FreeRADIUS
Table of Contents
FreeRADIUS
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why Subscribe?
Free Access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Time for action – heading
What just happened?
Pop quiz – heading
Have a go hero – heading
Reader feedback
Customer support
Errata
Piracy
Questions
1. Introduction to AAA and RADIUS
Authentication, Authorization, and Accounting
Authentication
Authorization
Accounting
RADIUS
RADIUS protocol (RFC2865)
The data packet
Code
Identifier
Length
Authenticator
Attributes
Conclusion
AVPs
Type
Length
Value
Vendor-Specific Attributes (VSAs)
Proxying and realms
RADIUS server
RADIUS client
RADIUS accounting (RFC2866)
Operation
Packet format
Acct-Status-Type (Type40)
Acct-Input-Octets (Type42)
Acct-Output-Octets (Type43)
Acct-Session-Id (Type44)
Acct-Session-Time (Type46)
Acct-Terminate-Cause (Type49)
Conclusion
RADIUS extensions
Dynamic Authorization extension (RFC5176)
Disconnect-Message (DM)
Change-of-Authorization Message (CoA)
RADIUS support for EAP (RFC3579)
FreeRADIUS
History
Strengths
Weaknesses
The competition
Summary
Pop quiz – RADIUS knowledge
2. Installation
Before you start
Pre-built binary
Time for action – installing FreeRADIUS
What just happened?
Advantages
Extra packages
Available packages
CentOS
SUSE
Ubuntu
Special considerations
Remember the firewall
CentOS
SUSE
Have a go hero – installing from source
Building from source
Advantages of building packages
CentOS
Time for action – building CentOS RPMs
What just happened?
Installing rpm-build
The source RPM package
The package name
Updating an existing installation
SUSE
Time for action – SUSE: from tarball to RPMs
Adding an OpenSUSE repository
What just happened?
zypper or yast -i
Tweaks done by hand
Ubuntu
Time for action – Ubuntu: from tarball to debs
What just happened?
Installing dpkg-dev
Using build-dep
fakeroot
dpkg-buildpackage
Installing the debs
For those preferring the old school
Installed executables
Running as root or not
Dictionary access for client programs
Ensure proper start-up
Summary
Pop quiz – installation
3. Getting Started with FreeRADIUS
A simple setup
Time for action – configuring FreeRADIUS
What just happened?
Configuring FreeRADIUS
Clients
Sections
Client identification
Shared secret
Message-Authenticator
Nastype
Common errors
Users
Files module
PAP module
Users file
Check items
Reply items
Operators
Substitution
DEFAULT user
Login-Time
Simultaneous-Use
Framed-IP-Address
Radtest
Helping yourself
Installed documentation
Man pages
Time for action – discovering available man pages for FreeRADIUS
dpkg systems
rpm systems
radtest revisited
Radclient
What just happened?
Have a go hero – adding more AVPs to the auth request
Configuration file comments
Pop quiz – clients.conf
Online documentation
Online help
Golden rules
Inside radiusd
Configuration files
Important includes
Libraries and dictionaries
FreeRADIUS-specific AVPs
Running as ...
Listen section
Log files
radiusd
Who was logged in and when?
Who is logged in right now?
Summary
4. Authentication
Authentication protocols
PAP
CHAP
MS-CHAP
FreeRADIUS—authorize before authenticate
Time for action – authenticating a user with FreeRADIUS
What just happened?
Access-Request arrives
Authorization
Authorize set Auth-Type
Authorization in action
Authentication
Post-Auth
Finish
Conclusion
Have a go hero – using other authentication protocols
Storing passwords
Hash formats
Time for action – hashing our password
Crypt-Password
MD5-Password
SMD5-Password
SHA-Password
SSHA-Password
NT-Password or LM-Password
What just happened?
Hash formats and authentication protocols
Other authentication methods
One-time passwords
Certificates
Summary
Pop quiz – authentication
5. Sources of Usernames and Passwords
User stores
System users
Time for action – incorporating Linux system users in FreeRADIUS
Preparing rights
SUSE is different
CentOS
Activating system users
What just happened?
Authorize using the unix module
Authenticating using pap
Tips for including system users
MySQL as a user store
Time for action – incorporating a MySQL database in FreeRADIUS
Installing MySQL
Installing FreeRADIUS's MySQL package
Preparing the database
Configuring FreeRADIUS
Connection information
Including the SQL configuration
Virtual server
Testing the MySQL user store
What just happened?
Advantages of SQL over flat files
Other uses for the SQL database
Duplicate users
The database schema
Groups
Have a go hero – exploring group usage
Using SQL Groups
Controlling the use of groups
Profiles
LDAP as a user store
Time for action – connecting FreeRADIUS to LDAP
Installing slapd
Configuring slapd
CentOS
SUSE
Ubuntu
Adding the radiusProfile schema
Populating the LDAP directory
Installing FreeRADIUS's LDAP package
Configuring the ldap module
Testing the LDAP user store
What just happened?
