Radius Server: Difference between revisions

From Network Security Wiki
Latest revision as of 17:02, 27 January 2022

Installing FreeRadius

Installing freeradius on Ubuntu 16.10:

Source: blog.moatazthenervous.com

sudo apt-get install freeradius

Configuration

Edit the freeradius users:

sudo nano /etc/freeradius/3.0/users  

Uncomment the user 'John Doe':

"John Doe" Auth-Type := Local, User-Password == "hello"
Reply-Message = "Hello, %u"  

Add a new User with Group Name:

aman            Cleartext-Password := "pwd123"
                Citrix-User-Groups = "S_UA_G_Superuser",
                Reply-Message = "Hello, %{User-Name}"


Test the connectivity from local machine:

sudo radtest "John Doe" hello 127.0.0.1 0 testing123  

Remote access to the radius server

sudo nano /etc/freeradius/3.0/clients.conf  

And add the following snippet:

client 0.0.0.0/0 {  
  secret = "mysecret"
  shortname = name
}

Now from another machine, try the following:

radtest "John Doe" "hello" 10.10.40.1 0 "mysecret"

You will get Access-Accept packet and "Hello, John Doe" messages.
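The radtest run above sends a PAP Access-Request in which the shared secret both obfuscates User-Password and authenticates the server's reply. The example below is added here (it is not code from this page or from FreeRADIUS): it builds that packet for "John Doe" / "hello" / "testing123" as RFC 2865 specifies and verifies the Response Authenticator of an Access-Accept; the reply-building helper and attribute number 18 (Reply-Message) are standard RFC 2865 values, not taken from the page.

```python
import hashlib
import hmac
import os
import struct
# Added example (not code from the wiki page or FreeRADIUS): builds the RFC 2865
# Access-Request that `radtest "John Doe" hello 127.0.0.1 0 testing123` sends and
# checks the Response Authenticator of the reply with the shared secret.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5

def attr(attr_type, value):  # Type(1) Length(1, header included) Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encrypt_user_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def decrypt_user_password(blob, secret, req_auth):  # server side: undo the XOR chain
    out, prev = b"", req_auth
    for i in range(0, len(blob), 16):
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret, nas_ip="127.0.0.1", nas_port=0, req_auth=None):
    req_auth = req_auth or os.urandom(16)  # fresh random Request Authenticator per request
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encrypt_user_password(password.encode(), secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_reply(code, ident, attrs, req_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_reply(reply, expected_ident, req_auth, secret):
    """True only if the reply answers our request ID and its authenticator is valid."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != expected_ident or length != len(reply):
        return False
    expected = build_reply(code, ident, reply[20:length], req_auth, secret)[4:20]
    return hmac.compare_digest(reply[4:20], expected)
```

With a client 0.0.0.0/0 entry the secret is all that distinguishes a legitimate NAS from any host that can reach UDP/1812, so it should be long and random, and the client block narrowed to the NAS addresses in production.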

Logging

Source: wiki.freeradius.org

The "log" section of the radiusd.conf file is where the primary logging configuration for the FreeRADIUS server is located.

log {
    destination = files
    file = ${logdir}/radius.log     # If Server is running in debugging mode, this file is NOT used.
#   requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
    syslog_facility = daemon
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
#   msg_goodpass = ""
#   msg_badpass = ""
}

Destination options:

files - log to "file", as defined below.
syslog - send log messages to syslog 
stdout - log to standard output.
stderr - log to standard error.

GUI

DaloRadius

Source: ubuntugeek.com

Installation

Prerequisites:

sudo apt-get install php5-common php5-gd php-pear php-db libapache2-mod-php5 php-mail

Freeradius Installation:

sudo apt-get install freeradius freeradius-mysql freeradius-utils

Database

Create Freeradius Database

sudo mysql -u root -p
mysql> create database radius;
mysql> grant all on radius.* to radius@localhost identified by "password";

Import the freeradius database schema:

sudo mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql 
sudo mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql 

Create a new user in the radius database:

sudo mysql -u root -p
mysql> use radius;
mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('sqltest', 'Password', 'testpwd');
mysql> exit

Freeradius

Edit the /etc/freeradius/sql.conf file:

sudo nano /etc/freeradius/sql.conf

Make sure it has the following details:

database = mysql
login = radius
password = password

Uncomment the following

readclients = yes

Now you need to edit the /etc/freeradius/sites-enabled/default file

sudo vi /etc/freeradius/sites-enabled/default

Uncomment the sql option in the following sections:

accounting

# See "Authorization Queries" in sql.conf

sql

session

# See "Authorization Queries" in sql.conf

sql

Post-Auth-Type

# See "Authorization Queries" in sql.conf

sql

Now edit /etc/freeradius/radiusd.conf file

sudo nano /etc/freeradius/radiusd.conf 

Uncomment the following option

   $INCLUDE sql.conf


Restart freeradius server:

sudo /etc/init.d/freeradius stop

Run freeradius in debugging mode. If there is no error, you are ready to go.

sudo freeradius -X

Start the freeradius using the following command

sudo /etc/init.d/freeradius start

Test the radius server using the following command

sudo radtest sqltest testpwd localhost 18128 testing123

Output as follows

Sending Access-Request of id 68 to 127.0.0.1 port 1812
User-Name = "sqltest"
User-Password = "testpwd"
NAS-IP-Address = 127.0.1.1
NAS-Port = 18128
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=68, length=20

Daloradius Installation

Download the Daloradius latest version:

wget https://downloads.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
tar xvfz daloradius-0.9-9.tar.gz
mv daloradius-0.9-9 daloradius
mv daloradius /var/www

Change Permissions

sudo chown www-data:www-data /var/www/daloradius -R
sudo chmod 644 /var/www/daloradius/library/daloradius.conf.php

The MySQL database needs to be set up for daloradius by importing the daloradius schema into the 'radius' database.

cd /var/www/daloradius/contrib/db

sudo mysql -u root -p radius < mysql-daloradius.sql

Configure the following daloradius setting:

sudo nano /var/www/daloradius/library/daloradius.conf.php 

Change the database password

$configValues['CONFIG_DB_PASS'] = 'password'; 


Now configure the daloradius website in Apache:

sudo nano /etc/apache2/sites-available/daloradius.conf

and add the following lines:

Alias /daloradius "/var/www/daloradius/"

<Directory /var/www/daloradius/>
Options None
Order allow,deny
allow from all
</Directory> 

Enable the daloradius site and reload Apache with the following commands:

sudo a2ensite daloradius
sudo service apache2 reload

Daloradius Web GUI

http://10.107.88.93/daloradius

Use the following login details

username: administrator
password: radius

Troubleshooting Daloradius

  • If you get permission denied error when importing schema:
aman@ubuntu:~$ mysql -u root -ppwd@123 radius < /etc/freeradius/sql/mysql/schema.sql
-bash: /etc/freeradius/sql/mysql/schema.sql: Permission denied

Copy the files to your home directory and change the file owner:

sudo cp /etc/freeradius/sql/mysql/schema.sql ~
sudo cp /etc/freeradius/sql/mysql/nas.sql ~
sudo chown aman:aman ~/*.sql


  • If the page stops loading after login, and you get similar errors in apache error logs:
[Sat Aug 05 20:10:51.734692 2017] [:error] [pid 22226] [client 10.101.255.53:59948] PHP Warning:  include_once(DB.php): failed to open stream: No such file or directory in /var/www/daloradius/library/opendb.php on line 84, referer: http://10.107.88.93/daloradius/login.php
[Sat Aug 05 20:10:51.734877 2017] [:error] [pid 22226] [client 10.101.255.53:59948] PHP Warning:  include_once(): Failed opening 'DB.php' for inclusion (include_path='.:/usr/share/php') in /var/www/daloradius/library/opendb.php on line 84, referer: http://10.107.88.93/daloradius/login.php
[Sat Aug 05 20:10:51.734988 2017] [:error] [pid 22226] [client 10.101.255.53:59948] PHP Fatal error:  Uncaught Error: Class 'DB' not found in /var/www/daloradius/library/opendb.php:86\nStack trace:\n#0 /var/www/daloradius/dologin.php(49): include()\n#1 {main}\n  thrown in /var/www/daloradius/library/opendb.php on line 86, referer: http://10.107.88.93/daloradius/login.php

Check if all the dependencies are installed or not:

php -m

If DB is missing, install it:

sudo pear install DB
  • If the above issue still persists, the problem is that PHP 7.0 was installed, but daloradius is only supported up to PHP 5.0.

So the configuration has to be changed to work with the newer versions:

Make sure all the necessary packages are installed:

sudo apt-get install php-common php-gd php-curl php-mail php-mail-mime php-pear php-db
pear install DB

Change Syntax:

cd /var/www/html/daloradius/library/
vim daloradius.conf.php    # set CONFIG_DB_ENGINE from "mysql" to "mysqli"
vim opendb.php             # append $dbSocket->query("SET GLOBAL sql_mode = '';"); at the end of the file

Now grant the database user freeradius SUPER rights (required for SET GLOBAL) with:

mysql -u root -p 
mysql> GRANT SUPER ON *.* TO 'freeradius'@'localhost' IDENTIFIED BY 'password';
mysql> flush privileges;

You might also have to import the daloradius MySQL schema:

cd /var/www/html/daloradius/contrib/db/
mysql -u root -p radius <mysql-daloradius.sql
  • If you get DB connection failed error:
sudo nano /var/www/daloradius/library/daloradius.conf.php
$configValues['CONFIG_DB_USER'] = 'root';
$configValues['CONFIG_DB_PASS'] = 'ppwd@123';

Saving the file will let you into the landing page.


  • If you run into this issue:
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812

Then edit the below file:

sudo nano /etc/freeradius/sites-available/default

Go to around line 177 and uncomment sql:

# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
sql

Troubleshooting

If you are unable to use radtest from other servers, check the client entry and secret for 0.0.0.0/0 in the file below:

sudo nano clients.conf

Debugging

sudo service freeradius stop
sudo freeradius -X

Misc

Generating Access-Challenge requests:

test@test-ubuntu:~$ sudo radtest -t eap-md5 aman2 pwd123 10.107.88.93 0 testing123
Sending Access-Request packet to host 10.107.88.93 port 1812, id=46, length=0
       User-Name = "aman2"
       User-Password = "pwd123"
       NAS-IP-Address = 10.107.88.68
       NAS-Port = 0
       Message-Authenticator = 0x00
       EAP-Code = Response
       EAP-Type-Identity = 0x616d616e32
       EAP-Message = 0x022d000a01616d616e32
Received Access-Challenge packet from host 10.107.88.93 port 1812, id=46, length=80
       EAP-Message = 0x012e001604105b198df62a06f8e8b6f45c6e97221cbb
       Message-Authenticator = 0x85003a7abf1656a3064b38be08c17409
       State = 0xa3a3b720a38db3e96a996e0bad7460b2
       EAP-Id = 46
       EAP-Code = Request
       EAP-Type-MD5-Challenge = 0x105b198df62a06f8e8b6f45c6e97221cbb
Sending Access-Request packet to host 10.107.88.93 port 1812, id=47, length=87
       User-Name = "aman2"
       User-Password = "pwd123"
       NAS-IP-Address = 10.107.88.68
       NAS-Port = 0
       Message-Authenticator = 0x00000000000000000000000000000000
       EAP-Code = Response
       EAP-Type-MD5-Challenge = 0x10c09519c41c4c2384e79a1242928c5f31
       EAP-Id = 46
       State = 0xa3a3b720a38db3e96a996e0bad7460b2
       EAP-Message = 0x022e00160410c09519c41c4c2384e79a1242928c5f31
Received Access-Accept packet from host 10.107.88.93 port 1812, id=47, length=51
       EAP-Message = 0x032e0004
       Message-Authenticator = 0xfc73020acc54cd6b85a82c8f52c094f5
       User-Name = "aman2"
       EAP-Id = 46
       EAP-Code = Success

Packet flow is as follows:

22:40:29.222278 IP 10.107.88.68.54216 > ubuntu.radius: RADIUS, Access-Request (1), id: 0x2e length: 87
22:40:29.240517 IP ubuntu.radius > 10.107.88.68.54216: RADIUS, Access-Challenge (11), id: 0x2e length: 80
22:40:29.242083 IP 10.107.88.68.54216 > ubuntu.radius: RADIUS, Access-Request (1), id: 0x2f length: 117
22:40:29.292782 IP ubuntu.radius > 10.107.88.68.54216: RADIUS, Access-Accept (2), id: 0x2f length: 51
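To see what the EAP-Message hex values in the transcript above encode, here is an added example (not code from this page or from FreeRADIUS) that parses the EAP Identity, MD5-Challenge, Response and Success packets copied from the transcript and implements the server-side check of an EAP-MD5 response, MD5(Identifier || password || Challenge). It prints whether the transcript's response validates for the password pwd123 rather than assuming it.

```python
import hashlib
import hmac
# Added example (not code from the wiki page or FreeRADIUS): decodes the EAP-Message
# values from the radtest -t eap-md5 transcript above and checks an EAP-MD5 response
# against MD5(Identifier || password || Challenge) as the server does (RFC 3748 / RFC 1994).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS = 1, 2, 3
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4

# EAP-Message hex strings copied from the transcript on this page
IDENTITY = "022d000a01616d616e32"
CHALLENGE = "012e001604105b198df62a06f8e8b6f45c6e97221cbb"
RESPONSE = "022e00160410c09519c41c4c2384e79a1242928c5f31"
SUCCESS = "032e0004"

def parse_eap(msg):
    """Parse one EAP packet: Code(1) Id(1) Length(2) [Type(1) Type-Data]."""
    code, ident, length = msg[0], msg[1], int.from_bytes(msg[2:4], "big")
    if length != len(msg):
        raise ValueError("EAP length field does not match message size")
    pkt = {"code": code, "id": ident, "length": length}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        pkt["type"], data = msg[4], msg[5:]
        if pkt["type"] == TYPE_IDENTITY:
            pkt["identity"] = data.decode()
        elif pkt["type"] == TYPE_MD5_CHALLENGE:  # Type-Data = Value-Size(1) Value Name
            size = data[0]
            pkt["value"], pkt["name"] = data[1:1 + size], data[1 + size:]
    return pkt

def md5_response(ident, password, challenge):
    """EAP-MD5 (CHAP) response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def response_matches(request_hex, response_hex, password):
    """Server-side check: does the response hash match the challenge sent for this password?"""
    req, resp = parse_eap(bytes.fromhex(request_hex)), parse_eap(bytes.fromhex(response_hex))
    if resp["id"] != req["id"] or req.get("type") != TYPE_MD5_CHALLENGE or resp.get("type") != TYPE_MD5_CHALLENGE:
        return False
    return hmac.compare_digest(resp["value"], md5_response(resp["id"], password, req["value"]))

if __name__ == "__main__":
    for h in (IDENTITY, CHALLENGE, RESPONSE, SUCCESS):
        print(parse_eap(bytes.fromhex(h)))
    print("response valid for pwd123:", response_matches(CHALLENGE, RESPONSE, b"pwd123"))
```

EAP-MD5 authenticates only the client, and anyone who captures the challenge and response can test password guesses against them offline, which is why it is normally confined to lab setups like this one.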


Similar Packet capture file: RADIUS2

Forcing EAP for a user:

        This section is under construction.

Forcing just EAP

        This section is under construction.


