FreeRadius Install on Ubuntu

General Installation

#cat /etc/lsb-release 

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=6.10
DISTRIB_CODENAME=edgy
DISTRIB_DESCRIPTION="Ubuntu 6.10"

#apt-get install freeradius


After that the package is installed, but starting it fails with:

/etc/init.d/freeradius: 15: source: not found

The init script uses the bash keyword "source", and on Ubuntu 6.10 /bin/sh is dash, which does not know it. To solve this problem, do the following:

#vim /etc/init.d/freeradius and change the first line from #!/bin/sh to #!/bin/bash. (Replacing the word "source" with the POSIX "." command also works and keeps the script running under either shell.)


Installing LDAP support

#apt-get install freeradius-ldap

Restart FreeRADIUS so that the new module is loaded. /etc/init.d/freeradius restart is the clean way to do it, but on this Ubuntu release the init script does not always behave (see the "source" problem above). The workaround is to kill the daemon by hand:

ps -ef | grep '[f]reeradius' | awk '{print $2}' | xargs kill

and then start it again with /etc/init.d/freeradius start. The pattern '[f]reeradius' matches the daemon but not the grep itself, awk picks the PID field wherever ps happens to put it (cut -c 10-15 assumed fixed columns and breaks on a five-digit PID), and a plain kill sends SIGTERM so radiusd can close its sockets and remove its pid file; keep kill -9 for a daemon that ignores SIGTERM.

Verify that FreeRADIUS is running (on Debian and Ubuntu the daemon runs as the user freerad):

#top -u freerad
/OR
#ps -ef | grep '[f]reerad'

To test authentication against the local system accounts, type:

# radtest username password localhost 1812 testing123

The arguments are user, password, server, NAS port number and shared secret. testing123 is the secret that ships in clients.conf for the localhost entry, and the request is checked by the unix module against /etc/shadow. Change that default secret before the server is reachable from anything other than localhost.



Integrate Freeradius with Windows Active Directory

Modify /etc/freeradius/radiusd.conf (comments in this file start with #):

port = 1812                # port RADIUS listens on
log_stripped_names = yes   # log the full User-Name attribute, as it was found in the request
log_auth = yes             # log authentication requests to radius.log
log_auth_badpass = yes     # also log the password of failed attempts

log_auth_badpass writes the rejected password in cleartext into radius.log. That is handy while you debug the AD integration, but a mistyped password is usually one character away from the real one, so set it back to no once things work and keep the log file readable only by root and freerad.
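With log_auth = yes every attempt becomes one "Auth:" line in radius.log, which is what you want to watch for password guessing against AD accounts. The script below is an added example, not part of the original page or of FreeRADIUS: it counts failed logins per user and NAS, and strips the passwords that log_auth_badpass leaves in the file before the log is shared. The sample lines are constructed in the format FreeRADIUS 1.x writes; users, NAS names and timestamps are made up.

```sh
# Added example (not from the original page). Constructed sample of
# /var/log/freeradius/radius.log with log_auth = yes and log_auth_badpass = yes;
# the second setting is why "Login incorrect" lines carry "/password".
SAMPLE_LOG='Tue Jun  5 10:01:02 2007 : Auth: Login OK: [sampleuser] (from client CISCO3500 port 0)
Tue Jun  5 10:01:09 2007 : Auth: Login incorrect: [sampleuser/Samplepassword] (from client CISCO3500 port 0)
Tue Jun  5 10:01:15 2007 : Auth: Login incorrect: [sampleuser/samplepassword1] (from client CISCO3500 port 0)
Tue Jun  5 10:02:40 2007 : Auth: Login incorrect: [administrator/Password1] (from client INTERNAL_SUBNET port 0)
Tue Jun  5 10:02:41 2007 : Auth: Login incorrect: [administrator/Welcome1] (from client INTERNAL_SUBNET port 0)
Tue Jun  5 10:02:42 2007 : Auth: Login incorrect: [administrator/Summer07] (from client INTERNAL_SUBNET port 0)'

# Count "Login incorrect" lines per user and NAS, most frequent first.
# A burst against one account from one NAS is the guessing pattern to alert on.
failed_logins() {
    awk '
        /Auth: Login incorrect: \[/ {
            user = $0
            sub(/.*Login incorrect: \[/, "", user)
            sub(/\].*/, "", user)
            sub(/\/.*/, "", user)          # drop the "/password" part, if present
            client = $0
            sub(/.*from client /, "", client)
            sub(/ .*/, "", client)
            n[user " " client]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# With log_auth_badpass = yes the rejected password sits next to the user
# name.  Redact it before the file leaves the box (tickets, log forwarding).
redact_badpass() {
    sed 's|\(Login incorrect: \[[^]/]*\)/[^]]*\]|\1/<redacted>]|'
}

# Usage on the constructed sample (real use: pipe radius.log into them):
printf '%s\n' "$SAMPLE_LOG" | failed_logins
printf '%s\n' "$SAMPLE_LOG" | redact_badpass
```

Both functions read log lines on stdin, so they work as well on a live tail of radius.log as on the sample.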

LDAP Configuration:

 
ldap {
 server = "dc1.contoso.com"
 # a regular, unprivileged domain user is enough for the search bind
 identity = "cn=FreeRadiusUser,cn=Users,dc=contoso,dc=com"
 password = Yourpassword_without_quotes
 basedn = "dc=contoso,dc=com"
 filter = "(&(samaccountname=%{user-name}))"
 # access_attr = "dialupAccess"
}

The remaining lines of the stock ldap stanza (connection count, timeouts) can stay at their defaults. Three things to be aware of:

- The service-account password is stored in cleartext in radiusd.conf, so keep the file readable by root and the freerad group only (mode 640).
- As written, FreeRADIUS talks to the DC on port 389 without TLS, so the service-account bind and every user's password cross the network in the clear. rlm_ldap in FreeRADIUS 1.1 supports start_tls = yes (with tls_cacertfile pointing at the CA that issued the DC's certificate); turn it on once the DC has a certificate.
- With access_attr commented out, every AD account that can bind is accepted. To limit network access to a group, add a memberOf clause for a dedicated group to the filter.

In the Authorization section of radiusd.conf (it starts with the comment "# Authorization. First preprocess (hints and huntgroups files)") uncomment the line:

ldap   # this enables LDAP authorization against the DC

In the Authentication section:

- comment out the line:

# unix

- uncomment these 3 lines:

Auth-Type LDAP {
 ldap
}

Note: this enables LDAP authentication. rlm_ldap authenticates by binding to the DC with the user's password, so it needs that password in cleartext: PAP works, but MS-CHAP and EAP clients, which never send the cleartext password, cannot be authenticated this way.
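Before blaming FreeRADIUS, check the service account, base DN and filter from the ldap stanza with ldapsearch (package ldap-utils). The script below is an added example, not from the original page or from FreeRADIUS: it builds the same sAMAccountName filter rlm_ldap uses, escaping the characters that have meaning in an LDAP filter, optionally narrows it to members of one AD group (the memberOf clause mentioned above), and runs the search with the service account. The group DN and host name are illustrative assumptions.

```sh
# Added example (not from the original page).

# Escape the characters with special meaning in an LDAP search filter
# (RFC 4515) so a user name such as 'a*b' cannot widen the search.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Same filter as the ldap {} stanza; with a second argument it also requires
# membership of that group (access_attr is commented out on this page, so
# without such a clause every account that can bind gets access).
ad_user_filter() {
    user=$(ldap_filter_escape "$1")
    if [ -n "${2:-}" ]; then
        group=$(ldap_filter_escape "$2")
        printf '(&(sAMAccountName=%s)(memberOf=%s))' "$user" "$group"
    else
        printf '(sAMAccountName=%s)' "$user"
    fi
}

# Bind as the FreeRADIUS service account and search the way rlm_ldap does.
# -W prompts for the bind password so it does not land in the process list
# or the shell history.
ad_user_lookup() {
    if [ $# -lt 4 ]; then
        echo "usage: ad_user_lookup <dc-host> <bind-dn> <base-dn> <username> [group-dn]" >&2
        return 2
    fi
    ldapsearch -x -LLL -H "ldap://$1" -D "$2" -W -b "$3" \
        "$(ad_user_filter "$4" "${5:-}")" dn sAMAccountName memberOf
}

# Usage (assumed names, matching the ldap {} stanza on this page):
#   ad_user_lookup dc1.contoso.com \
#       'cn=FreeRadiusUser,cn=Users,dc=contoso,dc=com' 'dc=contoso,dc=com' \
#       sampleuser 'cn=VPN Users,ou=Groups,dc=contoso,dc=com'
# Empty output means the filter matched nothing; "Operations error" from AD
# means the search ran on a connection that is not bound (e.g. -D omitted).
```

If ldapsearch finds the user but FreeRADIUS does not, the difference is in radiusd.conf; if ldapsearch fails too, the problem is the account, the DN or the network path to the DC.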



Network Access Server Configuration

On the RADIUS server we modify the clients.conf file:

client 192.168.44.1 {      # IP address of the NAS
 secret = hero             # the same secret configured on the NAS
 shortname = CISCO3500
}

clients.conf defines the NAS devices that are allowed to send requests to the RADIUS server; a request from any other source address is logged and ignored. The secret is the only thing that ties a request to a NAS: it keys the MD5-based hiding of User-Password and the Response Authenticator of every reply. "hero" is fine for a lab, but a four-letter secret can be brute-forced offline from one captured request/reply pair, so use a long random one (RFC 2865 recommends at least 16 octets) in production.
Instead of specifying one NAS client you can specify a subnet, which looks like this:

client 192.168.44.0/24 {
 secret = hero
 shortname = INTERNAL_SUBNET
}

With a subnet entry every host on that network shares one secret and may submit requests, so anyone on the LAN who learns it can forge requests as any NAS. Prefer one entry per NAS, each with its own secret.
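The following is an added example, not code from the original page or from FreeRADIUS: it generates a random shared secret per NAS, refuses secrets that are too short or contain characters that need quoting, and prints the clients.conf stanza for each device. The NAS names and addresses are assumed for illustration.

```sh
# Added example (not from the original page).

# 24 random characters from [A-Za-z0-9], about 143 bits of entropy.  Kept
# under 32 because some NAS firmware caps the secret length; check the NAS
# documentation before going longer.
gen_radius_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# RFC 2865 recommends at least 16 octets.  Anything shorter (the page's
# "hero") falls to an offline brute force of the Response Authenticator,
# which is an MD5 over fields the attacker can capture plus the secret.
# Characters outside [A-Za-z0-9] are rejected to avoid quoting surprises
# on either the NAS or in clients.conf.
secret_ok() {
    [ "${#1}" -ge 16 ] || return 1
    case $1 in
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# One stanza per NAS, each with its own secret, so a compromised switch
# cannot impersonate every other NAS on the LAN.
client_stanza() {
    # usage: client_stanza <shortname> <ip-or-cidr> <secret>
    secret_ok "$3" || { echo "client_stanza: weak secret for $1" >&2; return 1; }
    printf 'client %s {\n\tsecret = %s\n\tshortname = %s\n}\n' "$2" "$3" "$1"
}

# Usage: two assumed NAS devices; append the output to clients.conf and
# configure the matching secret on each device.
for nas in "CISCO3500 192.168.44.1" "CISCO2950 192.168.44.2"; do
    set -- $nas
    client_stanza "$1" "$2" "$(gen_radius_secret)"
done
```

Keep the generated secrets with the device inventory rather than only in clients.conf, since the NAS side has to be configured by hand.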

In general FreeRADIUS first authorizes a user and then authenticates. In /etc/freeradius/users, comment out the following lines so that it stops authenticating against the local password database:

#DEFAULT Auth-Type = System
#	Fall-Through = 1

and add these lines instead (the second line must be indented, as the users file treats an unindented line as a new user name). This forces LDAP authentication for every request:

DEFAULT Auth-Type = LDAP
	Fall-Through = 1

Because Auth-Type is now forced, requests that carry no cleartext password (CHAP, MS-CHAP, EAP) are rejected instead of being handled by another module. That is the intended behaviour for this setup, whose only authentication path is an LDAP bind with the user's password.


Testing Connfiguration

Kill freeradius process, and start a new one like this:

#freeradius -X start

when you will be ready to quit this process press "Ctrl+C"

Open NTRadPing Test Utility and test.

The output of a successful authentication looks like this. Note that debug mode prints both the service-account password and the user's password in the clear, so redact them before pasting the output anywhere:

Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 172.30.17.88:1915, id=3, length=49
User-Name = "sampleuser"
User-Password = "samplepassword"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "sampleuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 158
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for sampleuser
radius_xlat: '(&(samaccountname=sampleuser))'
radius_xlat: 'dc=contoso,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to dc1.contoso.com:389, authentication 0
rlm_ldap: bind as cn=FreeRadiusUser,cn=Users,dc=contoso,dc=com/YourPassword to dc1.contoso.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=contoso,dc=com, with filter (&(samaccountname=sampleuser))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user sampleuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "sampleuser" with password "samplepassword"
rlm_ldap: user DN: CN=Sample\, User,OU=General,DC=CONTOSO,DC=com
rlm_ldap: (re)connect to dc1.contoso.com:389, authentication 1
rlm_ldap: bind as CN=Sample\, User,OU=General,DC=CONTOSO,DC=com/samplepassword to dc1.contoso.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user sampleuser authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 0
modcall: leaving group LDAP (returns ok) for request 0
Login OK: [sampleuser] (from client INTERNAL_NETWORK port 0)
Sending Access-Accept of id 3 to 172.30.17.88 port 1915
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 3 with timestamp 46681827
Nothing to do. Sleeping until we see a request.

The two bind lines show the whole flow: the first bind uses the service account to find the user's DN, the second binds as that DN with the password from the request, and the Access-Accept is sent only if the second bind succeeds.

IMPORTANT!
Sometimes the debug output shows:

rlm_ldap: ldap_search() failed: Operations error

This is usually not a mistake in the filter or base DN. Active Directory returns "Operations error" for a search on a connection it does not consider bound, so it points at the communication between FreeRADIUS and the domain controller rather than at the query itself: look at the lines just before it in the -X output for the result of the service-account bind, and verify the identity and password independently with ldapsearch. A common trigger with a domain-root base DN is the LDAP client chasing the referrals AD returns for its other partitions with an anonymous bind, which the DC refuses with exactly this error.
