Unix System Admin


Configuring Linux Radius Server
• Objectives
– This chapter will show you how to install and use Radius
• Contents
– An Overview Of How RADIUS Works
– Configuration of RADIUS
– Testing the RADIUS server
– Setting up the Aironet Cisco 1200 for RADIUS
– Client setup: Windows XP with a wireless PC card
• Practical
– Implementing Radius server
Introducing the elements
• NAS
– A Network Access Server (NAS) performs authentication, authorization, and
accounting for users.
– The network access server is typically a router, switch, or wireless access point.
– The NAS acts as a relay that passes or blocks traffic to and from authenticated clients.
• RADIUS and AAA
– The RADIUS server is usually a daemon process running on a UNIX or Windows
2003 server.
– Authentication, authorization and accounting are combined together in
RADIUS.
• LDAP
– The Lightweight Directory Access Protocol (LDAP) is an open standard
– It defines a method for accessing and updating information in an X.500-like
directory.
– LDAP simplifies user administration tasks by managing users in a central
directory.
Authentication via RADIUS and LDAP
Installing FreeRADIUS
• Add a test user
– Add a password for your test user
# useradd kalle
# passwd kalle
• Building from source
– Usually a good idea for best optimized code
# tar -zxvf freeradius-1.0.2.tar.gz
# ./configure
# make
# make install
• Start radiusd in debug mode
– To see if any errors arrive
# radiusd -X
• Modify the /etc/shadow permissions
# chmod g+r /etc/shadow
• Make the first RADIUS auth test
– Simulate a user trying to authenticate against the RADIUS server
# radtest kalle 123456 localhost 0 testing123
0 = fake NAS port
testing123 is the mandatory shared secret for localhost
NAS clients are found in /etc/raddb/clients.conf
• If radtest receives a response, the FreeRADIUS server is working.
Configure FreeRADIUS
• FreeRADIUS configuration files are usually stored in the
/etc/raddb folder
• Modifying radiusd.conf to activate logging
– Find and correct
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = no
• Set up the unix module so that Unix accounts serve for authentication, and
add the default authentication ports. Cisco ports can also be used; in that
case change this: port = 0
• Tell radius where you store the users to authenticate
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
Configure FreeRADIUS for NAS clients
• Check that clients.conf is declared in radiusd.conf
• Adding the NAS clients in /etc/raddb/clients.conf
– Add your access points
# Cisco Aironet 1235AP
client 192.168.1.253 {
secret = mypass
shortname = ap
nastype = other
}
• Security is slightly higher if you declare each NAS by its own IP address
and use a different secret for each of them
• The best match is used by the RADIUS server
• Here is a subnet declaration for NAS
client 192.168.1.0/24 {
secret = testing123
shortname = office-network
nastype = other
}
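An added example, not part of the slides, that models the best-match rule above: it parses the two client declarations (assembled here as a constructed clients.conf text from the slide's entries) and picks the client with the longest matching prefix for a NAS address, so the host entry for the access point wins over the /24 that contains it.

```python
import ipaddress
import re

# Constructed clients.conf text assembled from the two declarations on the slide.
CLIENTS_CONF = """
# Cisco Aironet 1235AP
client 192.168.1.253 {
    secret = mypass
    shortname = ap
    nastype = other
}
client 192.168.1.0/24 {
    secret = testing123
    shortname = office-network
    nastype = other
}
"""

# One client block: "client <ip-or-subnet> { ... }"; re.S lets ".*?" span lines.
CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_clients(text):
    """Return [(network, attrs)] for every client block in a clients.conf-style text.
    A bare address such as 192.168.1.253 becomes a /32 host network."""
    clients = []
    for m in CLIENT_RE.finditer(text):
        net = ipaddress.ip_network(m.group(1), strict=False)
        attrs = {}
        for line in m.group(2).splitlines():
            line = line.split("#", 1)[0].strip()   # drop trailing comments
            if "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                attrs[key] = value
        clients.append((net, attrs))
    return clients


def best_match(clients, nas_ip):
    """Pick the client entry whose network contains nas_ip with the longest prefix,
    i.e. the host entry wins over the /24 it sits in; None when nothing matches."""
    ip = ipaddress.ip_address(nas_ip)
    candidates = [(net, attrs) for net, attrs in clients if ip in net]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0].prefixlen)[1]
```

A NAS whose address matches no client entry gets None, which is the case where the server would silently ignore the request.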
FreeRADIUS MAC authentication setting.
• The file /etc/raddb/users contains authentication and
configuration information for each user.
– Add the following lines, placed after the informative header text:
# user-id (MAC)   Authentication type   password = MAC
00054e4d3d08 Auth-Type := Local, User-Password == "00054e4d3d08"
00186e8dc079 Auth-Type := Local, User-Password == "00186e8dc079"
– This prepares MAC authentication for users authenticating through the NAS
– Authentication will be invisible to the end user
• For more users just add more MAC addresses
• This can be used for almost any Cisco switch or router.
• Authentication is invisible: users do not need to enter
anything.
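An added example, not from the slides, that builds users-file MAC entries in the format shown above from MACs written in any common notation, and audits an existing users file for entries whose password does not equal the user-id. The sample users-file fragment and the audit helper are constructed for this example.

```python
import re

# Template matching the users-file entries on the slide: the MAC is both the
# user-id and the password, so the NAS can authenticate a client silently.
USERS_LINE = '{mac} Auth-Type := Local, User-Password == "{mac}"'

# A well-formed MAC entry; the backreference \1 checks that the password
# really is the same MAC as the user-id.
ENTRY_RE = re.compile(
    r'^([0-9a-f]{12})\s+Auth-Type\s*:=\s*Local,\s*User-Password\s*==\s*"\1"\s*$')


def normalize_mac(mac):
    """Accept 00:05:4E:4D:3D:08, 00-05-4e-4d-3d-08, 0005.4e4d.3d08 (Cisco style)
    or 00054e4d3d08 and return the 12 lowercase hex digits used as the user-id."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def users_entries(macs):
    """Build the users-file lines for a list of MACs (deduplicated, input order)."""
    seen, lines = set(), []
    for mac in macs:
        digits = normalize_mac(mac)
        if digits not in seen:
            seen.add(digits)
            lines.append(USERS_LINE.format(mac=digits))
    return lines


def audit_users_file(text):
    """Return (allowed_macs, bad_lines): MACs from well-formed entries, plus any
    line that starts like a MAC entry but does not match the expected form."""
    allowed, bad = set(), []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment header
        m = ENTRY_RE.match(stripped)
        if m:
            allowed.add(m.group(1))
        elif re.match(r"[0-9a-fA-F:.\-]{12,17}\s", stripped):
            bad.append(stripped)
    return allowed, bad


# Constructed sample: the two MACs from the slide plus one entry whose password
# does not match its user-id, to show the audit catching it.
SAMPLE_USERS = """\
# user-id (MAC)   Authentication type   password = MAC
00054e4d3d08 Auth-Type := Local, User-Password == "00054e4d3d08"
00186e8dc079 Auth-Type := Local, User-Password == "00186e8dc079"
0011223344ff Auth-Type := Local, User-Password == "deadbeef0000"
"""
```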
Configuring the Aironet 1200 (1/2)
• For no security (open network), log in to your AP and go to Express
Security
1. Enter your SSID: cisco
2. No VLAN (you can have a VLAN for each of your SSIDs if you like)
3. No security
Click on APPLY
• Activate your WLAN interfaces
• Menu Security: check None, or a WEP/cipher if you like. We choose
none for best network performance; the customer is advised to use the Cisco VPN
client or similar for security.
• Menu Security > Server Manager
– Select RADIUS in Current Server List; the list should show <NEW>
– Enter your RADIUS server IP address and shared secret
– Standard RADIUS authentication port 1812 and accounting port 1813
– Click Apply
• Go to SSID Manager and pick your SSID
– Check Open Authentication and choose "with MAC Authentication"
– At Server Priorities choose Customize and at priority 1 pick your RADIUS server IP address.
– Click APPLY
Configuring the Aironet 1200 (2/2)
• Next you need to set the AP to use MAC authentication.
– Again it is the Security panel; go to Local RADIUS settings
– Choose the General Set-Up menu and check MAC at Enable Authentication Protocols
– Click Apply
• Last, you need to set the authentication order; here we use ONLY the
RADIUS server, no local lists.
– Select MAC Addresses Authenticated by Authentication Server Only
• If you click on Security, the server-based security should look
something like this now:
• Looking at the SSID on the same panel, it should look like this: