The RADIUSServer class has a number of methods that are accessible from the main loop of your program as well as some which are made available from inside your implementation code. These are all documented in the API documentation. Actual argument values for these methods are found in the API documentation.
Creates the RADIUS Server object. It takes no arguments. The object is thread safe so it can be instantiated any number of times. Each server object must be given different port numbers for any RADIUS servers it will run. Each RADIUS server object can only run one authentication server and one accounting server. If you want to run three accounting server, three RADIUSServer()'s must be started and the accounting server's must be assigned different ports. If SNMP is run it too must have a command port assigned that's different from the other RADIUSServer objects.
Each RADIUSServer object must start SNMP. There is a choice of starting a copy that accepts command and issues traps or a copy that simply behaves as a placeholder but offers no SNMP services.
NOTE: this must be started right after the RADIUSServer() constructor is called as most other methods require SNMP or they will throw a RADIUSServerException.
startSNMP() without arguments starts the copy that offers no external services.
With arguments the server's SNMP starts up waiting for commands. If the trapCommunity name is null traps will not be sent, even if issued by your main code or by an implementation. This includes the cold start traps when either the authentication or accounting server starts.
See setSNMPParameters for more options.
This is used to set the sysContact, sysName, and sysLocation from within the server. These properties can also be set using SNMP SET commands from the Network Management System. This is not required if you started SNMP without services.
Create a list of managers able to send messages to the SNMP agent. If this is not used requests are permitted from any machine. If the list is empty no manager has access. Only those managers listed will have access to the SNMP agent.
This initializes the server's identity and port numbers for the authentication and accounting. If you're only starting one server the other server's port may be set to 0. The server's realm is required even if it isn't a proxy target. The realm information is used to differentiate NAS's running on the same server.
The logs are set up using these methods. The roundabout way to start the actual implementations allows more elaborate constructors and additional methods to be called when creating the logs for more involved logging setups. For example you may need to read a configuration file to set the JDBC connection URL.
These two must be called even if you don't intend to send debugging output. Since you may enable debugging at any time the debugging log must exist prior to use. The server log should be set up as soon as possible since some errors may require reporting before the server is fully set up. If the implementation is not run before an error is reported the error is sent to the error output (stderr).
These methods construct your authentication and accounting implementations respectively. If you are not using one of the servers (e.g. this only an accounting server) only the implementation you require need be constructed.
If you plan to examine a packet as it enters the server (even before it's checked for correctness) start a snooper. The snooper is passed the raw packet to examine. This is sometimes helpful in determining if a client is passing an acceptable packet, or any packet at all.
The optional proxy implementation can perform a number of useful proxying tasks. When the packet has been determined to be correctly constructed this implementation is called if it exists. Your code can examine and change any attributes in the packet. Generally this is to affect proxy actions, either to change them, or prevent them.
Some circumstances include removing realm information from the User-Name and proxying to a final server. This is called transparent proxy and the proxy realm is given to the server out-of-band as a directive. The Called-Station-Id or Calling-Station-Id may contain proxy information. This is where the mapping of the attribute data to a realm is made. Sometimes it may be necessary to route several User-Name realms to another server (even the local server), which is done in your proxy implementation code.
This allows an arbitrary encoding scheme to be implemented between cooperative servers. This is outside the specification of the RADIUS protocol and not generally supported. If snooping is implemented the snooper will be run twice, once before the packet is decoded and once after.
In a dynamic intranet it may not be possible to know all the clients that may contact the server. If no configured NAS (see addNAS()) is present it may be possible to create a new NAS for the new client. The NAS created may be permanent (by using RADIUServer.addNAS()) or temporary for this RADIUS session only. This optional implementation is run after packets have been checked for correctness but before any proxy, accounting, or authentication actions have been taken.
