As a network administrator, you need to maintain user information for every network device you manage. However, network devices usually support only limited user-management functions. This article shows how to use an external RADIUS server on Linux to authenticate users against an LDAP server: user information is stored centrally on the LDAP server and validated by the RADIUS server. This reduces the administrative overhead of user management and makes remote logins more secure.
Data security, as part of network security in modern systems, is as important as system security, so protecting data (ensuring its confidentiality, integrity, and availability) is critical for administrators.
In this article, I'll talk about the confidentiality aspect of data security: ensuring that protected data can be accessed only by authorized users or systems. You will learn how to set up and configure a Remote Authentication Dial-In User Service (RADIUS) server on a Linux system to perform authentication, authorization, and accounting (AAA) for users.
Introduction to the components
First let's look at the RADIUS protocol, the AAA components and how they work, and the LDAP protocol.
The Remote Authentication Dial-In User Service protocol is defined in IETF RFC 2865 (see Resources for related links). It allows a network access server (NAS) to perform authentication, authorization, and accounting of users. RADIUS is a client/server protocol based on UDP. A RADIUS client is a network access server, typically a router, switch, or wireless access point (an access point is a specially configured node on the network; a WAP is its wireless version). A RADIUS server is typically a daemon that runs on a UNIX or Windows 2000 server.
RADIUS and AAA
When the NAS receives a user connection request, it passes the request to the specified RADIUS server, which authenticates the user and returns the user's configuration information to the NAS. The NAS then accepts or rejects the connection request.
A full-featured RADIUS server can support many different user authentication mechanisms in addition to LDAP, including:
PAP (Password Authentication Protocol, used in conjunction with PPP, in which the password is sent in clear text for comparison);
CHAP (Challenge Handshake Authentication Protocol, more secure than PAP; it uses both a username and a password);
The local UNIX/Linux system password database (/etc/passwd);
Other local databases.
In RADIUS, authentication and authorization are combined. If the user name is found and the password is correct, the RADIUS server returns an Access-Accept response that includes parameters (attribute-value pairs) governing the user's access. These parameters are configured in RADIUS and include the type of access, the protocol type, the IP address assigned to the user, any access control list (ACL) or static route to apply on the NAS, and other values.
The RADIUS accounting attributes (defined in RFC 2866; see Resources for related links) allow data to be sent at the beginning and end of a session, indicating the amount of resources used during the session, such as time, packets, and bytes. This information can be used for security or billing purposes.
Lightweight Directory Access Protocol
The Lightweight Directory Access Protocol (LDAP) is an open standard that defines a way to access and update information in an X.500-style directory. LDAP can be used to store user information in a central location so that the same information need not be stored on every system. It can also be used to maintain and access information in a consistent, controlled manner.
LDAP simplifies user management by keeping users in a centralized directory. Beyond storing user information, defining users in LDAP also makes optional features available, such as limiting the number of logins. In this article, you will learn how to configure a RADIUS server to authenticate users against LDAP; because the focus of this article is RADIUS, I will not describe the installation and configuration of the LDAP server.
OpenLDAP is an open source implementation of LDAP. You can find more information about it at openldap.org (see Resources for related links).
Scenario
Imagine the following scenario:
Users at home can access their company's intranet through dial-up authentication.
Laptops with wireless support can connect to a campus network through wireless authentication.
Administrators use their workstations to log on to network devices with Telnet or HTTP through administrative user authentication.
All of these authentication tasks can be handled by a single RADIUS server backed by a central LDAP server (see Figure 1).
Figure 1 Authentication with RADIUS and LDAP
In this article, I'll focus on implementing the last of these as an introduction to the solution. First, install the RADIUS server.
Installing RADIUS
RADIUS server software is available from several sources. In this article I use FreeRADIUS (see Resources for related links). Another option is Cisco Secure Access Control Server (ACS), a centralized user access control framework that can be used for user management across multiple Cisco devices on UNIX and Windows, and that supports the Cisco-specific TACACS+ protocol (which is said to offer more features on devices that support TACACS+).
FreeRADIUS is a powerful Linux-based RADIUS server from the open source community that can be used in today's distributed and heterogeneous computing environments. FreeRADIUS 1.0.2 supports LDAP, MySQL, PostgreSQL, and Oracle databases and is compatible with network protocols such as EAP and Cisco LEAP. FreeRADIUS is currently deployed in many large production networks.
The following steps show how to install and test FreeRADIUS 1.0 on Red Hat Enterprise Linux Advanced Server 3.0.2:
Listing 1 Installing and testing FreeRADIUS
tar -zxvf freeradius-1.0.2.tar.gz          # extract it with gunzip and tar
./configure
make
make install                               # run this command as root
radiusd                                    # start the RADIUS server
    or
radiusd -X                                 # start the RADIUS server in debug mode
radtest test test localhost 0 testing123   # test the RADIUS server
If radtest receives a response, the FreeRADIUS server is working properly.
I also recommend another free tool, NTRadPing, which can be used to test authentication and authorization requests from Windows clients. It displays the detailed responses sent back by the RADIUS server, such as attribute values.
Now let's configure FreeRADIUS.
Configure FreeRADIUS
Configuring the RADIUS server involves configuring the server itself, its clients, and its users (for both authentication and authorization). The RADIUS server can be configured differently for different needs; fortunately, most configurations are similar.
* Configure the server
The FreeRADIUS configuration files are typically located in the /etc/raddb directory. First, modify the radiusd.conf file as follows.
Listing 2 Modifying radiusd.conf
1) Global settings:
log_auth = yes                # log authentication requests to the log file
log_auth_badpass = no         # don't log passwords if the request is rejected
log_auth_goodpass = no        # don't log passwords if the request is accepted

2) LDAP settings:
modules {
    ldap {
        server = "bluepages.ibm.com"          # the hostname or IP address of the LDAP server
        port = 636                            # encrypted communications
        basedn = "ou=bluepages,o=ibm.com"     # define the base distinguished name (DN),
                                              # under the organization (o) "ibm.com",
                                              # in the organizational unit (ou) "bluepages"
        filter = "(mail=%u)"                  # specify the search criteria
        base_filter = "(objectclass=person)"  # specify the base search criteria
    }
}
authenticate {                                # enable authentication against LDAP
    Auth-Type LDAP {
        ldap
    }
}
The server parameter is set to IBM Bluepages, one instance of an LDAP service. For other LDAP servers, the parameters may differ.
* Configure the clients
Clients are configured in the /etc/raddb/clients.conf file. There are two ways to configure a RADIUS client: you can group NASes by IP subnet (Listing 3), or you can list each NAS by host name or IP address (Listing 4). With the second method you can also define shortname and nastype.
Listing 3 Grouping NASes by IP subnet
client 192.168.0.0/24 {
    secret    = mysecret1   # the "secret" must be the same as configured on the NAS
    shortname = mylan       # the "shortname" can be used for logging
    nastype   = cisco       # the "nastype" is used for checkrad and is optional
}
Listing 4 Listing a NAS by host name or IP address
client 192.168.0.1 {
    secret    = mysecret1
    shortname = myserver
    nastype   = other
}
* Configure users for authentication
The file /etc/raddb/users contains authentication and configuration information for each user.
Listing 5 The /etc/raddb/users file
1) Authentication type:
Auth-Type := LDAP               # authenticate against LDAP
Auth-Type := Local, User-Password == "mypasswd"
                                # authenticate against the password set in /etc/raddb/users
Auth-Type := System             # authenticate against the system password file,
                                # /etc/passwd or /etc/shadow
2) Service type:
Service-Type = Login,           # for administrative login
* Configure users for authorization
The following attribute-value (AV) pairs should be configured on the authentication server for user authorization. After authentication succeeds, these attribute-value pairs are returned to the NAS in the response to the administrator's login request.
For Cisco routers, there are different privilege levels:
Level 1 is unprivileged. The prompt is Router>, which is the default level on login.
Level 15 is privileged. The prompt is Router#, which is the level after entering enable mode.
Levels 2 through 14 are not used in the default configuration.
The following attribute allows a user to log on from the network access server and gain immediate access to privileged EXEC commands:
Cisco-AVPair = "shell:priv-lvl=15"
The following attribute does the same for a Cisco wireless access point:
Cisco-AVPair = "aironet:admin-capability=write+snmp+ident+firmware+admin"
Any combination of capabilities can be returned with this attribute:
Cisco-AVPair = "aironet:admin-capability=ident+admin"
Cisco-AVPair = "aironet:admin-capability=admin"
Consult Cisco for more information about these attributes.
Configure the network access server
Next we configure the NAS: first a Cisco router, then a Cisco WAP.
For Cisco IOS 12.1 routers, we enable AAA and then configure authentication, authorization, and accounting.
Listing 6 Enabling AAA
aaa new-model
radius-server host 192.168.0.100
radius-server key mysecret1
AAA must first be enabled on the router. Then specify the list of RADIUS servers that provide AAA services to the NAS. The shared key is used to protect the exchange between the NAS and the RADIUS server; it must match the secret configured in FreeRADIUS.
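To show what the shared key in Listing 6 actually protects, here is an added example (not code from the article or from FreeRADIUS) that implements the two places RFC 2865 uses it: hiding the User-Password in an Access-Request and computing the Response Authenticator that the NAS checks on every reply. The secret, Request Authenticator and attribute bytes in the test are constructed for illustration.

```python
import hashlib
import hmac

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3

def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then XOR each
    block with MD5(secret + previous block), where the first 'previous block' is the
    16-byte Request Authenticator from the Access-Request header."""
    if not 1 <= len(password) <= 128 or len(request_auth) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return bytes(out)

def reveal_password(hidden, secret, request_auth):
    """The server reverses the chain; only a holder of the same secret gets the password back."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def build_reply(code, ident, attrs, request_auth, secret):
    """Assemble a reply packet; its Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    length = (20 + len(attrs)).to_bytes(2, "big")
    resp_auth = hashlib.md5(bytes([code, ident]) + length + request_auth + attrs + secret).digest()
    return bytes([code, ident]) + length + resp_auth + attrs

def reply_is_authentic(packet, ident, request_auth, secret):
    """What the NAS does with a reply: recompute the Response Authenticator with its own
    secret and the Request Authenticator it sent. A reply built without the secret, or a
    Reject whose code was flipped to Accept in transit, fails here and is dropped."""
    if len(packet) < 20 or packet[1] != ident or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    expected = build_reply(packet[0], ident, packet[20:], request_auth, secret)[4:20]
    return hmac.compare_digest(packet[4:20], expected)
```

Both mechanisms rest entirely on the secret and on MD5, which is why the key in Listing 6 and the secret in Listing 3 should be long and random, and why PAP over RADIUS is only as strong as that secret.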
Listing 7 Configuring authentication
aaa authentication login default group radius local
line vty 0 4
 login authentication default
In this example, network administrators are authenticated with RADIUS. If the RADIUS server is unavailable, the local user database on the NAS is used instead.
Listing 8 Configuring authorization
aaa authorization exec default group radius if-authenticated
This allows the user to run an EXEC shell when logging on to the NAS.
Listing 9 Configuring accounting
aaa accounting system default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting exec default stop-only group radius
aaa accounting commands 1 default stop-only group radius
aaa accounting commands 15 default wait-start group radius
The router must be explicitly configured to send accounting records to the RADIUS server. The commands in Listing 9 record accounting information about NAS system events, network connections, outbound connections, EXEC sessions, and commands at privilege levels 1 and 15.
Good. Now let's look at the configuration for the Cisco wireless access point. The following configuration applies to Cisco Aironet series access points with firmware 12.01T1. As shown in the screenshot in Figure 2, you:
* Enter the server name or IP address and the shared secret.
* Select "RADIUS" as the type and select "User Authentication".
Figure 2 Configuring the NAS for the WAP
Here you can also configure EAP authentication so that FreeRADIUS can be used to authenticate ordinary users of the wireless LAN.
Accounting: RADIUS at work
Now that the configuration is complete, the FreeRADIUS server can start recording the information sent by the NAS and store it in the /var/log/radius/radius.log file, like this:
Listing 10 The /var/log/radius/radius.log file
Thu Mar  3 21:37:32 2005 : Auth: Login OK: [David] (from client
Mon Mar  7 23:39:53 2005 : Auth: Login incorrect: [John] (from client mylan port 1 cli 192.168.0.94)
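The lines in Listing 10 are the raw material for spotting password guessing against a NAS. The following added example (not from the article) parses that FreeRADIUS 1.x log format and reports sources that fail repeatedly for the same user; the log lines, client names and addresses it contains are constructed.

```python
import re
from collections import Counter

# FreeRADIUS 1.x radius.log auth line, e.g.
#   Thu Mar  3 21:37:32 2005 : Auth: Login OK: [david] (from client mylan port 1 cli 192.168.0.94)
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)$"
)

def parse_auth_line(line):
    """Return the fields of one Auth line, or None for anything else (truncated lines included)."""
    m = AUTH_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ok"] = rec.pop("result") == "OK"
    rec["cli"] = rec["cli"] or "unknown"   # cli is absent when the NAS sent no Calling-Station-Id
    return rec

def failed_logins(lines, threshold=3):
    """Count 'Login incorrect' events per (source address, user); return those that reach
    the threshold, busiest first, as (source, user, count) tuples."""
    counts = Counter()
    for line in lines:
        rec = parse_auth_line(line)
        if rec and not rec["ok"]:
            counts[(rec["cli"], rec["user"])] += 1
    return [(src, user, n) for (src, user), n in counts.most_common() if n >= threshold]

# Constructed sample in the format above (not output from a real server).
SAMPLE_LOG = """\
Thu Mar  3 21:37:32 2005 : Auth: Login OK: [david] (from client mylan port 1 cli 192.168.0.94)
Mon Mar  7 23:39:53 2005 : Auth: Login incorrect: [john] (from client mylan port 1 cli 192.168.0.94)
Mon Mar  7 23:40:01 2005 : Auth: Login incorrect: [john] (from client mylan port 1 cli 192.168.0.94)
Mon Mar  7 23:40:09 2005 : Auth: Login incorrect: [john] (from client mylan port 1 cli 192.168.0.94)
Mon Mar  7 23:41:15 2005 : Auth: Login incorrect: [admin] (from client myserver port 2)
Mon Mar  7 23:45:00 2005 : Auth: Login OK: [john] (from client mylan port 1 cli 192.168.0.94)
""".splitlines()

if __name__ == "__main__":
    for src, user, n in failed_logins(SAMPLE_LOG):
        print(f"{n} failed logins for {user!r} from {src}")
```

Because log_auth_badpass is off in Listing 2, the guessed passwords themselves never reach this file, so the counts are all you get and all you need.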
Detailed accounting information is stored in the /var/log/radius/radacct directory. Listing 11 shows that David logged in from 192.168.0.94 to router 192.168.0.1 from 19:40 to 19:51 on March 4, 2005. Such detail is undoubtedly a big help for administrators who are investigating security incidents and trying to maintain records that are easy to audit.
Listing 11 Example of accounting details provided by RADIUS
Fri Mar  4 19:40:12 2005
    NAS-IP-Address = 192.168.0.1
    NAS-Port = 1
    NAS-Port-Type = Virtual
    User-Name = "David"
    Calling-Station-Id = "192.168.0.94"
    Acct-Status-Type = Start
    Acct-Authentic = RADIUS
    Service-Type = NAS-Prompt-User
    Acct-Session-Id = "00000026"
    Acct-Delay-Time = 0
    Client-IP-Address = 192.168.0.1
    Acct-Unique-Session-Id = "913029a52dacb116"
    Timestamp = 1109936412

Fri Mar  4 19:51:17 2005
    NAS-IP-Address = 192.168.0.1
    NAS-Port = 1
    NAS-Port-Type = Virtual
    User-Name = "David"
    Calling-Station-Id = "192.168.0.94"
    Acct-Status-Type = Stop
    Acct-Authentic = RADIUS
    Service-Type = NAS-Prompt-User
    Acct-Session-Id = "00000026"
    Acct-Terminate-Cause = Idle-Timeout
    Acct-Session-Time = 665
    Acct-Delay-Time = 0
    Client-IP-Address = 192.168.0.1
    Acct-Unique-Session-Id = "913029a52dacb116"
    Timestamp = 1109937077
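Reading a radacct detail file by eye works for one session; for an audit you want the Start and Stop records paired automatically. This added example (not from the article) does that for the FreeRADIUS 1.x detail format, reports who logged in from where and for how long, and flags records whose NAS-reported Acct-Session-Time does not match the two Timestamps. The embedded excerpt is constructed to mirror Listing 11.

```python
import re
# Constructed detail-file excerpt in FreeRADIUS 1.x format; the values mirror Listing 11.
SAMPLE_DETAIL = """\
Fri Mar  4 19:40:12 2005
\tNAS-IP-Address = 192.168.0.1
\tUser-Name = "David"
\tCalling-Station-Id = "192.168.0.94"
\tAcct-Status-Type = Start
\tAcct-Unique-Session-Id = "913029a52dacb116"
\tTimestamp = 1109936412

Fri Mar  4 19:51:17 2005
\tNAS-IP-Address = 192.168.0.1
\tUser-Name = "David"
\tCalling-Station-Id = "192.168.0.94"
\tAcct-Status-Type = Stop
\tAcct-Terminate-Cause = Idle-Timeout
\tAcct-Session-Time = 665
\tAcct-Unique-Session-Id = "913029a52dacb116"
\tTimestamp = 1109937077
"""
ATTR = re.compile(r'^\s+(?P<name>[\w-]+)\s*=\s*"?(?P<value>.*?)"?\s*$')
def parse_detail(text):
    """One dict per blank-line-separated record; the leading date line is skipped."""
    records, current = [], {}
    for line in text.splitlines() + [""]:  # the trailing "" flushes the last record
        m = ATTR.match(line)
        if m:
            current[m["name"]] = m["value"]
        elif not line.strip() and current:
            records.append(current)
            current = {}
    return records
def sessions(records):
    """Pair Start/Stop by Acct-Unique-Session-Id; flag Acct-Session-Time vs Timestamp mismatch."""
    by_id = {}
    for rec in records:
        by_id.setdefault(rec.get("Acct-Unique-Session-Id"), {})[rec.get("Acct-Status-Type")] = rec
    out = []
    for pair in by_id.values():
        start, stop = pair.get("Start"), pair.get("Stop")
        rec = start or stop
        elapsed = int(stop["Timestamp"]) - int(start["Timestamp"]) if start and stop else None
        reported = int(stop["Acct-Session-Time"]) if stop and "Acct-Session-Time" in stop else None
        out.append({"user": rec.get("User-Name"), "from": rec.get("Calling-Station-Id"),
                    "nas": rec.get("NAS-IP-Address"), "open": stop is None,
                    "duration": reported if elapsed is None else elapsed,
                    "cause": stop.get("Acct-Terminate-Cause") if stop else None,
                    "consistent": None in (elapsed, reported) or elapsed == reported})
    return out
```

A session that is still "open" long after the expected idle timeout, or one whose duration is inconsistent, is worth a second look during an incident review.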
Conclusion
By following the simple steps in this article, you can set up a Remote Authentication Dial-In User Service server that uses an external LDAP server to handle authentication, authorization, and accounting for your network devices. This article provided the following to help you accomplish this task:
* An introduction to RADIUS and LDAP servers and to the AAA concept.
* A scenario that ties the installation and configuration tasks together.
* Instructions for installing and configuring a RADIUS server.
* Details on configuring the network access server.
* An example of the detailed accounting information RADIUS provides.
These instructions let you quickly ensure that protected data on Linux systems is accessible only to authorized entities.