networkclient
|
The dictionaries define name to number mappings. (See also Dictionary Lookup Functions). For simplicity, the dictionary definitions are compiled to C, and statically linked into the library. This allows them to be used without any run-time initialization. However, the downside is that cannot be modified or updated at run time. That limitation should not affect RADIUS client applications.
The reason for this limiration is that this library implements an "embedded" client. That means that it is capable of sending requests which contain a small list of pre-defined attributes, and receiving responses which contain a small list of pre-defined attributes. Any attributes which are not known at compile time are ignored.
The list of "known" attributes are defined by the dictionaries. These dictionaries are parsed at compile time to create a "static const" array of definitions (see nr_dict_attrs, radius.h, and dictionaries.c). We recommend customizing the dictionaries to contain only the attributes which are needed. See convert.pl.
This library includes a sample vendor dictionary, called "share/dictionary.vendor". It also includes a minimal Microsoft dictionary, called "share/dictionary.microsoft". No other vendor dictionaries are included. We recommend using the RFC attributes, and possibly a vendor dictionary defined by yourself, using your own private enterprise number. Using attributes from other vendor dictionaries is not recommended.
The dictionaries used here are in the FreeRADIUS format, which is an extension of the original Livingston dictionary format. See the FreeRADIUS documentation for a complete description of the format. We give a short description here.
The format consists of a series of lines of text, defined by an initial keyword:
with the following definitions:
The last two types are included only for compatibility with VSAs defined by certain vendors. We strongly recommend against using them in any new dictionaries.
We strongly recommend against using the "format=.." variants. Non-standard formats are incompatible and problematic.
A list of Vendor-Specific Attributes is wrapped by BEGIN-VENDOR and END-VENDOR statements:
This wrapping defines all intermediate attributes as being VSAs for that vendor.
See the file "share/dictionary.vendor" for an example. See also the FreeRADIUS documentation for additional details not discussed here.
The dictionaries should be edited by placing new files into the "share/" directory. We recommend the following procedurex:
The library does not support run-time extension of the dictionaries. If you need this functionality, see the FreeRADIUS "libfreeradius-radius" library, which is available under the LGPL license.
The files radius.h and dictionaries.c contain definitions for all standard RADIUS attributes. They are automatically created from the files "share/dictionary*", when those files change. The default versions of those radius.h and dictionaries.c have been generated from the default dictionaries. Those files should never be edited directly. Instead, edit the "share/dictionary*" files, and re-build the library.
There is no predefined limit to the number of attributes which can be defined. We recommend defining the RFC standard attributes, and any VSAs that you need. There is usually no need to define a "minimum" set of attributes. Memory is cheap, and it is useful for the library to have definitions for all of the standard attributes.
The library will compile even if no attributes are defined in the dictionaries. However, it will likely not do anything useful. We recommend defining the following attributes at the absolute minimum:
Note that the Vendor-Specific attribute does not need to be defined for VSAs to work. However, any VSAs should still be defined in a vendor dictionary.
The process to create a vendor dictionary is relatively straightforward, as the dictionaries are just text files. However, we suggest using the services of Network RADIUS to help design custom dictionaries. The reason is that the technical requirements on the dictionaries can be complex. These requirements are document in RFC 6158, among others.
The team at Network RADIUS wrote those standards, so we are most familiar with them. Following our recommendations ensures that the dictionaries will be compatible with all existing RADIUS servers and clients.
At a high level, the process is as follows:
The dictionary needs to be shared with all customers who will be using the RADIUS client. The dictionary also should be shared with all major RADIUS server vendors. In practice, this means adding them to FreeRADIUS, and the other vendors will copy the files from there.
The dictionary file format used by FreeRADIUS is simple. Customers and vendors can trivially convert that format to the format required by any other RADIUS server.