separating Users?

freeradius at corwyn.net freeradius at corwyn.net
Wed Dec 2 00:31:10 CET 2009



Well, thanks to an inordinate amount of help, 
I've got my RADIUS server up and running exactly how I want it to.

As part of my business process, I've got a 
detailed doc on how the server is/was 
constructed. I'd like to contribute that to the 
wiki, but I don't see that I can create an account.

Also, since it drives me nuts when I'm searching 
on line for a fix, and an email thread ends JUST 
before I have the data that I need, or a piece is 
missing, here's that documentation as well

Rick Steeves – 091201
freeradius2 at corwyn.net

Setup and configuration instructions, on CentOS 5.x
Goals:
o       Authentication telnet sessions for Cisco 
switches against AD for a specific security group (Infrastructure)
o       Authentication for VPN users using MSCHAP 
on a sonicwall firewall using a Windows VPN 
client with L2TP against AD for a specific security group (VPN_Users)
Install
The linux site for the rpm download of freeradius2 is:
http://people.redhat.com/jdennis/freeradius-rhel-centos

Create /etc/yum.repos.d/freeradius2.repo:

[freeradius2]
name=Freeradius2
baseurl=http://people.redhat.com/jdennis/freeradius-rhel-centos
enabled=1
gpgenabled=0

Install freeradius2:
yum install freeradius2 freeradius2-utils freeradius2-ldap

Enable FreeRadius to start on boot:
chkconfig radiusd on

To start the freeRadius service
service radiusd start

To run the service in debug mode (which you 
should be doing until everything works):
service radiusd stop
radiusd –X
Configuration
http://deployingradius.com/documents/configuration/active_directory.html

Note that the configuring of SAMBA, kerberos, and 
adding to the domain should already be done as 
part of the default Linux install, see 
h:\is\operating system\Linux\Guide_linux.doc
Verify that a user in the domain can be authenticated:
wbinfo -a user%password
Try the same login with the ntlm_auth program, 
which is what FreeRADIUS will be using:
ntlm_auth --request-nt-key --domain=MYDOMAIN 
--username=user --password=password
./raddb/radiusd.conf  (see Appendix C)

Update max_requests to # users * 256

Add to the end of the auth listen {..}
         clients = disambiguate

Add to the end of the acct listen {..}
         clients = disambiguate

Add to the end of the modules{..} section:

exec ntlm_auth {
      wait = yes
      program = "/usr/bin/ntlm_auth ntlm_auth 
--request-nt-key --domain=example.com 
-username=%{mschap:User-Name} --password=%{User-Password}"
}

In log {..}

auth = yes
huntgroups
huntgroups let you restrict which clients are 
associated with which user. You will need to add 
each IP of each device that will be using the 
RADIUS server, and associate it with the correct 
huntgroup. This will let the ./users file 
associate the user with the appropriate device:

/etc/radbb/huntgroups:
Cisco_Huntgroup         NAS-IP-Address == 10.100.0.1
Cisco_Huntgroup         NAS-IP-Address == 10.100.0.2
Cisco_Huntgroup         NAS-IP-Address == 10.100.0.3


VPN_Huntgroup           NAS-IP-Address == 10.4.1.2
./raddb/modules/ldap (See appendix D)
If this file is missing, you need to install the RPM for freeradius2-ldap.

This section is one of the biggest pains to 
configure, as all of your LDAP strings need to be 
100% correct, andt hey will be very specific to 
the environment. Of course, update server, 
identify, password, basedn for your own environment.

You will need a user account in AD to permit the 
bind to LDAP. In this example, that account is in:
CN=_useraccount,OU=Service Accounts,OU=Special 
User Accounts,OU=Enterprise,DC=example,DC=com

In this example, the Security groups are located in (or below):
OU=Enterprise,DC=example,DC=com

ldap {
         server = "example.com"
         identity = "CN=_useraccount,OU=Service 
Accounts,OU=Special User Accounts,OU=Enterprise,DC=example,DC=com"
         password = secretpassword
         basedn = "OU=Enterprise,DC=example,DC=com"
         filter = 
(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))
         groupmembership_attribute = "memberOf"
         ldap_connections_number = 5
         timeout = 4
         timelimit = 3
         net_timeout = 1
         tls {
                 start_tls = no
         }
         dictionary_mapping = ${confdir}/ldap.attrmap
         edir_account_policy_check = no
         groupname_attribute = cn
         groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
}
Configuration of different virtual sites
For this you'll have 3 general sites, default 
(used mostly for testing on 127.0.0.1), 
server_cisco (used to AAA the Cisco users), and 
server_vpn (used to AAA the VPN users).
inner-tunnel
Add:
ntlm_auth
to the end of the authenticate{..} section
default
Add:
  ntlm_auth
to the end of the authenticate{..} section
server_cisco (see Appendix B)
We're going to duplicate the default config, and 
modify it for that particular virtual server:

cp /etc/raddb/sites-available/default  /etc/raddb/sites-available/server_cisco

Edit server_cisco and change it from server{..} to server server_cisco{..}

Since we're not using any of these methods for 
the Ciscos, in authenticate{..} disable:   chap, 
mschap, suffix, ntdomain, unix, pap

Add to the end of the authorize{..} section:
ntlm_auth
server_vpn (see Appendix A)
cp /etc/raddb/sites-available/server_cisco 
/etc/raddb/sites-available/server_vpn
Edit server_vpn and change it from server 
server_cisco {..} to server server_vpn {..}