Binding as a user
Advanced use of LDAP
Have a go hero – explore advanced use of LDAP
Ldap-Group and User-Profile AVP
Reading passwords from LDAP
Active Directory as a user store
Time for action – connecting FreeRADIUS to Active Directory
Installing Samba
Configuring Samba
Joining the domain
CentOS
SUSE
Ubuntu
FreeRADIUS and ntlm_auth
PAP Authentication
MS-CHAP Authentication
Summary
Linux system users
SQL database
LDAP directory
Active Directory
Pop quiz – user stores
6. Accounting
Requirements for this chapter
Basic accounting
Time for action – simulate accounting from an NAS
Files for simulation
Starting a session
Ending a session
Orphan sessions
What just happened?
Independence of accounting
NAS: important AVPs
Acct-Status-Type
Acct-Session-Id
AVPs indicating usage
NAS: included AVPs
FreeRADIUS: pre-accounting section
Realms
Setting Acct-Type
FreeRADIUS: accounting section
Minimising orphan sessions
radwho
radzap
Limiting a user's simultaneous sessions
Time for action – limiting a user's simultaneous sessions
What just happened?
Session section
Problems with orphan sessions
checkrad
Limiting the usage of a user
30 minutes per day in total
How FreeRADIUS can help
Time for action – limiting a user's usage
Activating a daily counter
Terminating the session at a specified time
What just happened?
rlm_counter
Have a go hero – using a single database for various counters
Using rlm_sqlcounter
Resetting the counter
SQL module instance
Special variables inside the query
Empty account records
Counters that reset daily
Counting octets
Housekeeping of accounting data
Web-based tools
Summary
Pop quiz – accounting
7. Authorization
Implementing restrictions
Authorization in FreeRADIUS
Introduction to unlang
Using conditional statements
Time for action – using the if statement in unlang
Obtaining a return code using the if statement
Authorizing a user using the if statement
What just happened?
Module return codes
Keywords in unlang
Have a go hero – other tests using conditional statements
Checking if an attribute exists
Using logical expressions to authenticate a user
Attributes and variables
Attribute lists
Time for action – referencing attributes
Attributes in the if statement
What just happened?
Referencing attributes in a condition
Comparison operators
Attribute manipulation
Variables
Time for action – SQL statements as variables
What just happened?
Time for action – setting default values for variables
What just happened?
Time for action – using command substitution
What just happened?
Time for action – using regular expressions
What just happened?
Practical unlang
Limiting data usage
Time for action – using unlang to create a data counter
Defining custom attributes
32-bit limitation
Using the perl module
reset_time.pl
check_usage.pl
Installing the perl module on CentOS
Updating the dictionary files
The recommended way of updating dictionaries
Preparing the users file
Preparing the SQL database
Adding unlang code to the virtual server
The SUSE and Ubuntu bug
Pre-loading Perl library
Testing the data counter
Clean-up
Summary
Pop quiz – authorization
8. Virtual Servers
Why use virtual servers?
Defining and enabling virtual servers
Time for action – creating two virtual servers
What just happened?
Available sub-sections
Enabling and disabling virtual servers
Using enabled virtual servers
Time for action – using a virtual server
What just happened?
Including a virtual server
Handling Post-Auth-Type correctly
Taking care of Type attributes
Virtual server for happy hour
Time for action – incorporating the Hotspot Happy Hour policy
Enabling the Happy Hour virtual server
Adding the virtual server to a client
What just happened?
Defining clients in SQL
Consolidating an existing setup using a virtual server
Time for action – creating a virtual server for the Computer Science faculty
Consolidation implementation
A named files section
A virtual server for the Computer Science faculty
Incorporating the new virtual server
What just happened?
What about users stored in SQL?
When IP addresses and ports clash
Local listen and client sections
IPv6
Listen section → type directive
Pre-defined virtual servers
Summary
Pop quiz – virtual servers
9. Modules
Installed, available, and missing modules
Time for action – discovering available modules
Locating installed modules
What just happened?
Naming convention
Adding alternative paths
Available modules
Missing modules
Including and configuring a module
Time for action – incorporating expiration and linelog modules
What just happened?
Configuring a module
Using modules
Sections that can contain modules
Using one module with different configurations
Have a go hero – creating multiple instances of a module
What just happened?
