Build a RADIUS server on Linux
If the NAS receives user-connection requests, it passes them to the designated RADIUS server which authenticates the user and returns the user’s configuration information to the NAS. Then, the NAS accepts or rejects the connection requests.
A full-featured RADIUS server can support a variety of mechanisms to authenticate users in addition to LDAP, including
- PAP (Password Authentication Protocol, used with PPP in which the password is sent to the client as clear text for comparison);
- CHAP (Challenge Handshake Authentication Protocol, more secure than PAP, it uses a username and password);
- the local UNIX/Linux system password database (/etc/passwd);
- other local databases.
Authentication and authorization are combined together in RADIUS. If the username is found and the password is correct, the RADIUS server returns an Access-Accept response including some parameters (attribute-value pairs) that grants access to the user. These parameters are configured in RADIUS and include service type, protocol type, IP address to assign the user, an access control list (ACL) or a static route to apply on the NAS, as well as other values.
RADIUS accounting features (as defined in RFC 2866; see Resources for a link) allow data to be sent at the start and end of connection sessions, indicating the amount of resources — such as time, packets, and bytes — used during the session which might be used for security or billing needs.
Lightweight Directory Access Protocol
The Lightweight Directory Access Protocol (LDAP) is an open standard that defines a method for accessing and updating information in a X.500-like directory. LDAP can be used to keep user information in a central locale to avoid having to store identical user information on each system; it can also be used to maintain and access the information in a consistent and controlled manner.
LDAP simplifies user administration tasks by managing users in a central directory. In addition to storing user information, defining users in LDAP allows for such optional features as limiting the number of logins. In this article you’ll learn how a RADIUS server is configured to authenticate users against LDAP — since the article focuses on RADIUS, I will not describe the details on the installation and configuration of an LDAP server.
OpenLDAP is an open source implementation of LDAP; you can find detailed information on it at OpenLDAP.org (see Resourcesfor a link).
Imagine the following scenario:
- The user at home can access his company’s intranet by dial-up authentication.
- Wireless-enabled laptops can be connected to a campus network by wireless authentication.
- Administrators use their workstations to log into network devices via telnet or HTTP via administrative user authentication.
All the these authentication tasks can be done by a RADIUS server against a central LDAP server (see Figure 1).
Figure 1. Authentication via RADIUS and LDAP
In this article, I’ll focus on implementing the last option as an introduction to the solution. Let’s start by installing the RADIUS server.
RADIUS server software can be obtained from several sources. I’ll be using FreeRADIUS in this article (see Resources for a link), but the Cisco Secure Access Control Server (ACS) is a centralized user access control framework for user management across Cisco devices that runs on UNIX and Windows and also supports the the Cisco proprietary protocol TACACS+ (which sports more user-management features on TACACS+-enabled devices).
FreeRADIUS is a powerful RADIUS server on Linux from the open source community which can fit in today’s distributed and heterogeneous computing environment. FreeRADIUS 1.0.2 supports LDAP, MySQL, PostgreSQL, and Oracle databases and is compatible with such network protocols as EAP and Cisco LEAP. FreeRADIUS is currently being deployed in many large-scale production network systems.
The following steps demonstrate how to install and test FreeRADIUS 1.0.2 on Red Hat Enterprise Linux Advanced Server 3.0:
Listing 1. Installing and testing FreeRADIUS
tar -zxvf freeradius-1.0.2.tar.gz - extract it with gunzip and tar ./configure make make install - run this command as root radiusd or - start RADIUS server radiusd -X - start RADIUS server in debug mode radtest test test localhost 0 testing123 - test RADIUS server |
If radtest
receives a response, the FreeRADIUS server is working.
I also recommend another free tool, NTRadPing (see Resources for a link), to test authentication and authorization requests from Windows clients. It can display detailed responses such as attributes value sent back from the RADIUS server.
Now let’s configure FreeRADIUS.
Configuring the RADIUS server consists of configuring the server, the client, and the user (both for authentication and authorization). There can be different configurations of the RADIUS server for different needs; fortunately most of the configurations are similar.
FreeRADIUS configuration files are usually stored in the /etc/raddb folder. First we need to modify the radiusd.conf file as shown.
