Getting started with FreeRADIUS
- AAA is a security architecture model.
- RADIUS is a specific implementation of AAA.
- FreeRADIUS is a practical application of RADIUS.
- Thus we have AAA → RADIUS → FreeRADIUS.
- RADIUS is all about central control and is the de facto standard supported by NAS vendors.
- RADIUS is a client/server protocol. It uses UDP and listens on port 1812 for authentication and port 1813 for accounting requests.
- RADIUS data packets have a code field, which specifies the type of RADIUS packet.
- RADIUS data packets have zero or more AVPs, which contain the data used in RADIUS.
- FreeRADIUS implements the RADIUS protocol along with its various extensions as specified in RFCs.
- FreeRADIUS is a very popular, widely used, and very flexible RADIUS server.
For more information on AAA, see https://www.golinuxcloud.com/aaa-network-policy-server/
In this article, we will focus on installing, configuring and testing FreeRADIUS with a couple of authentication methods (PAP and CHAP).
Different Authentication Protocols (PAP and CHAP)
Password Authentication Protocol (PAP)
PAP was one of the first protocols used to facilitate the supply of a username and password when making point-to-point connections. With PAP the NAS takes the PAP ID and password and sends them in an Access-Request packet as the User-Name and User-Password. PAP is simpler compared to CHAP and MS-CHAP because the NAS simply hands the RADIUS server a username and password, which are then checked. This username and password come directly from the user through the NAS to the server in a single action.
If PAP is used inside a secure tunnel it is as secure as the tunnel. This is similar to when your credit card details are tunnelled inside an HTTPS connection and delivered to a secure web server.
Challenge-Handshake Authentication Protocol (CHAP)
CHAP was designed as an improvement to PAP. It prevents you from transmitting a cleartext password.
After a link is established to the NAS, the NAS generates a random challenge and sends it to the user. The user then responds to this challenge by returning a one-way hash calculated on an identifier (sent along with the challenge), the challenge, and the user's password. The user's response is then used by the NAS to create an Access-Request packet, which is sent to the RADIUS server. Depending on the reply from the RADIUS server, the NAS will return CHAP Success or CHAP Failure to the user.
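As an added worked example (not code from the original article or from the FreeRADIUS project), the two credential encodings described above as a RADIUS server checks them: the PAP User-Password hiding of RFC 2865 section 5.2, and the CHAP response of RFC 1994 that FreeRADIUS verifies against the user's Cleartext-Password. The function names are my own, and when no CHAP-Challenge attribute is present the Request Authenticator serves as the challenge.

```python
import hashlib
import secrets

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous block), using the Request Authenticator for block 1."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does on receipt. Anyone holding the shared secret and the
    captured packet can do the same, so PAP is only as safe as its transport."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: CHAP-Password = Ident || MD5(Ident || password || challenge).
    The cleartext password itself never leaves the client."""
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return bytes([ident]) + digest

def chap_verify(chap_password: bytes, challenge: bytes, cleartext: bytes) -> bool:
    """Server side: the hash can only be recomputed from the cleartext password,
    which is why CHAP users need Cleartext-Password in the users file."""
    if len(chap_password) != 17:  # 1 byte Ident + 16 byte MD5
        return False
    ident = chap_password[0]
    expected = hashlib.md5(bytes([ident]) + cleartext + challenge).digest()
    return secrets.compare_digest(chap_password[1:], expected)
```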
Password Authentication Protocol (PAP) with FreeRADIUS
FreeRADIUS contains configuration files and common modules. When we need to change something, we will modify these files and modules. Imagine that you have two network administration groups, Network Admins and Network Operators, who manage your network with different levels of access privileges.
We will implement this scenario, using a Cisco router as a Network Access Server (NAS) and FreeRADIUS as a RADIUS server that provides authentication service.
Step-1: Configure authentication on the router (NAS)
Enable the AAA service globally.
!
aaa new-model
!
Define a RADIUS server with parameters such as the shared secret (key), the IP address of the RADIUS server and the ports for authentication and accounting.
!
radius server FreeRADIUS
 address ipv4 192.168.1.42 auth-port 1812 acct-port 1813
 key celaldogan
!
Define a RADIUS server group and associate the previously defined RADIUS server name with the group.
!
aaa group server radius Radius_Servers
 server name FreeRADIUS
!
Define an authentication list that authenticates users against the RADIUS server and, when the NAS fails to reach the RADIUS server, falls back to the local database to authenticate the user.
!
aaa authentication login VTY_auth_list group Radius_Servers local
!
Associate the authentication list with the virtual teletype (VTY) lines to finish the authentication configuration.
!
line vty 0 4
 login authentication VTY_auth_list
!
Because I had not configured FreeRADIUS yet, the request timed out when I tried to log in to the router. The following shows the request packet in Wireshark.
Install FreeRADIUS
The installation process is pretty straightforward. Follow the steps below.
Step-1: I will install it on Ubuntu 19.04. You can print the distribution-specific information with the command below.
celal@freeradius:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 19.04
Release:        19.04
Codename:       disco
Step-2: Update package information from all the configured sources.
celal@freeradius:~$ sudo apt-get update
Step-3: I will install FreeRADIUS with all of its utilities and related packages by adding “*” to the end of the package name.
celal@freeradius:~$ sudo apt-get install freeradius*
Step-4: Now that we have installed the server, run the command below to confirm that it installed successfully.
celal@freeradius:~$ freeradius -v
radiusd: FreeRADIUS Version 3.0.20, for host x86_64-pc-linux-gnu, built on Jan 25 2020 at 06:11:13
FreeRADIUS Version 3.0.20
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License
For more information about these matters, see the file named COPYRIGHT
celal@freeradius:~$
Step-5: Check the service status with the following command. As you can see, my server is not running yet.
celal@freeradius:~$ systemctl status freeradius
freeradius.service - FreeRADIUS multi-protocol policy server
Loaded: loaded (/lib/systemd/system/freeradius.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:radiusd(8)
man:radiusd.conf(5)
http://wiki.freeradius.org/
http://networkradius.com/doc/
celal@freeradius:~$
As you noticed, the installation is pretty simple.
Configure FreeRADIUS
After the installation, FreeRADIUS comes with modules and configuration files. We will modify some of them.
Step-1: Configure a radius client.
Since an ordinary user cannot modify these files, switch to the root user with the command below.
celal@freeradius:/$ sudo su
Open “clients.conf” with your preferred text editor.
root@freeradius:/# nano /etc/freeradius/3.0/clients.conf
I will add a new client with the configuration below and save the file.
client cisco_router {
        ipaddr = 192.168.1.15
        secret = celaldogan
}
Step-2: Configure a user.
Open “users” with your preferred text editor.
root@freeradius:/# nano /etc/freeradius/3.0/users
I will add a new user (jane, with a cleartext password) with the configuration below and save the file.
jane    Cleartext-Password := "password"
Step-3: Define a virtual server
FreeRADIUS supports creating virtual servers. For instance, you may need two RADIUS servers, one for the wired network and the other for the wireless network. The virtual servers must listen on different ports or IP addresses, and you can separate the policies this way. FreeRADIUS stores virtual servers in the “/etc/freeradius/3.0/sites-enabled/” folder. This folder ships with two virtual servers, "default" and "inner-tunnel". We do not need them right now. I will back them up, remove them from the folder, and create my own server.
Create a new folder named "backups", copy the original files (servers) to that folder as shown below, and remove them from "/etc/freeradius/3.0/sites-enabled/".
root@freeradius:/# mkdir backups
root@freeradius:/# sudo cp /etc/freeradius/3.0/sites-enabled/default ./backups/
root@freeradius:/# sudo cp /etc/freeradius/3.0/sites-enabled/inner-tunnel ./backups/
root@freeradius:/# sudo rm /etc/freeradius/3.0/sites-enabled/default
root@freeradius:/# sudo rm /etc/freeradius/3.0/sites-enabled/inner-tunnel
root@freeradius:/# sudo ls /etc/freeradius/3.0/sites-enabled/
Open a new file as “my_server” and configure the virtual server like below.
root@freeradius:/# sudo nano /etc/freeradius/3.0/sites-enabled/my_server
For learning purposes, I will not add a ton of configuration. The following shows a simple configuration:
server my_server {
        listen {
                type = auth
                ipaddr = *
                port = 1812
        }
        authorize {
                chap
                files
                pap
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
                Auth-Type CHAP {
                        chap
                }
        }
}
The server contains 3 main blocks:
Listen: Specifies the port and the IP address to listen on. For more information, see the “default” server.
Authorize: In this block, we instruct the server to check which authentication method is used in the RADIUS packet. It will check for the “pap” and “chap” methods. When it finds a match, it uses the “files” module to look up end users in the “users” file.
Authenticate: We add the authentication modules here.
Step-4: At this point the simple configuration is finished. Launch FreeRADIUS in debug mode, which is great for seeing what is going on in the background.
root@freeradius:/# freeradius -X
When I ran the command, I got an error like the one below.
This is because, when FreeRADIUS loads a module, it checks whether the relevant configuration is present in a virtual server. Since I deleted the “default” virtual server, which contained that configuration, I now get this error. I do not need the “eap” module, so I will back it up and then delete it from the “mods-enabled” folder with the command below.
root@freeradius:/# rm /etc/freeradius/3.0/mods-enabled/eap
I ran it again, and now it starts successfully as shown below.
Testing Password Authentication Protocol (PAP)
Step-1: Log in to the router through SSH while capturing packets with Wireshark. The following output shows the request and response packets.
Everything looks great, except that we have forgotten to authorize the user with the relevant privileges. The following output is the debug log produced by FreeRADIUS during the authentication.
Step-2: Defining groups (Network Admin and Network Operators)
Open the “dictionary” file with nano, add “ATTRIBUTE My_Group 3000 string” and save the file.
root@freeradius:/# nano /etc/freeradius/3.0/dictionary
Open the "/etc/freeradius/3.0/users" file with the nano editor and add the lines below; if you configured jane before, just modify that line.
jane    My_Group := "Network_Admin", Cleartext-Password := "password"
john    My_Group := "Network_Operator", Cleartext-Password := "passme"
We need to check the group and assign the proper privileges in the “post-auth” block of “my_server”. Add the block below inside the server definition in the “my_server” file.
post-auth {
        if (&control:My_Group == 'Network_Admin') {
                update reply {
                        Cisco-AVPair = "shell:priv-lvl=15"
                }
        }
        if (&control:My_Group == 'Network_Operator') {
                update reply {
                        Cisco-AVPair = "shell:priv-lvl=7"
                }
        }
}
Test it again with the jane user.
Testing Challenge Handshake Authentication Protocol (CHAP)
We already enabled CHAP authentication on the virtual server. I will add another RADIUS client and test the CHAP method.
Step-1: Open the “/etc/freeradius/3.0/clients.conf” file, add the lines below and save the file.
client my_ubuntu {
        ipaddr = 192.168.1.41
        secret = celaldogan
}
Step-2: Open a shell on the new client and run the command below.
root@ubuntu19:/home/celal# radtest -t chap john passme 192.168.1.42 1812 celaldogan
The “radtest” tool is used to test authentication methods. Instead of localhost, I used a different client to test it. If you want to test it on the same machine, you can run it like “radtest -t chap john passme 127.0.0.1 1812 testing123”. The following screenshots were captured from Wireshark while running the command above. As you can see, the authentication is successful and the reply carries a vendor-specific attribute.
We can see the similar result from FreeRADIUS debug logs below.
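To show what the Wireshark capture above contains, here is an added example (not code from the article or from the FreeRADIUS project) that builds an Access-Accept carrying the Cisco-AVPair vendor-specific attribute set in the post-auth block, decodes it back, and performs the check the NAS does on receipt: recomputing the Response Authenticator with the shared secret so that a reply from anyone without the secret, or one altered in transit, is rejected. The identifier and Request Authenticator values in the test are constructed, and the function names are my own.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute numbers from RFC 2865; vendor id 9 is Cisco.
ACCESS_ACCEPT, VENDOR_SPECIFIC, CISCO, CISCO_AVPAIR = 2, 26, 9, 1

def avp(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) carrying vendor id 9, vendor type 1 = Cisco-AVPair."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO) + inner)

def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_accept(ident, request_auth, attrs, secret) -> bytes:
    """Access-Accept as the server sends it: Code, ID, Length, Authenticator, AVPs."""
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs

def reply_is_authentic(reply, request_auth, secret) -> bool:
    """NAS-side check: recompute the Response Authenticator from the request's
    authenticator and the shared secret; a mismatch means a forged or altered reply."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = response_authenticator(reply[0], reply[1], request_auth, reply[20:], secret)
    return hmac.compare_digest(reply[4:20], expected)

def parse_attrs(data: bytes) -> list:
    """Walk the attribute area; Cisco VSAs come back as ('Cisco-AVPair', text)."""
    out, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        v = data[i + 2:i + length]
        if t == VENDOR_SPECIFIC and len(v) >= 6 and v[:4] == struct.pack("!I", CISCO):
            out.append(("Cisco-AVPair", v[6:4 + v[5]].decode()))
        else:
            out.append((t, v))
        i += length
    return out
```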
Final thoughts
FreeRADIUS is a modular, high-performance RADIUS server that can be used for AAA services. It also provides utilities to test various authentication methods.