol
# 5  = Xylogics proprietary IPX/SLIP
# 6  = X.75 Synchronous
Framed-Protocol   =
Framed-IP-Address =10.10.10.2
Framed-IP-Netmask =
#
# 0  = None
# 1  = Send routing packets
# 2  = Listen for routing packets
# 3  = Send and Listen
Framed-Routing    =
Framed-MTU        =
#
# 0  = None
# 1  = VJ TCP/IP header compression
# 2  = IPX header compression
# 3  = Stac-LZS compression
Framed-Compression    =
.
.
.

The above example uses two .auth files to return authorization data. Every user receives the three attribute value pairs from default.auth: Service-Type "Framed" (2), Framed-Protocol PPP (1), and a Framed-IP-Netmask of 255.255.255.0. The genty user additionally receives Framed-IP-Address 10.10.10.2 from genty.auth, so the Access-Accept packet for genty carries four attribute value pairs.
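To make the two phases concrete, here is an added example (not from the article or from the AIX radius.base code) that parses .auth and .policy files in the format shown above and applies the exact-match policy rule and the user-overrides-default merge rule the text describes. The default.policy contents and the Access-Request attributes are constructed for the example; the default.policy that ships with the server is empty.

```python
"""Added example (not from the article or from the AIX radius.base code): the two
authorization phases described above, driven by files in the .auth/.policy
format shown on this page. The merge rule (user_id.auth overrides default.auth)
and the exact-match policy rule follow the text; the default.policy contents and
the request attributes below are constructed for the example."""

# Constructed file contents in the page's format: '#' lines are comments,
# attribute lines are 'Name = value', and an empty value means "not set".
DEFAULT_AUTH = """\
# 2  = Framed
Service-Type  =2
# 1  = PPP
Framed-Protocol   =1
Framed-IP-Address =
Framed-IP-Netmask =255.255.255.0
Framed-Routing    =
"""

GENTY_AUTH = """\
Service-Type  =
Framed-Protocol   =
Framed-IP-Address =10.10.10.2
Framed-IP-Netmask =
"""

# Hypothetical server-wide policy (the shipped default.policy is empty):
# every Access-Request must be for a Framed-User on NAS port 2.
DEFAULT_POLICY = """\
NAS-Port     =2
Service-Type =2
"""

# Constructed Access-Request attributes, matching the level 9 log on this page.
GENTY_REQUEST = {"User-Name": "genty", "NAS-IP-Address": "10.10.10.1",
                 "NAS-Port": "2", "Service-Type": "2", "Framed-Protocol": "1"}


def parse_auth_file(text):
    """Return {attribute: value} for the non-empty 'Name = value' lines."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if value.strip():                 # empty right-hand side: leave unset
            pairs[name.strip()] = value.strip()
    return pairs


def check_policy(request, user_policy, default_policy):
    """Phase 1: exact-match policy check.

    The user's .policy is used if that file exists (if it fails there is no
    fall-back); otherwise default.policy is used. Every attribute/value pair
    in the chosen policy must be present in the request with the same value.
    An absent or empty policy passes.
    """
    policy = user_policy if user_policy is not None else default_policy
    if not policy:
        return True
    return all(request.get(name) == value for name, value in policy.items())


def build_return_attributes(default_auth, user_auth):
    """Phase 2: combine default.auth with user_id.auth; the user's values win."""
    merged = dict(default_auth)
    merged.update(user_auth)
    return merged


def authorize(request, user_auth_text=None, user_policy_text=None):
    """Run both phases for one Access-Request.

    Returns the attribute/value pairs to place in the Access-Accept, or None
    when the policy check fails and an Access-Reject should be sent.
    """
    user_policy = (parse_auth_file(user_policy_text)
                   if user_policy_text is not None else None)
    if not check_policy(request, user_policy, parse_auth_file(DEFAULT_POLICY)):
        return None
    user_auth = parse_auth_file(user_auth_text) if user_auth_text else {}
    return build_return_attributes(parse_auth_file(DEFAULT_AUTH), user_auth)


if __name__ == "__main__":
    # genty: policy passes, four attributes returned (IP address from genty.auth)
    print(authorize(GENTY_REQUEST, GENTY_AUTH))
    # same user from NAS port 3: default.policy fails -> Access-Reject
    print(authorize({**GENTY_REQUEST, "NAS-Port": "3"}, GENTY_AUTH))
```

Note that a user-level .policy file replaces rather than supplements default.policy: once genty.policy exists, default.policy is never consulted for genty, which is why a per-user policy should repeat any server-wide requirement it still wants enforced.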

Debug states
The RADIUS server daemons write information to the syslog subsystem. Three debug levels exist: 0, 3 and 9, with 9 giving the most detail. The default is level 3. The level is set in the /etc/radius/radiusd.conf file. Level 9 logs Access-Request, Access-Accept, and Access-Reject information plus internal program data that you can use to trace the flow of a packet through the software. Every entry carries a date and time, the system name, the process ID, and the packet number in brackets.

Level 0 output


Oct  6 15:34:20 radserver syslog: [0]:
     Monitor process [766206] has started
Oct  6 15:34:20 radserver radiusd[766206]: [0]:
     Local database (AVL) built.
Oct  6 15:34:20 radserver radiusd[766206]: [0]:
     Authentication process started : 
     Pid= 757848 Port = 1812
Oct  6 15:34:20 radserver radiusd[766206]: [0]:
     Accounting process started : Pid = 762092 Port = 1813

When the debug level is set to zero, the information logged is for the process ids of the daemons (in this example, the monitor is 766206, and the other two are 757848 and 762092) and the listening port numbers of the authentication and accounting daemons. In this example, a separate daemon starts for authentication and accounting. Please note that the daemons did not have any errors on initialization. This means that the daemons read all of the configuration information, and are ready to begin accepting packets.

Level 0 error output


Oct  6 16:15:49 radserver syslog: [0]:Monitor process [581688] has started
Oct  6 16:15:49 radserver radiusd[581688]: [0]:Local database (AVL) built.
Oct  6 16:15:49 radserver radiusd[581688]: [0]:Authentication process started : 
     Pid= 602202 Port = 1812
Oct  6 16:15:49 radserver radiusd[581688]: [0]:Accounting process started : 
     Pid= 577598 Port = 1813
Oct  6 16:15:49 radserver radiusd[602202]: [0]:ERROR - 
     connect_to_ldap_server:Error in the ldap_SASL_bind_s:rc = 91.
Oct  6 16:15:49 radserver radiusd[602202]: [0]:ERROR - 
     Authentication process 602202 on port 1812 could not connect to LDAP, 
     notify parent for shutdown
Oct  6 16:15:49 radserver radiusd[577598]: [0]:ERROR - 
     connect_to_ldap_server:Error in the ldap_SASL_bind_s:rc = 91.
Oct  6 16:15:49 radserver radiusd[577598]: [0]:ERROR - 
     Accounting process 577598 on port 1813 could not connect to LDAP, 
     notify parent for shutdown
Oct  6 16:15:49 radserver radiusd[581688]: [0]:PID = [602202] dead
Oct  6 16:15:49 radserver radiusd[581688]: [0]:PID = [577598] dead
Oct  6 16:15:49 radserver radiusd[581688]: [0]:
     All child processes stopped. radiusd parent stopping

If an error occurs during daemon initialization or packet processing, the system logs the error messages, regardless of debug level set. In this example, the configuration is set to LDAP and the LDAP Directory Server was unreachable. Because of the severity of the error, the daemons did not successfully start.

Level 3 authentication output


Oct  6 15:35:30 radserver syslog: [0]:Monitor process [757862] has started
Oct  6 15:35:30 radserver radiusd[757862]: [0]:Local database (AVL) built.
Oct  6 15:35:30 radserver radiusd[741390]: [0]:Socket created [12]
Oct  6 15:35:30 radserver radiusd[741390]: [0]:Bound Authentication socket [12]
Oct  6 15:35:30 radserver radiusd[757862]: [0]:
     Authentication process started : Pid= 741390 Port = 1812
Oct  6 15:35:30 radserver radiusd[762106]: [0]:Socket created [12]
Oct  6 15:35:30 radserver radiusd[762106]: [0]:Bound Accounting socket [12]
Oct  6 15:35:30 radserver radiusd[757862]: [0]:
     Accounting process started : Pid = 762106 Port = 1813
Oct  6 15:35:45 radserver radiusd[741390]: [1]:*** Start Process_Packet() ***
Oct  6 15:35:45 radserver radiusd[741390]: [1]:
     Code 1, ID = 88, Port = 49476 Host = 10.10.10.1
Oct  6 15:35:45 radserver radiusd[741390]: [1]:RC from passwdexpired is: 0
Oct  6 15:35:45 radserver radiusd[741390]: [1]:
     Passed local operating system authentication
Oct  6 15:35:45 radserver radiusd[741390]: [1]:
     Authentication successful for user [genty] using IP [10.10.10.1]
Oct  6 15:35:45 radserver radiusd[741390]: [1]:User verified using default.policy.
Oct  6 15:35:45 radserver radiusd[741390]: [1]:
     Authorization successful for user [genty] using IP [10.10.10.1]
Oct  6 15:35:45 radserver radiusd[741390]: [1]:ACCESS-ACCEPT - 
     sending accept for id 88 to 10.10.10.1 (reddog.ibm.com)
Oct  6 15:35:45 radserver radiusd[741390]: [1]:send_accept() Outgoing Packet:
Oct  6 15:35:45 radserver radiusd[741390]: [1]: Code = 2, Id = 88, Length = 42
Oct  6 15:35:45 radserver radiusd[741390]: [1]:*** Leave Process_Packet() ***

Level 3 logs the same output as level 0 plus per-packet information. *** Start Process_Packet() *** marks the start of processing for a packet and *** Leave Process_Packet() *** marks the end. The [1] after the process ID is the packet number, so this is the first packet the daemon has processed. In this example, the authentication daemon:

  • Processes one Access-Request packet (Code = 1) from 10.10.10.1
  • Checks user genty's password for expiration (passwdexpired returns 0)
  • Authenticates the user named "genty" through the AIX authenticate() API
  • Checks the authorization attributes against default.policy
  • Returns an Access-Accept packet (Code = 2) to the client (10.10.10.1)
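As an added example that is not part of the article, the following script normalizes these syslog records into one record per entry (the header line plus its indented continuation lines) and extracts the events an operator usually wants from them: daemon start-up, errors, and authentication and authorization outcomes per user and NAS. The sample lines are copied from the level 0 and level 3 output on this page; the event patterns are assumptions derived from those lines, not a documented log format.

```python
"""Added example, not from the article: normalize the multi-line radiusd syslog
records shown on this page (header line + indented continuation lines) into one
record per entry and extract operator-relevant events. The sample lines are
copied from the page's level 0 and level 3 output; the regular expressions are
derived from those lines and are assumptions about the format."""
import re
from collections import Counter

SAMPLE_LOG = """\
Oct  6 15:35:30 radserver syslog: [0]:Monitor process [757862] has started
Oct  6 15:35:30 radserver radiusd[757862]: [0]:
     Authentication process started : Pid= 741390 Port = 1812
Oct  6 15:35:45 radserver radiusd[741390]: [1]:*** Start Process_Packet() ***
Oct  6 15:35:45 radserver radiusd[741390]: [1]:
     Code 1, ID = 88, Port = 49476 Host = 10.10.10.1
Oct  6 15:35:45 radserver radiusd[741390]: [1]:
     Authentication successful for user [genty] using IP [10.10.10.1]
Oct  6 15:35:45 radserver radiusd[741390]: [1]:
     Authorization successful for user [genty] using IP [10.10.10.1]
Oct  6 15:35:45 radserver radiusd[741390]: [1]:ACCESS-ACCEPT -
     sending accept for id 88 to 10.10.10.1 (reddog.ibm.com)
Oct  6 16:15:49 radserver radiusd[602202]: [0]:ERROR -
     connect_to_ldap_server:Error in the ldap_SASL_bind_s:rc = 91.
"""

# Header: "<timestamp> <host> <prog>[<pid>]: [<packet number>]:<message>".
# The monitor line is written by "syslog:" without a pid, so pid is optional.
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: \[(?P<pkt>\d+)\]:(?P<msg>.*)$")

# Event patterns, tried in order; the first match classifies the record.
EVENTS = [
    ("daemon_started", re.compile(
        r"(Authentication|Accounting) process started : Pid ?= ?(\d+) Port = (\d+)")),
    ("auth_ok", re.compile(
        r"Authentication successful for user \[([^\]]+)\] using IP \[([^\]]+)\]")),
    ("authz_ok", re.compile(
        r"Authorization successful for user \[([^\]]+)\] using IP \[([^\]]+)\]")),
    ("access_accept", re.compile(
        r"ACCESS-ACCEPT -\s*sending accept for id (\d+) to (\S+)")),
    ("error", re.compile(r"ERROR -\s*(.*)")),
]


def parse_records(text):
    """Join each header line with its continuation lines into one record."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            rec = m.groupdict()
            rec["parts"] = [rec.pop("msg").strip()]
            records.append(rec)
        elif records and line.strip():
            records[-1]["parts"].append(line.strip())   # continuation line
    for rec in records:
        rec["msg"] = " ".join(p for p in rec.pop("parts") if p)
    return records


def extract_events(records):
    """Classify records; unrecognized messages (trace lines) are dropped."""
    events = []
    for rec in records:
        for kind, pattern in EVENTS:
            m = pattern.search(rec["msg"])
            if m:
                events.append({"kind": kind, "ts": rec["ts"], "pid": rec["pid"],
                               "pkt": int(rec["pkt"]), "fields": m.groups()})
                break
    return events


def summarize(events):
    """Access-Accepts per NAS address, and the list of error texts."""
    accepts = Counter(e["fields"][1] for e in events if e["kind"] == "access_accept")
    errors = [e["fields"][0] for e in events if e["kind"] == "error"]
    return accepts, errors


if __name__ == "__main__":
    evs = extract_events(parse_records(SAMPLE_LOG))
    for e in evs:
        print(e["ts"], e["kind"], e["fields"])
    print(summarize(evs))
```

Joining continuation lines first matters: the ACCESS-ACCEPT and ERROR messages on this page are split across two syslog lines, so a grep for the user name or NAS address alone misses them.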

Level 9 authentication output -- UNIX user


Oct  6 15:31:13 radserver syslog: [0]: Monitor process [757842] has started
Oct  6 15:31:13 radserver radiusd[757842]: [0]: Local database (AVL) built.
Oct  6 15:31:13 radserver radiusd[757842]: [0]: Inside client_init()
Oct  6 15:31:13 radserver radiusd[757842]: [0]: Number of client entries read: 1
Oct  6 15:31:13 radserver radiusd[757842]: [0]: Inside read_authorize_policy routine for 
     file: /etc/radius/authorization/default.policy.
Oct  6 15:31:13 radserver radiusd[757842]: [0]: Inside read_authorize_file routine for 
     file: /etc/radius/authorization/default.policy.
Oct  6 15:31:13 radserver radiusd[757842]: [0]: Number of Attribute-Value pairs read: 1
Oct  6 15:31:13 radserver radiusd[757842]: [0]: read_authorize_file() routine complete.
Oct  6 15:31:13 radserver radiusd[757842]: [0]: Inside read_authorize_file routine for 
     file: /etc/radius/authorization/default.auth.
Oct  6 15:31:13 radserver radiusd[757842]: [0]: Number of Attribute-Value pairs read: 1
Oct  6 15:31:13 radserver radiusd[757842]: [0]: read_authorize_file() routine complete.
Oct  6 15:31:13 radserver radiusd[745536]: [0]: Socket created [12]
Oct  6 15:31:13 radserver radiusd[745536]: [0]: Bound Authentication socket [12]
Oct  6 15:31:13 radserver radiusd[757842]: [0]: Authentication process started : 
     Pid= 745536 Port = 1812
Oct  6 15:31:13 radserver radiusd[762084]: [0]: Socket created [12]
Oct  6 15:31:13 radserver radiusd[762084]: [0]: Bound Accounting socket [12]
Oct  6 15:31:13 radserver radiusd[757842]: [0]:
     Accounting process started : Pid = 762084 Port = 1813
Oct  6 15:31:22 radserver radiusd[745536]: [1]: *** Start Process_Packet() ***
Oct  6 15:31:22 radserver radiusd[745536]: [1]: Incoming Packet:
Oct  6 15:31:22 radserver radiusd[745536]: [1]: Code = 1, Id = 86, Length = 69
Oct  6 15:31:22 radserver radiusd[745536]: [1]:  
     Authenticator = 0xB545DFFEEE5DFB0AD3938A79C774C3ED
Oct  6 15:31:22 radserver radiusd[745536]: [1]: 
     Type =   1, Length =   7, Value = 0x67656E7479
Oct  6 15:31:22 radserver radiusd[745536]: [1]:   
     Type =   2, Length =  18, Value = 0x********************************
Oct  6 15:31:22 radserver radiusd[745536]: [1]: 
     Type =   4, Length =   6, Value = 0x0A0A0A01
Oct  6 15:31:22 radserver radiusd[745536]: [1]:    
     Type =   5, Length =   6, Value = 0x00000002
Oct  6 15:31:22 radserver radiusd[745536]: [1]:    
     Type =   6, Length =   6, Value = 0x00000002
Oct  6 15:31:22 radserver radiusd[745536]: [1]:   
     Type =   7, Length =   6, Value = 0x00000001
Oct  6 15:31:22 radserver radiusd[745536]: [1]: Starting parse_packet()
Oct  6 15:31:22 radserver radiusd[745536]: [1]:Code 1, ID = 86, 
     Port = 49476 Host = 10.10.10.1
Oct  6 15:31:22 radserver radiusd[745536]: [1]: User-Name = "genty"
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     NAS-IP-Address = 10.10.10.1
Oct  6 15:31:22 radserver radiusd[745536]: [1]: NAS-Port = 2
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Service-Type = Framed-User
Oct  6 15:31:22 radserver radiusd[745536]: [1]: Framed-Protocol = PPP
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Leaving parse_packet()
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Verifying Message-Authenticator
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Message-Authenticator successfully verified
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Inside proxy_request_needed() function
Oct  6 15:31:22 radserver radiusd[745536]: [1]: Proxy is not turned on
Oct  6 15:31:22 radserver radiusd[745536]: [1]: Username = [genty]
Oct  6 15:31:22 radserver radiusd[745536]: [1]: Client IP = [10.10.10.1]
Oct  6 15:31:22 radserver radiusd[745536]: [1]: Client port = [2]
Oct  6 15:31:22 radserver radiusd[745536]: [1]: Inside parse_for_login( genty )
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     User_id remaining after prefix removal = [genty]
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     User_id remaining after suffix removal = [genty]
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Inside rad_authenticate() function
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Authentication request received for [reddog.ibm.com]
Oct  6 15:31:22 radserver radiusd[745536]: [1]: Attempting to authenticate user with the local operating system
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Inside get_client_secret routine for ip:10.10.10.1
Oct  6 15:31:22 radserver radiusd[745536]: [1]: Found NAS-IP = [10.10.10.1]
Oct  6 15:31:22 radserver radiusd[745536]: [1]: Found shared secret.
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     RC from passwdexpired is: 0
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Passed local operating system authentication
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Authentication successful for user [genty] using IP [10.10.10.1]
Oct  6 15:31:22 radserver radiusd[745536]: [1]: Inside rad_authorize() routine.
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Inside read_authorize_policy routine for 
     file: /etc/radius/authorization/genty.policy.
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Inside read_authorize_file routine for 
     file: /etc/radius/authorization/genty.policy.
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Did not open /etc/radius/authorization/genty.policy file. 
     File might not be found.
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Error reading policy file: /etc/radius/authorization/genty.policy.
Oct  6 15:31:22 radserver radiusd[745536]: [1]: Inside verify_attributes routine
.
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Inside verify_attributes routine
.
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     User verified using default.policy.
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     In create_def_copy() routine.
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Successfully made a copy of the master authorization list.
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Inside read_authorize_file routine for
     file: /etc/radius/authorization/genty.auth.
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Number of Attribute-Value pairs read: 1
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     read_authorize_file() routine complete.
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Inside build_user_subset() routine.
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Successfully created a new authorization list.
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Authorization successful for user [genty] using IP [10.10.10.1]
Oct  6 15:31:22 radserver radiusd[745536]: [1]:ACCESS-ACCEPT - 
     sending accept for id 86 to 10.10.10.1 (reddog.ibm.com)
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Inside proxy_response_needed() function
Oct  6 15:31:22 radserver radiusd[745536]: [1]:Proxy is not turned on
Oct  6 15:31:22 radserver radiusd[745536]: [1]:
     Inside get_client_secret routine for ip:10.10.10.1
Oct  6 15:31:22 radserver radiusd[745536]: [1]:Found NAS-IP = [10.10.10.1]
Oct  6 15:31:22 radserver radiusd[745536]: [1]:Found shared secret.
Oct  6 15:31:22 radserver radiusd[745536]: [1]:send_accept() Outgoing Packet:
Oct  6 15:31:22 radserver radiusd[745536]: [1]: Code = 2, Id = 86, Length = 42
Oct  6 15:31:22 radserver radiusd[745536]: [1]:send_accept() Outgoing Packet:
Oct  6 15:31:22 radserver radiusd[745536]: [1]:  Code = 2, Id = 86, Length = 42
Oct  6 15:31:22 radserver radiusd[745536]: [1]:  Authenticator = 
     0x60CE75AF40175A600BCA7227453F8D40
Oct  6 15:31:22 radserver radiusd[745536]: [1]:    
     Type =   7, Length =   6, Value = 0x00000001
Oct  6 15:31:22 radserver radiusd[745536]: [1]:    
     Type =   8, Length =   6, Value = 0x0A0A0A09
Oct  6 15:31:22 radserver radiusd[745536]: [1]:   
     Type =  18, Length =  10, Value = 0x676F6F646E657373
Oct  6 15:31:22 radserver radiusd[745536]: [1]:*** Leave Process_Packet() ***

This example shows the processing of one Access-Request packet with debug level 9 turned on. At this level the log also records:

  • One entry in the client file (the NAS at 10.10.10.1 and its shared secret)
  • Reading and processing of the authorization files: default.policy, default.auth and the user's genty.auth
  • Proxy capabilities are turned "off"
  • Every attribute/value pair in the incoming and outgoing packets

After the *** Start Process_Packet() *** marker, the received packet is logged in hexadecimal and, once parse_packet() has run, in text form. The message Attempting to authenticate the user with the local operating system means that UNIX authentication was performed against the local /etc/passwd user database. Once the user is authenticated, the next step is authorization: Inside rad_authorize() routine marks the point where the daemon consults the .policy and .auth files. The messages about /etc/radius/authorization/genty.policy (Did not open /etc/radius/authorization/genty.policy file, followed by Error reading policy file) are not errors here: the system administrator did not configure a user-level authorization policy for the user named genty, so the daemon falls back to default.policy, which is what the line User verified using default.policy confirms.

The two messages Inside build_user_subset() routine and Successfully created a new authorization list mean that the attribute/value pairs of the default.auth and genty.auth return-authorization files were merged: the daemon starts from a copy of the master (default.auth) list and overlays the user's genty.auth on it, so any pair present in both files takes its value from genty.auth. Because the user file wins on conflict, anyone who can edit a file under /etc/radius/authorization can change the attributes handed back to the NAS (the Framed-IP-Address, for example), so keep that directory root-owned and writable by nobody else. The merged list, as returned in the Access-Accept packet, is shown below:

  • send_accept() Outgoing Packet:
  • Code = 2, Id = 86, Length = 42
  • Authenticator = 0x60CE75AF40175A600BCA7227453F8D40
  • Type = 7, Length = 6, Value = 0x00000001
    • Type=7 is "Framed-Protocol" with a value of "1", meaning "PPP"
  • Type = 8, Length = 6, Value = 0x0A0A0A09
    • Type=8 is "Framed-IP-Address" with a value of "10.10.10.9"
  • Type = 18, Length = 10, Value = 0x676F6F646E657373
    • Type=18 is "Reply-Message" with a value of "goodness"

Level 3 accounting output


Oct  6 15:41:02 radserver radiusd[741396]: [1]:*** Start Process_Packet() ***
Oct  6 15:41:02 radserver radiusd[741396]: [1]:Code 4, ID = 92, 
     Port = 49476 Host = 10.10.10.1
Oct  6 15:41:02 radserver radiusd[741396]: [1]:ACCOUNTING-START - 
     sending Accounting Ack to User [ user_id ]
Oct  6 15:41:02 radserver radiusd[741396]: [1]:Sending Accounting Ack of 
     id 92 to 10.10.10.1 (reddog.ibm.com)
Oct  6 15:41:02 radserver radiusd[741396]: [1]:send_acct_reply() Outgoing Packet:
Oct  6 15:41:02 radserver radiusd[741396]: [1]: Code = 5, Id = 92, Length = 20
Oct  6 15:41:02 radserver radiusd[741396]: [1]:*** Leave Process_Packet() ***

Note that the accounting response carries no attribute/value pairs: Length = 20 is just the RADIUS header (code, identifier, length and the 16-byte response authenticator), which is why the level 3 log prints nothing after the Code = 5 line.

Level 9 accounting stop output


Oct  6 15:48:43 radserver radiusd[757870]: [1]: *** Start Process_Packet() ***
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Incoming Packet:
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Code = 4, Id = 108, Length = 162
Oct  6 15:48:43 radserver radiusd[757870]: [1]:  
     Authenticator = 0x2B66A02F8E5BE27E74D8B6B0AB5DA6E8
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =  40, Length =   6, Value = 0x00000002
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =   1, Length =   9, Value = 0x757365725F6964
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =   4, Length =   6, Value = 0x0A0A0A01
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =   5, Length =   6, Value = 0x0000000C
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =  61, Length =   6, Value = 0x00000005
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =  44, Length =  11, Value = 0x303030303061626364
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =  42, Length =   6, Value = 0x00000064
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =  43, Length =   6, Value = 0x000000C8
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =  30, Length =  10, Value = 0x3833382D30303030
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =  31, Length =  10, Value = 0x3833382D31313131
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =  46, Length =   6, Value = 0x00001C20
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =  49, Length =   6, Value = 0x00000002
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =   6, Length =   6, Value = 0x00000002
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =   7, Length =   6, Value = 0x00000001
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =   8, Length =   6, Value = 0x0A0A0A01
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =   9, Length =   6, Value = 0xFFFFFF00
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =  10, Length =   6, Value = 0x00000001
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =  41, Length =   6, Value = 0x00000258
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =  45, Length =   6, Value = 0x00000001
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =  47, Length =   6, Value = 0x00001388
Oct  6 15:48:43 radserver radiusd[757870]: [1]:    
     Type =  48, Length =   6, Value = 0x00001770
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Starting parse_packet()
Oct  6 15:48:43 radserver radiusd[757870]: [1]:Code 4, ID = 108, 
     Port = 49476 Host = 10.10.10.1
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Acct-Status-Type = Stop
Oct  6 15:48:43 radserver radiusd[757870]: [1]: User-Name = "user_id" 
Oct  6 15:48:43 radserver radiusd[757870]: [1]: NAS-IP-Address = 10.10.10.1
Oct  6 15:48:43 radserver radiusd[757870]: [1]: NAS-Port = 12
Oct  6 15:48:43 radserver radiusd[757870]: [1]: NAS-Port-Type = Virtual
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Acct-Session-Id = "00000abcd" 
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Acct-Input-Octets = 100
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Acct-Output-Octets = 200
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Called-Station-Id = "838-0000" 
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Calling-Station-Id = "838-1111" 
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Acct-Session-Time = 7200
Oct  6 15:48:43 radserver radiusd[757870]: [1]:
     Acct-Terminate-Cause = Lost-Carrier
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Service-Type = Framed-User
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Framed-Protocol = PPP
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Framed-IP-Address = 10.10.10.1
Oct  6 15:48:43 radserver radiusd[757870]: [1]:
     Framed-IP-Netmask = 255.255.255.0
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Framed-Routing = Broadcast
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Acct-Delay-Time = 
        
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Acct-Authentic = RADIUS
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Acct-Input-Packets = 5000
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Acct-Output-Packets = 6000
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Leaving parse_packet()
Oct  6 15:48:43 radserver radiusd[757870]: [1]:
     Inside proxy_request_needed() function 
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Proxy is not turned on
Oct  6 15:48:43 radserver radiusd[757870]: [1]:
     Inside validate_acct_authenticator() function 
Oct  6 15:48:43 radserver radiusd[757870]: [1]:
     Inside get_proxy_by_ip() function for ip:10.10.10.1
Oct  6 15:48:43 radserver radiusd[757870]: [1]:
     Did not find ip[10.10.10.1] in proxy list
Oct  6 15:48:43 radserver radiusd[757870]: [1]:
     Inside get_client_secret routine for ip:10.10.10.1
Oct  6 15:48:43 radserver radiusd[757870]: [1]:
     Sending Accounting Ack of id 108 to 10.10.10.1 (reddog.ibm.com)
Oct  6 15:48:43 radserver radiusd[757870]: [1]:
     Inside proxy_response_needed() function 
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Proxy is not turned on
Oct  6 15:48:43 radserver radiusd[757870]: [1]:
     Inside get_client_secret routine for ip:10.10.10.1
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Found NAS-IP = [10.10.10.1]
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Found shared secret.
Oct  6 15:48:43 radserver radiusd[757870]: [1]: send_acct_reply() Outgoing Packet:
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Code = 5, Id = 108, Length = 20
Oct  6 15:48:43 radserver radiusd[757870]: [1]: send_acct_reply() Outgoing Packet:
Oct  6 15:48:43 radserver radiusd[757870]: [1]: Code = 5, Id = 108, Length = 20
Oct  6 15:48:43 radserver radiusd[757870]: [1]:  
     Authenticator = 0x6DFFFDCA5AFCFF89912C682D51823502
Oct  6 15:48:43 radserver radiusd[757870]: [1]: *** Leave Process_Packet() ***

This example shows the processing of one Accounting-Request packet with debug level 9 turned on. The full Accounting-Stop record is written to the log in hexadecimal and, after parse_packet(), in text form; as in the previous examples, each attribute/value pair is logged. Notice the order of operations: before any acknowledgement is built, validate_acct_authenticator() looks up the client's shared secret and checks the Request Authenticator of the packet. The RADIUS accounting specification (RFC 2866) has the server verify that authenticator against the shared secret and silently drop a packet that fails, so a NAS that is missing from the client file, or configured with the wrong secret, never receives an acknowledgement.

After the data is successfully written to the accounting data file, you will see the Accounting-Response (Code = 5; the daemon logs it as an Accounting Ack) returned to the client. A reply is only sent if the data was successfully recorded. The send_acct_reply() Outgoing Packet lines show that reply being built and sent: it is the bare 20-byte header, and its authenticator is computed over the request's authenticator and the shared secret, which is why get_client_secret is called a second time just before it goes out.
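To make the packet layout and the authenticator checks described above concrete, here is an added example (not code from the article or from the AIX radiusd). It rebuilds the Access-Accept (Id 86) and the Accounting-Stop request (Id 108) from the attribute/value pairs in the two logs, decodes them back into the name = value form that parse_packet() prints, and performs the Request Authenticator check that validate_acct_authenticator() must pass before an Accounting Ack is sent, including what happens when the secret is wrong or the packet has been altered in transit. The shared secret (SECRET) and the original Access-Request authenticator (req_auth) are assumptions, since neither appears in the article; every attribute value is taken from the log lines.

```python
"""RADIUS packet encode/decode plus authenticator checks (RFC 2865/2866).
Added example, not code from the article or from the AIX radiusd. It rebuilds
the Accounting-Stop request and the Access-Accept shown in the logs above and
runs the check the log's validate_acct_authenticator() step implies."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

SECRET = b"testing123"             # assumed NAS shared secret; the article never prints it
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator (20 bytes)
ACCESS_ACCEPT, ACCT_REQUEST, ACCT_RESPONSE = 2, 4, 5
ZERO_SEED = bytes(16)              # Accounting-Request authenticator is MD5'd over 16 zero bytes

# Subset of the standard attribute dictionary, enough for the two packets above.
ATTRS = {
    1: ("User-Name", "str"), 4: ("NAS-IP-Address", "ip"), 5: ("NAS-Port", "int"),
    6: ("Service-Type", "int"), 7: ("Framed-Protocol", "int"), 8: ("Framed-IP-Address", "ip"),
    9: ("Framed-IP-Netmask", "ip"), 10: ("Framed-Routing", "int"), 18: ("Reply-Message", "str"),
    30: ("Called-Station-Id", "str"), 31: ("Calling-Station-Id", "str"),
    40: ("Acct-Status-Type", "int"), 41: ("Acct-Delay-Time", "int"),
    42: ("Acct-Input-Octets", "int"), 43: ("Acct-Output-Octets", "int"),
    44: ("Acct-Session-Id", "str"), 45: ("Acct-Authentic", "int"),
    46: ("Acct-Session-Time", "int"), 47: ("Acct-Input-Packets", "int"),
    48: ("Acct-Output-Packets", "int"), 49: ("Acct-Terminate-Cause", "int"),
    61: ("NAS-Port-Type", "int"),
}


def encode_avp(attr, value):
    """Type | Length | Value; Length counts its own two header octets."""
    kind = ATTRS[attr][1]
    data = (struct.pack("!I", value) if kind == "int" else
            IPv4Address(value).packed if kind == "ip" else value.encode("ascii"))
    return bytes((attr, 2 + len(data))) + data


def decode_avps(body):
    """Walk the attribute area, producing the name = value pairs parse_packet() logs."""
    out, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        attr, length = body[pos], body[pos + 1]
        data = body[pos + 2:pos + length]
        name, kind = ATTRS.get(attr, ("Attr-%d" % attr, "str"))
        value = (struct.unpack("!I", data)[0] if kind == "int" else
                 str(IPv4Address(data)) if kind == "ip" else data.decode("ascii", "replace"))
        out.append((name, value))
        pos += length
    return out


def authenticator(code, ident, seed, body, secret):
    """MD5(Code | Id | Length | seed | Attributes | Secret). seed is 16 zero bytes for an
    Accounting-Request and the matching Request Authenticator for any response."""
    length = HEADER.size + len(body)
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + seed + body + secret).digest()


def build(code, ident, seed, avps, secret):
    body = b"".join(encode_avp(a, v) for a, v in avps)
    return HEADER.pack(code, ident, HEADER.size + len(body),
                       authenticator(code, ident, seed, body, secret)) + body


def verify(packet, seed, secret):
    """True only if the Length field matches and the authenticator was made with secret.
    This is the check validate_acct_authenticator() must pass before anything is recorded."""
    if len(packet) < HEADER.size:
        return False
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length != len(packet):
        return False
    expected = authenticator(code, ident, seed, packet[HEADER.size:], secret)
    return hmac.compare_digest(auth, expected)


# Attribute/value pairs copied from the two logs above (constructed packets, logged values).
ACCT_STOP_AVPS = [(40, 2), (1, "user_id"), (4, "10.10.10.1"), (5, 12), (61, 5),
                  (44, "00000abcd"), (42, 100), (43, 200), (30, "838-0000"),
                  (31, "838-1111"), (46, 7200), (49, 2), (6, 2), (7, 1), (8, "10.10.10.1"),
                  (9, "255.255.255.0"), (10, 1), (41, 600), (45, 1), (47, 5000), (48, 6000)]
ACCEPT_AVPS = [(7, 1), (8, "10.10.10.9"), (18, "goodness")]


def demo(secret=SECRET):
    stop = build(ACCT_REQUEST, 108, ZERO_SEED, ACCT_STOP_AVPS, secret)
    req_auth = bytes(range(16))  # the Access-Request's authenticator is not in the log; assumed
    accept = build(ACCESS_ACCEPT, 86, req_auth, ACCEPT_AVPS, secret)
    ack = build(ACCT_RESPONSE, 108, stop[4:20], [], secret)  # no attributes: bare header
    return {
        "stop_len": len(stop), "stop_attrs": decode_avps(stop[HEADER.size:]),
        "stop_ok": verify(stop, ZERO_SEED, secret),
        "stop_wrong_secret": verify(stop, ZERO_SEED, b"not-the-secret"),
        "stop_tampered": verify(stop[:-1] + bytes([stop[-1] ^ 1]), ZERO_SEED, secret),
        "accept_len": len(accept), "accept_attrs": decode_avps(accept[HEADER.size:]),
        "accept_ok": verify(accept, req_auth, secret), "ack_len": len(ack),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, "=", val)
```

The rebuilt Accounting-Stop comes out at 162 bytes and the Access-Accept at 42, matching the Length fields in the logs, and the Accounting-Response is the 20-byte header alone. The authenticator is an MD5 digest keyed only by appending the shared secret, not a modern MAC, so the secret's strength and its distribution to each NAS are what stand between an attacker on the path and forged accounting records or a spoofed Access-Accept; the verify() result for the wrong-secret and tampered cases shows exactly what the server can and cannot tell apart.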

Resources

About the author
Denise Genty is a developer and team lead on the IBM AIX Network Security team in the AIX Communications area and has worked in AIX development for twelve years. Current projects include RADIUS, IP Security, and Open Secure Shell. Denise has a BS in Computer Science from Texas A&M University. You can contact her at genty@us.ibm.com.

