LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: October 24th, 2014
Linux Security Week: October 20th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Authentication Server: Setting up FreeRADIUS

3. Authentication Server: Setting up FreeRADIUS

FreeRADIUS is a fully GPLed RADIUS server implementation. It supports a wide range of authentication mechanisms, but PEAP is used for the example in this document.

3.1. Installing FreeRADIUS

Installing FreeRADIUS

  1. Head over to the FreeRADIUS site, http://www.freeradius.org/, and download the latest release.

    
   # cd /usr/local/src
       # wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.0.0.tar.gz
       # tar zxfv freeradius-1.0.0.tar.gz
       # cd freeradius-1.0.0
      
  2. Configure, make and install:

    
    # ./configure
        # make
        # make install
       

    You can pass options to configure. Use ./configure --help or read the README file, for more information.

The binaries are installed in /usr/local/bin and /usr/local/sbin. The configuration files are found under /usr/local/etc/raddb.

If something went wrong, check the INSTALL and README included with the source. The RADIUS FAQ also contains valuable information.

3.2. Configuring FreeRADIUS

FreeRADIUS has a big and mighty configuration file. It's so big, it has been split into several smaller files that are just "included" into the main radius.conf file.

There is numerous ways of using and setting up FreeRADIUS to do what you want: i.e., fetch user information from LDAP, SQL, PDC, Kerberos, etc. In this document, user information from a plain text file, users, is used.

Tip

The configuration files are thoroughly commented, and, if that is not enough, the doc/ folder that comes with the source contains additional information.

Configuring FreeRADIUS

  1. The configuration files can be found under /usr/local/etc/raddb/

    
    # cd /usr/local/etc/raddb/
       
  2. Open the main configuration file radiusd.conf, and read the comments! Inside the encrypted PEAP tunnel, an MS-CHAPv2 authentication mechanism is used.

    1. MPPE [RFC3078] is responsible for sending the PMK to the AP. Make sure the following settings are set:

      
    # under MODULES, make sure mschap is uncommented!
          mschap {
            # authtype value, if present, will be used
            # to overwrite (or add) Auth-Type during
            # authorization. Normally, should be MS-CHAP
            authtype = MS-CHAP
      
            # if use_mppe is not set to no, mschap will
            # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
            # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
            #
            use_mppe = yes
      
            # if mppe is enabled, require_encryption makes
            # encryption moderate
            #
            require_encryption = yes
      
            # require_strong always requires 128 bit key
            # encryption
            #
            require_strong = yes
      
            authtype = MS-CHAP
            # The module can perform authentication itself, OR
            # use a Windows Domain Controller. See the radius.conf file
            # for how to do this.
          }
          
    2. Also make sure the "authorize" and "authenticate" contains:

      
    authorize {
              preprocess
              mschap
      	suffix
      	eap
      	files
          }
          
          authenticate {
               
               #
               #  MSCHAP authentication.    
               Auth-Type MS-CHAP {
                     mschap
                }
      	
      	 #
               #  Allow EAP authentication.
               eap
           }
          
  3. Then, change the clients.conf file to specify what network it's serving:

    
   # Here, we specify which network we're serving
       client 192.168.0.0/16 { 
            # This is the shared secret between the Authenticator (the 
    	# access point) and the Authentication Server (RADIUS).
            secret          = SharedSecret99
            shortname       = testnet
        }
       
  4. The eap.conf should also be pretty straightforward.

    1. Set "default_eap_type" to "peap":

      
      default_eap_type = peap
           
    2. Since PEAP is using TLS, the TLS section must contain:

      
    tls { 
              # The private key password
              private_key_password = SecretKeyPass77
      	# The private key
              private_key_file = ${raddbdir}/certs/cert-srv.pem
              #  Trusted Root CA list
              CA_file = ${raddbdir}/certs/demoCA/cacert.pem
              dh_file = ${raddbdir}/certs/dh
              random_file = /dev/urandom
      	}
          
    3. Find the "peap" section, and make sure it contain the following:

      
      peap {
              #  The tunneled EAP session needs a default
              #  EAP type, which is separate from the one for
              #  the non-tunneled EAP module.  Inside of the
              #  PEAP tunnel, we recommend using MS-CHAPv2,
              #  as that is the default type supported by
              #  Windows clients.
              default_eap_type = mschapv2
            }
            
  5. The user information is stored in a plain text file users. A more sophisticated solution to store user information may be preferred (SQL, LDAP, PDC, etc.).

    Make sure the users file contains the following entry:

    
   "testuser"      User-Password == "Secret149"
       
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Pro-Privacy Senator Wyden on Fighting the NSA From Inside the System
NIST to hypervisor admins: secure your systems
Quick PHP patch beats slow research reveal
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.