Radius Authentication Server Project
We implement a simple Radius Authentication server, mostly compliant with the protocol given in RFC 2865: Remote Authentication Dial In User Service.
NAME
    mini-radius

SYNOPSIS
    mini-radius [-vR -k shared-key -p port] -h host username password
    mini-radius [-vLR -k shared-key -p port] password-file

DESCRIPTION
    The program runs as either client or server, depending on whether the -h option is present. If server, the password-file is opened and the server listens on the port for authentication requests. If client, the given username and password are authenticated to the server/port as given in the options, and YES or NO is printed, according to the result.

    The protocol is described in RFC 2865, simplified for only password authentication. The access-request (code 1) packet sent by the client has two attributes, user-name (code 1) and user-password (code 2); and the response is either an access-accept (code 2) or an access-reject (code 3).

OPTIONS
    -k  the shared key for encrypting, the default is pa55word0
    -p  the port the server listens (is listening) on, the default is 1812
    -h  the radius server hostname
    -v  Verbose. Helpful debugging output to stdout.
    -R  no randomness. The stream of random bytes used by the program is set to 1, 2, 3, ...
    -L  when run as a server, do not loop; answer one full request and terminate

FILE FORMAT
    Usernames/passwords are stored in a file on the server. It is of the format (name:password\n)+ where name and password are non-empty strings from (a-z, A-Z, 0-9)*.

NOTES
    The program will have simplifying limitations, as given in the detailed project instructions.

HISTORY
    First introduced in Spring 2017.

LAST UPDATED
    28 March 2017
Detailed description
Because the algorithm for masking the password is complicated by variable-length passwords, and because the length of the password should not be disclosed, our mini-radius will MD5 hash the password to exactly 16 bytes, so only one 16-byte block needs masking. The openssl library has the MD5 function. See man 3 md5. The -R option provides non-randomness for testing. Cryptographic randomness is provided by /dev/random and /dev/urandom. See man urandom. You can ignore the requirement for NAS-IP-Address or NAS-Identifier in the access request packet.
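The following is an added worked example of the simplified exchange, not the project's own code (the project is written in C against the openssl MD5 function; Python's hashlib is used here so the example runs stand-alone). The packet codes, attribute types, default shared key pa55word0 and the -R byte stream 1, 2, 3, ... come from the page; the password-file contents, the username alice and the identifier 7 are constructed. The client hides MD5(password) by XORing it with MD5(shared-key || Request Authenticator) as in RFC 2865 section 5.2, the server recovers that 16-byte value and compares it against MD5 of the stored password, and the client checks the Response Authenticator before printing YES or NO.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865, as used on the page.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

DEFAULT_SHARED_KEY = b"pa55word0"            # default -k value from the page
SAMPLE_PASSWORD_FILE = "alice:s3cret\nbob:hunter2\n"  # constructed sample file


def request_authenticator(no_randomness=False):
    """16-byte Request Authenticator; with -R the 'random' stream is 1, 2, 3, ..."""
    if no_randomness:
        return bytes(range(1, 17))
    return os.urandom(16)


def hide_password(password, shared_key, authenticator):
    """RFC 2865 5.2 hiding with the project's simplification: the password is
    MD5-hashed to exactly 16 bytes first, so a single block is masked.
    b = MD5(S + RA); hidden = p XOR b."""
    p = hashlib.md5(password.encode()).digest()
    b = hashlib.md5(shared_key + authenticator).digest()
    return bytes(x ^ y for x, y in zip(p, b))


def unhide_password(hidden, shared_key, authenticator):
    """Inverse of hide_password; yields MD5(password), never the password."""
    b = hashlib.md5(shared_key + authenticator).digest()
    return bytes(x ^ y for x, y in zip(hidden, b))


def build_access_request(identifier, username, password, shared_key, authenticator):
    """Code 1 packet: 20-byte header, then User-Name (1) and User-Password (2)."""
    name = username.encode()
    hidden = hide_password(password, shared_key, authenticator)
    attrs = bytes([ATTR_USER_NAME, 2 + len(name)]) + name
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Walk the type/length/value attributes after the 20-byte header."""
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[t] = packet[i + 2:i + length]
        i += length
    return attrs


def build_response(code, request, shared_key):
    """Code 2 or 3 packet with the RFC 2865 Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + shared_key).digest()


def server_handle(request, shared_key, password_file_text):
    """Server side: validate the request, compare the recovered MD5(password)
    against the stored password for that user, answer accept or reject."""
    if len(request) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", request[:4])
    try:
        attrs = parse_attributes(request)
    except ValueError:
        attrs = {}
    if (code != ACCESS_REQUEST or length != len(request)
            or ATTR_USER_NAME not in attrs
            or len(attrs.get(ATTR_USER_PASSWORD, b"")) != 16):
        return build_response(ACCESS_REJECT, request, shared_key)
    username = attrs[ATTR_USER_NAME].decode(errors="replace")
    recovered = unhide_password(attrs[ATTR_USER_PASSWORD], shared_key, request[4:20])
    for line in password_file_text.splitlines():
        name, _, stored = line.partition(":")
        if name == username and hmac.compare_digest(
                hashlib.md5(stored.encode()).digest(), recovered):
            return build_response(ACCESS_ACCEPT, request, shared_key)
    return build_response(ACCESS_REJECT, request, shared_key)


def client_verify(response, request, shared_key):
    """Client side: True (YES) only for a well-formed Access-Accept whose
    identifier matches and whose Response Authenticator checks out."""
    if len(response) != 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + shared_key).digest()
    if not hmac.compare_digest(response[4:20], expected):
        return False
    return response[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    ra = request_authenticator(no_randomness=True)      # as with -R
    req = build_access_request(7, "alice", "s3cret", DEFAULT_SHARED_KEY, ra)
    resp = server_handle(req, DEFAULT_SHARED_KEY, SAMPLE_PASSWORD_FILE)
    print("YES" if client_verify(resp, req, DEFAULT_SHARED_KEY) else "NO")
```

Two points the code makes concrete: the server never sees the cleartext password, only its MD5, so the stored password is hashed before the constant-time comparison; and because the mask is MD5(shared-key || Request Authenticator), the -R mode repeats the same mask on every request, which is fine for a deterministic test harness but is exactly why a real client must draw the authenticator from /dev/urandom.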
Author: Burton Rosenberg
Created: 28 March 2017
Last Update: 28 March 2017