Installing Freeradius on Debian 7
Recently I deployed the wifi in an association in my city. The infrastructure is composed of a central GNU/Linux server which provides all the classical services (DHCP, DNS, OpenLDAP, Samba 3 DC, Squid/SquidGuard proxy). The user information is stored in the OpenLDAP database. FreeRADIUS will be coupled to the LDAP database in order to authenticate the users on the wifi.
For the hardware I bought two Cisco Small Business access points and two TP-Link power injectors.
Installation & basic authentication
Installation via apt:
apt-get install freeradius
Add a test user “testuser” with “testpassword” as password:
vim /etc/freeradius/users
# test user, remember to delete after testing
testuser Cleartext-Password := "testpassword"

service freeradius restart
Authentication test:
radtest testuser testpassword localhost 0 testing123
At the end of the previous command there is a shared secret (“testing123”). This parameter is defined in /etc/freeradius/clients.conf. In this file you need to declare all the clients that are allowed to send authentication requests, typically the access points. By default localhost is allowed with “testing123” as the shared secret.
EAP-TTLS
By default, EAP-TTLS is well configured. In this part we will just check if the authentication is fine with the eapol_test tool.
eapol_test installation:
apt-get install build-essential libssl-dev
wget http://w1.fi/releases/wpa_supplicant-0.7.3.tar.gz
tar -xvf wpa_supplicant-0.7.3.tar.gz
cd wpa_supplicant-0.7.3/wpa_supplicant
cp defconfig .config
make eapol_test
cp eapol_test /usr/local/bin
eapol_test EAP-TTLS authentication test:
To work, eapol_test must have a valid configuration file that defines the authentication method, the EAP type, the user and the password…
vim /root/eapol_config
network={
    eap=TTLS
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="testuser"
    password="testpassword"
    phase2="auth=PAP"
}
Run the test:
eapol_test -c /root/eapol_config -a 127.0.0.1 -p 1812 -s testing123 -r 1
If everything is fine, “SUCCESS” will appear at the end of the standard output. You can follow the logs in the log file located in /var/log/freeradius/radius.log. If you have an error, you will see something like this:
tail -f /var/log/freeradius/radius.log
Logs configuration
I wanted the logs to be more verbose and, in particular, to show the user authentications. These changes are made in /etc/freeradius/radiusd.conf.
vim /etc/freeradius/radiusd.conf
auth = yes           # print authentication in logs
auth_badpass = yes   # print bad passwords
auth_goodpass = yes  # print good passwords

service freeradius restart
tail -f /var/log/freeradius/radius.log
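With auth = yes, every accepted and rejected login is written to radius.log, which makes the file a useful input for detection. The following script is an added example (not part of the original post or of FreeRADIUS) that parses such lines and flags user/client pairs with repeated failures. The sample lines are constructed and follow the "Auth: Login OK/incorrect: [user] (from client X port N)" shape that FreeRADIUS 2.x writes; the "[user/password]" form appears once auth_badpass and auth_goodpass are on, which is also why the log file itself has to be protected, and the parser drops the password part on purpose.

```python
import re
from collections import Counter

# Constructed sample of radius.log lines (assumed FreeRADIUS 2.x format;
# users, MACs and timestamps are made up).  Because auth_badpass and
# auth_goodpass are enabled, the bracket holds "[user/password]"; the
# parser below deliberately keeps only the user part.
SAMPLE_LOG = """\
Mon Mar  3 20:11:02 2014 : Auth: Login OK: [testuser/testpassword] (from client localhost port 0)
Mon Mar  3 20:11:40 2014 : Auth: Login incorrect: [alice/guess1] (from client ap-1 port 1 cli 00-11-22-33-44-55)
Mon Mar  3 20:11:41 2014 : Auth: Login incorrect: [alice/guess2] (from client ap-1 port 1 cli 00-11-22-33-44-55)
Mon Mar  3 20:11:42 2014 : Auth: Login incorrect: [alice/guess3] (from client ap-1 port 1 cli 00-11-22-33-44-55)
Mon Mar  3 20:11:43 2014 : Auth: Login incorrect: [alice/guess4] (from client ap-1 port 1 cli 00-11-22-33-44-55)
Mon Mar  3 20:12:10 2014 : Auth: Login OK: [bob/Secret1] (from client ap-2 port 1 cli 66-77-88-99-aa-bb)
Mon Mar  3 20:12:30 2014 : Info: Ready to process requests.
"""

LINE_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^\]/]*)(?:/[^\]]*)?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)$"
)


def parse_line(line):
    """Parse one radius.log line; return a dict for Auth lines, None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ok"] = rec.pop("result") == "OK"
    rec["port"] = int(rec["port"])
    return rec


def summarize(log_text):
    """Count successful and failed logins per (user, client) pair."""
    ok, failed = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            (ok if rec["ok"] else failed)[(rec["user"], rec["client"])] += 1
    return {"ok": ok, "failed": failed}


def flag_repeated_failures(log_text, threshold=3):
    """Return (user, client, count) for pairs with at least `threshold` failures."""
    failed = summarize(log_text)["failed"]
    return sorted((u, c, n) for (u, c), n in failed.items() if n >= threshold)


if __name__ == "__main__":
    for user, client, n in flag_repeated_failures(SAMPLE_LOG):
        print("%d failed logins for %s via %s" % (n, user, client))
```

Run it against the real file with `python3 script.py < /var/log/freeradius/radius.log` after replacing SAMPLE_LOG with `sys.stdin.read()`; the threshold is a starting point, not a tuned value.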
LDAP association
Now the basic server works well. It’s time to associate the FreeRADIUS server with the central LDAP server.
Basic installation
apt-get install freeradius-ldap

vim /etc/freeradius/modules/ldap
server = "192.168.10.1"
identity = "cn=admin,dc=mydomain,dc=com"
password = ldappassword
basedn = "dc=mydomain,dc=com"
Uncomment the following lines in the two configuration files:
vim /etc/freeradius/sites-available/default
ldap
Auth-Type LDAP {
    ldap
}

vim /etc/freeradius/sites-available/inner-tunnel
ldap
Auth-Type LDAP {
    ldap
}
service freeradius restart
Do the same test as before with a user from the LDAP database.
Group filter:
We wanted only the people in the “wifi” group to be able to connect to the wifi.
vim /etc/freeradius/modules/ldap
groupname_attribute = cn
groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{User-Name}))"
At the end of /etc/freeradius/users add these three lines:
vim /etc/freeradius/users
DEFAULT LDAP-Group == "wifi"

DEFAULT Auth-Type := Reject
        Reply-Message = "Sorry, you're not part of an authorized group! Ask ITOPS for authorization."
service freeradius restart
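The group filter and the two DEFAULT entries together form the authorization decision: rlm_ldap substitutes %{User-Name} into groupmembership_filter, collects groupname_attribute from every matching entry, and the users file lets members of "wifi" continue while everyone else hits the Reject entry. The script below is an added example (not the post's or FreeRADIUS's code) that replays that decision against a constructed in-memory directory so it can be checked offline. The entries, the ou=groups/ou=people layout and the exact-match comparison are assumptions; only the base DN, the filter, the attribute and the reply message come from the configuration above. It also escapes the username the way a filter substitution must, so a name containing "(" or ")" cannot change the filter's shape.

```python
import re

# Constructed in-memory stand-in for the OpenLDAP tree (assumed layout; the
# post only gives the base DN dc=mydomain,dc=com).  Each entry maps attribute
# names to lists of values, as LDAP does.
DIRECTORY = [
    {"dn": "cn=wifi,ou=groups,dc=mydomain,dc=com",
     "objectClass": ["posixGroup"], "cn": ["wifi"], "memberUid": ["alice", "bob"]},
    {"dn": "cn=staff,ou=groups,dc=mydomain,dc=com",
     "objectClass": ["posixGroup"], "cn": ["staff"], "memberUid": ["alice", "carol"]},
    {"dn": "uid=alice,ou=people,dc=mydomain,dc=com",
     "objectClass": ["posixAccount"], "uid": ["alice"], "cn": ["Alice"]},
]

# The settings from /etc/freeradius/modules/ldap and the users file
GROUPNAME_ATTRIBUTE = "cn"
GROUPMEMBERSHIP_FILTER = "(&(objectClass=posixGroup)(memberUid=%{User-Name}))"
REJECT_MESSAGE = "Sorry, you're not part of an authorized group! Ask ITOPS for authorization."


def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse the subset of RFC 4515 used here: (&...), (|...), (!...), (attr=value)."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at %d" % i)
        i += 1
        if text[i] in "&|!":
            op, i, children = text[i], i + 1, []
            while text[i] != ")":
                i, child = parse(i)
                children.append(child)
            return i + 1, (op, children)
        j = text.index(")", i)
        attr, _, value = text[i:j].partition("=")
        return j + 1, ("=", attr, ldap_unescape(value))
    i, node = parse(0)
    if i != len(text):
        raise ValueError("trailing data in filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (exact value comparison, a simplification)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return value in entry.get(attr, [])


def ldap_groups(username):
    """Groups of `username`, the way LDAP-Group is resolved: substitute the
    escaped %{User-Name} into groupmembership_filter, collect groupname_attribute."""
    filt = parse_filter(GROUPMEMBERSHIP_FILTER.replace("%{User-Name}", ldap_escape(username)))
    return [g for e in DIRECTORY if matches(filt, e) for g in e.get(GROUPNAME_ATTRIBUTE, [])]


def authorize(username):
    """Mirror the two DEFAULT entries appended to /etc/freeradius/users:
    members of "wifi" go on to LDAP authentication, everyone else is rejected."""
    if "wifi" in ldap_groups(username):
        return ("continue", None)
    return ("Reject", REJECT_MESSAGE)


if __name__ == "__main__":
    for user in ("alice", "carol", "nobody"):
        print(user, authorize(user))
```

Before restarting FreeRADIUS, the same membership question can be asked of the real directory with `ldapsearch -x -H ldap://192.168.10.1 -D "cn=admin,dc=mydomain,dc=com" -W -b "dc=mydomain,dc=com" "(&(objectClass=posixGroup)(memberUid=testuser))" cn`; if that returns no cn=wifi entry, the users file will reject the account.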
Add the access points to freeradius
Now that your FreeRADIUS server is configured and coupled to LDAP, you can add your access points to the clients.conf file.
vim /etc/freeradius/clients.conf
client 192.168.10.100 {
    secret    = sharedsecret
    shortname = ap-1
}
client 192.168.10.101 {
    secret    = sharedsecret
    shortname = ap-2
}

service freeradius restart
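The secret in clients.conf is what ties each access point to the server: it hides the User-Password attribute in the Access-Request and it keys the Response Authenticator that lets the client verify an Access-Accept really came from its server. The following is an added example (not the post's or FreeRADIUS's code) that builds a radtest-style Access-Request, decodes it server-side and signs and verifies the reply, following RFC 2865. The packet contents are constructed; the secret "sharedsecret" and user "testuser" are the values used in this post, and attributes a real NAS adds (NAS-IP-Address, NAS-Port, Message-Authenticator) are left out.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2      # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2           # attribute types used by radtest


def _attr(atype, value):
    """One Type-Length-Value attribute; Length covers the 2-byte header too."""
    return struct.pack("BB", atype, len(value) + 2) + value


def encode_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(blob, secret, authenticator):
    """Inverse of encode_user_password (what the server does before checking the password)."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, body):
    """Code, Identifier, Length, 16-byte Authenticator, then the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attrs(packet):
    """Split the attribute section into (type, value) pairs."""
    attrs, i = [], 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        attrs.append((atype, packet[i + 2:i + alen]))
        i += alen
    return attrs


def access_request(username, password, secret, ident=0, authenticator=None):
    """What `radtest user pass server 0 secret` sends, reduced to two attributes."""
    ra = os.urandom(16) if authenticator is None else authenticator
    body = _attr(USER_NAME, username) + _attr(USER_PASSWORD, encode_user_password(password, secret, ra))
    return build_packet(ACCESS_REQUEST, ident, ra, body)


def response_authenticator(code, ident, request_authenticator, body, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_authenticator + body + secret).digest()


def access_accept(request, secret, body=b""):
    """Server side: reply to `request`, authenticating the reply with the client's secret."""
    ident = request[1]
    auth = response_authenticator(ACCESS_ACCEPT, ident, request[4:20], body, secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, body)


def verify_response(response, request, secret):
    """Client side: accept the reply only if the ID matches and the authenticator checks out."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, ident, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"sharedsecret"
    req = access_request(b"testuser", b"testpassword", secret, ident=7)
    resp = access_accept(req, secret)
    print("reply verified:", verify_response(resp, req, secret))
    print("reply verified with wrong secret:", verify_response(resp, req, b"other"))
```

The last line of the demo is the practical point: a client configured with a secret that differs from the server's entry in clients.conf will never validate a reply, and a server receiving a request under the wrong secret decodes garbage for User-Password and logs a failed login. Since the protection rests entirely on the secret, the same one should not be reused across every access point when it can be avoided.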
The last step is to configure your access points to communicate with your FreeRADIUS server.