
Configuring Linux Radius Server


nayef

Presentation Transcript


  1. Configuring Linux Radius Server
  • Objectives
  • This chapter will show you how to install and use Radius
  • Contents
  • An Overview Of How Radius Works
  • Configuration of Radius
  • Testing Radius server
  • Setting up Aironet Cisco1200 for radius
  • Client Setup Windows XP with wireless pccard
  • Practical
  • Implementing Radius server

  2. Introducing the elements
  • NAS
  • The Network Access Server (NAS) performs authentication, authorization, and accounting for users.
  • The network access server is typically a router, switch, or wireless access point
  • The NAS acts as a relay that passes or blocks traffic to and from authenticated clients
  • RADIUS and AAA
  • The RADIUS server is usually a daemon process running on a UNIX or Windows 2003 server.
  • Authentication and authorization plus accounting are combined together in RADIUS
  • LDAP
  • The Lightweight Directory Access Protocol (LDAP) is an open standard
  • It defines a method for accessing and updating information in an X.500-like directory.
  • LDAP simplifies user administration tasks by managing users in a central directory.

  3. Authentication via RADIUS and LDAP

  4. Installing FreeRADIUS
  • Add a testuser
  • Add a password for your testuser
  • Building from source
  • Usually a good idea for best optimized code
  • Start radiusd in debug mode
  • To see if any errors arrive
  • Modify /etc/shadow permission
  • Make the first radius auth test
  • Simulate a user trying to authenticate against the radius server
  • 0 = fake NAS port
  • testing123 is the mandatory common secret for localhost NAS clients; it is found in /etc/raddb/clients.conf
  • If radtest receives a response, the FreeRADIUS server is working.

    # useradd kalle
    # passwd kalle
    # tar -zxvf freeradius-1.0.2.tar.gz
    # cd freeradius-1.0.2
    # ./configure
    # make
    # make install
    # radiusd -X
    # chmod g+r /etc/shadow
    # radtest kalle 123456 localhost 0 testing123
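What radtest actually puts on the wire, and what the shared secret is used for, is easier to see in code. The following is an added example written for this page, not part of the slides or of FreeRADIUS: it builds the Access-Request that "radtest kalle 123456 localhost 0 testing123" sends, hides the User-Password with the RFC 2865 MD5 scheme, and verifies the Response Authenticator on the reply. The packet layout and the hiding scheme follow RFC 2865; the user, password and secret values are the ones from the slide, and the NUL-padding and attribute helpers are this example's own.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used by radtest (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_PORT = 5


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16
    octets (at least 16), then XOR each block with MD5(secret + previous
    block); the first 'previous block' is the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server does it before comparing the
    password against the users file. Trailing NUL padding is removed."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length counts the two header octets."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, nas_port: int = 0,
                         authenticator: bytes = None) -> bytes:
    """The packet 'radtest kalle 123456 localhost 0 testing123' sends."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Map attribute type -> raw value for everything after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def response_is_authentic(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator and compare in constant
    time. A reply that fails this check was not made by a holder of the secret."""
    if len(response) < 20:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret = b"testing123"
    req = build_access_request(1, "kalle", "123456", secret)
    reply = build_response(ACCESS_ACCEPT, 1, req[4:20], secret)
    print("request bytes:", len(req),
          "reply authentic:", response_is_authentic(reply, req[4:20], secret))
```

Two things the example makes visible: the secret in clients.conf is the only thing protecting the password on the wire, and the only thing that lets the NAS tell a genuine Access-Accept from a forged one, which is why the later slide's advice on per-NAS secrets matters.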

  5. Configure FreeRADIUS
  • FreeRADIUS configuration files are usually stored in the /etc/raddb folder
  • Modifying radiusd.conf to activate logging
  • Find and correct
  • Set up unix accounts to serve as authentication and add the default authentication ports. Cisco ports can also be used; then change this.
  • Tell radius where you store the users to authenticate

    log_auth = yes
    log_auth_badpass = yes
    log_auth_goodpass = no

    port = 0

    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }

  6. Configure FreeRADIUS for NAS clients
  • Check that clients.conf is declared in radiusd.conf
  • Adding the NAS clients in /etc/raddb/clients.conf
  • Add your access points
  • Security is slightly higher if you point out each NAS by IP and give them different passwords
  • Best match is used by the radius server
  • Here is a subnet declaration for NAS

    # Cisco Aironet 1235AP
    client 192.168.1.253 {
        secret = mypass
        shortname = ap
        nastype = other
    }

    client 192.168.1.0/24 {
        secret = testing123
        shortname = office-network
        nastype = other
    }
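To show the "best match" rule and the per-NAS secret advice from this slide concretely, here is an added example (written for this page, not FreeRADIUS code): it parses client blocks in the clients.conf syntax shown above, resolves which block the server would use for a given NAS address by longest prefix, and reports the weaknesses the slide warns about. The sample configuration is constructed to mirror the slide's two blocks; the 16-character threshold in the review is this example's own choice, and the parser only handles the flat "key = value" blocks seen here.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample with the same two client blocks as the slide's /etc/raddb/clients.conf
CLIENTS_CONF = """\
# Cisco Aironet 1235AP
client 192.168.1.253 {
    secret = mypass
    shortname = ap
    nastype = other
}
client 192.168.1.0/24 {
    secret = testing123      # FreeRADIUS example secret
    shortname = office-network
    nastype = other
}
"""

# Flat client blocks only: "client <addr-or-cidr> { key = value ... }"
CLIENT_BLOCK = re.compile(r"client\s+(\S+)\s*\{([^}]*)\}")


def parse_clients(text: str) -> list:
    """Return [(ip_network, {key: value}), ...] for every client block.
    A bare address such as 192.168.1.253 becomes a /32."""
    clients = []
    for m in CLIENT_BLOCK.finditer(text):
        network = ipaddress.ip_network(m.group(1), strict=False)
        fields = {}
        for line in m.group(2).splitlines():
            line = line.split("#", 1)[0].strip()   # drop trailing comments
            if "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                fields[key] = value
        clients.append((network, fields))
    return clients


def match_client(clients: list, nas_ip: str):
    """The slide's 'best match': the most specific (longest prefix) client
    block whose network contains the NAS address, or None if no block does."""
    addr = ipaddress.ip_address(nas_ip)
    candidates = [(net, fields) for net, fields in clients if addr in net]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0].prefixlen)


def review_clients(clients: list) -> list:
    """Findings against the slide's advice (one entry per NAS, distinct
    secrets). Returns (network, finding) tuples; thresholds are this example's."""
    counts = Counter(fields.get("secret") for _, fields in clients)
    findings = []
    for net, fields in clients:
        secret = fields.get("secret", "")
        if secret == "testing123":
            findings.append((str(net), "FreeRADIUS example secret still in use"))
        if counts[secret] > 1:
            findings.append((str(net), "secret shared with another client block"))
        if len(secret) < 16:
            findings.append((str(net), "secret shorter than 16 characters"))
        if net.num_addresses > 1:
            findings.append((str(net), "whole subnet accepted as NAS, not a single access point"))
    return findings


if __name__ == "__main__":
    clients = parse_clients(CLIENTS_CONF)
    for ip in ("192.168.1.253", "192.168.1.10", "10.0.0.1"):
        hit = match_client(clients, ip)
        print(ip, "->", hit[1]["shortname"] if hit else "no client block (request dropped)")
    for net, finding in review_clients(clients):
        print(f"{net}: {finding}")
```

With the slide's configuration, 192.168.1.253 resolves to the "ap" block (the /32 beats the /24), any other host in 192.168.1.0/24 gets the office-network block with the example secret, and a request from outside both ranges has no client block at all.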

  7. FreeRADIUS MAC authentication setting
  • The file /etc/raddb/users contains authentication and configuration information for each user.
  • Add or change the following lines, placed after the informative header text:
  • We prepare for MAC authentication for users authenticating through the NAS
  • Authentication will be invisible to the end user
  • For more users just add more MAC addresses
  • This can be used for almost any Cisco switch or router.
  • Authentication is invisible; users do not need to enter anything.

    # user-id (MAC)   Authentication type   password=MAC
    00054e4d3d08    Auth-Type := Local, User-Password == "00054e4d3d08"
    00186e8dc079    Auth-Type := Local, User-Password == "00186e8dc079"
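MAC addresses arrive in several written forms (colon, dash, Cisco dotted), while the users file on this slide needs them as 12 lowercase hex digits used as both User-Name and User-Password. The following added example (written for this page, not FreeRADIUS code) normalizes MAC addresses into that form, renders entries in the FreeRADIUS 1.x users-file syntax the slide uses, parses them back, and performs the lookup-and-compare that the files module with Auth-Type Local amounts to. That the AP sends the MAC in exactly this lowercase, separator-free form is taken from the slide's entries and is an assumption here; the header comment and the sample addresses are the slide's own.

```python
import hmac
import re

# One users-file entry in the slide's syntax: <User-Name> Auth-Type := Local, User-Password == "<pw>"
ENTRY = re.compile(r'^(\S+)\s+Auth-Type\s*:=\s*Local,\s*User-Password\s*==\s*"([^"]*)"')


def normalize_mac(mac: str) -> str:
    """Accept 00:05:4E:4D:3D:08, 00-05-4e-4d-3d-08, 0005.4e4d.3d08 (Cisco
    dotted) or 00054e4d3d08 and return the 12 lowercase hex digits the slide
    uses as User-Name (assumed to be the form the access point sends)."""
    if re.search(r"[^0-9a-f:.\-]", mac.lower()):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def users_entries(macs) -> str:
    """Render entries in the FreeRADIUS 1.x users-file syntax shown on the slide."""
    lines = ["# user-id (MAC)\tAuthentication type\tpassword=MAC"]
    for mac in macs:
        m = normalize_mac(mac)
        lines.append(f'{m}\tAuth-Type := Local, User-Password == "{m}"')
    return "\n".join(lines) + "\n"


def load_users(text: str) -> dict:
    """Parse the entries back into {User-Name: expected User-Password},
    skipping blank and comment lines and rejecting anything unparsable."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY.match(line)
        if m is None:
            raise ValueError(f"unparsed users line: {line!r}")
        table[m.group(1)] = m.group(2)
    return table


def authorize(table: dict, user_name: str, user_password: str) -> bool:
    """What the files module and Auth-Type Local do for a MAC login: the entry
    must exist and the revealed User-Password must equal the stored value."""
    expected = table.get(user_name)
    return expected is not None and hmac.compare_digest(expected, user_password)


if __name__ == "__main__":
    # Constructed input: the slide's two addresses written in two different notations
    text = users_entries(["00:05:4E:4D:3D:08", "0018.6e8d.c079"])
    print(text)
    table = load_users(text)
    print("known MAC accepted:", authorize(table, "00054e4d3d08", "00054e4d3d08"))
    print("unknown MAC accepted:", authorize(table, "0000deadbeef", "0000deadbeef"))
```

Because the password is the MAC itself, the entry grants access to whatever station presents that address; the logging enabled on slide 5 (log_auth_badpass) is what lets you see unknown addresses being tried against this list.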

  8. Configuring the Aironet 1200 (1/2)
  • For no security (open network), log in to your AP and go to Express Security
  • Enter your SSID: cisco
  • No VLAN (you can have a VLAN for each of your SSIDs if you like)
  • No security. Click on APPLY
  • Activate your WLAN interfaces
  • Menu Security: check None, or a WEP cipher if you like. We choose none for best network performance. The customer is advised to use the Cisco VPN client or similar for security.
  • Menu Security, Server Manager
  • Select RADIUS in Current Server List; the list should show <NEW>
  • Enter your radius server IP address and shared secret
  • Standard radius Authentication port 1812 and Accounting port 1813
  • Click Apply
  • Go to SSID Manager and pick your SSID
  • Check Open Authentication and choose "with MAC Authentication"
  • At Server Priorities choose Customize and at priority 1 pick your radius server IP address
  • Click APPLY

  9. Configuring the Aironet 1200 (2/2)
  • Next you need to set the AP to use MAC authentication.
  • Again it is the Security panel; go to Local RADIUS settings
  • Choose the General Set-Up menu and check MAC at Enable Authentication Protocols
  • Click Apply
  • Last you need to set the authentication order; here we use ONLY the radius server, no local lists.
  • Select MAC Addresses Authenticated by Authentication Server Only
  • If you click on Security, the server-based security should look something like this now:
  • Looking at the SSID on the same panel, it should look like this:
