Difference between revisions of "Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a RADIUS Server"

Revision as of 17:16, 12 April 2011

Advanced Topics - Setting Up a RADIUS Server
Prev	Bering-uClibc 4.x - User Guide	Next

Warning: This page is written for the new FreeRADIUS version 2 variant of radius.lrp, not the old Cistron RADIUS v1.6.8 radius.lrp which is included in Bering-uClibc 4.0. The new Package, based on FreeRADIUS version 2.1.10, is expected to be included in Bering-uClibc 4.1. Davidmbrooke 14:15, 9 April 2011 (UTC)

Introduction

This page provides some guidance on setting up a Remote Authentication Dial In User Service (RADIUS) server on Bering-uClibc 4.x using the FreeRADIUS software.

A RADIUS server provides an Authentication, Authorization and Accounting (AAA) service. Typical use cases include:

Authenticating Wireless Network clients which use the "WPA-Enterprise" (as opposed to "WPA-PSK") authentication model where a Wireless Network Access Point is often configured to talk the RADIUS protocol to a server which knows how to authenticate users/clients.

Read the following in conjunction with the standard FreeRADIUS documentation located here.

Packages

The main Package is radius.lrp which is dependent on the following Packages:

lpthread.lrp
libcrpto.lrp
libssl.lrp

There is a separate, optional Package radutils.lrp containing some RADIUS utilities, specifically:

radclient
radeapclient
radlast
- This does not currently work because the Busybox "last" command does not accept command-line arguments
radsniff
- This has a further dependency, on libpcap.lrp
radtest
radwho
radzap

When connecting to different types of back-end server further Packages are required:

ldap: libldap.lrp
sql_mysql: libmysql.lrp, libz.lrp

In addition, for installation and configuration of some aspects of FreeRADIUS the following additional Package is typically required:

openssl.lrp

Installation

Some manual installation steps are required before running FreeRADIUS for the first time.

Generate Digital Certificate Files

The "bootstrap" script needs to be run to generate files required to support Digital Certificate processing. This is the (only) step that needs the openssl.lrp Package to be installed.

Tip: Do not add openssl.lrp to leaf.cfg but instead install it manually with a command like:

apkg -i /mnt/openssl.lrp

so that openssl.lrp will be removed at the next reboot.

Run the "bootstrap" script as follows:

cd /etc/raddb/certs/
sh bootstrap

This will create quite a number of "example" Digital Certificate files in directory /etc/raddb/certs/. FreeRADIUS will try to do this automatically the first time it runs but on Bering-uClibc 4.x this will fail, so the script must be run manually - or the relevant files installed by hand.

Run RADIUS Daemon in Debug Mode

To check the configuration settings it is highly recommended to run radiusd in debug mode, from the command line:

cd /root/
radiusd -X

Configuration

Overview

FreeRADIUS has many configuration files stored in directory /etc/raddb/ and its sub-directories. Some, but not all, of these are listed in the "radius" section of the LEAF Packages configuration menu.

All of the files under /etc/raddb/ are backed up when the LEAF configuration is saved.

Filename paths below are relative to the /etc/raddb/ directory.

Clients

From a RADIUS perspective, a "client" is a device which connects to the RADIUS server using the RADIUS protocol. It is typically either a Network Access Server (NAS) or, for a Wireless Network, an Access Point (AP).

FreeRADIUS requires that clients are defined in configuration file clients.conf. Refer to the excellent comments in the sample file.

As an example, the 3com OfficeConnect Wireless 108Mbps 11g PoE Access Point has the following fields in its web-based administration interface:

Radius Server settings for a 3com Access Point

Assuming this Access Point is at IP address 192.168.1.101 the corresponding FreeRADIUS client entry would look like:

client SC55835A {
        ipaddr = 192.168.1.101
        secret = secret-password
        require_message_authenticator = yes
}

where "secret-password" matches the entry in the "Shared Key" field.

Logging

Except when started in debug mode (e.g. as "radiusd -X") the RADIUS daemon writes log output to file /var/log/radius/radius.log.

This log file is "rotated" on a daily basis by a RADIUS-specific cron script - /etc/cron.daily/radiusd.

Individual client authentication transactions are not logged by default. To enable this behaviour edit radiusd.conf and specify "auth = yes" in the "log" configuration section.

Further logfiles are created in the /var/log/radius/ directory:

radutmp
radwtmp

The radwtmp file is "rotated" on a monthly basis by cron script /etc/cron.monthly/radiusd.

Still further files are created under the /var/log/radius/radacct/ directory, in per-client sub-directories. These "detail" files are automatically created in date-stamped files (e.g. detail-20110411, for 11 Apr 2011). Files more than 7 days old are deleted by cron script /etc/cron.weekly/radiusd

@@ Line 24: / Line 24: @@
 ==Packages==
-The main Package required is <code class="filename">radius.lrp</code>.
+The main Package is <code class="filename">radius.lrp</code> which is dependent on the following Packages:
-For normal operation the following Packages are also required.
 * <code class="filename">lpthread.lrp</code>
 * <code class="filename">libcrpto.lrp</code>
 * <code class="filename">libssl.lrp</code>
+There is a separate, optional Package <code class="filename">radutils.lrp</code> containing some RADIUS utilities, specifically:
+* radclient
+* radeapclient
+* radlast
+** This does not currently work because the Busybox "last" command does not accept command-line arguments
+* radsniff
+** This has a further dependency, on <code class="filename">libpcap.lrp</code>
+* radtest
+* radwho
+* radzap
 When connecting to different types of back-end server further Packages are required:
-; LDAP : <code class="filename">libldap.lrp</code>
+; ldap : <code class="filename">libldap.lrp</code>
+; sql_mysql : <code class="filename">libmysql.lrp</code>, <code class="filename">libz.lrp</code>
 In addition, for installation and configuration of some aspects of FreeRADIUS the following additional Package is typically required:
@@ Line 86: / Line 97: @@
   }
 where "''secret-password''" matches the entry in the "Shared Key" field.
+==Logging==
+Except when started in debug mode (e.g. as "<tt>radiusd -X</tt>") the RADIUS daemon writes log output to file <code class="filename">/var/log/radius/radius.log</code>.
+This log file is "rotated" on a daily basis by a RADIUS-specific cron script - <code class="filename">/etc/cron.daily/radiusd</code>.
+Individual client authentication transactions are not logged by default. To enable this behaviour edit <code class="filename">radiusd.conf</code> and specify "<tt>auth = yes</tt>" in the "<tt>log</tt>" configuration section.
+Further logfiles are created in the <code class="filename">/var/log/radius/</code> directory:
+* radutmp
+* radwtmp
+The <code class="filename">radwtmp</code> file is "rotated" on a monthly basis by cron script <code class="filename">/etc/cron.monthly/radiusd</code>.
+Still further files are created under the <code class="filename">/var/log/radius/radacct/</code> directory, in per-client sub-directories.
+These "<tt>detail</tt>" files are automatically created in date-stamped files (e.g. <code class="filename">detail-20110411</code>, for 11 Apr 2011).
+Files more than 7 days old are deleted by cron script <code class="filename">/etc/cron.weekly/radiusd</code>

Difference between revisions of "Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a RADIUS Server"

Revision as of 17:16, 12 April 2011

Contents

Introduction

Packages

Installation

Generate Digital Certificate Files

Run RADIUS Daemon in Debug Mode

Configuration

Overview

Clients

Logging

Further Reading

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools