1. INTRO

This is version 1.5.3 of the Cistron Radius daemon. Most of
the code was taken from radius-1.16 by Livingston Enterprises,
available from ftp.livingston.com.

This code has lots of new features:
o Multiple DEFAULT entries, that can optionally fall-through.
o In fact, every entry can fall-through
o Deny/permit access based on the huntgroup a user dials into
o Set certain parameters (such as static IP address) based on huntgroup
o Extra "hints" file that can select SLIP/PPP/rlogin based on
  username pattern (Puser or user.ppp is PPP, plain "user" is rlogin etc).
o Can execute an external program when a user has authenticated (for example
  to run a sendmail queue).
o No good documentation at all, just like the original radiusd 1.16!

Extra command line flags:
o -y: log all failed login attempts with login/password
o -z: log all successful login attempts, also with login/password.

2. COMPILE

You will need to:

o Edit src/conf.h to adjust the paths for the logfiles.
o Edit src/Makefile
  Defines:  DBM             DBM support
            NDBM            NDBM support (mutually exclusive)
            NOSHADOW        Don't compile in shadow support
            CISTRON_COMPAT  Backwards compatibility with older Cistron
                            terminal servers.
            NT_DOMAIN_HACK  Strip first part of NT_DOMAIN\loginname
            NOCASE          Dictionary file is case insensitive

o Copy the examples in raddb to /etc/raddb and edit+rename the sample files.
o If you have a Debian system, you might want to install rc.radiusd
  in /etc/init.d/radiusd and install startup symlinks with
  "update-rc.d radiusd defaults".
o If you use rc.radiusd, also install radwatch in /usr/local/sbin.
o Start radiusd (using /etc/init.d/radiusd start if applicable).

3. USAGE

You can use "last -f /var/log/radwtmp" to get "last" information on all users.
You can use "radwho" at any time to find out who's logged in.
If you want, you can install "radwho" as /usr/sbin/in.fingerd.
Also, the "raduse" program can be very useful to monitor your modem pool.

4. CONFIGURATION FILES

4a. CLIENTS

Make sure the clients (portmasters, Linux with portslave etc) are set up to
use the host radiusd is running on as authentication and accounting host.
Configure these clients to use a "radius secret password". For every client,
also enter this "secret password" into the file /etc/raddb/clients.
See also the manual page for clients(5rad).

4b. HINTS

Customize the /etc/raddb/hints file. This file is used to give users a
different login type based on a prefix/suffix of their loginname. For
example, logging in as "user" may result in an rlogin session to a Unix
system, and logging in as "Puser" starts a PPP session.

4c. HUNTGROUPS

This is the /etc/raddb/huntgroups file. Here you can define different
huntgroups. These can be used to:

  - restrict access to certain huntgroups to certain users/groups of
    users (define this in the huntgroups file itself)
  - match a loginname with a huntgroup in /etc/raddb/users. One use
    for this is to give a user a static IP address based on the
    huntgroup / Point of Presence  (s)he dials in to.

4d. USERS

With the original RADIUS server, every user had to be defined in this
file. There could be one default entry, where you could for example
define that a user not in the radius file would be checked against the
UNIX password file and on successful login would get a PPP connection.

In the new style file, you can define multiple DEFAULT entries. All
entries are processed in the order in which they appear in the users file.
If an entry matches the username, radiusd will stop scanning the users
file unless the attribute "Fall-Through = Yes" is set.
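
The scanning rule above, as an added example (a Python model written for this
README, not code from radiusd). Entries are plain data rather than parsed file
syntax, attribute names not listed in this README are illustrative, and the
model assumes that when several entries match, the earlier entry's reply value
wins.

```python
from dataclasses import dataclass, field


@dataclass
class Entry:
    """One users-file entry as plain data (a model, not the real file syntax)."""
    name: str                                    # login name or "DEFAULT"
    checks: dict = field(default_factory=dict)   # items the request must match
    reply: dict = field(default_factory=dict)    # items sent back on a match
    fall_through: bool = False                   # "Fall-Through = Yes"


def matches(entry, user, request):
    if entry.name not in ("DEFAULT", user):
        return False
    return all(request.get(k) == v for k, v in entry.checks.items())


def resolve(entries, user, request):
    """Scan in file order; return (merged reply, indexes of matching entries)."""
    reply, hits = {}, []
    for i, entry in enumerate(entries):
        if not matches(entry, user, request):
            continue
        hits.append(i)
        for key, value in entry.reply.items():
            reply.setdefault(key, value)   # assumption: the earlier entry wins
        if not entry.fall_through:
            break                          # scanning stops at this entry
    return reply, hits


def shadowed(entries):
    """Indexes that can never match: everything after the first DEFAULT that
    has no check items and does not fall through."""
    for i, entry in enumerate(entries):
        if entry.name == "DEFAULT" and not entry.checks and not entry.fall_through:
            return list(range(i + 1, len(entries)))
    return []


# Constructed sample in file order; names not in this README are illustrative.
USERS = [
    Entry("DEFAULT", {"Huntgroup-Name": "pop1"}, {"Idle-Timeout": 600}, True),
    Entry("alice", reply={"Framed-IP-Address": "192.0.2.10"}, fall_through=True),
    Entry("DEFAULT", reply={"Framed-Protocol": "PPP"}),
    Entry("bob", reply={"Framed-IP-Address": "192.0.2.20"}),   # after the catch-all
]
```

shadowed(USERS) reports the "bob" entry: it sits after an unconditional DEFAULT
without Fall-Through, so a restriction placed there would never be applied.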

4e. NEW RADIUS ATTRIBUTES (to be used in the USERS file).

Name			Type		Descr.
----			----		------
Group-Name		string		UNIX group name.
Simultaneous-Use	integer		Max. number of concurrent logins
Fall-Through		integer		Yes/No
Exec-Program		string		program to execute after authentication

Exec-Program can take arguments. You can use macros in the arguments:

  %p   Port number
  %n   NAS IP address
  %f   Framed IP address
  %u   User name
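
The user name behind %u is chosen by whoever dials in, so a program started
through Exec-Program should check its arguments before acting on them. An added
example (not part of the Cistron distribution) of such a program, assuming it is
configured with the arguments "%p %n %f %u"; the character-set policy and the
function name are assumptions of this sketch.

```python
import ipaddress
import re
import sys

# Assumed site policy (not from radiusd): short login names from a conservative
# character set, never starting with "-" so no tool reads one as an option.
USER_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.@-]{0,31}")
PORT_RE = re.compile(r"[0-9]{1,5}")


def validate_exec_args(argv):
    """Check [port, nas_ip, framed_ip, user], the expansion of "%p %n %f %u".

    Returns typed values; raises ValueError on anything unexpected.
    """
    if len(argv) != 4:
        # Also rejects the call if an expanded value contained whitespace
        # and arrived split into extra arguments.
        raise ValueError("expected 4 arguments, got %d" % len(argv))
    port, nas, framed, user = argv
    if not PORT_RE.fullmatch(port):
        raise ValueError("port is not a small decimal number")
    if not USER_RE.fullmatch(user):
        raise ValueError("user name outside the allowed character set")
    return {
        "port": int(port),
        "nas": ipaddress.IPv4Address(nas),        # raises ValueError if malformed
        "framed": ipaddress.IPv4Address(framed),
        "user": user,
    }


if __name__ == "__main__":
    try:
        args = validate_exec_args(sys.argv[1:])
    except ValueError as exc:
        sys.exit("rejecting Exec-Program arguments: %s" % exc)
    # Site-specific action goes here; hand values to other programs as an
    # argument list, never by building a shell command string.
    print("session for %(user)s on port %(port)d via %(nas)s" % args)
```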

5. LOG FILES

5a. /var/log/radutmp

In this file the currently logged in users are held. The program "radwho"
reads this file and gives you a summary. Rogue sessions can be deleted
from this file with the "radzap" program.

5b. /var/log/radwtmp

This file is "wtmp" compatible and keeps a history of all radius logins/
logouts. This file can be read with the "last" program, and other Unix
accounting programs (such as "ac" and "sac") can be used to produce a
summary.

5c. /var/log/radius.log

All RADIUS informational, diagnostic and error messages are logged in this file.
If radiusd has been started with the "-y" flag, all failed logins (including
the wrong password) will be logged in this file. With the "-z" flag, all
successful logins will be logged as well. That's pretty dangerous though
in case anyone unprivileged ever manages to get access to this file!
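
A check for that exposure, as an added example (not part of the Cistron
distribution): it reports the log, and any sibling file whose name starts with
the log's name, if group or other users have any access to it. Treating such
siblings as rotated copies is an assumption; the function name is hypothetical.

```python
import glob
import os
import stat


def exposed_logs(path="/var/log/radius.log"):
    """Return [(file, mode)] for the log and every sibling whose name starts
    with it (assumed rotated copies) that group or other users can access."""
    findings = []
    for name in sorted(glob.glob(glob.escape(path) + "*")):
        st = os.stat(name)
        # Any bit in 0o077 means someone besides the owner has some access.
        if stat.S_ISREG(st.st_mode) and st.st_mode & 0o077:
            findings.append((name, "%04o" % stat.S_IMODE(st.st_mode)))
    return findings


if __name__ == "__main__":
    for name, mode in exposed_logs():
        print("%s has mode %s; restrict it to the owner (0600)" % (name, mode))
```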

5d. /var/log/radacct/<terminal_server>/detail

This is the original radius logfile, as written by all the Livingston
radius servers. It's only created if the directory /var/log/radacct exists.
The <terminal_server> name is the short name if one is defined in
/etc/raddb/clients.


