4.3 KiB
4.3 KiB
@push.rocks/smartradius/server
🖥️ RADIUS Server Implementation - Full RFC 2865/2866 compliant authentication and accounting server
Overview
This module provides a complete RADIUS server implementation supporting both authentication (RFC 2865) and accounting (RFC 2866) protocols. It handles PAP and CHAP authentication, accounting session tracking, and includes duplicate detection with response caching.
Features
- ✅ PAP Authentication - Password Authentication Protocol with RFC-compliant encryption
- ✅ CHAP Authentication - Challenge-Handshake Authentication Protocol
- ✅ Accounting - Session start/stop/interim-update tracking
- ✅ Duplicate Detection - Automatic response caching for retransmitted requests
- ✅ Per-Client Secrets - Support for different shared secrets per NAS
- ✅ Statistics - Built-in request/response counters
- ✅ VSA Support - Vendor-Specific Attributes handling
- ✅ Message-Authenticator - HMAC-MD5 for EAP support
Exports
Classes
| Class | Description |
|---|---|
RadiusServer |
Main server class handling authentication and accounting |
RadiusPacket |
Packet encoder/decoder for RADIUS protocol |
RadiusAttributes |
Attribute parsing and encoding utilities |
RadiusAuthenticator |
Cryptographic operations (PAP encryption, CHAP, authenticators) |
RadiusSecrets |
Client secret management |
Interfaces (Server-Specific)
| Interface | Description |
|---|---|
IRadiusServerOptions |
Server configuration options |
IRadiusServerStats |
Server statistics counters |
IAuthenticationRequest |
Request context passed to auth handler |
IAuthenticationResponse |
Response from auth handler |
IAccountingRequest |
Request context passed to accounting handler |
IAccountingResponse |
Response from accounting handler |
TAuthenticationHandler |
Handler function type for authentication |
TAccountingHandler |
Handler function type for accounting |
TSecretResolver |
Function type for resolving client secrets |
Usage
import { RadiusServer, ERadiusCode } from '@push.rocks/smartradius';
const server = new RadiusServer({
authPort: 1812,
acctPort: 1813,
defaultSecret: 'shared-secret',
authenticationHandler: async (request) => {
// PAP authentication
if (request.password === 'correct-password') {
return {
code: ERadiusCode.AccessAccept,
replyMessage: 'Welcome!',
sessionTimeout: 3600,
};
}
// CHAP authentication
if (request.chapPassword && request.chapChallenge) {
const isValid = RadiusAuthenticator.verifyChapResponse(
request.chapPassword,
request.chapChallenge,
'expected-password'
);
if (isValid) {
return { code: ERadiusCode.AccessAccept };
}
}
return { code: ERadiusCode.AccessReject };
},
accountingHandler: async (request) => {
console.log(`Session ${request.sessionId}: ${request.statusType}`);
return { success: true };
},
});
await server.start();
Low-Level Packet Operations
import {
RadiusPacket,
RadiusAuthenticator,
RadiusAttributes,
ERadiusAttributeType,
} from '@push.rocks/smartradius';
// Decode incoming packet
const packet = RadiusPacket.decodeAndParse(buffer);
// Encrypt PAP password
const encrypted = RadiusAuthenticator.encryptPassword(
password, authenticator, secret
);
// Verify CHAP response
const valid = RadiusAuthenticator.verifyChapResponse(
chapPassword, challenge, expectedPassword
);
// Create Vendor-Specific Attribute
const vsa = RadiusAttributes.createVendorAttribute(
9, // Cisco vendor ID
1, // Vendor type
Buffer.from('value')
);
Server Options
| Option | Type | Default | Description |
|---|---|---|---|
authPort |
number | 1812 | Authentication port |
acctPort |
number | 1813 | Accounting port |
bindAddress |
string | '0.0.0.0' | Address to bind to |
defaultSecret |
string | - | Default shared secret |
secretResolver |
function | - | Per-client secret resolver |
duplicateDetectionWindow |
number | 10000 | Duplicate detection window (ms) |
maxPacketSize |
number | 4096 | Maximum packet size |
Re-exports
This module re-exports all types from ts_shared for convenience, so you can import everything from a single location.