Sunday 9 August 2015

Configuring FreeRADIUS

Step 1: You configure FreeRADIUS by editing its configuration files. Their location depends on how you installed the product.

If you installed FreeRADIUS from source (configure, make, make install), the configuration files are under /usr/local/etc/raddb.

On CentOS and SLES, the configuration files are under /etc/raddb.

On Ubuntu, they are under /etc/freeradius.

Step 2: Go to the directory where the FreeRADIUS configuration files are located. In my case it is /usr/local/etc/raddb.

Step 3: A FreeRADIUS installation comes with a default client called localhost. Open the clients.conf file and make sure the following entry exists in it.

client localhost {
         ipaddr = 127.0.0.1
         secret = testing123
         require_message_authenticator = no
         nastype = other
}

The clients.conf file defines the clients of the FreeRADIUS server. The server identifies a client by its IP address. If an unknown client sends a request to the RADIUS server, the request is simply ignored.

The secret is used to encrypt and decrypt certain information between the RADIUS client and server.

Step 4: Open the users file and add the following lines.

"alice" Cleartext-Password := "passme"        
         Framed-IP-Address = 172.16.156.62,    
         Reply-Message = "Hello, %{User-Name}"

Make sure the second and third lines are indented by a single tab character.

Users are defined in the users file. The statements above add the user “alice”.

Step 5: Start the RADIUS server in debug mode. Use the following command to start it.

$ /usr/local/sbin/radiusd -X

Step 6: Open another terminal and run the following command.

radtest alice passme 127.0.0.1 100 testing123

$ radtest alice passme 127.0.0.1 100 testing123
Sent Access-Request Id 80 from 0.0.0.0:55604 to 127.0.0.1:1812 length 75
 User-Name = "alice"
 User-Password = "passme"
 NAS-IP-Address = 127.0.0.1
 NAS-Port = 100
 Message-Authenticator = 0x00
 Cleartext-Password = "passme"
Received Access-Accept Id 80 from 127.0.0.1:1812 to 0.0.0.0:0 length 40
 Framed-IP-Address = 172.16.156.62
 Reply-Message = "Hello, alice"

What I have done here is use the radtest command as a client to the FreeRADIUS server to test authentication.
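How the shared secret from clients.conf is used in the exchange above, as an added example that is not part of the original post: it follows RFC 2865 to hide the User-Password in the Access-Request and to compute the Response Authenticator of the Access-Accept. The function names are this example's own and the Request Authenticator is a constructed value.

```python
import hashlib
import hmac

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: zero-pad to 16-byte blocks, XOR each with an MD5 keystream."""
    if len(request_auth) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("need a 16-byte authenticator and a 1..128 byte password")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev  # each ciphertext block seeds the next keystream block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: rebuild the same keystream from the secret and undo the XOR."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(code, ident, attrs, request_auth, secret, received):
    """Client side: accept a reply only if its authenticator matches the secret."""
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, received)

SECRET = b"testing123"            # shared secret from clients.conf on this page
REQUEST_AUTH = bytes(range(16))   # constructed; a real client uses 16 random bytes
# Attributes of the Access-Accept shown above: Framed-IP-Address (8), Reply-Message (18)
ACCEPT_ATTRS = bytes([8, 6, 172, 16, 156, 62]) + bytes([18, 14]) + b"Hello, alice"

if __name__ == "__main__":
    hidden = hide_password(b"passme", SECRET, REQUEST_AUTH)
    print("User-Password on the wire:", hidden.hex())
    print("server recovers:", reveal_password(hidden, SECRET, REQUEST_AUTH))
    print("wrong secret yields:", reveal_password(hidden, b"other", REQUEST_AUTH))
    auth = response_authenticator(2, 80, ACCEPT_ATTRS, REQUEST_AUTH, SECRET)
    print("Access-Accept length:", 20 + len(ACCEPT_ATTRS), "authenticator:", auth.hex())
```

The shared secret is the only key material in both computations, so the default testing123 should be replaced with a long random value before the server handles real clients.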

If an unknown client sends a request to the RADIUS server, the request is simply ignored.
For example, when I try to communicate with the RADIUS server from an unknown IP, the response looks like the following.

$ radtest alice passme 127.0.0.2 100 testing123
Sent Access-Request Id 80 from 0.0.0.0:59385 to 127.0.0.2:1812 length 75
 User-Name = "alice"
 User-Password = "passme"
 NAS-IP-Address = 127.0.0.1
 NAS-Port = 100
 Message-Authenticator = 0x00
 Cleartext-Password = "passme"
Sent Access-Request Id 80 from 0.0.0.0:59385 to 127.0.0.2:1812 length 75
 User-Name = "alice"
 User-Password = "passme"
 NAS-IP-Address = 127.0.0.1
 NAS-Port = 100
 Message-Authenticator = 0x00
 Cleartext-Password = "passme"
Sent Access-Request Id 80 from 0.0.0.0:59385 to 127.0.0.2:1812 length 75
 User-Name = "alice"
 User-Password = "passme"
 NAS-IP-Address = 127.0.0.1
 NAS-Port = 100
 Message-Authenticator = 0x00
 Cleartext-Password = "passme"
(0) No reply from server for ID 80 socket 4
