Getting Started with FreeRADIUS

O'Reilly Book Excerpts: RADIUS

Getting Started with FreeRADIUS

Introduction

[RADIUS covers, among other things,] the theoretical underpinnings of both the authentication-authorization-accounting (AAA) architecture as well as the specific implementation of AAA characteristics that is the RADIUS protocol. [In this excerpt from Chapter 5], I will now focus on practical applications of RADIUS: implementing it, customizing it for your specific needs, and extending its capabilities to meet other needs in your business. First, though, I need a product that talks RADIUS.

Enter FreeRADIUS.

Introduction to FreeRADIUS

The developers of FreeRADIUS speak on their product and its development, from the FreeRADIUS Web site:

FreeRADIUS is one of the most modular and featureful [sic] RADIUS servers available today. It has been written by a team of developers who have more than a decade of collective experience in implementing and deploying RADIUS software, in software engineering, and in Unix package management. The product is the result of synergy between many of the best-known names in free software-based RADIUS implementations, including several developers of the Debian GNU/Linux operating system, and is distributed under the GNU GPL (version 2).

FreeRADIUS is a complete rewrite, ground-up compilation of a RADIUS server. The configuration files exhibit many similarities to the old Livingston RADIUS server. The product includes support for:

Limiting the maximum number of simultaneous logons, even on a per-user basis
More than one DEFAULT entry, with each being capable of "falling through" to the next
Permitting and denying access to users based on the huntgroup to which they are connected
Setting certain parameters to be huntgroup specific
Intelligent "hints" files that select authentication protocols based on the syntax of the username
Executing external programs upon successful login
Using the $INCLUDE filename format with configuration, users, and dictionary files
Vendor-specific attributes
Acting as a proxy RADIUS server

FreeRADIUS supports the following popular NAS equipment:

3Com/USR Hiper Arc Total Control
3Com/USR NetServer
3Com/USR TotalControl
Ascend Max 4000 family
Cisco Access Server family
Cistron PortSlave
Computone PowerRack
Cyclades PathRAS
Livingston PortMaster
Multitech CommPlete Server
Patton 2800 family

FreeRADIUS is available for a wide range of platforms, including Linux, FreeBSD, OpenBSD, OSF/Unix, and Solaris. For the purposes of this book, I will focus on FreeRADIUS running under Linux. Also, as of this printing, a stable Version 1.0 of the product had not been released. However, development of the server is very stable, careful, and somewhat slow, so changes to the procedures mentioned are unlikely. In the event a procedure does change, it's likely to be a relatively small modification. Always check the FreeRADIUS Web site for up-to-date details.

Installing FreeRADIUS

At present, the FreeRADIUS team doesn't offer precompiled binaries. The best way to start off is to grab the latest source code, compressed using tar and gzip, from the FreeRADIUS Web site. Once the file is on your computer, execute the following command to uncompress the file:

tar -zxvf freeradius.tar.gz

Next, you'll need to compile FreeRADIUS. Make sure your system at least has gcc, glibc, binutils, and gmake installed before trying to compile. To begin compiling, change to the directory where your uncompressed source code lies and execute ./configure from the command line. You can also run ./configure -flags and customize the settings for the flags in Table 5-1.

