Connect communicate collaborate FreeRADIUS configuration Marko Stojakovic, AMRES NA3 T4, Belgrade, 12.09.2011

connect • communicate • collaborate

FreeRADIUS configuration

Marko Stojakovic, AMRES

NA3 T4, Belgrade, 12.09.2011

marko stojakovic

hello everyone,my name is marko stojakovic, and i will present to you freeradius configurationbefore i start i want to emphisize that


Contents

Introduction

FreeRADIUS platform

FreeRADIUS server installation

Authentication configuration

Accounting configuration

Logging configuration

New attributes – CUI and ON

marko stojakovic

the primary goal of this presentation is to present freeradius configuration for....potrebno je naglasiti da ova prezentacija nema glavni cilj da predstavi konfiguraciju potrebnu za eduroam servis već uopšteno za wireless mreže

marko stojakovic

takođe naglasiti da će najviše vremena biti posvećeno authentication configuration temi, tj ona je najbitnija


Introduction

RADIUS – Remote Authentication Dial In User Service

Networking protocol which provides centralized AAA service

“Who are you?” (Authentication)

“What services am I allowed to give you?” (Autorization)

“What did you do with my services while you were using them?” (Accounting)


FreeRADIUS platform (1)

www.freeradius.org

Open-source project

Current version is 2.1.11

Supported OSs:Linux (CentOS, Debian, Mandriva, Red Hat, SUSE, Ubuntu)

FreeBSD

Solaris

OpenBSD..

http://www.freeradius.org/





marko stojakovic

configuration is presented on the centos platform, the comands presented here could be slightly different on other OSs

marko stojakovic

freeradius is widely deployed radius server, it is feature rich, modular and scalableand is free which is very convinient :) current version is 2.1.11 - on the freeradius.org are listed releace notes if anyone wants to see


FreeRADIUS platform (2)

radiusd.conf

clients.conf eap.conf

proxy.conf

sql.conf users

FreeRADIUS

inner-tunnel

ldap

ippool


FreeRADIUS installation (1)

Before FreeRADIUS installation: Make sure your system has gcc, glibc, binutils, and gmake installed before trying to compile

Other dependencies (based on modules that you need):

Openssl, openssl-devel – needed for FR EAP module to work

LDAP (if you have LDAP database)

MySQL

marko stojakovic

Make sure your system at least has gcc, glibc, binutils, and gmake installed before trying to compile



Installation (with output redirection):

./configure -flags > text.filemakemake install (root privileges)

You can use –flags to customize the settings (use --help to see all available flags)



configure --with-openssl .... > config.txt

[root@radius freeradius-server-2.1.11]# ./configure --with-openssl > config.txt

configure: WARNING: snmpget not found - Simultaneous-Use and checkrad.pl may not workconfigure: WARNING: snmpwalk not found - Simultaneous-Use and checkrad.pl may not workconfigure: WARNING: pcap library not found, silently disabling the RADIUS sniffer.configure: WARNING: silently not building rlm_counter.configure: WARNING: FAILURE: rlm_counter requires: libgdbm.configure: WARNING: FAILURE: rlm_dbm requires: (ndbm.h or gdbm/ndbm.h or gdbm-ndbm.h)

(libndbm or libgdbm or libgdbm_compat).configure: WARNING: silently not building rlm_dbm.configure: WARNING: the TNCS library isn't found!configure: WARNING: silently not building rlm_eap_tnc.configure: WARNING: FAILURE: rlm_eap_tnc requires: -lTNCS.configure: WARNING: silently not building rlm_eap_ikev2.configure: WARNING: FAILURE: rlm_eap_ikev2 requires: libeap-ikev2 EAPIKEv2/connector.h.configure: WARNING: silently not building rlm_ippool.configure: WARNING: FAILURE: rlm_ippool requires: libgdbm.configure: WARNING: silently not building rlm_pam.configure: WARNING: FAILURE: rlm_pam requires: libpam.configure: WARNING: silently not building rlm_python.configure: WARNING: FAILURE: rlm_python requires: Python.h.configure: WARNING: silently not building rlm_sql_iodbc.configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodb.



raddb - FreeRADIUS folder

Check if the radius deamon will start (with default configuration)

Starting the server in debugging mode:

radiusd -X

marko stojakovic

marko stojakovic9/2/2011When the server has been installed on a new machine, the first step is to start it in debugging mode, as user root:$ radiusd -XThis step demonstrates that the server is installed and configured properly. If you have installed Version 2 from source, this step will also create the default certificates used for EAP authentication.


