radiusd.conf
---------------------------------------------------------------------------------------------
# freeradius config for a typical company using Active Directory for password management
# George Shearer (doc at lame dot org)
# Primary uses:
# 1. AAA for admin access to network devices (ldap)
# 2. AAA for user access to 802.11 Wireless Networks (WPA2-Enterprise / EAP-PEAP / EAP-MSCHAPv2)
# 3. AAA for remote user access to VPN (ldap)
name = radiusd
# Locations
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
# Security
#chroot = /path/to/chroot/directory
user = radiusd
group = radiusd
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
# Network
hostname_lookups = yes
proxy_requests = no
listen {
type = auth
ipaddr = ip-addr-of-eth0
port = 1812
}
listen {
type = acct
ipaddr = ip-addr-of-eth0
port = 1813
}
listen {
type = control
socket = ${run_dir}/${name}.sock
mode = ro
}
# Performance
max_request_time = 10
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
thread pool {
start_servers = 5
max_servers = 15
min_spare_servers = 3
max_spare_servers = 5
max_requests_per_server = 0
}
# Logging
log {
destination = syslog
syslog_facility = authpriv
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = no
}
# freeradius modules
modules {
# Create unique acct ID's per session -- so tell network devices to use common id's and let radiusd handle
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
preprocess {
huntgroups = ${confdir}/huntgroups
}
detail {
detailfile = ${radacctdir}/%{Huntgroup-Name}/detail-%Y%m%d
detailperm = 0600
header = "%t"
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
ldap {
server = "ip-addr-of-domain-contoller"
port = 3268
identity = "CN=myqueryacct,OU=System Accounts,DC=mycompany,DC=com"
password = "mypassword"
basedn = "DC=mycompany,DC=com"
filter = "(&(objectCategory=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
groupname_attribute = "cn"
groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
groupmembership_attribute = memberOf
ldap_connections_number = 3
timeout = 4
timelimit = 3
net_timeout = 1
directory_mappings = ${confdir}/ldap.attrmap
}
eap {
default_eap_type = peap
timer_expire = 60
max_sessions = 500
ignore_unknown_eap_types = no
tls {
cert_dir = ${confdir}/certs
rsa_key_length = 2048
dh_key_length = 2048
private_key_password = password-for-my-encrypted-key
private_key_file = ${cert_dir}/combined-cert-and-key-file.pem
certificate_file = ${private_key_file}
CA_file = ${cert_dir}/my-ca-cert-file.pem
dh_file = ${cert_dir}/dh
random_file = ${cert_dir}/random
fragment_size = 1024
include_length = yes
cipher_list = "DEFAULT"
cache {
enable = yes
lifetime = 24
max_entries = 500
}
}
peap {
default_eap_type = mschapv2
}
mschapv2 {
}
}
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-None} --domain=%{%{mschap:NT-Domain}:-EDLENDING} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --require-membership-of=wifiusers"
}
radutmp {
filename = ${logdir}/radutmp
username = %{%{Stripped-User-Name}:-%{User-Name}}
case_sensitive = yes
check_with_nas = yes
perm = 0600
}
realm ntdomain {
format = prefix
delimiter = "\\"
}
}
instantiate {
}
authorize {
preprocess
eap {
ok = return
updated = return
}
# The eap {} stuff above prevents your ldap server from being used for wireless users. Since we handle this via ntlm, no need to bug ldap.