Order of modules and return codes
Time for action – investigating the order of modules
Access-Request
Return codes
Some interesting modules
Summary
Pop quiz – modules
10. EAP
EAP basics
EAP components
Authenticator
Supplicant
Backend authentication server
EAP conversation
EAPOL-Start
EAPOL-Packet
Practical EAP
Time for action – testing EAP on FreeRADIUS with JRadius Simulator
Preparing FreeRADIUS
Configuring JRadius Simulator
What just happened?
Configuring the eap module
The user store
EAP on the client
EAP in production
Public Key Infrastructure in brief
Creating a PKI
Time for action – creating a RADIUS PKI for your organization
What just happened?
Why use a PKI?
Adding a CA to the client
Configuring the inner-tunnel virtual server
Time for action – testing authentication on the inner-tunnel virtual server
What just happened?
The difference between inner and outer identities
Have a go hero – using JRadius Simulator to test with two identities
What just happened?
Naming conventions for the outer identity
Disabling unused EAP methods
Time for action – disabling unused EAP methods
What just happened?
Message-Authenticator
Summary
Pop quiz – EAP
11. Dictionaries
Why do we need dictionaries?
Parsing requests
Generating responses
How to include dictionaries
Time for action – including new dictionaries
What just happened?
How FreeRADIUS includes dictionary files
Including your own dictionary files
Including dictionary files already installed
Adding private attributes
Updating an existing dictionary
Time for action – updating the MikroTik dictionary
What just happened?
Finding the latest supported attributes
Location of updated dictionary files
Order of inclusions
Attribute names
Upgrading FreeRADIUS
Format of dictionary files
Notes inside the comments
Vendor definitions
Attributes and values
Name field
Number field
Type field
Optional vendor field
Value definitions
Accessing dictionary files
Summary
Pop quiz – dictionaries
12. Roaming and Proxying
Roaming—an overview
Agreement between an ISP and a Telco
Agreement between two organizations
Realms
Time for action – investigating the default realms in FreeRADIUS
What just happened?
Suffix module
NULL realm
Enabling an instance of the realm module
Defining the NULL realm
Time for action – activating the NULL realm
What just happened?
Stripped-User-Name and realm
LOCAL realm
Actions for a realm
Defining a proper realm
Time for action – defining the realm
What just happened?
Rejecting usernames without a realm
Time for action – rejecting requests without a realm
What just happened?
DEFAULT realm
In closing
Proxying
Time for action – configuring proxying between two organizations
What just happened?
Proxying authentication requests
home_server
home_server_pool
Flow chart of an authentication proxy request
Suffix setting control: Proxy-To-Realm
Pre-proxy section
Post-proxy section
EAP and dynamic VLANs
Have a go hero – testing proxying of EAP authentication
Removing and replacing reply attributes
Time for action – filtering reply attributes returned by a home server
What just happened?
Status of the home servers
Time for action – using the preferred way for status checking
Proxying accounting requests
Time for action – simulating proxied accounting
What just happened?
Flow of an accounting proxy request
Updating accounting records after a server outage
Have a go hero – implementing robust-proxy-accounting functionality
Summary
Pop quiz – roaming and proxying
13. Troubleshooting
Basic principles
FreeRADIUS does not start up
Who's using my port?
Checking the configuration
Finding a missing module or library
Fixing a broken external component
FreeRADIUS refuses to start
FreeRADIUS runs despite the display of an error message
FreeRADIUS only reports a problem when answering a request
Using the startup script
FreeRADIUS is slow
Time for action – performing baseline speed testing
What just happened?
Tuning the performance of FreeRADIUS
Main server
LDAP Module
SQL Module
Redundancy and load-balancing
Things beyond our control
FreeRADIUS dies
Client-related problems
Testing UDP connectivity to a RADIUS server
The control-socket virtual server
Time for action – using the control-socket and raddebug for troubleshooting
CentOS
SUSE
Ubuntu
Using raddebug
What just happened?
Remember the log output
Spotting a mismatched shared secret
Options for raddebug
Raddebug auto termination
If there's no output from raddebug
Authenticating users
Editing the users file
Using raddebug
When passwords change
Password length
EAP problems
The CA certificate
Identify where a problem is located
Problems with proxying
Online resources
Using the mailing list
Summary
Pop quiz – troubleshooting
A. Pop Quiz Answers
Chapter 1
Pop quiz – RADIUS knowledge
Chapter 2
Pop quiz – installation
Chapter 3
Pop quiz – clients.conf
Chapter 4
Pop quiz – authentication
Chapter 5
Pop quiz – user stores
Chapter 6
Pop quiz – accounting
Chapter 7
Pop quiz – authorization
Chapter 8
Pop quiz – virtual servers
Chapter 9
Pop quiz – modules
Chapter 10
Pop quiz – EAP
Chapter 11
Pop quiz – dictionaries
Chapter 12
Pop quiz – roaming and proxying
Chapter 13
Pop quiz – troubleshooting
Index