RAdmin® Radius User Administration

5.2.1 mSQL

1. Edit installMsql.sh, check and possibly change the configurable variables near the top to suit your site.
2. sh installMsql.sh

5.2.2 MySQL

1. Edit installMysql.sh, check and possibly change the configurable variables near the top to suit your site.
2. Become root
3. sh installMysql.sh

5.2.3 Oracle

1. Edit installOracle.sh, check and possibly change the configurable variables near the top to suit your site.
2. sh installOracle.sh

5.2.4 Sybase

1. Edit installSybase.sh, check and possibly change the configurable variables near the top to suit your site.
2. sh installSybase.sh

5.2.5 Postgresql

1. Edit installPostgresql.sh, check and possibly change the configurable variables near the top to suit your site.
2. sh installPostgresql.sh

5.2.6 DBD::SQLite2

1. Edit installSQLite2.sh, check and possibly change the configurable variables near the top to suit your site.
2. sh installSQLite2.sh

5.2.7 Other Databases

We have not provided installation scripts for other databases. You will need to follow these steps:

1. Following your SQL vendor's instructions, create an empty database
2. Create a database user that has permission to create tables in the new database
3. Set the new database users password
4. Edit Radmin/Sql.pm, and configure it so that RAdmin can connect to the SQL database, using the connection name rules for your selected DBD module, plus the user name and password you created above.
5. Create the tables by running

 
perl createdb.pl -create

This will attempt to log in to the database using the details you entered into Radmin/Sql.pm, then create the tables described in Radmin/Schema.pm

1. If the previous step fails, it may be due to unusual table creation syntax for your SQL server. If so, you may need to hand edit a file to create the tables for your database. You can see what createdb.pl is trying to do by running it like this:

 
perl createdb.pl -create -n -d

1. Install the basic data into the database with:

 
perl createdb.pl basicdb.dat radattrs.dat  

1. Try to automate the entire process and send us an installXXX.sh so others can benefit from your experience.

6.3.1 Creating an empty database on MS-SQL 6.5

1. Run SQL Enterprise Manager. You may have to register your SQL server the first time you connect by entering the IP address, the "sa" login and the sa password (which is blank in a newly installed SQL server).
2. Choose Manage->Database Devices in the menubar. Click on "Create New Device". Enter the new device name (we recommend "radmindev") and the database device size you chose above. Enter a suitable location for the device (this is where the database file will be stored).
3. Using the same method, create the transaction log device. We recommend that you name the log device "radminlogdev".
4. Choose Manage->Databases in the menubar. Click on "Create New Database". Specify a database name (we recommend "radmin"). Make sure you put the database on the database device you created, and the transaction log on the transaction log device that you created. Check the "Truncate Log on Checkpoint" checkbox (if that is present).
5. Click "Create Now"
6. Close Enterprise Manager

6.3.2 Creating an empty database on MS-SQL 7.0 and SQL Server 2000

1. Run Enterprise Manager. It should automatically register the new SQL server the first time you run it.
2. In the left hand window, find your server by expanding the SQL Server Group. Double-click on your server name.
3. Right click on the Databases folder. Choose "New Database". Specify a database name (we recommend "radmin") and the size you chose above.
4. Click on the Transaction Log tab. Specify the size for the transaction log that you chose above.
5. Click on the Options tab. Check the "Truncate Log on Checkpoint" checkbox.
6. Click OK. The database device will be created and sized automatically.
7. Close Enterprise Manager

6.3.3 Create the RAdmin database user

You must now create a database user that the RAdmin scripts will use to log in to the database you created above.

1. Run the ISQL_w application (on MS-SQL 6.5) or the Query Analyzer (for MS-SQL 7.0). Login as "sa", password is blank in a new SQL server.
2. Change to the "radmin" database, using the DB: menu near the top.
3. Run these commands as SQL queries:

 
sp_addlogin radmin,radminpw,radmin
go
sp_changedbowner radmin,true
go

This creates a new database user called "radmin", with a password "radminpw". You may wish to choose a different password, but we recommend that you keep the user name radmin. The default database for the "radmin" user is set to the "radmin" database, which is also owned by radmin. Record these names and password, you will need them later.

1. Close ISQL_w or Query Analyzer

6.3.4 Create an ODBC System Data Source Name (DSN)

Now you must create an ODBC System DSN so that RAdmin can connect to your SQL database. You must make it a System DSN, not a User DSN.

