Presentation is loading. Please wait.

Presentation is loading. Please wait.

FreeRADIUS configuration

Published byLynn Stewart Modified over 9 years ago

Similar presentations

Presentation on theme: "FreeRADIUS configuration"— Presentation transcript:

1 FreeRADIUS configuration
Marko Stojakovic, AMRES NA3 T4, Belgrade,

2 Contents Introduction FreeRADIUS platform
FreeRADIUS server installation Authentication configuration Accounting configuration Logging configuration New attributes – CUI and ON

3 Introduction RADIUS – Remote Authentication Dial In User Service
Networking protocol which provides centralized AAA service “Who are you?” (Authentication) “What services am I allowed to give you?” (Autorization) “What did you do with my services while you were using them?” (Accounting) Implementacije radius-a, radiator i fr i ias na windowsu

4 FreeRADIUS platform (1)
Open-source project Current version is Supported OSs: Linux (CentOS, Debian, Mandriva, Red Hat, SUSE, Ubuntu) FreeBSD Solaris OpenBSD..

5 FreeRADIUS platform (2)

6 FreeRADIUS installation (1)
Before FreeRADIUS installation: Make sure your system has gcc, glibc, binutils, and gmake installed before trying to compile Other dependencies (based on modules that you need): Openssl, openssl-devel – needed for FR EAP module to work LDAP (if you have LDAP database) MySQL Napomenuti da je ovo instalaija iz sorsa

7 FreeRADIUS installation (2)
Installation (with output redirection): ./configure -flags > text.file make make install (root privileges) You can use –flags to customize the settings (use -- help to see all available flags)

8 FreeRADIUS installation (3)
configure --with-openssl .... > config.txt freeradius-server ]# ./configure --with-openssl > config.txt configure: WARNING: snmpget not found - Simultaneous-Use and checkrad.pl may not work configure: WARNING: snmpwalk not found - Simultaneous-Use and checkrad.pl may not work configure: WARNING: pcap library not found, silently disabling the RADIUS sniffer. configure: WARNING: silently not building rlm_counter. configure: WARNING: FAILURE: rlm_counter requires: libgdbm. configure: WARNING: FAILURE: rlm_dbm requires: (ndbm.h or gdbm/ndbm.h or gdbm-ndbm.h) (libndbm or libgdbm or libgdbm_compat). configure: WARNING: silently not building rlm_dbm. configure: WARNING: the TNCS library isn't found! configure: WARNING: silently not building rlm_eap_tnc. configure: WARNING: FAILURE: rlm_eap_tnc requires: -lTNCS. configure: WARNING: silently not building rlm_eap_ikev2. configure: WARNING: FAILURE: rlm_eap_ikev2 requires: libeap-ikev2 EAPIKEv2/connector.h. configure: WARNING: silently not building rlm_ippool. configure: WARNING: FAILURE: rlm_ippool requires: libgdbm. configure: WARNING: silently not building rlm_pam. configure: WARNING: FAILURE: rlm_pam requires: libpam. configure: WARNING: silently not building rlm_python. configure: WARNING: FAILURE: rlm_python requires: Python.h. configure: WARNING: silently not building rlm_sql_iodbc. configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodb.

9 FreeRADIUS installation (5)
raddb - FreeRADIUS folder Check if the radius deamon will start (with default configuration) Starting the server in debugging mode: radiusd -X

10 FreeRADIUS authentication configuration
Which EAP type to deploy EAP type configuration Virtual server configuration NAS client parameter configuration Connecting FreeRADIUS with user database Processing of Auth requests

11 Which EAP type to deploy (1)
Supported EAP authentication types (by FreeRADIUS): EAP-TLS EAP-TTLS PEAP EAP-GTC LEAP EAP-MD5 Naglasiti da klijent proverava identitet servera

12 Which EAP type to deploy (2)
If your ID management infrastructure supports X.509 client certificates – then you can use EAP-TLS If your ID management infrastructure uses username/password: Passwords in clear-text or as NT-hash? – EAP-TTLS, PEAP If the passwords are in any other format - then you can use only EAP-TTLS

13 Which EAP type to deploy (3)
clear-text NT-hash MD5 hash Salted MD5 hash SHA1 hash Salted SH1 hash Unix Crypt PAP o CHAP x Digest MS-Chap PEAP EAP-MSCHAPv2 Cisco LEAP EAP-GTC EAP-MD5 EAP-SIM

14 EAP type configuration raddb/eap.conf
eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = whatever private_key_file =${certdir}/private.key certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = /dev/urandom fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" } ttls { default_eap_type = pap copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } } Ne ulaziti u detalje konfiguracije

15 Virtual server creation (1)
Two virtual servers First one processes requests before the EAP tunnel is established (“outer-tunnel”) Second one processes requests inside the EAP tunnel (“inner- tunnel”) Location: raddb/sites-available/outer-tunnel raddb/sites-available/inner-tunnel Soft link for virtual servers: raddb/sites-enabled/

16 Virtual server creation (2) raddb/sites-available/outer-tunnel
server outer-tunnel { authorize { preprocess chap mschap digest suffix eap files expiration logintime pap } authenticate { Auth-Type PAP { Auth-Type CHAP { Auth-Type MS-CHAP { unix preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp exec attr_filter.accounting_response session { post-auth { reply_log Post-Auth-Type REJECT { attr_filter.access_reject pre-proxy { post-proxy { eap

17 Virtual server creation (3) raddb/sites-available/inner-tunnel
server inner-tunnel { authorize { suffix update control { Proxy-To-Realm := LOCAL } eap files expiration logintime pap authenticate { Auth-Type PAP { Auth-Type CHAP { chap Auth-Type MS-CHAP { mschap unix session { radutmp } post-auth { Post-Auth-Type REJECT { attr_filter.access_reject pre-proxy { post-proxy { eap

18 Client parameter configuration raddb/clients.conf
client AP-library { ipaddr = secret = mYs3cr3t shortname = AP1 nastype = other virtual_server = outer-tunnel } client radius2 { ipaddr = secret = uRs3cr3t shortname = radius2 nastype = other virtual_server = outer-tunnel RADIUS is based on a client-server model. The NAS-devices (Access Points, switches etc.) forward credentials to a RADIUS server, i.e. act as a client, and therefore need to be defined on the RADIUS server. Other RADIUS servers can act as a client as well, so every kind of RADIUS-request can be forwarded to another server.

19 Connecting to user database (1)
LDAP – Lightweight Directory Access Protocol Active Directory FreeRADIUS users file Additional configuration lines should be added to inner-tunnel Configuration of additional modules depends of database type Spomeni i sql

20 Connecting to user database (2) - LDAP
LDAP configuration file /raddb/modules/ldap ldap { server = "localhost" identity = "uid=reader,ou=SystemAccounts,dc=bg,dc=ac,dc=rs" password = b1g$3cr3t basedn = "ou=People,dc=bg,dc=ac,dc=rs“ ... Mapping between RADIUS and LDAP attributes is configured in /raddb/ldap.attrmap checkItem SMB-Account-CTRL-TEXT acctFlags checkItem Expiration radiusExpiration checkItem NAS-IP-Address radiusNASIpAddress checkItem Cleartext-Password userPassword checkItem User-Name uid #checkItem Pool-Name ismemberof

21 Connecting to user database (3) - LDAP – inner-tunnel
authorize { suffix update control { Proxy-To-Realm := LOCAL } eap files ldap expiration logintime pap authenticate { Auth-Type PAP {

22 Connecting to user database (4) - Active Directory
Kerberos Samba ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=pass Configuration of /raddb/modules/ntlm_auth file exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=Domain --username=%{Stripped-User-Name} -password=%{User-Password}" } Samba is a software which provides interoperability between linux and windows platforms Kerberos is authentication protocol used by windows.. It is installed by default on most linux platforms

23 Connecting to user database (5) - Active Directory – inner-tunnel
authorize { suffix update control { Proxy-To-Realm := LOCAL Auth-Type := ntlm_auth } eap files ntlm_auth expiration logintime pap authenticate { Auth-Type ntlm_auth {

24 Connecting to user database (6) - FR users file
john Cleartext-Password:= “J0#n46!“ Manipulation with authentication requests Adding configuration parametar files to inner-tunnel: server inner-tunnel { authorize { auth_log eap files mschap pap }

25 Processing of Auth requests
Do we want to process the requests only localy or some authentication requests requires proxying to another server? IdP or IdP+RP (eduroam)? Relevant configuration file is raddb/proxy.conf

