apt-get install freeradius
apt-get install freeradius-utils
chkconfig freeradius on
service freeradius restart
Edit /etc/freeradius/clients.conf
Below is the sample file after editing:
# -*- text -*-
##
## clients.conf -- client configuration directives
##
## $Id$
#######################################################################
#
# Define RADIUS clients (usually a NAS, Access Point, etc.).
#
# Defines a RADIUS client.
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
#
#
# Each client has a "short name" that is used to distinguish it from
# other clients.
#
# In version 1.x, the string after the word "client" was the IP
# address of the client. In 2.0, the IP address is configured via
# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
# format is still accepted.
#
client localhost {
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
ipaddr = 10.104.99.222
# OR, you can use an IPv6 address, but not both
# at the same time.
ipv6addr = ::
# ::1 == localhost
#
# A note on DNS: We STRONGLY recommend using IP addresses
# rather than host names. Using host names means that the
# server will do DNS lookups when it starts, making it
# dependent on DNS. i.e. If anything goes wrong with DNS,
# the server won't start!
#
# The server also looks up the IP address from DNS once, and
# only once, when it starts. If the DNS record is later
# updated, the server WILL NOT see that update.
#
# One client definition can be applied to an entire network.
# e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
# "netmask = 8"
#
# If not specified, the default netmask is 32 (i.e. /32)
#
# We do NOT recommend using anything other than 32. There
# are usually other, better ways to achieve the same goal.
# Using netmasks of other than 32 can cause security issues.
#
# You can specify overlapping networks (127/8 and 127.0/16)
# In that case, the smallest possible network will be used
# as the "best match" for the client.
#
# Clients can also be defined dynamically at run time, based
# on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
# etc.
# See raddb/sites-available/dynamic-clients for details.
#
# netmask = 32
#
# The shared secret use to "encrypt" and "sign" packets between
# the NAS and FreeRADIUS. You MUST change this secret from the
# default, otherwise it's not a secret any more!
#
# The secret can be any string, up to 8k characters in length.
#
# Control codes can be entered vi octal encoding,
# e.g. "\101\102" == "AB"
# Quotation marks can be entered by escaping them,
# e.g. "foo\"bar"
#
# A note on security: The security of the RADIUS protocol
# depends COMPLETELY on this secret! We recommend using a
# shared secret that is composed of:
#
# upper case letters
# lower case letters
# numbers
#
# And is at LEAST 8 characters long, preferably 16 characters in
# length. The secret MUST be random, and should not be words,
# phrase, or anything else that is recognizable.
#
# The default secret below is only for testing, and should
# not be used in any real environment.
#
secret = rad123
#
# Old-style clients do not send a Message-Authenticator
# in an Access-Request. RFC 5080 suggests that all clients
# SHOULD include it in an Access-Request. The configuration
# item below allows the server to require it. If a client
# is required to include a Message-Authenticator and it does
# not, then the packet will be silently discarded.
#
# allowed values: yes, no
require_message_authenticator = no
#
# The short name is used as an alias for the fully qualified
# domain name, or the IP address.
#
# It is accepted for compatibility with 1.x, but it is no
# longer necessary in 2.0
#
# shortname = localhost
#
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous use checks
#
#
# The nastype tells 'checkrad.pl' which NAS-specific method to
# use to query the NAS for simultaneous use.
#
# Permitted NAS types are:
#
# cisco
# computone
# livingston
# max40xx
# multitech
# netserver
# pathras
# patton
# portslave
# tc
# usrhiper
# other # for all other types
#
nastype = cisco # localhost isn't usually a NAS...
#
# The following two configurations are for future use.
# The 'naspasswd' file is currently used to store the NAS
# login name and password, which is used by checkrad.pl
# when querying the NAS for simultaneous use.
#
# login = !root
# password = someadminpas
#
# As of 2.0, clients can also be tied to a virtual server.
# This is done by setting the "virtual_server" configuration
# item, as in the example below.
#
# virtual_server = home1
#
# A pointer to the "home_server_pool" OR a "home_server"
# section that contains the CoA configuration for this
# client. For an example of a coa home server or pool,
# see raddb/sites-available/originate-coa
# coa_server = coa
}
# IPv6 Client
client 2001::1 {
secret = rad123
shortname = AAA_ASR1
}
#
# All IPv6 Site-local clients
#client fe80::/16 {
# secret = testing123
# shortname = localhost
#}
#client some.host.org {
# secret = testing123
# shortname = localhost
#}
#
# You can now specify one secret for a network of clients.
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
#
client 9.14.14.14 {
secret = rad123
shortname = asr1k_2054
}
#
client 9.27.110.102 {
secret = rad123
shortname = AAA_ASR1
}
#client 10.10.10.10 {
# # secret and password are mapped through the "secrets" file.
# secret = testing123
# shortname = liv1
# # the following three fields are optional, but may be used by
# # checkrad.pl for simultaneous usage checks
# nastype = livingston
# login = !root
# password = someadminpas
#}
#######################################################################
#
# Per-socket client lists. The configuration entries are exactly
# the same as above, but they are nested inside of a section.
#
# You can have as many per-socket client lists as you have "listen"
# sections, or you can re-use a list among multiple "listen" sections.
#
# Un-comment this section, and edit a "listen" section to add:
# "clients = per_socket_clients". That IP address/port combination
# will then accept ONLY the clients listed in this section.
#
#clients per_socket_clients {
# client 192.168.3.4 {
# secret = testing123
# }
#}
root@ubuntu-2:~#
root@ubuntu-2:~# iptables -I INPUT 1 -p udp --dport 1812 -j ACCEPT
root@ubuntu-2:~# iptables -I INPUT 1 -p udp --dport 1813 -j ACCEPT
root@ubuntu-2:~# iptables -I INPUT 1 -p udp --dport 1645 -j ACCEPT
root@ubuntu-2:~# iptables -I INPUT 1 -p udp --dport 1646 -j ACCEPT
root@ubuntu-2:~#
root@ubuntu-2:~#
root@ubuntu-2:~#
root@ubuntu-2:~#
root@ubuntu-2:~# iptables-save
# Generated by iptables-save v1.4.12 on Sat Oct 25 14:11:30 2014
*filter
:INPUT ACCEPT [36:4425]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [20:2880]
-A INPUT -p udp -m udp --dport 1646 -j ACCEPT
-A INPUT -p udp -m udp --dport 1645 -j ACCEPT
-A INPUT -p udp -m udp --dport 1813 -j ACCEPT
-A INPUT -p udp -m udp --dport 1812 -j ACCEPT
COMMIT
# Completed on Sat Oct 25 14:11:30 2014
root@ubuntu-2:~#
root@ubuntu-2:~#
root@ubuntu-2:~#
Make sure you edit the users file as per your requirement. Below is a sample "users" file for your reference.
client2 Cleartext-Password :="welcome"
Service-Type = Login,
Cisco-Avpair = "shell:priv-lvl=15"
client_test Cleartext-Password := "cisco"
Service-Type = Login-User,
Cisco-Avpair = "shell:priv-lvl=15"
client1 Cleartext-Password :="welcome"
Service-Type = Framed
$enab15$ Cleartext-Password :=rad123
Cisco-Avpair = "shell:priv-lvl=15"
########################################################
/usr/sbin/freeradius -i 2001::1234 -p 1645 -X &
/usr/sbin/freeradius -i 10.104.99.222 -p 1645 -X &
/usr/sbin/freeradius -i 2001::1234 -p 1812 -X &
/usr/sbin/freeradius -i 10.104.99.222 -p 1812 -X &
#######################################################
The logs can be found in below path:
/var/log/freeradius
Accounting records will be stored in below path:
/var/log/freeradius/radacct
Sample test command
radtest client1 welcome 10.104.99.222 1 cisco
root@ubuntu-2:/etc/freeradius# radtest client1 welcome 10.104.99.222 1 cisco
Sending Access-Request of id 105 to 10.104.99.222 port 1645
User-Name = "client1"
User-Password = "welcome"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1
rad_recv: Access-Request packet from host 10.104.99.222 port 44808, id=105, length=59
User-Name = "client1"
User-Password = "welcome"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "client1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry client1 at line 95
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "welcome"
[pap] Using clear text password "welcome"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 105 to 10.104.99.222 port 44808
Service-Type = Framed-User
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Accept packet from host 10.104.99.222 port 1645, id=105, length=26
Service-Type = Framed-User
root@ubuntu-2:/etc/freeradius#
No comments:
Post a Comment