This chapter explains how to start using RADIUS with the Netscape Directory Server. It explains the initialization process and the configuration tasks you can perform.
This chapter includes the following sections:
"Initializing RADIUS"
"Configuring RADIUS"
"Advanced Configuration of RADIUS Searches"
"RADIUS Server Statistics"
"Configuring RADIUS to Use PAM"
A setup script, setup_rad, guides you through the initialization process. The setup_rad script performs the following tasks:
Registers the RADIUS console with the Netscape Console by updating the information in the configuration directory
Configures RADIUS for use with the LDAP directory server by updating information in the user directory
You will need to understand and prepare the information you must supply to the setup_rad script. The script prompts you for:
The full name of the machine on which you will run the RADIUS server. The format is hostname.domainName.
The LDAP URL for the configuration directory. This is the URL to the directory that holds the configuration information. It is not necessarily the same as the directory that holds user information. The format of the URL is ldap://hostname.domainName:portNumber/.
The installation directory for the Netscape Directory Server.
The DN of the directory manager for the Netscape Directory Server. The DN you provide must be the same as the one you provided in the setup script for the Netscape Directory Server. This DN has all permissions on the Netscape Directory Server. By default, it is cn=Directory Manager.
The password of the directory manager for Netscape Directory Server.
The name of the administration domain managed by the server.
The LDAP URL for the user directory. If you use the same directory to hold configuration information and user information, this URL is the same as the one you supplied earlier.
The password and DN of the directory manager for the user directory if different from the configuration directory.
The DN of the subtree under which the RADIUS server must perform searches for remote user and NAS authentication.
Make sure that the SUNWdsrad and SUNWdsutl packages are installed. For example, type:
% pkginfo SUNWdsrad SUNWdsutl
This command should return the name and description of the packages. If you need to install the packages, refer to Solaris Extensions Installation Guide.
Make sure that the directory server daemon ns-slapd and the admin server daemon ns-admin are running. For example, type:
% ps -ef | grep ns-
The listing returned by this command should contain the following lines:
root 8371 1 0 16:03:13 ? 0:00 ./ns-admin -d /usr/netscape/server4/admin-serv/config
root 8375 1 0 16:03:42 ? 0:05 ./ns-slapd -f /usr/netscape/server4/slapd-faerie/config/slapd.conf -i /usr/nets
If it doesn't, you must start the ns-slapd daemon, as explained in the Netscape Directory Server Administrator's Guide.
Run the RADIUS setup script, setup_rad. As root, type:
# /opt/SUNWconn/ldap/sbin/setup_rad
Start the Netscape Console.
In the left pane of the Console, browse down the tree to the RADIUS server, and double click on the icon to open the RADIUS console.
In the RADIUS console window, from the Task tab, select Start RADIUS Server.
There are two ways to configure RADIUS:
From the RADIUS console
By editing the configuration files radius.mapping and dsradiusd.conf
To start the RADIUS console:
In the left pane of the Console, browse down the tree to the RADIUS server, and double click on the icon to open the RADIUS console. The RADIUS console is displayed.
Information on how to perform advanced configuration tasks from the RADIUS console is provided with each task description in this chapter.
Editing RADIUS Configuration Files
The RADIUS configuration is stored in the following files:
/etc/opt/SUNWconn/ldap/current/mapping/radius.mapping
/etc/opt/SUNWconn/ldap/current/dsradiusd.conf
radius.mapping File
The following configuration parameters are defined in the radius.mapping file:
Max_allowed_failures This parameter determines blocking mode. It defines the number of permitted consecutive failures to authenticate a user based on the password provided. Any further attempt is systematically blocked, even if the connection parameters supplied are correct. The count is reset on first success. The default value for this parameter is 4. To disable blocking mode, set this parameter to 0. When a user account is blocked, you must manually enable it again by setting the authFailedAccess attribute in the remote user's entry to zero.
Dynamic This parameter determines whether dynamic accounting data is recorded in the LDAP directory (see "Configuring Dynamic Accounting"). It can have one of two values, on or off. By default, dynamic accounting is off.
Authentication_Port The authentication port number for RADIUS processes. The default port number is 1645. Due to later standardization, the standard port number is 1812. This port number is defined in the radius.mapping file but is commented out.
Accounting_Port The accounting port number for RADIUS processes. The default port number is 1646. Due to later standardization, the standard port number is 1813. This port number is defined in the radius.mapping file but is commented out.
Acounting_dir The directory where accounting information is stored. The default directory is /var/opt/SUNWconn/ldap/radacct. Note that there is a typographical error in this variable in the radius.mapping file. Do not correct it because the RADIUS server would be unable to read it.
Max_wait_b4_reject This parameter defines a client timeout on a RADIUS request. It determines the maximum time a client will wait for a response from the RADIUS server. By default it is 58 seconds.
Time_limit This parameter defines a RADIUS server timeout on LDAP search operations. It must be strictly less than the value of the Max_wait_b4_reject parameter. By default it is 50 seconds.
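Blocking mode as described for Max_allowed_failures, as an added illustration in Python (not the product's code): the consecutive failure count kept in the entry's authFailedAccess attribute is incremented on each failed password check, reset on the first success, and, once it reaches Max_allowed_failures, every further attempt is refused even with the correct password until an administrator sets the attribute back to zero. The in-memory entry store and the plaintext password comparison are assumptions made for the example.

```python
"""Added illustration of the Max_allowed_failures blocking mode; not dsradiusd code."""
import hmac
from typing import Dict, List, Tuple

# Default from radius.mapping; 0 disables blocking mode.
MAX_ALLOWED_FAILURES = 4


def authenticate(directory: Dict[str, Dict[str, object]], uid: str, password: str,
                 max_allowed_failures: int = MAX_ALLOWED_FAILURES) -> Tuple[bool, str]:
    """Return (accepted, reason), following the rules given for the parameter:
    - once the consecutive failure count reaches the limit, every further
      request is refused without looking at the password ("blocked");
    - a failed password check increments the count;
    - the first success resets the count to 0;
    - a limit of 0 disables blocking altogether."""
    entry = directory.get(uid)
    if entry is None:
        return False, "unknown user"
    failures = int(entry.get("authFailedAccess", 0))
    if max_allowed_failures > 0 and failures >= max_allowed_failures:
        return False, "blocked"
    # Constant-time comparison.  A real server verifies against the stored
    # userPassword hash; a plaintext value is an assumption of this example.
    stored = str(entry["userPassword"]).encode()
    if hmac.compare_digest(stored, password.encode()):
        entry["authFailedAccess"] = 0
        return True, "ok"
    entry["authFailedAccess"] = failures + 1
    return False, "bad password"


def unblock(directory: Dict[str, Dict[str, object]], uid: str) -> None:
    """Manual re-enable: set authFailedAccess back to zero, as the chapter
    instructs the administrator to do for a blocked account."""
    directory[uid]["authFailedAccess"] = 0


def demo() -> List[str]:
    """Drive one constructed user through lockout and manual reset; returns the
    sequence of reasons so the behaviour can be checked."""
    store = {"fgonzalez": {"userPassword": "correct-horse", "authFailedAccess": 0}}
    reasons = []
    for _ in range(MAX_ALLOWED_FAILURES):
        reasons.append(authenticate(store, "fgonzalez", "wrong")[1])
    # The limit has been reached: the right password is still refused.
    reasons.append(authenticate(store, "fgonzalez", "correct-horse")[1])
    unblock(store, "fgonzalez")
    reasons.append(authenticate(store, "fgonzalez", "correct-horse")[1])
    return reasons


if __name__ == "__main__":
    print(demo())
```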
Whenever you modify the radius.mapping file, you must run the dejasync utility to copy the modifications you made to the Deja.properties file. Your modifications will not be reflected in Deja if you don't use dejasync.
dsradiusd.conf File
The following configuration parameters are defined in dsradiusd.conf:
The hostname for the LDAP server This parameter is stored in the LDAP_Server configuration variable. Its default value is localhost.
The TCP port number that the LDAP server runs on This parameter is stored in the LDAP_Port configuration variable. Its default value is 389.
The DN used to bind to the LDAP directory for performing searches and modifying the LDAP database This parameter is stored in the LDAP_Bind_dn configuration variable. A placeholder value of cn=radiusadmin is provided as an example.
The password used to bind to the LDAP directory for performing searches and modifying the LDAP database This parameter is stored in the LDAP_Password configuration variable. A placeholder value of secret is provided as an example.
The log level This parameter is stored in the LogLevel configuration variable. You can select one of the following log levels:
0 = none
1 = trace
2 = trace and translation
3 = trace, translation, and other debug information
The default is 0.
The number of kilobytes before the log file automatically changes over to the next log file. This parameter is stored in the LogSize configuration variable. Its default value is 1000.
The log directory where dsradius.log is located. This parameter is stored in the LogDir configuration variable.
Advanced Configuration of RADIUS Searches
You can configure RADIUS searches to:
Provide temporary access to a remote user whose entry is not in the subtree normally searched to find users
Associate remote users with a particular NAS, and grant access through that NAS only
Combine the options above to provide temporary access through a specified NAS
Manage remote users connecting from a virtual domain
The subtrees searched by the RADIUS server are specified in the radius.mapping file by the BaseDN variable. The BaseDN variable for remote users is located in the Common section under the USERS table. The BaseDN variable for NAS devices is located in the Common section under the RAS table.
For example, in the Common section of the Users table, the BaseDN is similar to:
BaseDN= o=airius, c=us
The actual value of this attribute is supplied during the setup_rad process.
The object classes and attributes that are used in RADIUS searches are specified in the mapping file by the FILTER variable. The FILTER variable for remote users is located in the Dynamic section under the USERS table. The FILTER variable for NAS devices is located in the Dynamic section under the RAS table.
For example, in the Dynamic section of the USERS table, the FILTER is:
FILTER=(&(Objectclass=remoteUser)(uid=$UserID))
In these examples, the RADIUS server searches for the userid passed in the request from the NAS in the subtree o=airius, c=us among all entries with an object class of remoteUser.
Note. The syntax of filters is described in RFC 2254, The String Representation of LDAP Search Filters.
Providing Temporary Access to Users
The basic configuration for RADIUS searches on remote users is defined in the radius.mapping file, under the USERS table. The variables that define the search criteria are:
BaseDN= search_base
FILTER=(&(Objectclass=remoteUser)(uid=$UserID))
Where:
search_base is the subtree that is searched for entries with the remoteUser object class.
$UserID represents the actual userid passed in the request from the NAS.
Without changing your basic configuration, you can allow temporary access to a remote user whose entry is in a different subtree.
Editing the Mapping File
In the USERS table, add a BaseDN and FILTER token to the configuration with the prefix TMP_, and assign temporary values, using the following format:
TMP_BaseDN = new_search_base
TMP_FILTER = (&(Objectclass=remoteUser)(uid=$UserID)(uid=userid))
where:
new_search_base is the subtree that holds the remoteUser entry for the person to whom you are granting temporary access. If this subtree is stored on a different server, ensure that a referral is defined between the two servers.
userid is the actual userid of the remote user. This ensures that you grant access to that user alone, and not to all the entries with the object class remoteUser in the new search base.
Restart the dsradiusd daemon so that the new configuration file is taken into account. As root, type the following commands:
# /opt/SUNWconn/ldap/sbin/dsradius stop
# /opt/SUNWconn/ldap/sbin/dsradius start
For example, the USERS table could contain:
BaseDN= l=Paris, o=airius, c=us
TMP_BaseDN= l=Madrid, o=airius, c=us
TMP_FILTER=(&(Objectclass=remoteUser)(uid=$UserID)(uid=fgonzalez))
This example assumes that a referral exists between the local directory server and the directory server holding the subtree l=Madrid, o=airius, c=US.
If you want to temporarily extend permission to all remote users within the Airius corporation, you would use the following temporary base DN variable:
TMP_BaseDN= o=airius, c=us
This example assumes that there is a default referral from the server that holds the l=Paris, o=airius, c=us subtree to the server that holds the o=airius, c=us subtree. It also assumes that the o=airius, c=us subtree contains referral entries to all subtrees held on other servers.
Using the RADIUS Console
To perform the same operation from the RADIUS console:
In the RADIUS tree view on the left, select Users, then select the Configuration | Common tab.
Add a TMP_BaseDN variable. Do not remove the current BaseDN variable.
Select the Configuration | Dynamic tab.
Add a TMP_FILTER variable . Do not remove the current FILTER variable.
Select the Tasks tab and click Refresh.
Restricting Access through a Specified NAS
You may want to ensure that remote users always connect to a specific NAS. For example, if you want to control communications costs, you can ensure they connect to the NAS that is geographically closest to them.
The basic configuration for RADIUS searches on NAS devices is defined in the radius.mapping file, under the RAS table. The variables that define the search criteria are:
To restrict access through a NAS, in the USERS table add a BaseDN and FILTER token to the configuration with the suffix _nasname, and assign values for that NAS, using the following format:
BaseDN_nasname= search_base
FILTER_nasname= (&(Objectclass=remoteUser)(uid=$UserID))
where:
search_base is the subtree that holds the directory entries for the remote users to whom you are granting access through the NAS.
nasname is the name of the NAS (value of the cn attribute in the directory entry for the NAS) through which you are granting access.
For information on the order in which these lines are processed during a RADIUS search, refer to "Processing Order for RADIUS Search Parameters".
For example, you would change the radius.mapping file to include:
BaseDN= l=France, o=airius, c=us
BaseDN_ParisNAS= l=Paris, l=France, o=airius, c=us
BaseDN_LyonNAS= l=Lyon, l=France, o=airius, c=us
BaseDN_ToulouseNAS= l=Toulouse, l=France, o=airius, c=us
When the RADIUS server receives a request from ParisNAS, it checks that the remote user belongs to the naming context l=Paris, l=France, o=airius, c=us.
To perform the same operation from the RADIUS console:
In the RADIUS tree view on the left, select NAS, then select the Configuration | Common tab.
Add a BaseDN_nasname variable. Do not remove the current BaseDN variable. nasname is the name of the NAS (value of the cn attribute in the directory entry for the NAS) through which you are granting access.
Add a FILTER_nasname variable. Do not remove the current FILTER variable. nasname is the name of the NAS (value of the cn attribute in the directory entry for the NAS) through which you are granting access.
Combining Temporary Access and NAS Restriction
You can combine temporary access permission and restrict access to a particular NAS by combining the TMP_ prefix and _nasname suffix on the BaseDN or the FILTER tokens.
For example, if you want to grant Felipe Gonzalez from Madrid remote access to the Paris NAS just for the duration of a business trip to Paris, you would modify the radius.mapping file to include the following lines in the Dynamic section of the USERS table:
TMP_FILTER_ParisNAS=(&(Objectclass=remoteUser)(uid=$UserID)(uid=fgonzalez))
In this example, the _nasname suffix is added to the temporary filter rather than to the temporary base DN. The reason is that you may want to grant other people from the Madrid office access through a different NAS from the Paris NAS. In this case, the temporary base DN remains valid, you just need to create the temporary filter with the appropriate _nasname suffix.
Managing Virtual Domains
You can manage remote user connections from users who belong to a virtual domain, that is, a domain that you manage on behalf of another organization.
For example, if ABC corporation decided to use ISP corporation to manage their internet mail service, ABC would be assigned a domain name such as abc.com, and a pool of IP addresses. ISP corporation manages user information, and remote user connections for ABC corporation. When an employee from ABC corporation connects to request remote access, the connection parameters are the user login and the user password.
For example, John Smith logs in with the following parameters:
Login: jsmith@abc.com
Password: secret
To handle such logins, the USERS table in the radius.mapping file contains:
Table: USERS
Common:
BaseDN= o=isp, c=us
Dynamic:
userID=>$myID@$virtualDomainT || $myID
FILTER=(&(Objectclass=remoteUser)(uid=$myID))
In this configuration example, the userID variable accepts two alternative expressions so that it can handle equally well remote users who have a domain name appended to their user ID, and those who do not.
The domain name must be checked during the authentication procedure, therefore the directory entry of John Smith includes these attributes:
uid: jsmith
userPassword: * (protected)
authSuffixName: @abc.com
grpCheckInfo: userPassword, authSuffixName
Processing Order for RADIUS Search Parameters
During a search, the RADIUS server handles the BaseDN and FILTER tokens in the following manner: it first performs an ordinary search, then, if this search fails, it performs a search on temporary tokens.
The ordinary search starts from the most restrictive to the most general:
FILTER_nasname
FILTER
BaseDN_nasname
BaseDN
If the ordinary search fails, the temporary tokens are processed in the same order:
TMP_FILTER_nasname
TMP_FILTER
TMP_BaseDN_nasname
TMP_BaseDN
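The processing order above, and the $UserID substitution from the filter examples earlier in this chapter, as an added Python illustration (not dsradiusd code): given a USERS table and the NAS a request came from, it lists the (base DN, filter) searches in the order the server would try them. The table contents are constructed from the Paris/Madrid examples; the fallback of a missing TMP_ token to its ordinary counterpart, and the RFC 2254 escaping of the userid before it is placed in the filter, are assumptions added here.

```python
"""Added illustration of the BaseDN/FILTER token processing order; not dsradiusd code."""
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed USERS table, modelled on the Paris/Madrid examples in this chapter.
USERS_TABLE: Dict[str, str] = {
    "BaseDN": "l=France, o=airius, c=us",
    "BaseDN_ParisNAS": "l=Paris, l=France, o=airius, c=us",
    "BaseDN_LyonNAS": "l=Lyon, l=France, o=airius, c=us",
    "FILTER": "(&(Objectclass=remoteUser)(uid=$UserID))",
    "TMP_BaseDN": "l=Madrid, o=airius, c=us",
    "TMP_FILTER_ParisNAS": "(&(Objectclass=remoteUser)(uid=$UserID)(uid=fgonzalez))",
}

# RFC 2254 escaping for a value placed inside a filter.  The chapter does not
# say whether dsradiusd escapes $UserID; doing so here is an added safeguard
# so a userid such as "*" cannot widen the filter (assumption of this example).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _first(table: Dict[str, str], names: Sequence[str]) -> Tuple[Optional[str], Optional[str]]:
    """Name and value of the first token in `names` that the table defines."""
    for name in names:
        if name in table:
            return name, table[name]
    return None, None


def search_plan(table: Dict[str, str], nas: str, user_id: str) -> List[Tuple[str, str, str, str]]:
    """Ordered (filter token, base token, base DN, expanded filter) tuples.

    Ordinary search first: FILTER_nasname beats FILTER and BaseDN_nasname
    beats BaseDN.  Only if that search fails are the TMP_ tokens tried, in
    the same order.  A missing TMP_ token falls back to its ordinary
    counterpart, which is what the chapter's example with TMP_BaseDN but no
    TMP_FILTER requires (assumption)."""
    uid = escape_filter_value(user_id)
    plan: List[Tuple[str, str, str, str]] = []
    f_tok, f_val = _first(table, [f"FILTER_{nas}", "FILTER"])
    b_tok, b_val = _first(table, [f"BaseDN_{nas}", "BaseDN"])
    if f_val and b_val:
        plan.append((f_tok, b_tok, b_val, f_val.replace("$UserID", uid)))
    tmp_filters = [f"TMP_FILTER_{nas}", "TMP_FILTER"]
    tmp_bases = [f"TMP_BaseDN_{nas}", "TMP_BaseDN"]
    if any(name in table for name in tmp_filters + tmp_bases):
        f_tok, f_val = _first(table, tmp_filters + [f"FILTER_{nas}", "FILTER"])
        b_tok, b_val = _first(table, tmp_bases + [f"BaseDN_{nas}", "BaseDN"])
        if f_val and b_val:
            plan.append((f_tok, b_tok, b_val, f_val.replace("$UserID", uid)))
    return plan


if __name__ == "__main__":
    for nas_name in ("ParisNAS", "LyonNAS"):
        for step in search_plan(USERS_TABLE, nas_name, "fgonzalez"):
            print(nas_name, step)
```

The LyonNAS plan shows why the chapter puts the _nasname suffix on TMP_FILTER rather than TMP_BaseDN: with only TMP_BaseDN set, a request through any NAS falls through to the Madrid subtree with the generic filter.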
The RADIUS server uses a dictionary file to convert numerical values used by the protocol to attribute names used in the radius.mapping file and the RADIUS log files. The dictionary file contains RADIUS attribute and numerical value pairs. A number of these attributes are defined in RFC 2138 Remote Authentication Dial In User Service (RADIUS), and RFC 2139 RADIUS Accounting. However, NAS vendors have also defined proprietary attributes, referred to as vendor-specific attributes or VSAs.
Do not confuse the RADIUS dictionary file with the RADIUS mapping file which provides a translation between RADIUS attributes and LDAP attributes. For information on the RADIUS mapping file, refer to Chapter 4, "RADIUS/LDAP Information Mapping."
Solaris Extensions for Netscape Directory Server 4.11 provide a default dictionary that contains the standard attribute and value definitions. It also accepts the dictionaries from the following vendors:
Livingston
Ascend
Cisco
Shiva
Bay Networks
The RADIUS server can support any number of dictionary files from different vendors, but you must specify which dictionary to use with a particular NAS.
To specify a dictionary file for a NAS, use the Deja tool to add the dictionaryFile attribute to the directory entry for the NAS. The value you assign to this attribute must be the filename of the dictionary that the RADIUS server must use for communications with the NAS described by the entry.
If the dictionaryFile attribute is not specified, the default dictionary file is used. This file, called dictionary, is located with all other configuration files under /etc/opt/SUNWconn/ldap/current.
Note. If you use the dictionary provided by the NAS vendor instead of the default dictionary provided with Solaris Extensions for Netscape Directory Server 4.11, you must copy the attributes used internally by the RADIUS server from the default dictionary to the vendor-supplied dictionary. The list of attributes that you must copy is shown in the following file extract.
Table 2.1 RADIUS Server Internal Attributes
# Non-Protocol Attributes
# These attributes are used internally by the server
#
ATTRIBUTE Expiration 21 date
ATTRIBUTE Auth-Type 1000 integer
ATTRIBUTE Menu 1001 string
ATTRIBUTE Termination-Menu 1002 string
ATTRIBUTE Prefix 1003 string
ATTRIBUTE Suffix 1004 string
ATTRIBUTE Group 1005 string
ATTRIBUTE Crypt-Password 1006 string
ATTRIBUTE Connect-Rate 1007 integer
#
# SUN RADIUS Attributes for LDAP Integration
#
ATTRIBUTE Login-Profile 2000 integer
ATTRIBUTE Login-Passwd 2001 string
ATTRIBUTE Login-Expiration 2002 date
ATTRIBUTE PPP-Profile 2010 integer
ATTRIBUTE PPP-Passwd 2011 string
ATTRIBUTE PPP-Expiration 2012 date
ATTRIBUTE SLIP-Profile 2020 integer
ATTRIBUTE SLIP-Passwd 2021 string
ATTRIBUTE SLIP-Expiration 2022 date
ATTRIBUTE Auth-Failed-Access 2100 integer
ATTRIBUTE Dynamic-Session-Counter 2201 integer
ATTRIBUTE Dynamic-SessionId 2202 string
ATTRIBUTE Dynamic-IPAddress 2203 ipaddr
ATTRIBUTE Dynamic-IPAddr-Binding 2204 string
ATTRIBUTE PAM-Service-Name 2205 string
Configuring Dynamic Accounting
You can use the RADIUS server to record connection parameters dynamically in the directory entry of a remote user. To enable dynamic accounting, in the RADIUS Console, set the Dynamic Data option to On.
With dynamic accounting enabled, the following attributes are automatically added to a remote user's entry when the user connects, and removed when the user disconnects:
Dynamic IP address: The IP address assigned to the remote user connection
Dynamic session ID: The accounting session ID assigned to a remote user for a given session
Dynamic session counter: The number of concurrent open sessions
Dynamic IP address binding: The association between the IP address and the accounting session ID for a given session
All other RADIUS attributes listed in the accounting file
A default accounting file is provided with Solaris Extensions for Netscape Directory Server 4.11, called acctattr. You can, if you want, create your own dynamic accounting file. The only requirement is that the file name should end with the attr suffix.
You must make sure that the NAS can provide the accounting parameters listed in the accounting file. This file should be located with other configuration files in /etc/opt/SUNWconn/ldap/current.
The dynamic accounting parameters listed in the default acctattr file are RADIUS attributes that can be contained in RADIUS accounting packets. The corresponding LDAP attributes are shown in Table 4.1.
The default acctattr file contains examples of suitable RADIUS attributes commented out. These are:
Framed-IP-Address
Acct-Session-Id
NAS-Port
NAS-Port-Type
NAS-IP-Address
At least one NAS can provide these items in an accounting packet.
Make sure that there is an LDAP attribute for each RADIUS parameter that you want to record. If there isn't, you must create the corresponding LDAP attribute, as explained in "Creating a Dynamic Accounting Attribute".
Make sure that the mapping between the RADIUS attribute and the LDAP attribute is defined in the radius.mapping file. If it isn't, you must create it as described in "Creating a Dynamic Accounting Attribute".
Creating a Dynamic Accounting Attribute
To create a dynamic accounting attribute, and the RADIUS/LDAP mapping definition:
Create an LDAP attribute for the connection parameter that you want to record. This is a modification of the Netscape Directory Server schema. For information on how to create new attributes in the directory server schema, refer to the Netscape Directory Server Administrator's Guide.
Add the attribute to the list in the radius.mapping file using a text editor. Make sure you add it in both the Import section and the Export section of the mapping file. You need to be logged in as root to perform this operation. Alternatively, you can add the attribute from the RADIUS console: in the RADIUS tree view on the left, select Users, then select the Configuration | Import tab. Add the attribute in the Import section of the radius.mapping file. Then select the Configuration | Export tab to add the attribute to the Export section.
Add the attribute to the list in the accounting file using a text editor. You need to be logged in as root to perform this operation. Alternatively, you can add the attribute from the RADIUS console: In the RADIUS tree view on the left, select Users, then select the Configuration | Accounting tab. Select the accounting file that you want to modify and click Load.
Restart the ns-slapd daemon so that the new accounting attribute created in the schema is taken into account and can be recorded dynamically in remote user entries.
Restart the dsradiusd daemon so that the new radius.mapping file is taken into account. To do this from the RADIUS console, from the Tasks tab, select Refresh.
To specify an accounting file for a NAS, use the Deja tool to add the acctattrFile attribute to the directory entry for the NAS. The value you assign to this attribute must be the filename of the dynamic accounting attribute file that the RADIUS server uses to record the dynamic accounting information received from the NAS.
If the acctattrFile attribute is not specified, the default acctattr file is used. This file is located with all other configuration files under /etc/opt/SUNWconn/ldap/current.
ACLs on RADIUS Information
RADIUS information in the LDAP directory is protected by a special ACI. The instruction specifies a filter for the RADIUS object classes, the list of RADIUS attributes to which the instruction applies, a name for the instruction, the permission level, and the LDAP URL used by the RADIUS server to perform searches and modifications in the LDAP directory.
The default ACI on RADIUS information is shown below.
# SUN Radius Attribute Control Item
#
aci:
(targetfilter="(|(objectclass=nas)(objectclass=remoteUser))")
(targetattr="*")
(version 3.0;aci "Radius User permissions"; allow(all) userdn="ldap:///cn=radiusAdmin,o=sun.com";)
Note. The default ACI gives the RADIUS administrator all permissions on all attributes (targetattr="*"). You can, if you want, restrict the attributes which the RADIUS administrator can access by listing them in the ACI. If you modify the default ACI, make sure that your list of attributes contains at least the userPassword attribute.
RADIUS Server Statistics
Information Collected
The information collected by the dsnmprad SNMP agent is defined in RFC 2619 RADIUS Authentication Server MIB and RFC 2621 RADIUS Accounting Server MIB.
The following RADIUS authentication service information is monitored:
Server identifier
Uptime
Reset time
Configuration reset
Total access requests
Total invalid requests
Total duplicate access requests
Total access accepts
Total access rejects
Total access challenges
Total malformed access requests
Total bad authenticators
Total packets dropped
Total unknown type
Client entry (contains authentication information monitored for every NAS connected to the server):
Client Index
Client Address
Client ID
Access requests
Duplicate access requests
Access accepts
Access rejects
Access challenges
Malformed access requests
Bad authenticators
Packets dropped
Unknown type
The following RADIUS accounting service information is monitored:
NAS identifier
Uptime
Reset time
Configuration reset
Total requests
Total invalid requests
Total duplicate requests
Total responses
Total malformed requests
Total bad authenticators
Total packets dropped
Total no record
Total unknown type
Client entry (contains accounting information monitored for every NAS connected to the server):
Client Index
Client Address
Client ID
Packets dropped
Requests
Duplicate requests
Responses
Bad authenticators
Malformed requests
No record
Unknown type
You cannot display RADIUS server statistics in the RADIUS console. You need a management application such as Solstice Enterprise Manager, Solstice Domain Manager, or Solstice Site Manager. The files required to interoperate with these management applications are provided with Solaris Extensions for Netscape Directory Server 4.11:
The directory /opt/SUNWconn/ldap/snmp/snm contains all files necessary for dsnmprad to report events to a Solstice Domain Manager or Solstice Site Manager station.
The directory /opt/SUNWconn/ldap/snmp/sem contains all files necessary for dsnmprad to report events to a Solstice Enterprise Manager station.
Configuring RADIUS to Use PAM
To configure RADIUS to use PAM:
Change directory to the /opt/SUNWconn/ldap/samples/pam directory.
Make the PAM module by typing make in this directory. Ignore the warning messages displayed at the end of the make process.
Copy the PAM module pam_sample.so.1 to /usr/lib/security/ and make sure it is owned by root.
In the RADIUS console, go to the main configuration panel and enable the use of PAM: check the PAM enabled checkbox, and specify a challenge response timeout in the Challenge/Resp Timeout field. A reasonable value is 60. Alternatively, you can edit the radius.mapping file in the directory /etc/opt/SUNWconn/ldap/current/mapping/ to add the following lines to the Common section:
Pam_Authentication=on
Challenge_Response_Timeout=60
Modify the /etc/pam.conf configuration file to include the following lines:
# Radius
radius auth required /usr/lib/security/pam_sample.so.1
radius account required /usr/lib/security/pam_sample.so.1
radius session required /usr/lib/security/pam_sample.so.1
radius password required /usr/lib/security/pam_sample.so.1
Modify the entries of remote users in the directory to include the following attributes and values:
pamServiceName: radius
grpCheckInfo: pamServiceName
The pamServiceName attribute specifies the name of the PAM module to use in /etc/pam.conf. The grpCheckInfo attribute usually also contains the userPassword attribute. If you remove userPassword, then only PAM authentication is used.