Having just followed all of those instructions to build out my production systems, I have a few tweaks to fix all those little things that drive one insane when following someone's instructions because they never tested them. Using FreeRADIUS2 Rick Steeves 091203 freeradius2@corwyn.net Setup, configuration, troubleshooting instructions, on CentOS 5.x Goals: o Authentication telnet sessions for Cisco switches against AD for a specific security group (Infrastructure) o Authentication for VPN users using MSCHAP on a sonicwall firewall using a Windows VPN client with L2TP against AD for a specific security group (VPN_Users) Install The linux site for the rpm download of freeradius2 is: http://people.redhat.com/jdennis/freeradius-rhel-centos Create /etc/yum.repos.d/freeradius2.repo: [freeradius2] name=Freeradius2 baseurl=http://people.redhat.com/jdennis/freeradius-rhel-centos enabled=1 gpgcheck=0 Install freeradius2: yum clean all yum install freeradius2 freeradius2-utils freeradius2-ldap Enable FreeRadius to start on boot: chkconfig radiusd on To start the freeRadius service service radiusd start To run the service in debug mode (which you should be doing until everything works): service radiusd stop radiusd X Quirks If you get an error from the output of radiusd X along the lines of: Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022) then the issue is that radiusd doesn't have access to the winbindd_privileged folder. You can fix with: chgrp radiusd /var/cache/samba/winbindd_privileged chmod g+rw /var/cache/samba/winbindd_privileged Configuration See http://deployingradius.com/documents/configuration/active_directory.html Note that the configuring of SAMBA, kerberos, and adding to the domain should already be done as part of the default Linux install, see h:\is\operating system\Linux\Guide_linux.doc Verify that a user in the domain can be authenticated: wbinfo -a user%password Try the same login with the ntlm_auth program, which is what FreeRADIUS will be using: ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password /etc/raddb/radiusd.conf (see Appendix C) Update max_requests to # users * 256 Add to the end of the auth listen {..} (to permit groups of clients) clients = disambiguate Add to the end of the acct listen {..} (to permit groups of clients) clients = disambiguate Add to the end of the modules{..} section: (to enable ntlm_auth as an authentication method) exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=example.com -username=%{mschap:User-Name} --password=%{User-Password}" } In log{..} auth = yes (to log authentication requests) /etc/raddb/huntgroups huntgroups let you restrict which clients are associated with which user. You will need to add each IP of each device that will be using the RADIUS server, and associate it with the correct huntgroup. This will let the /etc/raddb/users file associate the user with the appropriate device: /etc/radbb/huntgroups: Cisco_Huntgroup NAS-IP-Address == 10.100.0.1 Cisco_Huntgroup NAS-IP-Address == 10.100.0.2 Cisco_Huntgroup NAS-IP-Address == 10.100.0.3 VPN_Huntgroup NAS-IP-Address == 10.4.1.2 /etc/raddb/modules/ldap If this file is missing, you need to install the RPM for freeradius2-ldap. This section is one of the biggest pains to configure, as all of your LDAP strings need to be 100% correct, andt hey will be very specific to the environment. Of course, update server, identify, password, basedn for your own environment. You will need a user account in AD to permit the bind to LDAP. In this example, that account is in: CN=_useraccount,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=example,DC=com In this example, the Security groups are located in (or below): OU=Enterprise,DC=example,DC=com ldap { server = "example.com" identity = "CN=_useraccount,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=example,DC=com" password = secretpassword basedn = "OU=Enterprise,DC=example,DC=com" filter = (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) groupmembership_attribute = "memberOf" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" } Configuration of different virtual sites For this you'll have 3 general sites, default (used mostly for testing on 127.0.0.1), server_cisco (used to AAA the Cisco users), and server_vpn (used to AAA the VPN users). These live in /etc/raddb/sites-available/ inner-tunnel Add: ntlm_auth to the end of the authenticate{..} section default Add: ntlm_auth to the end of the authenticate{..} section server_cisco (see Appendix B) We're going to duplicate the default config, and modify it for that particular virtual server: cp /etc/raddb/sites-available/default /etc/raddb/sites-available/server_cisco Edit server_cisco and change it from server{..} to server server_cisco{..} Since we're not using any of these methods for the Ciscos, in authenticate{..} disable: chap, mschap, suffix, ntdomain, unix, pap Add to the end of the authorize{..} section: ntlm_auth server_vpn (see Appendix A) cp /etc/raddb/sites-available/server_cisco /etc/raddb/sites-available/server_vpn Edit server_vpn and change it from server server_cisco {..} to server server_vpn {..} To get it to restrict who gets authorized based on the LDAP group, add to authorize {..