
Best of Show: Security and Encryption
Arlinx IP Platform wins top honor at the 2007 Internet Telephony Conference and Expo:
the Editors' Choice Best of Show Award (Best of the Best of Show).



Arlinx IP Security Platform
Strong Authentication, Accelerated Encryption, Certified Cryptographic Storage

Uses 98% Less Electricity (6 Watts vs. 300 Watts)
RoHS Compliant, No Battery, Long Life Cycle, Recyclable, Environmentally Benign Manufacturing.
Best Performance per Watt in the Industry





FreeRADIUS AAA Server

RADIUS, IETF RFC 2865

NOTE: Diameter is the proposed successor of the RADIUS protocol.
Go to Arlinx Diameter Page

Go to Arlinx RADIUS Page

The FreeRADIUS project has developed an open source RADIUS server. Based on current statistics, there are over 50,000 deployments of the software. These deployments include small sites with 10 users, large-scale enterprises with tens of thousands of users, and carrier-class deployments with over 10 million users. In total, the sites that we know are using FreeRADIUS support nearly 100 million users. The only other servers that come close in terms of market share and/or number of sites are ACS and IAS.

The server scales easily from embedded systems with small amounts of memory to systems with millions of users. It is fast, flexible, configurable, and supports more authentication protocols than most commercial servers. It includes support for SQL, LDAP, RADIUS proxying, failover, load balancing, and nearly 100 vendor dictionary files. It can perform authentication via the PAP, CHAP, MS-CHAP, EAP-MD5, EAP-GTC, EAP-TLS, EAP-TTLS, PEAPv0, LEAP, EAP-SIM, and Digest authentication protocols. It has reached a stable state, with incremental improvements added in each release.

The project is growing to include a client library that is BSD licensed. There is also a PAM library, and an Apache module.

Features of the FreeRADIUS AAA Server

The FreeRADIUS server has a number of features which are commonly found in RADIUS servers, and additional features which are not found in any other free software server. Rather than doing a feature by feature comparison, we will simply list some of the features of the server, and let you decide if they satisfy your needs.

Cross-platform issues and source code

The FreeRADIUS server has been compiled and tested to run on the following platforms:

  • Linux (all versions)
  • FreeBSD
  • NetBSD
  • Solaris
  • MAC OSX

The server currently has support for the following platforms, but has not been fully tested on them.

  • HP/UX
  • AIX
  • MINGW32, CygWin (Unix-style environment under Windows NT.)
  • SFU (or Interix, for Windows XP)

Unlike commercial servers, a large number of CPU and OS architectures have been verified to work and are "supported" via the users list. The drawback of supporting so many variations of systems is that the steps required to install the server can often be more than just "install a package". We suggest that you look to your OS vendor for a FreeRADIUS package for your system first, and if one is not found, build the server from source.

Additional server configuration attributes

In addition to the standard RFC attributes and vendor-specific attributes (VSAs), the FreeRADIUS server has a number of server configuration attributes. These attributes allow you to control almost any aspect of an incoming RADIUS request. You can use these attributes to:

  • Append attributes to the request
  • Re-write any attribute of the request
  • Proxy or replicate the request to another RADIUS server, based on any criteria, not just '@realm'.
  • Choose an authentication method to use for this user.
  • Administer users by groups
  • Implement time of day access restrictions
  • Execute a local program
  • Limit the number of simultaneous logins by the user

All of the server configuration attributes can be used on either authentication or accounting RADIUS requests. Most servers limit this sort of configurability to authentication requests only.

Selecting a particular configuration

It is often difficult to match a user's request to the particular configuration that should be used to reply to the user. The FreeRADIUS server provides a wide range of methods to select configurations.

The server can select a configuration based on any of the following criteria:

  • Attributes which have a given value
  • Attributes which do not have a given value
  • Attributes which are in the request (independent of their value)
  • Attributes which are not in the request
  • String attributes which match a regular expression
  • Integer attributes which match a range (e.g. <, >, <=, >=)
  • Source IP address of the request. This can be different than the NAS-IP-Address attribute
  • Group of NAS boxes. (These may be grouped based on Source IP address, NAS-IP-Address, or any other configuration)
  • User-Name
  • a DEFAULT configuration
  • multiple DEFAULT configurations

Authorization methods

The following authorization types are some of the methods supported by the server:

  • Local files
  • Local DB/DBM database
  • LDAP
  • A locally executed program (like a CGI program)
  • Perl program
  • Python program
  • MySQL DB
  • PostgreSQL DB
  • Oracle SQL DB
  • any IODBC SQL DB
  • IBM's DB2

Authentication methods

The following authentication types are some of the methods supported by the server:

  • Clear-text password in local configuration file (PAP)
  • Encrypted password in local configuration file
  • CHAP
  • MS-CHAP
  • MS-CHAPv2
  • authentication to a Windows Domain Controller (via ntlm_auth and winbindd)
  • Proxy to another RADIUS server
  • System authentication. (usually through /etc/passwd )
  • PAM (Pluggable Authentication Modules)
  • LDAP (PAP only)
  • PAM (PAP only)
  • CRAM
  • Perl program
  • Python program
  • SIP Digest (Cisco VOIP boxes)
  • A locally executed program (like a CGI program)
  • Netscape-MTA-MD5 encrypted passwords
  • Kerberos authentication
  • X9.9 authentication token (e.g. Arlinx's Crypto Storage Module)
  • EAP, with embedded authentication methods
    • EAP-MD5,
    • Cisco LEAP,
    • EAP-MSCHAP-V2 (as implemented by Microsoft),
    • EAP-GTC,
    • EAP-SIM,
    • EAP-TLS,
    • EAP-TTLS, with any authentication protocol inside of the TLS tunnel,
    • EAP-PEAP, with tunneled EAP

Accounting methods

The following accounting logging methods are supported by the server:

  • Local 'detail' files
  • Local 'wtmp' and 'utmp' files
  • Proxy to another RADIUS server
  • Replicate to one or more RADIUS servers
  • SQL (Oracle, MySQL, PostgreSQL, Sybase, IODBC, etc)

Dialup Admin Web Administration Interface

The server includes dialup_admin, a PHP4-based web administration interface for the server.
Dialup Admin supports:

  • Users in LDAP database
  • Users and Groups in SQL database (MySQL or PostgreSQL)
  • Create, test, delete, change personal information, check accounting and change dialup settings for a user
  • Accounting Report Generator
  • Bad Users facility to keep a record of users creating problems
  • Online finger facility
  • Test RADIUS server
  • Online Usage Statistics

Scripting Languages

FreeRADIUS contains plug-in modules which support Perl and Python. These languages allow scripts to modify RADIUS requests and responses in a very efficient and simple manner.

RFC Compliance

FreeRADIUS strives to be conformant to relevant RFCs.


Installing and Testing FreeRADIUS


                
tar -zxvf freeradius-1.0.2.tar.gz         - extract the archive with gunzip and tar
./configure
make
make install                              - run this command as root
radiusd                                   - start the RADIUS server
radiusd -X                                - or start the RADIUS server in debug mode
radtest test test localhost 0 testing123  - test the RADIUS server

If radtest receives a response, the FreeRADIUS server is working.

Another free tool, NTRadPing, can test authentication and authorization requests from Windows clients. It can display detailed responses, such as the attribute values sent back by the RADIUS server.


Configuring FreeRADIUS

Configuring the RADIUS server consists of configuring the server, the client, and the user (both for authentication and authorization). There can be different configurations of the RADIUS server for different needs; fortunately most of the configurations are similar.

Configuring the server

FreeRADIUS configuration files are usually stored in the /etc/raddb directory. First we need to modify the radiusd.conf file as shown.

Listing 2. Modifying radiusd.conf

1) Global settings:

log_auth = yes                - log authentication requests to the log file
log_auth_badpass = no         - don't log passwords if the request is rejected
log_auth_goodpass = no        - don't log passwords if the request is accepted

2) LDAP settings:

modules {
   ldap {
      server = "bluepages.ibm.com"          - the hostname or IP address of the LDAP server
      port = 636                            - encrypted communications
      basedn = "ou=bluepages,o=ibm.com"     - the base Distinguished Name (DN):
                                            - under the Organization (O) "ibm.com",
                                            - in the Organizational Unit (OU) "bluepages"
      filter = "(mail=%u)"                  - search criteria (%u expands to the User-Name)
      base_filter = "(objectclass=person)"  - base search criteria
   }
}

authenticate {                - enable authentication against LDAP
   Auth-Type LDAP {
      ldap
   }
}

The parameters are set for working with IBM BluePages, an instance of an LDAP service. Parameters may be different for other LDAP servers.

Configuring the client

Clients are configured in /etc/raddb/clients.conf. There are two ways to configure RADIUS clients: you can group the NAS by IP subnet (Listing 3) or list each NAS by hostname or IP address (Listing 4). With the second method, shortname and nastype can be defined per device. Note that a subnet entry hands the same secret to every host in that range, so per-host entries give tighter control over which devices may talk to the server.

Listing 3. Grouping the NAS by IP subnet

client 192.168.0.0/24 {
   secret      = mysecret1   - the "secret" must be the same as configured on the NAS
   shortname   = mylan       - the "shortname" can be used for logging
   nastype     = cisco       - the "nastype" is used for checkrad and is optional
}

Listing 4. Listing the NAS by hostname or IP address

client 192.168.0.1 {
   secret      = mysecret1
   shortname   = myserver
   nastype     = other
}

Configuring the user for authentication

The file /etc/raddb/user contains authentication and configuration information for each user.


Listing 5. The /etc/raddb/user file

1) Authentication type:

Auth-Type := LDAP                                - authenticate against LDAP
Auth-Type := Local, User-Password == "mypasswd"  - authenticate against the password
                                                 - set in /etc/raddb/user
Auth-Type := System                              - authenticate against the system password
                                                 - file, /etc/passwd or /etc/shadow

2) Service type:

Service-Type = Login,                            - for administrative login

Configuring the user for authorization

The following authentication server attribute value (AV) pair should be configured for user authorization. It is returned to the NAS for an administrator login request after authentication is accepted.

For a Cisco router, there are different privilege levels:

  • Level 1 is non-privileged. The prompt is router>, the default level for login.
  • Level 15 is privileged. The prompt is router#, the level after going into enable mode.
  • Levels 2 through 14 are not used in a default configuration.

The following attribute gives a user logging in through the network access server immediate access to privileged EXEC commands (the attribute name is Cisco-AVPair, as defined in the FreeRADIUS Cisco dictionary):

Cisco-AVPair = "shell:priv-lvl=15"

The following attribute handles the same task for a Cisco wireless access point:

Cisco-AVPair = "aironet:admin-capability=write+snmp+ident+firmware+admin"

Any combination of capabilities can be returned with this attribute, for example:

Cisco-AVPair = "aironet:admin-capability=ident+admin"
Cisco-AVPair = "aironet:admin-capability=admin"

Contact Cisco for more information on these commands.



Configuring the network access server

We configure a Cisco router first, then a Cisco WAP.

For the Cisco IOS 12.1 router, we'll enable AAA, then configure authentication, authorization, and accounting.

Listing 6. Enabling AAA

aaa new-model
radius-server host 192.168.0.100
radius-server key mysecret1

AAA must be enabled on the router first. Then the RADIUS servers that will provide AAA services for the NAS are listed. The shared key protects the RADIUS traffic between the NAS and the RADIUS server; it must be identical to the secret configured on FreeRADIUS.

Listing 7. Configuring authentication

aaa authentication login default group radius local
line vty 0 4
login authentication default

In this example, network administrators use RADIUS authentication. If a RADIUS server is not available, use the NAS's local user database password.


Listing 8. Configuring authorization

aaa authorization exec default group radius if-authenticated

This allows an authenticated user to run an EXEC shell when logging into the NAS.

Listing 9. Configuring accounting

aaa accounting system default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting exec default stop-only group radius
aaa accounting commands 1 default stop-only group radius
aaa accounting commands 15 default wait-start group radius

The router must be specifically configured to send accounting records to the RADIUS server. Use the commands in Listing 9 to record accounting information on NAS system events, network connections, outbound connections, EXEC operations, and commands at levels 1 and 15.

That's it. Now let's look at configuring for a Cisco wireless access point. The following configuration applies to the Cisco 1200 Series AP with Firmware 12.01T1. As shown in the screen shot in Figure 2, you:

  • Input the server name or IP address and shared secret.
  • Select type as "Radius" and check "User Authentication."

Figure 2. Configuring NAS for WAP

Here you can also configure EAP authentication, so that FreeRADIUS can be used to authenticate general users to the wireless LAN.


Accounting: RADIUS at work

Now that all the configurations have been completed, the FreeRADIUS server can start logging all information sent by NAS, storing it in the /var/log/radius/radius.log file like so:


Listing 10. The /var/log/radius/radius.log file

Thu Mar 3 21:37:32 2005 : Auth: Login OK: [David] (from client mylan port 1 cli 192.168.0.94)
Mon Mar 7 23:39:53 2005 : Auth: Login incorrect: [John] (from client mylan port 1 cli 192.168.0.94)

Detailed accounting information is stored in the /var/log/radius/radacct directory. Listing 11 shows that David logged into router 192.168.0.1 from 192.168.0.94 between 19:40 and 19:51 on March 4, 2005. This level of detail helps administrators investigating security incidents and maintaining easily auditable records.


Listing 11. Sample of the RADIUS-supplied accounting details
Fri Mar  4 19:40:12 2005
        NAS-IP-Address = 192.168.0.1
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "David"
        Calling-Station-Id = "192.168.0.94"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = NAS-Prompt-User
        Acct-Session-Id = "00000026"
        Acct-Delay-Time = 0
        Client-IP-Address = 192.168.0.1
        Acct-Unique-Session-Id = "913029a52dacb116"
        Timestamp = 1109936412

Fri Mar  4 19:51:17 2005
        NAS-IP-Address = 192.168.0.1
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "David"
        Calling-Station-Id = "192.168.0.94"
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Service-Type = NAS-Prompt-User
        Acct-Session-Id = "00000026"
        Acct-Terminate-Cause = Idle-Timeout
        Acct-Session-Time = 665
        Acct-Delay-Time = 0
        Client-IP-Address = 192.168.0.1
        Acct-Unique-Session-Id = "913029a52dacb116"
        Timestamp = 1109937077
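The audit an administrator would run over records like Listing 11, as an added example that is not code from the page or from FreeRADIUS: it parses detail records, pairs Start and Stop by Acct-Unique-Session-Id, recomputes the session length from the server's own Timestamps and compares it with the NAS-reported Acct-Session-Time, and flags a session whose Stop never arrived. The sample input is Listing 11 trimmed to the attributes read here, plus one constructed Start record for a made-up user "Alice".

```python
import re
# Listing 11 above (attributes this audit reads) plus a constructed Start for "Alice" with no Stop.
DETAIL = """\
Fri Mar  4 19:40:12 2005
        User-Name = "David"
        Acct-Status-Type = Start
        Acct-Unique-Session-Id = "913029a52dacb116"
        Timestamp = 1109936412

Fri Mar  4 19:51:17 2005
        User-Name = "David"
        Acct-Status-Type = Stop
        Acct-Terminate-Cause = Idle-Timeout
        Acct-Session-Time = 665
        Acct-Unique-Session-Id = "913029a52dacb116"
        Timestamp = 1109937077

Fri Mar  4 20:02:41 2005
        User-Name = "Alice"
        Acct-Status-Type = Start
        Acct-Unique-Session-Id = "constructed0001"
        Timestamp = 1109937761
"""

def parse_detail(text):
    """Each record is a date line followed by indented 'Attribute = value' lines; a blank line separates records."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines()[1:]:  # skip the date line
            name, _, value = line.strip().partition(" = ")
            rec[name] = value.strip('"')
        records.append(rec)
    return records

def audit_sessions(records):
    """Pair Start/Stop per Acct-Unique-Session-Id; check NAS-reported time against server timestamps."""
    by_id = {}
    for rec in records:
        by_id.setdefault(rec["Acct-Unique-Session-Id"], {})[rec["Acct-Status-Type"]] = rec
    report = {}
    for sid, recs in by_id.items():
        start, stop = recs.get("Start"), recs.get("Stop")
        if start and stop:
            measured = int(stop["Timestamp"]) - int(start["Timestamp"])
            status = "ok" if measured == int(stop["Acct-Session-Time"]) else "time-mismatch"
            report[sid] = {"user": stop["User-Name"], "seconds": measured,
                           "cause": stop["Acct-Terminate-Cause"], "status": status}
        else:  # Start without Stop (still open, or the Stop was lost), or vice versa
            report[sid] = {"user": (start or stop)["User-Name"], "status": "incomplete"}
    return report
```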



Conclusion

By following the simple steps outlined in this article, you can set up a Remote Authentication Dial-In User Service (RADIUS) server that uses an external LDAP server to handle authentication, authorization, and accounting for your network. This article has provided the following to help you accomplish this task:

  • An introduction to the RADIUS and LDAP servers and to the AAA concept.
  • A scenario to put the installation and implementation into context.
  • Instructions on installing and configuring the RADIUS server.
  • Details on configuring the network access server.
  • A sample of the detailed information that RADIUS will provide and manage.

These instructions can make quick work of the task of making sure protected data can only be accessed by authorized entities on your Linux system.


