Dec. 5, 2009, 8:41 p.m.
posted by whitehat
Configuring RADIUS for LDAP

Many network equipment manufacturers use an authorization scheme called RADIUS to filter the types of activities a user can do. The Linux FreeRADIUS server can be configured to talk to a Linux LDAP server to handle login authentication services. In other words, the user logs into the equipment, which then sends a username/password combination to the RADIUS server; the RADIUS server queries the LDAP server to see if the user is a valid one, and then replies to the network equipment with the desired login privileges if the LDAP query is successful. You'll have to refer to your manufacturer's manuals on how to configure RADIUS, but fortunately researching how the FreeRADIUS server interacts with the Linux LDAP server is much simpler. Here are the steps.

Download and Install the FreeRADIUS Packages

Most Red Hat and Fedora Linux software products are available in the RPM format. When searching for the file, remember that the FreeRADIUS RPM's filename usually starts with freeradius followed by a version number, as in freeradius-0.9.1-1.i386.rpm.

Starting and Stopping FreeRADIUS

You can use the chkconfig command to get the FreeRADIUS daemon, radiusd, configured to start at boot:
[root@bigboy tmp]# chkconfig radiusd on
To start, stop, and restart radiusd after booting, use:
[root@bigboy tmp]# service radiusd start
[root@bigboy tmp]# service radiusd stop
[root@bigboy tmp]# service radiusd restart
Remember to restart the radiusd process every time you make a change to the configuration files for the changes to take effect on the running process.

Configuring the /etc/raddb/radiusd.conf File

The /etc/raddb/radiusd.conf file stores the main RADIUS configuration parameters. You'll have to update some of the settings to allow LDAP queries from RADIUS:
ldap {
        # Define the LDAP server and the base domain name
        server = "localhost"
        basedn = "dc=example,dc=com"

        # Define which attribute from an LDAP "ldapsearch" query
        # is the password. Create a filter to extract the password
        # from the "ldapsearch" output
        password_attribute = "userPassword"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        # The following are RADIUS defaults
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
These configuration steps only cover how to configure RADIUS to interact with LDAP. You'll have to define the login attributes and privileges each user will receive and the IP addresses of the various RADIUS clients. We'll cover these topics next.

Configuring the /etc/raddb/users File

The /etc/raddb/users file defines the types of attributes a user receives upon login. In the case of a router, this may include allowing some user groups to log in to a device in a privileged mode, while allowing others only basic access. One of the first entries in this file checks the local server's /etc/passwd file. The very next entry should be one referring to your LDAP server with a Fall-Through statement that allows additional authorizations to be granted to the LDAP user further down the file based on other sets of criteria.
#
# First setup all accounts to be checked against the UNIX /etc/passwd.
#
DEFAULT Auth-Type = System
	Fall-Through = 1

#
# Defaults for LDAP
#
DEFAULT Auth-Type := LDAP
	Fall-Through = 1
Configuring the /etc/raddb/clients.conf File

You can define a shared secret password key to be used by the RADIUS server and its clients in the /etc/raddb/clients.conf file. Passwords can be allocated for ranges of IP addresses in each network block using the secret keyword. The next example defines the password testing123 for all queries from localhost, but s3astar for the 192.168.1.0/24 network and shrtp3nc1l for the 172.16.1.0/24 network. All RADIUS clients have to peer with the RADIUS server from these networks using the correct password before logins are correctly accepted.
client 127.0.0.1 {
        secret = testing123
        shortname = localhost
}

client 192.168.1.0/24 {
        secret = s3astar
        shortname = home-network
}

client 172.16.1.0/24 {
        secret = shrtp3nc1l
        shortname = office-network
}
Troubleshooting and Testing RADIUS

You can now test the various elements of the RADIUS setup.

Server Setup

To test the server, run radiusd in debug mode to see verbose messages about the status of the RADIUS queries. These messages are much more informative than those provided in the /var/log/messages and /var/log/radius/radius.log files.
[root@bigboy tmp]# /usr/sbin/radiusd -X -A
After testing is complete, you must start the radiusd daemon in the normal manner using the command service radiusd start.

Linux Client Setup

For Linux clients, you can perform RADIUS queries with the radtest command. The arguments are the LDAP username, the LDAP user's password, the RADIUS server IP address, a NAS port value (any value between 1 and 100 will work here), and the RADIUS client-server shared secret password key. Successful queries will show an Access-Accept message. A successful test from the RADIUS server looks like this:
[root@bigboy tmp]# radtest ldapuser "ldapuser-password" \
localhost 2 testing123
...
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=99,
length=20
...
[root@bigboy tmp]#
A successful test from a Linux RADIUS client looks like this:
[root@smallfry bin]# radtest ldapuser "ldapuser-password" \
192.168.1.100 2 s3astar
...
rad_recv: Access-Accept packet from host 192.168.1.100:1812, id=51,
length=20
...
[root@smallfry bin]#
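The shared secret from clients.conf and the radtest exchange shown above do more than gate which hosts may talk to the server: the secret hides the user's password inside the Access-Request and authenticates the server's Access-Accept, so a host without it can neither read the password nor forge an acceptance. This added example, written for this page and not taken from the post or from FreeRADIUS, implements that RFC 2865 arithmetic in Python; the username, secret and 16-byte Request Authenticator are constructed sample values, and nothing is sent on the network.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2          # packet codes (RFC 2865)
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5  # attribute types used by radtest

def _xor_chain(data, secret, authenticator, chain_on_output):
    # PAP hiding (RFC 2865 5.2): XOR each 16-byte block with MD5(secret + previous
    # ciphertext block), the first "previous block" being the Request Authenticator.
    # Hiding chains on its output, revealing on its input: ciphertext either way.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = result if chain_on_output else block
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What radtest does to User-Password: NUL-pad to a 16-byte multiple, then chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, authenticator, chain_on_output=True)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What radiusd does before the LDAP bind; a wrong secret yields garbage."""
    return _xor_chain(hidden, secret, authenticator, chain_on_output=False).rstrip(b"\x00")

def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def access_request(ident, authenticator, user, password, nas_port, secret):
    """Packet equivalent to 'radtest user password server nas_port secret' (bytes args)."""
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def access_accept(ident, request_auth, secret, attrs=b""):
    """Server reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply, request_auth, secret) -> bool:
    """Client-side check: only a host holding the shared secret can produce a valid reply."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

The construction is only as strong as the secret itself, which is why each client block in clients.conf deserves a long random secret rather than a short word.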
In this case, FreeRADIUS was installed solely for the purpose of testing the shared secret password key from another network. This is a good troubleshooting tip to verify remote client access before deploying network equipment.

Cisco Client Setup

Here is a sample snippet of how to set up a Cisco device to use a RADIUS server. You can find full coverage of Cisco authentication, authorization, and accounting (AAA) setup using RADIUS on Cisco's corporate Web site at www.cisco.com.
aaa new-model
aaa authentication login default radius enable
aaa authentication ppp default radius
aaa authorization network radius
radius-server host 192.168.1.100
radius-server timeout 10
radius-server key shrtp3nc1l
The important thing to note in relation to the example setup is that the radius-server statements define the RADIUS server's IP address and the shared secret password key.

Errors with Fedora Core 2

The interaction between LDAP and RADIUS on Fedora Core 2 seems to be plagued with a segmentation fault error that you can see on the RADIUS server when running in debug mode. The error looks like this:
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
Segmentation fault
The only solution I have found is to install the Fedora Core 1 versions of the RADIUS and LDAP RPMs and to edit the /etc/yum.conf file to prevent them from being automatically updated to newer versions.