Monday, June 22, 2015

Setting up FreeRADIUS on Ubuntu

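#!/usr/bin/env bash
# Install FreeRADIUS plus the client utilities (radtest/radclient) on Ubuntu
# and make sure the service starts at boot.
set -euo pipefail

apt-get install -y freeradius freeradius-utils

# Enable the init script at boot.  "chkconfig" is a Red Hat/SUSE tool and is
# not installed on Ubuntu by default; update-rc.d is the Debian equivalent.
update-rc.d freeradius defaults

# Start the service now.  Restart it again after editing clients.conf and the
# users file below -- the daemon only reads its configuration at startup.
service freeradius restart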
 
Edit /etc/freeradius/clients.conf
 
Below is the sample /etc/freeradius/clients.conf after editing. Most of it is the package template's own commentary; the effective directives are the uncommented lines in the `client localhost` stanza and in the three NAS stanzas that follow it. Because this file holds the RADIUS shared secrets, keep it readable only by root and the freerad group (the package default: owner root, group freerad, mode 0640) and never publish it with real secrets in it:
 
# -*- text -*-
##
## clients.conf -- client configuration directives
##
##      $Id$
 
#######################################################################
#
#  Define RADIUS clients (usually a NAS, Access Point, etc.).
 
#
#  Defines a RADIUS client.
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.  (In the edited sample
#  below the "localhost" stanza has been repointed to the server's own LAN
#  address, 10.104.99.222, so the loopback address itself is no longer a
#  configured client.)
#
#
 
#
#  Each client has a "short name" that is used to distinguish it from
#  other clients.
#
#  In version 1.x, the string after the word "client" was the IP
#  address of the client.  In 2.0, the IP address is configured via
#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
#  format is still accepted.
#
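client localhost {
        #  Allowed values are:
        #       dotted quad (1.2.3.4)
        #       hostname    (radius.example.com)
        #
        #  NOTE: despite the stanza name this is not 127.0.0.1 but the
        #  server's own LAN address, so that radtest run on this box against
        #  10.104.99.222 (as in the test at the end of this page) is
        #  accepted.  With the default /32 netmask, packets arriving from
        #  127.0.0.1 do NOT match this entry; add a separate
        #  "client 127.0.0.1" stanza if loopback testing is needed.
        ipaddr = 10.104.99.222

        #  "ipv6addr" is an alternative to "ipaddr", not an addition to it:
        #  a client stanza carries one or the other, never both.  The
        #  original sample set "ipv6addr = ::" next to the ipaddr above;
        #  that line has been dropped here.  IPv6 NAS devices get their own
        #  stanza (see "client 2001::1" below).
        #
        #  ::1 == localhost
        #
        #  A note on DNS:  We STRONGLY recommend using IP addresses
        #  rather than host names.  Using host names means that the
        #  server will do DNS lookups when it starts, making it
        #  dependent on DNS.  i.e. If anything goes wrong with DNS,
        #  the server won't start!
        #
        #  The server also looks up the IP address from DNS once, and
        #  only once, when it starts.  If the DNS record is later
        #  updated, the server WILL NOT see that update.
        #

        #  One client definition can be applied to an entire network.
        #  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
        #  "netmask = 8"
        #
        #  If not specified, the default netmask is 32 (i.e. /32)
        #
        #  We do NOT recommend using anything other than 32.  A network
        #  wide client hands the same shared secret to every host in that
        #  range, so any compromised host in it can impersonate the NAS.
        #
        #  You can specify overlapping networks (127/8 and 127.0/16)
        #  In that case, the smallest possible network will be used
        #  as the "best match" for the client.
        #
        #  Clients can also be defined dynamically at run time, based
        #  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
        #  etc.
        #  See raddb/sites-available/dynamic-clients for details.
        #

#       netmask = 32

        #
        #  The shared secret used to obfuscate User-Password and to
        #  authenticate packets between the NAS and FreeRADIUS.  The
        #  security of RADIUS depends COMPLETELY on it: anyone who knows
        #  the secret can forge requests and replies for this client and
        #  recover PAP passwords from captured traffic.
        #
        #  The secret can be any string, up to 8k characters in length.
        #
        #  Control codes can be entered via octal encoding,
        #       e.g. "\101\102" == "AB"
        #  Quotation marks can be entered by escaping them,
        #       e.g. "foo\"bar"
        #
        #  Use a random string of at least 16 characters (8 is the absolute
        #  minimum), mixing upper case, lower case and digits, and give
        #  every client its own.  Generate one with, for example:
        #       openssl rand -base64 24
        #
        #  The original sample used "rad123" -- six characters, not random,
        #  and reused by every client in this file.  A placeholder is left
        #  here so the sample cannot be copied into production unchanged.
        #
        secret          = CHANGE_ME_TO_A_RANDOM_SECRET

        #
        #  Message-Authenticator (RFC 2869 / RFC 5080) is an HMAC over the
        #  Access-Request keyed with the shared secret.  Requiring it lets
        #  the server discard requests that were not built with the secret
        #  instead of decrypting them to garbage and then rejecting them.
        #  Old-style clients do not send it; if it is required and a
        #  client omits it, the packet is silently discarded.
        #
        #  Set this to "yes" as soon as you have confirmed the NAS sends
        #  the attribute.  It is left at "no" here only because the radtest
        #  Access-Request in the transcript at the end of this page carries
        #  no Message-Authenticator and would otherwise be dropped.
        #
        #  allowed values: yes, no
        require_message_authenticator = no

        #
        #  The short name is used as an alias for the fully qualified
        #  domain name, or the IP address.
        #
        #  It is accepted for compatibility with 1.x, but it is no
        #  longer necessary in 2.0
        #
#       shortname       = localhost

        #
        # the following three fields are optional, but may be used by
        # checkrad.pl for simultaneous use checks
        #

        #
        # The nastype tells 'checkrad.pl' which NAS-specific method to
        #  use to query the NAS for simultaneous use.
        #
        #  Permitted NAS types are:
        #
        #       cisco
        #       computone
        #       livingston
        #       max40xx
        #       multitech
        #       netserver
        #       pathras
        #       patton
        #       portslave
        #       tc
        #       usrhiper
        #       other           # for all other types

        #
        nastype     = cisco     # only consulted by checkrad.pl for Simultaneous-Use

        #
        #  The following two configurations are for future use.
        #  The 'naspasswd' file is currently used to store the NAS
        #  login name and password, which is used by checkrad.pl
        #  when querying the NAS for simultaneous use.
        #  If these are ever enabled they hold a NAS admin credential in
        #  cleartext -- another reason to keep this file root:freerad 0640.
        #
#       login       = !root
#       password    = someadminpas

        #
        #  As of 2.0, clients can also be tied to a virtual server.
        #  This is done by setting the "virtual_server" configuration
        #  item, as in the example below.
        #
#       virtual_server = home1

        #
        #  A pointer to the "home_server_pool" OR a "home_server"
        #  section that contains the CoA configuration for this
        #  client.  For an example of a coa home server or pool,
        #  see raddb/sites-available/originate-coa
#       coa_server = coa
}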
 
# IPv6 Client
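client 2001::1 {
        # Give this NAS its own random secret of 16+ characters.  The
        # original sample reused "rad123" for every client in this file, so
        # a compromise of any one device would let it forge traffic as all
        # of the others.
        secret          = CHANGE_ME_TO_A_RANDOM_SECRET_ASR1_V6
        # The same shortname is also used by the 9.27.110.102 stanza below;
        # prefer one distinct name per client so the two are not confused.
        shortname       = AAA_ASR1
}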
#
# All IPv6 Site-local clients
#client fe80::/16 {
#       secret          = testing123
#       shortname       = localhost
#}
 
#client some.host.org {
#       secret          = testing123
#       shortname       = localhost
#}
 
#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#
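client 9.14.14.14 {
        # Exact match (/32 by default): only this NAS may use this secret.
        # Use a unique random secret of 16+ characters per client; the
        # original sample shared "rad123" across all clients, which lets a
        # compromised device impersonate any other NAS.
        secret          = CHANGE_ME_TO_A_RANDOM_SECRET_ASR1K_2054
        shortname       = asr1k_2054
}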
#
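client 9.27.110.102 {
        # Exact match (/32 by default): only this NAS may use this secret.
        # Use a unique random secret of 16+ characters per client; the
        # original sample shared "rad123" across all clients, which lets a
        # compromised device impersonate any other NAS.
        secret          = CHANGE_ME_TO_A_RANDOM_SECRET_AAA_ASR1
        # Note: "AAA_ASR1" is also the shortname of the 2001::1 stanza above.
        shortname       = AAA_ASR1
}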
 
 
#client 10.10.10.10 {
#       # secret and password are mapped through the "secrets" file.
#       secret      = testing123
#       shortname   = liv1
#       # the following three fields are optional, but may be used by
#       # checkrad.pl for simultaneous usage checks
#       nastype     = livingston
#       login       = !root
#       password    = someadminpas
#}
 
#######################################################################
#
#  Per-socket client lists.  The configuration entries are exactly
#  the same as above, but they are nested inside of a section.
#
#  You can have as many per-socket client lists as you have "listen"
#  sections, or you can re-use a list among multiple "listen" sections.
#
#  Un-comment this section, and edit a "listen" section to add:
#  "clients = per_socket_clients".  That IP address/port combination
#  will then accept ONLY the clients listed in this section.
#
#clients per_socket_clients {
#       client 192.168.3.4 {
#               secret = testing123
#        }
#}
 
 
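#!/usr/bin/env bash
# Allow inbound RADIUS: authentication on UDP 1812 (IANA) and 1645 (legacy),
# accounting on UDP 1813 (IANA) and 1646 (legacy).
#
# NOTE: the INPUT chain's default policy is ACCEPT (see the iptables-save
# output below), so these rules change nothing until that policy is set to
# DROP.  When it is, restrict each rule to the NAS addresses defined in
# clients.conf (e.g. append "-s 9.14.14.14/32") instead of accepting the
# RADIUS ports from any source: UDP RADIUS has no protection beyond the
# shared secret, and an open port lets anyone probe it.
#
# The IPv6 listener (2001::1234) and client (2001::1) need the same rules
# in ip6tables; the original session only added IPv4 rules.
set -euo pipefail

for port in 1812 1813 1645 1646; do
  iptables  -I INPUT 1 -p udp --dport "$port" -j ACCEPT
  ip6tables -I INPUT 1 -p udp --dport "$port" -j ACCEPT
done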
root@ubuntu-2:~# iptables-save
# Generated by iptables-save v1.4.12 on Sat Oct 25 14:11:30 2014
*filter
:INPUT ACCEPT [36:4425]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [20:2880]
-A INPUT -p udp -m udp --dport 1646 -j ACCEPT
-A INPUT -p udp -m udp --dport 1645 -j ACCEPT
-A INPUT -p udp -m udp --dport 1813 -j ACCEPT
-A INPUT -p udp -m udp --dport 1812 -j ACCEPT
COMMIT
# Completed on Sat Oct 25 14:11:30 2014
root@ubuntu-2:~#
root@ubuntu-2:~#
root@ubuntu-2:~#
 
Edit /etc/freeradius/users to define the accounts the NAS devices will authenticate against. Below is a sample for reference. Note that `Cleartext-Password` stores each password in plaintext on disk, and that `freeradius -X` prints the submitted password in its debug output (see the transcript at the end of this page), so keep the file readable only by root and the freerad group (mode 0640) and treat debug output as sensitive.
 
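# /etc/freeradius/users -- static accounts for rlm_files.
# Format:  <name>  <check items>
#                  <reply items>, one per line, comma-terminated except the last.
#
# WARNING: Cleartext-Password keeps every credential in plaintext on disk.
# Keep this file root:freerad 0640 and, where the NAS authentication method
# allows it (PAP does), prefer a hashed form such as Crypt-Password or
# SSHA-Password, or an external user store.
# Reply values use the canonical names from the RADIUS dictionary
# (Login-User, Framed-User); the test transcript at the end of this page
# shows the server replying with Service-Type = Framed-User.

# Interactive login on the NAS.  "shell:priv-lvl=15" drops the user straight
# into the highest Cisco privilege level, i.e. full administrative access.
client2     Cleartext-Password := "welcome"
            Service-Type = Login-User,
            Cisco-Avpair = "shell:priv-lvl=15"

client_test Cleartext-Password := "cisco"
            Service-Type = Login-User,
            Cisco-Avpair = "shell:priv-lvl=15"

# Framed (PPP/VPN-style) session rather than an interactive shell.
client1     Cleartext-Password := "welcome"
            Service-Type = Framed-User

# Presumably the user name a Cisco device sends when "enable 15" is
# authenticated via RADIUS ($enab<level>$) -- confirm against the NAS
# configuration.  The original sample reused the RADIUS shared secret
# ("rad123") as this enable password; the two must be independent secrets.
$enab15$    Cleartext-Password := "CHANGE_ME_ENABLE_PASSWORD"
            Cisco-Avpair = "shell:priv-lvl=15"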
 
 
########################################################
 
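#!/usr/bin/env bash
# Start one debug-mode listener per (address, port) pair: the IANA port 1812
# and the legacy port 1645, on the server's IPv6 and IPv4 addresses.
#
# Stop the packaged daemon first if it is still running from the earlier
# "service freeradius restart": by default it listens on 1812 on all IPv4
# addresses, so the IPv4 instance started here would fail to bind that port.
service freeradius stop

# -X is full debug mode: it prints every request and reply, including
# cleartext User-Password values (see the radtest transcript below), to the
# terminal.  Use it for troubleshooting only, never as the production
# daemon, and scrub passwords before pasting the output anywhere.  These
# backgrounded processes also die with the terminal session.
for port in 1645 1812; do
  for addr in 2001::1234 10.104.99.222; do
    /usr/sbin/freeradius -i "$addr" -p "$port" -X &
  done
done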
 
 
#######################################################
 
Server logs are written under:
 
/var/log/freeradius
 
Accounting records (detail files, which typically contain user names, NAS addresses and session data sent by the NAS, so protect them like logs) are stored under:
 
/var/log/freeradius/radacct
 
Sample test command. The last argument is the shared secret and must match the `secret` of the client stanza whose `ipaddr` equals the source address of the test packet (here 10.104.99.222). The sample clients.conf above uses `rad123`, whereas this transcript was run with `cisco`; the `User-Password` in the server output below is only decoded correctly because the secret matched, so use whatever value your running configuration actually has:
 
radtest client1 welcome 10.104.99.222 1 cisco
 
root@ubuntu-2:/etc/freeradius# radtest client1 welcome 10.104.99.222 1 cisco
Sending Access-Request of id 105 to 10.104.99.222 port 1645
        User-Name = "client1"
        User-Password = "welcome"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1
rad_recv: Access-Request packet from host 10.104.99.222 port 44808, id=105, length=59
        User-Name = "client1"
        User-Password = "welcome"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "client1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry client1 at line 95
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "welcome"
[pap] Using clear text password "welcome"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 105 to 10.104.99.222 port 44808
        Service-Type = Framed-User
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Accept packet from host 10.104.99.222 port 1645, id=105, length=26
        Service-Type = Framed-User
root@ubuntu-2:/etc/freeradius#
 