Listing 2. Modifying radiusd.conf
1) Global settings: log_auth = yes - log authentication requests to the log file log_auth_badpass = no - don't log passwords if request rejected log_auth_goodpass = no - don't log passwords if request accepted 2) LDAP Settings: modules { ldap { server = "bluepages.ibm.com" - the hostname or IP address of the LDAP server port = 636 - encrypted communications basedn = "ou=bluepages,o=ibm.com" - define the base Distinguished Names (DN), - under the Organization (O) "ibm.com", - in the Organization Unit (OU) "bluepages" filter = "(mail=%u)" - specify search criteria base_filter = "(objectclass=person)" - specify base search criteria } authenticate { - enable authentication against LDAP Auth-Type LDAP { ldap } |
The parameters are set for working with IBM BluePages, an instance of an LDAP service. Parameters may be different for other LDAP servers.
Clients are configured in /etc/raddb/clients.conf. There are two ways to configure RADIUS clients. You can group the NAS by IP subnet (Listing 3) or you can list the NAS by hostname or IP address (Listing 4). When you follow the second method,shortname
and nastype
can be defined.
Listing 3. Grouping the NAS by IP subnet
client 192.168.0.0/24 { secret = mysecret1 - the "secret" should be the same as configured on NAS shortname = mylan - the "shortname" can be used for logging nastype = cisco - the "nastype" is used for checkrad and is optional } |
Listing 4. Listing the NAS by hostname or IP address
client 192.168.0.1 { secret = mysecret1 shortname = myserver nastype = other } |
Configuring the user for authentication
The file /etc/raddb/user contains authentication and configuration information for each user.
Listing 5. The /etc/raddb/user file
1) Authentication type: Auth-Type := LDAP - authenticate against LDAP Auth-Type := Local, User-Password == "mypasswd" - authenticate against the - password set in /etc/raddb/user Auth-Type := System - authenticate against the system password file - /etc/passwd or /etc/shadow 2) Service type: Service-Type = Login, - for administrative login |
Configuring the user for authorization
The following authentication server attribute value (AV) pair should be configured for user authorization. It is returned to the NAS for an administrator login request after authentication is accepted.
For a Cisco router, there are different privilege levels:
- Level 1 is non-privileged. The prompt is
router>
, the default level for login. - Level 15 is privileged. The prompt is
router#
, the level after going into enable mode. - Levels 2 through 14 are not used in a default configuration.
The following command causes a user logging in from a network access server to have immediate access to EXEC commands:
cisco-avpair ="shell:priv-lvl=15"
The following code handles the same task for a Cisco wireless access point:
Cisco:Avpair = "aironet:admin-capability=write+snmp+ident+firmware+admin"
Any combination of capabilities is returned with this attribute:
Cisco:Avpair = "aironet:admin-capability=ident+admin"
Cisco:Avpair = "aironet:admin-capability=admin"
Contact Cisco for more information on these commands.
Configuring the network access server
Next we’ll configure the NAS, first for a Cisco router, then for a Cisco WAP.
For the Cisco IOS 12.1 router, we’ll enable AAA, then configure authentication, authorization, and accounting.
Listing 6. Enabling AAA
aaa new-model radius-server host 192.168.0.100 radius-server key mysecret1 |
AAA should be enabled on the router. Then, a list of RADIUS servers that will provide AAA services for the NAS can be specified. The encryption key is used to encrypt the data transfer between the NAS and the RADIUS server. It must be identical with the one configured on FreeRADIUS.
Listing 7. Configuring authentication
aaa authentication login default group radius local line vty 0 4 login authentication default |
In this example, network administrators use RADIUS authentication. If a RADIUS server is not available, use the NAS’s local user database password.
Listing 8. Configuring authorization
aaa authorization exec default group radius if-authenticated |
Allow the user to run an EXEC shell when logging into the NAS.
Listing 9. Configuring accounting
aaa accounting system default start-stop group radius aaa accounting network default start-stop group radius aaa accounting connection default start-stop group radius aaa accounting exec default stop-only group radius aaa accounting commands 1 default stop-only group radius aaa accounting commands 15 default wait-start group radius |
The router must be specifically configured to send accounting records to the RADIUS server. Use the commands in Listing 9 to record accounting information on NAS system events, network connections, outbound connections, EXEC operations, and commands at levels 1 and 15.
That’s it. Now let’s look at configuring for a Cisco wireless access point. The following configuration applies to the Cisco 1200 Series AP with Firmware 12.01T1. As shown in the screen shot in Figure 2, you:
- Input the server name or IP address and shared secret.
- Select type as “Radius” and check “User Authentication.”
Figure 2. Configuring NAS for WAP
XML error: The image is not displayed because the width is greater than the maximum of 580 pixels. Please decrease the image width. |
Actually, here you can also configure EAP Authentication so FreeRADIUS can be used to authenticate general users to wireless LAN.