FreeRADIUS authentication configuration

Which EAP type to deploy

EAP type configuration

Virtual server configuration

NAS client parameter configuration

Connecting FreeRADIUS with user database

Processing of Auth requests


Which EAP type to deploy (1)

Supported EAP authentication types (by FreeRADIUS):

EAP-TLS

EAP-TTLS

PEAP

EAP-GTC

LEAP

EAP-MD5



If your ID management infrastructure supports X.509 client certificates – then you can use EAP-TLS

If your ID management infrastructure uses username/password:

Passwords in clear-text or as NT-hash? – EAP-TTLS, PEAP

If the passwords are in any other format - then you can use only EAP-TTLS

marko stojakovic

Regarding the identity management backend, the most fundamental differentiation between EAP types is the type of credential they support.

marko stojakovic

i will concentrate on ttls and peap



clear-text

NT-hash

MD5 hash

Salted MD5 hash

SHA1 hash

Salted SH1 hash

Unix Crypt

PAP o o o o o o o

CHAP o x x x x x x

Digest o x x x x x x

MS-Chap o o x x x x x

PEAP o o x x x x x

EAP-MSCHAPv2 o o x x x x x

Cisco LEAP o o x x x x x

EAP-GTC o o o o o o o

EAP-MD5 o x x x x x x

EAP-SIM o x x x x x x


EAP type configurationraddb/eap.conf

eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = whatever private_key_file =${certdir}/private.key certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = /dev/urandom fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" }

ttls { default_eap_type = pap copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } }


Virtual server creation (1)

Two virtual servers

First one processes requests before the EAP tunnel is established (“outer-tunnel”)

Second one processes requests inside the EAP tunnel (“inner-tunnel”)

Location:raddb/sites-available/outer-tunnelraddb/sites-available/inner-tunnel

Soft link for virtual servers:raddb/sites-enabled/

marko stojakovic

možda bih ovde trebao da kažem kako fr funkcionišeda svaki servis može imati po jedan vsvirtual server configuration enables freeradius server to support multiple services simultaniously


Virtual server creation (2)raddb/sites-available/outer-tunnel

server outer-tunnel {authorize { preprocess chap mschap digest suffix eap files expiration logintime pap

}authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest unix eap}

preacct { preprocess acct_unique suffix files}accounting { detail unix radutmp exec attr_filter.accounting_response}session { radutmp}post-auth { reply_log exec Post-Auth-Type REJECT { attr_filter.access_reject }}pre-proxy {}post-proxy { eap}}


Virtual server creation (3)raddb/sites-available/inner-tunnel

server inner-tunnel {authorize { suffix update control { Proxy-To-Realm := LOCAL } eap files expiration logintime pap}authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix eap}

session { radutmp}post-auth { Post-Auth-Type REJECT { attr_filter.access_reject }}pre-proxy {}post-proxy { eap}


Client parameter configurationraddb/clients.conf

client AP-library { ipaddr = 192.168.1.25 secret = mYs3cr3t shortname = AP1 nastype = other virtual_server = outer-tunnel}

client radius2 { ipaddr = 192.168.6.34 secret = uRs3cr3t shortname = radius2 nastype = other virtual_server = outer-tunnel}

marko stojakovic

RADIUS is based on a client-server model. The NAS-devices (Access Points, switches etc.) forward credentials to a RADIUS server, i.e. act as a client, and therefore need to be defined on the RADIUS server. Other RADIUS servers can act as a client as well, so every kind of RADIUS-request can be forwarded to another server.


