

radius.ini File

The radius.ini initialization file is the main configuration file that determines the operation of Steel-Belted Radius Carrier. It contains information that controls a variety of Steel-Belted Radius Carrier functions and operations.

[Addresses] Section

By default, the Steel-Belted Radius Carrier server tries to autoconfigure all IPv4 addresses that are reported by name services for the primary host name of the server on which Steel-Belted Radius Carrier is running, so that it can listen for incoming RADIUS packets on all available network interfaces. If IPv6 is enabled, Steel-Belted Radius Carrier autoconfigures its IPv6 addresses and then listens on all interfaces using IPv6 addresses.

Explicitly configure the IP addresses that you want Steel-Belted Radius Carrier to use in the [Addresses] section of radius.ini if Steel-Belted Radius Carrier is running on a multi-homed (more than one network interface) server and if any of these statements apply to your network:

Specifying IPv4 or IPv6 addresses causes the server to listen on only those addresses and ignore all other addresses.

Specifying AutoConfigureIPv4 or AutoConfigureIPv6 causes Steel-Belted Radius Carrier to attempt to discover and configure all IPv4 or IPv6 addresses that belong to the local host automatically.

Example 1

This example configures Steel-Belted Radius Carrier to listen for RADIUS authentication and accounting requests on the IPv4 address 192.168.12.35 and on all local IPv6 interfaces. IPv6 functionality must be enabled (by setting Enable to 1 in the [IPv6] section of radius.ini) before IPv6 addresses can be used.

[Addresses]
192.168.12.35
AutoConfigureIPv6

To route all of your proxy traffic through a single interface, set the value for ProxySource in the [Configuration] section of radius.ini to the appropriate IP address or addresses, which must be listed in the [Addresses] section.

Example 2

This example routes all proxy traffic through the interface at 192.10.20.30:

[Addresses]
192.10.20.30
192.10.20.31

[Configuration]
ProxySource = 192.10.20.30

The ProxySource setting in the [Configuration] section of radius.ini disables per-realm control of proxy outbound interfaces. If ProxySource is not set, sockets are opened and bound for each interface on the server. To route different proxy realms through specific interfaces using the proxy.ini file, refer to [Interfaces] Section.

[AuditLog] Section

The [AuditLog] section (Table 11) specifies whether Steel-Belted Radius Carrier maintains an audit log file (audityyyymmdd.xml) to record administrator activities and CCM events. Audit log records are stored in XML format in the radius/audit directory.

Administrator activities include:

CCM events include publication, notification, and download of CCM files.

NOTE: The audit log does not track changes made through the LDAP configuration interface (LCI).


[AuditLog]
;Enable = 0
;LogfilePermissions = owner:group mode
;DaysToKeep = 30




Table 11: radius.ini [AuditLog] Syntax  
Parameter
Function

Enable

  • If set to 0, audit logging is disabled.
  • If set to 1, audit logging is enabled.

Default value is 0.

LogfilePermissions

Specifies the owner and access permission setting for the audit log (yyyymmdd.auditlog) file.

Enter a value for the LogFilePermissions setting in owner:group permissions format, where:

  • owner specifies the owner of the file in text or numeric format.
  • group specifies the group setting for the file in text or numeric format.
  • permissions specifies what privileges can be exercised by Owner/Group/Other with respect to the file in text or numeric format.

For example, ralphw:1007 rw-r----- specifies that the file owner (ralphw) can read and edit the audit log file, members of group 1007 can read (but not edit) the audit log file, and other users cannot access the audit log file.

DaysToKeep

Specifies the number of days the Steel-Belted Radius Carrier server retains each authentication acceptance report.

Default value is 30 days.

[AuthRejectLog] Section

You configure the [AuthRejectLog] section of radius.ini (Table 12) to specify what types of authentication method rejection messages Steel-Belted Radius Carrier records in the RADIUS log file (yyyymmdd.log). You can specify that you want the server log file to record reject information generated by all authentication methods, reject information of one or more specific types, or the most relevant rejection information.

Processing an authentication request might result in multiple instances of an authentication method being given a chance to authenticate the user. If this occurs and at least one authentication method succeeds in authenticating the user, no messages are recorded to the server log file. If this occurs and all instances fail to authenticate the user, you can specify that only the most relevant reason for the authentication failure is recorded. For example, if one method results in an authentication error of type InvalidCredentials and another results in an authentication error of type SystemError, only the InvalidCredentials message is logged.

You can specify that more than one type of log message be recorded by entering more than one filter type value for the Filter parameter.



Table 12: radius.ini [AuthRejectLog] Syntax 
Parameter
Function

Enable

  • If set to 0, authentication reject details are not recorded in the server log file.
  • If set to 1, authentication reject details of the specified type(s) are recorded in the server log file.

Default value is 0.

Filter

Specifies the types of authentication reject messages to be recorded:

  • All - Record authentication rejection details from all authentication methods.
  • MostRelevant - When multiple authentication methods are tried and all fail, record the most relevant error messages (the messages with the greatest severity). If two messages have the same severity, both are listed.

These values are listed in order of greatest to least relevance:

  • PostProcessRejection - User was authenticated successfully but postprocessing caused rejection.
  • InvalidCredentialsOrUser - User was not authenticated because user was not found or credentials were invalid.
  • InvalidCredentials - User was not authenticated because user was known but the password or certificate was not correct.
  • UnsupportedCredentialType - User was not authenticated because the credentials presented were of the wrong type.
  • UserNotFound - User was not authenticated because user cannot be found in the authentication database.
  • AccessError - Authentication failed because a database or remote server was inaccessible.
  • InvalidRequest - User was not authenticated because the request appeared to be malformed.
  • BlacklistedUser - User was not authenticated because user is blacklisted.
  • SystemError - User was not authenticated because of a system error such as a resource allocation error.

This example causes authentication reject details from all authentication methods to be recorded to the server log file.

[AuthRejectLog]
Enable = 1
Filter = All

This example causes all authentication reject details of type SystemError to be recorded.

[AuthRejectLog]
Enable = 1
Filter = SystemError

This example causes all authentication reject details of type SystemError, BlacklistedUser, or UserNotFound to be recorded.

[AuthRejectLog]
Enable = 1
Filter = SystemError, BlacklistedUser, UserNotFound
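The selection rules above (no logging when any method accepts, MostRelevant picking the highest-ranked reason with ties both kept, and a comma-separated list of explicit types) are small enough to state as a function. The following is an added example written for this page, not code from Steel-Belted Radius Carrier; the method names and the shape of the outcomes list are constructed for illustration, and the relevance ordering is copied from the Filter description.

```python
# Relevance order from the [AuthRejectLog] Filter description, most relevant first.
RELEVANCE_ORDER = [
    "PostProcessRejection",
    "InvalidCredentialsOrUser",
    "InvalidCredentials",
    "UnsupportedCredentialType",
    "UserNotFound",
    "AccessError",
    "InvalidRequest",
    "BlacklistedUser",
    "SystemError",
]
RANK = {name: index for index, name in enumerate(RELEVANCE_ORDER)}


def parse_filter(value):
    """Split a Filter value such as 'SystemError, BlacklistedUser' into a set of names."""
    return {part.strip() for part in value.split(",") if part.strip()}


def select_for_log(enable, filter_value, outcomes):
    """Decide which rejection messages reach the server log.

    outcomes is a constructed list of (method_name, result) pairs, one per
    authentication method instance that was tried; result is either "Accept"
    or one of the RELEVANCE_ORDER names. Returns the (method, type) pairs to log.
    """
    if int(enable) != 1:
        return []
    # Any successful method means nothing is logged for this request.
    if any(result == "Accept" for _, result in outcomes):
        return []
    rejections = [(m, r) for m, r in outcomes if r in RANK]
    if not rejections:
        return []
    wanted = parse_filter(filter_value)
    if "All" in wanted:
        return rejections
    if "MostRelevant" in wanted:
        best = min(RANK[r] for _, r in rejections)
        # Ties at the same relevance are all listed, as the Filter description states.
        return [(m, r) for m, r in rejections if RANK[r] == best]
    # Otherwise log only the explicitly listed types.
    return [(m, r) for m, r in rejections if r in wanted]


if __name__ == "__main__":
    tried = [("Native", "InvalidCredentials"), ("LDAP", "SystemError")]
    print(select_for_log(1, "MostRelevant", tried))
```

With the page's own example (one InvalidCredentials, one SystemError) and Filter = MostRelevant, only the InvalidCredentials entry is returned; with two SystemError results both are returned.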

[Certificate] Section

The [Certificate] section of radius.ini (Table 13) specifies the location of a file containing information about the server certificate and private key, which are required by the EAP-TLS, EAP-TTLS, and EAP-PEAP plug-ins.



Table 13: radius.ini [Certificate] syntax 
Parameter
Function

Server_Certificate_Info_File

Identifies the full path of the file that contains information about the server's certificate. This is not the location of the PKCS#12 file that contains the certificate, but rather the file that contains information about it.


Place the server certificate information file in a directory that is not generally accessible, such as a protected /my directory in the radiusdir directory. For example, the [Certificate] section might look like this:

[Certificate]
Server_Certificate_Info_File = /opt/Juniper Networks/radius/my/certInfo.ini

[Configuration] Section

The [Configuration] section of radius.ini (Table 14) contains parameters that control basic behavior of Steel-Belted Radius Carrier.



Table 14: radius.ini [Configuration] Syntax  
Parameter
Function

AcctAutoStopEnable

The Proxy AutoStop feature forwards session termination information to downstream proxy RADIUS servers when a user session is closed, so that the resources associated with the user session can be freed.

  • If set to 0, the Proxy AutoStop feature is disabled.
  • If set to 1, the Proxy AutoStop feature is enabled.

Default value is 0.

AddDestIPAddressAttrToRequest

  • If set to 0, Steel-Belted Radius Carrier does not add destination address information to RADIUS requests.
  • If set to 1, Steel-Belted Radius Carrier adds a Funk-Dest-IP-Address attribute identifying the IP address to which the RADIUS request was sent to the attributes in the packet. All processing that can be performed on an attribute included in the request packet, such as check list processing, can be performed on this attribute.

Default value is 0.

If you enable this attribute, the attribute is visible to the proxy module. If your environment proxies requests, you might want to configure Steel-Belted Radius Carrier to strip the attribute from the request before forwarding the request to a downstream server.

AddDestUDPPortAttrToRequest

  • If set to 0, Steel-Belted Radius Carrier does not add destination port information to RADIUS requests.
  • If set to 1, Steel-Belted Radius Carrier adds a Funk-Dest-UDP-Port attribute identifying the UDP port to which the RADIUS request was sent to the attributes in the packet. All processing that can be performed on an attribute included in the request packet, such as check list processing, can be performed on this attribute.

Default value is 0.

If you enable this attribute, the attribute is visible to the proxy module. If your environment proxies requests, you might want to configure Steel-Belted Radius Carrier to strip the attribute from the request before forwarding the request to a downstream server.

AddFunkClientGroupToRequest

  • If set to 0, Steel-Belted Radius Carrier does not add a Funk-Radius-Client-Group attribute to an incoming RADIUS request.
  • If set to 1, Steel-Belted Radius Carrier adds a Funk-Radius-Client-Group attribute to the RADIUS request. The value of the Funk-Radius-Client-Group attribute is set to the name of the client group.

Default value is 0.

NOTE: Enable this option only if you configure RADIUS client groups in SBR Administrator. For more information on RADIUS client groups, refer to the Steel-Belted Radius Carrier Administration and Configuration Guide.

AddFunkLocationGroupIdToRequest

  • If set to 0, Steel-Belted Radius Carrier does not add a Funk-Location-Group-Id attribute to an incoming RADIUS request.
  • If set to 1, Steel-Belted Radius Carrier adds a Funk-Location-Group-Id attribute to an incoming RADIUS request if the request comes from a client in a configured location group. The value of the Funk-Location-Group-Id attribute is set to the name of the location group, which can be used for SQL, LDAP, and check list processing.

Default value is 0.

AddSourceIPAddressAttrToRequest

  • If set to 0, Steel-Belted Radius Carrier does not add source address information to RADIUS requests.
  • If set to 1, Steel-Belted Radius Carrier adds a Funk-Source-IP-Address attribute identifying the IP address from which the RADIUS request was received to the attributes in the packet. All processing that can be performed on an attribute included in the request packet, such as check list processing, can be performed on this attribute.

Default value is 0.

If you enable this attribute, the attribute is visible to the proxy module. If your environment proxies requests, you might want to configure Steel-Belted Radius Carrier to strip the attribute from the request before forwarding the request to a downstream server.

Apply-Login-Limits

  • If set to yes, the maximum number of concurrent connections for each user is enforced, and connection attempts above the limit are rejected.
  • If set to no, connections above the limit are allowed, but an event is noted in the server log file.

Default value is yes.

AttributeEdit

  • If set to 1, the attribute editing feature for proxy realms is enabled.
  • If set to 0, the feature is disabled.

Default value is 1.

AuthenticateOnly

  • If set to 1, no response attributes are included in the response packet to an AuthenticateOnly (Service-Type 8) request.
  • If set to 0, the normal response attributes are included in the response.

Default value is 1.

AutoPasswords

If set to yes, support for SHA and UNIXcrypt passwords for authentication against the native database is enabled.

This feature may be used to test the use of passwords created with various encryption algorithms which are normally used by plug-ins such as LDAP and SQL. The algorithm is indicated by a token string enclosed by curly braces prepended to the password, for example, {md4}47476919506799271480 for an MD4-encoded password.

Supported encryption algorithms and their token strings include message digest algorithm 4 (MD4) hash (md4), secure hash algorithm (SHA) 1 base 64 (sha), salted secure hash algorithm (SSHA) 1 base 64 (ssha), UNIX crypt (crypt), encmd5 (md5), and http digest md5 (http), as well as hex representation of ASCII password (hex).

Default value is no (disabled).
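To make the token-prefix scheme concrete, here is an added verifier written for this page; it is not Steel-Belted Radius Carrier code. It assumes the LDAP-style encodings for the {sha}, {ssha} and {hex} tokens (base64 of the SHA-1 digest; SSHA as base64 of digest followed by the salt; hex of the ASCII password), and treats a value with no token as a plaintext password. The page does not specify the exact encoding of the md4, crypt, md5 and http tokens, so those are rejected rather than guessed.

```python
import base64
import hashlib
import hmac
import os


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def make_stored(scheme, password, salt=None):
    """Build a token-prefixed stored value for the schemes implemented here (assumed encodings)."""
    pw = password.encode("utf-8")
    if scheme == "sha":
        return "{sha}" + _b64(hashlib.sha1(pw).digest())
    if scheme == "ssha":
        # SSHA convention assumed: base64(SHA-1(password + salt) + salt).
        salt = os.urandom(8) if salt is None else salt
        return "{ssha}" + _b64(hashlib.sha1(pw + salt).digest() + salt)
    if scheme == "hex":
        return "{hex}" + pw.hex()
    raise ValueError(f"scheme {scheme!r} not implemented in this example")


def split_token(stored):
    """Return (token, payload); token is None when the value has no {token} prefix."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].lower(), stored[end + 1:]
    return None, stored


def verify(stored, candidate):
    """Constant-time comparison of a candidate password against a stored value."""
    scheme, payload = split_token(stored)
    pw = candidate.encode("utf-8")
    if scheme is None:
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    if scheme == "sha":
        return hmac.compare_digest(base64.b64decode(payload), hashlib.sha1(pw).digest())
    if scheme == "ssha":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]   # SHA-1 digests are 20 bytes; the rest is salt
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "hex":
        return hmac.compare_digest(bytes.fromhex(payload), pw)
    raise ValueError(f"token {{{scheme}}} is not handled by this example")


if __name__ == "__main__":
    stored = make_stored("ssha", "secret")
    print(stored, verify(stored, "secret"), verify(stored, "Secret"))
```

Of the formats shown, only {ssha} carries a salt; unsalted {sha} and {hex} values are appropriate for the testing use the page describes rather than for production credential storage.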

CheckMessageAuthenticator

Specifies whether validation of Message-Authenticator occurs on receipt of an Access-Request from a network access device or on receipt of an Access-Accept, Access-Reject, or Access-Challenge from a proxy (extended proxy only).

  • If set to 0, validation of received Message-Authenticator attributes is disabled.
  • If set to 1, validation is performed if the Message-Authenticator attributes are received. Message-Authenticator attributes must be present for EAP messages.
  • If set to 2, Message-Authenticator attributes are always required and always validated. If these attributes are not present, Steel-Belted Radius Carrier rejects the message.

For the WiMAX mobility module, set this to 1.

Default value is 0.

NOTE: Validation does not occur for ordinary proxy.

ClassAttributeStyle

  • If set to 1, Steel-Belted Radius Carrier uses unencrypted Class attributes with multiple ASCII keys in Access-Accept packets.
  • If set to 2, Steel-Belted Radius Carrier uses enhanced/encrypted Class attributes in Access-Accept packets.

Default value is 2.

NOTE: The ClassAttributeStyle parameter must be set to a value of 2 before you can use attribute embedding. For information on attribute embedding, see [Debug] Section.

DisablePromptAttribute

The Prompt attribute may be sent during an Access-Challenge. This parameter specifies whether or not to echo the user's response to the Access-Challenge on the client.

  • 0 indicates the user's response to the Access-Challenge is not echoed.
  • 1 indicates the user's response to the Access-Challenge is echoed.

Default value is 0.

Steel-Belted Radius Carrier uses the Prompt attribute during SecurID authentications. However, some clients do not respond properly to the Prompt attribute, so this parameter provides a way to disable it.

DisableSecondaryMakeModelSelection

If set to 1, Steel-Belted Radius Carrier looks up the network access device entry by using the source address of the request and sets the make/model according to the information specified for the client.

If set to 0, Steel-Belted Radius Carrier:

  1. Looks up the network access device entry by using the source address of the request and sets the make/model according to the information specified for the client.
  2. Uses the NAS-IP-Address attribute (if present) to look up the network access device entry. If the IP address is found, the make/model information identified in Step 1 is overridden.
  3. Uses the NAS-Identifier attribute (if present) to look up the network access device by name. If the name is found, the make/model information defined in Step 1 or Step 2 is overridden.

Default value is 0.
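The three-step lookup reads more clearly as code. The function below is an added illustration written for this page, not the server's implementation; the client tables and attribute names it takes are constructed for the example. Note that when the secondary steps are active (the default, 0), values carried inside the packet (NAS-IP-Address, NAS-Identifier) take precedence over the source address the packet actually arrived from, which is worth keeping in mind when make/model drives client-specific behavior.

```python
def resolve_make_model(disable_secondary, source_ip, request, clients_by_ip, clients_by_name):
    """Return (make_model, step) following the DisableSecondaryMakeModelSelection order.

    clients_by_ip   : constructed map of configured client address -> make/model
    clients_by_name : constructed map of configured client name    -> make/model
    request         : dict of attributes parsed from the Access-Request
    Returns (None, None) when no entry matches at any step.
    """
    # Step 1: the UDP source address of the request.
    make_model = clients_by_ip.get(source_ip)
    step = 1 if make_model is not None else None
    if int(disable_secondary) == 1:
        return make_model, step

    # Step 2: NAS-IP-Address from the packet body overrides Step 1 when it matches a client.
    nas_ip = request.get("NAS-IP-Address")
    if nas_ip is not None and nas_ip in clients_by_ip:
        make_model, step = clients_by_ip[nas_ip], 2

    # Step 3: NAS-Identifier overrides Step 1 or Step 2 when it matches a client name.
    nas_id = request.get("NAS-Identifier")
    if nas_id is not None and nas_id in clients_by_name:
        make_model, step = clients_by_name[nas_id], 3

    return make_model, step


if __name__ == "__main__":
    by_ip = {"10.0.0.1": "Vendor-A", "10.0.0.2": "Vendor-B"}
    by_name = {"nas-west": "Vendor-C"}
    req = {"NAS-IP-Address": "10.0.0.2", "NAS-Identifier": "nas-west"}
    print(resolve_make_model(0, "10.0.0.1", req, by_ip, by_name))
    print(resolve_make_model(1, "10.0.0.1", req, by_ip, by_name))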

EnableEricssonViGHTTPDigestSupport

  • If set to 1, the Ericsson ViG version of HTTP Digest Access authentication is enabled.
  • If set to 0, the Ericsson ViG version of HTTP Digest Access authentication is disabled.

When the Ericsson ViG version of HTTP Digest Access authentication is enabled, Steel-Belted Radius Carrier looks for the ViG VSAs when it parses incoming packets, and, if it finds them, converts them to AVPs compatible with the current HTTP Digest Access authentication.

Default value is 0.

NOTE: This setting is ignored if the EnableHTTPDigestSupport setting is set to 0 (disabled).

EnableHTTPDigestSupport

  • If set to 1, HTTP Digest Access authentication is enabled.
  • If set to 0, HTTP Digest Access authentication is disabled.

When HTTP Digest Access authentication is enabled, Steel-Belted Radius Carrier interprets the inclusion of certain attribute-value pairs in an Access-Request message as a request to use HTTP Digest Access authentication.

Default value is 0.

EnhancedDiagnosticLogging

  • If set to no, standard diagnostic logging messages are written to the RADIUS log file when the log level is set to 0.
  • If set to yes, messages relating to proxy retries, proxy timeouts, and LDAP timeouts, as well as standard diagnostic logging messages, are written to the RADIUS log file (yyyymmdd.log) when the log level is set to 0.

Default value is no.

ExtendedProxy

  • If set to 1, you can set up realms for proxy RADIUS or directed authentication/accounting.
  • If set to 0, Steel-Belted Radius Carrier can proxy-forward to specific servers (identified using Proxy entries in the Administrator program), but proxy realms and directed realms are disabled.

If the ExtendedProxy setting is not present in the [Configuration] section, realms are disabled by default.

Default value is 1.

FramedIPAddressHint

If set to yes, the attribute Framed-IP-Address is treated as a hint. If this attribute appears in the Access-Request and the user's return list is configured to allocate Framed-IP-Address from a pool, the IP address in the Access-Request is returned instead of a newly-allocated IP address.

Default value is no.

IncRoutedProxyUsageCount

If set to 1, the usage count is incremented both before the Access-Request is proxied, and when the proxy target responds with an Access-Accept. This is consistent with previous releases.

If set to 0, the usage count is incremented only when the proxy target responds with an Access-Accept; it is not incremented before the Access-Request is forwarded to the proxy.

Default value is 0.

LogAccept

  • If set to 1, specifies that messages associated with Accepts that meet the current LogLevel are recorded in the server log file.
  • If set to 0, messages associated with Accepts are ignored.

Default value is 1.

The LogAccept setting is re-read whenever the server receives a HUP signal.

LogFilePermissions

Specifies the owner and access permission setting for the system log (yyyymmdd.log) file.

Enter a value for the LogFilePermissions setting in owner:group permissions format, where:

  • owner specifies the owner of the file in text or numeric format.
  • group specifies the group setting for the file in text or numeric format.
  • permissions specifies what privileges can be exercised by Owner/Group/Other with respect to the file in text or numeric format.

For example, ralphw:1007 rw-r----- specifies that the file owner (ralphw) can read and edit the log file, members of group 1007 can read (but not edit) the log file, and other users cannot access the log file.
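Both the [AuditLog] LogfilePermissions and the [Configuration] LogFilePermissions settings use the same owner:group mode format, so one checker serves both. The following is an added example for this page, not Steel-Belted Radius Carrier code; it parses the setting, accepts the symbolic form the page shows as well as a numeric (octal) mode, and flags values that would leave the log readable or writable by users outside the owner and group.

```python
import re
import stat

_SYMBOLIC = re.compile(r"^[r-][w-][x-][r-][w-][x-][r-][w-][x-]$")


def parse_mode(text):
    """Convert 'rw-r-----' or an octal string such as '640' to an integer mode."""
    if _SYMBOLIC.match(text):
        mode = 0
        for index, ch in enumerate(text):
            if ch != "-":
                mode |= 1 << (8 - index)     # r/w/x bits from owner (high) to other (low)
        return mode
    if re.fullmatch(r"[0-7]{3,4}", text):
        return int(text, 8) & 0o777
    raise ValueError(f"unrecognized permission string: {text!r}")


def parse_logfile_permissions(value):
    """Parse 'owner:group mode' into (owner, group, mode_int)."""
    parts = value.split()
    if len(parts) != 2 or ":" not in parts[0]:
        raise ValueError(f"expected 'owner:group mode', got {value!r}")
    owner, group = parts[0].split(":", 1)
    return owner, group, parse_mode(parts[1])


def check_setting(value):
    """Return a list of findings for a LogfilePermissions value (empty means acceptable)."""
    owner, group, mode = parse_logfile_permissions(value)
    findings = []
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        findings.append(f"log file is accessible to users other than {owner} and group {group}")
    if mode & stat.S_IWGRP:
        findings.append(f"members of group {group} can modify the log file")
    return findings


if __name__ == "__main__":
    for setting in ("ralphw:1007 rw-r-----", "radius:radius rw-rw-r--", "radius:0 600"):
        print(setting, "->", oct(parse_logfile_permissions(setting)[2]), check_setting(setting))
```

The page's own example, ralphw:1007 rw-r-----, parses to mode 0640 and produces no findings.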

LogfileMaxMBytes

  • If set to 0 (or if the setting is absent), the server log file size is ignored and log file names are date-stamped to identify when they were opened (YYYYMMDD.log).
  • If set to a value in the range 1-2047, the current server log file is closed when it reaches the specified number of megabytes (1024 x 1024 bytes), and a new server log file using the date and time it was opened as its filename (YYYYMMDD_HHMM.log) is opened.

Default value is 0.

NOTE: The size of the log file is checked once per minute. The log file might exceed the size specified in LogFileMaxMBytes, since it does not roll over until the next log size check occurs.

LogHighResolutionTime

  • If set to no, timestamps for entries in the Steel-Belted Radius Carrier log file (yyyymmdd.log) are recorded as MM/DD/YYYY/hh:mm:ss (month/date/year/hour:minutes:seconds).
  • If set to yes, timestamps for entries in the Steel-Belted Radius Carrier log file (yyyymmdd.log) are recorded as MM/DD/YYYY/hh:mm:ss.xxx, where xxx is the number of milliseconds elapsed since the ss value last changed.

Default value is no.

LogLevel

Sets the rate at which Steel-Belted Radius Carrier writes entries to the server log file (.LOG):

  • 0 - Production logging level
  • 1 - Informational logging level
  • 2 - Debug logging level

Default value is 0.

The LogLevel setting is re-read whenever the server receives a HUP signal.

LogReject

  • If set to 0, messages associated with Rejects are ignored.
  • If set to 1, messages associated with Rejects that meet the current LogLevel are recorded in the server log file.

Default value is 1.

The LogReject setting is re-read whenever the server receives a HUP signal.

NoNullTermination

  • If set to 0, RADIUS reply attributes of type string are sent with a null character at the end of the string (null terminated string).
  • If set to 1, RADIUS reply attributes of type string are sent without the null character at the end of the string. Entering a value of 1 for this setting is the equivalent of changing all reply attributes of type string to type stringnz.

Default value is 0.

NOTE: After you change this setting, you must delete the saved-dicts.bin file and restart the Steel-Belted Radius Carrier service.

PhantomTimeout

The maximum number of seconds that a phantom session record remains active. As soon as the corresponding accounting start packet is received, a phantom record is discarded. If a phantom record still exists at the end of its timeout period, it is discarded and all resources associated with it are released.

PrivateDir

Sets the destination directory on the local host where server log files are stored.

Default value is the Steel-Belted Radius Carrier directory. To use a non-default location, you must move or copy the database, the dictionary files, the *.xml files, and the system directory and its contents to the new directory. After you restart the Steel-Belted Radius Carrier service, the server log is created in the new directory.

NOTE: You cannot write server log files to a mapped or shared drive.

NOTE: The PrivateDir parameter was called LogDir in earlier Steel-Belted Radius releases.

ProcessRealmBeforeTunnel

  • If set to 0, Steel-Belted Radius Carrier checks whether a request matches the criteria established for tunnels before it tests whether a request matches the criteria for proxy and directed realms.
  • If set to 1, Steel-Belted Radius Carrier checks whether a request matches the criteria established for proxy and directed realms before it tests whether a request matches the criteria established for tunnels.

Default value is 0.

ProxyFastFail

Specifies the number of seconds a Steel-Belted Radius Carrier server continues to forward packets to a proxy RADIUS target that appears to be down.

A value of 0 disables the feature.

Default value is 300.

ProxySource

Specifies the IP address of the interface through which all outgoing proxy traffic is routed. The IP address specified for ProxySource must be listed in the [Addresses] section of radius.ini.

If a ProxySource address is not specified and per-realm control of proxy interfaces is not enabled, Steel-Belted Radius Carrier uses the first interface it finds on the server.

ProxyStripRealm

  • If set to 1, the proxy realm decoration is stripped before sending the request downstream.
  • If set to 0, no realm name stripping is performed.

Default value is 1.

SelectIPPoolNameByNasAVPs

  • If set to 0, the IP address pool for a RADIUS client is based on the source IP address in the UDP packet containing the access request.
  • If set to 1, the IP address pool for a RADIUS client is based on the value of the NAS-IP-Address or NAS-Identifier attribute included in the access request. If the NAS-IP-Address or NAS-Identifier attribute is not present, or if a RADIUS client matching the IP address or identifier cannot be found, the IP address pool for a RADIUS client is based on the source IP address in the UDP packet containing the access request.

Default value is 0.

SendOnlyOneClassAttribute

When a user's identity information is encrypted during authentication, Steel-Belted Radius Carrier uses a special Class attribute to pass the user's encrypted identity to an accounting server. Because this typically requires more than one Class attribute to be included in the Accept response, and because some Access Points do not support echoing more than one Class attribute, you can use the SendOnlyOneClassAttribute parameter to specify how you want Steel-Belted Radius Carrier to forward encrypted user identity information.

  • If set to 1, Steel-Belted Radius Carrier creates a Class attribute containing a Class attribute flag, a server identifier, and a transaction identifier. The user identification data that is normally stored in the Class attributes is stored in the current sessions table. When Steel-Belted Radius Carrier receives an accounting request, it looks up the Class information in the current sessions table and uses it as if it had arrived in the accounting request packet.
  • If set to 0, Steel-Belted Radius Carrier creates one or more Class attributes to return a user's encrypted identity to the Access Point, with the assumption that the AP forwards the Class attribute(s) containing the encrypted user identification information to the accounting server.

Default value is 0.

For the optional WiMAX mobility module, set this to 1.

NOTE: This feature works only if accounting requests go to the same server that performs authentication. Accounting requests that go to servers other than the authenticating server fail.

StartupTimeout

Specifies the number of seconds Steel-Belted Radius Carrier waits for its startup sequence to finish before timing out.

Default value is 360 seconds.

TraceLevel

Specifies the RADIUS packet tracing level:

  • 0 - No packet tracing
  • 1 - Parsed content of packets is logged
  • 2 - Raw content and parsed content of the packet is logged

Default value is 0.

NOTE: Packet traces are written to the server log file and can be a useful tool for troubleshooting interoperability problems.

TreatAddressPoolsAsDisjoint

  • If set to 1, Steel-Belted Radius Carrier treats each IP address pool as though it operates off its own disjoint address space. This disables the normal checks to ensure that an IP address is allocated only to a single address pool.
  • If set to 0, a single IP address can be allocated only to a single session and from a single IP address pool.

Default value is 0.

NOTE: To track allocated resources, Steel-Belted Radius Carrier uses the Class attribute to track IP addresses. This attribute contains the IP pool name and IP address.

UseNewAttributeMerge

  • If set to 1, the new profile and user attribute merging calculation is performed.
  • If set to 0, the older calculation technique is used.

Refer to "Resolving Profile and User Attributes" in the Steel-Belted Radius Carrier Administration and Configuration Guide for an explanation of new attribute merging.

Default value is 1.

UseProfileCache

If set to 0, user profile results are not cached.

If set to 1, user profile results are cached, improving processing during LDAP scripting.

Set this parameter to 1 only if you have licensed the optional JavaScript module.

Default value is 0.


[CurrentSessions] Section

The [CurrentSessions] section of radius.ini (Table 15) controls the Current Sessions Table.

[CurrentSessions]
;CaseSensitiveUsernameCompare = 1



Table 15: radius.ini [CurrentSessions] Syntax  
Parameter
Function

CaseSensitiveUsernameCompare

  • If set to 1, when the server searches its Current Sessions Table for sessions that have the same username, it uses case-sensitive lookups.
  • If set to 0, the server ignores case.

Default value is 1.


[Debug] Section

The [Debug] section of radius.ini (Table 16) helps debug problems with Steel-Belted Radius Carrier operations by incorporating thread identifiers in log messages. Thread identifiers help you parse the diagnostic log when messages about different RADIUS requests are interleaved.

The syntax for including thread identifiers in diagnostic log messages is:

[Debug]
Log-Thread-ID = yes



Table 16: radius.ini [Debug] Syntax  
Parameter
Function

Log-Thread-ID

  • If set to yes, thread identifiers are included in Steel-Belted Radius Carrier log messages.
  • If set to no, thread identifiers are omitted from Steel-Belted Radius Carrier log messages.

Default value is no.


When multiple requests are processed simultaneously, log entries for different requests might appear consecutively in the log file. Configuring the radius.ini file to include a thread identification number with log entries correlates the log entries produced while processing each RADIUS request.

In this example, the Log-Thread-ID of 98 is assigned to one request and 73 is assigned to another.


08/24/2008 15:16:27 ../radauthd.c radAuthHandleRequest() 2720 (98) Entering
08/24/2008 15:16:27 (98) Looking up shared secret
08/24/2008 15:16:27 (98) Looking for RAS client 172.25.97.54 in DB
08/24/2008 15:16:27 (98) Matched 172.25.97.54 to RAS client <ANY>
08/24/2008 15:16:27 (98) Parsing request
08/24/2008 15:16:27 (98) Initializing cache entry
08/24/2008 15:16:27 (98) Doing inventory check on request
08/24/2008 15:16:27 (98) Getting info on requesting client
08/24/2008 15:16:27 (98) User-Name : String Value = 1212864080212345


08/24/2008 15:16:27 (73) Authentication Request
08/24/2008 15:16:27 (73) Received from: ip=172.25.97.54 port=4334
08/24/2008 15:16:27 (73) 
08/24/2008 15:16:27 (73) Raw Packet :
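Once thread identifiers are in the log, correlating the interleaved entries is a matter of grouping by the parenthesized number. The script below is an added example for this page, not a tool shipped with Steel-Belted Radius Carrier. Its sample input is constructed by interleaving the lines shown above; the regular expression assumes the line shape visible there (date, time, an optional source prefix such as the radauthd.c location, then the thread id in parentheses), and also accepts the millisecond timestamps produced by LogHighResolutionTime.

```python
import re
from collections import defaultdict

# Constructed sample: the page's two request traces interleaved as they would be on a busy server.
SAMPLE_LOG = """\
08/24/2008 15:16:27 ../radauthd.c radAuthHandleRequest() 2720 (98) Entering
08/24/2008 15:16:27 (98) Looking up shared secret
08/24/2008 15:16:27 (73) Authentication Request
08/24/2008 15:16:27 (98) Looking for RAS client 172.25.97.54 in DB
08/24/2008 15:16:27 (73) Received from: ip=172.25.97.54 port=4334
08/24/2008 15:16:27 (98) Matched 172.25.97.54 to RAS client <ANY>
08/24/2008 15:16:27 (73)
08/24/2008 15:16:27 (98) User-Name : String Value = 1212864080212345
08/24/2008 15:16:27 (73) Raw Packet :
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}(?:\.\d{3})?)"
    r"(?: (?P<src>.+?))? \((?P<tid>\d+)\)(?: (?P<msg>.*))?$"
)


def parse_line(line):
    """Return a dict with date, time, src, tid and msg, or None if the line has no thread id."""
    match = LINE_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    record["msg"] = record["msg"] or ""
    return record


def group_by_thread(text):
    """Group message texts by thread id; lines without an id are kept under the key None."""
    threads = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            threads[None].append(line)      # Log-Thread-ID = no, or an unexpected line shape
        else:
            threads[record["tid"]].append(record["msg"])
    return dict(threads)


def thread_summary(threads):
    """Per thread: line count plus the User-Name and client address when they appear."""
    summary = {}
    for tid, msgs in threads.items():
        if tid is None:
            continue
        info = {"lines": len(msgs)}
        for msg in msgs:
            user = re.match(r"User-Name : String Value = (\S+)", msg)
            if user:
                info["user"] = user.group(1)
            client = re.match(r"Received from: ip=(\S+) port=(\d+)", msg)
            if client:
                info["client"] = client.group(1)
        summary[tid] = info
    return summary


if __name__ == "__main__":
    for tid, info in thread_summary(group_by_thread(SAMPLE_LOG)).items():
        print(tid, info)
```

Grouping this way turns the interleaved trace back into one contiguous sequence per request, which is what you need when reconstructing a single authentication during an investigation.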

[EmbedInClass] Section

The [EmbedInClass] section of radius.ini (Table 17) identifies attributes that are available during authentication processing which must be made available in accounting requests. Attribute embedding allows billing information to be embedded in a Class attribute returned to Steel-Belted Radius Carrier by a network access device. When Steel-Belted Radius Carrier receives an embedded attribute, it decodes the attribute and places it in the Accounting request according to the settings specified in the classmap.ini file (described on page 118).

NOTE: The ClassAttributeStyle parameter in the [Configuration] section of radius.ini must be set to a value of 2 before you can use attribute embedding.


The syntax for embedding attributes is:

[EmbedInClass]
responseAttribute={ Clear | Encrypt }[,Remove]



Table 17: radius.ini [EmbedInClass] Syntax  
Parameter
Function

responseAttribute

Identifies the response attribute to be embedded in the RADIUS Class attribute.

Clear

Specifies that the retrieved information is included in the Class attribute in cleartext format.

Encrypt

Specifies that the retrieved information is encrypted before it is included in the Class attribute.

Remove

Optional parameter that removes the embedded attribute from the Accept-Response packet.


[HiddenEAPIdentity] Section

The [HiddenEAPIdentity] section of radius.ini allows the known inner identity of EAP/TTLS and EAP/SIM protocols to be included in the Access-Accept message returned in response to an authentication request.

The syntax is:

[HiddenEAPIdentity]
IncludeInAcceptResponse=0|1
ResponseAttribute = attributeName[, replaceAttribute]



Table 18: radius.ini [HiddenEAPIdentity] Syntax 
Parameter
Function

IncludeInAcceptResponse

  • If set to 0, inclusion of the inner identity in Access-Accept responses is disabled.
  • If set to 1, Steel-Belted Radius Carrier includes the inner identity in the specified attribute of an Access-Accept response.

Default value is 0.

attributeName

Identifies the attribute in which to include the inner identity in an Access-Accept message. If this value is omitted, the User-Name attribute is used. The attributeName value can be any string attribute, including a VSA, that is defined in an attribute dictionary.

[, replaceAttribute]

Identifies the Access-Accept attribute that retains the original value of the attribute specified in the attributeName argument.

If a replacement value is not specified, the value of the original attribute is lost.


[IPPoolSuffixes] Section

The [IPPoolSuffixes] section of radius.ini lets you define suffixes that can be used to split the IP address pools reserved for a network access device into smaller subcategories.

The syntax is:

[IPPoolSuffixes]
Suffix1
Suffix2
...

For example, to create three categories that append -Bronze, -Silver, and -Gold to IP Address Pool names, this section is defined:

[IPPoolSuffixes]
-Bronze
-Silver
-Gold

[IPv6] Section

[IPv6]

Enable = 0
DynamicNameResolution = 2
IPv6LinkLocalUnicastScopeId = 0 
IPv6SiteLocalUnicastScopeId = 0 

The [IPv6] section of radius.ini (Table 19) controls IPv6 network transport features.



Table 19: radius.ini [IPv6] Syntax 
Parameter
Function

Enable

Determines whether IPv6 networking is enabled in Steel-Belted Radius Carrier.

  • If set to 0, IPv6 networking is disabled, and other values in the IPv6 section of radius.ini are ignored.
  • If set to 1, IPv6 networking is enabled.

Default value is 1.

NOTE: IPv4 networking is always enabled in Steel-Belted Radius Carrier.

DynamicNameResolution

Determines whether the Steel-Belted Radius Carrier server tries to use IPv6 name services (DNSv6) to resolve host names.

  • 0 - Do not use IPv6 name services. IPv4 name services are not affected by this setting.
  • 1 - Use only IPv6 name services. IPv4 name services are disabled by this setting.
  • 2 - Use IPv6 name services first; use IPv4 name services in case of failure.

Default value is 2.

IPv6LinkLocalUnicastScopeId

Specifies an interface name (such as hme0) or index (4) for Solaris hosts.

If set to 0, Steel-Belted Radius Carrier does not use link local addresses.

Default value is 0.

IPv6SiteLocalUnicastScopeId

Specifies an interface name (such as hme0) or index (4).

If set to 0, Steel-Belted Radius Carrier selects the site local scope ID automatically.

Default value is 0.


[LDAP] Section

The [LDAP] section of radius.ini (Table 20) sets the TCP port number that you want to use for communication between Steel-Belted Radius Carrier and LDAP clients.

The syntax is:

[LDAP]
Enable = 1
TCPPort = portNumber



Table 20: radius.ini [LDAP] Syntax
Parameter
Function

Enable

  • If set to 0, the LDAP Configuration Interface is disabled.
  • If set to 1, the LDAP Configuration Interface is enabled.

Default value is 0.

NOTE: Enabling LCI without changing the access password might leave your Steel-Belted Radius Carrier database vulnerable to access by any LDAP client. Read Chapter 24, Using the LDAP Configuration Interface of the Steel-Belted Radius Carrier Administration and Configuration Guide before you enable this feature.

TCPPort

Specifies the TCP port number that you want to use for communication between Steel-Belted Radius Carrier and LDAP clients.

Default value is 667.


[LDAPAddresses] Section

The [LDAPAddresses] section of radius.ini lets you specify the interfaces on which Steel-Belted Radius Carrier listens for LDAP Configuration Interface (LCI) requests. If you want to provide these settings, you must add a section called [LDAPAddresses] to the radius.ini file. This section contains a list of IP addresses, one per line:

[LDAPAddresses]
199.198.197.196
196.197.198.199

If the [LDAPAddresses] section is omitted or empty, Steel-Belted Radius Carrier listens for LCI requests on all bound IP interfaces.

[MsChapNameStripping] Section

The [MsChapNameStripping] section of radius.ini (Table 21) specifies whether you want Steel-Belted Radius Carrier to try to strip domain information from usernames when it tries to match its user entry to the username/password hash forwarded by the end user. This feature is useful in situations where the username in the Steel-Belted Radius Carrier database includes characters the end-user host considers domain information, which it deletes before computing its hash of the user's credentials.

If this feature is enabled:

  1. Steel-Belted Radius Carrier scans the username in its database looking for delimiter characters that might indicate a domain is prefixed to the username. If a prefix delimiter character is found, the server strips that character (and all characters to the left of the delimiter), generates its own hash of the user's credentials, and compares the result to the hashed credentials forwarded by the end user to determine if a match is found.
  2. If a prefix delimiter is not found (or if the hashed credentials do not match after the prefix is stripped), Steel-Belted Radius Carrier scans the username looking for delimiter characters that might indicate a domain is suffixed to the username. If a suffix delimiter character is found, the server strips that character (and all characters to the right of the delimiter), generates its own hash of the user's credentials, and compares the result to the hashed credentials forwarded by the end user to determine if a match is found.
  3. If neither a prefix delimiter nor a suffix delimiter is found (or if a delimiter was found but the hashed credentials did not match), the server uses the entire username string to generate the hashed credentials and compares the result to the hashed credentials forwarded by the end user to determine if a match is found.

The syntax for the [MsChapNameStripping] section is:

[MsChapNameStripping]
Enable=1
Prefix=\\
Suffix=/@



Table 21: radius.ini [MsChapNameStripping] Syntax  
Parameter
Function

Enable

  • If set to 0 (or omitted), MS-CHAP v2 name stripping is disabled.
  • If set to 1, MS-CHAP v2 name stripping is enabled.

Default value is 0.

Prefix

A list of as many as five ASCII characters to strip from the prefix. If a space character appears in the list, the entire list must be surrounded by quotation marks.

Enter a double backslash (\\) to indicate you want to strip the backslash character. A double backslash counts as one character in the list.

Default value is \\.

Suffix

A list of as many as five ASCII characters to strip from the suffix. If a space character appears in the list, the entire list must be surrounded by quotation marks.

Enter a double backslash (\\) to indicate you want to strip the backslash character. A double backslash counts as one character in the list.

Default value is /@.
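The three-step matching sequence described above, together with the Prefix/Suffix list rules from Table 21, as an added worked example in Python (not code from the Steel-Belted Radius Carrier product or this guide). The response computation is a constructed stand-in for the MS-CHAP v2 hash, and using the first prefix delimiter and the last suffix delimiter when a name holds several is an assumption the guide does not settle.

```python
import hashlib
import hmac
from typing import Callable, Iterator, Optional


def parse_delimiter_list(value: str) -> str:
    """Decode a Prefix= or Suffix= value as radius.ini spells it: the list may be
    quoted when it contains a space, a doubled backslash means one literal
    backslash and counts as one character, and at most five characters are allowed."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    chars, i = [], 0
    while i < len(value):
        if value.startswith("\\\\", i):
            chars.append("\\")
            i += 2
        else:
            chars.append(value[i])
            i += 1
    if len(chars) > 5:
        raise ValueError("Prefix/Suffix lists hold at most five characters")
    return "".join(chars)


def candidate_names(db_username: str, prefix_delims: str, suffix_delims: str) -> Iterator[str]:
    """Yield the name forms in the order the server tries them:
    1. prefix stripped (first prefix delimiter and everything to its left),
    2. suffix stripped (last suffix delimiter and everything to its right),
    3. the entire username.
    Picking the first/last occurrence is an assumption (see lead-in)."""
    hits = [db_username.find(d) for d in prefix_delims if d in db_username]
    if hits:
        yield db_username[min(hits) + 1:]
    hits = [db_username.rfind(d) for d in suffix_delims if d in db_username]
    if hits:
        yield db_username[:max(hits)]
    yield db_username


def match_stripped_name(db_username: str, prefix_delims: str, suffix_delims: str,
                        peer_response: bytes,
                        compute_response: Callable[[str], bytes]) -> Optional[str]:
    """Return the name form whose locally computed response equals the peer's,
    or None when no form matches (the authentication then fails)."""
    for name in candidate_names(db_username, prefix_delims, suffix_delims):
        if hmac.compare_digest(compute_response(name), peer_response):
            return name
    return None


# Constructed stand-in for the MS-CHAP v2 response: like the real NT-Response it
# depends on the username the client hashed and on the password, which is all the
# matching logic above relies on. It is NOT the real algorithm.
def fake_response(password: str) -> Callable[[str], bytes]:
    return lambda name: hashlib.sha256(f"{name}\0{password}".encode("utf-8")).digest()


if __name__ == "__main__":
    prefix = parse_delimiter_list(r"\\")   # Prefix=\\ -> one backslash character
    suffix = parse_delimiter_list("/@")    # Suffix=/@
    respond = fake_response("s3cret")
    db_user = r"CORP\alice@example.com"    # database entry with domain prefix and realm suffix
    peer = respond("alice@example.com")    # end-user host dropped "CORP\" before hashing
    print(match_stripped_name(db_user, prefix, suffix, peer, respond))  # alice@example.com
```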


[Ports] Section

The [Ports] section of radius.ini (Table 22) provides a method for setting the UDP ports used by Steel-Belted Radius Carrier.

You can specify as many as 4096 ports on a Solaris server. If this limit is exceeded, the RADIUS authentication subcomponent fails to initialize.

If you want the server to function as a proxy forwarding server, you can specify a block of UDP port numbers from which the proxy RADIUS ports are allocated. Proxy RADIUS allocates port numbers in sets of eight. Port numbers in an allocated block do not have to be contiguous: if a UDP port number that falls in the proxy RADIUS range is in use, proxy RADIUS skips over it.



Table 22: radius.ini [Ports] Syntax  
Parameter
Function

SecureTcpAdminAddress

Specifies the IP address of the administrative interface used for communication between SBR Administrator and the Steel-Belted Radius Carrier server.

If not specified, any network interface on the Steel-Belted Radius Carrier server accepts a connection from SBR Administrator.

SecureTcpAdminPort

Specifies the TCP port used for communication between SBR Administrator and the Steel-Belted Radius Carrier server.

Default value is 1813.

NOTE: Consult Juniper Networks Technical Support before changing the port number. Using a non-default port may cause communication problems between SBR Administrator and the Steel-Belted Radius Carrier server.

TCPControlAddress

Specifies the IP address of the administrative interface on the Steel-Belted Radius Carrier server used for SNMP and CCM/replication communication.

If not specified, any network interface on the Steel-Belted Radius Carrier server can be used for SNMP and CCM traffic.

TCPControlPort

Specifies the TCP port used for SNMP and CCM/replication communication.

Default value is 1812.

NOTE: Consult Juniper Networks Technical Support before changing the port number. Using a non-default port may cause communication problems between SBR Administrator and the Steel-Belted Radius Carrier server.

UDPAcctPort

Specifies the UDP port(s) used for accounting. If you use more than one port, specify each port number on a separate line.

Default values are 1646 and 1813.

NOTE: Consult Juniper Networks Technical Support before changing the port number. Using a non-default port may cause communication problems between SBR Administrator and the Steel-Belted Radius Carrier server.

UDPAuthPort

Specifies the UDP port(s) used for authentication. If you use more than one port, specify each port number on a separate line.

Default values are 1645 and 1812.

NOTE: Consult Juniper Networks Technical Support before changing the port number. Using a non-default port may cause communication problems between SBR Administrator and the Steel-Belted Radius Carrier server.

UDPProxyPortBlockLength

Specifies the number of addresses in the port number range used for proxy RADIUS communication.

Default value is 64.

UDPProxyPortBlockStart

Specifies the starting port number in the port number range used for proxy RADIUS communication.

Default value is 28000.

NOTE: If you change the default value, choose a number range that does not overlap with well-known UDP ports and proprietary UDP ports on your network.

NOTE: You might need to configure network firewalls to allow ports in the specified number range to pass.


For example:

[Ports]
SecureTcpAdminPort = 1813
SecureTcpAdminAddress = 192.168.12.15
TCPControlPort = 1812
TCPControlAddress = 192.168.15.55
UDPAuthPort = 1645
UDPAuthPort = 1812
UDPAcctPort = 1646
UDPAcctPort = 1813
UDPProxyPortBlockStart = 28000
UDPProxyPortBlockLength = 64

The UDP port assignments entered in the [Ports] section of the radius.ini file override the UDP port assignments specified in the /etc/services file. For more information, see services File.

[SecurID] Section

The [SecurID] section of radius.ini (Table 23) contains items specific to RSA SecurID authentication for ISDN users. It provides information that allows Steel-Belted Radius Carrier to cache the user's credentials temporarily after a successful SecurID authentication. This technique is necessary to permit a second ISDN B-channel to be authenticated during the user's session. Steel-Belted Radius Carrier uses the cached token to authenticate the second channel.

NOTE: If this feature is not enabled, users who want to authenticate against a SecurID database through an ISDN connection that bonds both B-channels fail to authenticate due to a SecurID security violation. ISDN users running only one B-channel are not affected.




Table 23: radius.ini [SecurID] Syntax 
Parameter
Function

CachePasscodes

  • If set to yes, RSA SecurID passcode caching is enabled.
  • If set to no, RSA SecurID passcode caching is disabled.

Default value is no.

SecondsToCachePasscodes

The number of seconds to retain the cached SecurID passcode (PIN and token code).

Default value is 60 seconds.


[Self] Section

The [Self] section of radius.ini lists all the realm names that the Steel-Belted Radius Carrier server handles locally. The syntax is:

[Self]
RealmName
RealmName
...

You can use the [Self] section to map a realm name to the Steel-Belted Radius Carrier server. If you acquire a batch of new user accounts, users do not have to change how they enter usernames. They can enter the name User<Delimiter>RealmName or RealmName<Delimiter>User as usual.

When a username comes into Steel-Belted Radius Carrier, if the [Self] section lists RealmName, Steel-Belted Radius Carrier understands that it is the target, and handles the request locally instead of directing the request elsewhere.

[StaticAcctProxy] Section

The [StaticAcctProxy] section of radius.ini controls the delivery of Accounting messages to additional RADIUS accounting-enabled devices on the network, even when the initial RADIUS transaction is not a proxy RADIUS transaction. The syntax is:

[StaticAcctProxy]
target = proxy 

where proxy identifies the name of the RADIUS accounting-enabled device.

[Strip] Section

The [Strip] section specifies how Steel-Belted Radius Carrier manipulates the username by stripping the incoming User-Name attribute value of realm names and other decorations.

The [Strip] section (and accompanying [StripPrefix] and [StripSuffix] sections) look like this:

[Strip]
Authentication=Yes
Accounting=No
StripPrefixCharacters=@#%
StripSuffixCharacters="! "

[StripPrefix]
PrefixStringToStrip1
PrefixStringToStrip2
...

[StripSuffix]
SuffixStringToStrip1
SuffixStringToStrip2
...


Table 24: radius.ini [Strip] Syntax 
Parameter
Function

Authentication

If set to yes, the [StripPrefix] and [StripSuffix] rules are used to strip the username before an authentication request is processed.

Default value is no.

Accounting

If set to yes, the [StripPrefix] and [StripSuffix] rules are used to strip the username before an accounting request is processed.

Default value is no.

StripPrefixCharacters

A list of ASCII characters to strip from the prefix. If a space character appears in the list, the entire list must be surrounded by quotation marks.

StripSuffixCharacters

A list of ASCII characters to strip from the suffix. If a space character appears in the list, the entire list must be surrounded by quotation marks.


[StripPrefix] Section

The [StripPrefix] section lists prefixes you want removed from the beginning of usernames, including the delimiter. If a space character appears in the list, the entire list must be surrounded by quotation marks.

[Strip]
Authentication=yes
Accounting=yes

[StripPrefix]
isp.com\
att.net]

In this example, Steel-Belted Radius Carrier strips the prefixes isp.com\ and att.net] from usernames in authentication and accounting requests.

[StripSuffix] Section

The [StripSuffix] section lists suffixes you want removed from the end of usernames, including the delimiter.

For example:

[Strip]
Authentication=yes
Accounting=yes

[StripSuffix]
@myrealm.com
@yahoo.com

In this example, Steel-Belted Radius Carrier strips the suffixes @myrealm.com and @yahoo.com from usernames in authentication and accounting requests.

[UserNameTransform] Section

The [UserNameTransform] section (Table 25) lets you specify a rule for transforming user names in RADIUS requests from the form in which they are received to a form in which they can be processed. This can be useful when the form in which users supply their names to the network access device is not compatible with the form in which the RADIUS server applies its rules for proxy forwarding or with the form that the authentication system requires.

The user name transformation rule used to convert input strings to output strings is based on an input format and an output format. The user name transformation rule is applied to user names appearing in RADIUS requests. The user name from the RADIUS request is parsed based on the input format.

  1. The User-Name from the Access-Accept (or Acct-Start/Acct-Stop) is compared to the input format rule.
  2. If the User-Name matches the rule, it is modified into the output format, and authentication continues.
  3. If the User-Name does not match the input format, no modification occurs, and authentication continues.

The transformed user name replaces the original user name in RADIUS processing, just as if the transformed user name had been included in the request. The decision to proxy-forward the packet is based on the transformed user name, and all authentications are based on the transformed user name.

Format strings can be any sequence of characters, and can contain embedded variables enclosed in angle brackets (< >). The backslash (\) is an escape character within text, used to represent literal characters. Within variable names, a backslash is treated as an ordinary character, not as an escape; therefore, variable names may not include right angle brackets (>).

Compose the literal text with characters you do not expect to be found in the variable elements. Use punctuation characters such as a slash (/) or an at-sign (@), rather than letters or numbers.

The user name transformation rule can be applied to authentication packets, accounting packets, or both.

[UserNameTransform]
In=<input format>
Out=<output format>
Authentication=< yes | no >
Accounting=< yes | no >



Table 25: radius.ini [UserNameTransform] Syntax 
Parameter
Function

In

A format string identifying the input format for user names. For example, <user>@<realm>.

Out

A format string identifying the output format for user names. For example, <user>.

Authentication

Set to Yes to enable the transform for authentication requests.

Default value is Yes.

Accounting

Set to Yes to enable the transform for accounting requests.

Default value is Yes.

Proxy

Set to Yes to enable the transform for proxied requests.

Default value is Yes.


For example, these settings transform george@acme.com to george:

In = <user>@<realm>
Out = <user>

These settings transform abc/martha@bigco.com to bigco.com::abc/martha:

In = <prefix>/<user>@<realm>
Out = <realm>::<prefix>/<user>
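The In/Out transformation described in this section, applied to the two examples above, as an added worked example in Python (not code from the Steel-Belted Radius Carrier product or this guide). Variables are matched non-greedily so the literal separators decide the split; how the real server resolves ambiguous input (a name containing the separator twice) is not documented here and is an assumption.

```python
import re
from typing import Dict, List, Tuple


def tokenize_format(fmt: str) -> List[Tuple[str, str]]:
    """Split a format string into ("lit", text) and ("var", name) tokens.
    In literal text a backslash escapes the next character; inside <...> the
    backslash is an ordinary character and the name ends at the first '>'."""
    tokens: List[Tuple[str, str]] = []
    lit: List[str] = []
    i = 0
    while i < len(fmt):
        c = fmt[i]
        if c == "\\" and i + 1 < len(fmt):
            lit.append(fmt[i + 1])
            i += 2
        elif c == "<":
            end = fmt.find(">", i + 1)
            if end == -1:
                raise ValueError("unterminated variable in format %r" % fmt)
            if lit:
                tokens.append(("lit", "".join(lit)))
                lit = []
            tokens.append(("var", fmt[i + 1:end]))
            i = end + 1
        else:
            lit.append(c)
            i += 1
    if lit:
        tokens.append(("lit", "".join(lit)))
    return tokens


def compile_input_format(in_fmt: str) -> "re.Pattern[str]":
    """Build an anchored regex from In=: literals are escaped and each variable
    becomes a named group. Non-greedy groups are an assumption (see lead-in)."""
    parts = []
    for kind, text in tokenize_format(in_fmt):
        parts.append(re.escape(text) if kind == "lit" else "(?P<%s>.*?)" % text)
    return re.compile("^" + "".join(parts) + "$")


def render_output(out_fmt: str, values: Dict[str, str]) -> str:
    """Fill Out= from the variables captured by In=."""
    out = []
    for kind, text in tokenize_format(out_fmt):
        if kind == "var" and text not in values:
            raise KeyError("Out= uses <%s>, which In= does not define" % text)
        out.append(text if kind == "lit" else values[text])
    return "".join(out)


def transform_user_name(user_name: str, in_fmt: str, out_fmt: str) -> str:
    """Apply the [UserNameTransform] rule: a User-Name matching In= is rewritten
    into Out=; a non-matching User-Name is passed through unchanged."""
    match = compile_input_format(in_fmt).match(user_name)
    if match is None:
        return user_name
    return render_output(out_fmt, match.groupdict())


if __name__ == "__main__":
    print(transform_user_name("george@acme.com", "<user>@<realm>", "<user>"))
    print(transform_user_name("abc/martha@bigco.com",
                              "<prefix>/<user>@<realm>", "<realm>::<prefix>/<user>"))
```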

[ValidateAuth] and [ValidateAcct] Sections

The [ValidateAuth] and [ValidateAcct] sections of radius.ini (Table 26) specify how Steel-Belted Radius Carrier validates usernames in authentication and accounting requests. These sections enable Steel-Belted Radius Carrier to examine the User-Name attribute in the incoming packet to determine whether it employs a valid character set.

[ValidateAuth]
User-Name = RegularExpression

[ValidateAcct]
User-Name = RegularExpression



Table 26: radius.ini [ValidateAuth] and [ValidateAcct] Syntax 
Parameter
Function

[ValidateAuth]

This section applies only to authentication servers.

[ValidateAcct]

This section applies only to accounting servers.

User-Name

Names the regular expression against which the User-Name attribute is validated. If the User-Name entry is absent from the section or the regular expression is blank, no validation occurs.

RegularExpression

The regular expression lists each valid character or range of characters.

A dash (-) indicates a range of alphanumeric characters. For example, A-Z indicates every uppercase alphabetic character.

A backslash (\) followed by a non-alphanumeric character indicates that character literally, for example \? indicates the question mark.

\ is used as an escape character:

\a       bell (7)
\b       backspace (8)
\t       tab (0x09)
\n       newline (10)
\v       vertical tab (11)
\f       formfeed (12)
\r       return (13)
\xnn     hex value, where nn is a two-digit hexadecimal number
\nnn     decimal value, where nnn is a three-digit decimal number


This example permits a string composed only of upper-case and lower-case characters, digits, periods, and commas:

User-Name = A-Za-z0-9.,

This example permits upper-case and lower-case characters:

User-Name = A-Za-z
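A validator for the User-Name character-set expression defined in Table 26 (ranges, backslash escapes, \xnn and \nnn), run over the two examples above, as an added worked example in Python (not code from the Steel-Belted Radius Carrier product or this guide). Rejecting a dash that does not sit between two characters is an assumption; the guide does not define that case.

```python
from typing import FrozenSet, List, Union

_NAMED_ESCAPES = {"a": "\a", "b": "\b", "t": "\t", "n": "\n",
                  "v": "\v", "f": "\f", "r": "\r"}
_RANGE = object()   # marker for an unescaped dash


def parse_valid_charset(spec: str) -> FrozenSet[str]:
    """Expand a User-Name = RegularExpression value into the permitted characters:
    X-Y is a range, backslash + non-alphanumeric is that character literally,
    \\a \\b \\t \\n \\v \\f \\r are control characters, \\xnn is hex, \\nnn is decimal."""
    items: List[Union[str, object]] = []
    i = 0
    while i < len(spec):
        c = spec[i]
        if c == "\\":
            if i + 1 >= len(spec):
                raise ValueError("dangling backslash at end of expression")
            nxt = spec[i + 1]
            if nxt in _NAMED_ESCAPES:
                items.append(_NAMED_ESCAPES[nxt]); i += 2
            elif nxt == "x":
                items.append(chr(int(spec[i + 2:i + 4], 16))); i += 4
            elif nxt.isdigit():
                items.append(chr(int(spec[i + 1:i + 4], 10))); i += 4
            elif nxt.isalnum():
                raise ValueError("unknown escape \\%s" % nxt)
            else:
                items.append(nxt); i += 2
        elif c == "-":
            items.append(_RANGE); i += 1
        else:
            items.append(c); i += 1
    # Second pass: resolve ranges. A dash not between two characters is an error
    # here (assumption, see lead-in); write \- for a literal dash.
    allowed = set()
    j = 0
    while j < len(items):
        if items[j] is _RANGE:
            raise ValueError("dash must sit between two characters; write \\- for a literal dash")
        if j + 2 < len(items) and items[j + 1] is _RANGE and items[j + 2] is not _RANGE:
            lo, hi = ord(items[j]), ord(items[j + 2])
            if lo > hi:
                raise ValueError("reversed range %s-%s" % (items[j], items[j + 2]))
            allowed.update(chr(o) for o in range(lo, hi + 1))
            j += 3
        else:
            allowed.add(items[j]); j += 1
    return frozenset(allowed)


def user_name_is_valid(user_name: str, spec: str) -> bool:
    """True when every character of User-Name is permitted. An absent or blank
    specification means no validation, so every name passes."""
    if not spec.strip():
        return True
    allowed = parse_valid_charset(spec)
    return all(ch in allowed for ch in user_name)


if __name__ == "__main__":
    print(user_name_is_valid("alice.smith,42", "A-Za-z0-9.,"))      # True
    print(user_name_is_valid("alice@example.com", "A-Za-z0-9.,"))   # False: '@' not listed
    print(user_name_is_valid("Alice", "A-Za-z"))                     # True
```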
