Radius Server Configuration

From iDENprotect Knowledge Base


Introduction

The idenprotect RADIUS server is an implementation of the industry-leading RADIUS server (FreeRADIUS).

The RADIUS server is configured to work with the idenprotect Core Server and Authentication Portal, to support integration with systems such as VPNs that use this protocol.


Installation

The idenprotect Radius Server is installed via RPM, as described in Installing with an RPM.

For the idenprotect Radius Server the package name is idenprotect-radius (e.g. idenprotect-radius-3.11-21b.el7.noarch.rpm).

The RPM installs FreeRADIUS and configures it with the defaults required for it to work with idenprotect, so no further configuration should be needed if the idenprotect Core Server is still using its default settings.


Configuration

It is highly recommended that a backup copy of any configuration file is taken before any changes are made.

The Radius Server needs to be restarted for new settings to take effect.


Port Number

By default the Radius server runs on the standard RADIUS port, 1812.

This can be changed by editing /etc/services and changing the entries for Radius and Radius Accounting, e.g.:

radius       1645/udp        #Legacy Radius Port


Database

The Radius Server must be able to read data from the idenprotect Database.

The file /etc/raddb/mods-enabled/sql determines the details the Radius Server uses to contact the database. The RPM creates a version of this file with the default values included. If you are using non-default values (e.g. a different database username and password) then this file needs to be amended accordingly.

These values are:

    server    the server hosting the database (default localhost)
    port      the port the database is listening on (default 3306)
    login     the username for the database account
    password  the password for the database account


The idenprotect core server writes one-time credentials to a database table. These credentials are only valid for 1 minute.

This time-to-live is set in the file /etc/raddb/mods-config/sql/main/mysql/queries.conf. It can be changed by editing the authorize_check_query, e.g. to change it to 5 minutes:

authorize_check_query = "\
       SELECT ID, USERNAME, ATTRIBUTE, VALUE, OP \
       FROM ${authcheck_table} \
       WHERE USERNAME = '%{SQL-User-Name}' \
       AND TIME >= CURRENT_TIMESTAMP() - INTERVAL 5 MINUTE \
       ORDER BY ID"


Or to make it one hour:

authorize_check_query = "\
       SELECT ID, USERNAME, ATTRIBUTE, VALUE, OP \
       FROM ${authcheck_table} \
       WHERE USERNAME = '%{SQL-User-Name}' \
       AND TIME >= CURRENT_TIMESTAMP() - INTERVAL 1 HOUR \
       ORDER BY ID"
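Because the INTERVAL in authorize_check_query is the only thing that expires a one-time credential, it is worth verifying the window after editing. The following Python check is an added example, not part of the original page or the idenprotect product: it reads authorize_check_query from a copy of queries.conf, reports the configured time-to-live in seconds and flags it when it exceeds a policy limit. The sample configuration text and the 5-minute limit are constructed for the example.

```python
import re

# Constructed sample of the authorize_check_query stanza as it appears in
# /etc/raddb/mods-config/sql/main/mysql/queries.conf (the 5-minute variant).
SAMPLE_QUERIES_CONF = r'''
authorize_check_query = "\
       SELECT ID, USERNAME, ATTRIBUTE, VALUE, OP \
       FROM ${authcheck_table} \
       WHERE USERNAME = '%{SQL-User-Name}' \
       AND TIME >= CURRENT_TIMESTAMP() - INTERVAL 5 MINUTE \
       ORDER BY ID"
'''

UNIT_SECONDS = {"SECOND": 1, "MINUTE": 60, "HOUR": 3600, "DAY": 86400}


def read_query(conf_text, name="authorize_check_query"):
    """Return the value of a FreeRADIUS-style 'name = "..."' setting, joining
    backslash-newline continuations the way the config parser does."""
    joined = re.sub(r"\\\r?\n", "", conf_text)  # drop line-continuation backslashes
    m = re.search(r'^\s*' + re.escape(name) + r'\s*=\s*"(.*?)"', joined, re.M | re.S)
    if not m:
        raise ValueError(f"{name} not found")
    return " ".join(m.group(1).split())  # normalise whitespace for easy inspection


def credential_ttl_seconds(query):
    """Extract the time-to-live window from the 'INTERVAL n UNIT' clause."""
    m = re.search(r"INTERVAL\s+(\d+)\s+(SECOND|MINUTE|HOUR|DAY)\b", query, re.I)
    if not m:
        raise ValueError("no INTERVAL clause: one-time credentials would never expire")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2).upper()]


def check_ttl(conf_text, max_seconds=300):
    """Return (ttl_seconds, ok). ok is False when the window is wider than the
    policy limit, i.e. a one-time credential stays usable longer than intended."""
    ttl = credential_ttl_seconds(read_query(conf_text))
    return ttl, ttl <= max_seconds


if __name__ == "__main__":
    ttl, ok = check_ttl(SAMPLE_QUERIES_CONF)
    print(f"one-time credential TTL: {ttl}s ({'within policy' if ok else 'exceeds policy'})")
```

To check the live file, pass the contents of queries.conf to check_ttl in place of the constructed sample.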


Starting Radius Server

The Radius server is configured to start automatically on boot.

It can also be started and stopped with systemctl, using the service name radiusd:

systemctl stop radiusd
systemctl start radiusd

For troubleshooting it may be useful to run the Radius Server in debug mode, which can be done by:

systemctl stop radiusd
radiusd -X