How To Download and Install The FreeRADIUS Packages
Most RedHat and Fedora Linux software products are available in the RPM format. When searching for the file, remember that the FreeRADIUS RPM’s filename usually starts with freeradius followed by a version number, as in freeradius-0.9.1-1.i386.rpm.
Starting and Stopping FreeRADIUS
You can use the chkconfig command to get the FreeRADIUS daemon, radiusd, configured to start at boot:
[root@bigboy tmp]# chkconfig radiusd on
To start, stop, and restart radiusd after booting, use
[root@bigboy tmp]# service radiusd start
[root@bigboy tmp]# service radiusd stop
[root@bigboy tmp]# service radiusd restart
Remember to restart the radiusd process every time you make a change to the configuration files for the changes to take effect on the running process.
Configuring The /etc/raddb/radiusd.conf File
The /etc/raddb/radiusd.conf file stores the main RADIUS configuration parameters. You’ll have to update some of the settings to allow LDAP queries from RADIUS.
1. Activate the use of the LDAP module in the authorize section of the file by uncommenting the word ldap. The module name is case-sensitive and must appear exactly as it is written in the file:
authorize {
…
…
        #
        # The ldap module will set Auth-Type to LDAP if it has not
        # already been set
        ldap
…
…
}
2. Activate the use of the LDAP module in the authenticate section by uncommenting the Auth-Type block for LDAP:
Auth-Type LDAP {
ldap
}
3. Define the LDAP server, the base DN to search under, and how the password is looked up in the ldap block. In the example, the LDAP and RADIUS server are the same machine, so you set the LDAP server to localhost. Two things are worth checking before going further: the filter must match exactly one entry for the login name (confirm this with an ldapsearch query using the same filter), and the identity FreeRADIUS binds as must be allowed to read the userPassword attribute; if your directory does not permit anonymous reads of it, set the identity and password options in the same block. start_tls = no is acceptable on localhost, but if the LDAP server is on another host set start_tls = yes so that the search and the returned password attribute do not cross the network in cleartext.
ldap {
        # Define the LDAP server and the base domain name
        server = "localhost"
        basedn = "dc=example,dc=com"

        # Define which attribute from an LDAP "ldapsearch" query
        # is the password. Create a filter to extract the password
        # from the "ldapsearch" output
        password_attribute = "userPassword"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        # The following are RADIUS defaults
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
These configuration steps only cover how to configure RADIUS to interact with LDAP. You'll also have to define the login attributes and privileges each user will receive and the IP addresses of the various RADIUS clients. We'll cover these topics next.
Configuring The /etc/raddb/users File
The /etc/raddb/users file defines the attributes a user receives upon login. In the case of a router, this may include allowing some user groups to log in to a device in privileged mode while allowing others only basic access.
One of the first entries in this file checks the user against the local server's /etc/passwd file. The very next entry should refer to your LDAP server, with a Fall-Through statement so that additional authorizations can be granted to the LDAP user further down the file based on other criteria. Note the operators: the first entry uses = (set Auth-Type only if nothing has set it already) while the LDAP entry uses := (always override), so every user who reaches the second entry is authenticated against LDAP.
#
# First setup all accounts to be checked against the UNIX /etc/passwd.
#
DEFAULT Auth-Type = System
        Fall-Through = 1

#
# Defaults for LDAP
#
DEFAULT Auth-Type := LDAP
        Fall-Through = 1
Configuring The /etc/raddb/clients.conf File
You define the shared secret used between the RADIUS server and each of its clients in the /etc/raddb/clients.conf file.
Secrets are set with the secret keyword and can be assigned to a single host or to a whole network block. The next example defines the secret testing123 for queries from localhost, s3astar for the 192.168.1.0/24 network and shrtp3nc1l for the 172.16.1.0/24 network. A RADIUS client must send from one of these addresses and use the matching secret before its requests are processed at all; requests from addresses not listed here are silently dropped. Bear in mind that every host in a network block shares that block's secret, so anyone on that subnet who learns it can submit or forge requests, and that the secret is also the only thing protecting the User-Password attribute on the wire. Use long, random secrets, prefer one entry per device (or a narrower block) for network equipment, and never leave the well-known default testing123 on a server that is reachable from anything other than localhost.
client 127.0.0.1 {
        secret = testing123
        shortname = localhost
}

client 192.168.1.0/24 {
        secret = s3astar
        shortname = home-network
}

client 172.16.1.0/24 {
        secret = shrtp3nc1l
        shortname = office-network
}
Troubleshooting And Testing RADIUS
You can now test the various elements of the RADIUS setup:
Server Setup
To test the server, run radiusd in debug mode to see verbose messages about the status of the RADIUS queries. These messages are much more informative than those provided in the /var/log/messages and /var/log/radius/radius.log files.
[root@bigboy tmp]# /usr/sbin/radiusd -X -A
After testing is complete, stop the debug instance (Ctrl-C) and start the radiusd daemon in the normal manner using the command service radiusd start; the two cannot run at the same time because both bind UDP port 1812.
Linux Client Setup
For Linux clients, you can perform RADIUS queries with the radtest command, which is installed with FreeRADIUS. The arguments are the username, the user's password, the RADIUS server's IP address or hostname (not the LDAP server's; radtest never talks to LDAP itself), a NAS port value (any value between 1 and 100 will work here), and the shared secret from the server's clients.conf entry for the network the test is sent from. Successful queries show an Access-Accept message. A request from an address not listed in clients.conf gets no reply at all, since the server ignores unknown clients, while a wrong password or a wrong shared secret both produce an Access-Reject; in the latter case the server's debug output shows the password decrypting to garbage, which is the quickest way to tell the two apart.
A successful test from the RADIUS server looks like this.
[root@bigboy tmp]# radtest ldapuser "ldapuser-password" \
localhost 2 testing123
…
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=99, length=20
…
[root@bigboy tmp]#
A successful test from a Linux RADIUS client looks like this:
[root@smallfry bin]# radtest ldapuser "ldapuser-password" 192.168.1.100 2 s3astar
…
rad_recv: Access-Accept packet from host 192.168.1.100:1812, id=51, length=20
…
[root@smallfry bin]#
In this case, the freeradius package was installed on smallfry solely to get the radtest utility, so that the shared secret for the 192.168.1.0/24 network could be checked from that network. This is a good troubleshooting tip: verify remote client access from the network the equipment will live on before deploying it.
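To make concrete what radtest sends and what the clients.conf shared secret actually protects, here is a small Python implementation of the RFC 2865 Access-Request/Access-Accept exchange, with both the client and the server side. This is an added example, not code from the page or from FreeRADIUS: the user directory standing in for LDAP, the packet identifiers and the secret are constructed to mirror the values used above. It shows the User-Password hiding scheme (MD5 keystream seeded with the Request Authenticator), the Response Authenticator that lets the client trust the reply, and why a client using the wrong secret ends up with an Access-Reject rather than an error.

```python
"""RFC 2865 Access-Request / Access-Accept exchange, client and server side.
Added example, not FreeRADIUS code. DIRECTORY stands in for the LDAP lookup
and SECRET mirrors the clients.conf localhost entry on the page."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_PORT = 1, 2, 5


def encrypt_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-octet multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def decrypt_user_password(cipher, secret, authenticator):
    """Inverse of encrypt_user_password; trailing NUL padding is removed."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value; Length includes the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data):
    """Parse TLVs into {type: value}, rejecting truncated or malformed lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, password, nas_port, secret, authenticator=None):
    """Client side: the packet radtest sends (user, password, server, nas_port, secret)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, encrypt_user_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_response(response, request_authenticator, secret):
    """Client side: trust a reply only if its authenticator was built with our secret."""
    header, received, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(received, expected)


def server_handle(packet, secret, directory):
    """Minimal server: decrypt User-Password with the secret configured for this
    client and compare against the stored password (the job LDAP does on the page).
    A client using the wrong secret decrypts to garbage and gets an Access-Reject."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_authenticator = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    supplied = decrypt_user_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_authenticator)
    stored = directory.get(user)
    ok = stored is not None and hmac.compare_digest(supplied, stored)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_authenticator, secret)


# Constructed data mirroring the page: the localhost secret and one LDAP user.
SECRET = b"testing123"
DIRECTORY = {"ldapuser": b"ldapuser-password"}


def demo():
    """Returns (code with right secret, code with wrong secret, reply verified)."""
    request = build_access_request(99, "ldapuser", "ldapuser-password", 2, SECRET)
    reply = server_handle(request, SECRET, DIRECTORY)
    forged = build_access_request(100, "ldapuser", "ldapuser-password", 2, b"wrong-secret")
    rejected = server_handle(forged, SECRET, DIRECTORY)
    return reply[0], rejected[0], verify_response(reply, request[4:20], SECRET)


if __name__ == "__main__":
    print(demo())  # (2, 3, True): Access-Accept, Access-Reject, authenticator verified
```

The 20-byte reply built by build_response with no attributes is exactly the "Access-Accept packet ... length=20" that radtest prints above. Note also what the exchange does not give you: nothing in an Access-Request lets the server detect a wrong secret directly, and the MD5-based keystream is only as strong as the secret, which is why the clients.conf secrets should be long and random.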
Cisco Client Setup
Here is a sample snippet of how to set up a Cisco device to use a RADIUS server. You can find full coverage of Cisco authentication, authorization, and accounting (AAA) setup using RADIUS on Cisco’s corporate Web site at www.cisco.com.
aaa new-model
aaa authentication login default radius enable
aaa authentication ppp default radius
aaa authorization network radius
radius-server host 192.168.1.100
radius-server timeout 10
radius-server key shrtp3nc1l
The important thing to note in relation to our setup is that the radius-server statements define the RADIUS server's IP address and the shared secret. The key must match the clients.conf entry for the network the router sends from; here it is shrtp3nc1l, so this router is expected to reach the server from an address in 172.16.1.0/24. The enable keyword at the end of the login line is a fallback to the local enable password that is used only when the RADIUS server cannot be reached, not a second credential accepted on every login.