networkradius.com/doc/FreeRAD…
# Chapter Two - How RADIUS works
AAA stands for "Authentication, Authorization, and Accounting". It defines an architecture that authenticates users, grants them authorization, and accounts for their activity.
Authentication refers to the process of validating the identity of the user by matching the credentials supplied by the user (for example, name and password) to those configured on the AAA server. If the credentials match, the user is authenticated and gains access to the network. If the credentials do not match, authentication fails, and network access is denied.
Authorization refers to the process of determining what permissions are granted to the user. For example, the user may or may not be permitted certain kinds of network access or allowed to issue certain commands.
The NAS sends a "request" - a packet of information about the user - and the RADIUS server grants or denies access based on the information in that request combined with its own configuration (the users file, a database, or an LDAP directory). The server sees only what the NAS puts in the request; it has no other view of the user.
For example, the NAS may send the RADIUS server a "request" containing the following user information:
"user name is Bob" "password is Hello" "ip address is 192.0.2.34"
Once the server receives the request, it uses that information to figure out what properties the user should have. The server then sends a reply to the NAS. The reply contains a series of statements about the properties the user should have:
"user name is Bob" "ip address is 192.0.2.78"
Accounting refers to the recording of resources a user consumes during the time they are on the network. The information gathered can include the amount of system time used, the amount of data sent, or the quantity of data received by the user during a session.
During a network session, the NAS periodically sends an accounting of user activity to the server. This accounting is a summary, rather than a complete copy of all traffic. This data is used for billing purposes.
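The request/reply exchange above and the accounting summaries described here are carried in the same packet format. The block below is an added example, not code from the page or from the FreeRADIUS project: it frames an Access-Request with the password hidden under the shared secret (RFC 2865), lets a minimal "server" half answer with an Access-Accept or Access-Reject carrying a Response Authenticator, has the NAS verify that authenticator, and then builds and checks an Accounting-Request (RFC 2866). The secret, the users-file stand-in, the session ID and the 192.0.2.x addresses are constructed for the example; only "Bob", "Hello" and 192.0.2.78 come from the page.

```python
"""RADIUS framing for the Access exchange (RFC 2865) and accounting (RFC 2866).
Both sides hold one shared secret; it hides the password and authenticates
every reply and every Accounting-Request. Example code, not FreeRADIUS's own."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
# Attribute type numbers from the standard RADIUS dictionary
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS = 1, 2, 8
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_START = 40, 44, 1
# Constructed stand-in for the server's users file: name -> (password, assigned IP)
SERVER_USERS = {"Bob": ("Hello", "192.0.2.78")}

def attr(atype, value):
    """One Type-Length-Value attribute; Length counts the two header bytes."""
    if isinstance(value, str):
        value = value.encode()
    elif isinstance(value, int):
        value = struct.pack("!I", value)
    if len(value) > 253:
        raise ValueError("value does not fit in one attribute")
    return bytes([atype, len(value) + 2]) + value

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value_bytes), ...])."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = [], 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", request_auth  # the first "previous block" is the Request Authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(pw[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()

def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) over the reply."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def accounting_authenticator(ident, attrs, secret):
    """RFC 2866: same hash over the request, with the authenticator field zeroed."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return hashlib.md5(header + bytes(16) + body + secret).digest()

def access_exchange(secret, user, password, hint_ip, ident=7):
    """NAS builds the Access-Request; the server half decides and signs its reply."""
    req_auth = os.urandom(16)  # must be fresh and unpredictable per request
    request = build_packet(ACCESS_REQUEST, ident, req_auth, [
        attr(USER_NAME, user),
        attr(USER_PASSWORD, hide_password(password, secret, req_auth)),
        attr(FRAMED_IP_ADDRESS, socket.inet_aton(hint_ip))])
    # Server side: recover the password and compare with the users-file entry.
    _, rid, rauth, rattrs = parse_packet(request)
    got = dict(rattrs)
    entry = SERVER_USERS.get(got[USER_NAME].decode())
    ok = entry is not None and reveal_password(got[USER_PASSWORD], secret, rauth) == entry[0]
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = [attr(USER_NAME, user), attr(FRAMED_IP_ADDRESS, socket.inet_aton(entry[1]))] if ok else []
    auth = response_authenticator(code, rid, rauth, reply_attrs, secret)
    return request, build_packet(code, rid, auth, reply_attrs)

def nas_verify_reply(reply, request, secret):
    """NAS side: recompute the Response Authenticator before acting on the reply."""
    req_auth = parse_packet(request)[2]
    code, ident, auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, ident, req_auth, [attr(t, v) for t, v in attrs], secret)
    return hmac.compare_digest(auth, expected), code, dict(attrs)

def accounting_start(secret, user, session_id, framed_ip, ident=8):
    """Accounting-Request (Start) the NAS sends once the session is up."""
    attrs = [attr(USER_NAME, user), attr(ACCT_STATUS_TYPE, ACCT_START),
             attr(ACCT_SESSION_ID, session_id), attr(FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip))]
    return build_packet(ACCOUNTING_REQUEST, ident, accounting_authenticator(ident, attrs, secret), attrs)

def server_verify_accounting(packet, secret):
    """Server side: reject accounting from anyone who does not hold the secret."""
    code, ident, auth, attrs = parse_packet(packet)
    expected = accounting_authenticator(ident, [attr(t, v) for t, v in attrs], secret)
    return code == ACCOUNTING_REQUEST and hmac.compare_digest(auth, expected)
```

Two things worth noticing when running this: an Access-Reject is authenticated exactly like an Accept, so a NAS that skips the Response Authenticator check can be fed either answer by anyone on the path; and the password hiding is an MD5 keystream keyed by the shared secret and the Request Authenticator, which is why the secret must be long and random and why a NAS must never reuse a Request Authenticator.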
ISPs are a large consumer of accounting data, because each user is billed for every minute of network access.
However, corporations have not, historically, relied on network accounting information gathered by RADIUS because employees were not traditionally billed for network access. As their need for ongoing network monitoring increases, though, so does the need to store and process accounting information.
The accounting summary sent by the NAS to the server does not include detailed information such as web sites visited or even how many bytes were transferred using a particular protocol (SMTP, HTTP, and so forth). That type of detailed information is only available to the NAS, and it does not send that data to the server.
If detailed information about user activity is required, network administrators can obtain it through other protocols such as sFlow or NetFlow. However, those protocols are not integrated into RADIUS systems.
Network administrators often find it difficult to tie the pieces together to get a more comprehensive understanding of user activity.
Auditing refers to the proactive analysis of accounting logs and other data (such as sFlow or NetFlow data). This analysis is a long-term process and is part of ongoing maintenance and monitoring. Auditing provides information about the user’s post-authentication behavior. It can provide insight on when to update local site policy to best match user behavior.
RADIUS is a network protocol, a system that defines rules and conventions for communication between network devices. Like many protocols, RADIUS uses a client-server model. A RADIUS client (also called a Network Access Server, or NAS) sends requests to a RADIUS server. The RADIUS server then processes the request and sends back a response.

Common NAS products include wireless access points such as the Linksys WRT54G and dial-up equipment commonly available from large network manufacturers. Common RADIUS server products include Cisco ACS, Microsoft IAS, Funk (now Juniper) Steel Belted RADIUS, Open Systems Radiator, and FreeRADIUS.

While the RADIUS protocol shares the general concept of client-server communication with many other protocols such as HTTP and SMTP, the specifics of RADIUS communications differ. This section describes the RADIUS system in more detail, including the specific roles of the NAS, the server, and databases such as MySQL and Lightweight Directory Access Protocol (LDAP). See Table 2.1 for a list of RADIUS components and their descriptions.
This chapter describes the FreeRADIUS configuration file structure and the purpose of each configuration file type:
• Core configuration files
• The radiusd.conf file
• File format
• The packet processing sections
• The users file
The /etc/raddb directory contains the configuration files. The main configuration file, radiusd.conf, references the other configuration files. The FreeRADIUS package contains a large number of files, but many of the configuration files are examples; the rest ensure that the server functions correctly out of the box. The list below identifies the most important configuration files.
• radiusd.conf Defines the configuration parameters for the RADIUS server. It includes references to all of the other configuration files.
• clients.conf Defines the RADIUS clients (the NASes) that are allowed to send requests to this server, including their IP addresses and shared secrets. This file is referenced from the radiusd.conf file.
• users The traditional RADIUS configuration file for users. This file format is similar to the format defined in 1993.
• dictionary Defines local attributes for the RADIUS server. This file references the default dictionary files. The default dictionary files include thousands of attribute definitions for over one hundred vendors.
• proxy.conf Defines upstream home servers, including information on IP addresses and shared secrets. It also defines Realms.
• sites-enabled/default This is the default virtual server. This file handles authentication and accounting requests. It contains a configuration designed to work with the largest number of authentication protocols.
• sites-enabled/inner-tunnel This virtual server handles authentication methods that are carried inside of a TLS tunnel, as part of PEAP or EAP-TTLS authentication.
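As an added example of the two files a new deployment touches first (constructed for this page, not taken from the FreeRADIUS distribution), the fragments below show a clients.conf entry that admits one NAS and a users entry that produces the reply shown earlier in this chapter. The NAS address 192.0.2.10, the client name lab-ap and the secret placeholder are assumptions; "Bob", "Hello" and 192.0.2.78 are the page's own values.

```text
# clients.conf: only a NAS listed here, with the matching shared secret, can get
# a reply from this server. The stock file ships a localhost client with the
# secret "testing123"; that entry must be changed or removed before production.
client lab-ap {
    ipaddr    = 192.0.2.10
    secret    = REPLACE-WITH-A-LONG-RANDOM-SECRET
    shortname = lab-ap
    nas_type  = other
}

# users: the first line holds check items that the request must satisfy; the
# indented lines that follow are reply items, returned in the Access-Accept.
Bob     Cleartext-Password := "Hello"
        Framed-IP-Address = 192.0.2.78,
        Reply-Message = "Welcome, %{User-Name}"
```

After restarting the server in debug mode (radiusd -X), the exchange can be driven from the same host with FreeRADIUS's own radtest tool, which takes the user name, password, server address, NAS port number and the shared secret as arguments; the debug output shows the check items being matched and the reply items being added to the Access-Accept.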