Difference between revisions of "Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a RADIUS Server"
Davidmbrooke (Talk | contribs) (Expanded Confguration section) |
Davidmbrooke (Talk | contribs) (General improvements) |
||
Line 24: | Line 24: | ||
==Packages== | ==Packages== | ||
− | The main Package | + | The main Package is <code class="filename">radius.lrp</code> which is dependent on the following Packages: |
− | + | ||
* <code class="filename">lpthread.lrp</code> | * <code class="filename">lpthread.lrp</code> | ||
* <code class="filename">libcrpto.lrp</code> | * <code class="filename">libcrpto.lrp</code> | ||
* <code class="filename">libssl.lrp</code> | * <code class="filename">libssl.lrp</code> | ||
+ | |||
+ | There is a separate, optional Package <code class="filename">radutils.lrp</code> containing some RADIUS utilities, specifically: | ||
+ | * radclient | ||
+ | * radeapclient | ||
+ | * radlast | ||
+ | ** This does not currently work because the Busybox "last" command does not accept command-line arguments | ||
+ | * radsniff | ||
+ | ** This has a further dependency, on <code class="filename">libpcap.lrp</code> | ||
+ | * radtest | ||
+ | * radwho | ||
+ | * radzap | ||
When connecting to different types of back-end server further Packages are required: | When connecting to different types of back-end server further Packages are required: | ||
− | ; | + | ; ldap : <code class="filename">libldap.lrp</code> |
+ | ; sql_mysql : <code class="filename">libmysql.lrp</code>, <code class="filename">libz.lrp</code> | ||
In addition, for installation and configuration of some aspects of FreeRADIUS the following additional Package is typically required: | In addition, for installation and configuration of some aspects of FreeRADIUS the following additional Package is typically required: | ||
Line 86: | Line 97: | ||
} | } | ||
where "''secret-password''" matches the entry in the "Shared Key" field. | where "''secret-password''" matches the entry in the "Shared Key" field. | ||
+ | |||
+ | |||
+ | ==Logging== | ||
+ | Except when started in debug mode (e.g. as "<tt>radiusd -X</tt>") the RADIUS daemon writes log output to file <code class="filename">/var/log/radius/radius.log</code>. | ||
+ | |||
+ | This log file is "rotated" on a daily basis by a RADIUS-specific cron script - <code class="filename">/etc/cron.daily/radiusd</code>. | ||
+ | |||
+ | Individual client authentication transactions are not logged by default. To enable this behaviour edit <code class="filename">radiusd.conf</code> and specify "<tt>auth = yes</tt>" in the "<tt>log</tt>" configuration section. | ||
+ | |||
+ | Further logfiles are created in the <code class="filename">/var/log/radius/</code> directory: | ||
+ | * radutmp | ||
+ | * radwtmp | ||
+ | The <code class="filename">radwtmp</code> file is "rotated" on a monthly basis by cron script <code class="filename">/etc/cron.monthly/radiusd</code>. | ||
+ | |||
+ | Still further files are created under the <code class="filename">/var/log/radius/radacct/</code> directory, in per-client sub-directories. | ||
+ | These "<tt>detail</tt>" files are automatically created in date-stamped files (e.g. <code class="filename">detail-20110411</code>, for 11 Apr 2011). | ||
+ | Files more than 7 days old are deleted by cron script <code class="filename">/etc/cron.weekly/radiusd</code> | ||
Revision as of 17:16, 12 April 2011
Advanced Topics - Setting Up a RADIUS Server | ||
---|---|---|
Prev | Bering-uClibc 4.x - User Guide | Next |
Warning: This page is written for the new FreeRADIUS version 2 variant of radius.lrp
, not the old Cistron RADIUS v1.6.8
radius.lrp
which is included in Bering-uClibc 4.0.
The new Package, based on FreeRADIUS version 2.1.10, is expected to be included in Bering-uClibc 4.1. Davidmbrooke 14:15, 9 April 2011 (UTC)
Contents
Introduction
This page provides some guidance on setting up a Remote Authentication Dial In User Service (RADIUS) server on Bering-uClibc 4.x using the FreeRADIUS software.
