I'm a newbie and looking for instructions on how to setup FreeRADIUS Version 1.1.7 on a SLES 10 linux box to use for authenication and logging for a cisco 2801 router. I want to track users connecting from the outside world using Cisco's vpn client and cisco sayes radius is the answer. I'd like to start with just allowing users from the linux /etc/passwd access and then move onto authenication from my Netware 6.5 LDAP server. I've read all I can find on freeradius.org and cisco, but still don't understand....hard learner I guess. radiusd -xx gives: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Initializing the thread pool... thread: start_servers = 5 thread: max_servers = 32 thread: min_spare_servers = 3 thread: max_spare_servers = 10 thread: max_requests_per_server = 0 thread: cleanup_delay = 5 Thread spawned new child 1. Total threads in pool: 1 Thread spawned new child 2. Total threads in pool: 2 Thread spawned new child 3. Total threads in pool: 3 Thread spawned new child 4. Total threads in pool: 4 Thread 1 waiting to be assigned a request Thread 2 waiting to be assigned a request Thread 3 waiting to be assigned a request Thread 4 waiting to be assigned a request Thread 5 waiting to be assigned a request Thread spawned new child 5. Total threads in pool: 5 Thread pool initialized Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. My radius.conf is what was installed as default. Q1? Do I need to add anything other than the below to client.conf? In my client.conf I've added: # Test on cisco 2801 router(internal ip of router) client 192.168.135.3 { secret =xxxxxxx shortname =myrouter nastype =cisco } I believe the relavent part of the users file is: DEFAULT Auth-Type = System Fall-Through = 1 and DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes Notes I've read say to change this to 255.255.255.255 ?? Q2? I believe I also need to add something similar to the below in the users file? youruser Cleartext-Password := "somepass" Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15" Q3? Does "youruser" and "somepass" need to be a valid user from /etc/passwd? I'm unclear if there is a link between users in this file and valid users in /etc/passwd of the linux box. My cisco 2801 currently has info like: aaa new-model ! ! aaa authentication login default local aaa authorization exec default local if-authenticated aaa authorization network default local ! aaa session-id common ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 ! crypto isakmp client configuration group VPNCLIENTS key xxxxxxx dns 192.168.135.15 domain xxxxxxx.com pool CLIENTPOOL acl 150 netmask 255.255.255.0 crypto isakmp profile IKE1 match identity group VPNCLIENTS client authentication list default isakmp authorization list default client configuration address respond ! Q4? Do I need to remove any of this info, or just replace the stuff at the top with something like: aaa new-model aaa authentication login default group radius local aaa authentication login localauth local aaa authentication ppp default if-needed group radius local aaa authorization exec default group radius local aaa authorization network default group radius local aaa accounting delay-start aaa accounting exec default start-stop group radius aaa accounting network default start-stop group radius aaa processes 6 aaa accounting delay-start Q5? Do I also need a line similar to below on the cisco? radius-server host 192.168.135.3 radius-server key xxxx radius-server auth-port 1812 I guessing that my radius.log will then show when users login. thx in advance, -Jim McIver
My radius.conf is what was installed as default. Q1? Do I need to add anything other than the below to client.conf?
In my client.conf I've added: # Test on cisco 2801 router(internal ip of router) client 192.168.135.3 { secret =xxxxxxx shortname =myrouter nastype =cisco }
I believe the relavent part of the users file is:
DEFAULT Auth-Type = System Fall-Through = 1
and
DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes
Notes I've read say to change this to 255.255.255.255 ??
That looks fine. Notes are likely about the netmask not IP address.
Q2? I believe I also need to add something similar to the below in the users file?
youruser Cleartext-Password := "somepass" Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15"
Remove the password. You said that it will be stored in /etc/passwd. If you put the password here you dont need /etc/passwd check (Auth-Type System) at all.
Q3? Does "youruser" and "somepass" need to be a valid user from /etc/passwd? I'm unclear if there is a link between users in this file and valid users in /etc/passwd of the linux box.
Link is the username. You want to store password in /etc/passwd and reply attributes in users file.
My cisco 2801 currently has info like: aaa new-model ! ! aaa authentication login default local aaa authorization exec default local if-authenticated aaa authorization network default local ! aaa session-id common ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 ! crypto isakmp client configuration group VPNCLIENTS key xxxxxxx dns 192.168.135.15 domain xxxxxxx.com pool CLIENTPOOL acl 150 netmask 255.255.255.0 crypto isakmp profile IKE1 match identity group VPNCLIENTS client authentication list default isakmp authorization list default client configuration address respond !
Q4? Do I need to remove any of this info, or just replace the stuff at the top with something like:
aaa new-model aaa authentication login default group radius local aaa authentication login localauth local aaa authentication ppp default if-needed group radius local aaa authorization exec default group radius local aaa authorization network default group radius local aaa accounting delay-start aaa accounting exec default start-stop group radius aaa accounting network default start-stop group radius aaa processes 6 aaa accounting delay-start
This is from here: http://wiki.freeradius.org/Cisco
Q5? Do I also need a line similar to below on the cisco? radius-server host 192.168.135.3 radius-server key xxxx radius-server auth-port 1812
That IP address is the same as the one for the router. That can't be correct - linux box IP should go here. You have not set up accounting - and that was the whole point of this exercise. Add that. If radius IP is also on the private subnet it's quite likely that you wont have to force the router to use the IP address defined in clients.conf - it should select it on it's own. If it doesn't you can force radius source interface in router config. Ivan Kalik Kalik Informatika ISP
Jim McIver wrote:
I'm a newbie and looking for instructions on how to setup FreeRADIUS Version 1.1.7 on a SLES 10 linux box to use for authenication and logging for a cisco 2801 router. I want to track users connecting from the outside world using Cisco's vpn client and cisco sayes radius is the answer.
Yes.
I'd like to start with just allowing users from the linux /etc/passwd access and then move onto authenication from my Netware 6.5 LDAP server.
See the FAQ for getting started with FreeRADIUS.
I've read all I can find on freeradius.org and cisco, but still don't understand....hard learner I guess.
radiusd -xx gives: ... Ready to process requests.
And no packets. The server has to receive a request for it to be able to do something.
My radius.conf is what was installed as default. Q1? Do I need to add anything other than the below to client.conf?
No.
I believe the relavent part of the users file is:
DEFAULT Auth-Type = System Fall-Through = 1
Yes.
Notes I've read say to change this to 255.255.255.255 ??
Maybe. Only if you're assigning IP addresses.
Q2? I believe I also need to add something similar to the below in the users file?
Not if the users are being authenticated from /etc/passwd.
Q3? Does "youruser" and "somepass" need to be a valid user from /etc/passwd? I'm unclear if there is a link between users in this file and valid users in /etc/passwd of the linux box.
They are independent. Alan DeKok.
participants (3)
-
Alan DeKok -
Ivan Kalik -
Jim McIver