To get it to restrict who gets authorized based 
on the LDAP group, add to authorize {..}:
if(Huntgroup-Name == "VPN_Huntgroup") {
      if(Ldap-Group == "VPN_Users") {
         ok
      }
      else {
           reject
      }
}

Link sites-enabled to sites-available:
cd /etc/raddb/sites-enabled
ln –s ../sites-available/server_cisco server_cisco
ln –s ../sites-available/server_vpn server_vpn
./raddb/clients.conf
This defines which individual clients connect to 
which virtual server, letting you differentiate 
the server config (including the secret) by client

Note: The secret needs to match the secret set on 
the respective client. Change the secret to an actual secret

clients disambiguate {
client localhost {
         ipaddr = 127.0.0.1
         secret = testing123
         require_message_authenticator = no
}
client VPN {
         ipaddr = 10.4.1.2
         secret = secret
         virtual_server = server_vpn
}

client Cisco {
         ipaddr = 10.100.0.0
         netmask = 16
         secret = secret
         virtual_server = server_cisco
         nastype = cisco
}}

./raddb/users
This file determines which AAA is done against 
which device and associates the defined huntgroups with the type of AAA

#testuser Huntgroup-Name == Cisco_Huntgroup, Cleartext-Password:="testpass"
#        Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15"
DEFAULT Huntgroup-Name == Cisco_Huntgroup, 
Auth-Type:=ntlm_auth, Ldap-Group == "Infrastructure"
         Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15"
DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users"
Cisco config

On each switch, you have to point the 
authentication, authorization, and accounting to 
the RADIUS server. You'll want to have defined 
login and enable passwords already in case you 
screw up. you can then just bring the RADIUS 
server down and it will default to the next form of authentication:

aaa authentication login default group radius line
aaa authentication enable default group radius line
aaa authorization exec default group radius none
no aaa accounting exec default start-stop group radius
no aaa accounting system default start-stop group radius
no aaa accounting network default start-stop group radius
no aaa accounting connection default start-stop group radius
no aaa accounting commands 1 default stop-only group radius
no aaa accounting commands 15 default wait-start group radius
radius host 10.10.20.24 auth-port 1812 acct-port 1813 timeout 3
radius key <mysharedsecret>
radius retransmit 2
sonicwall config
Sorry, outside the scope of this document.
Different Testing methods
 From Windows:
Ntradping.exe

 From Linux:
radtest testuser testpass  localhost  0  testing123
ntlm_auth --request-nt-key --domain=example.com 
--username=testuser --password=testpass

Troubleshooting:
If you get an error from the output of radiusd –X along the lines of:

Exec-Program output: winbind client not 
authorized to use winbindd_pam_auth_crap.  Ensure 
permissions on 
/var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)

hen the issue is that radiusd doesn't have access 
to the winbindd_privileged folder. you can fix with:

chgrp radiusd /var/cache/samba/winbindd_privileged
chmod g+rw /var/cache/samba/winbindd_privileged

Appendix A – server_vpn
server server_vpn {
authorize {
         preprocess
         mschap
         files
         ldap
if(Huntgroup-Name == "VPN_Huntgroup") {
      if(Ldap-Group == "VPN_Users") {
         ok
      }
      else {
           reject
      }
}
}
authenticate {
         Auth-Type PAP {
                 pap
         }
         Auth-Type CHAP {
                 chap
         }
         Auth-Type MS-CHAP {
                 mschap
         }
  ntlm_auth
}
preacct {
         preprocess
         acct_unique
         files
}
accounting {
         detail
         radutmp
         attr_filter.accounting_response
}
session {
         radutmp
}
post-auth {
         exec
         Post-Auth-Type REJECT {
                 attr_filter.access_reject
         }
}
pre-proxy {
}
post-proxy {
}
}

Appendix B: server_cisco
server server_cisco {
authorize {
         preprocess
         mschap
         files
         ldap
}
authenticate {
         Auth-Type PAP {
                 pap
         }
         Auth-Type CHAP {
                 chap
         }
         Auth-Type MS-CHAP {
                 mschap
         }
ntlm_auth
}
preacct {
         preprocess
         acct_unique
         files
}
accounting {
         detail
         radutmp
         attr_filter.accounting_response
}
session {
         radutmp
}
post-auth {
         exec
         Post-Auth-Type REJECT {
                 attr_filter.access_reject
         }
}
pre-proxy {
}
post-proxy {
}
}

Appendix C – radiusd.conf

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 25600
listen {
         type = auth
         ipaddr = *
         port = 0
         clients = disambiguate
}
listen {
         ipaddr = *
         port = 0
         type = acct
         clients = disambiguate
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log {
         destination = files
         file = ${logdir}/radius.log
         syslog_facility = daemon
         stripped_names = no
         auth = yes
         auth_badpass = no
         auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
         max_attributes = 200
         reject_delay = 1
         status_server = yes
}
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
         start_servers = 5
         max_servers = 32
         min_spare_servers = 3
         max_spare_servers = 10
         max_requests_per_server = 0
}
modules {
         $INCLUDE ${confdir}/modules/
exec ntlm_auth {
                 wait = yes
                 program = "/usr/bin/ntlm_auth 
ntlm_auth --request-nt-key --domain=example.com 
--username=%{mschap:User-Name} --password=%{User-Password}"
         }
}
instantiate {
         exec
         expr
         expiration
         logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/





More information about the Freeradius-Users mailing list