Elektron is a RADIUS server, and as such must deal with RADIUS attributes. Due to the wide variety of vendor-specific and site-specific attributes available, it is impossible to configure Elektron “from the factory” to support every conceivable RADIUS attribute. Instead, Elektron’s attribute support is configured using user-editable files.

Attributes are chunks of data appended to RADIUS requests and responses that convey additional information about the user’s authentication request and the server’s response to that request. Attributes are formatted as a code indicating the type of attribute (such as “User-Name” or “Session-Timeout”), and the value of the attribute (such as “alice@example.com” or “3600”).

Dictionary files define the types of attributes available to Elektron, and the possible values for each attribute. Elektron ships with a default dictionary file, “radius.dictionary”, that includes common RADIUS attributes and their values. This includes all attributes defined in the various RADIUS protocol specifications (i.e., RFCs 2865-2869).

If you require the use of RADIUS attributes not specified in the default dictionary file, Elektron also allows for user-defined RADIUS attributes. To create your own custom attributes, create a file called user.dictionary in the Elektron dictionary directory. On Windows systems, this directory is by default located at:

C:\Program Files\Periodik\Elektron\dict

On Mac OS X systems, this directory is located at:

/Library/Application Support/Periodik/Elektron/dict

Note that the dictionary files are used by both the Elektron server process and the Elektron Enterprise Settings application. If you are using the Elektron Settings Application to configure a remote server, you must edit the dictionary files on both machines for a complete configuration.

The Elektron server loads the dictionary files at startup, and caches the parsed file information in order to speed up connections. If you edit a dictionary file, you will need to instruct Elektron to reload the file. To do so, use the elekconf utility. On Windows, from a command prompt issue the command (this may vary if you installed Elektron to a different location):

"C:\Program Files\Periodik\Elektron\elektron.exe" ReloadDictionary

You must be a member of the Administrators group to use this command. On Mac OS X systems, use:

sudo /usr/sbin/elektron ReloadDictionary

You may be prompted for your password when you execute this command.

Dictionary File Format

Elektron dictionaries use a simple text file format to describe RADIUS attributes and values. A dictionary is a sequence of entries, with each entry on a separate line. Each entry in turn is a sequence of values separated by whitespace (either spaces or tab characters):

<value><whitespace><value><whitespace><value>

Each dictionary file may contain three types of entries: attributes, values, and vendors.

Attributes

Attributes are defined in dictionary files using either four or five values; four for standard RADIUS attributes, five for vendor-specific attributes. For standard RADIUS attributes, each entry is of the form:

ATTRIBUTE <Attribute-Name> <Attribute-Identifier> <Attribute-Type>

The word “ATTRIBUTE” instructs Elektron to process the entry as a RADIUS attribute. The Attribute-Name is the human-readable name of the attribute, Attribute-Identifier is the attribute-specific number (from 0-255) assigned to the attribute, and Attribute-Type is the permitted type of the attribute value. The following attribute value types are recognized by Elektron:

  • string: A simple text value
  • integer: A 32-bit numerical value, expressed in decimal notation
  • ipaddr: An IP address in dotted-quad format, e.g., 192.168.1.1
  • _date: A date, expressed as a 32-bit number indicating the number of seconds since January 1, 1970 at 12:00 AM.
  • octets: A binary value, expressed in hexadecimal format, e.g., C738B5AD2F08

An example of a standard RADIUS attribute:

ATTRIBUTE Session-Timeout 27 integer

Vendor-specific attributes are defined using five values: the first four from standard RADIUS attributes (with the Attribute-Value set to the vendor’s attribute value), and a fifth indicating the name of the vendor:

ATTRIBUTE <Attribute-Name> <Attribute-Identifier> <Attribute-Type> <Vendor-Name>

For instance:

ATTRIBUTE Cisco-AVPair 1 string Cisco

Vendors

Before defining a vendor-specific attribute in your dictionary file, you must first define the vendor using a VENDOR entry, which is of the form:

VENDOR <Vendor-Name> <Vendor-Identifier>

The Vendor-Name must match the Vendor-Name used in vendor-specific attribute entries. The Vendor-Identifier is the integer value assigned to the vendor. An example VENDOR entry:

VENDOR Cisco 9

Values

Finally, you may define attribute values. Some RADIUS attributes that take integer values have defined specific possible values. For instance, the “NAS-Port-Type” attribute has a limited set of possible values, including “Telnet” and “Wireless-IEEE-802.11”.

Attribute value entries are of the form:

VALUE <Attribute-Name> <Attribute-Value-Name> <Value-Identifier>

The Attribute-Name specifies to which RADIUS attribute this value applies. Attribute-Value-Name is the label applied to the value, and Value-Identifier is the numeric value. For instance:

VALUE NAS-Port-Type Wireless-IEEE-802.11 19

This instructs Elektron that, when it encounters a NAS-Port-Type attribute with an integer value of 19, that value corresponds to “Wireless-IEEE-802.11”.

Note that labels and names should not have whitespace in them, since whitespace is used to separate values in the dictionary file. “Wireless-IEEE-802.11” and “Wireless IEEE 802.11” are not equivalent, and adding the extra spaces will confuse the parser. Use hyphens instead of spaces in names and labels.

If Elektron encounters errors while parsing a dictionary file, it will log those errors to the RADIUS error log. If you have created custom attributes and they are not working correctly, check the error log for problems.
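A pre-flight check for user.dictionary that can be run before ReloadDictionary, so that a malformed entry is caught before it reaches the error log. This is an added example, not Elektron's own parser: the function name lint_dictionary and its known_vendors/known_attrs parameters are hypothetical, the sample text is constructed (NAS-Port-Type's identifier 61 comes from RFC 2865), and only the three entry types described on this page are recognized.

```python
# Type names exactly as listed in the "Attributes" section of this page.
TYPES = {"string", "integer", "ipaddr", "_date", "octets"}
_num = lambda s: s.isascii() and s.isdigit()   # plain decimal digits only

def lint_dictionary(text, known_vendors=(), known_attrs=()):
    """Return [(line_no, message)]; known_* hold names from radius.dictionary."""
    vendors, attrs, problems = set(known_vendors), set(known_attrs), []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()              # separators are spaces or tabs
        if not fields:
            continue
        kind, args = fields[0], fields[1:]
        if kind == "VENDOR":
            if len(args) == 2 and _num(args[1]):
                vendors.add(args[0])
            else:
                problems.append((no, "VENDOR takes <Vendor-Name> <Vendor-Identifier>"))
        elif kind == "ATTRIBUTE":
            if len(args) not in (3, 4):
                problems.append((no, "ATTRIBUTE takes 4 or 5 values; whitespace in a name?"))
            elif not _num(args[1]) or int(args[1]) > 255:
                problems.append((no, f"identifier {args[1]!r} is not a number in 0-255"))
            elif args[2] not in TYPES:
                problems.append((no, f"unrecognized type {args[2]!r}"))
            elif len(args) == 4 and args[3] not in vendors:
                problems.append((no, f"vendor {args[3]!r} has no earlier VENDOR entry"))
            else:
                attrs.add(args[0])
        elif kind == "VALUE":
            if len(args) != 3 or not _num(args[2]):
                problems.append((no, "VALUE takes 4 values; whitespace in a label?"))
            elif args[0] not in attrs:
                problems.append((no, f"VALUE refers to undefined attribute {args[0]!r}"))
        else:
            problems.append((no, f"unknown entry type {kind!r}"))
    return problems

# Constructed sample: lines 1-4 follow the page's examples, lines 5-7 are deliberately wrong.
SAMPLE = """\
VENDOR Cisco 9
ATTRIBUTE Cisco-AVPair 1 string Cisco
ATTRIBUTE NAS-Port-Type 61 integer
VALUE NAS-Port-Type Wireless-IEEE-802.11 19
VALUE NAS-Port-Type Wireless IEEE 802.11 19
ATTRIBUTE Example-Attr 2 string ExampleVendor
ATTRIBUTE Example-Big 300 integer
"""

if __name__ == "__main__": print(*lint_dictionary(SAMPLE), sep="\n")
```

When linting user.dictionary on its own, pass the vendor and attribute names already defined in radius.dictionary through known_vendors and known_attrs so that references to them are not reported.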