Sep 21, 2010

Radius Server Installation Guide

I'm using FreeRADIUS as the RADIUS server, installed on CentOS. The commands will differ slightly depending on the operating system used.

Installing freeradius

To install FreeRADIUS on Red Hat Linux or CentOS, type this command in the terminal:

# yum install freeradius

Type ‘y’ at the ‘Is this ok [y/N]:’ prompt. Below is example output of the command:

[root@radius01 ~]# yum install freeradius
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * addons: mirror.nus.edu.sg
 * base: mirror.nus.edu.sg
 * extras: mirror.nus.edu.sg
 * updates: mirror.nus.edu.sg
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package freeradius.i386 0:1.1.3-1.5.el5_4 set to be updated
--> Processing Dependency: net-snmp-utils for package: freeradius
--> Processing Dependency: net-snmp for package: freeradius
--> Processing Dependency: perl(DBI) for package: freeradius
--> Running transaction check
---> Package net-snmp.i386 1:5.3.2.2-7.el5_4.2 set to be updated
--> Processing Dependency: libsensors.so.3 for package: net-snmp
---> Package net-snmp-utils.i386 1:5.3.2.2-7.el5_4.2 set to be updated
---> Package perl-DBI.i386 0:1.52-2.el5 set to be updated
--> Running transaction check
---> Package lm_sensors.i386 0:2.10.7-4.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package              Arch       Version                    Repository     Size
================================================================================
Installing:
 freeradius           i386       1.1.3-1.5.el5_4            updates       1.1 M
Installing for dependencies:
 lm_sensors           i386       2.10.7-4.el5               base          513 k
 net-snmp             i386       1:5.3.2.2-7.el5_4.2        updates       696 k
 net-snmp-utils       i386       1:5.3.2.2-7.el5_4.2        updates       185 k
 perl-DBI             i386       1.52-2.el5                 base          600 k

Transaction Summary
================================================================================
Install      5 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

 Total download size: 3.1 M
Is this ok [y/N]: y
Downloading Packages:
(1/5): net-snmp-utils-5.3.2.2-7.el5_4.2.i386.rpm         | 176 kB     00:00
http://mirror.nus.edu.sg/centos/5.4/updates/i386/RPMS/net-snmp-utils-5.3.2.2-7.el5_4.2.i386.rpm: [Errno 4] Socket Error: timed out
Trying other mirror.
(1/5): net-snmp-utils-5.3.2.2-7.el5_4.2.i386.rpm         | 185 kB     00:00
(2/5): lm_sensors-2.10.7-4.el5.i386.rpm                  | 513 kB     00:00
(3/5): perl-DBI-1.52-2.el5.i386.rpm                      | 576 kB     00:00
http://mirror.nus.edu.sg/centos/5.4/os/i386/CentOS/perl-DBI-1.52-2.el5.i386.rpm: [Errno 4] Socket Error: timed out
Trying other mirror.
(3/5): perl-DBI-1.52-2.el5.i386.rpm                      | 600 kB     00:00
(4/5): net-snmp-5.3.2.2-7.el5_4.2.i386.rpm               | 696 kB     00:00
(5/5): freeradius-1.1.3-1.5.el5_4.i386.rpm               | 1.1 MB     00:24
--------------------------------------------------------------------------------
Total                                            27 kB/s | 3.1 MB     01:56
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : perl-DBI                                                 1/5
  Installing     : lm_sensors                                               2/5
  Installing     : net-snmp                                                 3/5
  Installing     : net-snmp-utils                                           4/5
  Installing     : freeradius                                               5/5

Installed:
  freeradius.i386 0:1.1.3-1.5.el5_4

Dependency Installed:
  lm_sensors.i386 0:2.10.7-4.el5            net-snmp.i386 1:5.3.2.2-7.el5_4.2
  net-snmp-utils.i386 1:5.3.2.2-7.el5_4.2   perl-DBI.i386 0:1.52-2.el5

Complete!
 
At this point you have successfully installed the RADIUS server. Next, verify that the package is installed.

Check the RADIUS Server Version

To check the version of the RADIUS server that has been installed, use this command:
# rpm -qa freeradius

Below is example output of the command:
[root@radius01 ~]# rpm -qa freeradius
freeradius-1.1.3-1.5.el5_4


radiusd.conf configuration 

Next, configure the radiusd.conf file according to your network details. The example in this tutorial shows the details of my network configuration.

Using the vi text editor, edit the radiusd.conf file with the following configuration. First, enter this command in the terminal to open radiusd.conf:
vi /etc/raddb/radiusd.conf
# Excerpt from the modules section: the ldap module
ldap {
        server = "192.168.4.41"
        # identity = "cn=admin,o=My Org,c=UA"
        # password = secret
        basedn = "ou=people,o=mydomain.gov.my,o=gov"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # base_filter = "(objectclass=radiusprofile)"
        password_attribute = "userPassword"
        # access_attr = "dialupAccess"
}

# Excerpt from the authorize section
authorize {
        #
        #  The preprocess module takes care of sanitizing some bizarre
        #  attributes in the request, and turning them into attributes
        #  which are more standard.
        #
        #  The ldap module will set Auth-Type to LDAP if it has not
        #  already been set
        ldap
}

#     $INCLUDE  ${confdir}/sql.conf

# Excerpt from the authenticate section
authenticate {
        #
        # PAP authentication, when a back-end database listed
        # in the 'authorize' section supplies a password.  The
        # password can be clear-text, or encrypted.
        # Uncomment it if you want to use ldap for authentication
        # Note that this means "check plain-text password against
        # the ldap database", which means that EAP won't work,
        # as it does not supply a plain-text password.
        Auth-Type LDAP {
                ldap
        }
}

 
Save the configuration and exit by typing ‘:wq’ and pressing Enter.

Users configuration

Edit the users file with the vi text editor, using the following configuration. To open the users file, enter this command in the terminal:
vi /etc/raddb/users

Below is the users configuration:
DEFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT Auth-Type := LDAP
        Fall-Through = 1


Save the configuration and exit by typing ‘:wq’ and pressing Enter.

clients.conf configuration

Edit the clients.conf file with the vi text editor, using the following configuration. To open clients.conf, enter the following command in the terminal:
vi /etc/raddb/clients.conf

Below is the clients.conf configuration:

client 192.168.0.0/16 {
       secret          = test
       shortname       = private-network-2
}

Save the configuration and exit by typing ‘:wq’ and pressing Enter.
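
The shared secret in the client block above protects the RADIUS traffic of every NAS in 192.168.0.0/16, so it is worth checking the file for short or default secrets and very wide client ranges before the server goes into service. The script below is an added example, not part of the original guide; the function names, the 16-character minimum and the /24 threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a clients.conf for
# weak shared secrets and overly broad client ranges.
MIN_LEN=16      # assumed policy: minimum secret length
MIN_PREFIX=24   # assumed policy: flag client ranges wider than /24

audit_clients() {
    # $1 = path to clients.conf; prints one finding per line.
    # Simplification: "#" always starts a comment, so a secret containing it is cut.
    awk -v minlen="$MIN_LEN" -v minpfx="$MIN_PREFIX" '
    { sub(/#.*/, "") }
    /^[ \t]*client[ \t]+/ {
        name = $2; sub(/[{].*/, "", name)
        if (split(name, p, "/") == 2 && p[2] + 0 < minpfx)
            print "BROAD-RANGE " name
        next
    }
    /^[ \t]*secret[ \t]*=/ {
        s = $0; sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t]+$/, "", s)
        gsub(/^"|"$/, "", s)
        # "test" is the value used in this guide; "testing123" is the
        # secret shipped in the FreeRADIUS sample clients.conf.
        if (s == "test" || s == "testing123")
            print "DEFAULT-SECRET " name
        else if (length(s) < minlen)
            print "SHORT-SECRET " name
    }' "$1"
}

# Constructed sample input: the client block from this guide plus a
# second, made-up client with a longer secret.
sample_conf() {
    cat <<'EOF'
client 192.168.0.0/16 {
       secret          = test
       shortname       = private-network-2
}
client 10.1.2.3 {
       secret          = q7Vd2mXw9LrT4bZs8HkN   # constructed value
       shortname       = nas-example
}
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
audit_clients "$tmp"
rm -f "$tmp"
```

On a real server, call audit_clients /etc/raddb/clients.conf; no output means no finding under the assumed policy.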

Start radius server.

To start the RADIUS server, use the following command in the terminal:
# /etc/init.d/radiusd start

Stop radius server.

To stop the RADIUS server, use the following command in the terminal:
# /etc/init.d/radiusd stop

Restart radius server.

To restart the RADIUS server, use the following command in the terminal:
# /etc/init.d/radiusd restart

Below is example output of the restart command:
[root@radius01 raddb]# /etc/init.d/radiusd restart
Stopping RADIUS server:                                    [  OK  ]
Starting RADIUS server: Tue Apr 13 11:00:48 2010 : Info: Starting - reading configuration files ...
                                                           [  OK  ]
 
Note that the RADIUS server does not start automatically after the operating system is rebooted, so you have to enter the start or restart command manually.

Test the RADIUS Configuration

To check that the RADIUS server is working, use the following command:

  radtest {username} {password} {hostname} 10 {radius_secret}

If the authentication is not successful, an Access-Reject message will be displayed. Access-Accept will be displayed if the authentication is successful.

