Installation of FreeRADIUS

We have already discussed the AAA concept, the principal methodology behind RADIUS, and the structure of the RADIUS protocol, along with the packet structure, types, and values. Now we take a more practical focus: the installation of the FreeRADIUS server. The official FreeRADIUS project site (http://www.freeradius.org) announces: "The FreeRADIUS Server Project is an attempt to create a high-performance and highly configurable GPL'd free RADIUS server. The server is similar to Livingston's 2.0 server. FreeRADIUS is a variant of the Cistron RADIUS server, but they don't share a lot in common. You should use it because it has a lot more features than Cistron and Livingston and is much more configurable."

For industry and production appliances we recommend installing a stable version of this product, which at the time of writing was FreeRADIUS 0.8.1. However, you might find the latest CVS version of FreeRADIUS more suitable for your needs, as it is likely to support extra features. You can download the stable and CVS versions of the server from http://www.freeradius.org/getting.html. From this section on, we use the CVS snapshot of FreeRADIUS taken on May 26, 2003. Your installation procedure should be similar whether you use the stable release or a later CVS snapshot.

To begin installation from sources, download and extract FreeRADIUS using your most accustomed method, like this:

    arhontus:~$ wget -c ftp://ftp.freeradius.org/pub/radius/CVS-snapshots/freeradius-snapshot-20030526.tar.gz
    arhontus:~$ tar -xvzf freeradius-snapshot-20030526.tar.gz
    arhontus:~$ cd freeradius-snapshot-20030526

To fine-tune FreeRADIUS to your specific needs, you should edit the Makefile or add the required switches to the configure script.
For details on the supported options, run:

    arhontus:$ ./configure --help

Then configure and compile the sources:

    arhontus:$ ./configure
    arhontus:$ make

To install FreeRADIUS you need root privileges:

    arhontus:$ su
    arhontus:# make install

Follow these instructions to install the binary package on your Debian Linux:

    arhontus:~# dpkg -i radiusd-freeradius_0.8.1_i386.deb

or

    arhontus:~# dpkg -i freeradius_0.8.1+0.9pre20030526-1_i386.deb

Your choice depends on whether you want to install the stable or the CVS version of FreeRADIUS, respectively. Additionally, you might want to install add-ons to the server for the purpose of integrating various authentication schemes, such as Kerberos V, SQL, or LDAP. When the installation has finished successfully, you can move on to the next section, where we describe the configuration procedures for your newly installed RADIUS server.

Configuration

At the time of writing, the configuration files for the stable version were located in /etc/raddb, and in /etc/freeradius for the CVS snapshot, so you might need to make some adjustments depending on the version you choose to implement.
Before going any further we recommend that you get accustomed to the directory structure and the critical configuration files:

    arhontus:/etc/freeradius# ls -l
    total 276
    -rw-r-----    1 root     freerad       936 May 26 19:06 acct_users
    -rw-r-----    1 root     freerad      3454 May 26 19:06 attrs
    -rw-r-----    1 root     freerad       756 May 27 02:02 clients
    -rw-r-----    1 root     freerad      3062 May 24 21:05 clients.conf
    -rw-r-----    1 root     freerad       607 May 26 19:06 dictionary
    -rw-r-----    1 root     freerad     13995 May 26 19:06 experimental.conf
    -rw-r-----    1 root     freerad      1780 May 26 19:06 hints
    -rw-r-----    1 root     freerad      1604 May 26 19:06 huntgroups
    -rw-r-----    1 root     freerad      2333 May 26 19:06 ldap.attrmap
    -rw-r-----    1 root     freerad      8494 May 26 19:06 mssql.conf
    -rw-r-----    1 root     freerad      1052 May 21 20:41 naslist
    -rw-r-----    1 root     freerad       856 May 26 19:06 naspasswd
    -rw-r-----    1 root     freerad      1199 May 26 19:06 oraclesql.conf
    -rw-r-----    1 root     freerad     10068 May 26 19:06 postgresql.conf
    -rw-r-----    1 root     freerad       378 May 26 19:06 preproxy_users
    -rw-r-----    1 root     freerad      8093 May 26 19:06 proxy.conf
    -rw-r-----    1 root     freerad     42818 May 27 10:16 radiusd.conf
    -rw-r-----    1 root     freerad      1387 May 26 19:06 realms
    -rw-r-----    1 root     freerad      1405 May 26 19:06 snmp.conf
    -rw-r-----    1 root     freerad     11916 May 26 19:06 sql.conf
    -rw-r-----    1 root     freerad      7356 May 27 00:07 users
    -rw-r-----    1 root     freerad      7267 May 26 19:06 x99.conf
    -rw-r-----    1 root     freerad      4165 May 26 19:06 x99passwd.sample

The most critical configuration files for RADIUS operation are briefly described here.

clients.conf

The information provided in this file overrides anything specified in the clients or naslist file. The configuration contains all of the information from those two files, as well as additional configuration features. You should change the values in this file to suit your network configuration layout.
The sample file should look like this:

    client 192.168.66.0/24 {
            secret    = testing123456
            shortname = dmz-network
    }

It is strongly recommended that you change the default secret values to a nondictionary, mixed-character passphrase. Leaving the default values presents a significant security risk! Remember that the shared secret is the only thing that hides the User-Password attribute and authenticates the server's replies, so a guessable secret lets anyone who captures the exchange recover user passwords offline and forge Access-Accept packets. Use a different secret for each NAS, and keep this file readable only by root and the group the daemon runs as, as the listing above shows.

naslist

Next, edit the /etc/freeradius/naslist file to include the full canonical name, nickname, and the type of every NAS that will address the RADIUS server. For the full list of supported NAS equipment consult either the manual pages or the naslist file itself. A sample of the file is given here:

    # NAS Name              Short Name      Type
    #----------------       ----------      ----
    #portmaster1.isp.com    pm1.NY          livingston
    #portmaster2.isp.com    pm1.LA          livingston
    localhost               local           portslave
    192.168.66.151          AP1             portslave
    192.168.66.152          AP2             portslave
    192.168.66.153          AP3             portslave

radiusd.conf

The /etc/freeradius/radiusd.conf file is the heart of the RADIUS server. It includes the majority of options and directives. A small section of the file is shown here for illustration purposes. You should adjust this file to meet your requirements and server needs. Additionally, you can consult our sample radiusd.conf file, which integrates many features of the FreeRADIUS server, including LDAP, EAP-TLS, and UNIX password-style authentication.

    (removed contents)
    prefix = /usr
    exec_prefix = /usr
    sysconfdir = /etc
    localstatedir = /var
    sbindir = ${exec_prefix}/sbin
    logdir = /var/log/freeradius
    raddbdir = /etc/freeradius
    radacctdir = ${logdir}/radacct

    #  Location of config and logfiles.
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/run/freeradius

    #
    #  The logging messages for the server are appended to the
    #  tail of this file.
    #
    log_file = ${logdir}/radius.log
    (removed contents)

realms

The /etc/freeradius/realms file is useful if you intend to have several RADIUS servers and require users to roam from one server to another.
In the latest versions of FreeRADIUS this file is obsolete and has been replaced by proxy.conf, which configures RADIUS proxying.

users

This file identifies the methods and procedures of user authentication. Here we add individual users along with the types of service they are allowed to use, as well as the default authentication mechanisms. For more information about this file consult man 5 users. A sample of the file looks like this:

    "rejecteduser"  Auth-Type := Reject
                    Reply-Message = "Your account has been disabled."

    "EAPuser"       Auth-Type := EAP

    "morpheus"      Auth-Type := Local, User-Password == "testing123456"
                    Service-Type = Framed-User,
                    Framed-Protocol = PPP,
                    Framed-IP-Address = 192.168.66.10,
                    Framed-IP-Netmask = 255.255.255.0,
                    Framed-Routing = Broadcast-Listen,
                    Framed-MTU = 1500,
                    Framed-Compression = Van-Jacobson-TCP-IP

    DEFAULT         Auth-Type = System
                    Fall-Through = 1

    DEFAULT         Service-Type == Framed-User
                    Framed-IP-Address = 255.255.255.254,
                    Framed-MTU = 576,
                    Service-Type = Framed-User,
                    Fall-Through = Yes

    DEFAULT         Framed-Protocol == PPP
                    Framed-Protocol = PPP,
                    Framed-Compression = Van-Jacobson-TCP-IP

Note that the "morpheus" entry stores the user's password in clear text in the users file; this is acceptable for a test account, but production accounts should authenticate against the system password database, LDAP, or SQL rather than against passwords kept in this file.

Once you have completed tailoring the configuration files to your requirements, you are ready to run the FreeRADIUS server for the first time.
The installation script has prepared the startup script for you, which can usually be found in /etc/init.d/freeradius or /etc/rc.d/rc.freeradius; invoking it in the following manner starts the FreeRADIUS server:

    arhontus:~# /etc/init.d/freeradius start

If the RADIUS server starts successfully, you should see output similar to this from the following command:

    arhontus:~# netstat -lnp | grep radius
    udp        0      0 0.0.0.0:1812            0.0.0.0:*               651/freeradius
    udp        0      0 0.0.0.0:1813            0.0.0.0:*               651/freeradius
    udp        0      0 0.0.0.0:1814            0.0.0.0:*               651/freeradius

Otherwise, run the server in the following manner to start FreeRADIUS in debugging mode so you can trace the source of the errors:

    arhontus:~# /usr/sbin/freeradius -X -A

Once you have successfully started the FreeRADIUS daemon, you are ready to test user authentication, and there are several methods of doing so. The first method is to use the radtest utility, which sends an Access-Request with the specified user credentials to the RADIUS server and prints the server's reply. The arguments are the user name, the user's password, the server address, a NAS port number, and the shared secret from clients.conf. You can run the program in the following manner:

    arhontus:~$ radtest andrei testing123456 127.0.0.1 10 testing123456
    Sending Access-Request of id 31 to 127.0.0.1:1812
            User-Name = "andrei"
            User-Password = "testing123456"
            NAS-IP-Address = 127.0.0.1
            NAS-Port = 10
    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=31, length=20

The daemon log should show a successful authentication entry similar to this:

    Tue May 27 19:17:15 2003 : Auth: Login OK: [andrei] (from client localhost port 10)

Alternatively, for those who depend on Microsoft Windows, you can download a RADIUS testing utility called NTRadPing, available from http://www.mastersoft-group.com/download/. The application window should look like Figure 13-2 when it authenticates the user.

Figure 13-2. NTRadPing RADIUS testing utility.

Once you have successfully tested your server, you are ready to move on to the next section, which describes the basics of RADIUS monitoring and accounting. This is important for day-to-day RADIUS administration tasks as well as for incident response procedures should a successful break-in occur.
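To see exactly what radtest puts on the wire in the exchange above, here is a minimal equivalent written for this page (an added example, not FreeRADIUS or radtest code). It builds the Access-Request with the same four attributes as the radtest output, hides User-Password with MD5(secret + Request Authenticator) as RFC 2865 section 5.2 describes, and, unlike a naive client, checks the Response Authenticator of the reply before believing an Access-Accept, so a spoofed reply from a third party that does not know the shared secret is reported as forged rather than as a successful login. The NAS-IP-Address value 127.0.0.1 and the port 1812 are the ones shown in the radtest output above; the test values in the block are constructed. The password and shared secret are taken from the command line exactly as radtest does, which means they land in the shell history and the process list, so use a dedicated test account and secret as the page does.

```python
"""Minimal radtest equivalent with reply verification (added example)."""
import hashlib
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * ((-len(pw) % 16) if pw else 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        block = bytes(x ^ y for x, y in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: what the server does with the attribute it receives."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00").decode()


def attr(atype, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    """Return [(type, value)] from the attribute area of a packet, stopping on a bad length."""
    out = []
    while len(data) >= 2:
        atype, alen = data[0], data[1]
        if alen < 2 or alen > len(data):
            break
        out.append((atype, data[2:alen]))
        data = data[alen:]
    return out


def build_access_request(ident, user, password, secret, nas_ip, nas_port, authenticator=None):
    """Return (packet, request_authenticator); the authenticator is random unless supplied."""
    ra = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password, secret, ra))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server-side reply construction, used here to simulate the server offline."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + request_authenticator + attrs + secret).digest() + attrs


def verify_response(reply, request_authenticator, secret, expected_id):
    """RFC 2865 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(reply) < 20:
        return False
    _code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != expected_id or length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return expected == reply[4:20]


def radtest(user, password, server, nas_port, secret, timeout=3.0):
    """Send one Access-Request; return 'accept', 'reject', 'other', 'forged' or 'timeout'."""
    ident = os.urandom(1)[0]
    pkt, ra = build_access_request(ident, user, password, secret, "127.0.0.1", nas_port)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, 1812))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    if not verify_response(reply, ra, secret, ident):
        return "forged"          # wrong secret, wrong id, or not from the real server
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")


if __name__ == "__main__":
    # Same argument order as radtest: user password server nas-port secret
    user, pw, server, port, secret = sys.argv[1:6]
    print(radtest(user, pw, server, int(port), secret.encode()))
```

Run as python radtest.py andrei testing123456 127.0.0.1 10 testing123456 against the server configured above, it prints accept; with the wrong shared secret the server silently discards the request and the client reports timeout, which is the same symptom you will see from radtest when clients.conf and the NAS disagree on the secret.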