}: if(Huntgroup-Name == "VPN_Huntgroup") { if(Ldap-Group == "VPN_Users") { ok } else { reject } } Link sites-enabled to sites-available: chown root:radiusd /etc/raddb/sites-available/server_cisco chown root:radiusd /etc/raddb/sites-available/server_vpn cd /etc/raddb/sites-enabled ln s ../sites-available/server_cisco server_cisco ln s ../sites-available/server_vpn server_vpn /etc/raddb/clients.conf This defines which individual clients connect to which virtual server, letting you differentiate the server config (including the secret) by client Note: The secret needs to match the secret set on the respective client. Change the secret to an actual secret clients disambiguate { client localhost { ipaddr = 127.0.0.1 secret = testing123 require_message_authenticator = no } client VPN { ipaddr = 10.4.1.2 secret = secret virtual_server = server_vpn } client Cisco { ipaddr = 10.100.0.0 netmask = 16 secret = secret virtual_server = server_cisco nastype = cisco }} /etc/raddb/users This file determines which AAA is done against which device and associates the defined huntgroups with the type of AAA #testuser Huntgroup-Name == Cisco_Huntgroup, Cleartext-Password:="testpass" # Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15" DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == "Infrastructure" Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15" DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users" /etc/raddb/modules/mschap mschap { ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain:-example.com} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Cisco config On each switch, you have to point the authentication, authorization, and accounting to the RADIUS server. You'll want to have defined login and enable passwords already in case you screw up. you can then just bring the RADIUS server down and it will default to the next form of authentication: aaa authentication login default group radius line aaa authentication enable default group radius enable aaa authorization exec default group radius if-authenticated aaa accounting exec default start-stop group radius aaa accounting system default start-stop group radius aaa accounting network default start-stop group radius aaa accounting connection default start-stop group radius aaa accounting commands 1 default stop-only group radius aaa accounting commands 15 default wait-start group radius radius host 10.10.20.23 auth-port 1812 acct-port 1813 timeout 3 radius host 10.11.20.25 auth-port 1812 acct-port 1813 timeout 3 radius host 10.10.20.24 auth-port 1812 acct-port 1813 timeout 3 radius-server directed-request restricted radius key <sharedsecret> radius retransmit 0 privilege exec level 1 show configuration For local LAN switches (to control which IP address is used to connect to RADIUS, important since the clients are by IP) ip radius source-interface Vlan100 What this config does is set the sequence of things the Cisco switch tries to use to authenticate (and authorize) the user. Example: aaa authentication login default group radius line means, for login, check: group radius: The defined RADIUS servers line: the password for line input Others are: enable: the password for enable input local: a locally defined AAA user accout, configured with username <username> password <password> SonicWall config Sorry, outside the scope of this document. Adding/changing Devices To add a new Cisco Switch Add the switch to the appropriate huntgroup in /etc/raddb/huntgroups so it associates with the correct user authorization method in /etc/raddb/users Add a new client entry for the switch in /etc/raddb/clients.conf. The name of the client is what's used in the log entries. To add/change user authentication Update the entries in /etc/raddb/users. If you actually need to add a totally new authentication method, you'll have to update the appropriate entries in the individual server config, and likely update the config for the individual authentication module in /etc/raddb/modules Checking Logs Logs for the main RADIUS server are in /var/log/radius/radius.log Logs for Accounting for individual devices are in /var/log/radius/radacct/<ip address of client> Troubleshooting: If you're having problems, the easiest thing to do it stop the service and restart in debug mode: service radiusd stop radiusd X and then try the thing that's failng again and look at the logs. To authenticate against a specific RADIUS server, you can specify the RADIUS server in the user login with: userid@ip.add.r.ess (this works because of the radius-server directed-request restricted entry on the switch) Different Testing methods From Windows: Ntradping.exe From Linux: radtest testuser testpass localhost 0 testing123 ntlm_auth --request-nt-key --domain=example.com --username=testuser --password=testpass Appendix A server_vpn server server_vpn { authorize { preprocess mschap files ldap if(Huntgroup-Name == "VPN_Huntgroup") { if(Ldap-Group == "VPN_Users") { ok } else { reject } } } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } ntlm_auth } preacct { preprocess acct_unique files } accounting { detail radutmp attr_filter.accounting_response } session { radutmp } post-auth { exec Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { } } Appendix B: server_cisco server server_cisco { authorize { preprocess mschap files ldap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } ntlm_auth } preacct { preprocess acct_unique files } accounting { detail radutmp attr_filter.accounting_response } session { radutmp } post-auth { exec Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { } } Appendix C radiusd.conf prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct name = radiusd confdir = ${raddbdir} run_dir = ${localstatedir}/run/${name} db_dir = ${raddbdir} libdir = /usr/lib/freeradius pidfile = ${run_dir}/${name}.pid user = radiusd group = radiusd max_request_time = 30 cleanup_delay = 5 max_requests = 25600 listen { type = auth ipaddr = * port = 0 clients = disambiguate } listen { ipaddr = * port = 0 type = acct clients = disambiguate } hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = yes } proxy_requests = no $INCLUDE proxy.conf $INCLUDE clients.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { $INCLUDE ${confdir}/modules/ exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=example.com --username=%{mschap:User-Name} --password=%{User-Password}" } } instantiate { exec expr } $INCLUDE policy.conf $INCLUDE sites-enabled/ At 06:31 PM 12/1/2009, freeradius@corwyn.net wrote:
Well, thanks to an inordinate amount of help, I've got my RADIUS server up and running exactly how I want it to.
