Friday, Debtember 09, 2005
Yes, I expected documentation in a man page …
So Smirk calls me up late last night. “Hey Sean,” he said. “Can you install a Radius server on such-n-such a machine. I need to get my DSL working.” We're offering DSL to customers, and as a side benefit, we're all getting DSL (from The Company) for free.
Although I didn't expect things to be quite so far along. I think my reply to Smirk was “Ack,” but secretly, I was Now? He wants it now? Although, had the roles been reversed, I think I would have demanded DSL immediately as well.
I do a search for freely available Radius servers, and the first one I come across is the GNU Radius server. I get it installed and running, despite the lack of documentation. Seriously. It's not like I could immediately buy and get the documentation right then and there, and the man pages all read like:
- NAME
- radiusd - Authentication and accounting server
- SYNOPSYS
- radiusd [-A] [-a account_dir] …
- DESCRIPTION
- Ha ha ha ha ha ha ha! You expected documentation in man format? Ha ha ha ha ha ha ha ha! Silly Mortal!
Manis The Man's documentation format, and we're here to screw The Man! We useinfo, based on the “One True Editor” that is known as Emacs (and no jokes about it sucking up more memory than Windows least we come in and reformat your system to the GNU Hurd). So what if the key bindings give you carpel tunnel syndrome? If it's good enough to cripleRMSthen it's good enough to criple you. So suck it up and useinfo.
And the info pages are a twisty maze of jargon and confusing examples (more on that later).
But at this point, I have no clue how to get a Cisco router to authenticate against a Radius server, did a quick search, found a few commands, typed them in, and locked myself out of the router (as it was attempting to authenticate my administrative logins against the Radius server).
So much for Smirk and his DSL last night.
Today I spent all day on the phone with G, our CCNE consultant (who did admit that on th Cisco test, all Radius server questions were only worth a collective two points, so even he was unsure on some of this). I did, however, realize I didn't fully finish configuring GNU Radius. You first need to expliticly tell it to listen on the network port (okay, good default for the security conscience) and tell it the IP address of the client(s) (an even better default for the security paranoid).
I was luckily able to log into the Cisco router on the console port and fix the administrative login problem so G could log in. A few hours of playing, and we could administratively login locally, but network authentications (for say, DSL) would go against the Radius server. We then saw Smirk's DSL unit attempt to log in, as smirk@exapmle.net.
Only, I set the account up as smirk.
When Smirk changed his user ID to smirk, nothing, and I mean nothing came through. Smirk, G and I were checking both the Cisco logs and the Radius server logs, and nope. Smirk's DSL unit wasn't even making an attempt.
An hour or so later, Smirk got off the phone with either the CPC, the BRC or the BBG (yes, we have to work through at least three departments at BellSouth to offer DSL as a CLEC (pronounced “sē′‧lək”)—alphabet soup anyone?) and found out that BellSouth will only pass the authentication request if the packet has the format user“@”domain.
Nice.
Only I opted to configure the GNU Radius server to use the underlying Unix system authentication. Now I had to figure out how to get it to accept smirk@example.net.
I'll spare you the pain I suffered, but let me just say that GNU Radius is extremely picky about the syntax of its configuration files. And for it's security conscience about networking, it's rather stupid about CHAP authentication, where it requires the un-encrypted version of the password in the configuration file. Five hours to get:
"smirk@example.net" Suffix = "@example.net", Strip-User-Name = Yes, Auth-Type = Local, User-Password = XXXXXXXXXX Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = XXX.XXX.XXX.XXX
The commands? Case sensitive. Options, like the “Yes” … case sensitive and it has to be “Yes”. Commas? I can't figure out where it wants them, and where it doesn't want them. Basically, I had to make a change, then run radiusd -m c to see if it liked the configuration file, and if not, what it didn't like about it. And the examples! That further confused issues because of random indenting! In one section, I saw:
DEFAULT Suffix = ".ppp", Auth-Type = SQL, Login-Time = "Al", Simultaneous-Use = 1, Strip-User-Name = Yes Service-Type = Framed-User, Framed-Protocol = PPP
Somewhere else:
DEFAULT Suffix = ".slip", Strip-User-Name = Yes Hint = "SLIP", Service-Type = Framed-User, Framed-Protocol = SLIP
But then:
DEFAULT Hint = "SLIP", Auth-Type = Mysql Service-Type = Framed-User Framed-Protocol = SLIP
I found out that indenting isn't that important—that is, it's required, but how much isn't. And if you can figure out where commas are required and not, please tell me so I don't have to play “Hunt the Comma Location” again.
Sheesh.
But I finally got Smirk up and running with his DSL, and I'm slated to get it later this month. Woot!
