Building a RADIUS server on Linux: a detailed guide

Source: Internet
Author: User
Tags auth ldap ldap protocol rfc openldap freeradius

As a network administrator, you need to maintain administrative user information for each network device that you manage. However, network devices usually support only limited user management functions. Learn how to use an external RADIUS server on Linux to authenticate users, specifically through an LDAP server, so that user information is stored centrally on the LDAP server and validated by the RADIUS server. This can reduce the administrative overhead of user management and make the remote login process more secure.
Data security, as part of network security in modern systems, is as important as system security, so protecting data (ensuring confidentiality, integrity, and availability) is critical to administrators.
In this article, I'll talk about the confidentiality aspect of data security: ensuring that protected data can only be accessed by authorized users or systems. You will learn how to set up and configure a Remote Authentication Dial-In User Service (RADIUS) server on a Linux system to perform authentication, authorization, and accounting (AAA) for users.

Introduction to the components
First let's talk about the RADIUS protocol, the AAA components and how they work, plus the LDAP protocol.
The Remote Authentication Dial-In User Service protocol is defined in IETF RFC 2865 (see Resources for related links). It allows the network access server (NAS) to perform authentication, authorization, and accounting of users. RADIUS is a client/server protocol based on UDP. A RADIUS client is a network access server, which is typically a router, switch, or wireless access point (the access point is a specially configured node on the network; WAP is a wireless version). A RADIUS server is typically a daemon that runs on a UNIX or Windows 2000 server.
RADIUS and AAA
If the NAS receives a user connection request, it passes the request to the specified RADIUS server, which authenticates the user and returns the user's configuration information to the NAS. The NAS then accepts or rejects the connection request.
A full-featured RADIUS server can support many different user authentication mechanisms in addition to LDAP, including:
PAP (Password Authentication Protocol, used in conjunction with PPP, in which the password is sent to the client for comparison in clear text);
CHAP (Challenge Handshake Authentication Protocol, more secure than PAP; it uses both username and password);
The local UNIX/Linux system password database (/etc/passwd);
Other local databases.
In RADIUS, authentication and authorization are grouped together. If the user name is found and the password is correct, the RADIUS server returns an Access-Accept response that includes some parameters (attribute-value pairs) to guarantee access to the user. These parameters are configured in RADIUS and include the type of access, the protocol type, the IP address specified for the user, and an access control list (ACL) or static route to be applied on the NAS, plus some other values.
The RADIUS accounting attributes (defined in RFC 2866; see Resources for related links) allow data to be sent at the beginning and end of a connected session, indicating the amount of resources used during the session (such as time, packets, and bytes), which might be used for security or billing purposes.
Lightweight Directory Access Protocol
The Lightweight Directory Access Protocol (LDAP) is an open standard that defines a way to access and update information in an X.500-like directory. LDAP can be used to store user information in a central location so that the same information is not stored on each system. It can also be used to maintain and access information in a consistent, controllable manner.
LDAP simplifies user management by managing users in a centralized directory. In addition to storing user information, defining users in LDAP also allows some optional features to be enabled, such as restricting the number of logins. In this article, you will learn how to configure a RADIUS server to authenticate users against LDAP. Because the focus of this article is on RADIUS, I will not describe the details of the installation and configuration of the LDAP server.
OpenLDAP is an open source implementation of LDAP. You can find more information about it on (see Resources for related links).
Imagine the following scenario:
A user can access his company's intranet from home through dial-up authentication.
Laptops with wireless support can be connected to a campus network through wireless authentication.
Administrators use their workstations to log on to network devices with Telnet or HTTP through administrative user authentication.
All of these authentication tasks can be done with a single RADIUS server backed by a central LDAP server (see Figure 1).

Figure 1 Authentication with RADIUS and LDAP
In this article, I'll focus on the implementation of the last option as an introduction to this solution. Install the RADIUS server first.
Installing RADIUS
RADIUS server software can be obtained from multiple sources. In this article, I'm going to use FreeRADIUS (see Resources for related links), but Cisco Secure Access Control Server (ACS) is a centralized user access control framework that can be used for user management across multiple Cisco devices on UNIX and Windows, and it supports the Cisco-specific protocol TACACS+ (which is said to have more features on devices that support TACACS+).
FreeRADIUS is a powerful Linux-based RADIUS server from the open source community that can be used in today's distributed and heterogeneous computing environments. FreeRADIUS 1.0.2 supports LDAP, MySQL, PostgreSQL, and Oracle databases and is compatible with network protocols such as EAP and Cisco LEAP. FreeRADIUS is currently deployed in many large production network systems.
The following steps demonstrate how to install and test FreeRADIUS 1.0 on Red Hat Enterprise Linux Advanced Server 3.0.2:
Listing 1 Installing and testing FreeRADIUS

    tar -zxvf freeradius-1.0.2.tar.gz   # extract it with gunzip and tar
    cd freeradius-1.0.2                 # enter the extracted source tree
    ./configure                         # prepare the build
    make                                # compile
    make install                        # run this command as root
    radiusd                             # start RADIUS server, or
    radiusd -X                          # start RADIUS server in debug mode
    radtest test test localhost 0 testing123   # test RADIUS server

If radtest receives a response, it indicates that the FreeRADIUS server is working properly.
I also recommend another free tool, NTRadPing, which can be used to test authentication and authorization requests from Windows clients. It can display the detailed responses sent back from the RADIUS server, such as attribute values.
Now let's configure FreeRADIUS.
Configure FreeRADIUS
The configuration of the RADIUS server includes the configuration of the server, the clients, and the users (both for authentication and authorization). The RADIUS server can be configured differently for different needs. Fortunately, most of the configurations are similar.
* Configure server
The FreeRADIUS configuration files are typically located under the /etc/raddb folder. First, we need to modify the radiusd.conf file as follows.
Listing 2 Modifying radiusd.conf

    1) Global settings:

    log_auth = yes              # log authentication requests to the log file
    log_auth_badpass = no       # don't log passwords if request rejected
    log_auth_goodpass = no      # don't log passwords if request accepted

    2) LDAP settings:

    modules {
        ldap {
            server = ""         # the hostname or IP address of the LDAP server
            port = 636          # encrypted communications
            basedn = "ou=bluepages,"   # define the base Distinguished Names (DN),
                                       # under the Organization (O) "",
                                       # in the Organization Unit (OU) "bluepages"
            filter = "(mail=%u)"       # specify search criteria
            base_filter = "(objectclass=person)"   # specify base search criteria
        }
    }

    authenticate {              # enable authentication against LDAP
        Auth-Type LDAP {
            ldap
        }
    }

The parameters are set to use IBM BluePages, which is an instance of the LDAP service. For other LDAP servers, the parameters may vary.
* Configure client
The clients are configured in the /etc/raddb/clients.conf file. There are two ways to configure a RADIUS client. You can group the NAS devices by IP subnet (Listing 3), or you can list each NAS by host name or IP address (Listing 4). If you follow the second method, you can define both shortname and nastype.
Listing 3 Grouping the NAS by IP subnet

    client {
        secret = Mysecret1      # the "secret" should be the same as configured on NAS
        shortname = mylan       # the "shortname" can be used for logging
        nastype = cisco         # the "nastype" is used for checkrad and is optional
    }

Listing 4 Listing the NAS by host name or IP address

    client {
        secret = Mysecret1
        shortname = MyServer
        nastype = other
    }


* Configure users for authentication
The file /etc/raddb/user contains authentication and configuration information for each user.
Listing 5 /etc/raddb/user file

    1) Authentication type:

    Auth-Type := LDAP           # authenticate against LDAP
    Auth-Type := Local, User-Password == "MYPASSWD"
                                # authenticate against the
                                # password set in /etc/raddb/user
    Auth-Type := System         # authenticate against the system password file
                                # /etc/passwd or /etc/shadow

    2) Service type:

    Service-Type = Login,       # for administrative login


* Configure users for authorization
The following authentication server attribute-value (AV) pairs should be configured for user authorization. After the authentication is accepted, these attribute-value pairs are returned to the NAS in response to the administrator login request.
For Cisco routers, there are different privilege levels:
Level 1 is unprivileged (non-privileged). The prompt is Router>, which is the default level for login.
Level 15 is privileged. The prompt is Router#, which is the level after entering enable mode.
Levels 2 through 14 are not used in the default configuration.
The following command allows a user to log on from the network access server and gain immediate access to the EXEC command:
    cisco-avpair = "shell:priv-lvl=15"
The following code handles the same task, this time for the Cisco wireless access point:
    Cisco:Avpair = "aironet:admin-capability=write+snmp+ident+firmware+admin"
Any combination of features can be returned with this attribute:
    Cisco:Avpair = "aironet:admin-capability=ident+admin"
    Cisco:Avpair = "aironet:admin-capability=admin"
Please contact Cisco for more information about these commands.
Configure the network access server
Next we will configure the NAS: first a Cisco router, then a Cisco WAP.
For Cisco IOS 12.1 routers, we will enable AAA and then configure authentication, authorization, and accounting.
Listing 6 Enabling AAA

    aaa new-model
    radius-server host
    radius-server key Mysecret1


AAA should be enabled on the router. Then, specify a list of RADIUS servers that can provide AAA services to the NAS. The encryption key is used to encrypt data transfer between the NAS and the RADIUS server. It must be the same as the one configured on FreeRADIUS.
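How the shared secret is used on the wire, as an added example that is not part of the original article: under RFC 2865 it hides the User-Password attribute and authenticates the server's reply, while most other attributes travel unencrypted. The function names and the fixed request authenticator are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if len(request_auth) != 16 or not 0 < len(password) <= 128:
        raise ValueError("need a 16-byte authenticator and a 1..128 byte password")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        hidden += prev
    return hidden

def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the same keystream, derived from the same shared secret."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        clear += bytes(h ^ s for h, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def sign_response(code: int, ident: int, attrs: bytes,
                  request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: build a reply whose authenticator covers the secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator and compare."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = sign_response(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected[4:20], packet[4:20])

# Constructed sample values; a real NAS must use an unpredictable authenticator.
SECRET = b"Mysecret1"              # shared secret from the listings
REQUEST_AUTH = bytes(range(16))    # fixed here only for repeatability
# Access-Accept (code 2) carrying Service-Type = Login (attribute 6, value 1)
ACCEPT = sign_response(2, 7, b"\x06\x06\x00\x00\x00\x01", REQUEST_AUTH, SECRET)
```

A reply signed with a different secret fails verify_response, which is why the key on the NAS and the secret in clients.conf must match exactly.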
Listing 7 Configuring authentication

    aaa authentication login default group radius local
    line vty 0 4
     login authentication default


In this example, the network administrator uses RADIUS authentication. If the RADIUS server is not available, the local user database password for the NAS is used.
Listing 8 Configuring authorization

    aaa authorization exec default group radius if-authenticated

This allows the user to run the EXEC shell when logging on to the NAS.
Listing 9 Configuring accounting

    aaa accounting system default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa accounting connection default start-stop group radius
    aaa accounting exec default stop-only group radius
    aaa accounting commands 1 default stop-only group radius
    aaa accounting commands 15 default wait-start group radius


The router must be specifically configured to send accounting records to the RADIUS server. Use the commands in Listing 9 to record accounting information about NAS system events, network connections, output connections, exec operations, and commands on level 1 and level 15.
That's good. Now let's look at the configuration for the Cisco wireless access point. The following configuration applies to Cisco Series APs with firmware 12.01T1. As shown in the screenshot in Figure 2, you:
* Enter the server name or IP address and shared secret.
* Select "Radius" as the type and select "User Authentication".

Figure 2 Configuring the NAS for WAP

In fact, here you can also configure EAP authentication so that FreeRADIUS can be used to authenticate ordinary users of the wireless LAN.

Accounting: RADIUS at work
Now that all the configuration is complete, the FreeRADIUS server can start recording all the information sent by the NAS and store that information in the /var/log/radius/radius.log file, like this:
Listing 10 /var/log/radius/radius.log file

    Thu Mar 3 21:37:32 2005 : Auth: Login OK: [David] (from client
    Mon Mar 7 23:39:53 2005 : Auth: Login incorrect: [John] (from
                              client mylan port 1 cli

Detailed accounting information is stored in the /var/log/radius/radacct directory. Listing 11 shows that David logged in from to router from 19:40 to 19:51 on March 4, 2005. Such detailed information is undoubtedly a big help for administrators who are investigating security incidents and trying to maintain records that are easy to audit.
Listing 11 Example of accounting details provided by RADIUS

    Fri Mar 4 19:40:12 2005
        NAS-IP-Address =
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "David"
        Calling-Station-Id = ""
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = NAS-Prompt-User
        Acct-Session-Id = "00000026"
        Acct-Delay-Time = 0
        Client-IP-Address =
        Acct-Unique-Session-Id = "913029a52dacb116"
        Timestamp = 1109936412

    Fri Mar 4 19:51:17 2005
        NAS-IP-Address =
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "David"
        Calling-Station-Id = ""
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Service-Type = NAS-Prompt-User
        Acct-Session-Id = "00000026"
        Acct-Terminate-Cause = Idle-Timeout
        Acct-Session-Time = 665
        Acct-Delay-Time = 0
        Client-IP-Address =
        Acct-Unique-Session-Id = "913029a52dacb116"
        Timestamp = 1109937077
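For audit work on these accounting records, the following added example (not part of the original article) pairs Start and Stop records by Acct-Unique-Session-Id and lists sessions that never closed. The function names are illustrative, and the sample input is constructed: its first two records mirror Listing 11 and the third is invented.

```python
# Constructed sample in radacct "detail" layout. The first two records mirror
# Listing 11; the third record (a Start with no Stop) is made up.
SAMPLE = """\
Fri Mar  4 19:40:12 2005
\tUser-Name = "David"
\tAcct-Status-Type = Start
\tAcct-Unique-Session-Id = "913029a52dacb116"
\tTimestamp = 1109936412

Fri Mar  4 19:51:17 2005
\tUser-Name = "David"
\tAcct-Status-Type = Stop
\tAcct-Terminate-Cause = Idle-Timeout
\tAcct-Session-Time = 665
\tAcct-Unique-Session-Id = "913029a52dacb116"
\tTimestamp = 1109937077

Fri Mar  4 20:02:40 2005
\tUser-Name = "John"
\tAcct-Status-Type = Start
\tAcct-Unique-Session-Id = "0a1b2c3d4e5f6071"
\tTimestamp = 1109937760
"""

def parse_detail(text):
    """Yield one dict per blank-line-separated record of 'Attr = value' lines."""
    for block in text.strip().split("\n\n"):
        # line 0 of each record is the human-readable log timestamp
        pairs = (l.strip().partition(" = ") for l in block.splitlines()[1:])
        yield {k: v.strip('"') for k, sep, v in pairs if sep}

def sessions(text):
    """Pair Start and Stop records on Acct-Unique-Session-Id."""
    out = {}
    for rec in parse_detail(text):
        sid, kind = rec.get("Acct-Unique-Session-Id"), rec.get("Acct-Status-Type")
        if sid is None or kind not in ("Start", "Stop") or "Timestamp" not in rec:
            continue                     # skip malformed or interim records
        s = out.setdefault(sid, {"user": rec.get("User-Name")})
        s[kind.lower()] = int(rec["Timestamp"])
        if kind == "Stop":
            s["cause"] = rec.get("Acct-Terminate-Cause")
            s["reported"] = int(rec.get("Acct-Session-Time", 0))
    return out

def open_sessions(text):
    """Users with a Start but no Stop: still logged in, or the Stop was lost."""
    return sorted(s["user"] for s in sessions(text).values() if "stop" not in s)
```

For David's session the difference between the two Timestamp values equals the Acct-Session-Time the NAS reported; a mismatch between the two is worth a look during an investigation.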

By following the simple steps outlined in this article, you can set up a Remote Authentication Dial-In User Service server that uses an external LDAP server to handle authentication, authorization, and accounting for network security. This article provides the following to help you accomplish this task:
* An introduction to the RADIUS and LDAP servers as well as the AAA concept.
* A scenario that incorporates installation and configuration tasks.
* Instructions for installing and configuring a RADIUS server.
* Details on configuring the network access server.
* An example of the detailed information that RADIUS provides and manages.
These instructions can quickly ensure that protected data is accessible only to authorized entities on the Linux system.
