Before starting
- VMware Fusion 10
- Fresh Ubuntu VM install
Install FreeRADIUS
- Update Ubuntu VM
silvia@ubuntu:~$ sudo apt-get update
- Install freeradius. I will also install freeradius-mysql to play with MySQL later.
silvia@ubuntu:~$ sudo apt-get install freeradius freeradius-mysql
- Get into root mode
silvia@ubuntu:~$ sudo -i
root@ubuntu:~#
- I like vim
root@ubuntu:~# vim /etc/freeradius/users
The program 'vim' can be found in the following packages:
 * vim
 * vim-gnome
 * vim-tiny
 * vim-athena
 * vim-gtk
 * vim-nox
Try: apt-get install <selected package>
root@ubuntu:~# apt-get install vim
[...]
root@ubuntu:~#
Test PAP subscriber
The first step to getting any authentication working in FreeRADIUS is to configure PAP, or clear-text passwords. Even though many deployments will end up using additional authentication protocols, PAP is the simplest and easiest to configure. And as we will see later, once PAP is configured, many other authentication protocols become simple, too.
In this example, we will configure PAP using the users file. The users file is a flat-text file that allows many common policies to be implemented. It is simple to use, easy to edit, and does not require any additional effort to configure databases like LDAP or SQL. It is therefore the ideal configuration file to use when starting to deploy a new server.
To configure PAP authentication, we must tell the server about a particular user, in this case bob. We must also tell the server what the user's “known good” password is, in this case hello. This “known good” password will be used to validate the password entered by the user and sent to FreeRADIUS by the NAS or AP. If the passwords match, then FreeRADIUS will return an Access-Accept packet. If the passwords do not match, then FreeRADIUS will return an Access-Reject packet.
- Add a test user
root@ubuntu:~# vim /etc/freeradius/users
silvia Cleartext-Password := "password"
#
# Please read the documentation file ../doc/processing_users_file,
# or 'man 5 users' (after installing the server) for more information.
#
# This file contains authentication security and configuration
# information for each user. Accounting requests are NOT processed
# through this file. Instead, see 'acct_users', in this directory.
#
# The first field is the user's name and can be up to
# 253 characters in length. This is followed (on the same line) with
# the list of authentication requirements for that user. This can
# include password, comm server name, comm server port number, protocol
# type (perhaps set by the "hints" file), and huntgroup name (set by
# the "huntgroups" file).
#
# If you are not sure why a particular reply is being sent by the
# server, then run the server in debugging mode (radiusd -X), and
# you will see which entries in this file are matched.
#
[...]
- Enter debug mode
root@ubuntu:~# freeradius -X
FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Jul 26 2017 at 15:30:42
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
[...]
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
Failed binding to authentication address * port 1812: Address already in use
/etc/freeradius/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812
Obs: This error is expected, because the installed freeradius service is already running and holds UDP port 1812, so the debug instance cannot bind to it. netstat shows which process owns the port.
root@ubuntu:~# netstat -unpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:7682 0.0.0.0:* 929/dhclient
udp 0 0 127.0.0.1:18120 0.0.0.0:* 50902/freeradius
udp 0 0 0.0.0.0:1812 0.0.0.0:* 50902/freeradius
udp 0 0 0.0.0.0:1813 0.0.0.0:* 50902/freeradius
udp 0 0 0.0.0.0:1814 0.0.0.0:* 50902/freeradius
udp 0 0 0.0.0.0:68 0.0.0.0:* 929/dhclient
udp 0 0 0.0.0.0:47222 0.0.0.0:* 50902/freeradius
udp6 0 0 :::23210 :::* 929/dhclient
- Test the created user
root@ubuntu:~# radtest silvia password localhost 0 testing123
Sending Access-Request of id 231 to 127.0.0.1 port 1812
User-Name = "silvia"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=231, length=20
^---- This text means that authentication succeeded.
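The exchange that radtest and the server perform above, and the PAP check described in the "Test PAP subscriber" paragraphs, as an added example in Python that is not part of the original post or of FreeRADIUS: the NAS side hides the clear-text User-Password with the shared secret and the Request Authenticator as RFC 2865 prescribes and signs the packet with the Message-Authenticator attribute (RFC 2869) that appears in the radtest output; the server side recovers the password, compares it with the "known good" value from the users file entry added above, and answers with a 20-byte Access-Accept or Access-Reject carrying a Response Authenticator that the NAS verifies. The function names, the in-memory stand-in for the users file and the reuse of the localhost secret testing123 are this example's own assumptions.

```python
"""Added example (not from the tutorial): a minimal PAP RADIUS exchange
modelled on RFC 2865 / RFC 2869. Function names, the in-memory users
dict and the constants below are this example's own."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80

# Constructed stand-in for the users file entry added above.
USERS_FILE = {"silvia": "password"}
# testing123 is the secret radtest was given for localhost in the session above.
SHARED_SECRET = b"testing123"


def attr(atype, value):
    """Encode one attribute as Type, Length, Value (Length counts the header)."""
    return bytes([atype, 2 + len(value)]) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with an MD5
    keystream chained through the previous ciphertext block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out, prev = out + c, c
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password (strips the NUL padding)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth=None):
    """NAS side: the packet radtest sends (attributes mirror its output above)."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes([127, 0, 1, 1]))
             + attr(NAS_PORT, struct.pack(">I", 0))
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    header = struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    # RFC 2869: HMAC-MD5 over the whole packet with the attribute value zeroed.
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_attrs(packet):
    """Return {type: (value, offset of the value within the packet)}."""
    attrs, i = {}, 20
    length = struct.unpack(">H", packet[2:4])[0]
    while i < length:
        atype, alen = packet[i], packet[i + 1]
        attrs[atype] = (packet[i + 2:i + alen], i + 2)
        i += alen
    return attrs


def serve(packet, secret, users):
    """Server side: validate, decide, and build the 20-byte Accept/Reject.
    Returns None when the packet must be silently discarded."""
    code, ident, _ = struct.unpack(">BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet)
    if code != ACCESS_REQUEST or MESSAGE_AUTHENTICATOR not in attrs:
        return None  # this toy server insists on a Message-Authenticator
    mac, off = attrs[MESSAGE_AUTHENTICATOR]
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    if not hmac.compare_digest(mac, hmac.new(secret, zeroed, hashlib.md5).digest()):
        return None  # wrong secret or tampered packet: discard, do not reply
    username = attrs[USER_NAME][0].decode()
    clear = reveal_password(attrs[USER_PASSWORD][0], secret, request_auth)
    known = users.get(username)
    ok = known is not None and hmac.compare_digest(clear, known.encode())
    header = struct.pack(">BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    return header + hashlib.md5(header + request_auth + secret).digest()


def client_outcome(request, reply, secret):
    """NAS side: check the reply really answers our request, then name it."""
    code, ident, length = struct.unpack(">BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(reply[4:20], expected):
        return "invalid reply"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, "unknown")


def run(username, password, secret=SHARED_SECRET, users=USERS_FILE):
    """Full round trip, like 'radtest <user> <password> localhost 0 testing123'."""
    request = build_access_request(231, username, password, secret)
    reply = serve(request, secret, users)
    return client_outcome(request, reply, secret) if reply else "discarded"
```

Calling run("silvia", "password") yields "Access-Accept" and run("silvia", "wrong") yields "Access-Reject", matching the two outcomes the tutorial describes; a packet signed with a different secret, or altered in transit, gets no reply at all, which is why the shared secret on the NAS and in clients.conf must agree before any password check can happen.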
Obs: With the default configuration in Version 2.x and the users file entry above, the following authentication types will just work:
- PAP
- CHAP
- MS-CHAP
- EAP-MD5
- EAP-MSCHAPv2
- Cisco LEAP