Chapter 10: Managing the RADIUS Servers
Authorization and configuration groups
222
The DEFAULT user record
The record in the
Users
file that specifies the username as “DEFAULT”
deserves special attention. It is used to handle all users whose names do not
match the names of any other user records in the
Users
file. Thus, the
DEFAULT record can be set up to demand SafeWord authentication and is
sometimes the only user record in the
Users
file. Most administrators take full
advantage of this mechanism to simplify their administrative duties. The
sample
Users
file on page 230 illustrates this type of setup. This arrangement
minimizes the need to edit the
Users
file.
Although the RADIUS Server supports all of the features of the Livingston
users file, in practice the
Users
file in RADIUS Server situations is generally
much simpler than the corresponding file used by Livingston RADIUS Servers.
This is because the high-performance SafeWord database can better handle
user authentication, assigns each user to an appropriate group record, and can
supplement the group record attributes with any required user-specific
attributes. Therefore, a typical
Users
file might contain only one “DEFAULT”
user record and a small number of group records that are rarely changed.
Configuring the RADIUS proxy
The RADIUS Server supports the proxy mechanism to another RADIUS
Server. The
authfile
is used in support of the increasingly popular “RADIUS
proxy forwarding” mechanism.
When present, the
authfile
defines the relationships between cooperating pairs
of RADIUS Servers so that they can use “RADIUS proxy forwarding” to send
RADIUS requests and replies to one another. Aladdin’s interpretation of the
contents of
authfile
is a compatible subset of the well-known conventions
established by Merit Networks Incorporated and has been distributed as a part
of their free enhanced RADIUS Server since they introduced RADIUS proxy
forwarding to the RADIUS community.
Understanding RADIUS proxy forwarding and the
authfile
requires prior
understanding of the following concepts and definitions:
•
Specially formatted usernames
If a username contains an embedded @ sign, then the RADIUS Server will
interpret it in two separate portions in support of RADIUS proxy forwarding.
Any text to the left of the @ will be interpreted as the SafeWord-compatible
user name. Any text to the right of the @ represents what Merit calls a
“realm” and, after an
authfile
lookup, leads to the location of another
RADIUS Server, which should know how to proceed further. Thus, if the
RADIUS username field contained “Bob@NYC,” then the name of the
realm is “NYC.” You can override the default site character by running
RADIUS with the argument
-r <char>
. By default, it is “
-r @
”.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
