summaryrefslogtreecommitdiffstats
path: root/doc/vendor
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 09:49:46 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 09:49:46 +0000
commit50b37d4a27d3295a29afca2286f1a5a086142cec (patch)
tree9212f763934ee090ef72d823f559f52ce387f268 /doc/vendor
parentInitial commit. (diff)
downloadfreeradius-50b37d4a27d3295a29afca2286f1a5a086142cec.tar.xz
freeradius-50b37d4a27d3295a29afca2286f1a5a086142cec.zip
Adding upstream version 3.2.1+dfsg.upstream/3.2.1+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/vendor')
-rw-r--r--doc/vendor/ascend57
-rw-r--r--doc/vendor/bay11
-rw-r--r--doc/vendor/cisco.rst168
-rw-r--r--doc/vendor/proxim12
4 files changed, 248 insertions, 0 deletions
diff --git a/doc/vendor/ascend b/doc/vendor/ascend
new file mode 100644
index 0000000..57a44be
--- /dev/null
+++ b/doc/vendor/ascend
@@ -0,0 +1,57 @@
+ Ascend Radius Options
+ or
+ What happens when a big vendor ignores an RFC
+
+
+ FreeRADIUS uses Vendor-Specific attributes to send the Ascend attributes.
+By default, Ascend NASes send the Ascend specific attributes as NON VSA's,
+which conflict with new RADIUS attributes assigned by the IETF. This was
+a very bad screw-up by Ascend that still causes many headaches, but sometimes
+we have to live with it, so we try to cope the best we can.
+
+ If you see a large number of messages about invalid Message-Authenticator
+attribute, you most likely are affected by this problem, and should implement
+the first option.
+
+You have two options:
+
+o Enable VSA's on the Ascend/Lucent MAX:
+
+ This is by far the preferred method ( as it solves many other problems ).
+
+ Max6000/4000 Series TAOS with Menued Interface:
+
+ Go to Ethernet->Mod Config->Auth.
+ At the bottom of the menu, change Auth-Compat from "OLD" to "VSA".
+ Save your changes, no reboot is needed.
+
+ Go to Ethernet->Mod Config->Acct.
+ At the bottom of the menu, change Acct-Compat from "OLD" to "VSA".
+ Save your changes, no reboot is needed.
+
+ Max TNT/Apex 8000 Series TAOS with CLI:
+
+ nas> read external-auth
+ nas> set rad-auth-client auth-radius-compat = vendor-specific
+ nas> set rad-acct-client acct-radius-compat = vendor-specific
+ nas> write
+
+o Enable OLD attributes in FreeRADIUS
+
+ One note on this, Ciscos have an Ascend compatibility mode that
+ accepts only the OLD style Ascend attributes, just to make life more
+ interesting. :)
+
+ You can make FreeRADIUS send the OLD style attributes by prefixing the
+ Ascend attributes with 'X-' in the 'users' file, sql table, ldap directory,
+ attr_filter module, etc...
+
+ Thus the VSA Ascend attribute:
+
+ Ascend-Data-Filter
+
+ becomes the OLD Ascend attribute:
+
+ X-Ascend-Data-Filter
+
+$Id$
diff --git a/doc/vendor/bay b/doc/vendor/bay
new file mode 100644
index 0000000..a23cacd
--- /dev/null
+++ b/doc/vendor/bay
@@ -0,0 +1,11 @@
+ All versions of the BAY software prior to 18.0.2 are broken in
+regards to the Message-Authenticator. They send a strictly MD5
+encoded secret instead of the encoding required by the RFC. This has
+been fixed in 18.0.2 and only 18.0.2.
+
+ If you see messages in the radius log like:
+
+Received packet from xxx.xxx.xxx.xxx with invalid Message-Authenticator!
+
+ and you are using a Bay Annex, then you MUST upgrade the software on
+your Annex. There is NO other solution to the problem.
diff --git a/doc/vendor/cisco.rst b/doc/vendor/cisco.rst
new file mode 100644
index 0000000..12270cb
--- /dev/null
+++ b/doc/vendor/cisco.rst
@@ -0,0 +1,168 @@
+Cisco IOS and Radius
+====================
+
+Introduction
+------------
+
+Cisco NAS equipment has become quite popular of late, but being Cisco
+equipment running IOS, the configuration can be a bit non-obvious to the
+unfamiliar. This document aims to describe the most common configuration
+options to make your Ciscos interoperate with radius as you would expect a
+well-behaved NAS to do.
+
+IOS 12.x
+--------
+
+For Cisco 12.x ( 12.0 and 12.1 ), the following AAA configuration directives
+are suggested:
+
+::
+
+ aaa new-model
+ aaa authentication login default group radius local
+ aaa authentication login localauth local
+ aaa authentication ppp default if-needed group radius local
+ aaa authorization exec default group radius local
+ aaa authorization network default group radius local
+ aaa accounting delay-start
+ aaa accounting exec default start-stop group radius
+ aaa accounting network default start-stop group radius
+ aaa processes 6
+
+this configuration works very well with most radius servers. One of the more
+important configurations is:
+
+::
+
+ aaa accounting delay-start
+
+This directive will delay the sending of the Accounting Start packet until
+after an IP address has been assigned during the PPP negotiation process.
