Using the RADIUS Server
There are only a few commands one needs to know in order to operate RADIUS. It is
actually easier to use the command line of the Linux OS to test for the existence of a user
or to add one. Other than that, the web CGI interface is the best way to maintain users.
Command Line:
user tests the database for the existence of a username
newrad adds a user to the database
Examples:
user frevostat
tests for the user frevostat. If the user exists, RADIUS will reply with what it knows
about this user.
newrad frevostat buford
adds the user ‘frevostat’ to the database and assigns the password ‘buford’
Managing and maintaining accounts is more easily done with the web interface.
However, you may certainly use the web interface to add a user as well. Access is gained
through the following URL:
http://rs1.lightningnet.net/cgi-bin/radius.cgi
Log in with the username ‘radius’ and the password ‘light’
Access to the radius interface must come from your network, so there is a certain level of
security offered. We have run for years with a very simplistic username and password
with no breaches ever.
Root may not log in to the RADIUS server. The system was set up not to accept a root
login. Not even from the console. This can be defeated by simply changing the root
password, but we suggest that you don’t.
Log in as a regular user and then switch-user to root using the ‘rs’ command. I created the
username ‘jeremy’ with the password ‘jeremy.’ You will want to change that password as
soon as possible. In order to become root, log in as jeremy and issue the command ‘rs’
(which is an abbreviation for root shell). rs is a command system I wrote, so don’t expect
to find a lot of information on it.
RADIUS stores its information in a MySQL database installed on the Linux server. The
username and password with permission to manipulate the database are the same as for
the server itself. The web interface is pretty self-explanatory, so I won’t give a detailed
set of instructions for it.
The server itself is a bit different from your other server. It purposely has none of the
utility simplicity that the other one does. So to add a user, for instance, you will have to
execute the unix commands:
/usr/sbin/useradd -s /bin/bash frevostat
/bin/passwd frevostat
You will need to execute these commands as root.
For the most part, you should not modify the configurations for the RADIUS server. The
machine is not supposed to be an extra utility box, so putting any user functions on it is a
big mistake. No web pages, mail or that sort of thing. You want to keep all users out of
this box; after all, your entire security system is now based in it. Losing this box to a
hacker or having a user function disrupt the machine will take you offline until you
correct whatever problem was created. So just use it for the very few things it was made
to do: authenticate people.
The server has been set up as a backup DNS server. This gives the people accessing your
network two chances to get DNS info locally, before your system reaches all the way up
here for backup DNS. This should speed the functions on your local net somewhat.
This means that you have to spend some time learning more about DNS now. Since this
server is a slave for DNS, the setup is slightly different. The best way to reveal the
differences is for you to compare the /etc/named.conf files on both boxes. You will note
that the primary DNS box has entries for master while the secondary has entries for
slave.
You will need to manually create, on the secondary, the same zone entry in named.conf
that you create on the primary. But other than that, the system will keep both boxes synched
up and you should never need to create a zone file on the secondary. DNS will do that for you.
You will, however, need to create and maintain the zone files on the primary by hand.
I noted that you guys were a bit remiss in maintaining the primary zone files in
/var/named. I have created the appropriate entries for you that reflect the information I
had about your network. I have left a number of the entries unfinished… you should
complete them. You will note that the semi-colon is used to ‘comment out’ the entries
that are incomplete, or to preface a comment in the zone file. When you have placed the
appropriate IP number into one of the incomplete entries, you should erase the
semi-colon at the beginning of the line. Any time you change a zone file, you must
increment the serial number at the top of the zone file!!! If you don’t, DNS will
ignore your changes and not update the secondary. That would be bad. Any time you
make a change to the zone files, you must also restart the DNS server. This is easily done
with the following command:
/etc/rc.d/init.d/named restart