LinuxCommandLibrary

pppd-radius

Authenticate, authorize and account for PPP connections using a RADIUS server

SYNOPSIS

pppd [options] plugin radius.so [radius-config-file <file>] [avpair <attribute=value>] ...

PARAMETERS

plugin <path_to_plugin.so>
    Loads a shared-library plugin into pppd. The RADIUS client is the radius.so plugin that ships with the pppd sources; a bare name such as radius.so is looked up in pppd's version-specific plugin directory (for example /usr/lib/pppd/<version>/). The companion radattr.so plugin writes the attributes received from the server to /var/run/radattr.<ifname> so that ip-up scripts can act on them.

radius-config-file <path_to_file>
    Overrides the compiled-in path of the RADIUS client configuration file, typically /etc/radiusclient/radiusclient.conf; builds against radiusclient-ng or radcli may default to that library's own directory. The file names the authentication and accounting servers and points to the file that holds the shared secrets.

avpair <attribute=value>
    Adds an attribute to every Access-Request and Accounting-Request the plugin sends (for example a NAS-Identifier). The attribute name must be defined in the dictionary named in the configuration file.

auth
    Requires the peer to authenticate itself before network traffic is allowed. Without it (or with noauth) pppd never consults RADIUS for the peer, so an access server must set it.

require-chap
    Requires the peer to authenticate with CHAP (MD5). The plugin forwards the challenge and response as CHAP-Challenge and CHAP-Password, so the RADIUS server must hold the user's password in clear text; a store of one-way hashes cannot answer CHAP. The plugin also handles require-mschap and require-mschap-v2, which it relays in Microsoft vendor-specific attributes.

require-pap
    Requires the peer to authenticate with PAP. The password crosses the PPP link in clear and reaches the server in User-Password, hidden only by an MD5 keystream derived from the shared secret. Prefer CHAP or MS-CHAPv2 unless the password store permits nothing else.

user <name>
    Sets the name pppd uses when it authenticates itself to the peer. It does not influence the RADIUS User-Name: when pppd is the access server, that attribute is taken from the peer's PAP or CHAP response.

name <name>
    Sets the local system name used in PPP authentication (the name pppd presents, and the server name matched in secrets files). The plugin does not derive the RADIUS NAS-Identifier from it; if the server keys on that attribute, add it with avpair.

debug
    Enables verbose logging of LCP, authentication and plugin activity, which is the first thing to read when the server rejects or ignores requests. Pair it with the RADIUS server's own logs and a packet capture on UDP 1812/1813 when the two sides disagree.

DESCRIPTION

pppd-radius refers to the integration of the Point-to-Point Protocol daemon (pppd) with RADIUS (Remote Authentication Dial-In User Service) for centralized Authentication, Authorization, and Accounting (AAA).

Instead of pppd relying on local files (e.g., /etc/ppp/chap-secrets) or PAM for user authentication, it queries a remote RADIUS server. This setup is crucial for Internet Service Providers (ISPs), VPN servers, and other network access servers that require scalable and centralized user management.

The radius.so plugin shipped with pppd embeds a copy of the radiusclient library, so its configuration follows the radiusclient.conf format. For each connection it sends an Access-Request carrying the peer's credentials and applies the attributes returned in the Access-Accept, then sends Accounting-Request packets (Start at link-up, Stop at teardown, and in recent versions interim updates when the server returns Acct-Interim-Interval) that carry the session identifier, duration and byte counts.

CAVEATS

Using pppd-radius requires careful configuration and attention to security:

1. RADIUS Server Setup: A functioning RADIUS server (e.g., FreeRADIUS) must list pppd's address and shared secret as a client and must hold credentials in a form that can answer the chosen PPP method: CHAP needs the clear-text password, MS-CHAP the clear-text or NT-hash password, PAP works with any store.
2. Configuration File: radiusclient.conf must name the authentication and accounting servers, the dictionary, and the servers file that maps each server host to its shared secret.
3. Security: RADIUS runs over UDP with no transport protection. Only User-Password is hidden, by an MD5 keystream derived from the shared secret, and request and response integrity rest on an MD5 of the packet plus that secret; usernames, CHAP responses and returned attributes travel in clear. Use long random secrets, one per NAS, keep the servers file readable by root only, and either keep the path to the server on a trusted network or carry it over IPsec. Firewall UDP 1812 (authentication) and 1813 (accounting); older servers may still listen on 1645/1646.
4. Plugin Dependency: radius.so is built from the pppd sources, but not every distribution installs it alongside pppd; check the plugin directory before relying on it.
5. Troubleshooting: Debugging can be complex, involving analysis of pppd logs, RADIUS server logs, and potentially network packet captures.

CONFIGURATION FILE DETAILS

The core configuration for the RADIUS client is typically found in /etc/radiusclient/radiusclient.conf (or the radiusclient-ng/radcli equivalent). Each line is a key followed by its value. Key settings include:

  • authserver, acctserver: The server that receives Access-Requests and Accounting-Requests respectively, written as host or host:port (defaults 1812 and 1813). The port is part of these entries; there are no separate auth_port or acct_port keys.
  • servers: Path to the file listing one "host secret" pair per line. It holds the shared secrets and must be owned by root with mode 0600.
  • dictionary: Path to the RADIUS dictionary file, which maps attribute names (including vendor-specific ones such as the Microsoft attributes) to their numbers and types.
  • radius_timeout, radius_retries: Seconds to wait for a reply and how many times to retransmit before giving up on a server. (login_tries and login_timeout belong to the library's login.radius helper and do not affect pppd.)
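The following is an added example, not pppd or radiusclient code, covering the configuration keys above and the checklist in CAVEATS: it writes a constructed pppd options file, radiusclient.conf and servers file into a temporary directory and audits them for the mistakes that matter (auth not required, plugin not loaded, ports placed in non-existent auth_port/acct_port keys, secrets file readable by others, short secrets, a server with no secret). Hostnames, paths and the secret are made up.

```python
"""Added example (not pppd or radiusclient code): write a constructed pppd options
file plus radiusclient.conf/servers pair, then audit them for common mistakes."""
import os
import stat
import tempfile

# Constructed pppd options for a RADIUS-backed access server.
PPPD_OPTIONS = """\
plugin radius.so
radius-config-file {dir}/radiusclient.conf
auth
require-mschap-v2
lock
"""

# Constructed radiusclient.conf: whitespace-separated key/value, '#' comments.
# Ports ride on the server entries as host:port; secrets live in a separate file.
RADIUSCLIENT_CONF = """\
authserver      radius1.example.net:1812
acctserver      radius1.example.net:1813
servers         {dir}/servers
dictionary      {dir}/dictionary
radius_timeout  10
radius_retries  3
"""

# One "host secret" pair per line; root-only permissions are the point.
SERVERS_OK = "radius1.example.net   constructed-example-secret-0123456789\n"


def parse_conf(path):
    """First token is the key, the rest of the line the value; '#' starts a comment."""
    conf = {}
    with open(path) as fh:
        for raw in fh:
            parts = raw.split("#", 1)[0].split(None, 1)
            if parts:
                conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_servers(path):
    secrets = {}
    with open(path) as fh:
        for raw in fh:
            parts = raw.split("#", 1)[0].split()
            if len(parts) >= 2:
                secrets[parts[0]] = parts[1]
    return secrets


def audit_pppd_options(path):
    with open(path) as fh:
        opts = [l.strip() for l in fh if l.strip() and not l.lstrip().startswith("#")]
    findings = []
    if not any(o.split()[:2] == ["plugin", "radius.so"] for o in opts):
        findings.append("radius.so plugin is not loaded")
    if "noauth" in opts or "auth" not in opts:
        findings.append("peer authentication is not required (need 'auth', drop 'noauth')")
    if "require-pap" in opts and not any(o.startswith(("require-chap", "require-mschap")) for o in opts):
        findings.append("only PAP is required; peer passwords cross the link in clear")
    return findings


def audit_radiusclient(conf_path, min_secret_len=16):
    conf = parse_conf(conf_path)
    findings = []
    for stale in ("auth_port", "acct_port"):  # not radiusclient keys; silently ignored
        if stale in conf:
            findings.append("%s is not a radiusclient key; use host:port on authserver/acctserver" % stale)
    servers_path = conf.get("servers", "")
    if not os.path.isfile(servers_path):
        return findings + ["servers file missing: %r" % servers_path]
    mode = stat.S_IMODE(os.stat(servers_path).st_mode)
    if mode & 0o077:
        findings.append("%s is group/world accessible (mode %o); shared secrets leak" % (servers_path, mode))
    secrets = parse_servers(servers_path)
    for key in ("authserver", "acctserver"):
        host = conf.get(key, "").split(":")[0]
        if not host:
            findings.append("%s is not set" % key)
        elif host not in secrets:
            findings.append("%s %s has no secret in %s" % (key, host, servers_path))
        elif len(secrets[host]) < min_secret_len:
            findings.append("secret for %s is only %d characters" % (host, len(secrets[host])))
    return findings


def write_and_audit(pppd_options=PPPD_OPTIONS, servers_text=SERVERS_OK, servers_mode=0o600,
                    conf_text=RADIUSCLIENT_CONF):
    """Materialise the constructed files in a temp dir and return all findings."""
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ("options", "radiusclient.conf", "servers")}
        for name, text in (("options", pppd_options), ("radiusclient.conf", conf_text)):
            with open(paths[name], "w") as fh:
                fh.write(text.format(dir=d))
        with open(paths["servers"], "w") as fh:
            fh.write(servers_text)
        os.chmod(paths["servers"], servers_mode)
        return audit_pppd_options(paths["options"]) + audit_radiusclient(paths["radiusclient.conf"])


if __name__ == "__main__":
    print(write_and_audit() or "no findings")
    print(write_and_audit(PPPD_OPTIONS.replace("\nauth\n", "\nnoauth\n"),
                          "radius1.example.net  short\n", 0o644))
```

The second call in the main block reproduces the three failure modes at once: pppd will happily bring the link up without asking RADIUS, any local user can read the shared secret, and a five-character secret is guessable offline from a single captured Access-Request/Accept pair because the Response Authenticator is just MD5 over known bytes plus the secret.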

RADIUS ATTRIBUTES AND FUNCTIONALITY

A RADIUS server can return attributes in the Access-Accept that pppd's plugin applies to the session. The ones the plugin itself acts on include:

  • IP Address Assignment: Framed-IP-Address becomes the peer's address, overriding the address given in the options file or on the command line.
  • DNS Server Assignment: MS-Primary-DNS-Server and MS-Secondary-DNS-Server (Microsoft vendor-specific attributes, sometimes abbreviated MS-DNS1/MS-DNS2) are handed to the peer through IPCP.
  • Session Control: Session-Timeout (maximum session duration) and Idle-Timeout (disconnect after that many seconds without traffic).
  • Other attributes: pppd ignores attributes it does not understand, including Cisco-AVPair rate limits. Load radattr.so so they are written to /var/run/radattr.<ifname>, where an /etc/ppp/ip-up script can apply them (for example with tc).
  • Accounting: pppd sends Accounting-Request Start and Stop packets carrying Acct-Status-Type, Acct-Session-Id, Acct-Session-Time, Acct-Input-Octets and Acct-Output-Octets, together with the same User-Name, NAS-IP-Address and NAS-Port as the authentication request, so the server can correlate the two.
This allows centralized control over client network parameters and comprehensive session logging.
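To make the exchange concrete, here is an added example that is not pppd or radiusclient code: it builds the PAP Access-Request an access server sends (User-Password hidden per RFC 2865 section 5.2, plus the NAS-IP-Address, NAS-Port, Service-Type, Framed-Protocol and NAS-Port-Type attributes), lets a toy server answer with an Access-Accept carrying Framed-IP-Address, Session-Timeout and MS-Primary-DNS-Server, verifies the Response Authenticator the way the client must before applying anything, and computes the Accounting-Request authenticator from RFC 2866. The secret, user and addresses are constructed for the example.

```python
"""Added example (not pppd or radiusclient code): RADIUS PAP Access-Request,
Access-Accept and Accounting-Request framing with the RFC 2865/2866 authenticators."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
FRAMED_PROTOCOL, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, SESSION_TIMEOUT = 7, 8, 26, 27
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID = 40, 42, 43, 44
NAS_PORT_TYPE = 61
SERVICE_FRAMED, PROTO_PPP, PORT_TYPE_VIRTUAL, ACCT_START = 2, 1, 5, 1
VENDOR_MICROSOFT, MS_PRIMARY_DNS_SERVER = 311, 28


def avp(t, value):
    """Attribute: Type(1) Length(1, counts the header) Value."""
    return struct.pack("!BB", t, 2 + len(value)) + value

def avp_int(t, n):
    return avp(t, struct.pack("!I", n))

def avp_ip(t, ip):
    return avp(t, socket.inet_aton(ip))

def vsa(vendor, vtype, value):
    """Vendor-Specific (26): vendor-id(4), then vendor-type(1) vendor-length(1) value."""
    return avp(VENDOR_SPECIFIC, struct.pack("!IBB", vendor, vtype, 2 + len(value)) + value)

def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = Request Authenticator.
    Obfuscation keyed only by the shared secret, not encryption."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret, nas_ip, nas_port, authenticator=None):
    """NAS side: credentials plus the attributes a PPP access server adds."""
    ra = authenticator or os.urandom(16)
    attrs = (avp(USER_NAME, user) + avp(USER_PASSWORD, hide_password(password, secret, ra))
             + avp_ip(NAS_IP_ADDRESS, nas_ip) + avp_int(NAS_PORT, nas_port)
             + avp_int(SERVICE_TYPE, SERVICE_FRAMED) + avp_int(FRAMED_PROTOCOL, PROTO_PPP)
             + avp_int(NAS_PORT_TYPE, PORT_TYPE_VIRTUAL))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def sign_reply(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_reply(reply, request_auth, secret):
    """NAS side: an Accept whose Response Authenticator fails must be dropped as spoofed."""
    length = struct.unpack("!H", reply[2:4])[0]
    header, got, attrs = reply[:4], reply[4:20], reply[20:length]
    return hmac.compare_digest(got, hashlib.md5(header + request_auth + attrs + secret).digest())

def server_handle(request, secret, users):
    """Toy server; users maps name -> (password, Framed-IP-Address). Constructed data."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    ra, attrs = request[4:20], dict(parse_attrs(request[20:length]))
    user = attrs.get(USER_NAME, b"")
    given = unhide_password(attrs.get(USER_PASSWORD, b""), secret, ra)
    if code != ACCESS_REQUEST or user not in users or not hmac.compare_digest(users[user][0], given):
        return sign_reply(ACCESS_REJECT, ident, ra, b"", secret)
    granted = (avp_ip(FRAMED_IP_ADDRESS, users[user][1]) + avp_int(SESSION_TIMEOUT, 3600)
               + vsa(VENDOR_MICROSOFT, MS_PRIMARY_DNS_SERVER, socket.inet_aton("10.0.0.53")))
    return sign_reply(ACCESS_ACCEPT, ident, ra, granted, secret)

def build_acct_request(ident, user, session_id, status, in_octets, out_octets, secret):
    """RFC 2866: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    attrs = (avp(USER_NAME, user) + avp_int(ACCT_STATUS_TYPE, status) + avp(ACCT_SESSION_ID, session_id)
             + avp_int(ACCT_INPUT_OCTETS, in_octets) + avp_int(ACCT_OUTPUT_OCTETS, out_octets))
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest() + attrs

def session_params(reply):
    """What pppd would apply from a verified Accept: peer address and session limit."""
    attrs = dict(parse_attrs(reply[20:struct.unpack("!H", reply[2:4])[0]]))
    return {"code": reply[0],
            "framed_ip": socket.inet_ntoa(attrs[FRAMED_IP_ADDRESS]) if FRAMED_IP_ADDRESS in attrs else None,
            "session_timeout": struct.unpack("!I", attrs[SESSION_TIMEOUT])[0] if SESSION_TIMEOUT in attrs else None}

if __name__ == "__main__":
    secret, users = b"constructed-example-secret", {b"alice": (b"correct horse", "10.0.0.5")}
    req = build_access_request(7, b"alice", b"correct horse", secret, "198.51.100.1", 0)
    rep = server_handle(req, secret, users)
    print(verify_reply(rep, req[4:20], secret), session_params(rep))
```

Two things to take from it: the password hiding is a chain of MD5 masks, so anyone who captures the request and knows (or brute-forces) the shared secret recovers the PAP password, which is why the secret and the transport path matter; and because nothing but the Response Authenticator ties an Accept to the NAS, a client that skips verify_reply can be handed a Framed-IP-Address or an Accept by anyone who can put a UDP packet in front of it.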

HISTORY

The Point-to-Point Protocol daemon (pppd) has historically offered various authentication mechanisms. As network access servers grew in complexity and scale, the need for centralized user management became paramount. RADIUS emerged as the industry standard for Authentication, Authorization, and Accounting (AAA).

Integration with RADIUS for pppd became commonplace through dynamically loadable plugins. The radius.so plugin bundled with pppd was built on the radiusclient library; the later radiusclient-ng and radcli forks kept the same configuration format, which is why the plugin still reads a radiusclient.conf. The result gave pppd a scalable way to manage remote access users, superseding simpler local authentication methods.

SEE ALSO

pppd(8), radiusclient.conf(5), radclient(1), freeradius(8)
