Difference between revisions of "Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a RADIUS Server"

From bering-uClibc
Revision as of 16:36, 11 April 2011

Advanced Topics - Setting Up a RADIUS Server


Warning: This page is written for the new FreeRADIUS version 2 variant of radius.lrp, not the old Cistron RADIUS v1.6.8 radius.lrp which is included in Bering-uClibc 4.0. The new Package, based on FreeRADIUS version 2.1.10, is expected to be included in Bering-uClibc 4.1. Davidmbrooke 14:15, 9 April 2011 (UTC)


Introduction

This page provides some guidance on setting up a Remote Authentication Dial In User Service (RADIUS) server on Bering-uClibc 4.x using the FreeRADIUS software.

A RADIUS server provides an Authentication, Authorization and Accounting (AAA) service. Typical use cases include:

  • Authenticating Wireless Network clients which use the "WPA-Enterprise" (as opposed to "WPA-PSK") authentication model where a Wireless Network Access Point is often configured to talk the RADIUS protocol to a server which knows how to authenticate users/clients.

Read the following in conjunction with the standard FreeRADIUS documentation located at http://freeradius.org/doc/.


Packages

The main Package required is radius.lrp. For normal operation the following Packages are also required.

  • lpthread.lrp
  • libcrpto.lrp
  • libssl.lrp

When connecting to different types of back-end server further Packages are required:

  • LDAP: libldap.lrp

In addition, for installation and configuration of some aspects of FreeRADIUS the following additional Package is typically required:

  • openssl.lrp


Installation

Some manual installation steps are required before running FreeRADIUS for the first time.

Generate Digital Certificate Files

The "bootstrap" script needs to be run to generate files required to support Digital Certificate processing. This is the (only) step that needs the openssl.lrp Package to be installed.

Tip: Do not add openssl.lrp to leaf.cfg but instead install it manually with a command like:

apkg -i /mnt/openssl.lrp

so that openssl.lrp will be removed at the next reboot.

Run the "bootstrap" script as follows:

cd /etc/raddb/certs/
sh bootstrap

This will create quite a number of "example" Digital Certificate files in directory /etc/raddb/certs/. FreeRADIUS will try to do this automatically the first time it runs but on Bering-uClibc 4.x this will fail, so the script must be run manually - or the relevant files installed by hand.

Run RADIUS Daemon in Debug Mode

To check the configuration settings it is highly recommended to run radiusd in debug mode, from the command line:

cd /root/
radiusd -X


Configuration

Overview

FreeRADIUS has many configuration files stored in directory /etc/raddb/ and its sub-directories. Some, but not all, of these are listed in the "radius" section of the LEAF Packages configuration menu.

All of the files under /etc/raddb/ are backed up when the LEAF configuration is saved.

Filename paths below are relative to the /etc/raddb/ directory.

Clients

From a RADIUS perspective, a "client" is a device which connects to the RADIUS server using the RADIUS protocol. It is typically either a Network Access Server (NAS) or, for a Wireless Network, an Access Point (AP).

FreeRADIUS requires that clients are defined in configuration file clients.conf. Refer to the excellent comments in the sample file.

As an example, the 3com OfficeConnect Wireless 108Mbps 11g PoE Access Point has the following fields in its web-based administration interface:

[Image: Radius Server settings for a 3com Access Point]

Assuming this Access Point is at IP address 192.168.1.101 the corresponding FreeRADIUS client entry would look like:

client SC55835A {
        ipaddr = 192.168.1.101
        secret = secret-password
        require_message_authenticator = yes
}

where "secret-password" matches the entry in the "Shared Key" field.
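To catch the mistakes this section warns about before starting radiusd, the following added example (my own code, not part of the original page or of FreeRADIUS) parses client blocks of the shape shown above and flags a missing ipaddr, a placeholder or short shared secret, and require_message_authenticator not set to yes. The sample configuration, the 16-character minimum and the assumption that blocks are flat (no nested sub-sections or comments) are mine.

```python
import re

# Constructed sample in the clients.conf block format shown on this page.
# The second client deliberately keeps the placeholder secret and omits
# require_message_authenticator so that the audit has something to report.
SAMPLE_CLIENTS_CONF = """
client SC55835A {
        ipaddr = 192.168.1.101
        secret = N7v2pQx9rLm4sWd8kZb3
        require_message_authenticator = yes
}
client lab-ap {
        ipaddr = 192.168.1.102
        secret = secret-password
}
"""

# Simplified parser: assumes flat "client NAME { key = value ... }" blocks.
CLIENT_BLOCK = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
SETTING = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(\S+)", re.MULTILINE)
PLACEHOLDER_SECRETS = {"secret-password"}  # placeholder used in the example above

def parse_clients(text):
    """Return {client_name: {setting: value}} for every client block."""
    return {name: dict(SETTING.findall(body))
            for name, body in CLIENT_BLOCK.findall(text)}

def audit_client(name, settings, min_secret_len=16):
    """Return a list of findings for one client entry (empty list = clean)."""
    findings = []
    if "ipaddr" not in settings:
        findings.append("no ipaddr: client is not pinned to an address")
    secret = settings.get("secret", "")
    if not secret:
        findings.append("no shared secret configured")
    elif secret in PLACEHOLDER_SECRETS:
        findings.append("placeholder shared secret left in place")
    elif len(secret) < min_secret_len:  # assumed minimum length policy
        findings.append(f"shared secret is only {len(secret)} characters")
    if settings.get("require_message_authenticator", "no").lower() != "yes":
        findings.append("require_message_authenticator is not 'yes'")
    return findings

def audit_clients_conf(text):
    """Map every client name to its list of findings."""
    return {name: audit_client(name, s) for name, s in parse_clients(text).items()}

if __name__ == "__main__":
    for name, findings in audit_clients_conf(SAMPLE_CLIENTS_CONF).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run it against a copy of your own clients.conf by reading the file into a string and passing it to audit_clients_conf.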


Further Reading
