O'Reilly Book Excerpts: RADIUS
Getting Started with FreeRADIUS
Editor's note: RADIUS author Jonathan Hassell brings practical suggestions and advice in his book for implementing RADIUS, and he provides instructions for using an open source variation called FreeRADIUS. In this excerpt, Jonathan shows you how to install, configure, and test FreeRADIUS.
[RADIUS covers, among other things,] the theoretical underpinnings of both the authentication-authorization-accounting (AAA) architecture as well as the specific implementation of AAA characteristics that is the RADIUS protocol. [In this excerpt from Chapter 5], I will now focus on practical applications of RADIUS: implementing it, customizing it for your specific needs, and extending its capabilities to meet other needs in your business. First, though, I need a product that talks RADIUS.
Introduction to FreeRADIUS
The developers of FreeRADIUS speak on their product and its development, from the FreeRADIUS Web site:
FreeRADIUS is one of the most modular and featureful [sic] RADIUS servers available today. It has been written by a team of developers who have more than a decade of collective experience in implementing and deploying RADIUS software, in software engineering, and in Unix package management. The product is the result of synergy between many of the best-known names in free software-based RADIUS implementations, including several developers of the Debian GNU/Linux operating system, and is distributed under the GNU GPL (version 2).
FreeRADIUS is a complete rewrite, ground-up compilation of a RADIUS server. The configuration files exhibit many similarities to the old Livingston RADIUS server. The product includes support for:
- Limiting the maximum number of simultaneous logons, even on a per-user basis
- More than one DEFAULT entry, with each being capable of "falling through" to the next
- Permitting and denying access to users based on the huntgroup to which they are connected
- Setting certain parameters to be
- Intelligent "hints" files that select authentication protocols based on the syntax of the username
- Executing external programs upon successful login
- Using the $INCLUDE filename format with configuration, users, and dictionary files
- Vendor-specific attributes
- Acting as a proxy RADIUS server
FreeRADIUS supports the following popular NAS equipment:
- 3Com/USR Hiper Arc Total Control
- 3Com/USR NetServer
- 3Com/USR TotalControl
- Ascend Max 4000 family
- Cisco Access Server family
- Cistron PortSlave
- Computone PowerRack
- Cyclades PathRAS
- Livingston PortMaster
- Multitech CommPlete Server
- Patton 2800 family
FreeRADIUS is available for a wide range of platforms, including Linux, FreeBSD, OpenBSD, OSF/Unix, and Solaris. For the purposes of this book, I will focus on FreeRADIUS running under Linux. Also, as of this printing, a stable Version 1.0 of the product had not been released. However, development of the server is very stable, careful, and somewhat slow, so changes to the procedures mentioned are unlikely. In the event a procedure does change, it's likely to be a relatively small modification. Always check the FreeRADIUS Web site for up-to-date details.
At present, the FreeRADIUS team doesn't offer precompiled binaries. The best way to start off is to grab the latest source code, compressed using tar and gzip, from the FreeRADIUS Web site. Once the file is on your computer, execute the following command to uncompress the file:
tar -zxvf freeradius.tar.gz
Next, you'll need to compile FreeRADIUS. Make sure your system at least has gmake installed before trying to compile. To begin compiling, change to the directory where your uncompressed source code lies and execute ./configure from the command line. You can also run ./configure with one or more of the flags listed in Table 5-1 to customize the build settings.
Table 5-1: Optional configuration flags for FreeRADIUS

| Flag | Description | Default |
|---|---|---|
| | Builds shared libraries. | Yes |
| | Builds static libraries. | Yes |
| | Optimizes the resulting files for fastest installation. | Yes |
| | Makes the procedure assume the C compiler uses GNU ld. | No |
| | Avoids locking problems. This may break parallel builds. | Not applicable |
| | Specifies the directory for log files. | |
| | Specifies the directory for detail files. | |
| | Specifies the directory for configuration files. | |
| | Makes the dictionary case insensitive. | Yes |
| | Includes support for attributes provided with the Ascend binary filter. | Yes |
| | Uses threads if they're supported and available. | Yes |
| | Compiles SNMP support into the binaries. | Yes |
| | Specifies where the include files for MySQL can be found. | Not applicable |
| | Specifies where the dictionary files for MySQL can be found. | Not applicable |
| | Specifies where MySQL is installed on the local system. | Not applicable |
| | Does not install | |
| | Compiles the list of modules statically. | Not applicable |
| | Turns on extra developer warnings in the compiler. | Not applicable |
Commonly, the following locations are used when installing a RADIUS product (these practices go back to the Cistron RADIUS server):
- Binaries: /usr/local/bin and /usr/local/sbin
- Manual (man) pages: /usr/local/man
- Configuration files: /etc/raddb
- Log files: /var/log and /var/log/radacct
To make the compiler use these locations automatically, execute:
./configure --localstatedir=/var --sysconfdir=/etc
The programs will then be configured to compile. The rest of this chapter will assume that you installed FreeRADIUS in these locations. Next, type make. This will compile the binaries. Finally, type make install. This will place all of the files in the appropriate locations. It will also install configuration files if this server has not had a RADIUS server installed before. Otherwise, the procedure will not overwrite your existing configuration and will report to you on what files it did not install.
At this point, your base FreeRADIUS software is installed. Before you begin, though, you'll need to customize some of the configuration files so that they point to machines and networks specific to your configuration. Most of these files are located in /etc/raddb. By default, that directory contains the following files:
radius:/etc/raddb # ls -al
total 396
drwxr-xr-x 2 root root  4096 Apr 10 10:39 .
drwxr-xr-x 3 root root  4096 Apr 10 10:18 ..
-rw-r--r-- 1 root root   635 Apr 10 10:18 acct_users
-rw-r--r-- 1 root root  3431 Apr 10 10:18 attrs
-rw-r--r-- 1 root root   595 Apr 10 11:02 clients
-rw-r--r-- 1 root root  2235 Apr 10 10:39 clients.conf
-rw-r--r-- 1 root root 12041 Apr 10 10:18 dictionary
-rw-r--r-- 1 root root 10046 Apr 10 10:39 dictionary.acc
-rw-r--r-- 1 root root  1320 Apr 10 10:39 dictionary.aptis
-rw-r--r-- 1 root root 54018 Apr 10 10:39 dictionary.ascend
-rw-r--r-- 1 root root 11051 Apr 10 10:39 dictionary.bay
-rw-r--r-- 1 root root  4763 Apr 10 10:39 dictionary.cisco
-rw-r--r-- 1 root root  1575 Apr 10 10:39 dictionary.compat
-rw-r--r-- 1 root root  1576 Apr 10 10:39 dictionary.erx
-rw-r--r-- 1 root root   375 Apr 10 10:39 dictionary.foundry
-rw-r--r-- 1 root root   279 Apr 10 10:39 dictionary.freeradius
-rw-r--r-- 1 root root  2326 Apr 10 10:39 dictionary.livingston
-rw-r--r-- 1 root root  2396 Apr 10 10:39 dictionary.microsoft
-rw-r--r-- 1 root root   190 Apr 10 10:39 dictionary.nomadix
-rw-r--r-- 1 root root  1537 Apr 10 10:39 dictionary.quintum
-rw-r--r-- 1 root root  8563 Apr 10 10:39 dictionary.redback
-rw-r--r-- 1 root root   457 Apr 10 10:39 dictionary.shasta
-rw-r--r-- 1 root root  2958 Apr 10 10:39 dictionary.shiva
-rw-r--r-- 1 root root  1274 Apr 10 10:39 dictionary.tunnel
-rw-r--r-- 1 root root 63265 Apr 10 10:39 dictionary.usr
-rw-r--r-- 1 root root  2199 Apr 10 10:39 dictionary.versanet
-rw-r--r-- 1 root root  1767 Apr 10 10:18 hints
-rw-r--r-- 1 root root  1603 Apr 10 10:18 huntgroups
-rw-r--r-- 1 root root  2289 Apr 10 10:39 ldap.attrmap
-rw-r--r-- 1 root root   830 Apr 10 10:18 naslist
-rw-r--r-- 1 root root   856 Apr 10 10:18 naspasswd
-rw-r--r-- 1 root root  9533 Apr 10 10:39 postgresql.conf
-rw-r--r-- 1 root root  4607 Apr 10 10:39 proxy.conf
-rw-r--r-- 1 root root 27266 Apr 10 10:57 radiusd.conf
-rw-r--r-- 1 root root 27232 Apr 10 10:39 radiusd.conf.in
-rw-r--r-- 1 root root  1175 Apr 10 10:18 realms
-rw-r--r-- 1 root root  1405 Apr 10 10:39 snmp.conf
-rw-r--r-- 1 root root  9089 Apr 10 10:39 sql.conf
-rw-r--r-- 1 root root  6941 Apr 10 10:18 users
-rw-r--r-- 1 root root  6702 Apr 10 10:39 x99.conf
-rw-r--r-- 1 root root  3918 Apr 10 10:39 x99passwd.sample
The clients File
First, take a look at the /etc/raddb/clients file. This file lists the hosts authorized to hit the FreeRADIUS server with requests and the secret key those hosts will use in their requests. Some common entries are already included in the /etc/raddb/clients file, so you may wish to simply uncomment the appropriate lines. Make sure the secret key that is listed in the clients file is the same as that programmed into your RADIUS client equipment. Also, add the IP address of a desktop console machine with which you can test your setup using a RADIUS ping utility. A sample clients file looks like this:
# Client Name            Key
#----------------        ----------
#portmaster1.isp.com     testing123
#portmaster2.isp.com     testing123
#proxyradius.isp2.com    TheirKey
localhost                testing123
192.168.1.100            testing123
tc-clt.hasselltech.net   oreilly
TIP: The FreeRADIUS developers recommend that users move from the clients file to the clients.conf file. The clients.conf file is not addressed in this chapter, but for the sake of simplicity and startup testing, I will continue using the plain clients file in this introduction.
While it may seem obvious, change the shared secrets from the defaults in the file or the samples listed previously. The shared secret is the only thing that authenticates a client to the server, so leaving a published default in place presents a significant security risk to your implementation and network.
The naslist File
Next, open the /etc/raddb/naslist file. Inside this file, you should list the full canonical name of every NAS that will hit this server, its nickname, and the type of NAS. For your test console, you can simply use the "portslave" type. Table 5-2 lists the FreeRADIUS-supported NAS equipment and the type identifier needed for the naslist file.
Table 5-2: Supported NAS equipment and its type identifier

| NAS equipment | Type identifier |
|---|---|
| 3Com/USR Hiper Arc Total Control | |
| Ascend Max 4000 family | |
| Cisco Access Server family | |
| Multitech CommPlete Server | |
| Patton 2800 family | |
A sample /etc/raddb/naslist file looks like this:
# NAS Name               Short Name  Type
#----------------        ----------  ----
#portmaster1.isp.com     pm1.NY      livingston
localhost                local       portslave
192.168.1.100            local       portslave
tc-clt.hasselltech.net   tc.char     tc
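The two files above have to agree with each other and with the advice on shared secrets before the server goes live: every NAS in clients needs a matching naslist entry, and no live clients entry may still carry one of the sample secrets (testing123, TheirKey, or the book's oreilly). The following script is an added example, not code from the book or from the FreeRADIUS project, that audits both plain-format files in one pass. The sample entries, the hostnames, the 16-character minimum secret length and the temporary file paths are all assumptions for the example; point it at /etc/raddb/clients and /etc/raddb/naslist to run it against a real installation.

```shell
#!/bin/sh
# Added example (not from the book or FreeRADIUS): pre-deploy audit of the
# plain /etc/raddb/clients and /etc/raddb/naslist files described above.
# Reports shared secrets left at sample values or too short, and hosts that
# appear in only one of the two files.

# Constructed sample files mirroring the layouts shown in the excerpt.
CLIENTS_FILE=$(mktemp); NASLIST_FILE=$(mktemp)
trap 'rm -f "$CLIENTS_FILE" "$NASLIST_FILE"' EXIT
cat > "$CLIENTS_FILE" <<'EOF'
# Client Name            Key
#----------------        ----------
#portmaster1.isp.com     testing123
localhost                testing123
192.168.1.100            oreilly
nas1.example.net         Lk3p9sQv2mXr7zTwB4
nas2.example.net         short1
EOF
cat > "$NASLIST_FILE" <<'EOF'
# NAS Name               Short Name  Type
#----------------        ----------  ----
localhost                local       portslave
192.168.1.100            local       portslave
nas1.example.net         nas1        cisco
nas3.example.net         nas3        cisco
EOF

# Secrets that ship in the sample clients file or appear in the excerpt; a
# live entry still using one of them is a default that must be changed.
KNOWN_SAMPLE_SECRETS="testing123 oreilly TheirKey"
MIN_SECRET_LEN=16   # assumed policy minimum for this example

# live_entries FILE: the file without comment lines and blank lines.
live_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# weak_secrets CLIENTS: print "host secret reason" for each live entry whose
# secret is a known sample value or shorter than MIN_SECRET_LEN.
weak_secrets() {
    live_entries "$1" | while read -r host secret _rest; do
        reason=""
        for known in $KNOWN_SAMPLE_SECRETS; do
            if [ "$secret" = "$known" ]; then reason="sample-secret"; fi
        done
        if [ -z "$reason" ] && [ "${#secret}" -lt "$MIN_SECRET_LEN" ]; then
            reason="too-short"
        fi
        if [ -n "$reason" ]; then
            printf '%s %s %s\n' "$host" "$secret" "$reason"
        fi
    done
}

# unmatched_hosts CLIENTS NASLIST: hosts present in only one of the files.
# A host in clients but not naslist has a secret but no short name or type;
# a host in naslist but not clients has no secret and can never be accepted.
unmatched_hosts() {
    client_hosts=$(live_entries "$1" | awk '{print $1}' | sort -u)
    nas_hosts=$(live_entries "$2" | awk '{print $1}' | sort -u)
    for h in $client_hosts; do
        echo "$nas_hosts" | grep -qxF "$h" || echo "$h clients-only"
    done
    for h in $nas_hosts; do
        echo "$client_hosts" | grep -qxF "$h" || echo "$h naslist-only"
    done
}

# finding_count CLIENTS NASLIST: total number of findings; a non-zero value
# is the signal to stop a deployment and fix the files first.
finding_count() {
    { weak_secrets "$1"; unmatched_hosts "$1" "$2"; } | wc -l | tr -d ' '
}

weak_secrets "$CLIENTS_FILE"
unmatched_hosts "$CLIENTS_FILE" "$NASLIST_FILE"
echo "findings: $(finding_count "$CLIENTS_FILE" "$NASLIST_FILE")"
```

On the constructed input the script reports the two sample secrets and the short one, the NAS that is in clients but missing from naslist, and the one that is in naslist without a secret, five findings in total. Comment lines are ignored on purpose: the commented-out sample entries shipped with FreeRADIUS are harmless until someone uncomments them, which is exactly the moment the check starts flagging them.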