* * * * *

                Yes, I expected documentation in a man page …

So Smirk calls me up late last night. “Hey Sean,” he said. “Can you install a
Radius server on such-n-such a machine. I need to get my DSL (Digital
Subscriber Line) working.” We're offering DSL to customers [1], and as a side
benefit, we're all getting DSL (from The Company) for free.

Although I didn't expect things to be quite so far along. I think my reply to
Smirk was “Ack,” but secretly, I was Now? He wants it **now?** Although, had
the roles been reversed, I think I would have demanded DSL immediately as
well.

I do a search for freely available Radius servers, and the first one I come
across is the GNU (Gnu's Not Unix) Radius server [2]. I get it installed and
running, despite the lack of documentation. Seriously. It's not like I could
immediately buy and get the documentation right then and there [3], and the
man pages all read like:

> NAME
>         radiusd - Authentication and accounting server
>
> SYNOPSIS
>         **radiusd** [-A] [-a account_dir] …
>
> DESCRIPTION
>         Ha ha ha ha ha ha ha! You expected documentation in man format? Ha
>         ha ha ha ha ha ha ha! Silly Mortal! Man is The Man's documentation
>         format, and we're here to screw The Man! We use info, based on the
>         “One True Editor” that is known as Emacs (and no jokes about it
>         sucking up more memory than Windows lest we come in and reformat
>         your system to the GNU Hurd). So what if the key bindings give you
>         carpal tunnel syndrome? If it's good enough to cripple RMS then it's
>         good enough to cripple you. So suck it up and use info.
>

And the info pages are a twisty maze of jargon and confusing examples (more
on that later).

But at this point, I had no clue how to get a Cisco router to authenticate
against a Radius server, so I did a quick search, found a few commands, typed them
in, and locked myself out of the router (as it was attempting to authenticate
my administrative logins against the Radius server).

So much for Smirk and his DSL last night.

Today I spent all day on the phone with G, our CCNE consultant (who did admit
that on the Cisco test, all Radius server questions were only worth a
collective two points, so even he was unsure on some of this). I did,
however, realize I didn't fully finish configuring GNU Radius. You first need
to explicitly tell it to listen on the network port (okay, good default for
the security conscious) and tell it the IP address of the client(s) (an even
better default for the security paranoid).

I was luckily able to log into the Cisco router on the console port and fix
the administrative login problem so G could log in. A few hours of playing,
and we could administratively login locally, but network authentications (for
say, DSL) would go against the Radius server. We then saw Smirk's DSL unit
attempt to log in, as [email protected].

Only, I set the account up as smirk.

When Smirk changed his user ID to smirk, nothing, and I mean nothing, came
through. Smirk, G and I were checking both the Cisco logs and the Radius
server logs, and nope. Smirk's DSL unit wasn't even making an attempt.

An hour or so later, Smirk got off the phone with either the CPC (Circuit
Provisioning Center), the BRC (Business Reliability Center) or the BBG
(Battling Business Group) (yes, we have to work through at least three
departments at BellSouth to offer DSL as a CLEC (Competitive Local Exchange
Carrier) (pronounced “sē′‧lək”)—alphabet soup anyone?) and found out that
BellSouth will only pass the authentication request if the packet has the
format user“@”domain.

Nice.

Only I opted to configure the GNU Radius server to use the underlying Unix
system authentication. Now I had to figure out how to get it to accept
[email protected].

I'll spare you the pain I suffered, but let me just say that GNU Radius is
extremely picky about the syntax of its configuration files. And for all its
security consciousness about networking, it's rather stupid about CHAP
(Challenge-Handshake Authentication Protocol) authentication, where it
requires the un-encrypted version of the password in the configuration file.
Five hours to get:

> "[email protected]" Suffix = "@example.net",
>       Strip-User-Name = Yes,
>       Auth-Type = Local,
>       User-Password = XXXXXXXXXX
>       Service-Type = Framed-User,
>       Framed-Protocol = PPP,
>       Framed-IP-Address = XXX.XXX.XXX.XXX
>

The commands? Case sensitive. Options, like the “Yes” … case sensitive and it
has to be “Yes”. Commas? I can't figure out where it wants them, and where it
doesn't want them. Basically, I had to make a change, then run radiusd -m c
to see if it liked the configuration file, and if not, what it didn't like
about it. And the examples! That further confused issues because of random
indenting! In one section, I saw:

> DEFAULT Suffix = ".ppp",
>               Auth-Type = SQL,
>               Login-Time = "Al",
>               Simultaneous-Use = 1,
>               Strip-User-Name = Yes
>       Service-Type = Framed-User,
>               Framed-Protocol = PPP
>

Somewhere else:

> DEFAULT       Suffix = ".slip",
>               Strip-User-Name = Yes
>       Hint = "SLIP",
>               Service-Type = Framed-User,
>               Framed-Protocol = SLIP
>

But then:

> DEFAULT Hint = "SLIP",
>               Auth-Type = Mysql
>       Service-Type = Framed-User
>               Framed-Protocol = SLIP
>

I found out that indenting isn't that important—that is, it's required, but
how much isn't. And if you can figure out where commas are required and not,
please tell me so I don't have to play “Hunt the Comma Location” again.
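One way to read the comma rule behind the entries above, as an added illustration that is not from the original post or from GNU Radius itself: pairs in a list are comma separated, the first pair without a trailing comma ends the check items and starts the reply items, and a line beginning in column 0 starts a new entry (which is why some indentation is required but the amount is not). The parser below is mine, implements that reading, and runs it over constructed copies of the quoted entries (with a placeholder label in place of the real user@domain); under this rule the third DEFAULT example is rejected, because the missing comma after Service-Type ends the reply list early.

```python
import re

# Constructed sample: the post's working entry (USER = placeholder label) and its first DEFAULT example.
USERS_FILE = '''"USER@example.net" Suffix = "@example.net",
      Strip-User-Name = Yes,
      Auth-Type = Local,
      User-Password = XXXXXXXXXX
      Service-Type = Framed-User,
      Framed-Protocol = PPP,
      Framed-IP-Address = XXX.XXX.XXX.XXX
DEFAULT Suffix = ".ppp",
              Auth-Type = SQL,
              Login-Time = "Al",
              Simultaneous-Use = 1,
              Strip-User-Name = Yes
      Service-Type = Framed-User,
              Framed-Protocol = PPP
'''
# The post's third example: no comma after Service-Type, so the reply list ends there and Framed-Protocol is an error.
BAD_ENTRY = '''DEFAULT Hint = "SLIP",
              Auth-Type = Mysql
      Service-Type = Framed-User
              Framed-Protocol = SLIP
'''
PAIR = re.compile(r'\s*([\w-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,\s]+)\s*(,?)')  # Attr = value[,]

def parse_pairs(text):
    """[(name, value, trailing_comma), ...] for one line of an entry."""
    if PAIR.sub("", text).strip():                    # leftovers mean unparsable text
        raise SyntaxError(f"cannot parse {text.strip()!r}")
    return [(n, v.strip('"'), c == ",") for n, v, c in PAIR.findall(text)]

def parse_entries(text):
    """Rule assumed: a column-0 line starts an entry; pairs are comma separated; the first
    pair without a trailing comma ends the check list, the next one ends the reply list."""
    entries, cur = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line and line[0] not in " \t":              # column 0: a new entry begins
            label, rest = (line.split(None, 1) + [""])[:2]
            cur = {"label": label.strip('"'), "check": [], "reply": [], "state": "check"}
            entries.append(cur)
        else:                                          # indented (or blank): same entry
            rest = line
        for name, value, comma in parse_pairs(rest):
            if cur["state"] == "done":
                raise SyntaxError(f"line {lineno}: {name} after the reply list; a comma is missing above")
            cur[cur["state"]].append((name, value))
            if not comma:                              # no comma closes the current list
                cur["state"] = "reply" if cur["state"] == "check" else "done"
    return [{k: v for k, v in e.items() if k != "state"} for e in entries]
```

The check items are what the server matches against the incoming request (including User-Password, which has to be in the clear here because CHAP verification needs it), and the reply items are what goes back to the Cisco on success.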

Sheesh.

But I finally got Smirk up and running with his DSL, and I'm slated to get it
later this month. Woot!

[1] gopher://gopher.conman.org/0Phlog:2005/11/15.1
[2] http://www.gnu.org/software/radius/radius.html
[3] http://www.gnu.org/doc/radius.html

Email author at [email protected]