<span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br>
</span></div>Ugh. Please ignore my previous post to the list, gmail 'plain text' mode ate most of the message.</span><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br>
</span></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">All, this is my attempt at giving back to the freeradius community. Maybe others will find my configuration useful in their efforts.</span></div>
<div><font class="Apple-style-span" face="arial, sans-serif"><span class="Apple-style-span" style="border-collapse: collapse;"><br></span></font><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">I'm a network guy, and I do quite a bit of consulting work for various companies. I have a customer in particular who (prior to this) wasusing a very out-of-date Cisco ACS Server, and couldn't afford the renewal/licensing fees to bring it uptodate. They are using Microsoft's Active Directory on Windows Server 2000 as the primary database for all identities/passwords. </span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br></span></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">The goals of this configuration are:</span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">1. Provide AAA for administrative access to network devices (mostly, SSH access to Cisco routers/switches/firewalls)<br>
2. Provide AAA for 802.11 WLAN users who are using Windows XP and "Wireless Zero" clients. (Cisco 1231 series access points)<br>3. Provide AAA for VPN Users who use cisco Secure VPN client from remote locations (cisco 3000 series concentrators)</span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br>The freeradius server itself will run on a CentOS 5.4 Linux box. The company doesn't like "make install" application installs (nor do I), so I simply grabbed the SRPM from the Fedora project's KOJI build server for the latest freeradius, and built it. This process is outside the scope of this particular posting, as I want to focus on Freeradius itself.</span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br>The Fedora spec file builds multiple binary packages that you can install based on what you want to do with freeradius. These are the packages I'm using:</span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br>freeradius-utils-2.1.8-2<br>freeradius-2.1.8-2<br>freeradius-ldap-2.1.8-2</span></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br>
The company has one Active Directory forest, and one subdomain. Users exist under both. So, for this configuration, we'll call the primary zone <a href="http://COMPANY.COM" target="_blank" style="color: rgb(42, 93, 176); ">COMPANY.COM</a> and SU<a href="http://SUB.COMPANY.COM" target="_blank" style="color: rgb(42, 93, 176); ">B.COMPANY.COM</a>. Both domains must be queried for authorization & authentication. The following rules apply for access:</span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br>1. User must exist within the AD forest. (as defined by my LDAP search parameters)<br>2. User must be a member of a particular group (defined by the Users file) for certain types of access:<br>
a) For administrative access to network device, the user must be a member of the group networkteam.<br> b) Access to use the VPN, user must be a member of the group vpnusers.<br> c) Access to the Wireless network, user must be a member of group wifiusers.</span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br>VPN and Network-Admin users achieve both Authorization and Authentication using nothing more than the rlm_ldap module. Wireless users do not use ldap at all, but instead, they use the eap and mschap modules. The mschap module is configured to use ntlm_auth which requires samba's winbind to be configured on the backend.</span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br>It took me some time (and I will not admit how much time) to figure out how to make this all work. I blame most of this on the fact that freeradius has been around a long time, and as result there's lots of obsolete documentation out there for google to find. I believe this configuration uses mostly uptodate syntax, however I'm always interested in advice on improvements.</span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br>Interestingly, this process gave me quite a case of dejavu. I wrote a combination tacacs/radius server WAY back when the Livingston Portmaster 2 series was king of dialup. Many sers on the livingston mailing list used my source code. This really made me feel old. :(</span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br>Anyway, on to the good stuff:</span></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br>
</span></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">Annoyances: </span></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br>
