client.texi

gnu 的radius服务器很好用的

@c This is part of the Radius manual.
@c Copyright (C) 1999,2000,2001,2002,2003,2004 Free Software Foundation, Inc.
@c Written by Sergey Poznyakoff
@c See file radius.texi for copying conditions.
@comment *******************************************************************
@node Client Package, , Utility Programs, Top
@chapter Client Package
@cindex Client Package

Beside the Radius server and accompanying utilities, GNU Radius provides
a set of utilities to be used as Radius clients.

The following sections describe in detail the parts of the Radius client
package.

@menu
* client.conf::   Configuration file is common for all client utilities.
* radtest::       Radius client shell.
* radsession::    Send arbitrary requests to Radius server.
* nas.scm::       A @NAS{} implementation for GNU/Linux machines.
* pam_radius.so:: A PAM module for authentication via Radius.
@end menu

@comment *L2****************************************************************
@node client.conf
@section Client Configuration
@cindex Client Configuration
@cindex @file{client.conf}
@cindex @file{raddb/client.conf}

All programs from the client package share the same configuration file:
@file{raddb/client.conf}. The file uses simple line-oriented syntax.
Empty lines are ignored; the command @samp{#} introduces an end-of-line comment.

The source IP is introduced with the @code{source_ip} statement. Its
syntax is:

@smallexample
source_ip @var{ip-addr}
@end smallexample

@noindent
where @var{ip-addr} must be the IP in dotted-quad notation.

The Radius server to send the requests to is introduced with
@code{server} statement:

@smallexample
server @var{name} @var{ip-addr} @var{secret} @var{auth-port} @var{acct-port}
@end smallexample
@noindent

Its parts are:

@table @var
@item name
The server name. It is reserved for further use.
@item ip-addr
The server IP.
@item secret
The shared secret to be used when sending requests to this server.
@item auth-port
The authentication port number.
@item acct-port
The accounting port number.
@end table

If several @code{server} statement are present, they are tried in
turn until one of them replies to the request.

The amount of time a client program waits for the reply from a
server is configured using the @code{timeout} statement:

@smallexample
timeout @var{number}
@end smallexample
@noindent

If the program does not receive any response within @var{number} seconds,
it assumes the server does not respond and either retries the
transmission or tries the next available server. The number of retries is
set with the @code{retry} statement:

@smallexample
retry @var{number}
@end smallexample

The example @file{raddb/client.conf} follows:

@exindex @file{client.conf}
@smallexample
@group
server first 10.11.10.1 secret 1645 1646
server second 10.11.10.1 secret 1645 1646
source_ip 127.0.0.1
timeout 3
retry 5
@end group
@end smallexample

@comment *L2****************************************************************
@include radtest.texi

@comment *L2****************************************************************
@node radsession
@section radsession
@pindex radsession

@command{radsession} is a Guile script that sends authentication and
accounting requests to the Radius server. To invoke the script, run

@smallexample
radsession @var{options} @var{action}
@end smallexample

Possible actions are:

@table @option
@item --auth
Send authentication request.
@item --start
Send accounting start request.
@item --stop
Send accounting stop request.
@end table

Options determine the contents of the request's pairlist. They are:

@table @option
@item -l STRING
@itemx --login STRING
Set login name. 
@item -p STRING
@itemx --passwd STRING
Set password.
@item -n IP
@itemx --nas IP
Set the value of @attr{NAS-IP-Address} attribute.
@item -s STRING
@itemx --sid STRING
Set the session @sc{id} (@attr{Acct-Session-Id} attribute).
@item -P NUMBER
@itemx --port NUMBER
Set the port number (@attr{NAS-Port-Id} attribute).
@item -h
@itemx --help
Print a short usage message and exit.
@item -v
@itemx --verbose
Verbosely list the contents of the received reply.
@end table

@comment *L2****************************************************************
@node nas.scm
@section @command{nas.scm}
@pindex nas.scm

@command{nas.scm} is a Guile program that allows one to convert a GNU/Linux
box into a @NAS{}. It requires Guile version 1.4 or better and PPP
version 2.3.7 or better.

To use it, you will basically need to do the following:

@enumerate 1
@item Create links:

@smallexample
@group
ln -s @var{libexec}/nas.scm /etc/ppp/ip-up
ln -s @var{libexec}/nas.scm /etc/ppp/ip-down
@end group
@end smallexample
@noindent

Here, @var{libexec} denotes the location of your libexec directory,
where @command{nas.scm} is installed. If not overridden at configure
time, it defaults to @samp{@var{prefix}/libexec}. These links assure
that @command{ppp} will invoke @command{nas.scm} when the user's session
starts and ends, thus giving it a possibility to send accounting
requests.
@item Configure the file @file{raddb/client.conf}.
@item Edit the file @file{raddb/nas.rc}. The supplied @file{nas.rc} template
is tailored to work in most environments. The only variables you may
need to change are @code{nas-log-facility}, specifying the syslog
facility to be used for logging, and @code{pppd-args}, keeping the
arguments to be given to @command{ppp}. 
@item Configure your @file{/etc/inittab} and @command{getty}.

For example, if you use @command{mgetty}, then the @file{inittab}
entries for dial-up lines will look like:

@smallexample
@group
d0:345:respawn:/sbin/mgetty ttyS0 vt100
d1:345:respawn:/sbin/mgetty ttyS1 vt100
...
@end group
@end smallexample
@noindent

@command{mgetty}'s @file{login.config} will then contain the following line:

@smallexample
*       -       -       /usr/local/libexec/nas.scm @@
@end smallexample

If you use @command{agetty}, then the @file{inittab} will contain
(with the long lines split for readability)

@smallexample
@group
d0:345:respawn:/sbin/agetty -mt60 \
   -l /usr/local/libexec/nas.scm 38400,19200,9600 \
   ttyS0 vt100
d1:345:respawn:/sbin/agetty -mt60 \
   -l /usr/local/libexec/nas.scm 38400,19200,9600 \
   ttyS1 vt100
...
@end group
@end smallexample
@noindent

@end enumerate

@comment *L2****************************************************************
@node pam_radius.so
@section @command{pam_radius.so}
@pindex pam_radius.so

@command{pam_radius.so} is a @acronym{PAM} module for Radius
authentication. The module understands the following command line options:

@table @option
@item audit
Enable audit information.

@item debug[=@var{level}]
Enable debugging information. The higher @var{level} is, the more
debugging info is output. When omitted, @var{level} defaults to
100. 

Debugging levels equal to or greater than
10 compromise users' passwords, so use them sparingly.

@item use_authtok
Use the authentication token passed from the previous module in the stack.

@item confdir=@var{path}
Look for configuration files in @var{path}. The default is
@file{$sysconfdir/etc/raddb}.

@item attr:
This keyword marks the end of command line options. The part of the command
line after it is parsed as a whitespace-separated list of @AVP{}s
to be sent with the request.

@item service_type=@var{type}
This option is retained for compatibility with the 0.96 series of GNU
Radius. It is equivalent to

@smallexample
        attr: Service-Type=@var{type}
@end smallexample        
@end table

The @command{pam_radius.so} module logs its messages under @code{LOG_AUTH}
syslog facility.