FreeRADIUS Beginner's Guide

Book Description

Manage your network resources with FreeRADIUS.

  • Step-by-step instructions for all the main Linux distributions: CentOS, SUSE, and Ubuntu

  • Discover how to effectively plan and implement Dynamics AX 2009 in your business and fully grasp the necessary hardware, network, and software requirements to do so

  • Know the FreeRADIUS components and understand how they interact

  • Integrate FreeRADIUS into an existing environment or blend it into a larger infrastructure

  • Control and track the usage of network resources by using the most popular RADIUS server today

In Detail

The Open Source pioneers have proved during the past few decades that their code and projects can indeed be more solid and popular than commercial alternatives. With data networks always expanding in size and complexity, FreeRADIUS is at the forefront of controlling access to networks and tracking their usage. Although many vendors have tried to produce better products, FreeRADIUS has proved over time why it is the champion RADIUS server. This book will reveal everything you need to know to get started with using FreeRADIUS.

FreeRADIUS has always been a back-room boy. It is not easy to measure the size or number of deployments worldwide, but all indications are that it outnumbers any commercial alternative available. This essential server is part of ISPs, universities, and many corporate networks, helping to control access and measure usage. It is a solid, flexible, and powerful piece of software, but it can be a mystery to a newcomer.

FreeRADIUS Beginner's Guide is a friend to newcomers to RADIUS and FreeRADIUS. It covers the most popular Linux distributions of today, CentOS, SUSE, and Ubuntu, and discusses all the important aspects of FreeRADIUS deployment: installing, configuring, and testing; security concerns and limitations; and LDAP and Active Directory integration.

It contains plenty of practical exercises that will help you with everything from installation to more advanced configurations such as LDAP and Active Directory integration. It will help you understand authentication, authorization, and accounting in FreeRADIUS. It uses many practical step-by-step examples, discussed in detail, to lead you to a thorough understanding of the FreeRADIUS server as well as the RADIUS protocol. A quiz at the end of each chapter validates your understanding.

Not only can FreeRADIUS be used to monitor and limit the network usage of individual users, but large deployments are also possible with realms and fail-over functionality. FreeRADIUS can work alone or be part of a chain in which the server acts as a proxy for other institutions' users, forwarding their requests to those institutions' servers. FreeRADIUS features one of the most versatile and comprehensive Extensible Authentication Protocol (EAP) implementations. EAP is an essential requirement for implementing enterprise WiFi security. FreeRADIUS Beginner's Guide covers all of these aspects.

A comprehensive guide to deployment and administration of FreeRADIUS on Linux

Table of Contents

  1. FreeRADIUS
    1. Table of Contents
    2. FreeRADIUS
    3. Credits
    4. About the Author
    5. About the Reviewers
    6. www.PacktPub.com
      1. Support files, eBooks, discount offers, and more
        1. Why Subscribe?
        2. Free Access for Packt account holders
    7. Preface
      1. What this book covers
      2. What you need for this book
      3. Who this book is for
      4. Conventions
      5. Time for action – heading
        1. What just happened?
        2. Pop quiz – heading
        3. Have a go hero – heading
      6. Reader feedback
      7. Customer support
        1. Errata
        2. Piracy
        3. Questions
    8. 1. Introduction to AAA and RADIUS
      1. Authentication, Authorization, and Accounting
        1. Authentication
        2. Authorization
        3. Accounting
      2. RADIUS
        1. RADIUS protocol (RFC2865)
          1. The data packet
            1. Code
            2. Identifier
            3. Length
            4. Authenticator
            5. Attributes
            6. Conclusion
          2. AVPs
            1. Type
            2. Length
            3. Value
          3. Vendor-Specific Attributes (VSAs)
          4. Proxying and realms
          5. RADIUS server
          6. RADIUS client
        2. RADIUS accounting (RFC2866)
          1. Operation
          2. Packet format
          3. Acct-Status-Type (Type40)
          4. Acct-Input-Octets (Type42)
          5. Acct-Output-Octets (Type43)
          6. Acct-Session-Id (Type44)
          7. Acct-Session-Time (Type46)
          8. Acct-Terminate-Cause (Type49)
          9. Conclusion
        3. RADIUS extensions
          1. Dynamic Authorization extension (RFC5176)
            1. Disconnect-Message (DM)
            2. Change-of-Authorization Message (CoA)
          2. RADIUS support for EAP (RFC3579)
      3. FreeRADIUS
        1. History
        2. Strengths
        3. Weaknesses
        4. The competition
      4. Summary
        1. Pop quiz – RADIUS knowledge
    9. 2. Installation
      1. Before you start
      2. Pre-built binary
      3. Time for action – installing FreeRADIUS
        1. What just happened?
        2. Advantages
        3. Extra packages
        4. Available packages
          1. CentOS
          2. SUSE
          3. Ubuntu
        5. Special considerations
        6. Remember the firewall
          1. CentOS
          2. SUSE
        7. Have a go hero – installing from source
      4. Building from source
        1. Advantages of building packages
        2. CentOS
      5. Time for action – building CentOS RPMs
        1. What just happened?
          1. Installing rpm-build
          2. The source RPM package
          3. The package name
          4. Updating an existing installation
        2. SUSE
      6. Time for action – SUSE: from tarball to RPMs
        1. Adding an OpenSUSE repository
      7. What just happened?
        1. zypper or yast -i
        2. Tweaks done by hand
      8. Ubuntu
      9. Time for action – Ubuntu: from tarball to debs
        1. What just happened?
          1. Installing dpkg-dev
          2. Using build-dep
          3. fakeroot
          4. dpkg-buildpackage
          5. Installing the debs
        2. For those preferring the old school
      10. Installed executables
      11. Running as root or not
      12. Dictionary access for client programs
      13. Ensure proper start-up
      14. Summary
        1. Pop quiz – installation
    10. 3. Getting Started with FreeRADIUS
      1. A simple setup
      2. Time for action – configuring FreeRADIUS
        1. What just happened?
        2. Configuring FreeRADIUS
        3. Clients
          1. Sections
          2. Client identification
          3. Shared secret
          4. Message-Authenticator
          5. Nastype
          6. Common errors
        4. Users
          1. Files module
          2. PAP module
          3. Users file
            1. Check items
            2. Reply items
            3. Operators
            4. Substitution
            5. DEFAULT user
            6. Login-Time
            7. Simultaneous-Use
            8. Framed-IP-Address
        5. Radtest
      3. Helping yourself
        1. Installed documentation
          1. Man pages
      4. Time for action – discovering available man pages for FreeRADIUS
        1. dpkg systems
        2. rpm systems
        3. radtest revisited
        4. Radclient
      5. What just happened?
      6. Have a go hero – adding more AVPs to the auth request
        1. Configuration file comments
      7. Pop quiz – clients.conf
      8. Online documentation
      9. Online help
      10. Golden rules
      11. Inside radiusd
        1. Configuration files
        2. Important includes
        3. Libraries and dictionaries
        4. FreeRADIUS-specific AVPs
        5. Running as ...
        6. Listen section
        7. Log files
          1. radiusd
          2. Who was logged in and when?
          3. Who is logged in right now?
      12. Summary
    11. 4. Authentication
      1. Authentication protocols
        1. PAP
        2. CHAP
        3. MS-CHAP
      2. FreeRADIUS—authorize before authenticate
      3. Time for action – authenticating a user with FreeRADIUS
        1. What just happened?
        2. Access-Request arrives
        3. Authorization
          1. Authorize set Auth-Type
          2. Authorization in action
        4. Authentication
        5. Post-Auth
        6. Finish
        7. Conclusion
        8. Have a go hero – using other authentication protocols
      4. Storing passwords
        1. Hash formats
      5. Time for action – hashing our password
        1. Crypt-Password
        2. MD5-Password
        3. SMD5-Password
        4. SHA-Password
        5. SSHA-Password
        6. NT-Password or LM-Password
        7. What just happened?
        8. Hash formats and authentication protocols
      6. Other authentication methods
        1. One-time passwords
        2. Certificates
      7. Summary
        1. Pop quiz – authentication
    12. 5. Sources of Usernames and Passwords
      1. User stores
      2. System users
      3. Time for action – incorporating Linux system users in FreeRADIUS
        1. Preparing rights
          1. SUSE is different
          2. CentOS
          3. Activating system users
        2. What just happened?
        3. Authorize using the unix module
        4. Authenticating using pap
        5. Tips for including system users
      4. MySQL as a user store
      5. Time for action – incorporating a MySQL database in FreeRADIUS
        1. Installing MySQL
        2. Installing FreeRADIUS's MySQL package
        3. Preparing the database
        4. Configuring FreeRADIUS
          1. Connection information
          2. Including the SQL configuration
          3. Virtual server
        5. Testing the MySQL user store
        6. What just happened?
        7. Advantages of SQL over flat files
        8. Other uses for the SQL database
        9. Duplicate users
        10. The database schema
          1. Groups
        11. Have a go hero – exploring group usage
          1. Using SQL Groups
          2. Controlling the use of groups
          3. Profiles
      6. LDAP as a user store
      7. Time for action – connecting FreeRADIUS to LDAP
        1. Installing slapd
        2. Configuring slapd
          1. CentOS
          2. SUSE
          3. Ubuntu
        3. Adding the radiusProfile schema
        4. Populating the LDAP directory
        5. Installing FreeRADIUS's LDAP package
        6. Configuring the ldap module
        7. Testing the LDAP user store
        8. What just happened?
        9. Binding as a user
        10. Advanced use of LDAP
        11. Have a go hero – explore advanced use of LDAP
          1. Ldap-Group and User-Profile AVP
          2. Reading passwords from LDAP
      8. Active Directory as a user store
      9. Time for action – connecting FreeRADIUS to Active Directory
        1. Installing Samba
        2. Configuring Samba
        3. Joining the domain
          1. CentOS
          2. SUSE
          3. Ubuntu
        4. FreeRADIUS and ntlm_auth
          1. PAP Authentication
          2. MS-CHAP Authentication
      10. Summary
        1. Linux system users
        2. SQL database
        3. LDAP directory
        4. Active Directory
        5. Pop quiz – user stores
    13. 6. Accounting
      1. Requirements for this chapter
      2. Basic accounting
      3. Time for action – simulate accounting from an NAS
        1. Files for simulation
        2. Starting a session
        3. Ending a session
        4. Orphan sessions
        5. What just happened?
        6. Independence of accounting
        7. NAS: important AVPs
          1. Acct-Status-Type
          2. Acct-Session-Id
          3. AVPs indicating usage
        8. NAS: included AVPs
        9. FreeRADIUS: pre-accounting section
          1. Realms
          2. Setting Acct-Type
        10. FreeRADIUS: accounting section
        11. Minimising orphan sessions
        12. radwho
        13. radzap
      4. Limiting a user's simultaneous sessions
      5. Time for action – limiting a user's simultaneous sessions
        1. What just happened?
        2. Session section
        3. Problems with orphan sessions
        4. checkrad
      6. Limiting the usage of a user
        1. 30 minutes per day in total
        2. How FreeRADIUS can help
      7. Time for action – limiting a user's usage
        1. Activating a daily counter
        2. Terminating the session at a specified time
        3. What just happened?
        4. rlm_counter
        5. Have a go hero – using a single database for various counters
        6. Using rlm_sqlcounter
        7. Resetting the counter
        8. SQL module instance
        9. Special variables inside the query
        10. Empty account records
        11. Counters that reset daily
        12. Counting octets
      8. Housekeeping of accounting data
        1. Web-based tools
      9. Summary
        1. Pop quiz – accounting
    14. 7. Authorization
      1. Implementing restrictions
      2. Authorization in FreeRADIUS
      3. Introduction to unlang
        1. Using conditional statements
      4. Time for action – using the if statement in unlang
        1. Obtaining a return code using the if statement
          1. Authorizing a user using the if statement
          2. What just happened?
            1. Module return codes
            2. Keywords in unlang
          3. Have a go hero – other tests using conditional statements
          4. Checking if an attribute exists
          5. Using logical expressions to authenticate a user
        2. Attributes and variables
          1. Attribute lists
