Login-Service = Telnet,

Login-TCP-Port = Telnet"

clients.conf file

This file defines a RADIUS client (usually a NAS). The information given here over rides anything given in the clients file, or in the naslist file. The configuration here contains all of the information from those two files, and allows for more configuration items.

The shortname is be used for logging. The nastype, login and password fields are mainly used for checkrad and are optional.

This defines a RADIUS client. The format is as follows:

client[hostnameip-address]

127.0.0.1is another name for localhost. It is enabled by default, to allow testing of the server after an initial installation. If you are not going to be permitting RADIUS queries from localhost, you need to comment it out.

Refer to /usr/local/etc/raddb/clients.conf for more information.

radiusd.conf file

This file contains values for multiple directives used by FreeRADIUS. Some of the directives are explained in the following sections.

1.libdir – Specifies the location of rlm_* modules.

This should be automatically set at configuration time. If the server builds and installs, but fails at execution time with an undefined symbol error, then you can use the libdir directive to work around the problem.

The cause is usually that a library has been installed on your system in a place where the dynamic linker cannot find it. When executing as root (or another user), your personal environment may be set up to allow the dynamic linker to find the library. When executing as a daemon, FreeRADIUS may not have the same personalized configuration.

To work around the problem, determine which library contains that symbol, and add the directory containing that library to the end of libdir, with a colon separating the directory names. No spaces are allowed. For example:

libdir = /usr/local/lib:/opt/package/lib

You can also try setting the LD_LIBRARY_PATH environment variable in a script which starts the server.

If that does not work, then you can re-configure and re-build the server to not use shared libraries, using the following:

./configure --disable-shared make make install

2.pidfile: Specifies where to place the PID of the RADIUS server.

The server may be signalled while it is running by using this file. This file is written when only running in daemon mode. kill

-HUP 'cat /var/run/radiusd/radiusd.pid'

3.user/group: The name (or #number) of the user/group as which to run radiusd.

If these are commented out, the server will run as the user/group that started it. In order to change to a different user/group, you must be root (or have root privleges ) to start the server. HP recommends that you run the server with as few permissions as possible. That is, if you are not using shadow passwords, the user and group items below should be set to nobody.

On SCO (ODT 3) use user = nouser and group = nogroup. Note that some kernels refuse to setgid(group) when the value of (unsigned)group is above 60000. Do not use group nobody on these systems. On systems with shadow passwords, you might have to set group

188 Network Security Administration

Page 188
Image 188
HP UX Internet Express Software manual Clients.conf file, Radiusd.conf file, Configure --disable-shared make make install