Table 5-1: Optional configuration flags for FreeRADIUS

Flag	Purpose	Default
`--enable-shared[=PKGS]`	Builds shared libraries.	Yes
`--enable-static[=PKGS]`	Builds static libraries.	Yes
`--enable-fast-install[=PKGS]`	Optimizes the resulting files for fastest installation.	Yes
`--with-gnu-ld`	Makes the procedure assume the C compiler uses GNU lD.	No
`--disable-libtool-lock`	Avoids locking problems. This may break parallel builds.	Not applicable
`--with-logdir=DIR`	Specifies the directory for log files.	`LOCALSTATEDIR/log`
`--with-radacctdir=DIR`	Specifies the directory for detail files.	`LOGDIR/radacct`
`--with-raddbdir=DIR`	Specifies the directory for configuration files.	`SYSCONFDIR/raddb`
`--with-dict-nocase`	Makes the dictionary case insensitive.	Yes
`--with-ascend-binary`	Includes support for attributes provided with the Ascend binary filter.	Yes
`--with-threads`	Uses threads if they're supported and available.	Yes
`--with-snmp`	Compiles SNMP support into the binaries.	Yes
`--with-mysql-include-dir=DIR`	Specifies where the include files for MySQL can be found.	Not applicable
`--with-mysql-lib-dur=DIR`	Specifies where the dictionary files for MySQL can be found.	Not applicable
`--with-mysql-dir-DIR`	Specifies where MySQL is installed on the local system.	Not applicable
`--disable-ltdl-install`	Does not install `libltdl`.	Not applicable
`--with-static-modules=QUOTED-MODULE-LIST`	Compiles the list of modules statically.	Not applicable
`--enable-developer`	Turns on extra developer warnings in the compiler.	Not applicable

Commonly, the following locations are used when installing a RADIUS product (these practices go back to the Cistron RADIUS server):

Binaries: /usr/local/bin and /usr/local/sbin

Manual (man) pages: /usr/local/man

Configuration files: /etc/raddb

Log files: /var/log and /var/log/radacct

To make the compiler use these locations automatically, execute:

./configure --localstatedir=/var --sysconfdir=/etc

The programs will then be configured to compile. The rest of this chapter will assume that you installed FreeRADIUS in these locations.

Next, type make. This will compile the binaries. Finally, type make install. This will place all of the files in the appropriate locations. It will also install configuration files if this server has not had a RADIUS server installed before. Otherwise, the procedure will not overwrite your existing configuration and will report to you on what files it did not install.

At this point, your base FreeRADIUS software is installed. Before you begin, though, you'll need to customize some of the configuration files so that they point to machines and networks specific to your configuration. Most of these files are located in /etc/raddb. The following files are contained by default:

radius:/etc/raddb # ls -al
total 396
drwxr-xr-x    2 root   root      4096 Apr 10 10:39 .
drwxr-xr-x    3 root   root      4096 Apr 10 10:18 ..
-rw-r--r--    1 root   root       635 Apr 10 10:18 acct_users
-rw-r--r--    1 root   root      3431 Apr 10 10:18 attrs
-rw-r--r--    1 root   root       595 Apr 10 11:02 clients
-rw-r--r--    1 root   root      2235 Apr 10 10:39 clients.conf
-rw-r--r--    1 root   root     12041 Apr 10 10:18 dictionary
-rw-r--r--    1 root   root     10046 Apr 10 10:39 dictionary.acc
-rw-r--r--    1 root   root      1320 Apr 10 10:39 dictionary.aptis
-rw-r--r--    1 root   root     54018 Apr 10 10:39 dictionary.ascend
-rw-r--r--    1 root   root     11051 Apr 10 10:39 dictionary.bay
-rw-r--r--    1 root   root      4763 Apr 10 10:39 dictionary.cisco
-rw-r--r--    1 root   root      1575 Apr 10 10:39 dictionary.compat
-rw-r--r--    1 root   root      1576 Apr 10 10:39 dictionary.erx
-rw-r--r--    1 root   root       375 Apr 10 10:39 dictionary.foundry
-rw-r--r--    1 root   root       279 Apr 10 10:39 dictionary.freeradius
-rw-r--r--    1 root   root      2326 Apr 10 10:39 dictionary.livingston
-rw-r--r--    1 root   root      2396 Apr 10 10:39 dictionary.microsoft
-rw-r--r--    1 root   root       190 Apr 10 10:39 dictionary.nomadix
-rw-r--r--    1 root   root      1537 Apr 10 10:39 dictionary.quintum
-rw-r--r--    1 root   root      8563 Apr 10 10:39 dictionary.redback
-rw-r--r--    1 root   root       457 Apr 10 10:39 dictionary.shasta
-rw-r--r--    1 root   root      2958 Apr 10 10:39 dictionary.shiva
-rw-r--r--    1 root   root      1274 Apr 10 10:39 dictionary.tunnel
-rw-r--r--    1 root   root     63265 Apr 10 10:39 dictionary.usr
-rw-r--r--    1 root   root      2199 Apr 10 10:39 dictionary.versanet
-rw-r--r--    1 root   root      1767 Apr 10 10:18 hints
-rw-r--r--    1 root   root      1603 Apr 10 10:18 huntgroups
-rw-r--r--    1 root   root      2289 Apr 10 10:39 ldap.attrmap
-rw-r--r--    1 root   root       830 Apr 10 10:18 naslist
-rw-r--r--    1 root   root       856 Apr 10 10:18 naspasswd
-rw-r--r--    1 root   root      9533 Apr 10 10:39 postgresql.conf
-rw-r--r--    1 root   root      4607 Apr 10 10:39 proxy.conf
-rw-r--r--    1 root   root     27266 Apr 10 10:57 radiusd.conf
-rw-r--r--    1 root   root     27232 Apr 10 10:39 radiusd.conf.in
-rw-r--r--    1 root   root      1175 Apr 10 10:18 realms
-rw-r--r--    1 root   root      1405 Apr 10 10:39 snmp.conf
-rw-r--r--    1 root   root      9089 Apr 10 10:39 sql.conf
-rw-r--r--    1 root   root      6941 Apr 10 10:18 users
-rw-r--r--    1 root   root      6702 Apr 10 10:39 x99.conf
-rw-r--r--    1 root   root      3918 Apr 10 10:39 x99passwd.sample