</span></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">1. Cisco does not support command accounting via Radius. Only Tacacs. Why? They want you to buy ACS ! Sorry Cisco, I love ya, but.. cmon!</span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">2. Cisco PIX/ASA do not support radius for command authorization. So, you have to type 'enable' and your AD account password AGAIN.</span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">3. Cisco 1231-series access points running IOS 12.3(8)JED or earlier do not include NAS-Port-Type in subsequent password attempts for SSH access. So, you only get one shot at typing your password right when you SSH for admin access into a WAP. It'll ask you for your password again, and it'll try to get approval from your Radius server, however, it will not include the port type in the request. So freeradius will not classify the request in the proper huntgroup. Unfortunately, you may think you just keep fat fingering your password, so you just keep trying. This will eventually get your AD account locked and you'll have to bug the windows guys to re-enable it. :)</span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">4. Cisco 3000 platform does not support AAA for admin access.. again, only with tacacs. I know, I know, this platform is OLD, but... you have to admit, it has to be one of the most reliable platforms cisco has ever sold. It's hard to say goodbye.</span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br></span></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><div>
radiusd.conf</div><div>---------------------------------------------------------------------------------------------</div><div># freeradius config for a typical company using Active Directory for password management</div>
<div># George Shearer (doc at lame dot org)</div><div># Primary uses:</div><div># 1. AAA for admin access to network devices (ldap)</div><div># 2. AAA for user access to 802.11 Wireless Networks (WPA2-Enterprise / EAP-PEAP / EAP-MSCHAPv2)</div>
<div># 3. AAA for remote user access to VPN (ldap)</div><div><br></div><div>name = radiusd</div><div><br></div><div># Locations</div><div>prefix = /usr</div><div>exec_prefix = /usr</div><div>sysconfdir = /etc</div><div>localstatedir = /var</div>
<div>sbindir = /usr/sbin</div><div>logdir = ${localstatedir}/log/radius</div><div>raddbdir = ${sysconfdir}/raddb</div><div>radacctdir = ${logdir}/radacct</div><div>confdir = ${raddbdir}</div><div>run_dir = ${localstatedir}/run/${name}</div>
<div>db_dir = ${raddbdir}</div><div>libdir = /usr/lib/freeradius</div><div>pidfile = ${run_dir}/${name}.pid</div><div><br></div><div># Security</div><div>#chroot = /path/to/chroot/directory</div><div>user = radiusd</div><div>
group = radiusd</div><div>security {</div><div> max_attributes = 200</div><div> reject_delay = 1</div><div> status_server = yes</div><div>}</div><div><br></div><div># Network</div><div>hostname_lookups = yes</div>
<div>proxy_requests = no</div><div>listen {</div><div> type = auth</div><div> ipaddr = ip-addr-of-eth0</div><div> port = 1812</div><div>}</div><div>listen {</div><div> type = acct</div><div> ipaddr = ip-addr-of-eth0</div>
<div> port = 1813</div><div>}</div><div>listen {</div><div> type = control</div><div> socket = ${run_dir}/${name}.sock</div><div> mode = ro</div><div>}</div><div><br></div><div># Performance</div>
<div>max_request_time = 10</div><div>cleanup_delay = 5</div><div>max_requests = 1024</div><div>allow_core_dumps = no</div><div>regular_expressions = yes</div><div>extended_expressions = yes</div><div>thread pool {</div><div>
start_servers = 5</div><div> max_servers = 15</div><div> min_spare_servers = 3</div><div> max_spare_servers = 5</div><div> max_requests_per_server = 0</div><div>}</div><div><br></div><div>
# Logging</div><div>log {</div><div> destination = syslog</div><div> syslog_facility = authpriv</div><div> stripped_names = no</div><div> auth = yes</div><div> auth_badpass = yes</div><div>
auth_goodpass = no</div><div>}</div><div><br></div><div># freeradius modules</div><div>modules {</div><div><br></div><div> # Create unique acct ID's per session -- so tell network devices to use common id's and let radiusd handle</div>
<div> acct_unique {</div><div> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"</div><div> }</div><div><br></div><div> preprocess {</div><div> huntgroups = ${confdir}/huntgroups</div>
<div> }</div><div><br></div><div> detail {</div><div> detailfile = ${radacctdir}/%{Huntgroup-Name}/detail-%Y%m%d</div><div> detailperm = 0600</div><div> header = "%t"</div>
<div> }</div><div><br></div><div> files {</div><div> usersfile = ${confdir}/users</div><div> acctusersfile = ${confdir}/acct_users</div><div> compat = no</div><div>
