Summary: As a network administrator, you must keep administrative user information for every
network device you manage, but network devices usually support only limited user-management
functions. Learn how to use an external RADIUS server on Linux™ to authenticate users, in particular
against an LDAP server, so that user information is held centrally in the LDAP server and checked
by the RADIUS server. This both reduces the administrative overhead of user management and makes
the remote login process more secure.
In this article, I will address the confidentiality aspect of data security: Making sure protected data can
only be accessed by authorized people or systems. You'll learn how to set up and configure a Remote
Authentication Dial-In User Service server (RADIUS) on a Linux system to perform authentication,
authorization, and accounting (AAA) for users.
Let's start by talking about the RADIUS protocol, the AAA components and how they work, and the
LDAP protocol.
The Remote Authentication Dial-In User Service protocol is defined in the IETF's RFC 2865 (see
Resources for a link). It allows a network access server (NAS) to perform authentication, authorization,
and accounting for users. RADIUS is a client/server protocol carried over UDP. The RADIUS client, the
network access server, is typically a router, switch, or wireless access point (WAP). The RADIUS server
is usually a daemon process running on a UNIX or Windows 2000 server.
When the NAS receives a user connection request, it passes the credentials to its designated RADIUS
server in an Access-Request. The server authenticates the user and answers with an Access-Accept
carrying the user's configuration attributes, or with an Access-Reject. The NAS then admits or refuses
the connection accordingly.
A full-featured RADIUS server can check passwords through a variety of mechanisms in addition to
LDAP, including
PAP (Password Authentication Protocol, used with PPP; the client sends the password itself to the
NAS for comparison, and between the NAS and the RADIUS server the password is only obfuscated
with the shared secret, not encrypted);
CHAP (Challenge Handshake Authentication Protocol; more secure than PAP because the client answers
a challenge with an MD5 hash computed over the password, so the password itself never crosses the
link. The server must then have the clear-text password available, which a directory that stores only
hashed passwords cannot supply);
the local UNIX/Linux system password database (/etc/passwd and /etc/shadow);
other local databases.
Authentication and authorization are combined in RADIUS. If the username is found and the
password is correct, the RADIUS server returns an Access-Accept response containing attribute-value
pairs that define what the user is granted. These attributes are configured on the RADIUS server and
include the service type, protocol type, the IP address to assign to the user, an access control list (ACL)
or static route to apply on the NAS, and other values.
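The following Python script is an added example, not code from the article or from FreeRADIUS. It implements both sides of the Access-Request/Access-Accept exchange described above at the wire level of RFC 2865: the PAP User-Password hiding and the CHAP-Password hash from the list above, the Access-Accept carrying a Service-Type of NAS-Prompt-User, and the Response Authenticator that lets the NAS check that a reply was produced by a holder of the shared secret. The user database, password and secret are constructed stand-ins for the LDAP lookup.

```python
"""RFC 2865 Access-Request/Accept round trip. Added example, not article or FreeRADIUS code;
USERS, the secret and the password are constructed stand-ins for the LDAP lookup."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, SERVICE_TYPE, CHAP_CHALLENGE = 1, 2, 3, 6, 60
NAS_PROMPT_USER = 7  # Service-Type value the article returns for router admin logins
USERS = {b"David": b"s3cret-pw"}  # constructed user database

def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (Length counts the 2-byte header)."""
    return bytes([atype, 2 + len(value)]) + value

def parse_attrs(body: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return attrs

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(16 * max(1, (len(password) + 15) // 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the secret recovers the PAP password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: CHAP ident byte followed by MD5(ident + password + challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def build_access_request(user: bytes, password: bytes, secret: bytes, use_chap: bool = False):
    """NAS side. Returns (packet, request authenticator); the NAS keeps the latter to check the reply."""
    req_auth = os.urandom(16)
    attrs = [attr(USER_NAME, user)]
    if use_chap:
        challenge = os.urandom(16)
        attrs += [attr(CHAP_CHALLENGE, challenge), attr(CHAP_PASSWORD, chap_password(1, password, challenge))]
    else:
        attrs.append(attr(USER_PASSWORD, hide_password(password, secret, req_auth)))
    return packet(ACCESS_REQUEST, 1, req_auth, attrs), req_auth

def handle_access_request(pkt: bytes, secret: bytes) -> bytes:
    """Server side: check the credential against USERS, answer Accept (with Service-Type) or Reject."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = pkt[4:20], parse_attrs(pkt[20:])
    expected = USERS.get(attrs.get(USER_NAME, b""))
    ok = False
    if expected is not None and len(attrs.get(CHAP_PASSWORD, b"")) == 17:
        challenge = attrs.get(CHAP_CHALLENGE, req_auth)  # no CHAP-Challenge: the authenticator is the challenge
        ok = hmac.compare_digest(attrs[CHAP_PASSWORD], chap_password(attrs[CHAP_PASSWORD][0], expected, challenge))
    elif expected is not None and USER_PASSWORD in attrs:
        ok = hmac.compare_digest(reveal_password(attrs[USER_PASSWORD], secret, req_auth), expected)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = [attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER))] if ok else []
    body = b"".join(reply_attrs)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(struct.pack("!BBH", reply_code, ident, 20 + len(body)) + req_auth + body + secret).digest()
    return packet(reply_code, ident, resp_auth, reply_attrs)

def verify_reply(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: a reply whose authenticator does not verify was not built with our secret."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def exchange(user: bytes, password: bytes, secret: bytes = b"per-nas-secret", use_chap: bool = False) -> int:
    """One round trip; returns the reply code (2 = Access-Accept, 3 = Access-Reject)."""
    req, req_auth = build_access_request(user, password, secret, use_chap)
    reply = handle_access_request(req, secret)
    if not verify_reply(reply, req_auth, secret):
        raise ValueError("reply authenticator mismatch: spoofed reply or wrong shared secret")
    return reply[0]
```

Calling exchange(b"David", b"s3cret-pw") returns 2 and exchange(b"David", b"guess") returns 3. Two points are worth noticing. reveal_password shows that anyone holding the shared secret, or able to guess a weak one offline from a captured packet, recovers every PAP password that crossed the wire, which is why the secret should be long, random and different for each NAS. And only the User-Password attribute is hidden at all: the User-Name, the NAS addresses and the reply attributes (including the privilege level) are readable, and without the Message-Authenticator attribute of RFC 2869 the request itself carries no integrity check.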
RADIUS accounting (defined in RFC 2866; see Resources for a link) lets the NAS send a record at the
start and at the end of each session, reporting the resources used (time, packets, and bytes), which can
serve security auditing or billing needs.
The Lightweight Directory Access Protocol (LDAP) is an open standard that defines a method for
accessing and updating information in an X.500-like directory. LDAP can keep user information in one
central place, so that identical user information need not be stored on every system, and it provides a
consistent, controlled way to maintain and access that information.
LDAP simplifies user administration tasks by managing users in a central directory. In addition to storing
user information, defining users in LDAP allows for such optional features as limiting the number of
logins. In this article you'll learn how a RADIUS server is configured to authenticate users against LDAP
-- since the article focuses on RADIUS, I will not describe the details on the installation and configuration
of an LDAP server.
OpenLDAP is an open source implementation of LDAP; you can find detailed information on it at
OpenLDAP.org (see Resources for a link).
The scenario
The user at home can access his company's intranet by dial-up authentication.
Wireless-enabled laptops can be connected to a campus network by wireless authentication.
Administrators use their workstations to log into network devices via telnet or HTTP via
administrative user authentication.
All these authentication tasks can be handled by one RADIUS server checking against a central LDAP
server (see Figure 1).
Installing RADIUS
RADIUS server software is available from several sources. I'll be using FreeRADIUS in this article
(see Resources for a link). An alternative is the Cisco Secure Access Control Server (ACS), a centralized
access-control framework for user management across Cisco devices that runs on UNIX and Windows
and also supports the Cisco proprietary protocol TACACS+, which offers more user-management
features on TACACS+-enabled devices.
FreeRADIUS is a powerful open source RADIUS server for Linux that fits today's distributed,
heterogeneous computing environments. FreeRADIUS 1.0.2 supports LDAP, MySQL, PostgreSQL, and
Oracle databases and is compatible with network protocols such as EAP and Cisco LEAP. FreeRADIUS
is deployed in many large-scale production networks.
The following steps demonstrate how to install and test FreeRADIUS 1.0.2 on Red Hat Enterprise Linux
Advanced Server 3.0:
I also recommend another free tool, NTRadPing (see Resources for a link), for testing authentication and
authorization requests from Windows clients. It displays detailed responses, including the attribute
values sent back by the RADIUS server.
Configuring FreeRADIUS
Configuring the RADIUS server consists of configuring the server, the client, and the user (both for
authentication and authorization). There can be different configurations of the RADIUS server for
different needs; fortunately most of the configurations are similar.
Configuring the server
FreeRADIUS configuration files are usually stored in the /etc/raddb directory. First, modify the
radiusd.conf file as shown.
1) Global settings:
2) LDAP settings:
modules {
    ldap {
        # hostname or IP address of the LDAP server
        server = "bluepages.ibm.com"
        # 636 is the LDAPS port; the port number alone does not turn on
        # encryption, the module's TLS settings must be enabled as well
        port = 636
        # base Distinguished Name (DN) for searches: the Organization (O)
        # "ibm.com", Organizational Unit (OU) "bluepages"
        basedn = "ou=bluepages,o=ibm.com"
        # search filter; %u expands to the User-Name from the request
        filter = "(mail=%u)"
        # base search criteria
        base_filter = "(objectclass=person)"
    }
}
The parameters are set for working with IBM BluePages, an instance of an LDAP service; they will
differ for other LDAP servers. Two things to check before relying on this configuration. First, setting
port to 636 by itself does not encrypt the session: in FreeRADIUS 1.x the ldap module must also have
its TLS options enabled (tls_mode or start_tls, together with tls_cacertfile and tls_require_cert so that
the directory's certificate is actually verified), otherwise every user password that FreeRADIUS binds
with crosses the network in clear text. Second, unless the directory permits anonymous searches, the
module also needs identity and password set to an account that is allowed to search under the base DN.
Clients are configured in /etc/raddb/clients.conf. There are two ways to configure RADIUS clients: you
can group the NAS devices by IP subnet (Listing 3), so that every device in the subnet shares one secret,
or you can list each NAS by hostname or IP address (Listing 4), which also lets you give each device its
own shortname, nastype and, more importantly, its own shared secret.
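As an added example (these are not the article's Listings 3 and 4), here are the two forms side by side in the FreeRADIUS 1.x clients.conf syntax. The addresses, shortnames and secrets are assumptions; the router address is the NAS that appears in Listing 11, and testing123 is the placeholder secret shipped in the default configuration.

```text
# /etc/raddb/clients.conf (added example; addresses and secrets are assumed)

# Form 1: one entry for the whole management subnet. Every device in
# 192.168.0.0/24 presents the same secret, so a compromised switch or AP can
# impersonate the router towards FreeRADIUS and, if it can see the traffic,
# decode every PAP password sent with this secret. Never keep testing123.
client 192.168.0.0/24 {
	secret    = testing123
	shortname = mgmt-net
}

# Form 2: one entry per NAS, each with its own long random secret. Only this
# form lets you revoke a single device's secret; nastype tells the checkrad
# helper how to query the device when Simultaneous-Use checks are enabled.
client 192.168.0.1 {
	secret    = Q7vR2mL9xC4nB8kD3pF6hJ1sW5zT0yA
	shortname = router1
	nastype   = cisco
}

client 192.168.0.10 {
	secret    = M3nK8rD1vB6cX9qZ4wL7tP2sH5jF0gY
	shortname = ap1
	nastype   = cisco
}
```

If both forms are present, the more specific entry wins for a given source address, so per-device entries can override a subnet entry used as a catch-all.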
The file /etc/raddb/users contains authentication and configuration information for each user.
2) Service type:
The following attribute-value (AV) pair should be configured on the authentication server for user
authorization. It is returned to the NAS for an administrator login request once authentication has been
accepted.
Level 1 is non-privileged. The prompt is router>, the default level for login.
Level 15 is privileged. The prompt is router#, the level after going into enable mode.
Levels 2 through 14 are not used in a default configuration.
The following AV pair gives a user who logs into the network access server immediate access to
privileged EXEC commands (level 15), without going through enable:
Cisco-AVPair = "shell:priv-lvl=15"
The following AV pairs do the same for a Cisco Aironet access point. The value is the set of
administrative capabilities granted; the three examples run from full rights (write, SNMP, identity,
firmware and admin) down to admin only, so give each administrator the narrowest set that covers the job:
Cisco-AVPair = "aironet:admin-capability=write+snmp+ident+firmware+admin"
Cisco-AVPair = "aironet:admin-capability=ident+admin"
Cisco-AVPair = "aironet:admin-capability=admin"
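Putting these attributes into users file entries, as an added example rather than the article's listing. Assuming ldap is listed in the authorize section, rlm_ldap sets the Auth-Type when it finds the user, so the entries here only supply reply items; selecting on NAS-IP-Address (the router 192.168.0.1 from Listing 11, and an assumed address 192.168.0.10 for the access point) is one way to hand the right vendor attribute to each device type.

```text
# /etc/raddb/users (added example; the AP address is an assumption)

# Administrators logging into the router: EXEC shell, straight into level 15
DEFAULT	NAS-IP-Address == 192.168.0.1
	Service-Type = NAS-Prompt-User,
	Cisco-AVPair = "shell:priv-lvl=15"

# The same people on the Aironet AP: start with the narrowest capability set
# and widen it only for the administrators who need firmware or SNMP rights
DEFAULT	NAS-IP-Address == 192.168.0.10
	Service-Type = NAS-Prompt-User,
	Cisco-AVPair = "aironet:admin-capability=admin"
```

The first line of each entry holds the check items, the tab-indented lines that follow hold the reply items, and processing stops at the first matching entry unless it sets Fall-Through. The Service-Type = NAS-Prompt-User reply is the one that shows up again in the accounting record of Listing 11.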
Next we'll configure the NAS, first for a Cisco router, then for a Cisco WAP.
For the Cisco IOS 12.1 router, we'll enable AAA, then configure authentication, authorization, and
accounting.
AAA must be enabled on the router. Then a list of RADIUS servers that will provide AAA services for the NAS
is specified, together with the key. The key is the RADIUS shared secret: it does not encrypt the traffic between
the NAS and the server, it hides the User-Password attribute and authenticates the server's replies, so it must be
identical to the secret configured for this NAS in FreeRADIUS's clients.conf and should be long, random and
unique to the device.
In this example, network administrators are authenticated by RADIUS. Only if no RADIUS server responds does
the NAS fall back to its local user database; a rejection from RADIUS is final and is not retried locally.
Allow the user to run an EXEC shell when logging into the NAS.
The router must be specifically configured to send accounting records to the RADIUS server. Use the
commands in Listing 9 to record accounting information on NAS system events, network connections,
outbound connections, EXEC operations, and commands at levels 1 and 15.
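The following IOS 12.1 configuration is an added example standing in for the article's listings, not Cisco's or the author's text. The RADIUS server address 192.168.0.2, the source interface, the local fallback account and the key are assumptions; the key must equal the secret in the matching clients.conf entry, and the NAS address 192.168.0.1 is the one from Listing 11.

```text
! Added example for IOS 12.1 (server address, interface, key and local account assumed)
aaa new-model
!
! RADIUS server list and shared secret. IOS 12.1 defaults to the legacy ports
! 1645/1646, while FreeRADIUS listens on 1812/1813 unless /etc/services says
! otherwise, so name both ports explicitly.
radius-server host 192.168.0.2 auth-port 1812 acct-port 1813 key Q7vR2mL9xC4nB8kD3pF6hJ1sW5zT0yA
radius-server timeout 3
radius-server retransmit 2
! the source address must be the one matched by the client entry in clients.conf
ip radius source-interface FastEthernet0/0
!
! Login: ask RADIUS; use the local database only when no server answers.
! An Access-Reject is final: the local database is not consulted after one.
aaa authentication login default group radius local
!
! Authorization: RADIUS decides the EXEC shell and privilege level
! (shell:priv-lvl=15 from the users file); local again only if RADIUS is down.
aaa authorization exec default group radius local
!
! Accounting: system events, network and outbound connections, EXEC sessions,
! and commands at levels 1 and 15. Cisco's documentation lists command
! accounting as TACACS+-only, so expect no RADIUS records from the two
! "commands" lines.
aaa accounting system default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting exec default start-stop group radius
aaa accounting commands 1 default start-stop group radius
aaa accounting commands 15 default start-stop group radius
!
! Emergency account used only while RADIUS is unreachable (placeholders)
username admin privilege 15 password <local-fallback-password>
enable secret <enable-password>
!
line vty 0 4
 login authentication default
 authorization exec default
 accounting exec default
 ! the article uses telnet; where the image supports it, "transport input ssh"
 ! keeps the administrator's password off the wire
 transport input telnet
```

Verify the result from the router with "test aaa group radius <user> <password> legacy" where the image provides it, and on the FreeRADIUS side by running radiusd -X in the foreground, which prints every attribute received and returned.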
That's it. Now let's look at configuring for a Cisco wireless access point. The following configuration
applies to the Cisco 1200 Series AP with Firmware 12.01T1. As shown in the screen shot in Figure 2,
you:
On the same page you can also configure EAP authentication, so that FreeRADIUS authenticates ordinary
wireless LAN users as well as administrators.
Now that all the configurations have been completed, the FreeRADIUS server can start logging all
information sent by NAS, storing it in the /var/log/radius/radius.log file like so:
Detailed accounting information is stored in the /var/log/radius/radacct directory. Listing 11 shows the Start
record of a session in which David logged into router 192.168.0.1 from 192.168.0.94; together with the matching
Stop record it places the session between 19:40 and 19:51 on March 4, 2005. This level of detail helps
administrators investigating security incidents and keeps an easily auditable record.
Listing 11. Sample of the RADIUS-supplied accounting details
Fri Mar 4 19:40:12 2005
NAS-IP-Address = 192.168.0.1
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "David"
Calling-Station-Id = "192.168.0.94"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = NAS-Prompt-User
Acct-Session-Id = "00000026"
Acct-Delay-Time = 0
Client-IP-Address = 192.168.0.1
Acct-Unique-Session-Id = "913029a52dacb116"
Timestamp = 1109936412
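The parser below is an added example, not part of the article. It reads the detail-file format of Listing 11, pairs each Start with its Stop by NAS address and Acct-Session-Id, and reports the session duration plus the two cases an auditor wants flagged: sessions with no Stop and Stops with no Start. The embedded sample is constructed: the first record is the Start record of Listing 11, while the Stop record (19:51, matching the text above) and the second, still-open session are invented to exercise the logic.

```python
"""Pair Start/Stop records from a FreeRADIUS detail file (the format of Listing 11).
Added example, not from the article. SAMPLE_DETAIL is constructed: record 1 is the
Start record of Listing 11; the Stop record and the second session are invented."""
import re

SAMPLE_DETAIL = """\
Fri Mar  4 19:40:12 2005
\tNAS-IP-Address = 192.168.0.1
\tNAS-Port = 1
\tNAS-Port-Type = Virtual
\tUser-Name = "David"
\tCalling-Station-Id = "192.168.0.94"
\tAcct-Status-Type = Start
\tAcct-Authentic = RADIUS
\tService-Type = NAS-Prompt-User
\tAcct-Session-Id = "00000026"
\tAcct-Delay-Time = 0
\tClient-IP-Address = 192.168.0.1
\tAcct-Unique-Session-Id = "913029a52dacb116"
\tTimestamp = 1109936412

Fri Mar  4 19:51:12 2005
\tNAS-IP-Address = 192.168.0.1
\tNAS-Port = 1
\tUser-Name = "David"
\tCalling-Station-Id = "192.168.0.94"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "00000026"
\tAcct-Session-Time = 660
\tAcct-Terminate-Cause = User-Request
\tClient-IP-Address = 192.168.0.1
\tTimestamp = 1109937072

Fri Mar  4 22:05:40 2005
\tNAS-IP-Address = 192.168.0.1
\tNAS-Port = 2
\tUser-Name = "David"
\tCalling-Station-Id = "10.9.8.7"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "00000027"
\tClient-IP-Address = 192.168.0.1
\tTimestamp = 1109945140
"""


def parse_detail(text: str) -> list:
    """One dict per record; records are separated by blank lines, the first line is the log time."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = block.splitlines()
        rec = {"_logged": lines[0].strip()}
        for line in lines[1:]:
            name, sep, value = line.strip().partition(" = ")
            if sep:
                rec[name] = value.strip().strip('"')
        records.append(rec)
    return records


def pair_sessions(records: list) -> dict:
    """Group by (NAS, Acct-Session-Id): session ids are only unique within one NAS."""
    sessions = {}
    for rec in records:
        key = (rec.get("NAS-IP-Address"), rec.get("Acct-Session-Id"))
        s = sessions.setdefault(key, {
            "nas": key[0], "session_id": key[1], "user": rec.get("User-Name"),
            "from": rec.get("Calling-Station-Id"), "start": None, "stop": None,
            "reported_time": None, "terminate_cause": None})
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            s["start"] = int(rec["Timestamp"])
        elif status == "Stop":
            s["stop"] = int(rec["Timestamp"])
            s["terminate_cause"] = rec.get("Acct-Terminate-Cause")
            if "Acct-Session-Time" in rec:
                s["reported_time"] = int(rec["Acct-Session-Time"])
    return sessions


def session_report(records: list) -> list:
    """Per-session rows with the duration and two audit flags: open (no Stop) and orphan (no Start)."""
    rows = []
    for s in pair_sessions(records).values():
        duration = s["stop"] - s["start"] if s["start"] is not None and s["stop"] is not None else None
        rows.append({**s, "duration_s": duration,
                     "open": s["start"] is not None and s["stop"] is None,
                     "orphan": s["start"] is None and s["stop"] is not None})
    return rows


def open_sessions(records: list) -> list:
    """Sessions still open: the administrator is logged in, or the Stop record was lost."""
    return [r for r in session_report(records) if r["open"]]


if __name__ == "__main__":
    for r in session_report(parse_detail(SAMPLE_DETAIL)):
        state = "OPEN" if r["open"] else ("ORPHAN" if r["orphan"] else f"{r['duration_s']}s")
        print(f"{r['user']:8} {r['nas']:14} from {r['from']:14} session {r['session_id']} {state}")
```

Acct-Session-Id is only unique per NAS, which is why the key includes NAS-IP-Address; Acct-Unique-Session-Id, when present, is the hash FreeRADIUS adds for the same purpose. Accounting runs over UDP with no acknowledgement beyond the Accounting-Response, so an open session can equally mean an administrator still logged in, a NAS that rebooted, or a Stop record that never arrived; each of those is worth a look.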
Conclusion
By following the steps outlined in this article, you can set up a Remote Authentication Dial-In User
Service server that uses an external LDAP server for user information and handles authentication,
authorization, and accounting for your network devices. This article has provided the following to help
you accomplish this task:
An introduction to the RADIUS and LDAP servers and to the AAA concept.
A scenario to put the installation and implementation into context.
Instructions on installing and configuring the RADIUS server.
Details on configuring the network access server.
A sample of the detailed information that RADIUS will provide and manage.
These instructions make quick work of ensuring that your network devices, and the protected data behind
them, can only be accessed by authorized entities.