Installing and Operating a RADIUS Server
Whenever access to a resource must be regulated, there must be a regulation mechanism. A RADIUS server is a mechanism for regulating access to a computer network by users (usually customers). It makes sure that they are authorized. Specifically, the public wireless (WiFi) networks I am installing in some McDonalds restaurants include a RADIUS server. Not just anyone can use these networks, only those customers to whom McDonalds has given a password. The RADIUS server checks the passwords entered by the users and grants or denies access as appropriate. It also keeps a record of network usage so that the restaurants’ management can see when and how much their networks are being used.
In this paper, I describe what a RADIUS server does, the steps I followed in setting it up, how I used the server once it was in place, and some projects for making RADIUS useful in a business context.
The service called RADIUS (Remote Access Dial-In User Service) consists of computer user authentication, authorization, and accounting. In this context, here are definitions of these key terms.
Authentication is the process of determining the identity of a user. The most common form of authentication is by user name and password. This is the form used here. Other forms use digital certificates, digital signatures, etc.
Authorization is the process of determining which service(s) a user is permitted to use and to what extent. It requires that the identity of the user be previously established by some authentication process. The authenticated user ID is then authorized by lookup in a file, table, database, or directory service such as LDAP.
Accounting is the process of keeping track of network usage. It records the date and time of the start of each user’s session, its duration and the number of bytes transferred.
The RADIUS Service
In my RADIUS service, authentication and authorization are done by lookup in a MySQL database, and accounting is done by recording usage information there.
The sequence of events in the lifecycle of a RADIUS-mediated WiFi connection is:
- An administrator provides commands to the RADIUS server to cause it to store in its database the name and password of a user.
- A user with a laptop connects wirelessly to the access point and requests something such as a web page, a file transfer from a remote host, a connection to a POP (email) server, etc.
- The access point challenges the laptop user for an ID and a password.
- The access point contacts the RADIUS server across the Internet and asks it to authenticate the user.
- The RADIUS server finds the user and password in its database, bestows its blessing, and logs the start of a new session.
- The access point proceeds to grant the laptop user the services he or she requests.
- When the user session terminates (whether or not by the user’s choice), the access point informs the RADIUS server, which logs the end of the session.
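The database side of this lifecycle (steps 1, 5 and 7 above, together with the usage record that management looks at), as an added example written for this edit rather than code from the paper or from FreeRADIUS. It uses Python's sqlite3 in place of MySQL, a constructed two-table schema that is not FreeRADIUS's own SQL schema, a constructed user and session, and stores a salted PBKDF2 hash instead of the clear password; that is enough for the plain name-and-password check used here, though CHAP would need the clear text.

```python
import hashlib
import hmac
import secrets
import sqlite3
from datetime import datetime

# Constructed, simplified schema for this example; it is NOT the FreeRADIUS SQL module's schema.
SCHEMA = """
CREATE TABLE users (
    username TEXT PRIMARY KEY,
    salt     BLOB NOT NULL,
    pwhash   BLOB NOT NULL);
CREATE TABLE sessions (
    session_id    TEXT PRIMARY KEY,   -- Acct-Session-Id chosen by the access point
    username      TEXT NOT NULL,
    nas_ip        TEXT NOT NULL,
    start_time    TEXT NOT NULL,      -- ISO 8601
    stop_time     TEXT,
    input_octets  INTEGER NOT NULL DEFAULT 0,
    output_octets INTEGER NOT NULL DEFAULT 0);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_user(db, username, password):
    # Step 1: the administrator stores the user. A salted hash suffices for the plain
    # name/password check; CHAP would require the clear text to be stored instead.
    salt = secrets.token_bytes(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, _hash(password, salt)))
    db.commit()

def authenticate(db, username, password):
    # Steps 4-5: look the user up and compare in constant time. An unknown user is still
    # hashed (against a dummy salt) so response timing does not reveal which names exist.
    row = db.execute("SELECT salt, pwhash FROM users WHERE username = ?", (username,)).fetchone()
    salt, expected = row if row else (b"\x00" * 16, b"\x00" * 32)
    ok = hmac.compare_digest(_hash(password, salt), expected)
    return ok and row is not None

def start_session(db, session_id, username, nas_ip, when):
    # Step 5: log the start. A repeated start for the same session (NAS retransmission) is ignored.
    cur = db.execute(
        "INSERT OR IGNORE INTO sessions (session_id, username, nas_ip, start_time) VALUES (?, ?, ?, ?)",
        (session_id, username, nas_ip, when.isoformat()))
    db.commit()
    return cur.rowcount == 1

def stop_session(db, session_id, when, input_octets, output_octets):
    # Step 7: close the session, whether the user disconnected or the access point dropped it.
    cur = db.execute(
        "UPDATE sessions SET stop_time = ?, input_octets = ?, output_octets = ? "
        "WHERE session_id = ? AND stop_time IS NULL",
        (when.isoformat(), input_octets, output_octets, session_id))
    db.commit()
    return cur.rowcount == 1

def usage_report(db):
    # What management sees: per user, completed sessions, total seconds and total bytes.
    report = {}
    for user, start, stop, i, o in db.execute(
            "SELECT username, start_time, stop_time, input_octets, output_octets "
            "FROM sessions WHERE stop_time IS NOT NULL ORDER BY start_time"):
        secs = (datetime.fromisoformat(stop) - datetime.fromisoformat(start)).total_seconds()
        entry = report.setdefault(user, {"sessions": 0, "seconds": 0, "bytes": 0})
        entry["sessions"] += 1
        entry["seconds"] += int(secs)
        entry["bytes"] += i + o
    return report

def demo():
    # Constructed walk-through of the lifecycle: one user, one 25-minute session.
    db = open_db()
    add_user(db, "customer17", "burger-time")
    t0, t1 = datetime(2004, 3, 1, 12, 0, 0), datetime(2004, 3, 1, 12, 25, 0)
    accepted = authenticate(db, "customer17", "burger-time")
    rejected = authenticate(db, "customer17", "wrong")
    unknown = authenticate(db, "nobody", "burger-time")
    started = start_session(db, "sess-0001", "customer17", "192.0.2.10", t0)
    repeat = start_session(db, "sess-0001", "customer17", "192.0.2.10", t0)
    stopped = stop_session(db, "sess-0001", t1, 1_200_000, 350_000)
    return accepted, rejected, unknown, started, repeat, stopped, usage_report(db)

if __name__ == "__main__":
    print(demo())
```

The two return values from `start_session` and `stop_session` matter in practice: an access point that retransmits an accounting packet must not create a second session row, and a stop for a session the server never saw start should be visible in the log rather than silently inserted.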
The RADIUS Protocol
RADIUS (Remote Access Dial-In User Service) is actually a protocol, not a program; an interface, not an implementation. That is, it is the definition of a standardized “conversation” for the purposes described above. One side of the conversation is the server; the other is the client.
There are several implementations of the server side of the RADIUS protocol, including:
- Freeradius (used here)
- GNU Radius
- Cistron Radius
- Radiator Radius
- Microsoft IAS
- Advanced Radius (commercial product with features e.g. VoIP, billing, configuration GUI)
On the client side of the protocol are a variety of devices called network access servers (NAS). A NAS is a piece of equipment that directly accepts users’ connections. For example, in a wireless network the access point (the transmitter/receiver to which the customers connect from their laptops as they eat their burgers) serves as the NAS. In an ISP’s dialup network, the NAS is the switch that connects the receiving modems to the computers providing the dialup services (e.g. e-mail and web browsing).
RADIUS is a standardized protocol. As with other Internet-related protocols, the standard is established by the Internet Engineering Task Force (IETF) and documented in a document termed a Request for Comments (RFC). Specifically, RADIUS is documented in:
- RFC 2138 (obsolete)
- RFC 2865 (the RADIUS authenticating and authorizing protocol)
- RFC 2866 (the RADIUS accounting protocol)
With regard to the RADIUS protocol, these documents are the ultimate authority.
One essential detail of the RADIUS specification is that it uses port 1812. Port numbers are part of the TCP/IP mechanism for connecting clients and servers on the Internet. Unless the default is overridden, the FreeRadius server gets the port number by lookup in the /etc/services file, the standard place in Unix (and Linux, Solaris, etc.) where port numbers are kept.
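What the conversation defined by RFC 2865 and RFC 2866 looks like on the wire, as an added example that is not from the paper or from FreeRADIUS: a minimal Python encoder and decoder for Access-Request, Access-Accept/Reject and Accounting-Request packets, including the User-Password hiding and the Response and Accounting Request Authenticators that bind each message to the shared secret between NAS and server. The shared secret, user name, password and session values are constructed; the code does not open a socket, so the port number is not part of it.

```python
import hashlib
import hmac
import secrets
import struct

# Packet codes (RFC 2865 s3, RFC 2866 s3) and the attribute types used here (RFC 2865 s5, RFC 2866 s5).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST = 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 40, 44, 46
ACCT_START, ACCT_STOP = 1, 2

def encode_attrs(attrs):
    # Attribute = Type(1) Length(1, counting these two octets) Value; integers travel as 4 octets big-endian.
    out = b""
    for atype, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        alen = data[i + 1] if i + 1 < len(data) else 0
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + alen]))
        i += alen
    return attrs

def parse_packet(pkt):
    # Header = Code(1) Identifier(1) Length(2) Authenticator(16); this example insists Length equals the datagram size.
    if len(pkt) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match the packet")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def hide_password(password, secret, request_auth):
    # RFC 2865 s5.2: pad to a multiple of 16 octets, then XOR each block with MD5(secret + previous
    # ciphertext block); the first block is keyed by the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    if not 1 <= len(padded) <= 128:
        raise ValueError("password must be 1..128 octets")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(ident, username, password, secret, request_auth=None):
    # NAS side (lifecycle step 4): a fresh random 16-octet Request Authenticator for every request.
    ra = request_auth or secrets.token_bytes(16)
    body = encode_attrs([(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, ra))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body

def build_response(code, ident, request_auth, attrs, secret):
    # Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response(resp, request_auth, secret):
    # NAS side: recompute the Response Authenticator before acting on an Accept or Reject.
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def handle_access_request(pkt, secret, lookup):
    # Server side (lifecycle step 5); lookup(username) returns the stored password bytes or None.
    code, ident, ra, attrs = parse_packet(pkt)
    fields = dict(attrs)
    if code != ACCESS_REQUEST or USER_NAME not in fields or USER_PASSWORD not in fields:
        return build_response(ACCESS_REJECT, ident, ra, [], secret)
    stored = lookup(fields[USER_NAME].decode("utf-8", "replace"))
    given = reveal_password(fields[USER_PASSWORD], secret, ra)
    ok = stored is not None and hmac.compare_digest(stored, given)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, ra, [], secret)

def accounting_request(ident, attrs, secret):
    # NAS side (steps 5 and 7): RFC 2866 s3 computes the Request Authenticator over the packet itself,
    # MD5(Code + ID + Length + 16 zero octets + Attributes + Secret), so the server can check who sent it.
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body

def verify_accounting_request(pkt, secret):
    # Server side: a request whose authenticator does not verify is silently discarded (RFC 2866 s3).
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def demo(secret=b"constructed-shared-secret"):
    # Constructed user table and session values; in the paper these come from MySQL and the access point.
    users = {"customer17": b"burger-time"}
    req = access_request(7, b"customer17", b"burger-time", secret)
    resp = handle_access_request(req, secret, users.get)
    accepted = verify_response(resp, req[4:20], secret) and parse_packet(resp)[0] == ACCESS_ACCEPT
    rejected = parse_packet(handle_access_request(
        access_request(8, b"customer17", b"wrong", secret), secret, users.get))[0] == ACCESS_REJECT
    start = accounting_request(9, [(ACCT_STATUS_TYPE, ACCT_START), (USER_NAME, b"customer17"),
                                   (ACCT_SESSION_ID, b"sess-0001"), (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))], secret)
    stop = accounting_request(10, [(ACCT_STATUS_TYPE, ACCT_STOP), (ACCT_SESSION_ID, b"sess-0001"),
                                   (ACCT_SESSION_TIME, 1500)], secret)
    genuine = verify_accounting_request(start, secret) and verify_accounting_request(stop, secret)
    forged = verify_accounting_request(stop, b"some-other-secret")
    return accepted, rejected, genuine, forged
```

The authenticators are the only thing that ties a packet to the shared secret: a NAS that skips `verify_response` would act on any Access-Accept that reaches it, and a server that skips `verify_accounting_request` would record sessions from any host that can send UDP to it, so both checks belong in every deployment, as does a per-NAS secret that is long and random.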
The components — software and hardware — that comprise my installation are:
- The server side:
  - A Linux host (a Sun/Cobalt 550 server which I have installed in a colocation facility in downtown San Francisco) on which the following software resides:
    - The RADIUS server (radiusd — the “d” stands for “daemon”, Unix’s term for a server program)
    - telnetd and bash (bourne-again shell) for starting and restarting radiusd and for examining its log
    - MySQL (a good, free relational database)
    - Apache (a good, free web server)
- The client side:
  - A D-Link DWL-990AP+ access point that authenticates via the RADIUS server (alas not a Colubris; my Colubris is in production use so I can’t monkey with it)
  - Various laptop computers that connect to the Internet through this access point after being authenticated by the RADIUS server
- The connection between client and server: DSL service (from Covad)