}</div><div><br></div><div> ldap {</div><div> server = "ip-addr-of-domain-contoller"</div><div> port = 3268</div><div><span class="Apple-tab-span" style="white-space:pre"> </span># Global Catalog port not LDAP. This allows combined searches of both <a href="http://SUB.MYCOMPANY.COM">SUB.MYCOMPANY.COM</a> and <a href="http://MYCOMPANY.COM">MYCOMPANY.COM</a></div>
<div> identity = "CN=myqueryacct,OU=System Accounts,DC=mycompany,DC=com"</div><div> password = "mypassword"</div><div><br></div><div> basedn = "DC=mycompany,DC=com"</div>
<div> filter = "(&(objectCategory=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"</div><div> groupname_attribute = "cn"</div><div> groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"</div>
<div> groupmembership_attribute = memberOf</div><div><br></div><div> ldap_connections_number = 3</div><div> timeout = 4</div><div> timelimit = 3</div><div> net_timeout = 1</div>
<div> directory_mappings = ${confdir}/ldap.attrmap</div><div> }</div><div><br></div><div> eap {</div><div> default_eap_type = peap</div><div> timer_expire = 60</div>
<div> max_sessions = 500</div><div> ignore_unknown_eap_types = no</div><div> tls {</div><div> cert_dir = ${confdir}/certs</div><div> rsa_key_length = 2048</div>
<div> dh_key_length = 2048</div><div> private_key_password = password-for-my-encrypted-key</div><div> private_key_file = ${cert_dir}/combined-cert-and-key-file.pem</div>
<div> certificate_file = ${private_key_file}</div><div> CA_file = ${cert_dir}/my-ca-cert-file.pem</div><div> dh_file = ${cert_dir}/dh</div><div> random_file = ${cert_dir}/random</div>
<div> fragment_size = 1024</div><div> include_length = yes</div><div> cipher_list = "DEFAULT"</div><div> cache {</div><div>
enable = yes</div><div> lifetime = 24</div><div> max_entries = 500</div><div> }</div><div> }</div>
<div> peap {</div><div> default_eap_type = mschapv2</div><div> }</div><div> mschapv2 {</div><div> }</div><div> }</div><div><br></div>
<div> mschap {</div><div> use_mppe = yes</div><div> require_encryption = yes</div><div> require_strong = yes</div><div> with_ntdomain_hack = yes</div><div>
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-None} --domain=%{%{mschap:NT-Domain}:-EDLENDING} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --require-membership-of=wifiusers"</div>
<div> }</div><div><br></div><div> radutmp {</div><div> filename = ${logdir}/radutmp</div><div> username = %{%{Stripped-User-Name}:-%{User-Name}}</div><div> case_sensitive = yes</div>
<div> check_with_nas = yes</div><div> perm = 0600</div><div> }</div><div><br></div><div> realm ntdomain {</div><div> format = prefix</div><div> delimiter = "\\"</div>
<div> }</div><div>}</div><div><br></div><div><br></div><div>instantiate {</div><div>}</div><div><br></div><div>authorize {</div><div> preprocess</div><div> eap {</div><div> ok = return</div>
<div> updated = return</div><div> }</div><div># The eap {} stuff above prevents your ldap server from being used for wireless users. Since we handle this via ntlm, no need to bug ldap.</div><div># also, the ntdomain stuff isnt even needed because the mschap module has variables to do the stripping built in..</div>
<div> ntdomain</div><div> files</div><div> ldap</div><div>}</div><div><br></div><div>authenticate {</div><div> Auth-Type LDAP {</div><div> ldap</div><div> }</div><div> Auth-Type MS-CHAP {</div>
<div> mschap</div><div> }</div><div> eap</div><div>}</div><div><br></div><div>preacct {</div><div> preprocess</div><div> update request {</div><div> NAS-Port = 1</div>
<div>#<span class="Apple-tab-span" style="white-space:pre"> </span>Cisco ASA's annoyingly do not include NAS-Port for administrative logins. This breaks radwho. The</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>above statement forces Nas-Port to be '1' if it doesn't already exist.</div>
<div> }</div><div> ntdomain</div><div> acct_unique</div><div>}</div><div><br></div><div>accounting {</div><div> detail</div><div> radutmp</div><div>}</div><div><br></div><div>session {</div>
<div> radutmp</div><div>}</div><div><br></div><div># Realms (domains)</div><div>realm MYCOMPANY {</div><div> authhost = LOCAL</div><div> accthost = LOCAL</div><div> type = radius</div><div>}</div>
<div><br></div><div>realm SUB {</div><div> authhost = LOCAL</div><div> accthost = LOCAL</div><div> type = radius</div><div>}</div><div><br></div><div>realm NULL {</div><div> authhost = LOCAL</div>
<div> accthost = LOCAL</div><div> type = radius</div><div> realm = MYCOMPANY</div><div>}</div><div><br></div><div># Include our clients</div><div>$INCLUDE clients.conf</div><div><br></div><div>---------------------------------------------------------------------------------------------</div>
<div>huntgroups</div><div><br></div><div># All devices that network-admins want to log into for administrative access</div><div># Cisco sends "Virtual" for type on most things I've tried for SSH access</div>
