Radius
RADIUS is a simple mechanism and can be added to the main core of ClearOS with relative ease so that it snaps into the LDAP infrastructure. Ideally this will be added to ClearOS 5.2 as a feature.
This spec assumes that the steps in the RADIUS HowTo have been completed as well.
Webconfig
Add RADIUS Tab
A new tab should appear in the
RADIUS Service Page
The body of the page is standard.
Start/Stop ToAuto/Manual
This tab should have the usual 'Start'/'Stop' button for the radiusd service and the 'To Auto'/'To Manual' button that controls whether the service is started at boot.
Group
This element should be a pulldown menu that enumerates all the current groups. Members of the selected group are the users who will receive Access-Accept when an authentication request comes in; users outside the group are rejected.
When this element is set it changes the groupmembership_attribute value in the ldap{} element in radiusd.conf. Note that in rlm_ldap groupmembership_attribute only names the LDAP attribute that carries a user's group memberships; the actual accept/reject decision needs an Ldap-Group check item as well (for example a DEFAULT entry in the users file that sets Auth-Type := Reject when Ldap-Group does not match the selected group), so the implementation must write both.
Servers that can access this RADIUS Server
This area will look similar to the Web Server page and will have the ability to add multiple entries. These entries directly map to, and are enumerated from, the /etc/raddb/clients.conf file. By default, the localhost entry will be listed and, instead of the 'Remove' button, it will have a Disable/Enable button. This will comment or uncomment the entry in clients.conf. Two caveats for the implementation: the shared secrets are stored in clear text in clients.conf and displayed in this table, so the file must stay readable only by root and the radiusd user and the page must be restricted to administrators; and because any host that can reach the server and knows a secret can submit authentication requests, the localhost test entry should be left disabled unless it is in use and its secret must not stay at the well-known default.
The table will look like this (the last column holds the Remove button, or Disable/Enable for the localhost entry):
Name | Server Address | Shared Secret | Action
---|---|---|---
Debug | localhost | radiustest | |
wap | 10.1.1.50 | w1r3l35s | |
server | server4.mycompany.lcl | VpNS3cr3t | |
machines | 10.1.1.192/28 | cl13nt5 | |
The output of such a configuration in /etc/raddb/clients.conf would be:
```
#client 127.0.0.1 {
#	secret = radiustest
#	shortname = Debug
#	nastype = other
#}

client 10.1.1.50 {
	secret = w1r3l35s
	shortname = wap
	nastype = other
}

client server4.mycompany.lcl {
	secret = VpNS3cr3t
	shortname = server
	nastype = other
}

client 10.1.1.192/28 {
	secret = cl13nt5
	shortname = machines
	nastype = other
}
```
When an entry is created, nastype is set to 'other'. If the user has manually changed the nastype of an existing entry to a different value, adding new servers/networks to the list must NOT override that manual setting: the existing file has to be re-read and existing entries rewritten with their current nastype values.
- Name (shortname): should be 15 characters or less with no spaces or special characters; letters, digits, dashes and underscores are OK.
- Server Address (client): can be an FQDN, an IP address, or a CIDR network.
- Shared Secret (secret): still needs to be tested to see whether characters such as $ or * cause problems. $ is the likely candidate because ${name} references are expanded in FreeRADIUS configuration files, and # starts a comment, so secrets containing such characters must either be refused by the form or be written quoted and escaped, and the result verified against radiusd -X.
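The following is an added example of the generate-and-re-read cycle this page describes; it is not ClearOS webconfig or FreeRADIUS code. It enforces the three field rules above, writes the clients.conf layout shown earlier (disabled entries commented out line by line), and re-parses an existing file so that a hand-edited nastype survives when a new client is appended. The set of characters it refuses in a secret is this example's conservative choice pending the testing the spec calls for; the RadiusClient, render, parse and add_client names are the example's own.

```python
"""Generate and re-read a FreeRADIUS clients.conf from a webconfig-style client table.

Added example, not ClearOS or FreeRADIUS code. Rules follow the spec: shortname is
1-15 characters of [A-Za-z0-9_-], the address is an IP, a CIDR network or an FQDN,
new entries get nastype 'other', and an existing entry's nastype is never overwritten.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,15}$")
# RFC 1123 style labels: letters, digits, hyphens, no leading/trailing hyphen.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
                     r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# '#' opens a comment and '${...}' is variable expansion in FreeRADIUS config files;
# quotes, backslash and whitespace would need escaping in an unquoted value.
# Refusing all of them is this example's conservative policy (assumption).
SECRET_FORBIDDEN = set('#$"\\\' \t')


@dataclass
class RadiusClient:
    name: str          # shortname
    address: str       # client address: IP, CIDR or FQDN
    secret: str
    nastype: str = "other"
    enabled: bool = True


def valid_address(addr: str) -> bool:
    """IP address, CIDR network with zero host bits, or an FQDN (not all digits)."""
    try:
        if "/" in addr:
            ipaddress.ip_network(addr, strict=True)
        else:
            ipaddress.ip_address(addr)
        return True
    except ValueError:
        return bool(FQDN_RE.match(addr)) and not re.fullmatch(r"[0-9.]+", addr)


def form_error(client: RadiusClient) -> str:
    """Return the message the webconfig form should show, or '' if the entry is valid."""
    if not NAME_RE.match(client.name):
        return f"bad shortname {client.name!r}"
    if not valid_address(client.address):
        return f"bad client address {client.address!r}"
    if not client.secret or SECRET_FORBIDDEN & set(client.secret):
        return "secret is empty or contains characters that need escaping"
    return ""


def render(clients: List[RadiusClient]) -> str:
    """Write clients.conf text; disabled entries are commented out line by line."""
    out = []
    for c in clients:
        err = form_error(c)
        if err:
            raise ValueError(err)
        block = [f"client {c.address} {{",
                 f"\tsecret = {c.secret}",
                 f"\tshortname = {c.name}",
                 f"\tnastype = {c.nastype}",
                 "}"]
        prefix = "" if c.enabled else "#"
        out.extend(prefix + line for line in block)
        out.append("")
    return "\n".join(out)


BLOCK_RE = re.compile(r"^(#?)client\s+(\S+)\s*\{\n(.*?)^#?\}", re.M | re.S)
KV_RE = re.compile(r"^#?\s*(\w+)\s*=\s*(\S+)", re.M)


def parse(text: str) -> List[RadiusClient]:
    """Read clients.conf back, including commented-out (disabled) blocks."""
    clients = []
    for m in BLOCK_RE.finditer(text):
        kv = dict(KV_RE.findall(m.group(3)))
        clients.append(RadiusClient(kv["shortname"], m.group(2), kv["secret"],
                                    kv.get("nastype", "other"), m.group(1) == ""))
    return clients


def add_client(existing_conf: str, new: RadiusClient) -> str:
    """Append a client with nastype 'other' without touching existing nastype values."""
    clients = parse(existing_conf)
    if any(c.name == new.name or c.address == new.address for c in clients):
        raise ValueError("duplicate shortname or address")
    new.nastype = "other"
    return render(clients + [new])


if __name__ == "__main__":
    # Constructed sample matching the spec's table: disabled localhost entry plus
    # a WAP whose nastype an admin changed by hand, then a new CIDR client is added.
    current = render([RadiusClient("Debug", "localhost", "radiustest", enabled=False),
                      RadiusClient("wap", "10.1.1.50", "w1r3l35s", nastype="cisco")])
    print(add_client(current, RadiusClient("machines", "10.1.1.192/28", "cl13nt5")))
```

Parsing the commented-out blocks is what makes the Disable/Enable button round-trip: a disabled entry keeps its secret and nastype in the file and reappears in the table, and only the uncommented blocks are live for radiusd.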