Now that all the configurations have been completed, the FreeRADIUS server can start logging all information sent by NAS, storing it in the /var/log/radius/radius.log file like so:
Listing 10. The /var/log/radius/radius.log file
Thu Mar 3 21:37:32 2005 : Auth: Login OK: [David] (from client mylan port 1 cli 192.168.0.94) Mon Mar 7 23:39:53 2005 : Auth: Login incorrect: [John] (from client mylan port 1 cli 192.168.0.94) |
Detailed accounting information is stored in the /var/log/radius/radacct directory. Listing 11 shows that David logged into router 192.168.0.1 from 192.168.0.94 between 19:40 to 19:51 on March 4, 2005. This level of detailed information will definitely be a help to administrators investigating security incidents and trying to maintain easily auditable records.
Listing 11. Sample of the RADIUS-supplied accounting details
Fri Mar 4 19:40:12 2005 NAS-IP-Address = 192.168.0.1 NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "David" Calling-Station-Id = "192.168.0.94" Acct-Status-Type = Start Acct-Authentic = RADIUS Service-Type = NAS-Prompt-User Acct-Session-Id = "00000026" Acct-Delay-Time = 0 Client-IP-Address = 192.168.0.1 Acct-Unique-Session-Id = "913029a52dacb116" Timestamp = 1109936412 Fri Mar 4 19:51:17 2005 NAS-IP-Address = 192.168.0.1 NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "David" Calling-Station-Id = "192.168.0.94" Acct-Status-Type = Stop Acct-Authentic = RADIUS Service-Type = NAS-Prompt-User Acct-Session-Id = "00000026" Acct-Terminate-Cause = Idle-Timeout Acct-Session-Time = 665 Acct-Delay-Time = 0 Client-IP-Address = 192.168.0.1 Acct-Unique-Session-Id = "913029a52dacb116" Timestamp = 1109937077 |
By following the simple steps outlined in this article, you can set up a Remote Authentication Dial-In User Service server that uses an external LDAP server to handle authentication, authorization, and accounting for your network security issues. This article has provided the following to help you accomplish this task:
- An introduction to the RADIUS and LDAP servers and to the AAA concept.
- A scenario to put the installation and implementation into context.
- Instructions on installing and configuring the RADIUS server.
- Details on configuring the network access server.
- A sample of the detailed information that RADIUS will provide and manage.
These instructions can make quick work of the task of making sure protected data can only be accessed by authorized entities on your Linux system.
- RADIUS is described by RFC 2865 of the Internet Engineering Task Force. RFC 2866 describes a protocol for specifying accounting information.
- Configuring RADIUS describes the RADIUS security system, defines its operation, and identifies appropriate and inappropriate network environments for using RADIUS.
- Visit OpenLDAP.org for more information on OpenLDAP.
- Understanding LDAP – Design and Implementation (IBM Redbooks, June 2004) introduces LDAP concepts and architecture and the IBM Tivoli Directory Server.
- This LDAP Linux HOWTO is chock full of information about installing, configuring, running, and maintaining a LDAP server on a Linux system.
- Authenticating Linux users with IBM Directory Server (developerWorks, September 2003) describes how to use the IBM Directory Server to authenticate Linux users.
- Securing Linux, Part 1: Introduction (developerWorks, July 2004) shows you how to use an LDAP server for user information and authentication.
- AIX RADIUS server, Part 1: Authentication and accounting protocols (developerWorks, January 2005) discusses the authentication and accounting protocols and explains the basic RADIUS packet flow using a modem example.
- Get the latest version of OpenLDAP at the OpenLDAP Web site.
- Get FreeRADIUS at the FreeRADIUS Web site.
- NTRadPing lets you test authentication and authorization requests from a Windows client.
- To learn more about Cisco Secure Access Control Server (ACS) and AAA implementation on network devices, visit Cisco Systems.
- Visit IETF to learn more about RADIUS, RADIUS accounting, and LDAP authentication methods.
- PADL Software provides a roundup of Linux/LDAP documentation and resources.
- Find more resources for Linux developers in the developerWorks Linux zone.
- Get involved in the developerWorks community by participating in developerWorks blogs.
- Browse for books on these and other technical topics.
- Innovate your next Linux development project with IBM trial software, available for download directly from developerWorks.
Wei Zhang is a network and information security specialist. He designed and implemented various large-scale network systems in the past six years covering a broad range of technologies, from SNA, VoIP, IDS, VPN, and firewalls to wireless LAN. He joined in IBM as an IT specialist in 2003. Currently, his concentration is information security technology and management. You can reach him at .com.