1. Double-click on "ODBC" in the Control Panel
2. Choose the "System DSN" tab
3. Click on "Add..."
4. Choose "SQL Server (32-bit)" if it is present, else "SQL Server". If these are not present, then you have not correctly installed the ODBC drivers for MS-SQL.
5. Click on Finish
6. You will get a new window "Create a New Data Source to SQL Server". In the Name: field, enter "Radmin". In the Description field, enter "RAdmin radius database". In the Server field, choose or enter the name of the server where your SQL database is running (usually "local", meaning on the same computer). Click on "Next>"
7. Choose the "With SQL Server authentication using ..." radio button. In Login ID: enter "radmin". In Password, enter "radminpw", or whatever the password you configured for the radmin user is. Click on "Next>"
8. Click on "Next>"
9. Click on "Next>"
10. Click on "Finish"
11. Click on "Test Data Source". This will attempt to connect using ODBC to the Radmin database, and log in as the radmin user. If it says "TESTS COMPLETED SUCCESSFULLY!" you are ready to move onto the next step. Click on "OK"
12. Close the ODBC Data Source Administrator.

6.3.5 Create the RAdmin tables and complete the installation

By now, you should have installed a web server, ActiveState Perl, plus the DBI and DBD-ODBC perl modules. If so, you can now use the createdb.pl program supplied with RAdmin to create the database tables that RAdmin needs.

1. Start a MS-DOS Command Prompt window.
2. Change directories to the RAdmin distribution
3. Edit the file Radmin\Sql.pm in your RAdmin distribution directory. This is the file that tells all the RAdmin programs how to connect to the SQL database. Ensure that it is set up like this:

 
$Radmin::config{DBSource}   = 'dbi:ODBC:Radmin';
$Radmin::config{DBUsername} = 'radmin';
$Radmin::config{DBAuth} = 'radminpw';

Where "Radmin" is the name of the ODBC System DSN you created above, "radmin" is the SQL database login name you created above, and "radminpw" is the password for that user.

1. Run the command:

 
perl createdb.pl -create -- basicdb.dat radattrs.dat

This will create all the tables and data that RAdmin needs

7.1.1 RAdmin user authentication

In web-based adminstration packages such as RAdmin, it is commmon to require administrators to log in before they can use the system. RAdmin has a flexible system for authenticating access to RAdmin web pages. The RAdmin system administrator is able to configure one of 3 types of authentication:

• No authentication.
• Web-Server authentication.
• RAdmin authentication.

Hint: There should never be any need to configure both Web-Server authentication and RAdmin authentication.

7.1.2 No Authentication

This is the default configuration for RAdmin.

In this option, Administrative users are not required to log in before using the RAdmin web pages. You would only choose this if there were only one or 2 administrators, and then only access to the RAdmin web pages was from within the local network. This option is not recommended for production systems.

In this method every administrative user is logged in as `anonymous', and will receive the permissions profile configured for `anonymous' on the `Edit Administrative User' page.

7.1.3 Web-Server authentication.

With this option, RAdmin user authentication is done by your web server, using whatever methods and systems have been configured into the web server. You might choose this option if you have a pre-existing system for controlling and authenticating access to web server pages for your staff. With this option, the Password field on the `Edit Administratorve User'' page is not used. To enable this option, you must configure your web server appropriately but you do not need to enable any authentication options with RAdmin.

In this method every administrative user will receive the permissions profile configured into RAdmin for the username with which they authenticated to the web server (or `anonymous' if no such Administrative user has been configured into RAdmin). See the `Edit Administrative User' page for each web-server authenticated user.

Like any other web application, you can configure your web server so that only specific users can access particular pages. You can choose whether or not to do this, based on a number of factors:

• Do you intend to let your dialup users access the public/changePassword.pl page and change their own page?
• Do you intend to impose user-specific permissions to RAdmin users, i.e. to permits different staff members to do different things?

In order to distinguish between your dialup users (usually the public, with few privileges), and your authorized RAdmin administrative users (usually your internal staff, responsible for administering the end users), or to distinguish between individual RAdmin users (perhaps with different access levels or permissions) you will need to enable web server access control on your web server.

The way to do this depends on what type of web server you are running, and is usually different for each type. If you are running the Apache, you can put a .htaccess file in each directory you wish to protect. In the following example, only users specified in the password file are permitted to access the contents of the directory.

