As part of a broader organisational restructure, data networking research at Swinburne University of Technology has moved from the Centre for Advanced Internet Architecture (CAIA) to the Internet For Things (I4T) Research Lab.

Although CAIA no longer exists, this website reflects CAIA's activities and outputs between March 2002 and February 2017, and is being maintained as a service to the broader data networking research community.


This page is part of the LIFE project.

RADIUS Server Configuration


FreeRADIUS on a machine running FreeBSD can be used to authenticate and authorise users as well as keep track of their account information. FreeRADIUS is one of many possible RADIUS implementations and is available for installation in the FreeBSD "/usr/ports/net/freeradius" directory. Running the following commands in the "/usr/ports/net/freeradius" directory will install FreeRADIUS:

radiusServ#make fetch
radiusServ#make build && make install

When we installed FreeRADIUS, all files in the "/usr/local/etc/raddb/users" directory ended with the .sample suffix. As we only required a simple configuration, it was enough for our purposes to edit some of these files and remove the .sample suffix.

radius.conf

The first file we edited in the "/usr/local/etc/raddb/" directory was the radius.conf file. In this file general RADIUS settings can be changed depending on the service that is to be offered. Under PROXY CONFIGURATION we changed the following:

proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf

to

proxy_requests = no
# $INCLUDE ${confdir}/proxy.conf


This was because our setup has only one RADIUS server, which does not need to consult other RADIUS servers to validate a client, so the proxy.conf file does not need to be included. This step was not required, but according to the radius.conf file it saves some resources.

clients.conf

The "/usr/local/etc/raddb/clients.conf" file tells the RADIUS server which RADIUS client or clients it is to accept and process Access-Request messages from. The RADIUS server and its clients validate each other's identity by the use of a secret key that is sent in messages between them. The following values were edited in our clients.conf file:


client 127.0.0.1 {
    secret = mylittlesecret # the secret key used between the RADIUS server and the NAS
    shortname = localhost
    nastype = other # localhost is a FreeBSD machine, not a real NAS
}

client 136.186.229.238/24 { # this is the IP address of the closest and most preferred NAS
    secret = mylittlesecret # the secret key shared with this NAS
    shortname = bart0 # the name of the NAS
}
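An added example (not part of the original page or of the LIFE project's configuration): a small Python check over clients.conf-style entries that reports secrets shorter than the 16 octets RFC 2865 prefers, one secret reused by several clients, and client entries that cover a whole address range. The sample text is constructed to mirror the entries above, and parse_clients and audit are hypothetical helper names.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample that mirrors the two client entries shown above.
SAMPLE = """
client 127.0.0.1 {
    secret = mylittlesecret   # used for local tests
    shortname = localhost
    nastype = other
}
client 136.186.229.238/24 {   # the NAS
    secret = mylittlesecret
    shortname = bart0
}
"""

CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
ITEM_RE = re.compile(r"^\s*(\w+)\s*=\s*([^#\n]*?)\s*(?:#.*)?$", re.M)

def parse_clients(text):
    """Return {client_spec: {key: value}} for every client block."""
    return {spec: dict(ITEM_RE.findall(body))
            for spec, body in CLIENT_RE.findall(text)}

def audit(text, min_len=16):
    """Return (client, finding) tuples; min_len=16 follows RFC 2865's preference."""
    findings, by_secret = [], defaultdict(list)
    for spec, items in parse_clients(text).items():
        secret = items.get("secret", "")
        by_secret[secret].append(spec)
        if len(secret) < min_len:
            findings.append((spec, "short-secret"))
        try:
            net = ipaddress.ip_network(spec, strict=False)
        except ValueError:      # entry given as a hostname: no range to measure
            continue
        if net.num_addresses > 1:
            findings.append((spec, f"range-of-{net.num_addresses}-addresses"))
    for specs in by_secret.values():
        if len(specs) > 1:      # the same secret appears under several entries
            findings.append((",".join(specs), "shared-secret-reused"))
    return findings

if __name__ == "__main__":
    for client, finding in audit(SAMPLE):
        print(f"{client}: {finding}")
```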


users

The "/usr/local/etc/raddb/users" file lists the username/password combinations the RADIUS server may authenticate. In larger environments all usernames, passwords and accounting information would be located in a separate database the RADIUS server would consult. Since we only need a limited number of users for our system, we uncommented and edited the sample user "steve" in the users file.

steve   Auth-Type := Local, User-Password == "testing"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 10.0.4.2, # this is the address allocated to the user's side of the PPP tunnel
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-MTU = 1500


ifconfig

The following is the ifconfig of the RADIUS server interface sis0:

sis0: flags=8843 mtu 1500
inet 136.186.229.225 netmask 0xffffff00 broadcast 136.186.229.255
inet6 fe80::20c:6eff:fed1:4d7d%sis0 prefixlen 64 scopeid 0x1
ether 00:0c:6e:d1:4d:7d
media: Ethernet autoselect (100baseTX )
status: active


rc.conf

The following is an extract of the "/etc/rc.conf" file for the RADIUS server:

defaultrouter="136.186.229.1"
hostname="radiusServ.caia.swin.edu.au"
ifconfig_sis0="inet 136.186.229.225 netmask 255.255.255.0"


As we have seen, configuring the RADIUS server was quite simple and only involved installing FreeRADIUS, removing the .sample suffix from the FreeRADIUS files and editing a small number of variables in the radius.conf, clients.conf and users files. It is important to remember that the secret key between the RADIUS server and NAS must be specified and must be the same on both. Also note that although FreeRADIUS supports accounting, we did not configure it for our system.

Starting FreeRADIUS

To start FreeRADIUS on the FreeBSD machine we entered the following command at the prompt:

radiusServ#radiusd

This starts FreeRADIUS on port 1812. To use the historically used RADIUS port 1645 instead, enter the command:

radiusServ#radiusd -p 1645

For more information on RADIUS options, see the FreeBSD radiusd man page.






Last Updated: Thursday 19-Feb-2004 12:01:38 AEDT
Maintained by: Ana Pavlicic apavlicic@groupwise.swin.edu.au
Authorised by: Grenville Armitage garmitage@swin.edu.au
