Freeradius setup on Ubuntu 14.04

22 01 2016

Frustrated with a dilapidated installation of Freeradius 1.x in our lab, and conscious that it is no longer supported, I decided to install a new Freeradius server.

Ubuntu 14.04.3 LTS is the platform I am installing it on, and this is a relatively fresh installation of Ubuntu server. It needs to serve access-requests from a Redback and a Juniper router in our lab for both PPP and DHCP clients.

Install freeradius using ‘apt-get install freeradius’. This pulls down Freeradius 2.1, as can be seen below:

Setting up freeradius (2.1.12+dfsg-1.2ubuntu8.1)

Edit the /etc/freeradius/clients.conf file to permit all hosts on the lab network (192.168.3.0/24) to be ‘clients’ of my new Freeradius server – as long as they present the shared secret when authenticating. To do this, include the following section:

client 192.168.3.0/24 {
      secret = testing123
      shortname = labnet-3
}
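A client block like the one above covers every host in the /24 with one secret, and ‘testing123’ is the value the stock clients.conf ships with for localhost. The following audit script is an added example, not part of the post or of FreeRADIUS: it parses 2.x-style client blocks (sample text constructed here) and flags default or short secrets and blocks that span more than one address. MIN_SECRET_LEN is an assumed local policy threshold.

```python
import ipaddress
import re

# Constructed sample: the post's lab client plus the localhost client the stock file ships with.
SAMPLE_CLIENTS_CONF = """
client localhost {
      ipaddr = 127.0.0.1
      secret = testing123
}
client 192.168.3.0/24 {
      secret = testing123
      shortname = labnet-3
}
"""

KNOWN_DEFAULT_SECRETS = {"testing123"}  # value used by the stock clients.conf
MIN_SECRET_LEN = 16                     # assumption: local policy threshold, not a FreeRADIUS setting

BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)


def parse_clients(text):
    """Return [(name, {key: value})] for each 'client NAME { ... }' block (2.x blocks do not nest)."""
    return [(m.group(1), dict(KV_RE.findall(m.group(2)))) for m in BLOCK_RE.finditer(text)]


def audit_clients(text):
    """Flag default/short secrets and blocks whose address range covers more than one host."""
    findings = []
    for name, kv in parse_clients(text):
        secret = kv.get("secret", "")
        if secret in KNOWN_DEFAULT_SECRETS:
            findings.append((name, "default secret"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, "short secret"))
        try:
            # The block name is the address when no explicit ipaddr is given, as in the post.
            net = ipaddress.ip_network(kv.get("ipaddr", name), strict=False)
        except ValueError:
            continue  # hostname or unparseable; no range check possible
        if net.num_addresses > 1:
            findings.append((name, f"one secret shared by {net.num_addresses} addresses"))
    return findings
```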

Copy /etc/freeradius/users to /etc/freeradius/users.originalfile so that we have a backup in case everything goes wrong.

Edit the /etc/freeradius/users file and create a new user:

andrew Cleartext-Password := "password"
 Reply-Message = "Hello %{User-Name}"

Save the users file.

Test this locally using the ‘radtest’ command. The format of this is:

root@labhost:/etc/freeradius# radtest
Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]
 -d RADIUS_DIR Set radius directory
 -t <type> Set authentication method
 type can be pap, chap, mschap, or eap-md5
 -x Enable debug output
 -4 Use IPv4 for the NAS address (default)
 -6 Use IPv6 for the NAS address

So the command works like this – I just made up a number for the nas-port-number parameter:

root@labhost:/etc/freeradius# radtest andrew password localhost 123 testing123
Sending Access-Request of id 171 to 127.0.0.1 port 1812
 User-Name = "andrew"
 User-Password = "password"
 NAS-IP-Address = 192.168.3.237
 NAS-Port = 123
 Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=171, length=34
 Reply-Message = "Hello andrew"
root@labhost:/etc/freeradius#


All seems to be working.
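What radtest and the server exchanged above, as an added Python example that is not part of the post or of FreeRADIUS: the RFC 2865 User-Password hiding (MD5 keystream keyed by the shared secret and Request Authenticator) that carries "password" on the wire, and the Response Authenticator check a client performs before trusting an Access-Accept. It uses the post's user, secret and attribute values; radtest picks a random Request Authenticator, and any 16 bytes serve here.

```python
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, REPLY_MESSAGE = 1, 2, 4, 5, 18


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """Server side: regenerate the same keystream, XOR it away, strip the zero padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind, value):
    """Type-Length-Value encoding; Length includes the two header bytes."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, req_auth, user, password, secret, nas_ip, nas_port):
    """Code(1) + ID + Length + Request Authenticator + the attributes radtest sends."""
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def verify_response(resp, req_auth, secret):
    """Recompute the Response Authenticator; a wrong secret or tampered reply fails here."""
    head, auth, attrs = resp[:4], resp[4:20], resp[20:]
    return hashlib.md5(head + req_auth + attrs + secret).digest() == auth
```

The Access-Accept built from Reply-Message "Hello andrew" is 34 bytes, the length radtest reported above; with the secret shared by a whole /24, anyone who holds it can recover every PAP password this way, which is why the secret strength matters.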

Now to test it from the Juniper router: there is a useful test facility at the CLI, but first you need to tell Junos about the RADIUS server by configuring something like this:

andy@juniper> show configuration access
radius-server {
    192.168.3.237 {
        port 1812;
        secret "$9$iHfz9Cu1Eyp0yKWxwsZUjHP5z36AuO"; ## SECRET-DATA
        source-address 192.168.3.79;
    }
}
profile labhost {
    authentication-order radius;
    radius {
        authentication-server 192.168.3.237;
    }
}
domain {
    map dvsr.dia {
        target-routing-instance ttb_internet;
    }
    map rpm.com {
        target-routing-instance ttb_internet;
    }
}
radius-options {
    revert-interval 60;
    request-rate 4000;
}

After committing this config, we can test if it works:

andy@nge001.gui> test aaa ppp user andrew password password profile labhost
 Authentication Deny
 Reply message : Hello andrew
 Reason : address-allocation-fail
 Received Attributes :
 User Name - andrew
 Virtual Router Name - default
 Agent Remote Id - NULL
 Client IP Address - 0.0.0.0
 Client IP Netmask - 0.0.0.0
 Primary DNS IP Address - 0.0.0.0
 Secondary DNS IP Address - 0.0.0.0
 Primary WINS IP Address - 0.0.0.0
 Secondary WINS IP Address - 0.0.0.0
 Primary DNS IPv6 Address - ::
 Secondary DNS IPv6 Address - ::
 Reply Message - Hello andrew
 Class Attribute - not set
 Service Type - 0
 Framed Pool - not set
 Client IPv6 Address - ::
 Client IPv6 Mask - null
 Framed IPv6 Prefix - ::/0
 Framed IPv6 Pool - not-set
 NDRA IPv6 Prefix - not-set
 Login IPv6 Host - ::
 Framed Interface Id - 0:0:0:0
[...OUTPUT OMITTED...]
 NAS Port Id - -0/0/0.0
 NAS Port - 4095
 NAS Port Type - 15
 Framed Protocol - 1
 Test complete. Exiting


As you can see, it did not – we got denied because of an IP address allocation failure. But at least the two are talking!

If you do a ‘service freeradius stop’ and then start it again in debug mode, you can see the freeradius side of things quite nicely:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.

rad_recv: Access-Request packet from host 192.168.3.79 port 52305, id=102, length=161
 User-Name = "andrew"
 User-Password = "password"
 Service-Type = Framed-User
 Framed-Protocol = PPP
 Chargeable-User-Identity = ""
 Acct-Session-Id = "21481"
 ERX-Dhcp-Mac-Addr = "abcd.0000.0001"
 NAS-Identifier = "nge001.gui"
 NAS-Port = 4095
 NAS-Port-Id = "-0/0/0.0"
 NAS-Port-Type = Ethernet
 ERX-Pppoe-Description = "pppoe ab:cd:00:00:00:01"
 NAS-IP-Address = 192.168.3.79
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "andrew", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry andrew at line 93
[files] expand: Hello %{User-Name} -> Hello andrew
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "password"
[pap] Using clear text password "password"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 102 to 192.168.3.79 port 52305
 Reply-Message = "Hello andrew"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 102 with timestamp +9
Ready to process requests.


The PPP user isn’t going to get logged in with so little configuration though. I need to be able to assign him an IP address and put him in a routing-instance somehow. I’ll do a follow-up post on how to achieve that.
