Configuring Linux Radius Server


1 Configuring Linux Radius Server
Objectives
This chapter will show you how to install and use RADIUS.
Contents
An overview of how RADIUS works
Configuration of RADIUS
Testing the RADIUS server
Setting up the Cisco Aironet 1200 as a RADIUS client
Setting up Windows XP with a wireless PC card
Practical: implementing a RADIUS server

2 Introducing the elements
NAS
A Network Access Server (NAS) performs authentication, authorization, and accounting for users. The network access server is typically a router, switch, or wireless access point. The NAS acts as a relay that passes or blocks traffic to and from authenticated clients.
RADIUS and AAA
The RADIUS server is usually a daemon process running on a UNIX or Windows 2003 server. Authentication, authorization and accounting are combined together in RADIUS.
LDAP
The Lightweight Directory Access Protocol (LDAP) is an open standard. It defines a method for accessing and updating information in an X.500-like directory. LDAP simplifies user administration tasks by managing users in a central directory.
A full-featured RADIUS server can support a variety of mechanisms to authenticate users in addition to LDAP, including PAP (Password Authentication Protocol, used with PPP, in which the password is sent in clear text for comparison); CHAP (Challenge Handshake Authentication Protocol, more secure than PAP; it uses a username and password); the local UNIX/Linux system password database (/etc/passwd); and other local databases.

3 Authentication via RADIUS and LDAP
Imagine the following scenario:
A user at home accesses the company intranet via dial-up authentication.
Wireless-enabled laptops connect to a campus network via wireless authentication.
Administrators use their workstations to log into network devices via telnet or HTTP, using administrative user authentication.
All of these authentication tasks can be handled by a RADIUS server against a central LDAP server (see above).

4 Installing FreeRADIUS
Add a test user and give it a password:
# useradd kalle
# passwd kalle
Build from source (usually a good idea for the best-optimized code):
# tar -zxvf freeradius tar.gz
# ./configure
# make
# make install
Start radiusd in debug mode to see whether any errors arrive:
# radiusd -X
Modify the /etc/shadow permissions so the server can read the local password database:
# chmod g+r /etc/shadow
Make the first RADIUS authentication test, simulating a user trying to authenticate against the RADIUS server:
# radtest kalle localhost 0 testing123
0 is a fake NAS port. testing123 is the shared secret configured for the localhost NAS client; it is found in /etc/raddb/clients.conf. If radtest receives a response, the FreeRADIUS server is working.
Successful authentication result:
radtest kalle localhost 0 testing123
Sending Access-Request of id 231 to port 1812
User-Name = "kalle"
User-Password = "123456"
NAS-IP-Address =
NAS-Port = 0
rad_recv: Access-Accept packet from host :1812, id=231, length=20
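To show what radtest actually puts on the wire above, and why the shared secret testing123 matters, here is an added example (not from the slides or the FreeRADIUS project) that builds the same Access-Request in Python and hides the password the way RFC 2865 prescribes. The NAS-IP-Address 127.0.0.1 is an assumption, since the slide elides it.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_NAS_PORT = 1, 2, 4, 5

def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous block), seeded by the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def decode_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does on receipt: regenerate the same keystream, then strip the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(username, password, secret, nas_ip, nas_port, ident, authenticator=None):
    """Access-Request (Code 1) carrying the four attributes radtest sends; the 16-byte authenticator is random."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, encode_pap_password(password.encode(), secret.encode(), authenticator))
             + attr(ATTR_NAS_IP, socket.inet_aton(nas_ip))  # assumed NAS address, e.g. 127.0.0.1
             + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list after the 20-byte header into {type: raw value}."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```

A server holding a different secret for that client decodes the User-Password to garbage and rejects the request, which is exactly the failure you see when clients.conf and the NAS disagree.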

5 Configure FreeRADIUS
FreeRADIUS configuration files are usually stored in the /etc/raddb folder.
Configuring the RADIUS server consists of configuring the server, the client, and the user (both for authentication and authorization). There can be different configurations of the RADIUS server for different needs; fortunately most of the configurations are similar. Later we will add an LDAP backend to RADIUS, but we start with local authentication.
Modify radiusd.conf to activate logging. Find and correct:
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = no
Set up the server so that UNIX accounts can serve for authentication, and add the default authentication ports. Cisco ports can also be used; in that case change this:
port = 0
Tell RADIUS where you store the users to authenticate:
files {
    usersfile = ${confdir}/users
    acctusersfile = ${confdir}/acct_users
    compat = no
}

6 Configure FreeRADIUS for NAS clients
Check that clients.conf is declared in radiusd.conf.
Add the NAS clients (your access points) in /etc/raddb/clients.conf. Security is slightly higher if you declare each NAS by its own IP address and give each one a different secret. The best match is used by the RADIUS server. Here is a subnet declaration for the NAS:
# Cisco Aironet 1235AP
client {
    secret = mypass
    shortname = ap
    nastype = other
}
client /24 {
    secret = testing123
    shortname = office-network
    nastype = other
}
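The "best match" rule above means the most specific client block wins when a NAS address falls under several. This added example (not the project's own code) parses client blocks in the slide's format and picks the secret the way the server does; the addresses 192.0.2.10 and 192.0.2.0/24 are constructed placeholders, since the slide leaves the AP's address out.

```python
import ipaddress
import re

# Constructed clients.conf in the slide's layout; the AP address is a documentation-range placeholder.
CLIENTS_CONF = """
# Cisco Aironet 1235AP
client 192.0.2.10 {
    secret = mypass
    shortname = ap
    nastype = other
}
client 192.0.2.0/24 {
    secret = testing123
    shortname = office-network
    nastype = other
}
"""

BLOCK = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)   # "client <addr>[/prefix] { ... }"
KV = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)            # "key = value" lines inside a block

def parse_clients(text: str) -> list:
    """Return [(network, {key: value}), ...] for every client block in the file."""
    clients = []
    for addr, body in BLOCK.findall(text):
        network = ipaddress.ip_network(addr, strict=False)  # a bare host address becomes a /32
        clients.append((network, dict(KV.findall(body))))
    return clients

def best_match(clients: list, nas_ip: str):
    """Pick the most specific (longest prefix) client block covering nas_ip; None if no block matches."""
    ip = ipaddress.ip_address(nas_ip)
    matches = [(net, cfg) for net, cfg in clients if ip in net]
    if not matches:
        return None  # unknown NAS: the server silently drops the request
    return max(matches, key=lambda m: m[0].prefixlen)[1]
```

Auditing the file this way also surfaces the weak case the slide warns about: a broad subnet block whose secret is still the default testing123.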

7 FreeRADIUS MAC authentication setting
The file /etc/raddb/users contains authentication and configuration information for each user. Add or change the following lines, placed after the informative header text. We prepare for MAC authentication of users authenticating through the NAS. Authentication will be invisible to the end user: users do not need to enter anything. For more users, just add more MAC addresses. This can be used for almost any Cisco switch or router.
# user-id (MAC)   Authentication type   password = MAC
00054e4d3d08    Auth-Type := Local, User-Password == "00054e4d3d08"
00186e8dc079    Auth-Type := Local, User-Password == "00186e8dc079"
Problems can arise with Windows XP, which might not support the correct encryption; there are hacks and workarounds on the Microsoft homepage. The same goes for other adapters and operating systems.
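The users entries above only match if the key is written exactly as the Aironet sends the MAC (12 lowercase hex digits, no separators). This added helper (not from the slides) normalizes addresses copied from switch tables or Windows output, rejects malformed or multicast addresses, drops duplicates, and emits lines in the slide's format; the MACs in the test are the two from the slide.

```python
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(mac: str) -> str:
    """Strip ':', '-', '.' and case so the key matches what the NAS sends: 12 lowercase hex digits."""
    flat = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not HEX12.match(flat):
        raise ValueError(f"not a MAC address: {mac!r}")
    if int(flat[:2], 16) & 1:
        # Least significant bit of the first octet set means group (multicast/broadcast) address;
        # no client NIC authenticates with one, so it must be a copy/paste error.
        raise ValueError(f"multicast/broadcast MAC cannot be a client: {mac!r}")
    return flat

def users_entries(macs) -> list:
    """One FreeRADIUS users-file line per MAC, in the slide's form; repeated addresses appear once."""
    seen, lines = set(), []
    for mac in macs:
        key = normalize_mac(mac)
        if key in seen:
            continue
        seen.add(key)
        lines.append(f'{key}\tAuth-Type := Local, User-Password == "{key}"')
    return lines
```

Because the MAC is both username and password here, these entries are an allow-list of hardware addresses, not proof of identity; the slide's advice to put the Cisco VPN client on top is what supplies confidentiality.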

8 Configuring the Aironet 1200 (1/2)
For no security (open network), log in to your AP and go to Express Security:
Enter your SSID (cisco).
No VLAN (you can have a VLAN for each of your SSIDs if you like).
No security.
Click APPLY.
Activate your WLAN interfaces. In the Security menu, check None, or a WEP/cipher if you like. We choose none for the best network performance; the customer is advised to use the Cisco VPN client or similar for security. This depends on the capabilities of your users' workstations and other CPE devices. In the Aironet security settings you can further granulate the authentication protocols to your needs.
Menu Security, Server Manager:
Select RADIUS in Current Server List; the list should show <NEW>.
Enter your RADIUS server IP address and shared secret.
Standard RADIUS authentication port 1812 and accounting port 1813.
Click Apply.
Go to SSID Manager and pick your SSID:
Check Open Authentication and choose "with MAC Authentication".
At Server Priorities choose Customize and at priority 1 pick your RADIUS server IP address.
Click APPLY.

9 Configuring the Aironet 1200 (2/2)
Next you need to set the AP to use MAC authentication. Again in the Security panel, go to Local RADIUS settings:
Choose the General Set-Up menu and check MAC under Enable Authentication Protocols.
Click Apply.
Last, you need to set the authentication order; here we use ONLY the RADIUS server, no local lists:
Select "MAC Addresses Authenticated by: Authentication Server Only".
If you click on Security, the server-based security should now look something like this:
Looking at the SSID on the same panel, it should look like this:

