FreeRADIUS Beginner's Guide
About this ebook
The Open Source pioneers have proved during the past few decades that their code and projects can indeed be more solid and popular than commercial alternatives. With data networks always expanding in size and complexity, FreeRADIUS is at the forefront of controlling access to and tracking network usage. Although many vendors have tried to produce better products, FreeRADIUS has proved over time why it is the champion RADIUS server. This book will reveal everything you need to know to get started with using FreeRADIUS.
FreeRADIUS has always been a back-room boy. It's not easy to measure the size or number of deployments world-wide but all indications show that it can outnumber any commercial alternatives available. This essential server is part of ISPs, universities, and many corporate networks, helping to control access and measure usage. It is a solid, flexible, and powerful piece of software, but can be a mystery to a newcomer.
FreeRADIUS Beginner's Guide is a friend of newcomers to RADIUS and FreeRADIUS. It covers the most popular Linux distributions of today, CentOS, SUSE, and Ubuntu, and discusses all the important aspects of FreeRADIUS deployment: Installing, configuring and testing; security concerns and limitations; LDAP and Active Directory integration.
It contains plenty of practical exercises that will help you with everything from installation to the more advanced configurations like LDAP and Active Directory integration. It will help you understand authentication, authorization and accounting in FreeRADIUS. It uses many practical step-by-step examples, which are discussed in detail to lead you to a thorough understanding of the FreeRADIUS server as well as the RADIUS protocol. A quiz at the end of each chapter validates your understanding.
Not only can FreeRADIUS be used to monitor and limit the network usage of individual users, but large deployments are possible with realms and fail-over functionality. FreeRADIUS can work alone or be part of a chain where the server is a proxy for other institutions' users, forwarding requests to their servers. FreeRADIUS features one of the most versatile and comprehensive Extensible Authentication Protocol (EAP) implementations. EAP is an essential requirement for implementing enterprise WiFi security. FreeRADIUS Beginner's Guide covers all of these aspects.
A comprehensive guide to deployment and administration of FreeRADIUS on Linux
Approach
This is a fast-paced Beginner's Guide that will take you step by step through the fundamentals of FreeRADIUS and using it in your live projects. It has been structured in a way that will let you get maximum practical information out of it in setting up your own FreeRADIUS server. It will guide you on all the aspects of FreeRADIUS and do much more to get you all the 'A's right.
Who this book is for
If you are an Internet Service Provider (ISP) or a network manager who needs to track and control network usage, then this is the book for you.
You need to be familiar with Linux and have a solid understanding of TCP/IP. No previous knowledge of RADIUS or FreeRADIUS is required.
Dirk van der Walt
Dirk van der Walt is an Open Source Software Specialist from Pretoria, South Africa. He is a firm believer in the potential of Open Source software. Being a Linux user for almost 10 years, it was love at first boot. From then on Dirk has spent his available time sharing his knowledge with others equally passionate about the freedom and affordability Open Source software gives to the community. In 2003 Dirk started coding with Perl as his language of choice and gave his full attention to functional and aesthetic user interface design. He also compiled an online Gtk2-Perl study guide to promote the advancement of Perl on the desktop. As Rich Internet Applications (RIA) became more popular, Dirk added the Dojo toolkit and CakePHP to his skill set to create an AJAX-style front-end to a FreeRADIUS MySQL database. His latest work is YFi Hotspot Manager. Today YFi Hotspot Manager is used in many localities around the globe. With many contributors to the project it proves just how well the Open Source software model can work.
FreeRADIUS Beginner's Guide - Dirk van der Walt
Table of Contents
FreeRADIUS
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why Subscribe?
Free Access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Time for action – heading
What just happened?
Pop quiz – heading
Have a go hero – heading
Reader feedback
Customer support
Errata
Piracy
Questions
1. Introduction to AAA and RADIUS
Authentication, Authorization, and Accounting
Authentication
Authorization
Accounting
RADIUS
RADIUS protocol (RFC2865)
The data packet
Code
Identifier
Length
Authenticator
Attributes
Conclusion
AVPs
Type
Length
Value
Vendor-Specific Attributes (VSAs)
Proxying and realms
RADIUS server
RADIUS client
RADIUS accounting (RFC2866)
Operation
Packet format
Acct-Status-Type (Type40)
Acct-Input-Octets (Type42)
Acct-Output-Octets (Type43)
Acct-Session-Id (Type44)
Acct-Session-Time (Type46)
Acct-Terminate-Cause (Type49)
Conclusion
RADIUS extensions
Dynamic Authorization extension (RFC5176)
Disconnect-Message (DM)
Change-of-Authorization Message (CoA)
RADIUS support for EAP (RFC3579)
FreeRADIUS
History
Strengths
Weaknesses
The competition
Summary
Pop quiz – RADIUS knowledge
2. Installation
Before you start
Pre-built binary
Time for action – installing FreeRADIUS
What just happened?
Advantages
Extra packages
Available packages
CentOS
SUSE
Ubuntu
Special considerations
Remember the firewall
CentOS
SUSE
Have a go hero – installing from source
Building from source
Advantages of building packages
CentOS
Time for action – building CentOS RPMs
What just happened?
Installing rpm-build
The source RPM package
The package name
Updating an existing installation
SUSE
Time for action – SUSE: from tarball to RPMs
Adding an OpenSUSE repository
What just happened?
zypper or yast -i
Tweaks done by hand
Ubuntu
Time for action – Ubuntu: from tarball to debs
What just happened?
Installing dpkg-dev
Using build-dep
fakeroot
dpkg-buildpackage
Installing the debs
For those preferring the old school
Installed executables
Running as root or not
Dictionary access for client programs
Ensure proper start-up
Summary
Pop quiz – installation
3. Getting Started with FreeRADIUS
A simple setup
Time for action – configuring FreeRADIUS
What just happened?
Configuring FreeRADIUS
Clients
Sections
Client identification
Shared secret
Message-Authenticator
Nastype
Common errors
Users
Files module
PAP module
Users file
Check items
Reply items
Operators
Substitution
DEFAULT user
Login-Time
Simultaneous-Use
Framed-IP-Address
Radtest
Helping yourself
Installed documentation
Man pages
Time for action – discovering available man pages for FreeRADIUS
dpkg systems
rpm systems
radtest revisited
Radclient
What just happened?
Have a go hero – adding more AVPs to the auth request
Configuration file comments
Pop quiz – clients.conf
Online documentation
Online help
Golden rules
Inside radiusd
Configuration files
Important includes
Libraries and dictionaries
FreeRADIUS-specific AVPs
Running as ...
Listen section
Log files
radiusd
Who was logged in and when?
Who is logged in right now?
Summary
4. Authentication
Authentication protocols
PAP
CHAP
MS-CHAP
FreeRADIUS—authorize before authenticate
Time for action – authenticating a user with FreeRADIUS
What just happened?
Access-Request arrives
Authorization
Authorize set Auth-Type
Authorization in action
Authentication
Post-Auth
Finish
Conclusion
Have a go hero – using other authentication protocols
Storing passwords
Hash formats
Time for action – hashing our password
Crypt-Password
MD5-Password
SMD5-Password
SHA-Password
SSHA-Password
NT-Password or LM-Password
What just happened?
Hash formats and authentication protocols
Other authentication methods
One-time passwords
Certificates
Summary
Pop quiz – authentication
5. Sources of Usernames and Passwords
User stores
System users
Time for action – incorporating Linux system users in FreeRADIUS
Preparing rights
SUSE is different
CentOS
Activating system users
What just happened?
Authorize using the unix module
Authenticating using pap
Tips for including system users
MySQL as a user store
Time for action – incorporating a MySQL database in FreeRADIUS
Installing MySQL
Installing FreeRADIUS's MySQL package
Preparing the database
Configuring FreeRADIUS
Connection information
Including the SQL configuration
Virtual server
Testing the MySQL user store
What just happened?
Advantages of SQL over flat files
Other uses for the SQL database
Duplicate users
The database schema
Groups
Have a go hero – exploring group usage
Using SQL Groups
Controlling the use of groups
Profiles
LDAP as a user store
Time for action – connecting FreeRADIUS to LDAP
Installing slapd
Configuring slapd
CentOS
SUSE
Ubuntu
Adding the radiusProfile schema
Populating the LDAP directory
Installing FreeRADIUS's LDAP package
Configuring the ldap module
Testing the LDAP user store
What just happened?
Binding as a user
Advanced use of LDAP
Have a go hero – explore advanced use of LDAP
Ldap-Group and User-Profile AVP
Reading passwords from LDAP
Active Directory as a user store
Time for action – connecting FreeRADIUS to Active Directory
Installing Samba
Configuring Samba
Joining the domain
CentOS
SUSE
Ubuntu
FreeRADIUS and ntlm_auth
PAP Authentication
MS-CHAP Authentication
Summary
Linux system users
SQL database
LDAP directory
Active Directory
Pop quiz – user stores
6. Accounting
Requirements for this chapter
Basic accounting
Time for action – simulate accounting from an NAS
Files for simulation
Starting a session
Ending a session
Orphan sessions
What just happened?
Independence of accounting
NAS: important AVPs
Acct-Status-Type
Acct-Session-Id
AVPs indicating usage
NAS: included AVPs
FreeRADIUS: pre-accounting section
Realms
Setting Acct-Type
FreeRADIUS: accounting section
Minimising orphan sessions
radwho
radzap
Limiting a user's simultaneous sessions
Time for action – limiting a user's simultaneous sessions
What just happened?
Session section
Problems with orphan sessions
checkrad
Limiting the usage of a user
30 minutes per day in total
How FreeRADIUS can help
Time for action – limiting a user's usage
Activating a daily counter
Terminating the session at a specified time
What just happened?
rlm_counter
Have a go hero – using a single database for various counters
Using rlm_sqlcounter
Resetting the counter
SQL module instance
Special variables inside the query
Empty account records
Counters that reset daily
Counting octets
Housekeeping of accounting data
Web-based tools
Summary
Pop quiz – accounting
7. Authorization
Implementing restrictions
Authorization in FreeRADIUS
Introduction to unlang
Using conditional statements
Time for action – using the if statement in unlang
Obtaining a return code using the if statement
Authorizing a user using the if statement
What just happened?
Module return codes
Keywords in unlang
Have a go hero – other tests using conditional statements
Checking if an attribute exists
Using logical expressions to authenticate a user
Attributes and variables
Attribute lists
Time for action – referencing attributes
Attributes in the if statement
What just happened?
Referencing attributes in a condition
Comparison operators
Attribute manipulation
Variables
Time for action – SQL statements as variables
What just happened?
Time for action – setting default values for variables
What just happened?
Time for action – using command substitution
What just happened?
Time for action – using regular expressions
What just happened?
Practical unlang
Limiting data usage
Time for action – using unlang to create a data counter
Defining custom attributes
32-bit limitation
Using the perl module
reset_time.pl
check_usage.pl
Installing the perl module on CentOS
Updating the dictionary files
The recommended way of updating dictionaries
Preparing the users file
Preparing the SQL database
Adding unlang code to the virtual server
The SUSE and Ubuntu bug
Pre-loading Perl library
Testing the data counter
Clean-up
Summary
Pop quiz – authorization
8. Virtual Servers
Why use virtual servers?
Defining and enabling virtual servers
Time for action – creating two virtual servers
What just happened?
Available sub-sections
Enabling and disabling virtual servers
Using enabled virtual servers
Time for action – using a virtual server
What just happened?
Including a virtual server
Handling Post-Auth-Type correctly
Taking care of Type attributes
Virtual server for happy hour
Time for action – incorporating the Hotspot Happy Hour policy
Enabling the Happy Hour virtual server
Adding the virtual server to a client
What just happened?
Defining clients in SQL
Consolidating an existing setup using a virtual server
Time for action – creating a virtual server for the Computer Science faculty
Consolidation implementation
A named files section
A virtual server for the Computer Science faculty
Incorporating the new virtual server
What just happened?
What about users stored in SQL?
When IP addresses and ports clash
Local listen and client sections
IPv6
Listen section → type directive
Pre-defined virtual servers
Summary
Pop quiz – virtual servers
9. Modules
Installed, available, and missing modules
Time for action – discovering available modules
Locating installed modules
What just happened?
Naming convention
Adding alternative paths
Available modules
Missing modules
Including and configuring a module
Time for action – incorporating expiration and linelog modules
What just happened?
Configuring a module
Using modules
Sections that can contain modules
Using one module with different configurations
Have a go hero – creating multiple instances of a module
What just happened?
Order of modules and return codes
Time for action – investigating the order of modules
Access-Request
Return codes
Some interesting modules
Summary
Pop quiz – modules
10. EAP
EAP basics
EAP components
Authenticator
Supplicant
Backend authentication server
EAP conversation
EAPOL-Start
EAPOL-Packet
Practical EAP
Time for action – testing EAP on FreeRADIUS with JRadius Simulator
Preparing FreeRADIUS
Configuring JRadius Simulator
What just happened?
Configuring the eap module
The user store
EAP on the client
EAP in production
Public Key Infrastructure in brief
Creating a PKI
Time for action – creating a RADIUS PKI for your organization
What just happened?
Why use a PKI?
Adding a CA to the client
Configuring the inner-tunnel virtual server
Time for action – testing authentication on the inner-tunnel virtual server
What just happened?
The difference between inner and outer identities
Have a go hero – using JRadius Simulator to test with two identities
What just happened?
Naming conventions for the outer identity
Disabling unused EAP methods
Time for action – disabling unused EAP methods
What just happened?
Message-Authenticator
Summary
Pop quiz – EAP
11. Dictionaries
Why do we need dictionaries?
Parsing requests
Generating responses
How to include dictionaries
Time for action – including new dictionaries
What just happened?
How FreeRADIUS includes dictionary files
Including your own dictionary files
Including dictionary files already installed
Adding private attributes
Updating an existing dictionary
Time for action – updating the MikroTik dictionary
What just happened?
Finding the latest supported attributes
Location of updated dictionary files
Order of inclusions
Attribute names
Upgrading FreeRADIUS
Format of dictionary files
Notes inside the comments
Vendor definitions
Attributes and values
Name field
Number field
Type field
Optional vendor field
Value definitions
Accessing dictionary files
Summary
Pop quiz – dictionaries
12. Roaming and Proxying
Roaming—an overview
Agreement between an ISP and a Telco
Agreement between two organizations
Realms
Time for action – investigating the default realms in FreeRADIUS
What just happened?
Suffix module
NULL realm
Enabling an instance of the realm module
Defining the NULL realm
Time for action – activating the NULL realm
What just happened?
Stripped-User-Name and realm
LOCAL realm
Actions for a realm
Defining a proper realm
Time for action – defining the realm
What just happened?
Rejecting usernames without a realm
Time for action – rejecting requests without a realm
What just happened?
DEFAULT realm
In closing
Proxying
Time for action – configuring proxying between two organizations
What just happened?
Proxying authentication requests
home_server
home_server_pool
Flow chart of an authentication proxy request
Suffix setting control: Proxy-To-Realm
Pre-proxy section
Post-proxy section
EAP and dynamic VLANs
Have a go hero – testing proxying of EAP authentication
Removing and replacing reply attributes
Time for action – filtering reply attributes returned by a home server
What just happened?
Status of the home servers
Time for action – using the preferred way for status checking
Proxying accounting requests
Time for action – simulating proxied accounting
What just happened?
Flow of an accounting proxy request
Updating accounting records after a server outage
Have a go hero – implementing robust-proxy-accounting functionality
Summary
Pop quiz – roaming and proxying
13. Troubleshooting
Basic principles
FreeRADIUS does not start up
Who's using my port?
Checking the configuration
Finding a missing module or library
Fixing a broken external component
FreeRADIUS refuses to start
FreeRADIUS runs despite the display of an error message
FreeRADIUS only reports a problem when answering a request
Using the startup script
FreeRADIUS is slow
Time for action – performing baseline speed testing
What just happened?
Tuning the performance of FreeRADIUS
Main server
LDAP Module
SQL Module
Redundancy and load-balancing
Things beyond our control
FreeRADIUS dies
Client-related problems
Testing UDP connectivity to a RADIUS server
The control-socket virtual server
Time for action – using the control-socket and raddebug for troubleshooting
CentOS
SUSE
Ubuntu
Using raddebug
What just happened?
Remember the log output
Spotting a mismatched shared secret
Options for raddebug
Raddebug auto termination
If there's no output from raddebug
Authenticating users
Editing the users file
Using raddebug
When passwords change
Password length
EAP problems
The CA certificate
Identify where a problem is located
Problems with proxying
Online resources
Using the mailing list
Summary
Pop quiz – troubleshooting
A. Pop Quiz Answers
Chapter 1
Pop quiz – RADIUS knowledge
Chapter 2
Pop quiz – installation
Chapter 3
Pop quiz – clients.conf
Chapter 4
Pop quiz – authentication
Chapter 5
Pop quiz – user stores
Chapter 6
Pop quiz – accounting
Chapter 7
Pop quiz – authorization
Chapter 8
Pop quiz – virtual servers
Chapter 9
Pop quiz – modules
Chapter 10
Pop quiz – EAP
Chapter 11
Pop quiz – dictionaries
Chapter 12
Pop quiz – roaming and proxying
Chapter 13
Pop quiz – troubleshooting
Index
FreeRADIUS
Beginner's Guide
Copyright © 2011 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: September 2011
Production Reference: 1260811
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-849514-08-8
www.packtpub.com
Cover Image by Asher Wishkerman (<a.wishkerman@mpic.de>)
Credits
Author
Dirk van der Walt
Reviewers
Ante Gulam
Atif Razzaq
Acquisition Editor
Chaitanya Apte
Development Editors
Kartikey Pandey
Alina Lewis
Technical Editor
Vanjeet D'souza
Copy Editor
Neha Shetty
Project Coordinator
Srimoyee Ghoshal
Proofreader
Chris Smith
Indexers
Hemangini Bari
Tejal Daruwale
Graphics
Nilesh Mohite
Production Coordinator
Adline Swetha Jesuthas
Cover Work
Adline Swetha Jesuthas
About the Author
Dirk van der Walt is an open source software specialist from Pretoria, South Africa. He is a firm believer in the potential of open source software. Being a Linux user for almost ten years, it was love at first boot. From then on Dirk spent his available time sharing his knowledge with others equally passionate about the freedom and affordability open source software gives to the community.
