Chapter 10: Managing the RADIUS Servers
Authorization and configuration groups
The DEFAULT user record

The record in the Users file that specifies the username as “DEFAULT” deserves special attention. It is used to handle all users whose names do not match the names of any other user records in the Users file. Thus, the DEFAULT record can be set up to demand SafeWord authentication and is sometimes the only user record in the Users file. Most administrators take full advantage of this mechanism to simplify their administrative duties. The sample Users file on page 230 illustrates this type of setup. This arrangement minimizes the need to edit the Users file.
Although the RADIUS Server supports all of the features of the Livingston users file, in practice the Users file in RADIUS Server situations is generally much simpler than the corresponding file used by Livingston RADIUS Servers. This is because the high-performance SafeWord database can better handle user authentication, assigns each user to an appropriate group record, and can supplement the group record attributes with any required user-specific attributes. Therefore, a typical Users file might contain only one “DEFAULT” user record and a small number of group records that are rarely changed.
Configuring the RADIUS proxy

The RADIUS Server can act as a proxy to another RADIUS Server. The authfile supports the increasingly popular “RADIUS proxy forwarding” mechanism.

When present, the authfile defines the relationships between cooperating pairs of RADIUS Servers so that they can use “RADIUS proxy forwarding” to send RADIUS requests and replies to one another. Aladdin’s interpretation of the contents of authfile is a compatible subset of the well-known conventions established by Merit Networks Incorporated and distributed as part of their free enhanced RADIUS Server since Merit introduced RADIUS proxy forwarding to the RADIUS community.
Understanding RADIUS proxy forwarding and the authfile requires prior understanding of the following concepts and definitions:

• Specially formatted usernames

If a username contains an embedded @ sign, then the RADIUS Server will interpret it in two separate portions in support of RADIUS proxy forwarding. Any text to the left of the @ will be interpreted as the SafeWord-compatible user name. Any text to the right of the @ represents what Merit calls a “realm” and, after an authfile lookup, leads to the location of another RADIUS Server, which should know how to proceed further. Thus, if the RADIUS username field contained “Bob@NYC,” then the name of the realm is “NYC.” You can override the default site character by running RADIUS with the argument -r <char>. By default, it is “-r @”.
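The username split and realm lookup described above, as an added example (not code from the RADIUS Server product): the authfile format is not shown on this page, so REALM_TABLE is a constructed stand-in for the realm-to-server relationship an authfile lookup would yield, and the handling of usernames with more than one site character or an unknown realm is an assumed policy.

```python
"""Split a RADIUS username into a SafeWord user name and a proxy realm.

Added example, not part of the RADIUS Server product. REALM_TABLE is a
constructed stand-in for an authfile lookup (the authfile format is not
shown on the page).
"""
from typing import Optional, Tuple

# Constructed stand-in for the authfile: realm -> cooperating RADIUS Server.
REALM_TABLE = {
    "NYC": "radius-nyc.example.net",
    "LON": "radius-lon.example.net",
}


def split_username(username: str, site_char: str = "@") -> Tuple[str, Optional[str]]:
    """Return (user, realm); realm is None when no site character is present.

    site_char mirrors the -r <char> argument (default "@"). The page describes
    a single embedded site character, so a name containing more than one is
    rejected here as malformed (assumption) rather than split at a guessed point.
    """
    if len(site_char) != 1:
        raise ValueError("site character must be a single character")
    count = username.count(site_char)
    if count == 0:
        return username, None
    if count > 1:
        raise ValueError(f"malformed username {username!r}: multiple {site_char!r}")
    user, realm = username.split(site_char)
    if not user or not realm:
        raise ValueError(f"malformed username {username!r}: empty user or realm")
    return user, realm


def route_request(username: str, site_char: str = "@") -> Tuple[str, str]:
    """Decide where a request goes: ("local", user) or ("forward", server).

    A realm absent from the table is rejected rather than authenticated
    locally (assumed policy), so a realm suffix cannot sidestep the authfile.
    """
    user, realm = split_username(username, site_char)
    if realm is None:
        return "local", user
    server = REALM_TABLE.get(realm)
    if server is None:
        raise LookupError(f"realm {realm!r} not present in authfile")
    return "forward", server
```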