      5. Time for action – referencing attributes
        1. Attributes in the if statement
          1. What just happened?
            1. Referencing attributes in a condition
            2. Comparison operators
            3. Attribute manipulation
          2. Variables
      6. Time for action – SQL statements as variables
        1. What just happened?
      7. Time for action – setting default values for variables
        1. What just happened?
      8. Time for action – using command substitution
        1. What just happened?
      9. Time for action – using regular expressions
        1. What just happened?
      10. Practical unlang
        1. Limiting data usage
      11. Time for action – using unlang to create a data counter
        1. Defining custom attributes
          1. 32-bit limitation
        2. Using the perl module
          1. reset_time.pl
          2. check_usage.pl
          3. Installing the perl module on CentOS
        3. Updating the dictionary files
          1. The recommended way of updating dictionaries
        4. Preparing the users file
        5. Preparing the SQL database
        6. Adding unlang code to the virtual server
        7. The SUSE and Ubuntu bug
          1. Pre-loading Perl library
        8. Testing the data counter
        9. Clean-up
      12. Summary
        1. Pop quiz – authorization
    15. 8. Virtual Servers
      1. Why use virtual servers?
      2. Defining and enabling virtual servers
      3. Time for action – creating two virtual servers
        1. What just happened?
        2. Available sub-sections
        3. Enabling and disabling virtual servers
      4. Using enabled virtual servers
      5. Time for action – using a virtual server
        1. What just happened?
        2. Including a virtual server
        3. Handling Post-Auth-Type correctly
          1. Taking care of Type attributes
      6. Virtual server for happy hour
      7. Time for action – incorporating the Hotspot Happy Hour policy
        1. Enabling the Happy Hour virtual server
        2. Adding the virtual server to a client
        3. What just happened?
        4. Defining clients in SQL
      8. Consolidating an existing setup using a virtual server
      9. Time for action – creating a virtual server for the Computer Science faculty
        1. Consolidation implementation
        2. A named files section
        3. A virtual server for the Computer Science faculty
        4. Incorporating the new virtual server
        5. What just happened?
        6. What about users stored in SQL?
        7. When IP addresses and ports clash
        8. Local listen and client sections
          1. IPv6
          2. Listen section → type directive
      10. Pre-defined virtual servers
      11. Summary
        1. Pop quiz – virtual servers
    16. 9. Modules
      1. Installed, available, and missing modules
      2. Time for action – discovering available modules
        1. Locating installed modules
        2. What just happened?
          1. Naming convention
          2. Adding alternative paths
        3. Available modules
        4. Missing modules
      3. Including and configuring a module
      4. Time for action – incorporating expiration and linelog modules
        1. What just happened?
        2. Configuring a module
          1. Using modules
        3. Sections that can contain modules
      5. Using one module with different configurations
        1. Have a go hero – creating multiple instances of a module
        2. What just happened?
      6. Order of modules and return codes
      7. Time for action – investigating the order of modules
        1. Access-Request
        2. Return codes
      8. Some interesting modules
      9. Summary
        1. Pop quiz – modules
    17. 10. EAP
      1. EAP basics
        1. EAP components
          1. Authenticator
          2. Supplicant
          3. Backend authentication server
        2. EAP conversation
          1. EAPOL-Start
          2. EAPOL-Packet
      2. Practical EAP
      3. Time for action – testing EAP on FreeRADIUS with JRadius Simulator
        1. Preparing FreeRADIUS
        2. Configuring JRadius Simulator
        3. What just happened?
        4. Configuring the eap module
          1. The user store
          2. EAP on the client
      4. EAP in production
        1. Public Key Infrastructure in brief
        2. Creating a PKI
      5. Time for action – creating a RADIUS PKI for your organization
        1. What just happened?
          1. Why use a PKI?
          2. Adding a CA to the client
        2. Configuring the inner-tunnel virtual server
      6. Time for action – testing authentication on the inner-tunnel virtual server
        1. What just happened?
        2. The difference between inner and outer identities
        3. Have a go hero – using JRadius Simulator to test with two identities
        4. What just happened?
          1. Naming conventions for the outer identity
        5. Disabling unused EAP methods
      7. Time for action – disabling unused EAP methods
        1. What just happened?
          1. Message-Authenticator
      8. Summary
        1. Pop quiz – EAP
    18. 11. Dictionaries
      1. Why do we need dictionaries?
        1. Parsing requests
        2. Generating responses
      2. How to include dictionaries
      3. Time for action – including new dictionaries
        1. What just happened?
