Table of Contents
Radius is a server for remote user authentication and accounting. Its primary use is for Internet Service Providers, though it may as well be used on any network that needs a centralized authentication and/or accounting service for its workstations.
The package includes an authentication and accounting server and some administrator tools.
Radius supports a wide variety of authentication schemes. A user supplies his authentication data to the server either directly by answering the terminal server’s login/password prompts, or using PAP or CHAP protocols. The server obtains the user’s personal data from one of the following places:
System Database The user’s login and password are stored in /etc/passwd on the server, i.e. they are a “normal” UNIX user on the system. Internal Database The user’s login ID, password etc. are stored in the internal radius database. The user’s password is stored in encrypted form using either MD5 or DES hash, whichever is appropriate. Alternatively, a plaintext password can also be used if CHAP protocol is being used, CHAP usage is strongly discouraged for security reasons. SQL authentication User’s details are stored in an SQL database. The database structure is fully determined by the system administrator, Radius does not restrict it in any way. See Interaction with SQL Servers. PAM authentication User is authenticated via PAM (Pluggable Authentication Service) framework. See the Linux PAM homepage for more details.
Radius has three built-in accounting schemes:
Unix accounting Accounting data are stored in radutmp/radwtmp files and can be viewed using radwho and radlast commands. Both commands are upward compatible with their Unix counterparts who and last. Detailed accounting The detailed accounting information is stored in plain text format. The resulting files can easily be parsed using standard text processing tools (grep. awk. etc.) SQL accounting Upon receiving accounting information Radius stores it in an SQL database. This can then be processed using standard SQL queries.
Radius is extensible and new accounting methods can be added using the extension language .
Radius is currently able to communicate with MySQL and PostgreSQL servers. Other DBMS are supported via ODBC interface.
Radius imposes no restrictions on the structure of authentication and accounting tables. The queries it uses to store and retrieve records are supplied by the system administrator thus allowing complete freedom in creating and configuring the databases.
Radius is a fully extensible system. It supports two extension languages: the built-in Rewrite language and Scheme. Rewrite has a syntax reminiscent of C and is designed primarily for modifying (“rewriting”) the contents of incoming requests.
Use of Scheme requires Guile version 1.4 or higher. It allows the administrator to write his own authentication and accounting methods.
The two extension mechanisms can interoperate with each other: e.g. Scheme functions can call Rewrite functions.
Radius allows for SNMP management of its activities. Its MIB tree contains MIBs proposed by RFC 2619 and 2621 as well as its private extensions.
Radius is compatible with any existing terminal server. It can even communicate with terminal servers that have some deviations from the RADIUS protocol. The built-in extension language allows the administrator to write his own rules for ad hoc parsing and restructuring of the packets coming from terminal servers.
The Free Software Foundation publishes a GNU Radius Reference Manual. You can order the manual in printed form from the Free Software Foundation.
Complete documentation in Texinfo format is also included in the distribution. An online manual is available.
The following mailing lists are related to GNU Radius:
The project’s homepage at Savannah is the place to look for the latest news and patches for the project.
Alpha releases of the development version can be downloaded from alpha.gnu.org .