As part of my business process, I've got a detailed doc on how the server is/was constructed. I'd like to contribute that to the wiki, but I don't see that I can create an account.
Also, since it drives me nuts when I'm searching on line for a fix, and an email thread ends JUST before I have the data that I need, or a piece is missing, here's that documentation as well
Rick Steeves 091201 freeradius2@corwyn.net
Setup and configuration instructions, on CentOS 5.x Goals: o Authentication telnet sessions for Cisco switches against AD for a specific security group (Infrastructure) o Authentication for VPN users using MSCHAP on a sonicwall firewall using a Windows VPN client with L2TP against AD for a specific security group (VPN_Users) Install The linux site for the rpm download of freeradius2 is: http://people.redhat.com/jdennis/freeradius-rhel-centos
Create /etc/yum.repos.d/freeradius2.repo:
[freeradius2] name=Freeradius2 baseurl=http://people.redhat.com/jdennis/freeradius-rhel-centos enabled=1 gpgenabled=0
Install freeradius2: yum install freeradius2 freeradius2-utils freeradius2-ldap
Enable FreeRadius to start on boot: chkconfig radiusd on
To start the freeRadius service service radiusd start
To run the service in debug mode (which you should be doing until everything works): service radiusd stop radiusd X Configuration http://deployingradius.com/documents/configuration/active_directory.html
Note that the configuring of SAMBA, kerberos, and adding to the domain should already be done as part of the default Linux install, see h:\is\operating system\Linux\Guide_linux.doc Verify that a user in the domain can be authenticated: wbinfo -a user%password Try the same login with the ntlm_auth program, which is what FreeRADIUS will be using: ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password ./raddb/radiusd.conf (see Appendix C)
Update max_requests to # users * 256
Add to the end of the auth listen {..} clients = disambiguate
Add to the end of the acct listen {..} clients = disambiguate
Add to the end of the modules{..} section:
exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=example.com -username=%{mschap:User-Name} --password=%{User-Password}" }
In log {..}
auth = yes huntgroups huntgroups let you restrict which clients are associated with which user. You will need to add each IP of each device that will be using the RADIUS server, and associate it with the correct huntgroup. This will let the ./users file associate the user with the appropriate device:
/etc/radbb/huntgroups: Cisco_Huntgroup NAS-IP-Address == 10.100.0.1 Cisco_Huntgroup NAS-IP-Address == 10.100.0.2 Cisco_Huntgroup NAS-IP-Address == 10.100.0.3 VPN_Huntgroup NAS-IP-Address == 10.4.1.2 ./raddb/modules/ldap (See appendix D) If this file is missing, you need to install the RPM for freeradius2-ldap.
This section is one of the biggest pains to configure, as all of your LDAP strings need to be 100% correct, andt hey will be very specific to the environment. Of course, update server, identify, password, basedn for your own environment.
