The radius contrib for SME server will use the standard unix passwords file on the server. If you want to use another authentication method then I suggest sql.
I used "dialup_admin":
http://sourceforge.net/projects/dialup-admin/
For testing, I created an ibay and placed the files in there. Also add the associated tables to the existing sql database.
In dialup_admin/conf/admin.conf change sql_password_attribute: User-Password to sql_password_attribute: Crypt-Password
Add information about your monowall or ap box into /etc/raddb/clients.conf
This is where you have a "shared secret", as freeradius will only accept connections from devices that are listed in this file and can provide the correct shared secret. (Don't confuse the shared secret with a password a user is providing to authenticate.)
Here is a snippet from the end of my /etc/raddb/radiusd.conf.
# Authentication.
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that you have to have a module from the 'authorize' section add
# a configuration attribute 'Auth-Type := FOO'. That authentication type
# is then used to pick the appropriate module from the list below.
#
# The default Auth-Type is Local. That is, whatever is not included inside
# an authtype section will be called only if Auth-Type is set to Local.
#
# So you should do the following:
# - Set Auth-Type to an appropriate value in the authorize modules above.
# For example, the chap module will set Auth-Type to CHAP, ldap to LDAP, etc.
# - After that create corresponding authtype sections in the
# authenticate section below and call the appropriate modules.
authenticate {
    #
    # PAP authentication, when a back-end database listed
    # in the 'authorize' section supplies a password. The
    # password can be clear-text, or encrypted.
    authtype PAP {
        pap
    }
    #
    # Most people want CHAP authentication
    # A back-end database listed in the 'authorize' section
    # MUST supply a CLEAR TEXT password. Encrypted passwords
    # won't work.
    authtype CHAP {
        chap
    }
    #
    # MSCHAP authentication.
    authtype MS-CHAP {
        mschap
    }
    # pam
    #
    # See 'man getpwent' for information on how the 'unix'
    # module checks the users password. Note that packets
    # containing CHAP-Password attributes CANNOT be authenticated
    # against /etc/passwd! See the FAQ for details.
    #
    # unix
    # Uncomment it if you want to use ldap for authentication
    # authtype LDAP {
    #     ldap
    # }
    # eap
}

# Pre-accounting. Look for proxy realm in order of realms, then
# acct_users file, then preprocess (hints file).
preacct {
    preprocess
    suffix
    # files
}

# Accounting. Log to detail file, and to the radwtmp file, and maintain
# radutmp.
accounting {
    acct_unique
    detail
    # counter
    # unix # wtmp file
    sql
    radutmp
    # sradutmp
}

# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
    radutmp
    sql
}

# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
    # Get an address from the IP Pool.
    #main_pool
}
I am currently without a monowall box to test this setup, so I am going from memory.
Dialup admin will give you nice accounting information like duration and traffic for the users.
There is a lot of work to be done yet, but this should give you an idea of what's possible.
Shane
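
Added example (not part of the original post, and not FreeRADIUS code): how the clients.conf shared secret and the user's password relate under PAP, following the User-Password hiding defined in RFC 2865 section 5.2. The function names and all sample values are constructed for illustration.

```python
import hashlib


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: hide a PAP User-Password (RFC 2865, section 5.2)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16n
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # mask = MD5(secret + previous ciphertext block, or the authenticator)
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the secret configured for this client."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a multiple of 16 octets")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")


def demo():
    # All values below are constructed for illustration.
    secret = b"example-shared-secret"      # stands in for the clients.conf secret
    authenticator = bytes(range(16))       # random per request in real traffic
    password = b"alice-login-password"     # what the user typed (20 octets, 2 blocks)
    hidden = hide_password(password, secret, authenticator)
    as_configured = recover_password(hidden, secret, authenticator)
    mismatched = recover_password(hidden, b"some-other-secret", authenticator)
    return password, hidden, as_configured, mismatched


if __name__ == "__main__":
    password, hidden, ok, bad = demo()
    print("on the wire :", hidden.hex())
    print("right secret:", ok)
    print("wrong secret:", bad)   # garbage, so the login is simply rejected
```

Because the server recovers the cleartext under PAP, it can hash it and compare against a stored Crypt-Password value. A mismatched shared secret produces a garbled password on the server, so it shows up as rejected logins rather than as an explicit error about the secret.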