Date: Mon, 27 Dec 1999 15:34:12 +0200
From: "Oleg Semyonov" <os@ktpk.dp.ua>
To: <freebsd-questions@freebsd.org>, <freebsd-stable@freebsd.org>, <freebsd-isp@freebsd.org>
Subject: patches for pppd-2.3.10-radius are here
Message-ID: <011801bf506f$16aa1360$0400a8c0@admin.dnepr.com>
[-- Attachment #1 --]
Hi all!

I'm receiving many questions about the pppd patch for RADIUS
support. So, I decided to make it available via ftp. Briefly,
it is a patch to pppd-2.3.10 for using this version with the FreeBSD
system (based on the currently bundled version) plus the optional ability
to use RADIUS authentication and accounting (based on the standard
FreeBSD RADIUS library by John Polstra).
readme.txt                   Dec 24 10:43     1k
README.RADIUS                Dec 24 10:29    10k
libradius.tar.gz             Dec 24 10:19    14k
ppp-2.3.10-radius.diff.gz    Dec 24 10:19    20k
ppp-2.3.10.tar.gz            Sep 17 06:16   766k
Main ftp site is ftp://ftp.energodar.dp.ua/pub/FreeBSD/RADIUS/
Mirror for patches is at ftp://ftp.slashnet.org/users/shonson/
README.RADIUS is attached to the message.
Try it out!
OS (os@altavista.net), ICQ:31256452
[-- Attachment #2 --]
RADIUS support for PPP
Oleg Semyonov <os@altavista.net>
3 November 1999
===============================================================================
1. INTRODUCTION
For a long time pppd has existed in FreeBSD as a patched 2.3.5 version which
has some bugs (e.g. a "*" alone in the allowed address list with no DNS
available leads to a long delay in gethostbyname("*"), which prevents the
login by a timeout hangup, and so on).
I have now almost finished my work on the pppd-2.3.10 patches. They are based
on the pppd-2.3.5 in the FreeBSD 2.2.8 distribution with minor changes for new
pppd features (optional option list in the secrets file, etc.). Furthermore,
I've implemented RADIUS support for authentication and accounting. The support
is based on the standard FreeBSD radius library by John Polstra; it may be
compiled in on request (USE_RADIUS=yes in the Makefile or as a make argument)
with an optional base pppd configuration path (e.g. /etc/ppp or
/etc/ppp-radius), and it includes support for:
  - new RADIUS-oriented pppd options:
      - radius (use RADIUS)
      - radius-conf /path/radius.conf (configuration file for the RADIUS library)
      - radius-only (don't try to authenticate with the secrets or login
        methods if RADIUS returns Access-Reject)
      - radius-noacct (don't send accounting requests)
      - radius-port (device name to port number translation)
  - support for PAP authentication (no CHAP or CALLBACK support, sorry);
  - new script environment variables (CALLED_STATION_ID, CALLING_STATION_ID,
    CONNECT_INFO, PACKETS_SENT, PACKETS_RCVD, and others received from the
    RADIUS server; see the PPPD-Script-Env Vendor-Specific attribute below);
  - ability to specify any number of additional pppd options in the RADIUS
    Access-Accept packet (see the PPPD-Option Vendor-Specific attribute below);
  - supported RADIUS attributes are:
      - in Access-Request:
            User-Name
            User-Password
            NAS-IP-Address (gethostname())
            NAS-Identifier (gethostbyname())
            NAS-Port (from device to port translation)
            NAS-Port-Type (Async only)
            Service-Type (Framed only)
            Framed-Protocol (PPP only)
            Framed-IP-Address
            Framed-Compression (VJ-TCPIP only, no IPX supported)
            Called-Station-Id (from pppd's environment)
            Calling-Station-Id (from pppd's environment, passed by mgetty, e.g.)
            Connect-Info (from pppd's environment, passed by mgetty, e.g.)
            PPPD-Script-Env (pppd script env vars, vendor-specific attribute)
      - in Access-Accept/Reject, also recognised (in addition to those above):
            Framed-IP-Netmask
            Framed-Routing (not used yet)
            Filter-Id (not used yet)
            Framed-MTU
            Reply-Message (only the first message is used)
            Framed-Route (not used yet)
            Class (passed through in accounting requests)
            Session-Timeout
            Idle-Timeout
            PPPD-Option (additional pppd options, vendor-specific attribute)
            PPPD-Script-Env (additional script env vars, vendor-specific
                             attribute)
      - in the Accounting-Request START packet, also passed (in addition to
        those above):
            Acct-Status-Type (Start, Stop)
            Acct-Session-Id (16-character ASCII string)
            Acct-Authentic (RADIUS only)
      - in the Accounting-Request STOP packet, also passed (in addition to
        those above):
            Acct-Input-Octets
            Acct-Output-Octets
            Acct-Input-Packets
            Acct-Output-Packets
            Acct-Session-Time
            Acct-Terminate-Cause (not so good, but something useful)
  - no changes made to the manual pages for pppd, sorry (any volunteers?).
Most of the RADIUS attributes are passed back in accounting requests (e.g. all
script environment variables and the RADIUS-specified additional pppd options).

RADIUS support isn't done as a loadable pppd plugin, as introduced in 2.3.10.
The first reason was that pppd must work (for me) on a 2.2.8 system, which does
not support some features required for dynamic linking (the -E switch for ld,
for example). Secondly, some hooks and global variables required for
implementing all the features listed are missing.

The code at the time of writing this README is lightly tested with Steel-Belted
RADIUS for WinNT and with Cistron radiusd-1.6.1 and seems to work fine for me.
Any feedback is appreciated.
2. INSTALLATION AND CONFIGURATION
If you want to compile it as pppd-2.3.10 without RADIUS support, then
use configure/make/make install as usual. Don't forget to back up FreeBSD's
pppd manuals, because some of the FreeBSD-specific features aren't described in
the original pppd documentation, which I haven't patched (sorry for my English,
but I don't want to write man pages without good language practice :)
All the features described in the FreeBSD pppd man page are present. The
additional script variables CALLED_STATION_ID, CALLING_STATION_ID and
CONNECT_INFO are looked up in pppd's environment and, if found, are placed
unchanged in the child scripts' environment. The latter two variables may be
found, for example, in mgetty's environment as CALLER_ID and CONNECT,
respectively. The variables PACKETS_SENT and PACKETS_RCVD are passed to the
*-down scripts on session termination and may be used for external accounting.
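A *-down script of the kind this paragraph enables, as an added example that is not part of the patch or of FreeBSD: it takes pppd's positional ip-down arguments (interface, tty, speed, local address, remote address, ipparam) and the environment variables named above, and appends one tab-separated record to a log file. The log path /var/log/ppp-acct.log is an assumption. The values of CALLING_STATION_ID and CONNECT_INFO arrive from the modem via mgetty, so the script replaces control characters and tabs in them before writing, and a missing variable is recorded as '-' rather than aborting the script and losing the rest of the record.

```python
#!/usr/bin/env python3
"""Example /etc/ppp/ip-down writing one external accounting record per session.

Added example, not part of the pppd patch or the FreeBSD distribution. pppd runs
ip-down with the arguments interface, tty, speed, local IP, remote IP and
ipparam; the patched pppd adds PACKETS_SENT, PACKETS_RCVD and (when the caller
provided them) CALLING_STATION_ID, CALLED_STATION_ID and CONNECT_INFO to the
environment of *-down scripts.
"""
import os
import sys
import time

ACCT_LOG = "/var/log/ppp-acct.log"  # assumed path; choose your own

# Environment variables the patched pppd exports to *-down scripts.
STRING_VARS = ("CALLING_STATION_ID", "CALLED_STATION_ID", "CONNECT_INFO")
COUNTER_VARS = ("PACKETS_SENT", "PACKETS_RCVD")


def clean_field(value):
    """Keep records one line and tab-separated: caller id and connect strings
    come from the modem, so control characters and tabs in them must not be
    able to break or forge a record. Each offending character becomes '?'."""
    return "".join(ch if 32 <= ord(ch) < 127 and ch != "\t" else "?"
                   for ch in value)


def session_record(args, env, when):
    """Build a tab-separated accounting record.

    args: pppd's positional arguments [interface, tty, speed, local, remote, ipparam]
    env:  a mapping of environment variables (os.environ in real use)
    when: UNIX time of termination (seconds)
    Missing arguments or variables become '-'; a counter that is not a decimal
    number is also recorded as '-' so the rest of the record survives.
    """
    args = list(args) + ["-"] * (6 - len(args))
    fields = [time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(when))]
    fields += [clean_field(a) or "-" for a in args[:6]]
    for name in STRING_VARS:
        fields.append(clean_field(env.get(name, "")) or "-")
    for name in COUNTER_VARS:
        raw = env.get(name, "")
        fields.append(raw if raw.isdigit() else "-")
    return "\t".join(fields)


# Constructed sample environment, as the patched pppd would export it.
SAMPLE_ENV = {
    "PACKETS_SENT": "1200",
    "PACKETS_RCVD": "980",
    "CALLING_STATION_ID": "5551234",
    "CONNECT_INFO": "33600/V34",
}


def main():
    record = session_record(sys.argv[1:], os.environ, time.time())
    with open(ACCT_LOG, "a") as fp:
        fp.write(record + "\n")


if __name__ == "__main__":
    main()
```

Install it as /etc/ppp/ip-down (mode 0755) beside any existing ip-down logic, or call session_record from the script you already have; the record order is timestamp, the six pppd arguments, the three station/connect strings, then the two packet counters.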
RADIUS support requires the latest FreeBSD RADIUS client library, libradius,
which supports RADIUS accounting. Currently the library is included in
FreeBSD 4.0-CURRENT, but there are chances that the library updated for
accounting will be placed in 3.3-STABLE soon.

Before compiling, see pppd/Makefile.bsd for the new RADIUS-related options.
RADIUS support was tested on FreeBSD only; the Makefiles for other systems were
not touched. Adjust the settings as you want, or don't forget to specify them on
the make command line. After compiling, use make install as usual.
See the radius.samples/options.radius sample configuration file for the new
options.

radius
        Use RADIUS. Without this option pppd doesn't support RADIUS at all.

radius-conf /path/file
        Use /path/file as the RADIUS library configuration file. Without
        this option the default libradius configuration file will be used
        (/etc/radius.conf, as documented).

radius-only
        If this option is specified, pppd will reject any user for whom
        RADIUS returns Access-Reject. By default pppd will try to use the
        secrets file or the UNIX password database (or PAM, if compiled in)
        in case of RADIUS failure.

radius-noacct
        By default pppd will send accounting requests after an Access-Accept
        is received and on connection termination. Failure to receive the
        Accounting-Response for the START packet leads to rejecting the user
        as in the case of Access-Reject, with possible fallback to other
        authentication methods (see above). With this option no accounting
        packets will be sent.

radius-port dev=port
        This option defines the device name to port number translation.
        dev is the device name (e.g. ttyd5 or /dev/ttyd5; the /dev/ prefix
        is stripped internally). port is the port number for the named
        device. The reserved word 'default' as the device name gives the
        default port number for unspecified devices. The default value for
        the default device is 0. When the radius-port option isn't used at
        all, pppd will try to make up different port numbers for different
        devices, but direct translation is preferred.

debug
        With this option there is a lot of debugging output in the log file.
        Use it for looking into the RADIUS requests/responses and the pppd
        options passed by RADIUS. Very useful for initial setup.
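As an added example (not code from the patch), the following Python implements the device-to-port rules just described for radius-port: it collects radius-port entries from a pppd options file, strips the /dev/ prefix, and falls back to the 'default' entry or to 0 for a device that is not listed. It assumes the option may be given once per device; the options file shown is constructed, not the radius.samples/options.radius shipped with the patch.

```python
"""Device-name to NAS-Port translation following the radius-port option rules.

Added example, not code from the pppd-2.3.10-radius patch. It implements only
the rules the README states: 'radius-port dev=port', a leading /dev/ stripped
from dev, the reserved device name 'default' giving the port for devices that
are not listed, and 0 as the built-in default. Repeating the option once per
device is an assumption.
"""


def strip_dev_prefix(name):
    """pppd strips a leading /dev/, so ttyd5 and /dev/ttyd5 name the same port."""
    return name[len("/dev/"):] if name.startswith("/dev/") else name


def parse_radius_port_options(lines):
    """Collect 'radius-port dev=port' entries from pppd options-file lines.

    Other options and '#' comments are ignored. A malformed radius-port entry
    raises ValueError so that a typo is noticed at startup instead of producing
    a wrong NAS-Port in every authentication and accounting request.
    """
    ports = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] != "radius-port":
            continue
        if len(words) != 2 or "=" not in words[1]:
            raise ValueError("malformed option: %r" % raw)
        dev, port = words[1].split("=", 1)
        if not port.isdigit():
            raise ValueError("port must be a non-negative integer: %r" % raw)
        ports[strip_dev_prefix(dev)] = int(port)
    return ports


def nas_port(ports, device):
    """NAS-Port value to send for 'device' (given as ttyd5 or /dev/ttyd5)."""
    dev = strip_dev_prefix(device)
    if dev in ports:
        return ports[dev]
    return ports.get("default", 0)


# Constructed sample options file: one entry per device plus the reserved
# 'default' entry for everything not listed.
SAMPLE_OPTIONS = """\
radius
radius-conf /etc/radius.conf
radius-port ttyd0=1
radius-port /dev/ttyd1=2        # the /dev/ prefix is stripped
radius-port cuaa0=10
radius-port default=99
""".splitlines()

if __name__ == "__main__":
    table = parse_radius_port_options(SAMPLE_OPTIONS)
    for dev in ("ttyd0", "/dev/ttyd1", "cuaa0", "ttyd7"):
        print("%-12s -> NAS-Port %d" % (dev, nas_port(table, dev)))
```

A stable, explicit mapping is what makes NAS-Port useful on the server side: accounting records for one line keep the same port number across reboots, which is why the README prefers direct translation over the made-up numbers pppd falls back to.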
After successful installation of the binaries and updating the options file,
take a look into the radius.samples/dictionary.pppd file. It defines two
additional Vendor-Specific RADIUS attributes for the RADIUS server. You must
update your RADIUS server configuration in order to support these attributes.
See your RADIUS server manuals for details.

PPPD-Option may be used for specifying additional pppd options in the RADIUS
reply (usually in the Access-Accept packet), e.g. for the local IP address,
ccp control and more. All options passed will be processed after any other
options and may override them. Subsequently, all PPPD-Option strings will be
passed back in RADIUS accounting requests.

PPPD-Script-Env may be used for specifying any external script environment
variables or for changing the value of an already defined one. All script
variables are also passed to RADIUS in accounting requests as PPPD-Script-Env
attributes.

Note that the parsing of these attributes isn't done too well: exactly one
string per Vendor-Specific attribute must exist. If you want more, you are
forced to pass a number of Vendor-Specific attributes with one string per
attribute.
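The attribute handling just described, and the Access-Request/Access-Accept attribute lists in section 1, as an added example that is neither the patch's code nor libradius: it encodes an Access-Accept attribute list with Framed-IP-Address, Session-Timeout, Reply-Message and one PPPD-Option or PPPD-Script-Env string per Vendor-Specific attribute, then parses it back with every length field checked, keeping only the first Reply-Message and collecting the options in the order they will be applied. The vendor id (65535) and the vendor types 1 and 2 are placeholders, since the real numbers live in dictionary.pppd, which is not reproduced on this page; the sample reply is constructed, not captured.

```python
"""Encode and decode the RADIUS attributes the patched pppd exchanges,
including the Vendor-Specific attributes PPPD-Option and PPPD-Script-Env.

Added example, not code from the patch or from libradius. Layout follows
RFC 2865: Type(1) Length(1) Value; for Vendor-Specific (type 26) the value
is Vendor-Id(4) then Vendor-Type(1) Vendor-Length(1) data. The vendor id and
vendor types below are PLACEHOLDERS: the real numbers are defined in the
patch's radius.samples/dictionary.pppd, which is not reproduced here.
"""
import socket
import struct

# RFC 2865 attribute type codes used in the README's attribute lists.
FRAMED_IP_ADDRESS = 8
REPLY_MESSAGE = 18
VENDOR_SPECIFIC = 26
SESSION_TIMEOUT = 27

# Assumed placeholder numbers; take the real ones from dictionary.pppd.
PPPD_VENDOR_ID = 65535
PPPD_OPTION = 1
PPPD_SCRIPT_ENV = 2

MAX_VALUE = 253                     # 255 - Type - Length
MAX_VSA_STRING = MAX_VALUE - 4 - 2  # minus Vendor-Id, Vendor-Type, Vendor-Length


def attr(attr_type, value):
    """One Type/Length/Value attribute."""
    if len(value) > MAX_VALUE:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id, vendor_type, text):
    """One string per Vendor-Specific attribute: the patch's parser accepts
    exactly one string per VSA, so several strings mean several VSAs."""
    data = text.encode("ascii")
    if len(data) > MAX_VSA_STRING:
        raise ValueError("VSA string too long")
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_access_accept_attrs(ip, session_timeout, reply, options, script_env):
    """Attribute list of an Access-Accept as a RADIUS server would send it."""
    out = attr(FRAMED_IP_ADDRESS, socket.inet_aton(ip))
    out += attr(SESSION_TIMEOUT, struct.pack("!I", session_timeout))
    out += attr(REPLY_MESSAGE, reply.encode("ascii"))
    for opt in options:
        out += vsa(PPPD_VENDOR_ID, PPPD_OPTION, opt)
    for name, value in script_env.items():
        out += vsa(PPPD_VENDOR_ID, PPPD_SCRIPT_ENV, "%s=%s" % (name, value))
    return out


def parse_attrs(buf):
    """Yield (type, value); a VSA is yielded as (26, (vendor_id, vendor_type, data)).
    Every length field is checked before use, so a truncated or malformed
    reply raises ValueError instead of being read past its end."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("bad attribute length")
        value = buf[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short Vendor-Specific attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or vlen != len(value) - 4:
                raise ValueError("vendor length does not match attribute")
            yield atype, (vendor_id, vtype, value[6:])
        else:
            yield atype, value
        pos += alen


def apply_reply(buf):
    """What the patched pppd takes from an Access-Accept: the address, the
    session timeout, the first Reply-Message only, the PPPD-Option strings in
    order (they are applied after all other options) and PPPD-Script-Env."""
    result = {"options": [], "script_env": {}}
    for atype, value in parse_attrs(buf):
        if atype == FRAMED_IP_ADDRESS:
            result["ip"] = socket.inet_ntoa(value)
        elif atype == SESSION_TIMEOUT:
            result["session_timeout"] = struct.unpack("!I", value)[0]
        elif atype == REPLY_MESSAGE:
            result.setdefault("reply", value.decode("ascii", "replace"))
        elif atype == VENDOR_SPECIFIC and value[0] == PPPD_VENDOR_ID:
            text = value[2].decode("ascii", "replace")
            if value[1] == PPPD_OPTION:
                result["options"].append(text)
            elif value[1] == PPPD_SCRIPT_ENV:
                name, _, val = text.partition("=")
                result["script_env"][name] = val
    return result


# Constructed sample reply (not a capture): one PPPD-Option per VSA, as required.
SAMPLE_REPLY = build_access_accept_attrs(
    "192.0.2.20", 3600, "Welcome", ["192.0.2.1:", "noccp"], {"ACCT_CLASS": "gold"})

if __name__ == "__main__":
    print(apply_reply(SAMPLE_REPLY))
```

Because PPPD-Option strings are applied after everything in the local options files and can override them, the RADIUS server that emits them is effectively part of the pppd configuration; keep the shared secret in /etc/radius.conf private and review server-side dictionary entries with the same care as the options file itself.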
And now it is time to check your /etc/radius.conf (check for the new syntax
with accounting support) and to configure your RADIUS server for pppd. Use the
debug option the first time: all RADIUS-related info will be logged in detail
and you will see what happens.
3. ACKNOWLEDGEMENTS
Paul Mackerras <Paul.Mackerras@cs.anu.edu.au> is the author of pppd-2.3.10.
peter@freebsd.org is the maintainer of the pppd version used in FreeBSD.
John Polstra <jdp@polstra.com> is the author of the FreeBSD RADIUS library.
Oleg Semyonov <os@altavista.net> is the author of the RADIUS support for pppd.

This is the alpha test version of pppd-2.3.10-radius for FreeBSD. It was
done for my own internal use and seems to work for me. It may be useful
for others, so I want to release it to the public. If you have suggestions,
bug reports or any other info, feel free to contact me. Thank you for
reading this README ;-)
Regards,
Oleg Semyonov <os@altavista.net>
03-Nov-1999.