JRadius with FreeRADIUS

JRadius is not a stand-alone RADIUS server. Instead, it is a Java server that is called by the rlm_jradius module built into the FreeRADIUS server. The module, using pooled connections to the JRadius server, passes the RADIUS request and response packets to JRadius for any of the FreeRADIUS module entry points. This means you can have JRadius process authentication, accounting, or proxy requests.

Image:JRadiusFreeRADIUS.jpg

The JRadius Server itself is a light-weight stand-alone Java server. Within its XML configuration, JRadius can be configured with your specific JRadius/FreeRADIUS Dictionary and any number of custom JRadius Handlers chained together.

Building and Installing FreeRADIUS with JRadius

Download the latest FreeRADIUS server:

   wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.1.7.tar.gz
   tar xzf freeradius-1.1.7.tar.gz
   cd freeradius-1.1.7

Download the JRadius patch and apply it to the FreeRADIUS source:

   wget http://dev.coova.org/svn/cjradius/freeradius/patch/freeradius-1.1.7.patch
   patch -p1 < freeradius-1.1.7.patch

Compile and install:

   ./configure
   make
   make install

Run FreeRADIUS (shown here in debug mode):

   /usr/local/sbin/radiusd -X

Configuring for JRadius

Below are the portions of the FreeRADIUS etc/raddb/radiusd.conf file related to JRadius. Also see the etc/raddb/ files in the patched distribution.

   modules {
      ...
      # configure the rlm_jradius module
      jradius {
         name      = "example"             # The "Requester" name (a single
                                           # JRadius server can have
                                           # multiple "applications")
         primary   = "localhost"           # Uses default port 1814
         secondary = "192.168.0.1"         # Fail-over server
         tertiary  = "192.168.0.1:8002"    # Fail-over server on port 8002
         timeout   = 1                     # Connect Timeout
         onfail    = NOOP                  # What to do if no JRadius
                                           # Server is found. Options are:
                                           # FAIL (default), OK, REJECT, NOOP
         keepalive = yes                   # Keep connections to JRadius pooled
         connections = 8                   # Number of pooled JRadius connections
      }
   }

In this example, the requester name is set to example. Different requesters can be mapped to different handler chains in the JRadius context. You can also configure primary, secondary, and tertiary JRadius servers for fail-over redundancy. The TCP/IP connections to JRadius are pooled as persistent connections if keepalive is yes.

   authorize {
      ...
      jradius
   }

   post-auth {
      ...
      jradius
      Post-Auth-Type REJECT {             # Use this to also process failures -
          jradius                         # AccessReject replies 
      }                                   # from the post-auth handler.
   }
 
   preacct {
      ...
      jradius
   }
 
   accounting {
      ...
      jradius
   }

You can put jradius in any of the FreeRADIUS stages, typically in authorize (to, among other things, add a user's plain-text password to the FreeRADIUS context for use in its authenticate stage), post-auth, and accounting. It would be rare to have jradius in the authenticate stage, since that is the part FreeRADIUS does on its own. The above configurations are considered standard. If your FreeRADIUS server is configured to proxy, the following is also possible:

   pre-proxy {
      ...
      jradius
   }
 
   post-proxy {
      ...
      jradius
   }
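
As an added example (not part of the original page or of the JRadius project), this Python script reads a radiusd.conf and lists the stages that would carry on without JRadius when no server answers and onfail is OK or NOOP. Treating those two values as fail-open is this example's assumption; `parse`, `audit`, `FAIL_OPEN` and `SAMPLE_CONF` are names made up here.

```python
# Constructed sample, modelled on the radiusd.conf excerpts on this page.
SAMPLE_CONF = """
modules {
   jradius {
      onfail = NOOP          # FAIL (default), OK, REJECT, NOOP
   }
}
authorize {
   jradius
}
post-auth {
   jradius
   Post-Auth-Type REJECT {
      jradius
   }
}
accounting {
   jradius
}
"""

# Assumption of this example: OK and NOOP let a request continue unprocessed.
FAIL_OPEN = {"OK", "NOOP"}

def parse(conf):
    """Return (jradius module settings, top-level stages that call jradius)."""
    settings, stages, stack = {}, {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if line.endswith("{"):
            stack.append(line[:-1].strip())     # enter a block
        elif line == "}":
            if stack:
                stack.pop()                     # leave a block
        elif stack[:2] == ["modules", "jradius"] and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value.strip('"')
        elif line == "jradius" and stack and stack[0] != "modules":
            stages[stack[0]] = True             # dict keeps order, drops repeats
    return settings, list(stages)

def audit(conf):
    """List the stages that proceed without JRadius when no server answers."""
    settings, stages = parse(conf)
    onfail = settings.get("onfail", "FAIL").upper()  # FAIL is the stated default
    return [(stage, onfail) for stage in stages] if onfail in FAIL_OPEN else []

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

If JRadius handlers enforce policy in authorize or post-auth, an empty result from `audit` (onfail left at FAIL or set to REJECT) means an outage stops requests instead of letting them bypass those handlers.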

You are now ready to run the JRadius server.

This page was last modified 06:05, 2 October 2007.