Rudolf's Radiusclients

Program radlogin

Purpose

The program radlogin gets invoked by your system's getty. To the user it behaves like the normal login program.

First it asks the user for his login name (if not supplied by getty) and his password.

Then it tries to find the login name either through a RADIUS server query or in the local passwd file or through both methods.

If the user is authenticated locally, radlogin calls the local login program to spawn a login environment.

If the user is authenticated via RADIUS, radlogin calls a special other login program, which gets the information that was passed from the RADIUS server in environment variables.

If SCP is defined in config.h, the first letter of the username determines what kind of service is requested. This allows you to use one password for all accounts, while the radiusd supplies you with just the information you need for the specified service type:

	First Letter   User Service
	S              Slip
	C              Slip with Van Jacobson TCP/IP
	P              PPP
	               Login

With these prefixes a User-Service (with a Framed-Protocol) is requested from the radiusd.

According to the answer, different programs are started. These are specified in the client.conf with start_ppp and login_local.

In these special login programs you can now either start a telnet/rlogin session or start up SLIP/CSLIP or even PPP based on the information from the RADIUS server. Furthermore you can send accounting information to a RADIUS accounting server via a program called radacct, which is also part of Radiusclient.

Usage

radlogin [-hVdt] [-i client-port] [username]

where

	-i  file name of the terminal used to determine what to send in the NAS-Port attribute. Normally the tty of stdin is used.
	-d  disable sending of TCP keepalive packets. Only of relevance if radlogin is called from inetd.
	-t  disable automatic telnet detection. This option is set by default if radlogin is called from a terminal line.
	-n  disable display of the radlogin issue file. This option is set by default if radlogin is called with an argument.
	-V  display version information
	-h  display usage information

Operation

radlogin behaves just like a normal login program and authenticates the user and then spawns either a local login program or it passes the information from the RADIUS server to a special other login program in environment variables. The environment variables are named after the attributes prefixed with "RADIUS_" and with all letters of the attribute name translated to uppercase and hyphens translated to underscores. The attribute value is passed unchanged. Furthermore you can start radlogin via inetd:
	---8<-------------------------------------------------------------------- 
	<port-no>  stream  tcp     nowait  root	/bin/radlogin
	---8<-------------------------------------------------------------------- 
You then can telnet to this port and if you login as an outbound user you get connected to an outgoing modem. Unfortunately telnet isn't 8 bit clean. But there still is rport, which uses a pseudo tty to establish an interface between a normal serial program and the remote modem. Unfortunately rport isn't working right at the moment.
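
The variable naming rule and the unchanged attribute values described above matter to whoever writes the special login program, because every RADIUS_ value has to be checked before it is used. The following is an added example, not code from the Radiusclient package; the function names and the value strings PPP and SLIP are assumptions.

```sh
#!/bin/sh
# Added example (not from the Radiusclient package): helpers for the special
# login program that radlogin starts after a RADIUS authentication.

# Attribute name -> variable name, per the rule in the text: "RADIUS_" prefix,
# letters uppercased, hyphens turned into underscores.
radius_env_name() {
    printf 'RADIUS_%s\n' "$(printf '%s' "$1" | tr 'a-z-' 'A-Z_')"
}

# Values are passed unchanged from the server reply, so check their shape
# before using them. Accepts only a dotted-quad IPv4 address.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS; IFS=.
    set -- $1              # split on dots; input holds only digits and dots
    IFS=$_old_ifs
    [ "$#" -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "${#_octet}" -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Print the session this login program would start, or fail closed.
# ASSUMPTION: the value strings "PPP" and "SLIP" are illustrative; use the
# value names your own RADIUS dictionary produces.
plan_session() {
    case "${RADIUS_FRAMED_PROTOCOL:-}" in
        PPP)  _kind=ppp ;;
        SLIP) _kind=slip ;;
        '')   echo "login"; return 0 ;;     # no framed protocol: shell login
        *)    echo "refused: unknown Framed-Protocol" >&2; return 1 ;;
    esac
    if ! valid_ipv4 "${RADIUS_FRAMED_IP_ADDRESS:-}"; then
        echo "refused: bad Framed-IP-Address" >&2
        return 1
    fi
    echo "$_kind $RADIUS_FRAMED_IP_ADDRESS"
}
```

A wrapper script would call plan_session first and start SLIP or PPP only when it succeeds.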

Installation

Get your getty to execute radlogin instead of the normal login process. The method of how to do this varies from getty to getty.

I suggest you use mgetty or getty_ps. mgetty even has a nice automatic PPP detection feature, which can be useful (see chapter "PPP and radlogin" below).

Outgoing connection support

(Untested !!!! )

You can also configure radiusclient to accept network connections via inetd which get redirected to an outgoing modem. To enable this, you must add a line to your inetd configuration file (normally /etc/inetd.conf) to start radlogin.

For a Berkeley inetd you might use a line like this:

	<port-no>  stream  tcp     nowait  root	/usr/local/sbin/radlogin
	
You then can telnet to this port and if you login as an outbound user (Service-Type is set to Outbound in your RADIUS server database) you get connected to an outgoing modem.

Unfortunately telnet is not 8 bit clean. But there is a program called rport in the Radiusclient package which uses a pseudo tty to establish an interface between a normal serial program and the remote modem. Unfortunately rport isn't working right at the moment.

radlogin tries to find out if it got started from inetd and what program is on the other side of the network connection (telnet or rport). It does this by sending telnet options at the start of the session. If it gets an answer from the remote side, it assumes telnet.
To disable automatic telnet detection, use the -t option of radlogin.

radlogin tries to enable keepalive packets on the network link if possible to better detect link failure. If you want to disable this, specify the -d option on the radlogin command line.


Rudolf Weber Informatik- und Netzwerkverein Ravensburg e.V