We're making heavy use of both FreeRADIUS and TACACS (only for some specific use cases) at our datacenter. Funny how simple protocols from the 80s/90s are still with us and better than ever.
TACACS is how we authenticate all of our network device logins and command permissions.
It's also funny how these protocols are unwilling to be updated by RFC because they want "perfect" security. Why can't we just update RADIUS to use AES-256 (a symmetric algorithm) and encrypt ALL messages (including Message-Authenticator)? AKA use a shared secret with a modern symmetric algorithm??? It's because the top-level org (RFC) has decided that this is an "unacceptable solution", so we are stuck with the RC5 hash and the Blast-RADIUS exploit. IMO it's the org's fault if they leak the shared secret or use a non-complex 8-char shared secret. Thanks a lot, internet and encryption nerds. /nerdrage
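The shared-secret mechanics the comment above is arguing about, as an added editorial example (Python; not code from the video, from Livingston RADIUS or from FreeRADIUS). Per RFC 2865 the User-Password attribute is hidden by XOR with an MD5(secret + previous block) stream, and a reply is authenticated only by a Response Authenticator of MD5(header + Request Authenticator + attributes + secret); per RFC 2869 the optional Message-Authenticator attribute adds an HMAC-MD5 over the packet. The secret, Request Authenticator and user name below are constructed values. The reply built without Message-Authenticator stands in for a forged reply whose Response Authenticator validates (the collision step of the published attack is not reproduced; the authenticator is simply computed with the secret), which shows what a client-side "require Message-Authenticator" setting actually rejects.

```python
"""RADIUS (RFC 2865/2869) primitives and the Message-Authenticator check."""
import hashlib
import hmac
import struct

# Constructed sample values for this example only; no real secret or credentials.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))  # stands in for the 16 random bytes a NAS would send

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80


def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type, Length (including the 2-byte header), Value."""
    return bytes([atype, len(value) + 2]) + value


def parse_attrs(body: bytes):
    """Yield (type, value, offset-in-body) for each attribute; reject malformed lengths."""
    off = 0
    while off + 2 <= len(body):
        atype, alen = body[off], body[off + 1]
        if alen < 2 or off + alen > len(body):
            raise ValueError("malformed attribute")
        yield atype, body[off + 2:off + alen], off
        off += alen


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], stream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; what the server does to recover the cleartext."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def message_authenticator(code: int, ident: int, request_auth: bytes, body: bytes, secret: bytes) -> bytes:
    """RFC 2869 s5.14: HMAC-MD5 over Code|ID|Length|Authenticator|Attributes with the
    Message-Authenticator value zeroed; replies are keyed over the *request's* authenticator."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hmac.new(secret, hdr + request_auth + body, hashlib.md5).digest()


def build_reply(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes, with_ma: bool = True) -> bytes:
    """Server reply: optional Message-Authenticator, then the RFC 2865 s3 Response Authenticator."""
    body = attrs
    if with_ma:
        body += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
        body = body[:-16] + message_authenticator(code, ident, request_auth, body, secret)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(hdr + request_auth + body + secret).digest()
    return hdr + resp_auth + body


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes, require_ma: bool) -> str:
    """Client-side check of a reply. Returns 'ok' or the reason it is rejected."""
    hdr, resp_auth, body = reply[:4], reply[4:20], reply[20:]
    code, ident, length = struct.unpack("!BBH", hdr)
    if length != len(reply):
        return "bad length"
    if hashlib.md5(hdr + request_auth + body + secret).digest() != resp_auth:
        return "bad Response Authenticator"
    found = [(v, off) for t, v, off in parse_attrs(body) if t == MESSAGE_AUTHENTICATOR]
    if not found:
        return "missing Message-Authenticator" if require_ma else "ok"
    value, off = found[0]
    zeroed = body[:off + 2] + b"\x00" * 16 + body[off + 18:]
    expected = message_authenticator(code, ident, request_auth, zeroed, secret)
    return "ok" if hmac.compare_digest(expected, value) else "bad Message-Authenticator"


def demo() -> dict:
    hidden = hide_password(b"correct horse", SECRET, REQUEST_AUTH)
    attrs = attr(USER_NAME, b"alice")
    good = build_reply(ACCESS_ACCEPT, 7, REQUEST_AUTH, attrs, SECRET)
    # Stand-in for a forged Access-Accept: its Response Authenticator validates (computed
    # with the secret here, in place of the attack's MD5 collision) but it carries no HMAC.
    no_ma = build_reply(ACCESS_ACCEPT, 7, REQUEST_AUTH, attrs, SECRET, with_ma=False)
    return {
        "password_roundtrip": reveal_password(hidden, SECRET, REQUEST_AUTH),
        "good": verify_reply(good, REQUEST_AUTH, SECRET, require_ma=True),
        "no_ma_lenient": verify_reply(no_ma, REQUEST_AUTH, SECRET, require_ma=False),
        "no_ma_strict": verify_reply(no_ma, REQUEST_AUTH, SECRET, require_ma=True),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The lenient client accepts the reply that has no Message-Authenticator as long as the Response Authenticator checks out, while the strict one refuses it; that is the whole difference a "require Message-Authenticator" setting makes, and it needs both client and server to include the attribute.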
I was talking to a cell tech a few years ago, and he was explaining some of the stuff they use. He mentioned "diameter" as the authentication protocol, and I laughed. He gave me a look, like, "... what?" So I said, " 'Diameter'? Like, RADIUS, Diameter...?" The lightbulb went off. "OH.. I never caught that! Huh!"
One thing that immediately caught my attention during the compilation of the original radiusd was the "incompatible implicit declaration" errors. This is most likely part of the issue that causes password decryption to fail. This should be relatively easy to fix by adding the appropriate header files to be included.
With conf.h being present, maybe this is also where one would usually include headers (and change the options vs. adding them to the Makefile).
Or maybe the version of C compiler this project originally used had some standard includes set that provided the "missing" functions.
Love the reference to clabretro at 1:23! ;D
Crazy how far RADIUS has come, going from being one of the most essential parts of an ISP to being used at almost every hotel/venue with public Wi-Fi.
It's really great to see the ISP grow. Great videos, guys
Woo! Love the dial-up content!
The amount of hours I spent fighting with RADIUS in the late 90s/early 2000s... I feel your pain. First was converting SCO Unix SLIP to PPP while compiling Merit RADIUS. Every time my company acquired an ISP it seemed each used a different RADIUS server. The craziest was one with a Microsoft Access database as the backend.
RADIUS is still critical today for WPA Enterprise, Wi-Fi login with credentials.
This stuff is a blast from the past for me. In the late 1990s, I was running network services at a university and we wanted to put up dial-in service for our students. The first generation was a few racks of MultiTech modem cards, a wall full of 66 blocks terminating individual POTS lines, and some serial port mux that I don't remember. Ungerman-Bass, maybe? The modems were always flaking out and it became part of the daily routine to check all the blinking lights first thing in the morning to reset whichever modems had gotten wedged overnight. Things got hugely better when we upgraded to (IIRC) a Cisco 2500 with four ISDN PRI lines (basically a T1) giving us 96 56k dial-ins in 1U of rack space that just worked all the time. I don't remember if we were running RADIUS or TACACS. Probably TACACS since we were pretty much a Cisco shop and that's what they were pushing.
Definitely stepping up your animated graphics :-) Love it.
I can't like this enough. The RADIUS GUI you made!! OMG so cool.
Man, I started on Prodigy back in the summer of 1993 on a 9600 baud modem lol. FTP/IRC/Usenet/Prodigy chat were the things to do lol. My aunt worked at Prodigy and was able to give a couple of family members free internet; there was a limit on how many hours, can't remember that part, but yeah, eventually moved on to just a basement local no-name ISP (Preferred Internet was their name; they became notorious in the Tri-Cities TN area).
Really have enjoyed this entire series. It's managed to answer all those nagging questions I had in the 90s and to this day about an ISP's backend. I always assumed that a given ISP couldn't possibly have an individual physical modem for every user, but that clearly was the case! Great explanation of PPP throughout; that cleared up a lot of mystery and was a "wow" moment for me.
Some trivia, there's an evolution of RADIUS protocol and it's called... DIAMETER. It's mostly supported on 3GPP gear (GGSN, real-time charging) AFAIK and not as well supported in common network stuff as RADIUS.
Great video as always! Can't wait for the digital saga!
Love the videos and interviews. They create trips through my past career in many ways. Very well done.
One of the best UA-cam channels. Thanks guys.
I have been using FreeRADIUS server since 2010 for user access to my Wi-Fi network. It started out running on a Windows XP machine but is now running on a Synology DiskStation using an LDAP database.
I used to work with FreeRADIUS doing AAA on cell connections and fibre. This took me back.
So great to see videos on the history of old tech like this
This is one of the best channels on UA-cam!
Aww yeah! Waited for this
That's definitely a worldly choice of User-Password there.
Great video, can't wait till you start on the 56k era.
Very interesting, thank you!
It's still shockingly relevant.
Another great video!!
Thank you! I just bought a PortMaster 3 from eBay and have it working with local users, but haven't yet figured out the RADIUS server from Livingston. This video will definitely come in handy! There's a WinNT version of Livingston/Lucent RADIUS too, but idk if it's worth setting up since it's beta software (although y'all probably know that since I pulled the Livingston files I needed from your website lol).
Nice! I also own a PM3, connected via Asterisk using a Digium card. I'm currently working on setting up RADIUS, currently trying the RADIUS you're talking about. I think you should try it even if it's beta software; nothing wrong with exploring and learning old and new stuff!
I've been trying to get my hands on a PM3 but haven't had much luck. I had 10+ of them that I trashed 4-5 years ago; I regret not keeping one.
FreeRADIUS is so gnarly to configure; the original one is unthinkable.
Man, I only touched Microsoft Active Directory, and RADIUS on my Cisco IOS homelab. This is very enlightening.
Saw that 15454. Looking forward to that.
You honestly deserve more than 6k views...
RADIUS has been on my to-do list too, for WPA3-EAP and 802.1X.
Holy crap. TACACS is still used today in the enterprise to authenticate to network gear to update software and configs. That and RADIUS is still used today too.
I hope you are using TACACS+ and not TACACS.
9:22 Top of the page: "Owners of Livingston hardware should use RADIUS server 2.0.1 or later instead." WELL THERE'S YOUR PROBLEM! :-)
That day a full /tmp caused an empty file to be sent to all RADIUS servers... None of our customers could log in. Fun times working on the helpdesk 😂
Are you also using Asterisk?
I noticed some corrosion on the lithium battery, at the end of the video
man I remember RADIUS
Your comment about using a MySQL-style DB for 1990s ISPs "seems wrong" is in fact wrong. At the ISP I started in 1997 we used MySQL for many things. Oddly, we didn't use it for the RADIUS server setup though.
lol blast radius what could possibly go wrong ????????
Did you try RADIUS on ye olde Cyclades?
Darn it, I wish I wasn't on the other side of the world.
I know I keep commenting the same thing, but seriously when are we going to see anything regarding ISDN ?
What should we do with ISDN?
Ah yes, the "designed by committee" quagmire. Instead of using an existing good, well thought out system - that would give someone "an advantage" - they have to design something inferior to equally inconvenience everyone. We'll give everyone a say, and staple everyone's ideas together. (i.e. the submarine in the Lego Movie... a dozen people all trying to do something different.)
Having used TACACS+, RADIUS, and several other systems, TACACS+ is not perfect, but RADIUS is _significantly_ less perfect. In modern terms, I can cut it some slack... security wasn't really a big concern in that era; things like SSL/TLS hadn't been invented yet. (Not that AAA traffic should be going across a remotely untrusted network.) Despite "open" and "universal", _every_ vendor did stupid proprietary shit with it. (USR worst of all! USR's vendor-specific attributes are not RADIUS attributes, they're binary blobs.)
so they invent internet tracking... that doesn't sound great...
...?
are you talking about the "accounting" part of AAA?
Not even a little bit. They invented "how long have you been online?" or "how many bytes have you transferred?" so you can be billed for services used. That's it.
None of these 'cos we can't afford them 😂. Staying with our DogeMicroSystem 56k modems and Asterisk; even that does more than yours. 36,6k? wtf dude, 28k