For example if a client contacts the server with a NAS-Identifier with a known prefix (e.g. AXL) the client could be granted access to the server. The implementation may elect to allow the packet through, send an Access-Reject packet or silently drop the packet altogether.
debugLog()
Send a message to the debug log. If the debug log implementation hasn't been defined the message is written to the standard output.
closeLogFiles()
Close all log files. After closing the debug log writes to the standard output and the server log writes to the error output.
addDebugFilter()
Add an IP address to the debug filter. Only those packets arriving from or being sent to addresses in the filter log will show up the debug log. The default is to display all packets if startDebug() is called. IP address filters may be added at any time.
clearDebugFilter()
Remove all filter addresses from the debug filter. The IP address filter may be cleared at any time.
removeDebugFilter()
Remove a particular address from the debug filter list. It's harmless to remove a filter that doesn't exist. IP address filters may be removed at any time.
startDebug()
Start the debugging log. By default the debug log is disabled. It may be stopped and started whenever necessary.
stopDebug()
Stop the debugging log. It may be stopped and started whenever necessary. It's harmless to stop it more than once in a row.
log()
Send a message to the server log. If the server log implementation hasn't been defined the message is written to the error output.
sendSNMPTrap()
Send a SNMP trap containing a message. If traps are disabled no trap will be sent.
setServerLogAll()
The server log will log failures and successes.
setServerLogFailure()
The server log will only log failures.
setServerLogSuccess()
The server log will only log successes.
setServerLogNone()
Prevent the server log from logging either successes or failures. Other log messages will continue to be written.
setServerLogLevel()
Explicitly set the server's logging ORing constants: RADIUSServer.SL_SUCCESS, RADIUSServer.SL_FAILURE, RADIUSServer.SL_BOTH or setting it RADIUSServer.SL_NONE. This allows the log level to be set with any mask.
addAcctPacketType()
Add an acceptable packet type to the accounting server and indicate it's direction. The direction is either a request or a response (PacketType.Request or PacketType.Response). Packets not in the list will be logged and dropped.
The normal Accounting-Request and Accounting-Response are permitted by default. This allows other packet types to be legally accepted on the accounting server. A common packet type to add is Accounting-Status. Normally the packet will be interpreted by the ExtendedPacketImpl class. Using divertExtendedPacket() you can handle it using the AccountingImpl class.
addAuthPacketType()
Add an acceptable packet type to the authentication server and indicate it's direction. The direction is either a request or a response (PacketType.Request or PacketType.Response). Packets not in the list will be logged and dropped.
The normal Access-Request, Access-Accept, Access-Reject, and Access-Challenge are permitted by default. This allows other packet types to be legally accepted on the accounting server. There are many authentication packet types to add.
Normally the packet will be interpreted by the ExtendedPacketImpl class. Using divertExtendedPacket() you can handle it using the AccessImpl class.
removeAcctPacketType()
Remove an acceptable packet type from the accounting server.
removeAuthPacketType()
Remove an acceptable packet type from the authentication server.
divertExtendedPacket()
Normally a packet type added using addAcctPacketType() or addAuthPacketType() is handled by the ExtendedPacketImpl class. Using this method diverts the given packet type to the AccessImpl or AccountingImp class.
setMultihome()
The default server configuration is to accept connections on all interfaces. If setMultiHome(false) is used the authentication and accounting servers bind to the interface set in the setServerInfo() method.
disableAuthDuplicateChecking() / disableAcctDuplicateChecking()
The server is able to detect duplicate packets arriving at the server. This sometimes happens when the client is retrying after the server has received a packet, but before the response is sent. Duplicate checking is on by default. This method disables checking. In general it's better not to respond to duplicate packets as this can thwart some replay attacks.
setAuthDuplicateTTL() / setAcctDuplicateTTL()
The Time to Live for duplicate packets about five seconds. Depending on your server's response time (determined not only by server cpu time, but round trip time) is better than this you can reduce it to a specified number of seconds. Conversely it can be raised if there are large latency problems.
getCurrentPacketCount()
Get the approximate number of concurrent packets being processed. You can use this to help determine the value for setMaximumPackets().
getMaximumPackets()
Get the current maximum number of packets that will be processed at one time..
setMaximumPackets()
Set the maximum number of packets to handle. This can prevent processing bottlenecks where you could accept a lot of packets, but can't process them all in a reasonable time. For example if you could accept 10,000 packets per second, but it would take more than acceptable latency (5 seconds) to process them all it's better to throttle attempts than to cause a flood of retries.
