Configuring Linux Radius Server by ssy92676


									Configuring Linux Radius Server
• Objectives
   – This chapter will show you how to install and use Radius
• Contents
   –   An Overview Of How Radius Works
   –   Configruation of Radius
   –   Testing Radius server
   –   Setting up Aironet Cisco1200 for radius
   –   Client Setup Windows XP with wireless pccard

• Practical
   – Implementing Radius server
Introducing the elements
  – Network Access Server (NAS) perform authentication, authorization, and
    accounting for users.
  – The network access server, is typically a router, switch, or wireless access point
  – NAS act as a relay that pass or block traffic to and from authenticated clients
  – The RADIUS server is usually a daemon process running on a UNIX or Windows
    2003 server.
  – Authentication and authorization plus accounting are combined together in
  – The Lightweight Directory Access Protocol (LDAP) is an open standard
  – It defines a method for accessing and updating information in a X.500-like
  – LDAP simplifies user administration tasks by managing users in a central
Authentication via RADIUS and LDAP
Installing FreeRADIUS
• Add a testuser                                                      # useradd kalle
   – Add a password for your testuser                                 # passwd kalle
• Building from source
   – Usally a good idea for best optimized           # tar -zxvf freeradius-1.0.2.tar.gz
       code                                          # ./configure
                                                     # make
                                                     # make install
• Start radiusd in debug mode
   – To see if any errors arrives                                           # radiusd -X
• Modify /etc/shadow permission
                                                              # chmod g+r /etc/shadow
• Make the first radius auth test
   – Simulate a user trying to atenticate against the radius server

   0 = fake NAS port                # radtest kalle 123456 localhost 0 testing123
   testing123 is the mandatory common secret for localhost
   NAS clients is found in /etc/raddb/clients.conf
• If radtest receives a response, the FreeRADIUS server is working.
Configure FreeRADIUS
• FreeRADIUS configuration files are usually stored in the
  /etc/raddb folder
• Modifying radiusd.conf to activate logging
   – Find and correct
                                                   log_auth = yes
                                                   log_auth_badpass = yes
                                                   log_auth_goodpass = no

• Setup to enable unix account to serve as autentication and
  add default authentication port’s. Cisco ports can also be
  used, then change this.    port = 0

• Tell radius where you store the users to authenticate
                         files {
                                   usersfile = ${confdir}/users
                                   acctusersfile = ${confdir}/acct_users
                                   compat = no
Configure FreeRADIUS for NAS clients
• Check that clients.conf is declared in radiusd.conf
• Adding the NAS clients in /etc/raddb/clients.conf
   – Add your access points
                              # Cisco Aironet 1235AP
                                   client {
                                          secret = mypass
                                          shortname = ap
                                          nastype = other

• Security is sligthly higher if you point out each NAS with IP
  and have various password for them
• Best match is used by radius server
• Here is a subnet declaration for NAS {
                                              secret    = testing123
                                              shortname = office-network
                                              nastype   = other
FreeRADIUS MAC authentication setting.
• The file /etc/raddb/users contains authentication and
  configuration information for each user.
   – Add change thenfollowing links, place after the informative heater text:

    # user-id (MAC)    Authentication type            password=MAC
    00054e4d3d08 Auth-Type := Local, User-Password == "00054e4d3d08"
    00186e8dc079 Auth-Type := Local, User-Password == "00186e8dc079"

   – We prepare for MAC authentication for users authenticate through the NAS
   – Authentication will be invisible for the enduser
• For more users just add more MAC addresses
• This can be used for almost any Cisco Switch or router.
• Authentication is invisible, users does not need to enter
Configuring the Aironet 1200 (1/2)
•   For No security (open network), login to your AP and goto Express
    1. Enter your SSID cisco
    2. No VLAN (you can have VLAN for your different SSID if you like)
    3. No security
    Click on APPLY
•   Activate your WLAN interfaces
•   Menu Security, check None or a WEP/Chiper if you like. We choose
    none for best network prestanda Customer is adviced to use cisco VPN
    client for security or similar.
•   Menu Security Server Manager
    –   Select RADIUS in Current Server List, list should show <NEW>
    –   Enter your radius server IP address and Shared secret
    –   Standard radius Authentication port 1812 and Accounting port 1813
    –   Click Apply
•   Goto SSID manager and pick your SSID
    – Check Open Authentication and chose with MAC Authentication
    – At server priorities chose Customize and at priority 1 pick your radius server IP address.
    – Click APPLY
Configuring the Aironet 1200 (2/2)
• Next you need to set the AP to use MAC authentication.
   – Again it is the Security panel, goto local RADIUS settings
   – Chose general set-up menu and check MAC at Enable Authentication Protocols
   – Click apply
• Last you need to set the authentication order, here we use ONLY the
  radius server, no local lists.
   – Select MAC Addresses Authenticated by Authentication Server Only
• If you click on security the server based security should look
  something like this now:

• Looking on the SSID on same panel, it should look like this:

To top