Connecting to user database (1)

User database:

LDAP – Lightweight Directory Access Protocol

Active Directory

FreeRADIUS users file

Additional configuration lines should be added to inner-tunnel

Configuration of additional modules depends of database type


Connecting to user database (2)- LDAP

LDAP configuration file /raddb/modules/ldapldap { server = "localhost" identity = "uid=reader,ou=SystemAccounts,dc=bg,dc=ac,dc=rs" password = b1g$3cr3t basedn = "ou=People,dc=bg,dc=ac,dc=rs“ ...

Mapping between RADIUS and LDAP attributes is configured in /raddb/ldap.attrmap

checkItem SMB-Account-CTRL-TEXT acctFlagscheckItem Expiration radiusExpirationcheckItem NAS-IP-Address radiusNASIpAddresscheckItem Cleartext-Password userPasswordcheckItem User-Name uid#checkItem Pool-Name ismemberof


Connecting to user database (3)- LDAP – inner-tunnel

authorize { suffix update control { Proxy-To-Realm := LOCAL } eap files ldap expiration logintime pap}authenticate { Auth-Type PAP { pap }


Connecting to user database (4)- Active Directory

Kerberos

Samba

ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=pass

Configuration of /raddb/modules/ntlm_auth file

exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=Domain --

username=%{Stripped-User-Name} -password=%{User-Password}"}


Connecting to user database (5)

- Active Directory – inner-tunnelauthorize { suffix update control { Proxy-To-Realm := LOCAL Auth-Type := ntlm_auth } eap files ntlm_auth expiration logintime pap}authenticate { Auth-Type ntlm_auth { ntlm_auth }


john Cleartext-Password:= “J0#n46!“

Manipulation with authentication requests

Adding configuration parametar files to inner-tunnel:

server inner-tunnel {authorize { auth_log eap

files mschap pap}

Connecting to user database (6)- FR users file


Processing of Auth requests

Do we want to process the requests only localy or some authentication requests requires proxying to another server?

IdP or IdP+RP (eduroam)?

Relevant configuration file is raddb/proxy.conf


Processing of Auth requests proxy.conf – Local

proxy server { default_fallback = no}home_server localhost { type = auth+acct ipaddr = 127.0.0.1 port = 1812 secret = testing123 response_window = 20 zombie_period = 40 revive_interval = 120 status_check = status-server check_interval = 30 num_answers_to_alive = 3}realm inst-domain { authhost = LOCAL accthost = LOCAL User-Name = "%{Stripped-User-Name}"}realm LOCAL {}realm NULL {}


Processing of Auth requests proxy.conf – Local + Proxy

proxy server { default_fallback = no}home_server localhost { type = auth+acct ipaddr = 127.0.0.1 port = 1812 secret = testing123 response_window = 20 zombie_period = 40 revive_interval = 120 status_check = status-server check_interval = 30 num_answers_to_alive = 3}realm inst-domain { authhost = LOCAL accthost = LOCAL User-Name = "%{Stripped-User-Name}"}realm LOCAL {}realm NULL {}

home_server radius2 { type = auth+acct ipaddr = 192.168.14.15 port = 1812 secret = r@diu$ response_window = 20 zombie_period = 40 revive_interval = 120 status_check = status-server check_interval = 30 num_answers_to_alive = 3}home_server_pool radius2 { home_server = radius2}realm DEFAULT { pool = radius2 nostrip}


RADIUS Accounting configuration (1)

Depends of whether the devices that you use as NAS supports RADIUS Acct (Cisco, Lancom)

MySQL configuration:Create a table (table examples can be found in raddb/sql/mysql/)

Create a user with write priviledges

FreeRADIUS configuration: Create accounting queries in something.conf in raddb/sql/mysql/Edit raddb/sql.conf


RADIUS Accounting configuration (2)raddb/sql.conf

sql ws-test { database = "mysql" driver = "rlm_sql_${database}" server = “192.168.14.23" login = “jupiter" password = “s@turn" radius_db = "radius" acct_table1 = “table1" acct_table2 = “table1" postauth_table = "radpostauth" authcheck_table = "radcheck" authreply_table = "radreply" groupcheck_table = "radgroupcheck" groupreply_table = "radgroupreply" usergroup_table = "radusergroup" deletestalesessions = yes sqltrace = yes sqltracefile = ${logdir}/sqltrace.sql num_sql_socks = 5 connect_failure_retry_delay = 60 nas_table = "nas" $INCLUDE sql/${database}/something.conf}


RADIUS Accounting configuration (3)raddb/sites-available/outer-tunnel

...preacct { preprocess acct_unique suffix files}accounting { ws-test detail unix radutmp exec attr_filter.accounting_response}session { radutmp}...