This affects the number of session threads in the thread pool.
setMinimumPackets()
This sets the initial number of server session threads. If the authentication or accounting server is already running this method cannot decrease the initial number of threads (default is 1). Starting with a larger number means the server won't have to create new session threads as it goes, but will have them ready to go.
setMaxPacketSize()
Set the maximum packet size. The default size (set by the RADIUS RFC) is 4096. The minimum is 20 bytes, which is the size of an empty RADIUS packet. If your RADIUS packets tend to be larger and packet fragmentation isn't a problem this can be set to a larger value.
addNAS()
Add a Network Access Server (client). Each valid client will require that you add a NAS entry for it. Alternatively the NASCallBack implementation can dynamically add NAS's.
clearNAS()
Clears the list known NAS's.
removeNAS()
Remove a particular NAS from the list of known NAS's.
replaceNASList()
Replace all current NAS's with a new set. This is an atomic operation.
setFastNAS()
Normally the server is fully compliant with the RFC's on NAS lookup. There must be a valid NAS-IP-Address and / or a valid NAS-Identifier present.
setFastNAS()with an argument of true will not perform strict checking for any NAS and will validate on the source address only. This is different than the non-strict checking in the NAS class where it's controlled on an individual basis. There is a danger that other RADIUS clients could spoof an authentication request from the wrong NAS if this is engaged. The default value is to perform strict checking. This may be enabled at any time.The default is to use strict checking that the NAS-IP-Address matches the source IP address.
addProxyTarget()
Add a proxy target (proxy realm) to the server. Proxy targets are RADIUS servers that act as either a terminal authentication server or a proxy server. If the current server is a terminal server for all packets this is optional.
clearProxyTarget()
This will remove all servers which can act as proxy servers from the list.
removeProxyTarget()
Removes a particular proxy server from the list.
setProxyCharacter()
The default proxy indication character is '@' which can be changed to any other character. This is used to break the realm information from the user name in the User-Name attribute. It's probably not a good idea to change this. However, it can be used to disable proxy routing by changing it to an unlikely character.
translateProxyId()
The default system translates identfiers in the packet to it's own. In other words it acts like it really is a client to the next server. For example, if the originating NAS-IP-Address is 192.168.1.1 and the server is at 192.168.1.10, the NAS-IP-Address attribute will be translated to 192.168.1.10. The same applies to the NAS-Identifier. This may not be quite what everyone wants. To enable this use translateProxyId(false).
Typically the setting translateProxyId(false).
startAccountingServer() / stopAccountingServer()
Start or stop the accounting server. This may be run without starting the authentication server.
It's possible to override the thread pooling and use only one thread by starting the server with an argument of true. The server will block for each request. Why? Someone wanted the feature. It could conceivably help in debugging.
startAuthenticationServer() / stopAuthenticationServer()
Start or stop the authentication server. This may be run without starting the accounting server.
stopServer()
Stop all running servers.
stopSNMP()
Stop the SNMP service. This is only important if the services have been exposed. If startSNMP() was call with no arguments this method does not need to be used. Once SNMP has been stopped it must be started before any other configuration can be made. See startSNMP().
getSNMPStats()
Returns the SNMPStats object. The only really useful information are the fields and the toString() method that returns a human readable version of the SNMP stats. This is available no matter which startSNMP() was used.
getStats()
A simple version of the SNMP statistics. Not nearly as detailed as getSNMPStats as it contains fewer counters and does not track individual NAS's.
testEnc()
The default encoding for passwords and attribute values is UTF-8. If you require another encoding you can test your encoding with this method. It return true if the encoding worked.
toString()
Returns the server's name and version number.
toVerboseString()
Returns a very long description of the server and the SNMPStats toString() result.
setSecretEncoding()
The default encoding is UTF-8. If you require another string encoding use setSecretEncoding(). The testEnc() method can be used to determine if your encoding works on your platform.
setPasswordEncoding()
The default encoding is UTF-8. If you require another string encoding use setPasswordEncoding(). The testEnc() method can be used to determine if your encoding works on your platform.