This page is part of the LIFE project.
RADIUS Client Configuration on the NAS
The NAS acts as the RADIUS client, allowing authorised users to pass onto the network. In our system, when the user PPP's into the NAS, the NAS consults the RADIUS server to authenticate the username/password combination sent by the user. Upon authentication, the NAS allows the user to complete their PPP connection. A PPP tunnel is created and the user communicates with the network through the NAS.
Our NAS has two interfaces, fxp0 and fxp1. The fxp0 interface connects to the switch and is used to communicate with the RADIUS server and ITS. The fxp1 interface is directly connected to the user machine for the PPP connection. This was done in order to separate the client side of the NAS from the network side.
If the client were connected to the same switch as the NAS and RADIUS server this would create a security issue. This security issue could be overcome with assigning VLANs. VLAN 1 would be assigned to the user machine and the fxp1 interface of the NAS. VLAN 2 would be assigned to the RADIUS server, the fxp0 interface of the NAS and ITS. When a client is authenticated it would allow them access to VLAN 2. To keep the system simple it was decided that this approach would not be taken.
tun0
The first step in enabling PPP on a machine is to add the psuedo-device tun into the FreeBSD kernel. This is for the PPP connection to tunnel between the user machine and the NAS. It is done by adding the following line to the file "/usr/src/sys/i386/conf/GENERIC" and recompiling the kernel:
psuedo-device tun N # where N is the number of tunnel devices you want to add, this can be left as blank
ppp.conf
The following is the configuration added to our "/etc/ppp/ppp.conf" file:
ppp-in:
set timeout 0 # never timeout the connectionThis configuration specifies the private class A IP addresses that are to be allocated to both sides of the PPP tunnel. It also specifies that both the PAP and CHAP protocols can be used to authenticate the username/password of the user and the location of the radius configuration file.
set ifaddr 10.0.4.1/0 10.0.4.2/0 255.255.255.0 0.0.0.0
add default HISADDR
allow users
enable pap
enable chap
set radius /etc/radius.conf
Between the PAP and CHAP, CHAP is the preferred protocol as it sends passwords in encrypted form and challenges the user at random times to revalidate their identity. Since both PAP and CHAP have been enabled and the user machine supports both protocols the NAS chooses CHAP to authenticate the user in our system.
radius.conf
As specified in the ppp.conf file, the "/etc/radius.conf" file gives the IP address of the RADIUS server and the secret key shared between the NAS and RADIUS server. The following line is the contents of the radius.conf file for our system:
auth 136.186.229.225 mylittlesecret
services
When the NAS receives a request on the ppp-in port, it knows that it must read the "ppp-in:" block in the ppp.conf file by reading the following command that must be added to the "/etc/services" file:
ppp-in 6669/tcp # incoming PPP connections over TCP
ifconfig
The following is the ifconfig of the NAS interfaces fxp0 and fxp1:
| fxp0: | flags=8843 |
| inet 136.186.229.238 netmask 0xffffff00 broadcast 136.186.229.255 | |
| inet6 fe80::203:47ff:fe74:7417%fxp0 prefixlen 64 scopeid 0x1 | |
| ether 00:03:47:74:74:17 | |
| media: Ethernet autoselect (100baseTX | |
| status: active | |
| fxp1: | flags=8843 |
| inet 192.168.10.3 netmask 0xffffff00 broadcast 192.168.10.255 | |
| inet6 fe80::202:b3ff:fe0a:af7e%fxp1 prefixlen 64 scopeid 0x2 | |
| ether 00:02:b3:0a:af:7e | |
| media: Ethernet autoselect (100baseTX | |
| status: active |
rc.conf
The following is an extract of the "/etc/rc.conf" file for the NAS:
defaultrouter="136.186.229.1"
hostname="bart0.caia.swin.edu.au"
ifconfig_fxp0="inet 136.186.229.238 netmask 255.255.255.0"
ifconfig_fxp1="inet 192.168.10.3 netmask 255.255.255.0"
| ||||||||||||||||
|
