Configure and Test FreeRADIUS PAP & CHAP Authentication



Author: Celal Dogan
Reviewer: Deepak Prasad

Getting started with FreeRADIUS

  • AAA (authentication, authorization and accounting) is a security architecture model.
  • RADIUS is a protocol that implements AAA.
  • FreeRADIUS is a server that implements RADIUS.
  • Thus we have AAA → RADIUS → FreeRADIUS.
  • RADIUS is all about central control and is the de facto standard supported by NAS vendors.
  • RADIUS is a client/server protocol. It uses UDP and listens on port 1812 for authentication and port 1813 for accounting requests (older equipment still uses the pre-RFC ports 1645 and 1646, so check what your NAS sends to).
  • RADIUS packets have a code field, which specifies the type of packet (Access-Request, Access-Accept, Access-Reject, Accounting-Request and so on).
  • RADIUS packets carry zero or more attribute-value pairs (AVPs), which hold the data used in RADIUS.
  • FreeRADIUS implements the RADIUS protocol along with its various extensions as specified in the RFCs.
  • FreeRADIUS is a very popular, widely used, and very flexible RADIUS server.

For more information on AAA, please visit here (https://www.golinuxcloud.com/aaa-network-policy-server/)

In this article, we will focus on installing, configuring and testing FreeRADIUS with a couple of authentication methods (PAP and CHAP).

 

Different Authentication Protocols (PAP and CHAP)

Password Authentication Protocol (PAP)

PAP was one of the first protocols used to supply a username and password when making point-to-point connections. With PAP the NAS takes the PAP ID and password and sends them in an Access-Request packet as the User-Name and User-Password attributes. PAP is simpler than CHAP and MS-CHAP because the NAS simply hands the RADIUS server a username and password, which are then checked; the credentials travel from the user through the NAS to the server in a single action.

Two things follow from that. Between the user and the NAS the password is sent in cleartext. Between the NAS and the RADIUS server the User-Password attribute is only obfuscated (RFC 2865 section 5.2: the password is XORed with an MD5 keystream derived from the shared secret and the Request Authenticator), so anyone who knows or can brute-force the shared secret recovers it from a capture. The shared secret is the only thing protecting PAP credentials on the RADIUS leg.

If PAP is used inside a secure tunnel it is as secure as the tunnel. This is similar to your credit card details being tunnelled inside an HTTPS connection and delivered to a secure web server.

Challenge-Handshake Authentication Protocol (CHAP)

CHAP was designed as an improvement to PAP. It prevents the password itself from being transmitted.

After a link is established to the NAS, the NAS generates a random challenge and sends it to the user. The user responds with a one-way hash (MD5, per RFC 1994) calculated over an identifier sent along with the challenge, the user's password and the challenge. The NAS places this response, together with the identifier, in the CHAP-Password attribute of an Access-Request (with the challenge in CHAP-Challenge, or reusing the Request Authenticator as the challenge) and sends it to the RADIUS server. Depending on the reply from the RADIUS server, the NAS returns CHAP Success or CHAP Failure to the user.

The trade-off is on the server side: to recompute the hash, the RADIUS server must hold the user's password in cleartext or a reversible form, which is why the users file later in this article stores Cleartext-Password. CHAP also does nothing to authenticate the NAS or protect the rest of the exchange, and an observer who captures the challenge and response can still run an offline dictionary attack against the password.
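The two encodings described above, as an added example that is not code from the article or from FreeRADIUS: a NAS building PAP and CHAP Access-Requests, and a server checking them the way the authorize/authenticate sections later in this article do. The shared secret is the article's; the user database, packet identifier, CHAP identifier and challenge are constructed sample values.

```python
"""Added example (not from the article or FreeRADIUS): PAP and CHAP credentials
in a RADIUS Access-Request, NAS side and server side. PAP hiding follows
RFC 2865 5.2; CHAP follows RFC 1994 and RFC 2865 5.3. Users, CHAP ids and
challenges below are constructed samples; the secret is the article's."""
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 2, 3, 60


def attr(attr_type, value):
    """One RADIUS attribute: type, length (including this 2-byte header), value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_user_password(password, secret, request_auth):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), the first block using the Request
    Authenticator. Obfuscation, not encryption: the shared secret is the only key."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden, secret, request_auth):
    """Server side of 5.2: regenerate the same key stream, then strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def chap_response(chap_id, password, challenge):
    """RFC 1994: MD5(ID || password || challenge). The password stays off the
    wire, but the server needs it in cleartext to recompute this."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def access_request(identifier, request_auth, attributes):
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attributes))
    return header + request_auth + attributes


def pap_request(user, password, secret, identifier=1):
    """What the Cisco NAS sends for a PAP login."""
    request_auth = os.urandom(16)
    hidden = hide_user_password(password.encode(), secret, request_auth)
    return access_request(identifier, request_auth,
                          attr(ATTR_USER_NAME, user.encode()) + attr(ATTR_USER_PASSWORD, hidden))


def chap_request(user, password, chap_id, challenge=None, identifier=1):
    """What a NAS (or radtest -t chap) sends for CHAP. With no CHAP-Challenge
    attribute, RFC 2865 5.3 makes the Request Authenticator the challenge."""
    request_auth = os.urandom(16)
    attributes = attr(ATTR_USER_NAME, user.encode())
    if challenge is None:
        challenge = request_auth
    else:
        attributes += attr(ATTR_CHAP_CHALLENGE, challenge)
    response = bytes([chap_id]) + chap_response(chap_id, password.encode(), challenge)
    return access_request(identifier, request_auth, attributes + attr(ATTR_CHAP_PASSWORD, response))


def parse_attributes(packet):
    attributes, i = {}, 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute")
        attributes[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    return attributes


def server_check(packet, secret, users):
    """The article's authorize/authenticate sections in miniature: the attribute
    present selects Auth-Type, the users dict plays the files module."""
    if len(packet) < 20 or packet[0] != CODE_ACCESS_REQUEST:
        return False
    request_auth, attributes = packet[4:20], parse_attributes(packet)
    known = users.get(attributes.get(ATTR_USER_NAME, b"").decode(errors="replace"))
    if known is None:
        return False
    if ATTR_CHAP_PASSWORD in attributes:                    # Auth-Type CHAP
        chap_password = attributes[ATTR_CHAP_PASSWORD]
        if len(chap_password) != 17:                        # 1-byte ID + 16-byte MD5
            return False
        challenge = attributes.get(ATTR_CHAP_CHALLENGE, request_auth)
        expected = chap_response(chap_password[0], known.encode(), challenge)
        return hmac.compare_digest(chap_password[1:], expected)
    if ATTR_USER_PASSWORD in attributes:                    # Auth-Type PAP
        revealed = reveal_user_password(attributes[ATTR_USER_PASSWORD], secret, request_auth)
        return hmac.compare_digest(revealed, known.encode())
    return False
```

server_check(pap_request("jane", "password", b"celaldogan"), b"celaldogan", {"jane": "password"}) returns True, and the bytes of a CHAP request never contain the password. Changing the secret on either side makes the PAP check fail, which is exactly the surface a brute-force of the shared secret attacks; the CHAP check does not involve the secret at all, which is why it needs the cleartext password on the server instead.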

 

Password Authentication Protocol (PAP) with FreeRADIUS

FreeRADIUS ships with configuration files and common modules; when we need to change something, we modify these files and modules. Imagine that you have two network administration groups, Network Admins and Network Operators, who manage your network with different levels of access privileges.

We will implement this scenario using a Cisco router as the Network Access Server (NAS) and FreeRADIUS as the RADIUS server that provides the authentication service.

Step-1:  Configure authentication on the router (NAS)

Enable AAA globally.

!
aaa new-model
!

Define a RADIUS server with its IP address, its authentication and accounting ports, and the shared secret (key). The key must match the secret configured for this router in FreeRADIUS's clients.conf exactly. It is deliberately short here to keep the example readable; in production it should be long and random, because it is the only key protecting the RADIUS exchange.

!
radius server FreeRADIUS
 address ipv4 192.168.1.42 auth-port 1812 acct-port 1813
 key celaldogan
!

 

Define a RADIUS server group and add the previously defined RADIUS server to it by name.

!
aaa group server radius Radius_Servers
 server name FreeRADIUS
!

Define an authentication list that authenticates users against the RADIUS server group and falls back to the local user database only when the NAS cannot reach any RADIUS server. Note that an Access-Reject from FreeRADIUS is a definitive answer: the router moves on to local only after a timeout, never after a reject.

!
aaa authentication login VTY_auth_list group Radius_Servers local
!

Apply the authentication list to the Virtual Teletype (VTY) lines to finish the authentication configuration.

!
line vty 0 4
 login authentication VTY_auth_list
!

Because FreeRADIUS was not configured yet, the login attempt timed out. In Wireshark the capture showed the router's Access-Request packets with no Access-Accept or Access-Reject coming back.

 

Install FreeRADIUS

The installation process is pretty straightforward. Follow the steps below.

Step-1: I will install it on Ubuntu 19.04. You can print the distribution-specific information with the command below.

celal@freeradius:~$ lsb_release  -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 19.04
Release:        19.04
Codename:       disco

 

Step-2: Update package information from all the configured sources.

celal@freeradius:~$ sudo apt-get update

 

Step-3: I will install FreeRADIUS together with all of its utilities and companion packages by appending "*" to the package name. Quote the pattern so that the shell does not expand it against files in the current directory before apt sees it.

celal@freeradius:~$ sudo apt-get install 'freeradius*'

 

Step-4: Now that the server is installed, run the command below to confirm the installation.

celal@freeradius:~$ freeradius -v
radiusd: FreeRADIUS Version 3.0.20, for host x86_64-pc-linux-gnu, built on Jan 25 2020 at 06:11:13
FreeRADIUS Version 3.0.20
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
celal@freeradius:~$

 

Step-5: Check the service status with the following command. As you can see, my server is not running yet.

celal@freeradius:~$ systemctl status freeradius
freeradius.service - FreeRADIUS multi-protocol policy server
   Loaded: loaded (/lib/systemd/system/freeradius.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:radiusd(8)
           man:radiusd.conf(5)
           http://wiki.freeradius.org/
           http://networkradius.com/doc/
celal@freeradius:~$

As you noticed, the installation is pretty simple.

 

Configure FreeRADIUS

After the installation, FreeRADIUS comes with modules and configuration files. We will modify some of them.

Step-1: Configure a radius client.

Since an ordinary user cannot modify these files, become root with the command below.

celal@freeradius:/$ sudo su

Open “clients.conf” with your preferred text editor.

root@freeradius:/# nano /etc/freeradius/3.0/clients.conf

I will add a new client with the configuration below and save the file. ipaddr must be the source address the router uses for RADIUS and secret must match the key configured on the router; requests from addresses not listed here are dropped silently. The secret is kept short here for readability. In production generate a long random secret per client (for example with openssl rand -base64 24), because it is the only key protecting the User-Password hiding and the packet authenticators.

client cisco_router {
        ipaddr = 192.168.1.15
        secret = celaldogan
}

 

Step-2: Configure a user.

Open “users” with your preferred text editor.

root@freeradius:/# nano /etc/freeradius/3.0/users

I will add a new user (jane, with a cleartext password) with the line below and save the file. PAP can also be verified against a hashed password such as Crypt-Password, but CHAP can only be checked when the server holds the cleartext, so this example uses Cleartext-Password.

jane Cleartext-Password := "password"

 

Step-3: Define a virtual server

FreeRADIUS supports creating virtual servers. For instance, you may need two RADIUS servers, one for the wired network and the other for the wireless network. The virtual servers must listen on different ports or IP addresses, and you can separate the policies this way. FreeRADIUS stores virtual servers in the "/etc/freeradius/3.0/sites-enabled/" folder. This folder ships with two virtual servers, "default" and "inner-tunnel". We do not need them right now, so I will back them up, remove them from the folder, and create my own server.

Create a new folder named "backups", copy the original servers into it as shown below, and remove them from "/etc/freeradius/3.0/sites-enabled/". The entries in sites-enabled are symlinks to sites-available, so cp copies the real file and the originals also remain in sites-available. We are already root, so sudo is not needed.

root@freeradius:/# mkdir backups
root@freeradius:/# cp /etc/freeradius/3.0/sites-enabled/default ./backups/
root@freeradius:/# cp /etc/freeradius/3.0/sites-enabled/inner-tunnel ./backups/
root@freeradius:/# rm /etc/freeradius/3.0/sites-enabled/default
root@freeradius:/# rm /etc/freeradius/3.0/sites-enabled/inner-tunnel
root@freeradius:/# ls /etc/freeradius/3.0/sites-enabled/

Open a new file named "my_server" and configure the virtual server as shown below.

root@freeradius:/# nano /etc/freeradius/3.0/sites-enabled/my_server

For learning purposes, I will not add a ton of configuration. The following is a minimal configuration:

server my_server {
  listen {
        type = auth
        ipaddr = *
        port = 1812
  }
  authorize {
        chap
        files
        pap
  }
  authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
  }
}

The server contains three main blocks:

Listen: specifies the type of traffic, the IP address and the port to listen on. ipaddr = * binds every interface; on a multi-homed host, bind the specific address that the NAS devices talk to. For more options, see the backed-up "default" server.

Authorize: runs for every request before authentication. The "chap" and "pap" modules each look for their own attribute in the packet (CHAP-Password or User-Password) and, when it is present, set Auth-Type to CHAP or PAP. The "files" module looks the user up in the "users" file and adds the known-good password (Cleartext-Password) and any other check items to the request's control list. Order matters: "files" must run before "pap" so that "pap" can see the known-good password.

Authenticate: each Auth-Type sub-section names the module that actually verifies the credential. A request that reaches this block with an Auth-Type that has no matching sub-section (for example an EAP request under this configuration) is rejected.

 

Step-4: At this point the minimal configuration is finished. Launch FreeRADIUS in debug mode, which is the best way to see what is going on in the background.

root@freeradius:/# freeradius -X

When I ran the command, the server refused to start with an error from the "eap" module.

This happens because, when FreeRADIUS loads a module, it checks that the configuration the module depends on exists, and the "eap" module references a virtual server that I deleted. I do not need "eap" for PAP and CHAP, so I back it up and remove it from the "mods-enabled" folder. Entries in mods-enabled are symlinks to mods-available, so the module's configuration itself is not lost:

root@freeradius:/# cp /etc/freeradius/3.0/mods-enabled/eap ./backups/
root@freeradius:/# rm /etc/freeradius/3.0/mods-enabled/eap

Running freeradius -X again, the server now starts successfully and its startup output ends with "Ready to process requests".

 

Testing Password Authentication Protocol (PAP)

Step-1: Log in to the router over SSH while capturing packets with Wireshark. The capture showed the Access-Request from the router and the Access-Accept from FreeRADIUS.

Everything looks fine, except that we have not yet authorized the user with the relevant privileges: the Access-Accept carries no attributes, so the router falls back to its default privilege level. The FreeRADIUS debug output for the authentication showed the same exchange.

 

Step-2: Define the groups (Network Admins and Network Operators)

Open the "dictionary" file with nano, add the line below, and save the file. This declares a server-internal attribute: My_Group is only used inside FreeRADIUS policy and is never sent to the NAS.

root@freeradius:/# nano /etc/freeradius/3.0/dictionary

ATTRIBUTE My_Group 3000 string

Open the "/etc/freeradius/3.0/users" file with nano and add the lines below (if you added jane before, just modify that line). The items before the comma are check items, so My_Group ends up in the request's control list, which is where the policy below reads it from.

jane My_Group := "Network_Admin", Cleartext-Password := "password"
john My_Group := "Network_Operator", Cleartext-Password := "passme"

We check the group and assign the proper privilege level in the "post-auth" block of "my_server". Add the block below inside the server my_server { ... } section of the "my_server" file.

post-auth {
        if (&control:My_Group == 'Network_Admin') {
                update reply {
                        Cisco-AVPair = "shell:priv-lvl=15"
                }
        }

        if (&control:My_Group == 'Network_Operator') {
                update reply {
                        Cisco-AVPair = "shell:priv-lvl=7"
                }
        }
}

Cisco-AVPair comes from the Cisco vendor dictionary that FreeRADIUS loads by default. Note that IOS only honours the privilege level in a RADIUS reply when exec authorization is configured (aaa authorization exec ... group Radius_Servers, applied with authorization exec on the VTY lines); without it the user still lands at the default privilege level.

Test it again with the jane user; the Access-Accept should now carry Cisco-AVPair = "shell:priv-lvl=15".

 

Testing Challenge Handshake Authentication Protocol (CHAP)

We already enabled CHAP authentication on the virtual server. I will add another RADIUS client and test the CHAP method from it.

Step-1: Open the "/etc/freeradius/3.0/clients.conf" file, add the lines below and save the file.

client my_ubuntu {
        ipaddr = 192.168.1.41
        secret = celaldogan
}

 

Step-2: Open a shell on that client and run the command below.

root@ubuntu19:/home/celal# radtest -t chap john passme 192.168.1.42 1812 celaldogan

"radtest" is the test client that ships with FreeRADIUS and is used to test authentication methods. Its positional arguments are user, password, server[:port], NAS-Port number and shared secret, so the 1812 above is the value of the NAS-Port attribute rather than the UDP port; the server port defaults to 1812 and would be written as 192.168.1.42:1812 if it differed. Instead of localhost, I used a different client to test it. If you want to test on the same machine as the server, use "radtest -t chap john passme 127.0.0.1 1812 testing123" (testing123 is the secret of the localhost client in the shipped clients.conf). In Wireshark the request carried CHAP-Password instead of User-Password, the authentication succeeded, and the Access-Accept returned the vendor-specific attribute Cisco-AVPair = "shell:priv-lvl=7".

The FreeRADIUS debug logs showed the same result.
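The reply side of the exchange, as an added example that is not code from the article or from FreeRADIUS: the Access-Accept that the post-auth policy produces for each group, the Response Authenticator check a NAS performs on it, and decoding of the Cisco-AVPair vendor-specific attribute seen in the captures above. The group-to-level mapping and the shared secret are the article's; the packet identifier and Request Authenticator are constructed values. It also goes one step beyond the article by showing that a tampered Access-Accept decodes fine but fails the authenticator check.

```python
"""Added example (not from the article or FreeRADIUS): the Access-Accept for the
post-auth policy and the checks a NAS makes on it. Response Authenticator is
MD5(Code | ID | Length | RequestAuth | Attributes | Secret) (RFC 2865 section 3);
Cisco-AVPair is Vendor-Specific (26), vendor id 9, vendor type 1. Constructed values."""
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO, CISCO_AVPAIR = 9, 1
PRIV_LEVELS = {"Network_Admin": 15, "Network_Operator": 7}   # the article's two groups


def attr(attr_type, value):
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific: 4-byte vendor id, then a vendor type/length/value sub-attribute."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def build_reply(code, identifier, request_auth, attributes, secret):
    """Server side: the Response Authenticator binds the reply to the request and the secret."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + response_auth + attributes


def post_auth_reply(identifier, request_auth, group, secret):
    """What the post-auth block produces: an Access-Accept, carrying a Cisco-AVPair
    only when My_Group matched one of the two groups."""
    attributes = cisco_avpair(f"shell:priv-lvl={PRIV_LEVELS[group]}") if group in PRIV_LEVELS else b""
    return build_reply(CODE_ACCESS_ACCEPT, identifier, request_auth, attributes, secret)


def verify_reply(reply, identifier, request_auth, secret):
    """NAS side: drop a reply whose ID does not match the outstanding request or whose
    Response Authenticator does not validate. On plain UDP this check is all that
    separates a genuine Access-Accept from a spoofed or modified one."""
    if len(reply) < 20:
        return False
    _code, reply_id, length = struct.unpack("!BBH", reply[:4])
    if reply_id != identifier or length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def cisco_avpairs(reply):
    """Walk the attribute list and return every Cisco-AVPair string in the reply."""
    pairs, i = [], 20
    while i < len(reply):
        if i + 2 > len(reply) or reply[i + 1] < 2 or i + reply[i + 1] > len(reply):
            raise ValueError("malformed attribute")
        attr_type, length = reply[i], reply[i + 1]
        value = reply[i + 2:i + length]
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
            j = 4
            while j < len(value):
                if j + 2 > len(value) or value[j + 1] < 2 or j + value[j + 1] > len(value):
                    raise ValueError("malformed vendor sub-attribute")
                if value[j] == CISCO_AVPAIR:
                    pairs.append(value[j + 2:j + value[j + 1]].decode())
                j += value[j + 1]
        i += length
    return pairs


def privilege_level(reply):
    """Privilege level the router will apply, or None if the reply carries none."""
    for pair in cisco_avpairs(reply):
        if pair.startswith("shell:priv-lvl="):
            return int(pair.split("=", 1)[1])
    return None
```

privilege_level(post_auth_reply(5, ra, "Network_Admin", b"celaldogan")) returns 15 and the reply passes verify_reply; the same reply with the AVPair string edited in transit still decodes to a privilege level, but verify_reply returns False, which is why a NAS must check the Response Authenticator before acting on any attribute.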

 

Final thoughts

FreeRADIUS is a modular and high-performance radius server. It can be used for AAA services. It also provides some utilities to test various authentication methods.

 

Celal Dogan


He is proficient in System Administration, Python, Computer Network, Network Engineering, PHP, Web Testing, Penetration Testing, Wireshark, RADIUS, Cisco Router, TCP/IP, Kali Linux, OSPF, NPS, and Multiprotocol BGP. You can connect with him on his LinkedIn Profile.