26 Processing of Auth requests proxy.conf – Local
proxy server { default_fallback = no } home_server localhost { type = auth+acct ipaddr = port = 1812 secret = testing123 response_window = 20 zombie_period = 40 revive_interval = 120 status_check = status-server check_interval = 30 num_answers_to_alive = 3 realm inst-domain { authhost = LOCAL accthost = LOCAL User-Name = "%{Stripped-User-Name}" realm LOCAL { realm NULL {

27 Processing of Auth requests proxy.conf – Local + Proxy
proxy server { default_fallback = no } home_server localhost { type = auth+acct ipaddr = port = 1812 secret = testing123 response_window = 20 zombie_period = 40 revive_interval = 120 status_check = status-server check_interval = 30 num_answers_to_alive = 3 realm inst-domain { authhost = LOCAL accthost = LOCAL User-Name = "%{Stripped-User-Name}" realm LOCAL { realm NULL { home_server radius2 { type = auth+acct ipaddr = port = 1812 secret = response_window = 20 zombie_period = 40 revive_interval = 120 status_check = status-server check_interval = 30 num_answers_to_alive = 3 } home_server_pool radius2 { home_server = radius2 realm DEFAULT { pool = radius2 nostrip

28 RADIUS Accounting configuration (1)
Depends of whether the devices that you use as NAS supports RADIUS Acct (Cisco, Lancom) MySQL configuration: Create a table (table examples can be found in raddb/sql/mysql/) Create a user with write priviledges FreeRADIUS configuration: Create accounting queries in something.conf in raddb/sql/mysql/ Edit raddb/sql.conf Radius acct is a very convenient way of tracking informations about user, including user-name, ip address, mac address, connection time... Accounting queries se prave za start stop i update

29 RADIUS Accounting configuration (2) raddb/sql.conf
sql ws-test { database = "mysql" driver = "rlm_sql_${database}" server = “ " login = “jupiter" password = radius_db = "radius" acct_table1 = “table1" acct_table2 = “table1" postauth_table = "radpostauth" authcheck_table = "radcheck" authreply_table = "radreply" groupcheck_table = "radgroupcheck" groupreply_table = "radgroupreply" usergroup_table = "radusergroup" deletestalesessions = yes sqltrace = yes sqltracefile = ${logdir}/sqltrace.sql num_sql_socks = 5 connect_failure_retry_delay = 60 nas_table = "nas" $INCLUDE sql/${database}/something.conf }

30 RADIUS Accounting configuration (3) raddb/sites-available/outer-tunnel
... preacct { preprocess acct_unique suffix files } accounting { ws-test detail unix radutmp exec attr_filter.accounting_response session {

31 FreeRADIUS logs - Syslog
The file location var/log/radius/radius.log Fri Sep 9 12:07: : Auth: Login OK: (from client cisco5508-L port 1 cli f-d ) Configure raddb/radiusd.conf .... log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } ...

32 FreeRADIUS logs Auth messages logging
In communication with one client we can log (inside and outside the tunnel) : Authentication requests Reply messages Pre proxy messages Post proxy messages Containing folder, by default: var/log/radius/radacct/client-ip-address/logmessagetype-date

33 FreeRADIUS logs Auth messages logging - example
var/log/radius/radacct/ /auth-detail Thu Sep 8 12:06: Packet-Type = Access-Request User-Name = Calling-Station-Id = "00-1c " Called-Station-Id = "18-ef-63-fc-d7-c0:eduroam" NAS-Port = 1 NAS-IP-Address = NAS-Identifier = "cisco5508-L" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "300" EAP-Message = 0x State = 0x4c78ac7b4f7eb9522dd950731fb7c846 Message-Authenticator = 0x d2198dc33a29bff1fdf092c4a Thu Sep 8 12:06: Packet-Type = Access-Request User-Name = FreeRADIUS-Proxied-To = Calling-Station-Id = "00-1c " Called-Station-Id = "18-ef-63-fc-d7-c0:eduroam" NAS-Port = 1 NAS-IP-Address = NAS-Identifier = "cisco5508-L" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "300"

34 FreeRADIUS logs Auth messages logging
server outer-tunnel { authorize { auth_log preprocess chap mschap digest suffix eap files expiration logintime pap } authenticate { Auth-Type PAP { Auth-Type CHAP { Auth-Type MS-CHAP { unix preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp exec attr_filter.accounting_response session { post-auth { reply_log Post-Auth-Type REJECT { attr_filter.access_reject pre-proxy { pre_proxy_log post-proxy { post_proxy_log eap

