8.1 Protecting the RADIUS Server

To support several RADIUS authentication protocols, the RADIUS server must have access to users' eDirectory passwords.

Therefore, you need to take the following precautions:

  • Ensure that you protect the RADIUS server from any attack or subversion. Use a strong eDirectory password for the RADIUS server.

  • Always protect the RADIUS server with local and network-edge firewalls, so that it is not directly accessible to the Internet.

  • Restrict logins to the host to reduce the risk that vulnerabilities in software running with root privileges are exploited.

  • Apply the latest security patches to the networked services running on the host, and strictly control access to those services with a good firewall configuration.

  • Regularly monitor and review the log files for any evidence of attack. Enable the logging of critical information, such as the user name and password, for authentication and password failures.

    To enable logging of usernames, authentication failures, and passwords, set the value of the following parameters to yes in the /etc/raddb/radiusd.conf file:

    • log_stripped_names=yes

      Logs the User-Name attribute as it was found in the request.

    • log_auth=yes

      Logs authentication requests to the log file.

    • log_auth_badpass=yes

      log_auth_goodpass=yes

      Log passwords with the authentication requests. Enabling log_auth_badpass logs the password when it is rejected, and enabling log_auth_goodpass logs the password when it is correct.

    NOTE: Protect the log file by using file system rights. For more information, refer to Protecting the Configuration Files.
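The following script is an added example, not part of the product documentation: it audits a radiusd.conf excerpt for the four logging parameters listed above and flags a log file whose mode lets other users read it (the sample configuration text is constructed; the function names are assumptions).

```python
import re
import stat

# Parameters this section says to set to "yes" in /etc/raddb/radiusd.conf
REQUIRED = ("log_stripped_names", "log_auth", "log_auth_badpass", "log_auth_goodpass")


def parse_radiusd_conf(text):
    """Return {key: value} for 'key = value' lines; '#' comments and blanks are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z_]\w*)\s*=\s*(.+?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings


def missing_logging(settings):
    """Parameters from REQUIRED that are absent or not set to 'yes'."""
    return [k for k in REQUIRED if settings.get(k, "").lower() != "yes"]


def log_file_exposed(mode):
    """True if a file with this st_mode is readable by group or others.

    With log_auth_goodpass enabled the log holds correct passwords in clear
    text, so anything beyond owner-only read access is a finding.
    """
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


# Constructed sample, not an actual radiusd.conf
SAMPLE_CONF = """\
# radiusd.conf excerpt (constructed)
log_stripped_names = yes
log_auth = yes
log_auth_badpass = no   # rejected passwords would not be logged
log_auth_goodpass = yes
"""

if __name__ == "__main__":
    cfg = parse_radiusd_conf(SAMPLE_CONF)
    print("not enabled:", missing_logging(cfg))   # ['log_auth_badpass']
    print("log readable by others:", log_file_exposed(0o640))   # True
```

To audit a real host, read /etc/raddb/radiusd.conf into parse_radiusd_conf and pass os.stat(logfile).st_mode to log_file_exposed.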