A RADIUS server provides an Authentication, Authorization and Accounting (AAA) service. Typical use cases include:
- Authenticating Wireless Network clients which use the "WPA-Enterprise" (as opposed to "WPA-PSK") authentication model where a Wireless Network Access Point is often configured to talk the RADIUS protocol to a server which knows how to authenticate users/clients.
Read the following in conjunction with the standard FreeRADIUS documentation located here.
Packages
The main Package is radius.lrp
which is dependent on the following Packages:
-
lpthread.lrp
-
libcrpto.lrp
-
libssl.lrp
There is a separate, optional Package radutils.lrp
containing some RADIUS utilities, specifically:
- radclient
- radeapclient
- radlast
- This does not currently work because the Busybox "last" command does not accept command-line arguments
- radsniff
- This has a further dependency, on
libpcap.lrp
- This has a further dependency, on
- radtest
- radwho
- radzap
When connecting to different types of back-end server further Packages are required:
- ldap
-
libldap.lrp
- sql_mysql
-
libmysql.lrp
,libz.lrp
In addition, for installation and configuration of some aspects of FreeRADIUS the following additional Package is typically required:
-
openssl.lrp
Installation
Some manual installation steps are required before running FreeRADIUS for the first time.
Generate Digital Certificate Files
The "bootstrap" script needs to be run to generate files required to support Digital Certificate processing.
This is the (only) step that needs the openssl.lrp
Package to be installed.
Tip: Do not add openssl.lrp
to leaf.cfg
but instead install it manually with a command like:
apkg -i /mnt/openssl.lrp
so that openssl.lrp
will be removed at the next reboot.
Run the "bootstrap" script as follows:
cd /etc/raddb/certs/ sh bootstrap
This will create quite a number of "example" Digital Certificate files in directory /etc/raddb/certs/
.
FreeRADIUS will try to do this automatically the first time it runs but on Bering-uClibc 4.x this will fail, so the script must be run manually - or the relevant files installed by hand.
Run RADIUS Daemon in Debug Mode
To check the configuration settings it is highly recommended to run radiusd in debug mode, from the command line:
cd /root/ radiusd -X
Configuration
Overview
FreeRADIUS has many configuration files stored in directory /etc/raddb/
and its sub-directories.
Some, but not all, of these are listed in the "radius" section of the LEAF Packages configuration menu.
All of the files under /etc/raddb/
are backed up when the LEAF configuration is saved.
Filename paths below are relative to the /etc/raddb/
directory.
Clients
From a RADIUS perspective, a "client" is a device which connects to the RADIUS server using the RADIUS protocol. It is typically either a Network Access Server (NAS) or, for a Wireless Network, an Access Point (AP).
FreeRADIUS requires that clients are defined in configuration file clients.conf
.
Refer to the excellent comments in the sample file.
As an example, the 3com OfficeConnect Wireless 108Mbps 11g PoE Access Point has the following fields in its web-based administration interface:
Assuming this Access Point is at IP address 192.168.1.101 the corresponding FreeRADIUS client entry would look like:
client SC55835A { ipaddr = 192.168.1.101 secret = secret-password require_message_authenticator = yes }
where "secret-password" matches the entry in the "Shared Key" field.
Logging
Except when started in debug mode (e.g. as "radiusd -X") the RADIUS daemon writes log output to file /var/log/radius/radius.log
.
This log file is "rotated" on a daily basis by a RADIUS-specific cron script - /etc/cron.daily/radiusd
.
Individual client authentication transactions are not logged by default. To enable this behaviour edit radiusd.conf
and specify "auth = yes" in the "log" configuration section.
Further logfiles are created in the /var/log/radius/
directory:
- radutmp
- radwtmp
The radwtmp
file is "rotated" on a monthly basis by cron script /etc/cron.monthly/radiusd
.
Still further files are created under the /var/log/radius/radacct/
directory, in per-client sub-directories.
These "detail" files are automatically created in date-stamped files (e.g. detail-20110411
, for 11 Apr 2011).
Files more than 7 days old are deleted by cron script /etc/cron.weekly/radiusd
Further Reading
- Standard FreeRADIUS Documentation and Wiki
- FreeRADIUS + 802.1x/WPA + OpenLDAP HOWTO
Prev | Up | Next |