Installation of FreeRADIUS
We have already discussed the AAA concept, the principal
methodology behind RADIUS, and the structure of the RADIUS protocol, along with
the packet structure, types, and values. Now we are going to take a more
practical focus on the installation of the FreeRADIUS server. The official
FreeRADIUS project site (http://www.freeradius.org) announces: "The FreeRADIUS Server
Project is an attempt to create a high-performance and highly configurable GPL'd
free RADIUS server. The server is similar to Livingston's 2.0 server. FreeRADIUS
is a variant of the Cistron RADIUS server, but they don't share a lot in common.
You should use it because it has a lot more features than Cistron and Livingston
and is much more configurable."
For industry and production appliances we recommend installing a stable version of
this product, which at the time of writing was FreeRADIUS 0.8.1. However, you
might find the latest CVS version of FreeRADIUS more suitable for your needs, as
it is likely to support extra features. You can download the stable and CVS
versions of the server from http://www.freeradius.org/getting.html. From this section on,
we use the CVS snapshot version of FreeRADIUS taken on May 26, 2003. However,
your installation procedures should be similar if you use the stable or the
latest CVS snapshot.
To begin installation from sources, download and extract
FreeRADIUS using whichever method you are accustomed to, like this:
arhontus:~$ wget -c ftp://ftp.freeradius.org/pub/radius/CVS-snapshots/freeradius-snapshot-20030526.tar.gz
arhontus:~$ tar -xvzf freeradius-snapshot-20030526.tar.gz
arhontus:~$ cd freeradius-snapshot-20030526
To fine-tune FreeRADIUS to your specific needs, you should edit
the Makefile or pass the required switches to the configure script. For
details on the supported options, run:
arhontus:$ ./configure --help
Then do the following to configure and compile the sources:
arhontus:$ ./configure
arhontus:$ make
To install FreeRADIUS you need to have root privileges and
execute:
arhontus:$ su
arhontus:# make install
Follow these instructions to install the binary package on a
Debian Linux system:
arhontus:~# dpkg -i radiusd-freeradius_0.8.1_i386.deb
or
arhontus:~# dpkg -i freeradius_0.8.1+0.9pre20030526-1_i386.deb
Your choice depends on whether you want to install the stable
or the CVS version of FreeRADIUS, respectively. Additionally, you might want to
install add-ons to the server for the purpose of integrating various
authentication schemes, such as Kerberos V, SQL, or LDAP.
When the installation is successfully finished, you can move on
to the next section, where we describe the configuration procedures for your
newly installed RADIUS server.
Configuration
At the time of writing, the configuration files were located in /etc/raddb for the
stable version and in /etc/freeradius for the CVS snapshot, so you might need
to make some adjustments depending on the version you choose to implement.
Before going any further we recommend that you get accustomed to the directory
structure and the critical configuration files:
arhontus:/etc/freeradius# ls -l
total 276
-rw-r-----  1 root freerad   936 May 26 19:06 acct_users
-rw-r-----  1 root freerad  3454 May 26 19:06 attrs
-rw-r-----  1 root freerad   756 May 27 02:02 clients
-rw-r-----  1 root freerad  3062 May 24 21:05 clients.conf
-rw-r-----  1 root freerad   607 May 26 19:06 dictionary
-rw-r-----  1 root freerad 13995 May 26 19:06 experimental.conf
-rw-r-----  1 root freerad  1780 May 26 19:06 hints
-rw-r-----  1 root freerad  1604 May 26 19:06 huntgroups
-rw-r-----  1 root freerad  2333 May 26 19:06 ldap.attrmap
-rw-r-----  1 root freerad  8494 May 26 19:06 mssql.conf
-rw-r-----  1 root freerad  1052 May 21 20:41 naslist
-rw-r-----  1 root freerad   856 May 26 19:06 naspasswd
-rw-r-----  1 root freerad  1199 May 26 19:06 oraclesql.conf
-rw-r-----  1 root freerad 10068 May 26 19:06 postgresql.conf
-rw-r-----  1 root freerad   378 May 26 19:06 preproxy_users
-rw-r-----  1 root freerad  8093 May 26 19:06 proxy.conf
-rw-r-----  1 root freerad 42818 May 27 10:16 radiusd.conf
-rw-r-----  1 root freerad  1387 May 26 19:06 realms
-rw-r-----  1 root freerad  1405 May 26 19:06 snmp.conf
-rw-r-----  1 root freerad 11916 May 26 19:06 sql.conf
-rw-r-----  1 root freerad  7356 May 27 00:07 users
-rw-r-----  1 root freerad  7267 May 26 19:06 x99.conf
-rw-r-----  1 root freerad  4165 May 26 19:06 x99passwd.sample
The most critical configuration files for the RADIUS operations
are briefly mentioned here.
clients.conf
The information provided in this file overrides anything
specified in the clients or naslist file. The configuration
contains all of the information from those two files, as well as additional
configuration features. You should change the values in this file to suit your
network configuration layout. The sample file should look like this:
client 192.168.66.0/24 {
        secret    = testing123456
        shortname = dmz-network
}
It is strongly recommended that you change the default secret
values to a non-dictionary, mixed-character passphrase. Leaving the default
values presents a significant security risk!
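As an added check (not from the book or the FreeRADIUS project), the following Python audits a clients.conf for exactly the risk described above: shared secrets left at a sample value, shorter than the 16 octets RFC 2865 prefers, or lacking character variety, plus client prefixes broad enough to hand one secret to a whole network. The configuration text is constructed for the example.

```python
import re

# Constructed clients.conf text in the syntax shown above (not a real deployment).
SAMPLE_CLIENTS_CONF = """
client 192.168.66.0/24 {
        secret    = testing123456
        shortname = dmz-network
}
client 10.0.0.0/8 {
        secret    = testing123
        shortname = everything
}
client 192.168.66.151 {
        secret    = 7q!Lm#2vXr9$pW4z
        shortname = AP1
}
"""

DEFAULT_SECRETS = {"testing123", "testing123456"}  # values shipped in sample configs
MIN_LENGTH = 16  # RFC 2865 section 3 prefers secrets of at least 16 octets
BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)

def parse_clients(text):
    """Return [(address, {option: value}), ...] for every client block."""
    return [(m.group(1), dict(KV_RE.findall(m.group(2)))) for m in BLOCK_RE.finditer(text)]

def secret_findings(secret):
    """Findings for one shared secret: default value, too short, poor character mix."""
    findings = []
    if secret in DEFAULT_SECRETS:
        findings.append("default sample secret")
    if len(secret) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    classes = sum(bool(re.search(p, secret)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"\W"))
    if classes < 3:
        findings.append("fewer than three character classes")
    return findings

def audit(text):
    """Map each client address to its findings; a wide prefix is itself a finding."""
    report = {}
    for addr, opts in parse_clients(text):
        issues = secret_findings(opts.get("secret", ""))
        prefix = int(addr.split("/")[1]) if "/" in addr else 32
        if prefix < 24:
            issues.append("prefix /%d shares one secret across many hosts" % prefix)
        report[addr] = issues
    return report

if __name__ == "__main__":
    for addr, issues in audit(SAMPLE_CLIENTS_CONF).items():
        print(addr, "OK" if not issues else "; ".join(issues))
```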
naslist
Next, edit the /etc/freeradius/naslist file to include
the full canonical name, nickname, and type of every NAS device that will
contact the RADIUS server. For the full list of supported NAS types, consult
either the manual pages or the naslist file itself. A sample of the file is
given here:
# NAS Name              Short Name  Type
#----------------       ----------  ----
#portmaster1.isp.com    pm1.NY      livingston
#portmaster2.isp.com    pm1.LA      livingston
localhost               local       portslave
192.168.66.151          AP1         portslave
192.168.66.152          AP2         portslave
192.168.66.153          AP3         portslave
radiusd.conf
The /etc/freeradius/radiusd.conf file is the heart of
the RADIUS server. It includes the majority of options and directives. A small
section of the file is highlighted here for illustration purposes. You should
adjust this file to meet your requirements and server needs. Additionally, you
can consult our sample of a radiusd.conf file that integrates many
features of the FreeRADIUS server, including LDAP, EAP-TLS, and UNIX
password-style authentications.
(removed contents)
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
#
# The logging messages for the server are appended to the
# tail of this file.
#
log_file = ${logdir}/radius.log
(removed contents)
realms
The /etc/freeradius/realms file is useful if you
intend to have several RADIUS servers and require users to roam from one server
to another. In the latest versions of FreeRADIUS this file is obsolete and
replaced by proxy.conf, which configures settings for RADIUS
proxying.
users
This file identifies the methods and procedures of user
authentication. Here we add various users along with the types of services they
are allowed to use, as well as the default authentication mechanisms. To get
more information about this file you should consult man 5 users. A
sample of the file looks like this:
"rejecteduser"  Auth-Type := Reject
                Reply-Message = "Your account has been disabled."

"EAPuser"       Auth-Type := EAP

"morpheus"      Auth-Type := Local, User-Password == "testing123456"
                Service-Type = Framed-User,
                Framed-Protocol = PPP,
                Framed-IP-Address = 192.168.66.10,
                Framed-IP-Netmask = 255.255.255.0,
                Framed-Routing = Broadcast-Listen,
                Framed-MTU = 1500,
                Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
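To make the matching rules concrete, here is an added Python model (not the book's or FreeRADIUS's own code) of how radiusd walks a users file: it parses the entry syntax shown above into check and reply items, then evaluates a request against the entries in order, honouring == and != check items and the Fall-Through reply item; := and = check items are treated as control assignments and other operators are ignored. The embedded users text is a constructed subset of the sample above.

```python
import re
# Constructed subset of the users file shown above (not the page's full file).
SAMPLE_USERS = '''\
"rejecteduser"  Auth-Type := Reject
        Reply-Message = "Your account has been disabled."
"morpheus"      Auth-Type := Local, User-Password == "testing123456"
        Framed-IP-Address = 192.168.66.10
DEFAULT Auth-Type = System
        Fall-Through = 1
DEFAULT Service-Type == Framed-User
        Framed-MTU = 576,
        Fall-Through = Yes
DEFAULT Framed-Protocol == PPP
        Framed-Compression = Van-Jacobson-TCP-IP
'''

ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|!=|=)\s*("[^"]*"|[^,\s]+)')

def parse_users(text):
    """Return entries as (name, check_items, reply_items); an unindented line
    starts an entry, indented lines carry its reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        items = [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(line)]
        if line[0].isspace():
            entries[-1][2].extend(items)
        else:
            entries.append((line.split()[0].strip('"'), items, []))
    return entries

def evaluate(entries, request):
    """Walk entries in file order: the name must be the User-Name or DEFAULT and every
    == / != check item must hold; reply items accumulate until an entry without Fall-Through."""
    control, reply = {}, {}
    for name, checks, replies in entries:
        if name not in ("DEFAULT", request.get("User-Name")):
            continue
        if not all((request.get(a) == v) == (op == "==")
                   for a, op, v in checks if op in ("==", "!=")):
            continue
        for a, op, v in checks:          # := always sets, = only if still unset
            if op == ":=" or (op == "=" and a not in control):
                control[a] = v
        reply.update((a, v) for a, _, v in replies if a != "Fall-Through")
        if not any(a == "Fall-Through" and v.lower() in ("1", "yes") for a, _, v in replies):
            break
    return control, reply
```

Note that a wrong password for "morpheus" does not reject the request: the entry simply fails to match and the DEFAULT entry with Auth-Type = System is used instead.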
Once you have completed tailoring the configuration files to
your requirements, you are ready to run the FreeRADIUS server for the first
time. The installation script has prepared the startup script for you, which can
usually be found in /etc/init.d/freeradius or
/etc/rc.d/rc.freeradius; invoking it in the following manner starts the
FreeRADIUS server:
arhontus:~# /etc/init.d/freeradius start
If the RADIUS server starts successfully, you should see output
similar to the following from this command:
arhontus:~# netstat -lnp |grep radius
udp        0      0 0.0.0.0:1812            0.0.0.0:*                           651/freeradius
udp        0      0 0.0.0.0:1813            0.0.0.0:*                           651/freeradius
udp        0      0 0.0.0.0:1814            0.0.0.0:*                           651/freeradius
Otherwise, run the server in the following manner to start
FreeRADIUS in debugging mode so you can trace the source of the errors:
arhontus:~# /usr/sbin/freeradius -X -A
Once you have successfully started the FreeRADIUS daemon, you
are ready to test user authentication, and there are several methods of doing
so. The first method is to use the radtest utility, which attempts to connect to
the RADIUS server with specified user credentials and then outputs the server
reply. You can run the program in the following manner:
arhontus:~$ radtest andrei testing123456 127.0.0.1 10 testing123456
Sending Access-Request of id 31 to 127.0.0.1:1812
        User-Name = "andrei"
        User-Password = "testing123456"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=31, length=20
The daemon log should show an authorization logon similar to
this:
Tue May 27 19:17:15 2003 : Auth: Login OK: [andrei] (from client localhost port 10)
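As an added example (not from the book or the FreeRADIUS project), the following Python encodes the same Access-Request that radtest sent above, with the User-Password hidden as RFC 2865 prescribes, and checks the Response Authenticator on the 20-byte Access-Accept. That check is why the shared secret matters: a reply produced without the secret fails verification. The secret and credentials are the constructed sample values from this section.

```python
import hashlib
import os
import struct

# RADIUS codes and attribute types used by the radtest exchange above (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5

def encrypt_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-octet blocks; each block is XORed with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += prev
    return out

def build_access_request(ident, secret, username, password, nas_ip, nas_port, request_auth=None):
    """Encode the Access-Request radtest sends: 20-byte header plus four attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in (
        (USER_NAME, username),
        (USER_PASSWORD, encrypt_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (NAS_PORT, struct.pack("!I", nas_port)),
    ))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def make_response(code, request, secret):
    """What a server holding the secret returns: a bare reply of length 20 whose Response
    Authenticator is MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_response(response, request_auth, secret):
    """Client-side check: only a peer that knows the secret can produce a valid authenticator."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return response[4:20] == expected

if __name__ == "__main__":
    secret = b"testing123456"                     # constructed, matches the sample clients.conf
    req = build_access_request(31, secret, b"andrei", b"testing123456", "127.0.0.1", 10)
    print("Access-Request id=%d length=%d" % (req[1], len(req)))   # length=58
    accept = make_response(ACCESS_ACCEPT, req, secret)
    print("Access-Accept length=%d valid=%s" % (len(accept), verify_response(accept, req[4:20], secret)))
    print("reply with wrong secret valid=%s" % verify_response(accept, req[4:20], b"other-secret"))
```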
Alternatively, for those who are dependent on Microsoft
Windows, you can download a RADIUS testing utility called NTRadPing, available
from http://www.mastersoft-group.com/download/. The application
window should look like Figure 13-2 when
it authenticates the user.
Once you have successfully tested your server, you are ready to
move on to the next section, which describes the basics of RADIUS monitoring and
accounting. This is important for day-to-day RADIUS administration tasks as well
as incident response procedures should a successful break-in occur.