After FreeRADIUS has been installed it needs to be configured for our requirements. This article by Dirk van der Walt, author of FreeRADIUS Beginner’s Guide, will help you to get familiar with FreeRADIUS. It assumes that you already know the basics of the RADIUS protocol.
In this article we shall:
Before you start
This article assumes that you have a clean installation of FreeRADIUS. You will need root access to edit FreeRADIUS configuration files for the basic configuration and testing.
We start this article by creating a simple setup of FreeRADIUS with the following:
After we have defined the client and the test user, we will use the radtest program to fill the role of a RADIUS client and test the authentication of Alice.
FreeRADIUS is set up by modifying configuration files. The location of these files depends on how FreeRADIUS was installed:
The following instructions assume that the FreeRADIUS configuration directory is your current working directory:
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
    nastype = other
}
"alice" Cleartext-Password := "passme"
    Framed-IP-Address = 192.168.1.65,
    Reply-Message = "Hello, %{User-Name}"
$> sudo su
#> /etc/init.d/freeradius stop
#> freeradius -X
If the startup script does not stop FreeRADIUS, you can fall back to the more brutal kill -9 $(pidof freeradius) or killall freeradius on Ubuntu, and kill -9 $(pidof radiusd) or killall radiusd on CentOS and SLES.
Ready to process requests.
If this line does not appear, read through the output of the server started in debug mode to see what problem was identified and where it was found.
$> radtest alice passme 127.0.0.1 100 testing123
Sending Access-Request of id 17 to 127.0.0.1 port 1812
    User-Name = "alice"
    User-Password = "passme"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 100
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=147, length=40
    Framed-IP-Address = 192.168.1.65
    Reply-Message = "Hello, alice"
We have created a test user on the FreeRADIUS server. We have also used the radtest command as a client to the FreeRADIUS server to test authentication.
Let’s elaborate on some interesting and important points.
Configuration of the FreeRADIUS server is logically divided into different files. These files are modified to configure a certain function, component, or module of FreeRADIUS. There is, however, a main configuration file that sources the various sub-files. This file is called radiusd.conf.
The default configuration is suitable for most installations. Very few changes are required to make FreeRADIUS useful in your environment.
Although there are many files inside the FreeRADIUS server configuration directory, only a few require further changes. The clients.conf file is used to define clients to the FreeRADIUS server.
Before an NAS can use the FreeRADIUS server it has to be defined as a client on the FreeRADIUS server. Let’s look at some points about client definitions.
A client is defined by a client section. FreeRADIUS uses sections to group and define various things. A section starts with a keyword indicating the section type, followed by a pair of enclosing curly braces. Inside the braces are the settings specific to that section. Sections can also be nested.
Sometimes the section's keyword is followed by a single word that differentiates between sections of the same type. This is how clients.conf can hold several client entries: each client has a short name that distinguishes it from the others.
The clients.conf file is not the only file where client sections can be defined although it is the usual and most logical place. The following image shows nested client definitions inside a server section:
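To make the section syntax described above concrete, here is an added example (not FreeRADIUS code, and only a subset of its real configuration grammar) that parses `keyword [name] { ... }` sections, nested to any depth, into a tree and then reports client definitions that lack the two settings the server needs to accept a NAS: `ipaddr` and `secret`. The configuration text it parses is constructed for this example and mimics a localhost client plus a client nested inside a server section.

```python
"""Minimal parser for FreeRADIUS-style configuration sections.

Added example for this article; it is not FreeRADIUS code and only covers the
subset of the syntax discussed: `name [instance] { ... }` sections,
`key = value` settings, nesting, and `#` comments.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: one client at top level, one nested in a server section.
SAMPLE_CONF = """
# clients.conf (constructed sample, not a real deployment)
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
    nastype = other
}

server inner-tunnel {
    client wlan-controller {
        ipaddr = 192.0.2.10
        secret = "sup3r secret"
    }
}
"""

_SECTION_RE = re.compile(r'^(\w+)(?:\s+([\w.-]+))?\s*\{$')
_SETTING_RE = re.compile(r'^([\w.-]+)\s*=\s*(.*)$')


class Section:
    def __init__(self, kind: str, instance: Optional[str] = None):
        self.kind = kind            # section keyword, e.g. "client"
        self.instance = instance    # optional short name, e.g. "localhost"
        self.settings: Dict[str, str] = {}
        self.children: List["Section"] = []

    def find(self, kind: str) -> List["Section"]:
        """Return all sections of the given kind, at any nesting depth."""
        found = [c for c in self.children if c.kind == kind]
        for c in self.children:
            found.extend(c.find(kind))
        return found


def parse_config(text: str) -> Section:
    """Build a Section tree; raises ValueError on unbalanced braces or junk lines."""
    root = Section("root")
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Simplification: '#' starts a comment even inside quotes; a real
        # parser must honour quoting first (secrets may contain '#').
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
            continue
        m = _SECTION_RE.match(line)
        if m:
            sec = Section(m.group(1), m.group(2))
            stack[-1].children.append(sec)
            stack.append(sec)
            continue
        m = _SETTING_RE.match(line)
        if m:
            value = m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                value = value[1:-1]           # strip surrounding quotes
            stack[-1].settings[m.group(1)] = value
            continue
        raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError(f"unclosed section '{stack[-1].kind}'")
    return root


def check_clients(root: Section) -> List[str]:
    """Report client sections missing what FreeRADIUS needs to recognise a NAS."""
    problems = []
    for c in root.find("client"):
        name = c.instance or "<unnamed>"
        for key in ("ipaddr", "secret"):
            if key not in c.settings:
                problems.append(f"client {name}: missing {key}")
    return problems


if __name__ == "__main__":
    tree = parse_config(SAMPLE_CONF)
    for c in tree.find("client"):
        print(f"client {c.instance}: {c.settings}")
    print("problems:", check_clients(tree) or "none")
```

Running the block prints both clients, including the one found only by descending into the server section, which is the same lookup the server performs when client sections are nested as in the image referred to above.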
The FreeRADIUS server identifies a client by its IP address. If an unknown client sends a request to the server, the request is silently ignored.
The client and server must also share a secret, which is used to encrypt and decrypt certain AVPs. The value of the User-Password AVP is encrypted using this shared secret. When the shared secret differs between the client and the server, the FreeRADIUS server will detect it and warn you when running in debug mode:
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
When defining a client you can enforce the presence of the Message-Authenticator AVP in all the requests. Since we will be using the radtest program, which does not include it, we disable it for localhost by setting require_message_authenticator to no.
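The two mechanisms just described, the shared-secret hiding of User-Password and the Message-Authenticator that require_message_authenticator enforces, can be seen end to end in the following added example. It is not FreeRADIUS or radtest code; it builds an Access-Request of the same shape as the one radtest sent earlier (RFC 2865 password hiding, RFC 2869 HMAC-MD5 Message-Authenticator) and then plays the server's role twice, once with the correct secret and once with a constructed wrong one (`testing124`), so you can see why a mismatch produces an unreadable password and a failed Message-Authenticator check. The fixed Request Authenticator is a constructed value chosen so the output is repeatable; a real client must use random bytes for every request.

```python
"""RADIUS User-Password hiding and Message-Authenticator checking.

Added example for this article (not FreeRADIUS code). Secrets, identifier and
authenticator below are constructed values.
"""
import hashlib
import hmac
import socket
import struct

# Attribute types used below (RFC 2865 / RFC 2869).
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80
ACCESS_REQUEST = 1

SECRET = b"testing123"          # the clients.conf value for localhost in this article
WRONG_SECRET = b"testing124"    # constructed: a NAS configured with a typo
# Fixed so the example is repeatable; a real client uses os.urandom(16) per request.
AUTHENTICATOR = bytes(range(16))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), chained from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; with the wrong secret the result is garbage."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, authenticator: bytes,
                         username: bytes, password: bytes,
                         nas_ip: str = "127.0.1.1", nas_port: int = 100) -> bytes:
    """Access-Request with hidden User-Password and a Message-Authenticator
    (HMAC-MD5 over the whole packet with that attribute zeroed)."""
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(NAS_PORT, struct.pack("!I", nas_port))
             + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac          # Message-Authenticator is the last attribute


def parse_attributes(packet: bytes):
    """Yield (type, value, offset_of_value), rejecting malformed lengths."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        yield kind, packet[pos + 2:pos + length], pos + 2
        pos += length


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the HMAC with the field zeroed. A secret mismatch
    or any tampering fails here, and FreeRADIUS drops the request."""
    for kind, value, off in parse_attributes(packet):
        if kind == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False    # absent: rejected when require_message_authenticator = yes


def recover_password(packet: bytes, secret: bytes) -> bytes:
    authenticator = packet[4:20]
    for kind, value, _ in parse_attributes(packet):
        if kind == USER_PASSWORD:
            return reveal_password(value, secret, authenticator)
    raise ValueError("no User-Password attribute")


def is_printable(data: bytes) -> bool:
    """The property behind the 'Unprintable characters in the password' warning."""
    return all(0x20 <= b < 0x7F for b in data)


if __name__ == "__main__":
    pkt = build_access_request(17, SECRET, AUTHENTICATOR, b"alice", b"passme")
    for label, s in (("correct secret", SECRET), ("wrong secret", WRONG_SECRET)):
        pw = recover_password(pkt, s)
        print(f"{label}: mac_ok={verify_message_authenticator(pkt, s)} "
              f"password={pw!r} printable={is_printable(pw)}")
```

Note that the Message-Authenticator, unlike the hidden password, also covers User-Name, NAS-IP-Address and NAS-Port, so it detects modification of any attribute in transit, which is why enabling require_message_authenticator for real NAS clients is preferable to the localhost setting used in this article.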
The nastype is set to other. The value of nastype determines how the checkrad Perl script behaves. checkrad is used to determine whether a user is already using resources on a NAS. Since localhost neither provides nor needs this function, we define it as other.
If the server is down or the packets from radtest cannot reach the server because of a firewall between them, radtest will try three times and then give up with the following message:
radclient: no response from server for ID 133 socket 3
If you run radtest as a normal user it may complain about not having access to the FreeRADIUS dictionary file. This is required for normal operations. The way to solve this is either to change the permissions on the reported file or to run radtest as root.