|
how to Install on FreeRadius Ubuntu I used Edgy. In order to check which version you use:
#cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=6.10
DISTRIB_CODENAME=edgy
DISTRIB_DESCRIPTION="Ubuntu 6.10"
#apt-get install freeradius
After you do that, package will be installed, but it will give you an error:
/etc/init.d/freeradius: 15: source: not found
To solve this problem, do the following:
#vim /etc/init.d/freeradius, and substitute #!/bin/sh with #!/bin/bash, and it will do necessary magic.
Install LDAP support:
#apt-get install freeradius-ldap
Reload FreeRadius:
#freeradius reload - is a good option, but on Ubuntu it doesn’t work too well. So the workaround is this line:
ps -ef grep freeradius grep -v grep cut -c 10-15 xargs kill -9
Verify that FreeRadius is running:
#top -u freerad
/OR
#ps -ef grep freerad
To test authentication, type:
#radtest username password localhost 1812 testing123
it will verify against /etc/shadow
Configure for authentication against Windows AD: Modify /etc/freeradius/radiusd.conf
port = 1812 // specify port for Radius to listen on
log_stripped_names = yes // Log the full User-Name attribute, as it was found in the request.
log_auth = yes // log authentication requests to file
log_auth_badpass = yes //logs bad passwords … sometimes useful, but it is not secure
LDAP Configuration:
ldap { server = "dc1.contoso.com" identity = "cn=FreeRadiusUser,cn=Users,dc=contoso,dc=com" //This is a regular "Domain user"
password = Yourpassword_without_quotes
basedn = "dc=contoso,dc=com" filter = "(&(samaccountname=%{user-name}))" # access_attr = "dialupAccess" 1) In Auhorizaton section of the radiusd.conf # Authorization. First preprocess (hints and huntgroups files) uncomment line: ldap //this will enable ldap authorization to DC 2) In Authentication section - comment line: # unix - uncomment 3 lines: Auth-Type LDAP { ldap }
//This will enable LDAP authentication On Radius server we should modify clients.conf file: client 192.168.44.1 { //IP address of the NAS secret = hero // secret key on the NAS shortname = CISCO3500 } clients.conf file contains defines NAS servers, which are submitting requests to the Radius server.
Instead of specifying one NAS client, you can specify subnet, it will look like this:
client 192.168.44.0/24 {
secret = hero
shortname = INTERNAL_SUBNET
}
In general FreeRadius first authorizes users, and then authenticates.
In /etc/freeradius/users comment the following line, so it will stop authenticate against local database
#DEFAULT Auth-Type = System
# Fall-Through = 1
add this line instead. This will force LDAP authentication
DEFAULT Auth-Type = LDAP
Fall-Through = 1
To Test this configuration: kill freeradius process, and start new one like this: #freeradius -X start when you will be ready to quit this process press "Ctrl+C" Open NTRadPing Test Utility and test: 
Valid output at the moment of authentication is: Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 172.30.17.88:1915, id=3, length=49 User-Name = "sampleuser" User-Password = "samplepassword" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "sampleuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 158 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorizerlm_ldap: performing user authorization for sampleuserradius_xlat: '(&(samaccountname=sampleuser))'radius_xlat: 'dc=jardencorp,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ryeserver.jardencorp.com:389, authentication 0 rlm_ldap: bind as cn=FreeRadiusUser,cn=Users,dc=contoso,dc=com/YourPassword to dc1.contoso.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=contoso,dc=com, with filter (&(samaccountname=sampleuser)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user sampleuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type LDAPauth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "sampleuser" with password "samplepassword" rlm_ldap: user DN: CN=Sample\, User,OU=General,DC=CONTOSO,DC=com rlm_ldap: (re)connect to dc1.contoso.com:389, authentication 1 rlm_ldap: bind as CN=Sample\, User,OU=General,DC=CONTOSO,DC=com/samplepassword to dc1.contoso.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user sampleuser authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 0 modcall: leaving group LDAP (returns ok) for request 0 Login OK: [sampleuser] (from client INTERNAL_NETWORK port 0) Sending Access-Accept of id 3 to 172.30.17.88 port 1915 Finished request 0 Going to the next request --- Walking the entire request list ---Waking up in 6 seconds... --- Walking the entire request list ---Cleaning up request 0 ID 3 with timestamp 46681827Nothing to do. Sleeping until we see a request. IMPORTANT! Sometimes system might give you: rlm_ldap: ldap_search() failed: Operations error This is not a configuration mistake, it is some kind of problem between Freeradius communication to Domain Controller. courtesy http://www.isrcomputing.com/index.php?view=article&catid=38%3Atechnology-tips&id=66%3Afreeradius-install-on-ubuntu&option=com_content&Itemid=82
|
Articles 
