3.114. <ServerHTTP>

The <ServerHTTP> clause presents an HTTP interface that allows Radiator to be monitored, configured and reconfigured through a standard web browser. The Graphical User Interface (GUI) that it presents is designed to be easy to use and intuitive, and to allow access to the full range of detailed configuration options that are usually accessed directly by editing the configuration file.
The GUI presented by <ServerHTTP> is a useful alternative to the more traditional editing of the Radiator configuration file. Further, it allows access to other useful information about the host that Radiator is running on, the details of the version of Perl installed, and details about the versions and modules of Radiator installed on that host.
The GUI presented by this interface is described in Section 5. Configuring Radiator with GUI.
<ServerHTTP> supports TLS. For more information about TLS parameters, see Section 3.9. TLS configuration.

Authentication

Any user attempting to connect to <ServerHTTP> is subject to authentication. If authentication does not succeed, the user is unable to access any web pages. Once the user has logged in, the information the user is permitted to see and the actions the user is permitted to perform are controlled by the user's Privilege Level. The authentication steps are:
  1. Check all the clauses in the AuthBy list, if any, continuing until the AuthByPolicy is met.
  2. If no AuthBy clause succeeds (or if there are no AuthBy clauses), authenticate against the hardwired User name and Password in this clause.
  3. If the hardwired User name is not defined, permit authentication as the user ’anonymous’ without a password.
If the last AuthBy returns ACCEPT, the connection is accepted. If the last AuthBy returns IGNORE, or there are no AuthBys, then authentication falls back to the hardwired User name and Password parameters.
Note
If you plan to use <AuthBy RADIUS>, you need to configure the AuthBy with the Synchronous parameter. Otherwise <AuthBy RADIUS> returns immediately with IGNORE.
An authentication lasts for the time period given by SessionTimeout, after which the user will be required to log in again.
The user's Privilege Level is determined in the following way:
  1. If the successful authentication was from an AuthBy clause, and the user had a Management-Policy-Id reply item, then the Privilege Level is given by the integer in the Management-Policy-Id.
  2. Otherwise the Privilege Level is given by the DefaultPrivilegeLevel parameter.

Privilege Level

The information the user is permitted to see and the actions the user is permitted to perform are controlled by the user's Privilege Level. The Privilege Level is a number from 0 to 15, where 0 is the lowest privilege (which does not even permit logging in) and 15 is the highest, which allows all actions.
The Privilege Level is a bitmask obtained by adding together the following numbers:
  • 1: Permission to view basic (non-security-critical) status only.
  • 2: Permission to reset the server
  • 4: Permission to edit and change the running configuration (but not save it)
  • 8: Permission to save changes to the configuration file
For example, to grant privilege to view status and to reset the server, the Privilege Level should be set to 3 (1 + 2). To grant all privileges, the Privilege Level should be set to 15 (1 + 2 + 4 + 8).
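The following added example (not Radiator code and not part of the original documentation) models the authentication steps and the Privilege Level bitmask described above, so that the effect of a missing hardwired User name or a high DefaultPrivilegeLevel can be checked. The ServerHTTP class, its field names and the functions are hypothetical; only the bit values, the 'anonymous' fallback and the Management-Policy-Id rule come from this page.

```python
from dataclasses import dataclass
from typing import Optional

# Bit values from the Privilege Level list on this page.
PRIVILEGE_BITS = {1: "view status", 2: "reset server",
                  4: "edit running config", 8: "save config file"}

def decode_privilege(level: int) -> list:
    """Expand a Privilege Level (0..15) into the permissions it grants."""
    if not 0 <= level <= 15:
        raise ValueError("Privilege Level must be between 0 and 15")
    return [name for bit, name in PRIVILEGE_BITS.items() if level & bit]

@dataclass
class ServerHTTP:  # hypothetical model of the clause, not Radiator code
    username: Optional[str] = None      # hardwired User name
    password: Optional[str] = None      # hardwired Password
    default_privilege_level: int = 0    # DefaultPrivilegeLevel

def resolve_login(cfg, user, password, authby_reply=None):
    """Return the granted Privilege Level, or None when login is refused.

    authby_reply: reply items (dict) from an AuthBy that returned ACCEPT,
    or None when the AuthBy list is empty or ended in IGNORE.
    """
    if authby_reply is not None:
        # Management-Policy-Id, when present, overrides the default level.
        level = int(authby_reply.get("Management-Policy-Id",
                                     cfg.default_privilege_level))
    elif cfg.username is not None:
        if (user, password) != (cfg.username, cfg.password):
            return None
        level = cfg.default_privilege_level
    elif user == "anonymous":
        level = cfg.default_privilege_level  # step 3: no password checked
    else:
        return None
    return level if level > 0 else None      # level 0 cannot log in

def audit(cfg):
    """Flag settings that let a fallback login see or change the server."""
    findings = []
    perms = decode_privilege(cfg.default_privilege_level)
    if cfg.username is None and perms:
        findings.append("anonymous login granted: " + ", ".join(perms))
    if cfg.default_privilege_level & 12:
        findings.append("DefaultPrivilegeLevel allows configuration changes")
    return findings
```

In this model, leaving the hardwired User name undefined while DefaultPrivilegeLevel is 15 gives the passwordless 'anonymous' user every permission whenever no AuthBy accepts the login.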
CAUTION
Careless configuration of this clause can open security holes in your RADIUS host. In order to limit the possibility of security compromise, it is recommended that you:
  1. Limit the clients that can connect with the Clients parameter.
  2. Make sure the Radiator configuration file is only readable by root.
  3. Consider making Radiator run as a non-privileged user.
  4. Use secure user names and passwords to authenticate access to this server.
  5. Enable SSL connections only with the UseSSL flag.
  6. Disable this clause when not required.