The clients File

First, take a look at the /etc/raddb/clients file. This file lists the hosts authorized to hit the FreeRADIUS server with requests and the secret key those hosts will use in their requests. Some common entries are already included in the /etc/raddb/clients file, so you may wish to simply uncomment the appropriate lines. Make sure the secret key that is listed in the clients file is the same as that programmed into your RADIUS client equipment. Also, add the IP address of a desktop console machine with which you can test your setup using a RADIUS ping utility. A sample clients file looks like this:

# Client Name           Key
#----------------       ----------
#portmaster1.isp.com    testing123
#portmaster2.isp.com    testing123
#proxyradius.isp2.com   TheirKey 
localhost               testing123
192.168.1.100           testing123
tc-clt.hasselltech.net  oreilly

TIP: It's recommended by the FreeRADIUS developers that users move from the clients file to the clients.conf file. The clients.conf file wis not addressed in this chapter, but for the sake of simplicity and startup testing, I will continue using the plain clients file in this introduction.

While it may seem obvious, change the shared secrets from the defaults in the file or the samples listed previously. Failing to do so presents a significant security risk to your implementation and network.

The naslist File

Next, open the /etc/raddb/naslist file. Inside this file, you should list the full canonical name of every NAS that will hit this server, its nickname, and the type of NAS. For your test console, you can simply use the "portslave" type. Table 5-2 lists the FreeRADIUS-supported NAS equipment and the type identifier needed for the naslist file.

Table 5-2: Supported NAS equipment and its type identifier

NAS equipment	Type identifier
3Com/USR Hiper Arc Total Control	`usrhiper`
3Com/USR NetServer	`netserver`
3Com/USR TotalControl	`tc`
Ascend Max 4000 family	`max40xx`
Cisco Access Server family	`cisco`
Cistron PortSlave	`portslave`
Computone PowerRack	`computone`
Cyclades PathRAS	`pathras`
Livingston PortMaster	`livingston`
Multitech CommPlete Server	`multitech`
Patton 2800 family	`patton`

A sample /etc/raddb/naslist file looks like this:

# NAS Name              Short Name      Type
#----------------       ----------      ----
#portmaster1.isp.com    pm1.NY          livingston
localhost               local           portslave
192.168.1.100           local           portslave
tc-clt.hasselltech.net  tc.char         tc

Pages: 1, 2, 3, 4, 5, 6