RADIUS by Jonathan Hassell

The unconfirmed error reports are from readers. They have not yet been approved or disproved by the author or editor and represent solely the opinion of the reader.

Here's a key to the markup:

[page-number]: serious technical mistake
{page-number}: minor technical mistake
: important language/formatting problem
(page-number): language change or minor formatting problem
?page-number?: reader question or request for clarification

This page was updated April 9, 2008.

UNCONFIRMED errors and comments from readers:

(1) 3rd paragraph; "There's one protocol that does this all: the Remote Access Dialin User Service, or RADIUS" is incorrect. According to RFC 2865, RADIUS is an acronym for "Remote Authentication Dial In User Service"; therefore the sentence should say "There's one protocol that does this all: the Remote Authentication Dial In User Service, or RADIUS".

{16} 1st paragraph; Merit & Lucent RADIUS servers are commercial products, not free.

[31] Section on PAP; The discussion of the PAP password hiding mechanism on p31 is not correct. My understanding is that the Shared Secret and the Request Authenticator are used for the initial MD5 hashing, not the Shared Secret and the Identifier. Isn't the process better described as:

Call the shared secret S and the pseudo-random 128-bit Request Authenticator RA. Break the password into 16-octet chunks p1, p2, etc., with the last one padded at the end with nulls to a 16-octet boundary. Call the ciphertext blocks c(1), c(2), etc. We'll need intermediate values b1, b2, etc.

b1 = MD5(S + RA)
c(1) = p1 xor b1
b2 = MD5(S + c(1))
c(2) = p2 xor b2
. . .
bi = MD5(S + c(i-1))
c(i) = pi xor bi

The String will contain c(1)+c(2)+...+c(i), where + denotes concatenation. On receipt, the process is reversed to yield the original password.

(1) The result of this calculation is used as the value of the User-Password attribute.

(79) 4th entry in Table 5.1; The purpose of the --with-gnu-ld flag is mistyped.
Wrong version: "Makes the procedure assume the C compiler uses GNU ID."
Correct version: "Makes the procedure assume the C compiler uses GNU ld."

{85} From web-site; In chapter 5, RFC 2138 is referenced. To be technically correct, the most current RFC for authentication is 2865 and for accounting is RFC 2866. Sorry for not providing a page because I looked at the sample chapter from your web site. The section where the error was found is located above the "Figure 5-1. The NTRadPing 1.2 application window" snapshot. "Testing the Initial Setup. Once you have FreeRADIUS running, you need to test the configuration to make sure it is responding to requests. FreeRADIUS starts up listening, by default, on the port specified either in the local /etc/services file or in the port directive in radiusd.conf. While RFC 2138..."

{90} 1st paragraph; According to freeradius.org, FreeRADIUS should be installed under user=radius, group=radius.

{175} Other Radius Server; Navis Access is listed as the Lucent RADIUS server; however, the Lucent RADIUS server is NavisRadius. URL - http://www.lucentradius.com/

{175} bottom; Lucent's RADIUS server has been renamed "VitalAAA" and will be renamed again after the Alcatel acquisition.

{176} top; Steel Belted RADIUS (formerly Funk), now owned by Juniper, runs on BOTH Windows and Unix (SPARC) systems. Radiator is a commercial implementation of RADIUS. Bridgewater makes a RADIUS server used by large ISPs that is extremely fast and stable, but not very flexible. www.bridgewatersystems.com Cisco makes Cisco Access Control Server, which runs RADIUS & TACACS+. Available for Windows, Unix, and as an appliance.
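The User-Password hiding procedure described in the [31] report above is the one RFC 2865 (section 5.2) specifies. The following Python implementation is an added example for this page, not code from the book or from the reader; the shared secret, Request Authenticator and passwords it uses are constructed test values, and a real client would draw the Request Authenticator from a cryptographic random source for every Access-Request.

```python
import hashlib

BLOCK = 16  # MD5 digest length, which is also the RFC 2865 User-Password block size


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Return the User-Password attribute value for `password` (RFC 2865, section 5.2).

    The cleartext is NUL-padded to a 16-octet boundary, then XORed block by block
    with an MD5 keystream: b1 = MD5(S + RA), and bi = MD5(S + c(i-1)) afterwards.
    """
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out = bytearray()
    prev = request_authenticator  # RA keys the first block, c(i-1) keys the rest
    for i in range(0, len(padded), BLOCK):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + BLOCK], b))
        out += c
        prev = c
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Reverse hide_password on the server side; the chain is keyed by the
    received ciphertext blocks, so no state beyond the secret and RA is needed."""
    if len(hidden) % BLOCK or not BLOCK <= len(hidden) <= 128:
        raise ValueError("User-Password value must be 16..128 octets, a multiple of 16")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    # Strip the NUL padding; the RFC forbids NUL inside a password, so this is safe.
    return bytes(out).rstrip(b"\x00")


def demo():
    """Round-trip a constructed password and report the attribute length."""
    secret = b"constructed-shared-secret"     # constructed, not a real deployment value
    ra = bytes(range(16))                     # constructed; use os.urandom(16) per request
    password = b"hunter2-but-longer-than-16"  # 26 octets, so two 16-octet blocks
    hidden = hide_password(password, secret, ra)
    return len(hidden), unhide_password(hidden, secret, ra) == password


if __name__ == "__main__":
    print(demo())  # (32, True)
```

Two properties of the scheme are visible in the code: the keystream depends only on the shared secret and the Request Authenticator, so a Request Authenticator that repeats or is predictable lets an observer of the wire relate two requests' password blocks, and because block i is keyed by ciphertext block i-1 the chain resynchronises after a corrupted block (a change to c(1) garbles p1 and p2 but leaves p3 intact), which is a useful sanity check when debugging a server that rejects some long passwords but not others.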