+This will supersede the need to enable the sending of "Alive" packets as
+described below for IOS versions 11.x
+
+*Note* with the above it will use the radius server to authenticate
+your inbound 'telnet' connections. You will need to create an entry
+in your users file similar to the following to allow access:
+
+::
+
+ !root Cleartext-Password := "somepass" Service-Type = NAS-Prompt-User
+
+This will let a user in for the first level of access to your Cisco. You
+will still need to 'enable' ( using the locally configured enable secret )
+to perform any configuration changes or anything requiring a higher level
+of access. The username '!root' was used as an example here, you can make
+this any username you want, of course.
+
+Unique Acct-Session-Id's
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+From: http://isp-lists.isp-planet.com/isp-australia/0201/msg05143.html
+
+Just a note to all cisco ISPs out there who want RFC2866 compliance need to
+enable the hidden command ``radius-server unique-ident <n>``
+
+Minimum IOS: 12.1(4.1)T.
+
+Acct-Session-Id should be unique and wrap after every 256 reboots.
+
+You must reboot after entering this command to take effect. If not, you
+will observe after 10 minutes
+of entering this command, the following message.
+
+::
+
+ %RADIUS-3-IDENTFAIL: Save of unique accounting ident aborted.
+
+IOS 11.x
+--------
+
+For Cisco 11.1, you normally use
+
+::
+
+ aaa new-model
+ aaa authentication ppp radppp if-needed radius
+ aaa authorization network radius none
+ aaa accounting network wait-start radius
+
+to get the Cisco to talk to a radius server.
+
+With IOS 11.3
+^^^^^^^^^^^^^
+
+::
+
+ aaa accounting update newinfo
+
+If you want the IP address of the user to show up in the radutmp file
+(and thus, the output of "radwho").
+
+This is because with IOS 11.3, the Cisco first sends a "Start" accounting
+packet without the IP address included. By setting "update newinfo" it
+will send an account "Alive" packet which updates the information.
+
+Also you might see a lot of "duplicates" in the logfile. That can be
+fixed by:
+
+::
+
+ aaa accounting network wait radius
+ radius-server timeout 3
+
+To disable the Ascend style attributes (which is a VERY good idea!):
+
+::
+
+ radius-server host X.Y.Z.A auth-port 1645 acct-port 1646
+
+To enable the Ascend style attributes (which we do NOT recommend!):
+
+::
+
+ radius-server host X.Y.Z.A auth-port 1645 acct-port 1646 non-standard
+
+To see Cisco-AVPair attributes in the Cisco debugging log:
+
+ radius-server vsa accounting
+
+Cisco 36xx & 26xx, keeping the NAS IP static
+--------------------------------------------
+
+The Cisco 36/26 by default selects (it seems at random) any IP address
+assigned to it (serial, ethernet etc.) as it's RADIUS client source
+address, thus the access request may be dropped by the RADIUS server,
+because it can not verify the client. To make the cisco box always use
+one fixed address, add the following to your configuration:
+
+::
+
+ ip radius source-interface Loopback0
+
+and configure the loopback interface on your router as follows:
+
+::
+
+ interface Loopback0
+ ip address 192.0.2.250 255.255.255.255
+
+Use a real world IP address and check the Cisco documentation for why
+it is a good idea to have working loopback interface configured on
+your router.
+
+If you don't want to use the loopback interface of course you can set
+the source-interface to any interface on your Cisco box which has an
+IP address.
+
+Credits
+-------
+
+Original - Alan DeKok <aland@ox.org>
+12.x Info - Chris Parker <cparker@starnetusa.net> 2000-10-12
+
+More Information
+----------------
+For more information, the following page on Cisco's web site may help:
+
+http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/vapp_dev/vsaig3.htm
diff --git a/doc/vendor/proxim b/doc/vendor/proxim
new file mode 100644
index 0000000..3a8f2b9
--- /dev/null
+++ b/doc/vendor/proxim
@@ -0,0 +1,12 @@
+Proxim
+^^^^^^
+
+Proxim AP-2000 NASes up to and including firmware version 2.4.5 ignore
+the Session-Timeout attribute, despite the fact that Proxim's firmware
+release notes specifically state that it is supported. On top of
+this, firmware version 2.4.5 (the latest as of this writing) has a bug
+in which the reauthentication interval on the AP cannot be set to any
+value less than 2 hours. As such, fine-grained control of client
+session times is not currently possible with this NAS. Note that this
+NAS is OEMed to several vendors, including Avaya, and may be listed
+under different names with different vendors.