Thursday, 24 October 2013

Step by Step Free Radius Configuration authenticated by LDAP

I am installing Free-Radius Server integrated with OpenLDAP server on CentOS 5.5 using kernel 2.6.18-194.el5. I will install all packages using yum configured on CentOS server. You can configure OpenLDAP using my blog using Link http://jitendrakumaryogi.blogspot.in/2013/09/ldapsamba_23.html. After Installing OpenLDAP you can configure Free-Radius Server.

I am checking the CentOS configuration on Server.

[root@ldapnoida ~]# cat /etc/redhat-release
CentOS release 5.5 (Final)
[root@ldapnoida ~]# uname -a
Linux ldapnoida.example.com 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:14 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux

You can Install FreeRadius packages on server using yum.

[root@ldapnoida ~]# yum install freeradius*

It will install following FreeRadius Packages on server.

[root@ldapnoida ~]# rpm -qa | grep radius
freeradius2-krb5-2.1.12-5.el5
freeradius2-postgresql-2.1.12-5.el5
freeradius2-utils-2.1.12-5.el5
freeradius2-python-2.1.12-5.el5
freeradius2-2.1.12-5.el5
freeradius2-ldap-2.1.12-5.el5
freeradius2-mysql-2.1.12-5.el5
freeradius2-unixODBC-2.1.12-5.el5
freeradius2-perl-2.1.12-5.el5

Once the installation is complete, “/etc/raddb” directory is created which contains all configuration files of FreeRadius server.

[root@ldapnoida raddb]# cd /etc/raddb/
[root@ldapnoida raddb]# vi eap.conf

default_eap_type = md5

 Now, open the file named “ldap” In “/etc/raddb/modules” directory and change the configuration to the following:

[root@ldapnoida raddb]# cd modules/
[root@ldapnoida modules]# pwd
/etc/raddb/modules
[root@ldapnoida modules]# vi ldap

ldap {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = "127.0.0.1"                                         # Local LDAP Server on same host
        identity = "cn=Manager,dc=example,dc=com"  #ldap Account to Manage LDAP server
        password = root123                                         # Password of above mentioned ldap account
        basedn = "dc=example,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"


Now open file “ /etc/raddb/sites-available/default” and change the following parameters into authorize section in this file.

[root@ldapnoida sites-available]# vi /etc/raddb/sites-available/default

authorize {
        #  The ldap module will set Auth-Type to LDAP if it has not
        #  already been set
        ldap                                                               #Uncomment ldap
        #  Read the 'users' file
        #  files                                                           #Comment files



Now open file “/etc/raddb/sites-available/inner-tunnel” and change the following parameters into authorize and authenticate section in this file.

[root@ldapnoida sites-available]# vi /etc/raddb/sites-available/inner-tunnel

authorize {
        #  Read the 'users' file
        #  files                                                                           #Comment files
        #  The ldap module will set Auth-Type to LDAP if it has not
        #  already been set
        ldap                                                                               #Uncomment ldap


authenticate {

 # Uncomment it if you want to use ldap for authentication
 #
        # Note that this means "check plain-text password against
        # the ldap database", which means that EAP won't work,
        # as it does not supply a plain-text password.
        Auth-Type LDAP {
                ldap
        }


Open the “clients.conf” file and edit the IP address at 34th line of file i.e. ip address and enter the IP address of your radius server. Edit the client section to allow the APs (Access Points) to communicate with your radius server. Configuration would something look like this:

[root@ldapnoida raddb]# vi /etc/raddb/clients.conf

client 10.226.0.0/16 {
        secret          = 1234                                               # Radius Secret Key to give on Access Points
        shortname       = radping                                        # It is User Defined name of your choice
}



 Run the radius server in debug mode with “radius -X” and try to authenticate a user.


Testing of Radius Server authenticated with LDAP Server.

My Radius & Ldap Server IP Address is 10.226.2.66 which will be used for testing.

[root@ldapnoida raddb]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:90:01:0D
          inet addr:10.226.2.66  Bcast:10.226.15.255  Mask:255.255.240.0
          inet6 addr: fe80::250:56ff:fe90:10d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:65186388 errors:0 dropped:0 overruns:0 frame:0
          TX packets:674273 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9508735851 (8.8 GiB)  TX bytes:113603579 (108.3 MiB)

You can download NTRadPing tool from Link http://www.novell.com/coolsolutions/tools/14377.html and test the Radius user authentication using this tool.




As per picture I authenticated admin user on ldap using radius and it is accepted and access is given.

 [root@ldapnoida raddb]# radiusd –X

radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
}
listen {
        type = "acct"
        ipaddr = *
        port = 0
}
listen {
        type = "control"
 listen {
        socket = "/var/run/radiusd/radiusd.sock"
 }
}
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 18120
}
 ... adding new socket proxy address * port 49997
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.226.1.206 port 37858, id=0, length=45
        User-Name = "admin"
        User-Password = "root123"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "admin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "admin", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for admin
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> admin
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=admin)
[ldap]  expand: dc=example,dc=com -> dc=example,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to 127.0.0.1:389, authentication 0
  [ldap] bind as cn=Manager,dc=example,dc=com/root123 to 127.0.0.1:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=example,dc=com, with filter (uid=admin)
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{crypt}x"
  [ldap] sambaNtPassword -> NT-Password == 0x3836313939443144384638323935373639354134304642453632443346443846
[ldap] looking for reply items in directory...
[ldap] user admin authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "root123"
[pap] Using NT encryption.
[pap]   expand: %{User-Password} -> root123
[pap] NT-Hash of root123 = 86199d1d8f82957695a40fbe62d3fd8f
[pap]   expand: %{mschap:NT-Hash %{User-Password}} -> 86199d1d8f82957695a40fbe62d3fd8f
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 0 to 10.226.1.206 port 37858
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +12
Ready to process requests.



___________________________________________________________

Please give your feedback.

3 comments:

  1. LDAP Online Training
    If you are seeking training and support you can reach me on 91-9000444287
    Introduction
    LDAP - Overview
    A brief History of LDAP
    LDAP Overview
    LDAP vs. Database
    LDAP Usage Summary
    LDAP Data (Object) Model
    Object Tree Structure
    Attributes
    Object Classes
    Describing the Tree and Adding Data
    Navigating the Tree (DNs and RDNs)
    LDAP Replication and Referrals
    http://www.21cssindia.com/courses/ldap-online-training-103.htmlLDAP Online Training
    If you are seeking training and support you can reach me on 91-9000444287
    Introduction
    LDAP - Overview
    A brief History of LDAP
    LDAP Overview
    LDAP vs. Database
    LDAP Usage Summary
    LDAP Data (Object) Model
    Object Tree Structure
    Attributes
    Object Classes
    Describing the Tree and Adding Data
    Navigating the Tree (DNs and RDNs)
    LDAP Replication and Referrals
    http://www.21cssindia.com/courses/ldap-online-training-103.html

    ReplyDelete
  2. Hi, can I ask? I have followed the steps but it's not working. I got the
    "Access-Reject id from x.x.x.x to 0.0.0.0 length 20" Reply when doing the Radtest.

    also when I run radiusd -X , i got an error message :

    /etc/raddb/sites-enabled/default[528]: Failed to find "ldap" as a module or policy.
    /etc/raddb/sites-enabled/default[528]: Please verify that the configuration exist in /etc/raddb/modules-enabled/ldap
    /etc/raddb/sites-enabled/default[528]: Failed to parse ldap entry.

    Can You or Anyone help? thanks a lot

    ReplyDelete