A RADIUS server is a daemon for un*x operating systems which allows one to set up (guess what!) a RADIUS protocol server, which is usually used for authentication and accounting of dial-up users. To use the server, you also need a correctly set up client which will talk to it, usually a terminal server or a PC with appropriate software which emulates it (PortSlave, radiusclient etc.). [From the FreeRADIUS FAQ]
RADIUS has its own database of users; however, since this information is already contained in LDAP, it is more convenient to use that.
There are several free RADIUS servers; the one with good LDAP support is FreeRADIUS (http://www.freeradius.org). It is still a development version, but the LDAP module works fine.
Once you have installed the server, configure it through the configuration files located under /etc/raddb (or /usr/local/etc/raddb).
In the radiusd.conf file edit:
    [...omissis]
    # Uncomment this if you want to use ldap (Auth-Type = LDAP)
    # Also uncomment it in the authenticate{} block below
    ldap {
            server = ldap.yourorg.com
            #login = "cn=admin,o=My Org,c=US"
            #password = mypass
            basedn = "ou=users,dc=yourorg,dc=com"
            # Search filter selecting the user's entry; parentheses must balance
            filter = "(&(objectClass=posixAccount)(uid=%u))"
    }
    [...omissis]
    # Authentication types, Auth-Type = System and PAM for now.
    authenticate {
            pam
            unix
    #       sql
    #       sql2
            # Uncomment this if you want to use ldap (Auth-Type = LDAP)
            ldap
    }
    [...omissis]
Also edit the dictionary file:
    [...omissis]
    #
    #       Non-Protocol Integer Translations
    #
    VALUE           Auth-Type               Local                   0
    VALUE           Auth-Type               System                  1
    VALUE           Auth-Type               SecurID                 2
    VALUE           Auth-Type               Crypt-Local             3
    VALUE           Auth-Type               Reject                  4
    VALUE           Auth-Type               ActivCard               4
    VALUE           Auth-Type               LDAP                    5
    [...omissis]
And the users file, to have a default authorization entry:
    [...omissis]
    DEFAULT Auth-Type := LDAP
            Fall-Through = 1
    [...omissis]
If you have already set up an LDAP server for Un*x account management, this is enough.
On the LDAP server, also ensure that the RADIUS server can read all the posixAccount attributes (especially uid and userPassword).
To test everything, start radiusd in debugging mode:
    /usr/local/sbin/radiusd -X -A
Then use the radtest program with a syntax like:
    radtest username "password" radius.yourorg.com 1 testing123
If everything went fine you should receive an Access-Accept packet from the RADIUS server.
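The test above exercises the whole chain (NAS secret, radiusd, LDAP lookup). As an added illustration that is not part of the HOWTO or of FreeRADIUS, here is a minimal radtest written in Python with the standard library only: it builds the Access-Request with the User-Password hidden as RFC 2865 prescribes, sends it over UDP, and verifies the Response Authenticator of the reply with the shared secret, so a wrong secret or a spoofed reply is reported as such instead of being read as a rejection. The hostname, NAS port 1 and secret testing123 are taken from the radtest line above; the function and attribute names are my own.

```python
import hashlib
import os
import socket
import struct
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2          # RFC 2865 packet codes used here
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5  # RFC 2865 attribute types used here

def encode_pap_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous block), seeded by the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def decode_pap_password(encoded: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # Inverse of the above: what radiusd does before checking the password against LDAP.
    out, prev = b"", req_auth
    for i in range(0, len(encoded), 16):
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(atype: int, value: bytes) -> bytes:  # Type, Length (header included), Value
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(user: str, password: str, secret: bytes, nas_port: int, ident: int = 1):
    # Returns (packet, request_authenticator); keep the authenticator to verify the reply.
    req_auth = os.urandom(16)
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, encode_pap_password(password.encode(), secret, req_auth))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()

def reply_is_authentic(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    # A reply whose authenticator does not verify was not produced with our shared secret.
    return reply[4:20] == response_authenticator(reply[0], reply[1], reply[20:], req_auth, secret)

def radtest(user: str, password: str, host: str, nas_port: int, secret: str, port: int = 1645) -> str:
    packet, req_auth = build_access_request(user, password, secret.encode(), nas_port)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(5)
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)
    if not reply_is_authentic(reply, req_auth, secret.encode()):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or spoofed reply")
    return "Access-Accept" if reply[0] == ACCESS_ACCEPT else "Access-Reject"
```

Call it as radtest("username", "password", "radius.yourorg.com", 1, "testing123") to mirror the command line above; note that the password hiding is only an MD5 mask keyed by the shared secret, which is why the secret must be kept private and the UDP path between NAS and server trusted.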
You can also use stunnel in client mode to provide SSL on the connection between the RADIUS server and the LDAPS server. For details on SSL refer to Section 10.
Just for completeness, here is a sample Cisco IOS configuration. This is outside the purpose of the HOWTO, so it may not suit your needs.
    [...omissis]
    aaa new-model
    aaa authentication login default radius enable
    aaa authentication ppp default radius
    aaa authorization network radius
    [...omissis]
    radius-server host 192.168.10.1
    radius-server timeout 10
    radius-server key cisco
    [...omissis]
Note: almost all NASes use port 1645 for RADIUS; check which port yours uses and configure the server accordingly.