Configuring very basic radius server

From Notes_Wiki
Revision as of 04:27, 7 November 2012 by Saurabh

Configuring very basic radius server with local user file based authentication

  1. Do 'chkconfig radiusd on' to enable radius server on PC startup.
  2. Run 'service radiusd start' to see that the current configuration is correct and it does not give any error.
    While configuring the server, after each small change to the configuration we start the server with the new configuration and test the new settings. Only if the new settings work fine do we proceed with further configuration. This makes it easier to debug a mistake, since we only have to check the last change made and not all changes.
  3. Go to directory '/etc/raddb'
  4. Open the file 'users' and add the following line
    "Saurabh Barjatiya" User-Password=="iiit123"
    • This line defines the login parameters for the user "Saurabh Barjatiya". Since the username contains a space, we have enclosed it in double quotes. The parameters defined on the first line are check parameters. Here we have defined only one check parameter, that is, 'User-Password'. We have used the operator '==' to tell the server that the 'User-Password' given here must exactly match the 'User-Password' supplied by the user during authentication. We have not specified any reply parameters or any other check or optional parameters, as this is more than enough for a simple login.
    • Do not add this line at the bottom of the configuration file. Read the comments and add this entry after the initial entries denying specific users and groups, and before the lines which apply in the default case. In my version of radius I added the entry around line 90, before the example of John Doe.
  5. We can now test our configuration with the command 'service radiusd restart'. If we have made a mistake we may see an error message and the service may fail to start. An even better way is to stop the service with 'service radiusd stop' and start the radius server with '/usr/sbin/radiusd -X', so that we can see all the debug messages.
  6. Test whether the user configuration is working by using the following command
    radtest 'Saurabh Barjatiya' 'iiit123' 127.0.0.1 1812 testing123
    Just type 'radtest' and press enter to see the syntax of the radtest command. The above command should give output like 'rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=204, length=20' to indicate that the authentication was successful. Here 1812 is the default port number (it is taken from the /etc/services file). 'testing123' is the default secret configured in the 'clients.conf' file for localhost (127.0.0.1).
  7. Now open the file 'clients.conf' so that we can configure which clients are allowed to authenticate using the radius server. We will also configure a shared secret in this file so that messages between the server and the client can be encrypted using that shared secret.
  8. Enter the lines below in the 'clients.conf' file
    client 10.3.3.253 {
        secret = 'radiuspass'
        shortname = linksys_lab320
    }
    • This means the client will have the IP address 10.3.3.253. We can also enter the FQDN of the client in place of the IP address.
    • Stop '/usr/sbin/radiusd -X' with 'Ctrl+C' if it is still running, and start it again after doing the client configuration. Proceed only if you do not see any errors; otherwise debug the problem first.
    • Now configure firewall to allow incoming connections on UDP port 1812.
    • Now test the radius configuration from a client machine. Keep the radius server running with the command '/usr/sbin/radiusd -X' so that you can see the messages printed by the radius server.
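The exchange behind step 6 (radtest sending an Access-Request for 'Saurabh Barjatiya' and radiusd answering with the 20-byte Access-Accept) as an added example, written for this page and not taken from the wiki or from FreeRADIUS. It shows what the shared secret from 'clients.conf' actually does on the wire per RFC 2865: it hides the User-Password attribute and lets the client verify the Response Authenticator of the reply; the rest of the packet is sent in the clear. The fixed Request Authenticator is an assumption for reproducibility (a real client uses 16 random bytes).

```python
import hashlib
import hmac
import struct

SECRET = b"testing123"   # localhost secret from clients.conf, as on the page

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def recover_password(hidden, secret, authenticator):
    """Inverse of hide_password; this is what radiusd does before checking the 'users' entry."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype, value):
    """Type-Length-Value attribute: 1 = User-Name, 2 = User-Password."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(payload):
    attrs, pos = {}, 0
    while pos < len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return attrs

def build_access_request(ident, username, password, secret, authenticator):
    """Code 1 = Access-Request; header is Code, Identifier, Length, 16-byte Authenticator."""
    attrs = attr(1, username) + attr(2, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, request, secret, attrs=b""):
    """Code 2 = Access-Accept, 3 = Access-Reject; authenticator = MD5(header+ReqAuth+attrs+secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(response, request, secret):
    """Client side: a reply only counts if its Identifier matches and the authenticator checks out."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])
```

With no attributes the Access-Accept is exactly 20 bytes, matching the 'length=20' in the radtest output above; a reply built with a wrong secret fails verify_response, which is why a mismatched 'clients.conf' secret shows up as a rejected or ignored reply rather than a clean error.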