<div>network-admin NAS-IP-Address == ipaddr1, NAS-Port-Type == "Virtual"</div><div>network-admin NAS-IP-Address == ipaddr2, NAS-Port-Type == "Virtual"</div><div>network-admin NAS-IP-Address == ipaddr3, NAS-Port-Type == "Virtual"</div>
<div>network-admin NAS-IP-Address == ipaddr4, NAS-Port-Type == "Virtual"</div><div><br></div><div># Cisco 1200 series WAPs</div><div># Since I handle AAA for wireless via ntlm_auth (not LDAP), this group isnt even necessary</div>
<div># However you could expand upon my config and use this group to create a seperate</div><div># accounting file, or various other uses.</div><div>wireless NAS-IP-Address == ipaddr1, NAS-Port-Type == "Wireless-802.11"</div>
<div>wireless NAS-IP-Address == ipaddr2, NAS-Port-Type == "Wireless-802.11"</div><div>wireless NAS-IP-Address == ipaddr3, NAS-Port-Type == "Wireless-802.11"</div><div><br></div><div># Cisco 3000 Concentrators</div>
<div># These also send "VirtuaL" as type for users connecting via IPsec. Unfortunately,</div><div># the 3000 platform does not support radius AAA for administrative access :( </div><div>vpn NAS-IP-Address == ipaddr1, NAS-Port-Type == "Virtual"</div>
<div>vpn NAS-IP-Address == ipaddr2, NAS-Port-Type == "Virtual"</div><div><br></div><div>---------------------------------------------------------------------------------------------</div><div>users</div>
<div><br></div><div># this 'locally managed' account matches the same account thats in the local configs on the devices</div><div># various scripts use this account for things like downloading configs or whatever. And its not in</div>
<div># active directory. It also has a limited security level.</div><div>admin Huntgroup-Name == "network-admin", Cleartext-Password := "localadminaccountpw"</div><div> Service-Type := NAS-Prompt-User,</div>
<div> cisco-avpair := "shell:priv-lvl=2"</div><div><br></div><div># This drops all users who are a member of the 'networkteam' group right into an "enabled" prompt</div><div># Unfortunately, PIX/ASA's do not support this cisco-avpair on Radius, so you'll still type 'enable'</div>
<div># but when you're asked for a password, you'll give your AD account password again as opposed to</div><div># the real enable password. The only time you should need the real enable password for any device</div>
<div># is when the radius server is down</div><div>DEFAULT Huntgroup-Name == "network-admin", Ldap-Group == "networkteam"</div><div> Service-Type := NAS-Prompt-User,</div><div> cisco-avpair := "shell:priv-lvl=15",</div>
<div> Auth-Type := LDAP</div><div><br></div><div>DEFAULT Huntgroup-Name == "vpn", Ldap-Group == "vpnusers"</div><div> Auth-Type := LDAP</div><div><br></div><div><br>
</div><div>DEFAULT Auth-Type := Reject</div><div> Reply-Message := "Access Denied. Your attempt has been logged.",</div><div><br></div><div>---------------------------------------------------------------------------------------------</div>
<div>Cisco IOS based device config: (relevant parts, anyway)</div><div><br></div><div>aaa new-model</div><div>aaa authentication login networkteam group radius local-case</div><div>aaa authentication login wifi-access group radius</div>
<div>aaa authorization exec default group radius local</div><div>aaa accounting session-duration ntp-adjusted</div><div>aaa accounting exec default start-stop group radius</div><div>aaa accounting network default start-stop group radius</div>
<div>aaa session-id common</div><div>!</div><div>! Obviously you dont need the wireless stuff for non-access points</div><div>dot11 ssid OURSSID</div><div> authentication open eap wifi-access</div><div> authentication key-management wpa</div>
<div> accounting default</div><div>!</div><div>! The "accounting-default" statement is what causes IOS to send accounting packets for that SSID</div><div>radius-server host my-radius-server auth-port 1812 acct-port 1813 key myradiuskey</div>
<div>!</div><div>line con 0</div><div>login authentication networkteam</div><div>line vty 0 15</div><div>login authentication networkteam</div><div><br></div><div>---------------------------------------------------------------------------------------------</div>
<div>Cisco ASA/PIX config:</div><div><br></div><div>username admin password whatever</div><div>aaa-server radius protocol radius</div><div> max-failed-attempts 3</div><div>aaa-server radius (INSIDE) host my-radius-server</div>
<div> timeout 3</div><div> key slxradkey2010</div><div> authentication-port 1812</div><div> accounting-port 1813</div><div>aaa authentication ssh console radius LOCAL</div><div>aaa authentication enable console radius LOCAL</div>
<div>aaa authentication serial console radius LOCAL</div><div>aaa authentication telnet console radius LOCAL</div><div>aaa authentication http console radius LOCAL</div><div>aaa accounting ssh console radius</div><div>aaa accounting telnet console radius</div>
<div>aaa accounting serial console radius</div><div><br></div></span></div></div>