FreeRADIUS logs- Syslog

The file location var/log/radius/radius.log

Fri Sep 9 12:07:34 2011 : Auth: Login OK: [[email protected]] (from client cisco5508-L port 1 cli 04-18-0f-d6-50-13)

Configure raddb/radiusd.conf

....

log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = yes auth_badpass = no auth_goodpass = no}...


FreeRADIUS logsAuth messages logging

In communication with one client we can log (inside and outside the tunnel) :

Authentication requests

Reply messages

Pre proxy messages

Post proxy messages

Containing folder, by default:

var/log/radius/radacct/client-ip-address/logmessagetype-date


FreeRADIUS logsAuth messages logging - example

var/log/radius/radacct/147.91.6.201/auth-detail-20110809

Thu Sep 8 12:06:09 2011 Packet-Type = Access-Request User-Name = "[email protected]" Calling-Station-Id = "00-1c-26-60-27-69" Called-Station-Id = "18-ef-63-fc-d7-c0:eduroam" NAS-Port = 1 NAS-IP-Address = 147.91.6.201 NAS-Identifier = "cisco5508-L" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "300" EAP-Message = 0x020600061500 State = 0x4c78ac7b4f7eb9522dd950731fb7c846 Message-Authenticator =

0x2121578d2198dc33a29bff1fdf092c4a

Thu Sep 8 12:06:10 2011 Packet-Type = Access-Request User-Name = "[email protected]" FreeRADIUS-Proxied-To = 127.0.0.1 Calling-Station-Id = "00-1c-26-60-27-69" Called-Station-Id = "18-ef-63-fc-d7-c0:eduroam" NAS-Port = 1 NAS-IP-Address = 147.91.6.201 NAS-Identifier = "cisco5508-L" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "300"



server outer-tunnel {authorize { auth_log preprocess chap mschap digest suffix eap files expiration logintime pap

}authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest unix eap}

preacct { preprocess acct_unique suffix files}accounting { detail unix radutmp exec attr_filter.accounting_response}session { radutmp}post-auth { reply_log exec Post-Auth-Type REJECT { attr_filter.access_reject }}pre-proxy { pre_proxy_log}post-proxy { post_proxy_log eap}}



server inner-tunnel {authorize { auth_log suffix update control { Proxy-To-Realm := LOCAL } eap files expiration logintime pap}authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix eap}

session { radutmp}post-auth { reply_log Post-Auth-Type REJECT { attr_filter.access_reject }}pre-proxy { pre_proxy_log}post-proxy { post_proxy_log eap}


New attributes - CUI and ON

eduroam has a problem with logging of users from other realms – if some visitor makes an incident, the resource provider can only block the entire visitor’s realm

Solution: CUI – Chargeable User Identity and ON (Operator Name)



Auth-Request

Resource Provider

Identitty Provider

[email protected]

[email protected]

Auth-RequestUser = [email protected] = “ ”ON = domain.rp

[email protected]

Auth = OKUser = [email protected] = “2bf04dd2913b0334fd50”

CUI = hash {john & ON}

(real username = [email protected])



Inside the Access-Request, resource provider sends the empty CUI attribute along with ON (Operator Name) attribute

Based on User Name and Operator Name, the identity provider creates random value (CUI) and returns it to the RP

This number presents the unique identifier for every visiting user


New attributes - CUI and ONconfiguration

Configuration – raddb/policy.conf (FR version 2.1.11) defines

cui_postauth (for IdP)

cui_pre_proxy (for RP)

cui_updatedb (for RP)

cui_accounting (for RP)


The end

questions?

Documents

Connect communicate collaborate FreeRADIUS configuration Marko Stojakovic, AMRES NA3 T4, Belgrade, 12.09.2011