On Friday 14 March 2003 19:33, Bryan Koschmann - GKT wrote:
> On Fri, 14 Mar 2003, tarvid wrote:
> |http://www.frontios.com/freeradius.html got me going. Once "file"
> |authentication worked i settled for sql accounting
> |
> |but i did export an old icradius database by patching in a "==" operator
> | and duplicating a couple of fields in the old accounting records.
> |
> |There is a text to sql converter but I have never used it.
> |
> |If you are desperate and will settle for less my config notes are around
> |someplace.
>
> Thanks for the link! I think it will give me a better basis on getting
> started.
>
> Would you be able to send me a couple rows from the database, so I can see
> some real world examples (names changed to protect the customer of course
> :) ) Don't worry about it if it's a hassle, I'm just trying to get a good
> grasp before I dive into all this.
>
> Thanks,
>
>       Bryan
My notes are attached.
freeradius 0.8.1-1mdk configuration

This is the package generated by Oden Eriksson for the cooker contrib library on Sun Mar 02 2003. The goal here is to provide the information to get the package working in the simplest manner.

clients.conf

We have four clients - two for dialins and two for testing. The minimum default configuration would be one client - localhost - so that the program radtest can run. The "secret" must be known to the user of radtest.

  • as5200-e1 - dialins
  • as5200-e2 - dialins
  • nuhorace - to enable radtest
  • diva.ls.net - to enable ntradping

Each entry has the form -

client client-ip {
      secret          = radius-secret
      shortname       = client-hostname
      nastype         = cisco|other|portslave
      login           = client-username
      password        = client-password
}

login and password are optional and are used when RADIUS must connect to the client via a login session for certain operations (such as detecting simultaneous use).

radiusd.conf

I could not get the default configuration (system authentication) to work. I downloaded, compiled and installed the source from http://freeradius.org and got exactly the same error.

I am not sure that all of the following are required - I was less than methodical in my testing - but the following did make file authentication work (reading passwords directly instead of making system calls).

 user = root
 group = root

RADIUS must be able to read /etc/shadow for "file" (as opposed to system) authentication to work. I will take up this matter on the freeradius mailing list to get some insight. sudo or chroot might be alternatives. ip access control is inherent in freeradius (see clients.conf above).

 log_auth = yes

Enables writing requests to /var/log/radius/radius.log. We use this file often to check for failed logins.

 log_auth_badpass = yes
 log_auth_goodpass = yes

Logging bad passwords is essential to good management. Logging good passwords in clear text is not such a good idea but while setting up radius it does tell you whether there was no password or a good password (no passwords being a common error). Obviously permissions of this file (running as root) should be 600. Once user, group and permissions are worked out, they should be added to msec.

 lower_user = yes
 lower_pass = yes
 nospace_user = after
 nospace_pass = after

These are convenience items of debatable merit and security. Mixing case in passwords is good for security but the cause of many headaches for sysadmins.

 proxy_requests  = no
 #$INCLUDE  ${confdir}/proxy.conf

There is no good reason to require proxy configuration for a basic install. This turns it off.

               cache = yes

Essential for performance on Linux systems. This does require a "HUP" (reload) when users are added.

                       passwd = /etc/passwd
                       shadow = /etc/shadow
                       group = /etc/group

I think the default is adequate but I uncommented all three. /etc/shadow has all the information required.

       sql

I added this to the accounting section after unix and before radutmp, which enables logging to mysql and requires setting up sql.conf.

sql.conf

       password = ""

I simply turned off the root password for sql. I only permit root from localhost and I find this preferable to having the root password lying around in clear text.

       sqltrace = yes

This logs every sql operation. This can be enormously helpful in debugging more complex installations and even when rebuilding access records.

cisco aaa

The cisco readme in freeradius is misleading and inappropriate for simple freeradius configurations and inadequate for complex configurations.

aaa new-model
aaa authentication login default local
aaa authentication login console enable
aaa authentication login vty local
aaa authentication login dialin group radius local
aaa authentication ppp dialin if-needed group radius
aaa authorization network default none
aaa accounting delay-start
aaa accounting network default start-stop group radius
aaa processes 6
...
radius-server host aaa.bbb.ccc.ddd auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key radius-secret
!
line con 0
 exec-timeout 0 0
 login authentication console
line 1 48
 login authentication dialin
 modem Dialin
 autoselect during-login
 autoselect ppp
line aux 0
 login authentication console
line vty 0 4
 exec-timeout 0 0
 password 7 xxxxxxxxx
 login authentication vty
 transport input telnet

Simply configured, freeradius has no clue about authorization (as opposed to authentication). So we simply turn authorization off. The readme does not tell you where to invoke the aaa lists (the book is no better).

Observations

With the modest configuration changes above I have system authentication, that is every user in /etc/shadow is granted access. This is both simple and fast. Some users could be blocked in the "users" configuration file (such as root) but one is in deep trouble if the root password is compromised anyway.

The radius database sql create file is missing from the package. This is a mistake. I got it from the tarball. Setting up the radius database could be done in a postinstallation script. Once that is done the sql entry in accounting gives me a database of authentications as well as detail records, a sequential file of logins and the "radutmp" record. Oddly enough, I use all four forms for different reasons.

There are much more complex configurations of interest (e.g. LDAP) but I have a lot of other basic work to do and basic simplicity is my only defense.

I think Oden's package has real merit on Mandrake systems. Otherwise you wind up with file locations more suitable for RedHat or Debian. A postinstall script or a wizard would be a nice touch.

The addition of a GUI would be a plus (perhaps as a webmin plugin). The current version supplied with freeradius is broken. All of the alternatives (and dialup-admin) expect sql authentication as well as accounting. A truly competent GUI would provide for all combinations of aaa methods - no small task.

With increasing use of RADIUS, this package is a significant contribution to Mandrake Linux as a server.
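The notes above turn on log_auth, log_auth_badpass and log_auth_goodpass and then rely on radius.log to spot failed logins and empty passwords. Here is an added example (not from the original message or the freeradius project) that does that check over a few constructed log lines and strips the cleartext passwords before the file is passed around; the "Auth: Login OK/incorrect: [user/password] (from client ... port ...)" line format is assumed from freeradius 0.8 and is not quoted from the page.

```python
import re
from collections import Counter

# Constructed sample lines in the style of freeradius 0.8's radius.log with
# log_auth, log_auth_badpass and log_auth_goodpass all set to yes.
# Because goodpass logging is on, the successful logins carry the password too.
SAMPLE_LOG = """\
Fri Mar 14 19:01:02 2003 : Auth: Login OK: [alice/s3cret] (from client as5200-e1 port 3)
Fri Mar 14 19:01:10 2003 : Auth: Login incorrect: [bob/wrongpw] (from client as5200-e1 port 4)
Fri Mar 14 19:01:15 2003 : Auth: Login incorrect: [bob/] (from client as5200-e2 port 1)
Fri Mar 14 19:02:00 2003 : Auth: Login incorrect: [carol/Carol1] (from client nuhorace port 0)
Fri Mar 14 19:02:30 2003 : Auth: Login OK: [bob/rightpw] (from client as5200-e1 port 4)
"""

# Assumed line layout: "<timestamp> : Auth: Login OK|incorrect: [user[/password]] (from client X port N...)"
AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^/\]]*)(?:/(?P<password>[^\]]*))?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
)

def parse_auth_line(line):
    """Return a dict for an Auth line, or None for lines that are not auth records."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ok"] = rec.pop("result") == "OK"
    # With badpass logging on, "[user/]" means the client sent no password at all,
    # which the notes call out as a common setup error.
    rec["empty_password"] = rec["password"] == ""
    return rec

def failed_logins(log_text):
    """Count failures per (user, client) and, separately, empty-password failures per user."""
    failures, empty = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_auth_line(line)
        if rec is None or rec["ok"]:
            continue
        failures[(rec["user"], rec["client"])] += 1
        if rec["empty_password"]:
            empty[rec["user"]] += 1
    return failures, empty

def redact_passwords(log_text):
    """Replace the cleartext password in every [user/password] field with *** before sharing the log."""
    return re.sub(r"\[([^/\]]*)/[^\]]*\]", r"[\1/***]", log_text)
```

Run failed_logins on the live radius.log (mode 600 as the notes say) and only ever hand out the redact_passwords output.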