35 FreeRADIUS logs Auth messages logging
server inner-tunnel { authorize { auth_log suffix update control { Proxy-To-Realm := LOCAL } eap files expiration logintime pap authenticate { Auth-Type PAP { Auth-Type CHAP { chap Auth-Type MS-CHAP { mschap unix session { radutmp } post-auth { reply_log Post-Auth-Type REJECT { attr_filter.access_reject pre-proxy { pre_proxy_log post-proxy { post_proxy_log eap

36 New attributes - CUI and ON
eduroam has a problem with logging of users from other realms – if some visitor makes an incident, the resource provider can only block the entire visitor’s realm Solution: CUI – Chargeable User Identity and ON (Operator Name)

37 New attributes - CUI and ON

38 New attributes - CUI and ON
Inside the Access-Request, resource provider sends the empty CUI attribute along with ON (Operator Name) attribute Based on User Name and Operator Name, the identity provider creates random value (CUI) and returns it to the RP This number presents the unique identifier for every visiting user

39 New attributes - CUI and ON configuration
Configuration – raddb/policy.conf (FR version ) defines cui_postauth (for IdP) cui_pre_proxy (for RP) cui_updatedb (for RP) cui_accounting (for RP)

40 The end  questions?

Download ppt "FreeRADIUS configuration"

Similar presentations

Authentication.

Authentication.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Wireless LAN  Setup & Optimizing Wireless Client in Linux  Hacking and Cracking Wireless LAN  Setup Host Based AP ( hostap ) in Linux & freeBSD  Securing.

Wireless LAN  Setup & Optimizing Wireless Client in Linux  Hacking and Cracking Wireless LAN  Setup Host Based AP ( hostap ) in Linux & freeBSD  Securing.
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.

CONFIDENTIAL © Copyright Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.
Eduroam Training 18.11.2010 Конфигурација на freeradius.

Eduroam Training Конфигурација на freeradius.
Connect communicate collaborate RADIUS and WLAN Infrastructure Monitoring Jovana Palibrk, AMRES NA3 T2, Sofia, 19.06.2014.

Connect communicate collaborate RADIUS and WLAN Infrastructure Monitoring Jovana Palibrk, AMRES NA3 T2, Sofia,
Configuring Linux Radius Server

Configuring Linux Radius Server
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication.
Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP 802.3802.5802.11 802.1x EAP API.

Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP x EAP API.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.

Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.
Chapter 16 AAA. AAA Components  AAA server –Authenticates users accessing a device or network –Authorizes user to perform specific activities –Performs.

Chapter 16 AAA. AAA Components  AAA server –Authenticates users accessing a device or network –Authorizes user to perform specific activities –Performs.
Deploying eduroam Deyan Stoykov, BREN E-infrastructure Autumn Workshops 8 September, 2014.

Deploying eduroam Deyan Stoykov, BREN E-infrastructure Autumn Workshops 8 September, 2014.
RADIUS Server PAP & CHAP Protocols. Computer Security  In computer security, AAA protocol commonly stands for authentication, authorization and accounting.

RADIUS Server PAP & CHAP Protocols. Computer Security  In computer security, AAA protocol commonly stands for authentication, authorization and accounting.
Wireless Security with 802.1X Copyright 2005 Michael Griego This work is the intellectual property of the author. Permission is granted for this material.

Wireless Security with 802.1X Copyright 2005 Michael Griego This work is the intellectual property of the author. Permission is granted for this material.
Chapter 18 RADIUS. RADIUS  Remote Authentication Dial-In User Service  Protocol used for communication between NAS and AAA server  Supports authentication,

Chapter 18 RADIUS. RADIUS  Remote Authentication Dial-In User Service  Protocol used for communication between NAS and AAA server  Supports authentication,
Wireless Security and Accounting with 802.1X. Introduction Background Why 802.1X? What is 802.1X? Implementing 802.1X at UTD The future of 802.1X and.

Wireless Security and Accounting with 802.1X. Introduction Background Why 802.1X? What is 802.1X? Implementing 802.1X at UTD The future of 802.1X and.
S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.

S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.

Similar presentations

Ads by Google