Radius Server Configuration
Introduction
The idenprotect RADIUS server is an implementation of the industry-leading FreeRADIUS server.
The Radius server is configured to work with the idenprotect core server and Authentication Portal, to support the integration of systems, such as VPNs, that use this protocol.
Installation
The installation of the idenprotect Radius Server is via RPM as described in Installing with an RPM.
For the idenprotect Radius Server the package name is idenprotect-radius (eg idenprotect-radius-3.11-21b.el7.noarch.rpm).
The RPM installs FreeRADIUS and configures it with the defaults required for it to work with idenprotect, so no further configuration should be required if the idenprotect Core Server is still using its default settings.
Configuration
It is highly recommended that a back-up copy of any configuration file is taken before any changes are made.
The Radius Server needs to be restarted for new settings to take effect.
Port Number
By default the Radius server runs on the standard RADIUS port, 1812.
This can be changed by editing /etc/services and changing the entries for Radius and Radius Accounting, eg:
radius 1645/udp #Legacy Radius Port
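The following shell script is an added example; it is not part of the idenprotect documentation or of FreeRADIUS. It parses an /etc/services-style file (a constructed sample is embedded, and the real /etc/services is read when no file is given) and prints the UDP port assigned to the radius and radius-acct (accounting) entries, the names assumed here for the two entries the text refers to. It also includes a helper that lists the UDP ports a running radiusd is actually bound to, so the edited file and the live service can be compared after a restart.

```shell
#!/bin/sh
# Added example, not part of the idenprotect documentation: resolve the UDP
# port for a service name from a services file and compare it with the ports
# radiusd is listening on.  FreeRADIUS falls back to /etc/services when no
# explicit port is configured, which is why the documentation edits that file.

# sample_services_file: write a constructed sample of the relevant
# /etc/services lines to a temp file and print its path
sample_services_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Network services, Internet style (constructed sample)
radius          1645/udp                # Legacy Radius Port
radius          1645/tcp
radius-acct     1813/udp                # Radius Accounting
radius-acct     1813/tcp
EOF
    echo "$f"
}

# services_port NAME [FILE]: print the UDP port assigned to NAME in FILE
# (default /etc/services); comment lines are skipped, first match wins
services_port() {
    awk -v n="$1" '
        /^[[:space:]]*#/ { next }
        $1 == n && $2 ~ "/udp$" { sub("/udp$", "", $2); print $2; exit }
    ' "${2:-/etc/services}"
}

# listening_ports: UDP ports a running radiusd is bound to (empty if it is
# not running or ss is unavailable); uses the local address column of ss -ulnp
listening_ports() {
    ss -ulnp 2>/dev/null | grep radiusd | grep -oE ':[0-9]+ ' | tr -d ': ' | sort -u
}

# Demonstration on the constructed sample, then on the live system if possible
sample=$(sample_services_file)
echo "radius      -> $(services_port radius "$sample")"
echo "radius-acct -> $(services_port radius-acct "$sample")"
rm -f "$sample"
echo "radiusd is currently bound to: $(listening_ports | tr '\n' ' ')"
```

After changing /etc/services and restarting radiusd, the port printed by services_port for the real file and the port reported by listening_ports should agree; if they do not, the listen sections in the FreeRADIUS site configuration are setting an explicit port.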
Database
The Radius Server must be able to read data from the idenprotect Database.
The file /etc/raddb/mods-enabled/sql determines the details the Radius Server uses to contact the database. The RPM will have created a version of this file with the default values included. If you are using non-default values (eg a different database username and password) then this file needs to be amended accordingly.
These values are:
server - the server hosting the database (default localhost)
port - the port the database is listening on (default 3306)
login - the username for the database account
password - the password for the database account
The idenprotect core server writes one-time credentials to a database table. These credentials are only valid for 1 minute.
This time-to-live is set in the file /etc/raddb/mods-config/sql/main/mysql/queries.conf and can be changed by editing the authorize_check_query, eg to change it to 5 minutes:
authorize_check_query = "\
    SELECT ID, USERNAME, ATTRIBUTE, VALUE, OP \
    FROM ${authcheck_table} \
    WHERE USERNAME = '%{SQL-User-Name}' \
    AND TIME >= CURRENT_TIMESTAMP() - INTERVAL 5 MINUTE \
    ORDER BY ID"
Or to make it one hour:
authorize_check_query = "\
    SELECT ID, USERNAME, ATTRIBUTE, VALUE, OP \
    FROM ${authcheck_table} \
    WHERE USERNAME = '%{SQL-User-Name}' \
    AND TIME >= CURRENT_TIMESTAMP() - INTERVAL 1 HOUR \
    ORDER BY ID"
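The script below is an added example covering both the database settings and the time-to-live described above; it is not part of the idenprotect documentation or of FreeRADIUS. It reads server, port and login from the sql module file, checks that this file (which holds the database password) grants no permissions to other users, and reports the INTERVAL configured in authorize_check_query in minutes, flagging anything above the 1 minute default. The file paths default to those named in the text; the embedded sample files are constructed for the demonstration, and the driver and dialect keys in the sample are standard rlm_sql settings that the text does not mention.

```shell
#!/bin/sh
# Added example, not part of the idenprotect documentation: audit the sql
# module file and queries.conf.  Paths default to the ones the documentation
# names; the sample contents written by sample_files are constructed.

SQL_MOD=${SQL_MOD:-/etc/raddb/mods-enabled/sql}
QUERIES=${QUERIES:-/etc/raddb/mods-config/sql/main/mysql/queries.conf}

# sql_setting KEY FILE: value of the first "KEY = value" line in FILE,
# comment lines skipped and surrounding double quotes removed
sql_setting() {
    awk -v k="$1" '
        /^[[:space:]]*#/ { next }
        $1 == k && $2 == "=" { v = $3; gsub(/"/, "", v); print v; exit }
    ' "$2"
}

# perms_ok FILE: succeed only if FILE has no permission bits for "other"
perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$(( mode % 10 ))" -eq 0 ]
}

# ttl_minutes FILE: the INTERVAL used in authorize_check_query, in minutes
# (MINUTE, HOUR and DAY understood; -1 for other units, empty if not found)
ttl_minutes() {
    awk '
        /authorize_check_query/ { inq = 1 }
        inq && match($0, /INTERVAL[[:space:]]+[0-9]+[[:space:]]+[A-Z]+/) {
            split(substr($0, RSTART, RLENGTH), f, /[[:space:]]+/)
            if (f[3] ~ /^MINUTE/) m = f[2]
            else if (f[3] ~ /^HOUR/) m = f[2] * 60
            else if (f[3] ~ /^DAY/) m = f[2] * 1440
            else m = -1
            print m; exit
        }
    ' "$1"
}

# sample_files: constructed copies of both files in a temp directory (prints path)
sample_files() {
    d=$(mktemp -d)
    cat > "$d/sql" <<'EOF'
sql {
    driver = "rlm_sql_mysql"
    dialect = "mysql"
    server = "localhost"
    port = 3306
    login = "radius"
    password = "example-password"
}
EOF
    cat > "$d/queries.conf" <<'EOF'
authorize_check_query = "\
    SELECT ID, USERNAME, ATTRIBUTE, VALUE, OP \
    FROM ${authcheck_table} \
    WHERE USERNAME = '%{SQL-User-Name}' \
    AND TIME >= CURRENT_TIMESTAMP() - INTERVAL 5 MINUTE \
    ORDER BY ID"
EOF
    chmod 640 "$d/sql"
    echo "$d"
}

# audit SQLFILE QUERIESFILE: print the findings for one pair of files
audit() {
    echo "database: $(sql_setting login "$1")@$(sql_setting server "$1"):$(sql_setting port "$1")"
    if perms_ok "$1"; then
        echo "permissions: ok ($1 is not readable by others)"
    else
        echo "permissions: WARNING $1 is readable by others and contains the database password"
    fi
    ttl=$(ttl_minutes "$2")
    echo "one-time credential TTL: ${ttl:-not found} minute(s)"
    if [ "${ttl:-0}" -gt 1 ]; then
        echo "note: TTL is above the 1 minute default; a one-time credential stays valid that long"
    fi
}

# Run against the real files when readable, otherwise against the samples
if [ -r "$SQL_MOD" ] && [ -r "$QUERIES" ]; then
    audit "$SQL_MOD" "$QUERIES"
else
    d=$(sample_files)
    audit "$d/sql" "$d/queries.conf"
    rm -rf "$d"
fi
```

Run it as the radiusd user or as root on the server; a permissions warning means the database password is exposed to every local account, and a TTL above the default means each one-time credential written by the core server remains accepted for that longer window.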
Starting Radius Server
The Radius server is configured to start automatically on boot.
It can also be started and stopped using systemctl, with the service name radiusd:
systemctl stop radiusd
systemctl start radiusd
For troubleshooting it may be useful to run the Radius Server in debug mode, which can be done by stopping the service and running it in the foreground:
systemctl stop radiusd
radiusd -X