Unix System Admin

Transcript Unix System Admin

Configuring Linux Radius Server
• Objectives
– This chapter will show you how to install and use Radius
• Contents
– An Overview Of How Radius Works
– Configuration of Radius
– Testing Radius server
– Setting up Aironet Cisco1200 for radius
– Client Setup Windows XP with wireless pccard
• Practical
– Implementing Radius server
Introducing the elements
• NAS
– A Network Access Server (NAS) performs authentication, authorization, and accounting for users.
– The network access server is typically a router, switch, or wireless access point.
– The NAS acts as a relay that passes or blocks traffic to and from authenticated clients.
• RADIUS and AAA
– The RADIUS server is usually a daemon process running on a UNIX or Windows 2003 server.
– Authentication, authorization, and accounting are combined in RADIUS.
• LDAP
– The Lightweight Directory Access Protocol (LDAP) is an open standard.
– It defines a method for accessing and updating information in an X.500-like directory.
– LDAP simplifies user administration tasks by managing users in a central directory.
Authentication via RADIUS and LDAP
Installing RADIUS
• Add a testuser
# useradd kalle
# passwd kalle
– Add a password for your testuser
• Building from source
– Usually a good idea for the best-optimized code
# tar -zxvf freeradius-1.0.2.tar.gz
# ./configure
# make
# make install
• Start radiusd in debug mode
# radiusd -X
– To see if any errors arrive
• Modify /etc/shadow permission
# chmod g+r /etc/shadow
• Make the first radius auth test
– Simulate a user trying to authenticate against the radius server
# radtest kalle 123456 localhost 0 testing123
0 = fake NAS port
testing123 is the mandatory shared secret for localhost
NAS clients are found in /etc/raddb/clients.conf
• If radtest receives a response, the FreeRADIUS server is working.
Configure FreeRADIUS
• FreeRADIUS configuration files are usually stored in the /etc/raddb folder
• Modifying radiusd.conf to activate logging
– Find and correct
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = no
• Set up the server so the local Unix accounts serve as the authentication source, and add the Cisco authentication port
port = 1645
passwd = /etc/passwd
shadow = /etc/shadow
group = /etc/group
Configure FreeRADIUS for NAS clients
• Adding the NAS clients in /etc/raddb/clients.conf
– You can add single clients or subnets if you like
client 192.168.1.254/24 {
    secret    = mysecret1
    shortname = ap1200
    nastype   = cisco
}
• Security is slightly higher if you list each NAS by its own IP address and give each one a different secret
• Here is a subnet declaration for NAS
client 192.168.2.0/24 {
    secret    = mysecret1
    shortname = myserver
    nastype   = other
}
Configuring the user for authentication
• The file /etc/raddb/users contains authentication and configuration information for each user.
– Add or change the following lines, placing them after the informative header text:
Auth-Type := LDAP
Auth-Type := Local, User-Password == "mypasswd"
Auth-Type := System
Service-Type = Login
– This prepares for LDAP and local authentication of users authenticating through the NAS
• The file /etc/raddb/eap.conf sets the EAP authentication methods for users (there are many)
– Change/add the following:
default_eap_type = md5
auth_type = PAP
md5 { }
leap { }
Configuring the Aironet 1200
• For EAP security, login to your AP and go to express security
1. Enter your SSID cisco
2. No VLAN
3. Security EAP
Enter IP address of your Radius server: 192.168.1.10
Enter the Server Secret: mysecret1
Click on APPLY
• For WPA security, login to your AP and go to express security
1. Enter your SSID cisco
2. No VLAN
3. Security WPA
Enter IP address of your Radius server: 192.168.1.10
Enter the Server Secret: mysecret1
Click on APPLY
Configuring the user CPE equipment
• In this particular case we have Windows XP as the CPE
– Install your