You will need a user account in AD to permit the bind to LDAP. In this example, that account is in: CN=_useraccount,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=example,DC=com
In this example, the Security groups are located in (or below): OU=Enterprise,DC=example,DC=com
ldap { server = "example.com" identity = "CN=_useraccount,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=example,DC=com" password = secretpassword basedn = "OU=Enterprise,DC=example,DC=com" filter = (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) groupmembership_attribute = "memberOf" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" } Configuration of different virtual sites For this you'll have 3 general sites, default (used mostly for testing on 127.0.0.1), server_cisco (used to AAA the Cisco users), and server_vpn (used to AAA the VPN users). inner-tunnel Add: ntlm_auth to the end of the authenticate{..} section default Add: ntlm_auth to the end of the authenticate{..} section server_cisco (see Appendix B) We're going to duplicate the default config, and modify it for that particular virtual server:
cp /etc/raddb/sites-available/default /etc/raddb/sites-available/server_cisco
Edit server_cisco and change it from server{..} to server server_cisco{..}
Since we're not using any of these methods for the Ciscos, in authenticate{..} disable: chap, mschap, suffix, ntdomain, unix, pap
Add to the end of the authorize{..} section: ntlm_auth server_vpn (see Appendix A) cp /etc/raddb/sites-available/server_cisco /etc/raddb/sites-available/server_vpn Edit server_vpn and change it from server server_cisco {..} to server server_vpn {..}
To get it to restrict who gets authorized based on the LDAP group, add to authorize {..}: if(Huntgroup-Name == "VPN_Huntgroup") { if(Ldap-Group == "VPN_Users") { ok } else { reject } }
Link sites-enabled to sites-available: cd /etc/raddb/sites-enabled ln s ../sites-available/server_cisco server_cisco ln s ../sites-available/server_vpn server_vpn ./raddb/clients.conf This defines which individual clients connect to which virtual server, letting you differentiate the server config (including the secret) by client
Note: The secret needs to match the secret set on the respective client. Change the secret to an actual secret
clients disambiguate { client localhost { ipaddr = 127.0.0.1 secret = testing123 require_message_authenticator = no } client VPN { ipaddr = 10.4.1.2 secret = secret virtual_server = server_vpn }
client Cisco { ipaddr = 10.100.0.0 netmask = 16 secret = secret virtual_server = server_cisco nastype = cisco }}
./raddb/users This file determines which AAA is done against which device and associates the defined huntgroups with the type of AAA
#testuser Huntgroup-Name == Cisco_Huntgroup, Cleartext-Password:="testpass" # Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15" DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == "Infrastructure" Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15" DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users" Cisco config
On each switch, you have to point the authentication, authorization, and accounting to the RADIUS server. You'll want to have defined login and enable passwords already in case you screw up. you can then just bring the RADIUS server down and it will default to the next form of authentication:
aaa authentication login default group radius line aaa authentication enable default group radius line aaa authorization exec default group radius none no aaa accounting exec default start-stop group radius no aaa accounting system default start-stop group radius no aaa accounting network default start-stop group radius no aaa accounting connection default start-stop group radius no aaa accounting commands 1 default stop-only group radius no aaa accounting commands 15 default wait-start group radius radius host 10.10.20.24 auth-port 1812 acct-port 1813 timeout 3 radius key <mysharedsecret> radius retransmit 2 sonicwall config Sorry, outside the scope of this document. Different Testing methods From Windows: Ntradping.exe
From Linux: radtest testuser testpass localhost 0 testing123 ntlm_auth --request-nt-key --domain=example.com --username=testuser --password=testpass
Troubleshooting: If you get an error from the output of radiusd X along the lines of:
Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
hen the issue is that radiusd doesn't have access to the winbindd_privileged folder. you can fix with:
chgrp radiusd /var/cache/samba/winbindd_privileged chmod g+rw /var/cache/samba/winbindd_privileged
Appendix A server_vpn server server_vpn { authorize { preprocess mschap files ldap if(Huntgroup-Name == "VPN_Huntgroup") { if(Ldap-Group == "VPN_Users") { ok } else { reject } } } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } ntlm_auth } preacct { preprocess acct_unique files } accounting { detail radutmp attr_filter.accounting_response } session { radutmp } post-auth { exec Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { } }
Appendix B: server_cisco server server_cisco { authorize { preprocess mschap files ldap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } ntlm_auth } preacct { preprocess acct_unique files } accounting { detail radutmp attr_filter.accounting_response } session { radutmp } post-auth { exec Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { } }
Appendix C radiusd.conf
prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct name = radiusd confdir = ${raddbdir} run_dir = ${localstatedir}/run/${name} db_dir = ${raddbdir} libdir = /usr/lib/freeradius pidfile = ${run_dir}/${name}.pid user = radiusd group = radiusd max_request_time = 30 cleanup_delay = 5 max_requests = 25600 listen { type = auth ipaddr = * port = 0 clients = disambiguate } listen { ipaddr = * port = 0 type = acct clients = disambiguate } hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = yes } proxy_requests = yes $INCLUDE proxy.conf $INCLUDE clients.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { $INCLUDE ${confdir}/modules/ exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=example.com --username=%{mschap:User-Name} --password=%{User-Password}" } } instantiate { exec expr expiration logintime } $INCLUDE policy.conf $INCLUDE sites-enabled/
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html