RADIUS
Since its initial 0.1 release, Holger and Kostas have been hard at work putting together a whole host of changes for the 0.2.1 release. This release is now available with the following changelog:
- Fix for accounting request port bug (0.2.1)
- Add more sanity checks on the incoming RADIUS packets. This should eliminate a few security threats in the previous version.
- Add functions for changing attribute values (length should be the same for now)
- Add functions for reading attribute values instead of using the attribute structure elements (nice OO abstraction)
- Make maximum attribute value length 253 (as it should be).
- Add UserLogon attribute support and the corresponding dictionary
  - UserLogon-HomeDir: User home directory
  - UserLogon-Type: In our case, Windows-Logon
  - UserLogon-Restriction: Determine if the user is anonymous, or admin
  - UserLogon-GroupNames: User Groups
  - UserLogon-DriveNames: Drives to map
  - UserLogon-UserDescription: User Description
  - UserLogon-UserFullName: User Full Name
  - UserLogon-UserProfile: The default user profile to use
  - UserLogon-UserDomain: The Domain to use for the user
- Add anonymous user support
- Move a few attributes to the build_radius_packet() function so that they always get sent.
- Add support for Vendor Specific attributes.
- Update the random vector calculator to be more random.
- Calculate session-time in a nicer way.
- Support the Class attribute.
- Move a few static variables to a request_t structure and remember that.
- Allow the administrator to specify the NAS-IP-Address to be sent in requests.
- Support the Session-Timeout attribute.
- If multiple IPs are returned for a given server hostname, choose one of them randomly (instead of simply using the first one).
- Save a copy of the radius_server_t structure which was used for authentication and remember it in order to reuse the server data for accounting (instead of repeatedly reading the configuration from the registry and repeatedly resolving the server hostname).
- Make the select() timeout configurable.
- Make the local port the RADIUS plugin bind()s to configurable.
- Make the Service-Type attribute values configurable separately for authentication and accounting requests; but make this a “hidden feature”, as using different values for authentication and accounting is a rather uncommon setup. The value set via the configuration dialog will be saved to the registry as “service_type” and used for both authentication and accounting as long as “service_type_acct” (which would be used for accounting) isn’t set manually.
- Update the configuration dialog to support the new options.
- Update documentation with all new features.
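
The changelog does not say which sanity checks were added, so the following is an added example rather than the plugin's own code: the framing checks that RFC 2865 implies for a received packet, including why an attribute value can never exceed 253 octets. The names `radius_check_packet`, `sample_accept` and the error codes are hypothetical, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define RADIUS_HDR_LEN      20    /* Code + Identifier + Length + 16-octet Authenticator */
#define RADIUS_MAX_PKT_LEN  4096  /* RFC 2865 maximum packet length */
#define RADIUS_ATTR_HDR_LEN 2     /* attribute Type + Length octets */

enum radius_check { RADIUS_OK = 0, RADIUS_ERR_SHORT = -1,
                    RADIUS_ERR_LENGTH = -2, RADIUS_ERR_ATTR = -3 };

/* Constructed sample: Access-Accept carrying one Session-Timeout attribute. */
const uint8_t sample_accept[26] = {
    2, 1, 0x00, 0x1a,                      /* Code 2, Identifier 1, Length 26 */
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,    /* Authenticator (zeroed placeholder) */
    27, 6, 0x00, 0x00, 0x0e, 0x10          /* Session-Timeout = 3600 seconds */
};

/* Validate the framing of a received packet before any attribute is read.
 * On success the attribute count is stored in *n_attrs (may be NULL). */
int radius_check_packet(const uint8_t *buf, size_t received, size_t *n_attrs)
{
    size_t declared, off = RADIUS_HDR_LEN, count = 0;

    if (buf == NULL || received < RADIUS_HDR_LEN)
        return RADIUS_ERR_SHORT;

    declared = ((size_t)buf[2] << 8) | buf[3];   /* Length is big-endian */
    if (declared < RADIUS_HDR_LEN || declared > RADIUS_MAX_PKT_LEN ||
        declared > received)                     /* never trust Length beyond the datagram */
        return RADIUS_ERR_LENGTH;

    /* Octets past 'declared' are padding and are ignored. */
    while (off < declared) {
        size_t alen;
        if (declared - off < RADIUS_ATTR_HDR_LEN)
            return RADIUS_ERR_ATTR;              /* no room for Type + Length */
        alen = buf[off + 1];
        if (alen < RADIUS_ATTR_HDR_LEN || alen > declared - off)
            return RADIUS_ERR_ATTR;              /* too small, or overruns the packet */
        /* alen fits in one octet (<= 255), so the value is at most 253 octets. */
        off += alen;
        count++;
    }
    if (n_attrs != NULL)
        *n_attrs = count;
    return RADIUS_OK;
}
```
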
The RADIUS Plugin for pGina is written by:
Holger Weiss <holger@ZEDAT.FU-Berlin.DE>
Code contributions by: Kostas Kalevras <kkalev@noc.ntua.gr>
Feel free to drop us an e-mail if you have any questions, bug reports or comments on the plugin.
You may want to watch Holger’s home page for the plugin as well: http://www.jhweiss.de/software/radius.html