The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Friday, Debtember 09, 2005

Yes, I expected documentation in a man page …

So Smirk calls me up late last night. “Hey Sean,” he said. “Can you install a Radius server on such-n-such a machine. I need to get my DSL working.” We're offering DSL to customers, and as a side benefit, we're all getting DSL (from The Company) for free.

Although I didn't expect things to be quite so far along. I think my reply to Smirk was “Ack,” but secretly, I was Now? He wants it now? Although, had the roles been reversed, I think I would have demanded DSL immediately as well.

I do a search for freely available Radius servers, and the first one I come across is the GNU Radius server. I get it installed and running, despite the lack of documentation. Seriously. It's not like I could immediately buy and get the documentation right then and there, and the man pages all read like:

radiusd - Authentication and accounting server
radiusd [-A] [-a account_dir] …
Ha ha ha ha ha ha ha! You expected documentation in man format? Ha ha ha ha ha ha ha ha! Silly Mortal! Man is The Man's documentation format, and we're here to screw The Man! We use info, based on the “One True Editor” that is known as Emacs (and no jokes about it sucking up more memory than Windows least we come in and reformat your system to the GNU Hurd). So what if the key bindings give you carpel tunnel syndrome? If it's good enough to criple RMS then it's good enough to criple you. So suck it up and use info.

And the info pages are a twisty maze of jargon and confusing examples (more on that later).

But at this point, I have no clue how to get a Cisco router to authenticate against a Radius server, did a quick search, found a few commands, typed them in, and locked myself out of the router (as it was attempting to authenticate my administrative logins against the Radius server).

So much for Smirk and his DSL last night.

Today I spent all day on the phone with G, our CCNE consultant (who did admit that on th Cisco test, all Radius server questions were only worth a collective two points, so even he was unsure on some of this). I did, however, realize I didn't fully finish configuring GNU Radius. You first need to expliticly tell it to listen on the network port (okay, good default for the security conscience) and tell it the IP address of the client(s) (an even better default for the security paranoid).

I was luckily able to log into the Cisco router on the console port and fix the administrative login problem so G could log in. A few hours of playing, and we could administratively login locally, but network authentications (for say, DSL) would go against the Radius server. We then saw Smirk's DSL unit attempt to log in, as

Only, I set the account up as smirk.

When Smirk changed his user ID to smirk, nothing, and I mean nothing came through. Smirk, G and I were checking both the Cisco logs and the Radius server logs, and nope. Smirk's DSL unit wasn't even making an attempt.

An hour or so later, Smirk got off the phone with either the CPC, the BRC or the BBG (yes, we have to work through at least three departments at BellSouth to offer DSL as a CLEC (pronounced “sē′‧lək”)—alphabet soup anyone?) and found out that BellSouth will only pass the authentication request if the packet has the format user“@”domain.


Only I opted to configure the GNU Radius server to use the underlying Unix system authentication. Now I had to figure out how to get it to accept

I'll spare you the pain I suffered, but let me just say that GNU Radius is extremely picky about the syntax of its configuration files. And for it's security conscience about networking, it's rather stupid about CHAP authentication, where it requires the un-encrypted version of the password in the configuration file. Five hours to get:

"" Suffix = "",
	Strip-User-Name = Yes,
	Auth-Type = Local,
	User-Password = XXXXXXXXXX
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = XXX.XXX.XXX.XXX

The commands? Case sensitive. Options, like the “Yes” … case sensitive and it has to be “Yes”. Commas? I can't figure out where it wants them, and where it doesn't want them. Basically, I had to make a change, then run radiusd -m c to see if it liked the configuration file, and if not, what it didn't like about it. And the examples! That further confused issues because of random indenting! In one section, I saw:

DEFAULT Suffix = ".ppp",
		Auth-Type = SQL,
		Login-Time = "Al",
		Simultaneous-Use = 1,
		Strip-User-Name = Yes
	Service-Type = Framed-User,
		Framed-Protocol = PPP

Somewhere else:

DEFAULT	Suffix = ".slip",
		Strip-User-Name = Yes
	Hint = "SLIP",
		Service-Type = Framed-User,
		Framed-Protocol = SLIP

But then:

		Auth-Type = Mysql
	Service-Type = Framed-User
		Framed-Protocol = SLIP

I found out that indenting isn't that important—that is, it's required, but how much isn't. And if you can figure out where commas are required and not, please tell me so I don't have to play “Hunt the Comma Location” again.


But I finally got Smirk up and running with his DSL, and I'm slated to get it later this month. Woot!

Obligatory Picture

[It's the most wonderful time of the year!]

Obligatory Links

Obligatory Miscellaneous

You have my permission to link freely to any entry here. Go ahead, I won't bite. I promise.

The dates are the permanent links to that day's entries (or entry, if there is only one entry). The titles are the permanent links to that entry only. The format for the links are simple: Start with the base link for this site:, then add the date you are interested in, say 2000/08/01, so that would make the final URL:

You can also specify the entire month by leaving off the day portion. You can even select an arbitrary portion of time.

You may also note subtle shading of the links and that's intentional: the “closer” the link is (relative to the page) the “brighter” it appears. It's an experiment in using color shading to denote the distance a link is from here. If you don't notice it, don't worry; it's not all that important.

It is assumed that every brand name, slogan, corporate name, symbol, design element, et cetera mentioned in these pages is a protected and/or trademarked entity, the sole property of its owner(s), and acknowledgement of this status is implied.

Copyright © 1999-2019 by Sean Conner. All Rights Reserved.