Configuring Linux RADIUS Server

Objectives
• This chapter will show you how to install and use RADIUS (FreeRADIUS) on Linux.

Contents
• An overview of how RADIUS works
• Configuration of RADIUS
• Testing the RADIUS server
• Setting up an Aironet Cisco 1200 access point for RADIUS
• Client setup: Windows XP with a wireless PC card
• Practical: implementing a RADIUS server
Introducing the elements

NAS
• The Network Access Server (NAS) is the device that enforces authentication, authorization and accounting for users: it collects the user's credentials and forwards them to the RADIUS server for a decision.
• The NAS is typically a router, switch or wireless access point.
• The NAS acts as a relay that passes or blocks traffic to and from clients, depending on whether they authenticated.

RADIUS and AAA
• The RADIUS server is usually a daemon process running on a UNIX or Windows 2003 server.
• Authentication, authorization and accounting (AAA) are combined in one protocol in RADIUS.
• The NAS and the RADIUS server share a secret per NAS; the secret hides the user password in transit and authenticates the server's replies, so it must be unique per NAS and kept private.

LDAP
• The Lightweight Directory Access Protocol (LDAP) is an open standard.
• It defines a method for accessing and updating information in an X.500-like directory.
• LDAP simplifies user administration by managing users in a central directory, which the RADIUS server can query.
Installing RADIUS
• Add a test user and give it a password.
• Build from source (usually a good idea for the best-optimized code on the host).
• Start radiusd in debug mode (-X) so that any configuration error is printed to the terminal instead of being lost.
• Make /etc/shadow group-readable so the server can verify system accounts. Caveat: /etc/shadow is normally readable by root only, so this loosens a sensitive file; grant read access only to the group radiusd runs as, and never make the file world-readable.
• Run the first authentication test with radtest, which simulates a user authenticating against the RADIUS server: the arguments are user, password, server, NAS port and shared secret. 0 is a fake NAS port; testing123 is the shared secret that the stock /etc/raddb/clients.conf assigns to the localhost NAS client.
• If radtest receives a response (an Access-Accept for correct credentials), the FreeRADIUS server is working.

    # useradd kalle
    # passwd kalle
    # tar -zxvf freeradius-1.0.2.tar.gz
    # cd freeradius-1.0.2        (directory name assumed from the tarball)
    # ./configure
    # make
    # make install
    # radiusd -X
    # chmod g+r /etc/shadow
    # radtest kalle 123456 localhost 0 testing123
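What radtest actually does on the wire is an Access-Request / Access-Accept exchange with the password hidden under the shared secret. The following is an added example, not code from the original page or from the FreeRADIUS project: it builds the request the way a NAS would, lets a toy server check the credentials and sign its reply, and shows why a mismatched shared secret produces a reject on one side and an unverifiable reply on the other. The client table, the user table and the packet contents are constructed for the example; a real server identifies the NAS by the UDP source address, not by the attacker-controlled NAS-IP-Address attribute, which is only used here because there is no socket.

```python
"""Minimal RADIUS PAP exchange per RFC 2865 (example code, no network I/O)."""
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; block i is XORed with MD5(secret + previous cipher block),
    the first block with MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        c = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + c, c
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out, prev = out + _xor(c, hashlib.md5(secret + prev).digest()), c
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """[(type, value bytes)] -> TLV bytes; the length byte covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def build_access_request(ident, username, password, secret, nas_ip="127.0.0.1", nas_port=0):
    """What radtest sends: Code, Identifier, Length, 16 random bytes (Request Authenticator), attributes."""
    ra = os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, ra)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (NAS_PORT, struct.pack("!I", nas_port)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def server_handle(packet, clients, users):
    """clients: {nas_ip: secret}; users: {name: clear password}. Returns the reply packet, or None."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    ra = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    nas_ip = ".".join(str(b) for b in attrs[NAS_IP_ADDRESS])
    secret = clients.get(nas_ip)
    if secret is None:
        return None  # RFC 2865: requests from unknown clients are silently discarded
    name = attrs[USER_NAME].decode(errors="replace")
    # A NAS configured with a different secret unhides to garbage here, hence a Reject.
    ok = name in users and unhide_password(attrs[USER_PASSWORD], secret, ra) == users[name].encode()
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no reply attributes in this example
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + ReplyAttributes + Secret)
    return header + hashlib.md5(header + ra + secret).digest()


def verify_response(response, request, secret):
    """Client side: a reply whose Response Authenticator does not check out under our secret is rejected,
    which is what stops a spoofed Access-Accept from an impostor that lacks the secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    # Constructed tables mirroring the page's radtest run (kalle / 123456 / testing123).
    secret, clients, users = b"testing123", {"127.0.0.1": b"testing123"}, {"kalle": "123456"}
    req = build_access_request(1, "kalle", "123456", secret)
    resp = server_handle(req, clients, users)
    print("Access-Accept" if resp[0] == ACCESS_ACCEPT else "Access-Reject",
          "verified" if verify_response(resp, req, secret) else "NOT verified")
```

Two things worth noticing while reading it: the password hiding is MD5-keyed XOR, not encryption in any modern sense, which is why the shared secret should be long and random and why RADIUS over untrusted networks is normally wrapped in IPsec or carried over TLS; and an Access-Reject carries a valid Response Authenticator too, so a client can tell a real rejection from a forged one.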
Configure FreeRADIUS
• FreeRADIUS configuration files are usually stored in the /etc/raddb folder.
• Edit radiusd.conf to turn on authentication logging. Good passwords are not logged; note that log_auth_badpass writes failed passwords to the log in clear text, and failed attempts are often near-misses of real passwords, so keep the log readable by root only.

    log_auth = yes
    log_auth_badpass = yes
    log_auth_goodpass = no

• Set the authentication port to the one the Cisco equipment uses. 1645 is the legacy port (the IANA-assigned RADIUS authentication port is 1812); the value here only has to match what the access point is configured to send to.

    port = 1645

• Enable UNIX system accounts as an authentication source (the unix module section of radiusd.conf); the shadow file is why /etc/shadow had to be made readable by the server's group.

    passwd = /etc/passwd
    shadow = /etc/shadow
    group = /etc/group
Configure FreeRADIUS for NAS clients
• Add the NAS clients in /etc/raddb/clients.conf.
• You can add single clients or whole subnets.
• Security is higher if you list each NAS by its own IP address and give each one a different secret: with a subnet entry, any host in that subnet that learns the secret can talk to the server as a NAS, and a secret shared by several devices is compromised everywhere as soon as one device is.
• Below is the page's declaration for the access point followed by a subnet declaration. Note that 192.168.1.254/24 is parsed as the whole 192.168.1.0/24 network; since the access point is a single host, use 192.168.1.254 (equivalent to /32) for it. Both entries also reuse the same secret, which the point above argues against.

    client 192.168.1.254/24 {
        secret = mysecret1
        shortname = ap1200
        nastype = cisco
    }
    client 192.168.2.0/24 {
        secret = mysecret1
        shortname = myserver
        nastype = other
    }
Configuring the user for authentication
• The file /etc/raddb/users contains authentication and configuration information for each user.
• Add the following entries after the informative header comments. Each entry starts with a user name (or DEFAULT for a catch-all) followed by check items on the same line, with reply items on the indented lines below; entries are matched in order, so a DEFAULT entry placed first will catch every user unless it falls through.
• We prepare for LDAP and local authentication of users who authenticate through the NAS. The check items given are shown here with placeholder names; the page supplies only the check and reply items themselves.

    DEFAULT  Auth-Type := LDAP
    kalle    Auth-Type := Local, User-Password == "mypasswd"
             Service-Type = Login
    DEFAULT  Auth-Type := System

• Auth-Type := Local compares against the clear-text User-Password stored in this file, so the file must stay readable only by root and the server; Auth-Type := System checks the UNIX password database enabled in radiusd.conf.
• The file /etc/raddb/eap.conf sets the EAP methods (there are many) used to protect the user's credentials. Change or add the following; the auth_type = PAP line sits in the gtc { } sub-block in the stock eap.conf.

    default_eap_type = md5
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }

• Caveat: EAP-MD5 authenticates only the client, derives no keying material and so cannot be used with WPA, and LEAP is susceptible to offline dictionary attacks on captured challenge/response pairs. They are used here for a lab; for production wireless, prefer a TLS-tunneled method (PEAP or EAP-TLS) configured in the tls { } section.
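The NAS-client and users-file advice above (per-NAS secrets, single-host entries, no stock secrets, no clear-text passwords lying around) is easy to check mechanically. The following is an added example, not the page's or the FreeRADIUS project's code: a small linter for the FreeRADIUS 1.x clients.conf and users syntax. The sample configuration is constructed for the example (the two client blocks from the page plus the stock localhost client), and the 16-character minimum secret length is a threshold chosen here, not a FreeRADIUS rule.

```python
"""Lint FreeRADIUS 1.x clients.conf and users for weak NAS-client setups (example code)."""
import ipaddress
import re
from collections import defaultdict

MIN_SECRET_LEN = 16                      # threshold chosen for this example
KNOWN_DEFAULT_SECRETS = {"testing123"}   # stock value shipped in the example clients.conf

# client <addr> { key = value ... }  (no nested braces in the 1.x clients.conf syntax)
_BLOCK = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
_KV = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n#]*?)"?\s*(?:#.*)?$', re.M)
# users file: "<name> ... User-Password == "..."" on one line
_USERS_PW = re.compile(r'^(\S+)\s+.*\bUser-Password\s*==\s*"', re.M)


def parse_clients(text):
    """Return one dict per client block: its key/value pairs plus 'addr'."""
    clients = []
    for m in _BLOCK.finditer(text):
        kv = dict(_KV.findall(m.group(2)))
        kv["addr"] = m.group(1)
        clients.append(kv)
    return clients


def lint_clients(text):
    """Return (client name, problem) pairs for subnet-wide, missing, stock, short or reused secrets."""
    findings, by_secret = [], defaultdict(list)
    for c in parse_clients(text):
        name = c.get("shortname", c["addr"])
        try:
            net = ipaddress.ip_network(c["addr"], strict=False)  # 192.168.1.254/24 -> 192.168.1.0/24
        except ValueError:
            net = None  # hostname entry: scope cannot be judged offline
        if net is not None and net.num_addresses > 1:
            findings.append((name, f"subnet {net} shares one secret: any host in it can act as this NAS"))
        secret = c.get("secret", "")
        if not secret:
            findings.append((name, "no secret set"))
        elif secret in KNOWN_DEFAULT_SECRETS:
            findings.append((name, "uses the stock example secret"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, f"secret is only {len(secret)} characters"))
        by_secret[secret].append(name)
    for secret, names in by_secret.items():
        if secret and len(names) > 1:
            findings.append((",".join(names), "same secret reused across NAS clients"))
    return findings


def lint_users(text):
    """Flag users-file entries that store a clear-text User-Password check item."""
    return [(m.group(1), "clear-text User-Password in users file") for m in _USERS_PW.finditer(text)]


# Constructed sample input: the page's two client blocks plus the stock localhost client.
SAMPLE_CLIENTS = """
client 192.168.1.254/24 {
    secret = mysecret1
    shortname = ap1200
    nastype = cisco
}
client 192.168.2.0/24 {
    secret = mysecret1
    shortname = myserver
    nastype = other
}
client 127.0.0.1 {
    secret = testing123
    shortname = localhost
    nastype = other
}
"""

# Constructed sample users file matching the entries discussed above.
SAMPLE_USERS = """
DEFAULT  Auth-Type := LDAP
kalle    Auth-Type := Local, User-Password == "mypasswd"
         Service-Type = Login
DEFAULT  Auth-Type := System
"""

if __name__ == "__main__":
    for name, problem in lint_clients(SAMPLE_CLIENTS) + lint_users(SAMPLE_USERS):
        print(f"{name}: {problem}")
```

Run against the page's configuration it reports the /24 scope of both client entries, the 9-character secret, its reuse by both NAS clients, the stock testing123 secret on localhost, and the clear-text password for kalle; a clean configuration for this setup would have one /32 entry per NAS with a distinct long random secret, and no User-Password check items in users.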
Configuring the Aironet 1200
• For EAP security (802.1X with dynamic WEP keys), log in to your AP and go to Express Security:
  • Enter your SSID: cisco
  • No VLAN
  • Security: EAP
  • Enter the IP address of your RADIUS server: 192.168.1.10
  • Enter the server secret: mysecret1 (this must match the secret in the server's clients.conf entry for this AP)
  • Click APPLY
• For WPA security, log in to your AP and go to Express Security:
  • Enter your SSID: cisco
  • No VLAN
  • Security: WPA
  • Enter the IP address of your RADIUS server: 192.168.1.10
  • Enter the server secret: mysecret1
  • Click APPLY
• In both cases the AP is the NAS: it relays the wireless client's EAP exchange to the RADIUS server and only bridges the client's traffic after an Access-Accept.
Configuring the user CPE equipment
• In this particular case the CPE (customer premises equipment) is a Windows XP machine with a wireless PC card.
• Install your