Freeradius en Part2 PDF

Uploaded by

dpsguard-buy8922

freeRADIUS

A High Performance, Open Source, Pluggable, Scalable (but somewhat complex) RADIUS Server

Aurélien Geron, Wifirst, 7 January 2011

Friday 21 January 2011


Roadmap
• Multiple protocols: RADIUS, EAP...
• An Open-Source (GPLv2) server
• A powerful configuration system
• Many expansion modules
• Writing your own modules

Image source: http://crshare.com/abstract-backgrounds-vector-clipart/


The freeRADIUS project
• FreeRADIUS (GPLv2) is a fork of Cistron (GPL), which is itself inspired by Livingston (BSD)
• It was started in 1999 by Alan DeKok and Miquel van Smoorenburg (author of Cistron)
• It is available on all platforms: Un*x, MacOSX, and Windows (but the Windows version is a bit old)
• It is now far ahead of its competitors (in terms of performance, functionality, modularity...)


Documentation
• The entry point to the documentation is:
http://freeradius.org/doc/
• Some useful info is available on the Wiki, but some of it is outdated or incomplete:
http://wiki.freeradius.org/
• A lot of useful info is available in the man pages:
http://freeradius.org/radiusd/man/index.html
• It is also good to read the comments in the configuration files, located in /etc/freeradius on Debian and /etc/raddb on other platforms

Documentation
• The mailing list is active and responsive:
http://freeradius.org/list/users.html
• All in all, the documentation is a bit too scattered, and sometimes outdated
• Moreover, the information that can be found on the Internet (in blogs, forums...) is more often than not outdated or just wrong

Beware of the info found in forums and blogs: always check the version of freeRADIUS that the info is about

Installation
On Debian Squeeze
# the base
aptitude update
aptitude install freeradius

# then add the desired modules, for example:
aptitude install freeradius-mysql


Packages on Debian

$ aptitude search freeradius


p freeradius - a high-performance and highly configurable RADIUS server
p freeradius-common - FreeRadius common files
p freeradius-dbg - ...; debug symbols
p freeradius-dialupadmin - set of PHP scripts for administering a FreeRADIUS server
p freeradius-iodbc - iODBC module for FreeRADIUS server
p freeradius-krb5 - kerberos module for FreeRADIUS server
p freeradius-ldap - LDAP module for FreeRADIUS server
p freeradius-mysql - MySQL module for FreeRADIUS server
p freeradius-postgresql - PostgreSQL module for FreeRADIUS server
p freeradius-utils - FreeRadius client utilities
p libfreeradius-dev - FreeRADIUS shared library development files
p libfreeradius2 - FreeRADIUS shared library



What about Debian Lenny?
• Unfortunately, due to a licensing issue, Debian did not provide a freeRADIUS package compiled with OpenSSL
• This problem was solved in freeRADIUS version 2.1.8
• But the freeRADIUS version included in Debian Lenny is 2.0.4 (Squeeze is at 2.1.9)

In order to use EAP/TLS, PEAP or TTLS on Lenny: use the backports

Backports for Lenny
See: http://www.backports.org/


Compiling freeRADIUS
• Needed to use experimental modules, or on platforms that do not have a package for freeRADIUS >= 2.1.8
• Download the sources and compile them:
http://freeradius.org/download.html
$ tar zxvf freeradius-[version].tar.gz
$ cd freeradius-*/ # enter the unpacked source directory
$ ./configure # add the desired options here
$ make
$ su root # plain su keeps the current directory
# make install

• For more info, for example to build your own clean freeRADIUS package for Debian (or other distributions):
http://wiki.freeradius.org/Build

Creating your own Debian package
$ wget http://ftp.de.debian.org/debian/pool/main/f/freeradius/freeradius_2.1.9+dfsg-1.dsc
$ wget http://ftp.de.debian.org/debian/pool/main/f/freeradius/freeradius_2.1.9+dfsg.orig.tar.gz
$ wget http://ftp.de.debian.org/debian/pool/main/f/freeradius/freeradius_2.1.9+dfsg-1.diff.gz
$ tar xvzf freeradius_2.1.9+dfsg.orig.tar.gz
$ cd freeradius-server-2.1.9
$ zcat ../freeradius_2.1.9+dfsg-1.diff.gz | patch -p1
$ rm debian/patches/lt_dladvise.diff # => to avoid a dependency on libtool 2.2
$ sed -i -e '/lt_dladvise.diff/d' debian/patches/series
$ dch -i # => specify version 2.1.9+dfsg-1~bpo50+1, plus comments and contact details
$ dpkg-buildpackage -rfakeroot -uc -us -S
$ cd ..
$ sudo pbuilder --build freeradius_2.1.9+dfsg-1~bpo50+1.dsc
$ ls /var/cache/pbuilder/result/*freeradius*2.1.9*
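The package-building steps above fetch the .dsc, orig.tar.gz and diff.gz over plain HTTP and unpack them by hand, so nothing compares the files with the checksums recorded in the .dsc. The following added example (not from the original slides) does that comparison in POSIX shell; the demo_1.0 file names and contents are constructed, and verify_dsc and make_sample are hypothetical helper names.

```sh
#!/bin/sh
# Added example: file names and contents below are constructed.

# verify_dsc DSC DIR: succeed only if every file listed in the .dsc's
# Checksums-Sha256 field is present in DIR with the listed size and digest.
verify_dsc() {
    entries=$(awk '/^Checksums-Sha256:/ {f=1; next} !/^ / {f=0}
                   f && NF==3 {print $1, $2, $3}' "$1")
    [ -n "$entries" ] || { echo "no Checksums-Sha256 entries in $1"; return 1; }
    rc=0
    while read -r sum size name; do
        # a file name must never point outside DIR
        case $name in */*) echo "BADNAME  $name"; rc=1; continue ;; esac
        [ -f "$2/$name" ] || { echo "MISSING  $name"; rc=1; continue; }
        [ "$(wc -c < "$2/$name" | tr -d ' ')" = "$size" ] ||
            { echo "SIZE     $name"; rc=1; continue; }
        if [ "$(sha256sum "$2/$name" | cut -d' ' -f1)" = "$sum" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done <<EOF
$entries
EOF
    return $rc
}

# make_sample DIR: write a constructed two-file source package and a matching
# .dsc into DIR (stand-ins for the orig.tar.gz and diff.gz fetched above).
make_sample() {
    printf 'constructed upstream tarball\n' > "$1/demo_1.0.orig.tar.gz"
    printf 'constructed debian diff\n' > "$1/demo_1.0-1.diff.gz"
    {
        echo "Source: demo"
        echo "Checksums-Sha256:"
        for f in demo_1.0.orig.tar.gz demo_1.0-1.diff.gz; do
            echo " $(sha256sum "$1/$f" | cut -d' ' -f1) $(wc -c < "$1/$f" | tr -d ' ') $f"
        done
        echo "Files:"
        echo " 00000000000000000000000000000000 0 entry-outside-the-sha256-field"
    } > "$1/demo_1.0-1.dsc"
}

tmp=$(mktemp -d)
make_sample "$tmp"
verify_dsc "$tmp/demo_1.0-1.dsc" "$tmp" && echo "files match the .dsc"
printf 'x' >> "$tmp/demo_1.0-1.diff.gz"   # simulate an altered download
verify_dsc "$tmp/demo_1.0-1.dsc" "$tmp" || echo "mismatch: do not build"
rm -rf "$tmp"
```

A match only shows that the files agree with the .dsc; the .dsc's own OpenPGP signature still has to be verified (for example with dscverify from the devscripts package) before its checksums can be trusted.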


freeRADIUS 2
• Version 1 lacked clarity and flexibility (config files were confusing)
• Config files in version 2 are now better organized and clearer
• The Python module (which allows you to write your own modules in Python rather than in C) is no longer experimental, so it is included by default in the packages (it used to be necessary to recompile)

Use freeRADIUS 2 rather than 1, and if possible a version >= 2.1.8

Installed files
$ dpkg -L freeradius | sort # then shortened a bit
/etc/freeradius
/etc/freeradius/eap.conf
/etc/freeradius/...
/etc/freeradius/modules
/etc/freeradius/modules/sql
/etc/freeradius/modules/...
/etc/freeradius/sites-available
/etc/freeradius/sites-available/default
/etc/freeradius/sites-available/inner-tunnel
/etc/freeradius/sites-available/...
/etc/freeradius/sites-enabled
/etc/freeradius/sites-enabled/default
/etc/freeradius/...
/etc/init.d/freeradius
/etc/logrotate.d/freeradius
/etc/pam.d/radiusd
/usr/lib/freeradius
/usr/lib/freeradius/rlm_sql-2.1.8.so
/usr/lib/freeradius/rlm_sql.so
/usr/lib/freeradius/...
/usr/sbin/checkrad
/usr/sbin/freeradius
/usr/sbin/raddebug
/usr/sbin/radmin
/usr/sbin/radwatch
/usr/share/doc/freeradius/...
/var/log/freeradius

• /etc/freeradius/sites-enabled: this directory only contains symbolic links (ln -s) to the desired files located in sites-available (just like in Apache, for example)
• /etc/init.d/freeradius: this script starts or stops the server
• /etc/pam.d/radiusd: freeRADIUS is installed with a PAM module (see http://fr.wikipedia.org/wiki/Pluggable_Authentication_Modules)
• /usr/lib/freeradius: module binaries
• /usr/sbin/freeradius: this binary is the freeRADIUS server itself


Installed files
$ dpkg -L freeradius-common | sort # then shortened
/etc/freeradius
/etc/freeradius/dictionary
/etc/freeradius/radiusd.conf
/usr/share/doc/freeradius-common/...
/usr/share/freeradius
/usr/share/freeradius/dictionary
/usr/share/freeradius/dictionary.3com
/usr/share/freeradius/dictionary.3gpp
/usr/share/freeradius/dictionary.3gpp2
/usr/share/freeradius/dictionary.acc
/usr/share/freeradius/dictionary.acme
/usr/share/freeradius/dictionary.airespace
/usr/share/freeradius/dictionary.alcatel
/usr/share/freeradius/dictionary...
/usr/share/man/man1
/usr/share/man/man1/radclient.1.gz
/usr/share/man/man1/radeapclient.1.gz
/usr/share/man/man1/...
/usr/share/man/man5
/usr/share/man/man5/acct_users.5.gz
/usr/share/man/man5/clients.conf.5.gz
/usr/share/man/man5/...
/usr/share/man/man8
/usr/share/man/man8/freeradius.8.gz
/usr/share/man/man8/raddebug.8.gz
/usr/share/man/man8/...

• /etc/freeradius/dictionary: RADIUS dictionary (this file can be customized)
• /etc/freeradius/radiusd.conf: entry point to the configuration of the server
• $INCLUDE (marked twice on the slide): /etc/freeradius/dictionary pulls in /usr/share/freeradius/dictionary, which pulls in the dictionary.* files
• /usr/share/freeradius/dictionary*: these files must not be modified
• /usr/share/man: the manuals. List them using the following command:
dpkg -L freeradius-common
then, for example:
man 5 acct_users


Starting / stopping

$ /etc/init.d/freeradius
Usage: /etc/init.d/freeradius start|stop|restart|force-reload



Debugging
$ /etc/init.d/freeradius stop
Stopping FreeRADIUS daemon: freeradius.

$ freeradius -X
FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on Jan 3 2010 at 14:14:04
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
...
listen {
type = "auth"
ipaddr = 10.1.2.3
port = 0
}
listen {
type = "acct"
ipaddr = 10.1.2.3
port = 0
}
Listening on authentication address 10.1.2.3 port 1812
Listening on accounting address 10.1.2.3 port 1813
Listening on proxy address 10.1.2.3 port 1814
Ready to process requests.



Questions?