 
# Example Apache .htaccess file
AuthUserFile /path/to/your/password/file
AuthName "RAdmin system"
AuthType Basic
require valid-user

Consult your web server vendor documentation for details on other web servers.

It is common practice to enable access control for the RAdmin private scripts (usually in cgi-bin/Radmin/private), and to have no access control for the publicly runnable scripts (usually in cgi-bin/Radmin/public).

: It is possible to configure Apache (and some other web server) to authenticate web users by access a Radius server (such as Radius) to authenticate users. This can be very convenient, because you would not have to maintain a separate AuthUserFile for your Apache web access.

7.1.4 RAdmin authentication.

With this option, Administrative User authentication is done by Radmin. To enable this option, set the `Authenticate Admin users?' option on the `Edit RAdmin Configuration'. When this option is set, RAdmin users will be required to log in to RAdmin before any RAdmin functions can be used. The first time an administrative page is access, a RAdmin Login page will be presented and the user will be required to enter a valid administrative user name and password (configured using the `Add Administrative User' page).

Having logged in, the administrative user will not need to re-authenticate until the `Maximum Admin User session time (mins)' expires.

This options requires cookies to be enabled in Administrative user's web browsers.

7.1.5 RAdmin user permissions

Regardless of how RAdmin users are authenticated, RAdmin applies restrictions to what RAdmin users are able to do using the RAdmin web pages.

You can impose different levels of access to the RAdmin system to different users by using RAdmin permissions. These allow you to specify what RAdmin functions your RAdmin users are permitted to access. (Do not confuse this with what your dialup users are allowed to do: RAdmin users are usually your staff members charged with adding, changing and administering your dialup users)

You can create any number of Permission Profiles, using the Add Permissions Profile page. Each Permission Profile lists what actions RAdmin users with that profile are permitted to do. Then you can add and configure RAdmin users using the Add Admin User page. There you can select which Permissions Profile the user gets, and therefore what things that RAdmin user is permitted to do.

When a RAdmin page is protected by web access control, RAdmin will attempt to match their web user name with a RAdmin Administrator User Name, in order to find out what permissions they have. The exceptions to this are:

• If there is no web access control on that page, the name "anonymous" will be used. This is usually the general public who have few, if any permissions.
• If there is no exact matching RAdmin user name, the profile for the Radmin user "DEFAULT" will be used. DEFAULT is therefor a catchall for users that do not have their own RADmin Admin user entry.

RAdmin is delivered with a number of standard Permission profiles and 2 RAdmin users" "anonymous" and "DEFAULT", each with the "Everything" permissions profile. This means that any user person with access to your web server has permission to do anything in RAdmin. . It is common practice to give "View own usage" and "Change own password" to "anonymous", and more extensive permissions to your staff. At least one of your staff should have the "All" profile, so that they can administer the permissions profiles of other users. The you can add, change and delete as many Permissions profiles as you need to suit your organization's requirements.

7.1.6 Subscriptions

RAdmin can optionally manage a set of web page subscriptions. With this system, you can establish a set of subscription products, each with its own Apache htpasswd style password file. You can then enable or disable access to each product on a per-user basis. RAdmin will then automatically add or remove the user from the web server access file, and optionally email the user with access details. Automatic expiry is supported by the goodies/expire program. Importation of user data from a (now obsolete) Subs user database is supported by the goodies/importsubs program (see Section 8.2 ).

To enable Subscriptions, you need to set $Radmin::config{Subscriptions} to 1 in your Site.pm file. There are a number of other Site.pm configuration options that relate only to Subscriptions, such as SubscriptionEmailBody, SubscriptionEmailSubject that you may wish to configure to suit your site.

7.1.7 Digipass Support

RAdmin can optionally support Vasco Digipass tokens (http://www.vasco.com). Digipass tokens are small handheld devices that generate one-time-passwords. They can be purchased from Vasco and issued to your users. Such tokens provide much higher levels of security than static passwords. Vasco Digipass is supported by RAdmin on Solaris, Linux and Windows. Support for Vasco Digipass requires the installation of the Authen::Digipass module from Open System Consultants. The Authen::Digipass module is available in the standard Radiator distribution.

You can add new tokens into the RAdmin database with the RAdmin `Import Digipass Tokens' page. After a token is imported, it must be allocated to a user before that user can use the token to authenticate.