# also, the ntdomain stuff isnt even needed because the mschap module has variables to do the stripping built in..
ntdomain
files
ldap
}
authenticate {
Auth-Type LDAP {
ldap
}
Auth-Type MS-CHAP {
mschap
}
eap
}
preacct {
preprocess
update request {
NAS-Port = 1
# Cisco ASA's annoyingly do not include NAS-Port for administrative logins. This breaks radwho. The
# above statement forces Nas-Port to be '1' if it doesn't already exist.
}
ntdomain
acct_unique
}
accounting {
detail
radutmp
}
session {
radutmp
}
# Realms (domains)
realm MYCOMPANY {
authhost = LOCAL
accthost = LOCAL
type = radius
}
realm SUB {
authhost = LOCAL
accthost = LOCAL
type = radius
}
realm NULL {
authhost = LOCAL
accthost = LOCAL
type = radius
realm = MYCOMPANY
}
# Include our clients
$INCLUDE clients.conf
---------------------------------------------------------------------------------------------
huntgroups
# All devices that network-admins want to log into for administrative access
# Cisco sends "Virtual" for type on most things I've tried for SSH access
network-admin NAS-IP-Address == ipaddr1, NAS-Port-Type == "Virtual"
network-admin NAS-IP-Address == ipaddr2, NAS-Port-Type == "Virtual"
network-admin NAS-IP-Address == ipaddr3, NAS-Port-Type == "Virtual"
network-admin NAS-IP-Address == ipaddr4, NAS-Port-Type == "Virtual"
# Cisco 1200 series WAPs
# Since I handle AAA for wireless via ntlm_auth (not LDAP), this group isnt even necessary
# However you could expand upon my config and use this group to create a seperate
# accounting file, or various other uses.
wireless NAS-IP-Address == ipaddr1, NAS-Port-Type == "Wireless-802.11"
wireless NAS-IP-Address == ipaddr2, NAS-Port-Type == "Wireless-802.11"
wireless NAS-IP-Address == ipaddr3, NAS-Port-Type == "Wireless-802.11"
# Cisco 3000 Concentrators
# These also send "VirtuaL" as type for users connecting via IPsec. Unfortunately,
# the 3000 platform does not support radius AAA for administrative access :(
vpn NAS-IP-Address == ipaddr1, NAS-Port-Type == "Virtual"
vpn NAS-IP-Address == ipaddr2, NAS-Port-Type == "Virtual"
---------------------------------------------------------------------------------------------
users
# this 'locally managed' account matches the same account thats in the local configs on the devices
# various scripts use this account for things like downloading configs or whatever. And its not in
# active directory. It also has a limited security level.
admin Huntgroup-Name == "network-admin", Cleartext-Password := "localadminaccountpw"
Service-Type := NAS-Prompt-User,
cisco-avpair := "shell:priv-lvl=2"
# This drops all users who are a member of the 'networkteam' group right into an "enabled" prompt
# Unfortunately, PIX/ASA's do not support this cisco-avpair on Radius, so you'll still type 'enable'
# but when you're asked for a password, you'll give your AD account password again as opposed to
# the real enable password. The only time you should need the real enable password for any device
# is when the radius server is down
DEFAULT Huntgroup-Name == "network-admin", Ldap-Group == "networkteam"
Service-Type := NAS-Prompt-User,
cisco-avpair := "shell:priv-lvl=15",
Auth-Type := LDAP
DEFAULT Huntgroup-Name == "vpn", Ldap-Group == "vpnusers"
Auth-Type := LDAP
DEFAULT Auth-Type := Reject
Reply-Message := "Access Denied. Your attempt has been logged.",
---------------------------------------------------------------------------------------------
Cisco IOS based device config: (relevant parts, anyway)
aaa new-model
aaa authentication login networkteam group radius local-case
aaa authentication login wifi-access group radius
aaa authorization exec default group radius local
aaa accounting session-duration ntp-adjusted
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa session-id common
!
! Obviously you dont need the wireless stuff for non-access points
dot11 ssid OURSSID
authentication open eap wifi-access
authentication key-management wpa
accounting default
!
! The "accounting-default" statement is what causes IOS to send accounting packets for that SSID
radius-server host my-radius-server auth-port 1812 acct-port 1813 key myradiuskey
!
line con 0
login authentication networkteam
line vty 0 15
login authentication networkteam
---------------------------------------------------------------------------------------------
Cisco ASA/PIX config:
username admin password whatever
aaa-server radius protocol radius
max-failed-attempts 3
aaa-server radius (INSIDE) host my-radius-server
timeout 3
key slxradkey2010
authentication-port 1812
accounting-port 1813
aaa authentication ssh console radius LOCAL
aaa authentication enable console radius LOCAL
aaa authentication serial console radius LOCAL
aaa authentication telnet console radius LOCAL
aaa authentication http console radius LOCAL
aaa accounting ssh console radius
aaa accounting telnet console radius
aaa accounting serial console radius