      4. How FreeRADIUS includes dictionary files
        1. Including your own dictionary files
          1. Including dictionary files already installed
          2. Adding private attributes
          3. Updating an existing dictionary
      5. Time for action – updating the MikroTik dictionary
        1. What just happened?
          1. Finding the latest supported attributes
          2. Location of updated dictionary files
          3. Order of inclusions
          4. Attribute names
          5. Upgrading FreeRADIUS
      6. Format of dictionary files
        1. Notes inside the comments
        2. Vendor definitions
        3. Attributes and values
          1. Name field
          2. Number field
          3. Type field
          4. Optional vendor field
          5. Value definitions
        4. Accessing dictionary files
      7. Summary
        1. Pop quiz – dictionaries
    19. 12. Roaming and Proxying
      1. Roaming—an overview
        1. Agreement between an ISP and a Telco
        2. Agreement between two organizations
      2. Realms
      3. Time for action – investigating the default realms in FreeRADIUS
        1. What just happened?
          1. Suffix module
          2. NULL realm
          3. Enabling an instance of the realm module
        2. Defining the NULL realm
      4. Time for action – activating the NULL realm
        1. What just happened?
          1. Stripped-User-Name and realm
          2. LOCAL realm
          3. Actions for a realm
        2. Defining a proper realm
      5. Time for action – defining the realm
        1. What just happened?
        2. Rejecting usernames without a realm
      6. Time for action – rejecting requests without a realm
        1. What just happened?
        2. DEFAULT realm
        3. In closing
      7. Proxying
      8. Time for action – configuring proxying between two organizations
        1. What just happened?
        2. Proxying authentication requests
          1. home_server
          2. home_server_pool
        3. Flow chart of an authentication proxy request
          1. Suffix setting control: Proxy-To-Realm
          2. Pre-proxy section
          3. Post-proxy section
        4. EAP and dynamic VLANs
      9. Have a go hero – testing proxying of EAP authentication
        1. Removing and replacing reply attributes
      10. Time for action – filtering reply attributes returned by a home server
        1. What just happened?
          1. Status of the home servers
      11. Time for action – using the preferred way for status checking
        1. Proxying accounting requests
      12. Time for action – simulating proxied accounting
        1. What just happened?
          1. Flow of an accounting proxy request
          2. Updating accounting records after a server outage
        2. Have a go hero – implementing robust-proxy-accounting functionality
      13. Summary
        1. Pop quiz – roaming and proxying
    20. 13. Troubleshooting
      1. Basic principles
      2. FreeRADIUS does not start up
        1. Who's using my port?
          1. Checking the configuration
        2. Finding a missing module or library
        3. Fixing a broken external component
          1. FreeRADIUS refuses to start
          2. FreeRADIUS runs despite the display of an error message
          3. FreeRADIUS only reports a problem when answering a request
        4. Using the startup script
      3. FreeRADIUS is slow
      4. Time for action – performing baseline speed testing
        1. What just happened?
        2. Tuning the performance of FreeRADIUS
          1. Main server
          2. LDAP Module
          3. SQL Module
        3. Redundancy and load-balancing
        4. Things beyond our control
      5. FreeRADIUS dies
      6. Client-related problems
        1. Testing UDP connectivity to a RADIUS server
        2. The control-socket virtual server
      7. Time for action – using the control-socket and raddebug for troubleshooting
        1. CentOS
        2. SUSE
        3. Ubuntu
        4. Using raddebug
        5. What just happened?
          1. Remember the log output
          2. Spotting a mismatched shared secret
          3. Options for raddebug
          4. Raddebug auto termination
          5. If there's no output from raddebug
      8. Authenticating users
        1. Editing the users file
        2. Using raddebug
        3. When passwords change
          1. Password length
        4. EAP problems
          1. The CA certificate
          2. Identify where a problem is located
      9. Problems with proxying
      10. Online resources
      11. Using the mailing list
      12. Summary
        1. Pop quiz – troubleshooting
    21. A. Pop Quiz Answers
      1. Chapter 1
        1. Pop quiz – RADIUS knowledge
      2. Chapter 2
        1. Pop quiz – installation
      3. Chapter 3
        1. Pop quiz – clients.conf
      4. Chapter 4
        1. Pop quiz – authentication
      5. Chapter 5
        1. Pop quiz – user stores
      6. Chapter 6
        1. Pop quiz – accounting
      7. Chapter 7
        1. Pop quiz – authorization
      8. Chapter 8
        1. Pop quiz – virtual servers
      9. Chapter 9
        1. Pop quiz – modules
      10. Chapter 10
        1. Pop quiz – EAP
      11. Chapter 11
        1. Pop quiz – dictionaries
      12. Chapter 12
        1. Pop quiz – roaming and proxying
      13. Chapter 13
        1. Pop quiz – troubleshooting
    22. Index