In order to enable Yubikey token support:

1. Install Radiator in the usual way
2. Follow the instructions in Radiator/goodies/digipass-install.txt to install the Authen-Digipass support module (precompiled binaries for Solaris, Linux and Windows are included with Radiator). This is required on both the Radiator host and on the RAdmin web server host (if they are different).
3. Install RAdmin as described above in this document.
4. On the `Edit Radmin Configuration' page enable the `Support Vasco Digipass?' option. Click `'.
5. RAdmin web pages will now include `List Digipass Tokens' and `Import Digipass Tokens', and the Edit User page will include some new options for allocating and listing Digipass tokens.
6. Configure Radiator based on the example configuration file goodies/radminDigipass.cfg which shows how to authenticate using Digipass token data held in the RAdmin database.

Exactly which Digipass actions are available to a particular RAdmin user depends on the Permissions profile assigned to them. The Permissions profile individually controls whether a user can List, Allocate, Deallocate, Unlock, Reset, Reset the static password and Import tokens.

7.1.8 Yubikey Support

RAdmin can optionally support Yubikey tokens from Yubico (http://www.yubico.com). Yubico tokens are small USB devices that act like a keyboard and which type in a one-time-password when the button is pressed. They can be purchased from Yubico and issued to your users. Such tokens provide much higher levels of security than static passwords. Yubikey is supported on all RAdmin platforms. Support for Vasco Digipass requires the installation.

Each Yubikey token has a unique Token ID (also called the public identity in Yubico documentation), and a secret AES cryptographic key. In order to authenticate a Yubikey token, the RAdmin database must contain a Yubikey record containing both the Token ID and the AES secret for that key. You can add new tokens into the RAdmin database with the RAdmin `Import Yubikey Tokens' page. After a token is imported, it must be allocated to a user before that user can use the token to authenticate.

In order to enable Yubikey token support:

1. Install Radiator in the usual way
2. Install the Auth-Yubikey_Decrypter-0.05 module from CPAN (www.cpan.org) and the Crypt::Rijndael module, also available from CPAN on the Raditor host.
3. Install RAdmin as described above in this document.
4. On the `Edit Radmin Configuration' page enable the `Support Yubikey?' option. Click `'.
5. RAdmin web pages will now include `List Yubikey Tokens' and `Import Yubikey Tokens', and the Edit User page will include some new options for allocating and listing allocated Yubikey tokens.
6. Configure Radiator based on the example configuration file goodies/radminYubikey.cfg which shows how to authenticate using Yubikey token data held in the RAdmin database.

Exactly which Yubikey actions are available to a particular RAdmin user depends on the Permissions profile assigned to them. The Permissions profile individually controls whether a user can List, Allocate, Deallocate, and Import tokens.

The `Import Yubikey Tokens' has an optional feature for automatically initialising Yubikeys. This feature requires that the Yubico Windows COM/ActiveX Personalization Library be installed on the browser host. If that package is installed, when the Import Yubikey Tokens' appears, the user is pronpted to insert a Yubikey into a USB port on the browser host. The Yubikey wil be automatically initiliased with a new random Token ID and AES Secret.

If the Yubico Windows COM/ActiveX Personalization Library is not installed, the administrator will need to use the Yubico Personalization Tool to program the Yubikey with a new 6 byte Token ID (public identity) and a random AES Secret (AES key), then enter the programmed Token ID and AES Secret into the Import Yubikey Tokens' page.

FIGURE 1. Edit RAdmin Configuration

The following configuration options are available:

7.2.1 Administrator email address

The email address of the RAdmin system administrator. Used to generate the link in the contact address at the bottom of every RAdmin page.

7.2.2 Authenticate Admin users?

If this option is enabled, Administrative users will be reqauired to log in to RAdmin before being able to use RAdmin.

Caution: do not enable this option until you have configured the required Administrative users and their passwords.

Hint: The default passwords for the default Administrative users `anonymous' and `DEFAULT' are empty.

7.2.3 Auto password format

The format for automatically generated passwords. Used in the `Add User' page. The format consists of a sequence of special characters, which specify how to generate a random password. The following special characters are available:

For example, if Auto password format is set to cvcvc99 it would generate passwords like: hobela56 or pemedo25 , which are relatively easy for English speakers to pronounce and remember.

7.2.4 Date Format

The format that will be used to display dates, and to recognize input dates. Options include:

• yyyy-mm-dd
• dd/mm/yy
• mm/dd/yy

7.2.5 Enable Debug?

Causes RAdmin to print some internal debugging information to STDERR. It is sometimes useful for finding and fixing database access problems. Most web servers will capture this information and log it to a log file. For Apache, this would typically be a file like /etc/httpd/logs/error_log. The exact location may depend on your local web server configuration.

7.2.6 Default Email Address

The default Email Address for the `Add User' page.

7.2.7 Default Service name

The default Service Profile for the `Add User' page.

7.2.8 Default Static Address

The default Static IP Address for the `Add User' page.

7.2.9 Default User Name

The default User Name for the `Add User' page. If most of your user names have a common feature (such as an @domain.com), this can be used to set up the default domain suffix.

7.2.10 Default Valid From date

The default Valid From for the `Add User' page. Any of the special relative dates such as `today', `tomorrow' etc. can be used.

7.2.11 Default Valid To date

The default Valid To for the `Add User' page. Any of the special relative dates such as `1 week', `1 year' etc. can be used.

7.2.12 Subscription email From:

The `From:' address that will be used on all automatically generated emails sent by the RAdmin subscription system. Only used if `Enable Subscription Management' is enabled.

7.2.13 Hide Passwords?

If this flag is enabled, the Edit User page will disguise all user passwords, rather than showing them in plaintext. The passwords will be disguised with the string entered in `Password Mask' below.

7.2.14 Time Interval Format

The format used to display time intervals, such as in the `List Usage' and `Usage Summary' pages.

7.2.15 Logo image

The name of your site's log image file. Must be an absolute or a relative URL.

7.2.16 Maximum Admin User session time (mins)

This option specifies the maximum time (in minutes) that an Adminstrative User authenticated by RAdmin can use RAdmin without re-authenticating. After this time has expired the user will be required to re-authenticate. If set to 0, session times are not limited, and the user will not be required to reauthenticate for as long as they continue to use the same browser.

7.2.17 Password storage format

Specifies how end-user passwords are to be stored in the RAdmin database. Options are:

Caution : if you change this, you will also need to alter your Radiator configuration so that it expects the new format. Failure to do this may result in users being unable to log on through Radiator.

7.2.18 Password Mask

When `Hide Passwords' is enabled, this specifies the string that will be used to hide passwords in the `Edit User' page.

7.2.19 Rcrypt Key

When `Password storage format' is set to RCrypt, this is the key that will be used to encrypt and decrypt passwords from the RADmin database. If you are using RCrypt storage, your Radiator system will have to be configured to use exactly the same Rcrypt key that you enter here.

7.2.20 Subscription email SMTP Server

If `Enable Subscription management' is set, this field specifies the name or address of the SMTP mail server that will be used to send automatically generated email.

7.2.21 Subscription Email Access

If `Enable Subscription management' is set, this field specifies the text that will be used in the body of emails sent when access has been granted to one or more subscription products. It will typically be used to tell the user their username and password. IN the text, the special character %0 will be replaced with the users User Name, and %1 will be replaced with their password.

7.2.22 Subscription Email Body

If `Enable Subscription management' is set, this field specifies the text of email that is sent whenever access to a subscribed product(s) changes. %0 is replaced by password details (see Subscription Email Access above). If access to any product has been added or extended %1 is replaced by the product access change details.

7.2.23 Subscription Email Subject

If `Enable Subscription management' is set, this field specifies the Subject: line that will be used on all outgoing emails about subscription changes.

7.2.24 Enable Subscription management

This flag enables RAdmin subscription management option. When enabled, administrators are able to define subscription products, and then select which product(s) end users are subscribed to.

7.2.25 Support Vasco Digipass

If this flag is set and the Authen-Digipass Perl module is installed on the RAdmin server host, then a number of new menu items and links will appear for importing, listing and assigning Vasco (www.vasco.com) Digipass tokens for each user. See Section 7.1.7 for more details.

7.2.26 Support Yubikey

If this flag is set, then a number of new menu items and links will appear for importing, listing and assigning Yubico (www.yubico.com) Yubikey tokens for each user. See Section 7.1.7 on page 14 for more details.

7.2.27 Table heading attributes

Customizes the look of headings in the tables on various list pages. Any HTML that can be used inside <th>...</th> tags is valid.

7.2.28 Table heading font

Customizes the font of headings in the tables on various list pages. Any HTML that can be used inside a <font ...> tag is valid.

7.2.29 User help document

Absolute or relative URL for the location of the RADmin user administrator help document.

7.2.30 Volume Interval Format

The format used to display data volumes, such as in the `List Usage' and `Usage Summary' pages.