In 2003, Dirk started coding with Perl as his language of choice and gave his full attention to functional and aesthetic user interface design. He also compiled an online Gtk2-Perl study guide to promote the advancement of Perl on the desktop.
As Rich Internet Applications (RIA) became more popular, Dirk added the Dojo toolkit and CakePHP to his skills set to create an AJAX-style front-end to a FreeRADIUS MySQL database. His latest work is YFi Hotspot Manager. Today YFi Hotspot Manager is used in many localities around the globe. With many contributors to the project it proves just how well the open source software model can work.
I'd like to thank the Lord Jesus for life and light, my wife Petra and daughter Daniélle for all their support and understanding, my brother Karel for his interest and help. I would also like to thank the people involved with the FreeRADIUS project, from the coders to the commenters. Lastly I'd like to thank Packt Publishing for supporting Open Source software the way they do.
About the Reviewers
Ante Gulam is a 26-year-old software and system engineer with more than seven years of working experience in various segments of the IT industry. He has worked as a consultant and system engineer on POSIX-compliant systems (Linux, BSD, SCO, and others), and lately has focused mainly on security, design, and administration of Microsoft-based enterprise solutions. Ante is currently working as a system engineer and software developer, primarily on MS platforms (.NET) in Ri-ing d.o.o., a medium-sized software development company.
Being involved in security for several years Ante gained experience in the development of various security tools based on many different technologies and has written articles and co-edited Phearless Security Ezine actively for the last four years. Presently, he is working on large networking projects and enterprise environments; adopting them for standards like PCI-DSS enables him to stay in touch with security on the enterprise level.
I would like to thank my family, my friends, and my girlfriend for their patience. Also all the guys from the gn00bz team for all the hours full of fun and knowledge while playing CTF for the past couple of years.
Atif Razzaq holds an MSc degree from Strathclyde University, Glasgow, UK in Communication, Control, and Digital Signal Processing, and a BSc degree in Computer Science from NUCES, Pakistan. After his MSc degree, he started his career as a software engineer in the area of Mobile Application Development in J2ME in Tricastmedia, Glasgow, UK. During this period he also published an article at Java.net titled Getting Started with BlackBerry J2ME Development.
He is currently working as the Development Manager at Terminus Technologies, which specializes in telecom billing software development. His responsibilities include the development of the billing system and its integration with other applications, both proprietary and open source (Asterisk, FreeSwitch, FreeRADIUS, and others). Prior to joining Terminus Technologies, he worked on telecom billing at Comcerto, Bahrain. He has been working on telecom billing and VoIP/SIP Telephony for about three years.
In his free time, he writes his own blog on different ICT topics available at http://atif-razzaq.blogspot.com. He can be contacted at
It has been a great experience working on this project. I'd like to thank the whole team working on this project: the author and all members from Packt Publishing. I'd like to thank my family for giving up their share of time which I gave to this project. Finally, I'd thank the Great Lord for everything and then my parents who taught me and made me what I am.
www.PacktPub.com
Support files, eBooks, discount offers, and more
You might want to visit www.PacktPub.com for support files and downloads related to your book.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
http://PacktLib.PacktPub.com
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read, and search across Packt's entire library of books.
Why Subscribe?
Fully searchable across every book published by Packt
Copy and paste, print and bookmark content
On demand and accessible via web browser
Free Access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.
Preface
FreeRADIUS Beginner's Guide contains plenty of practical exercises that will help you with everything from basic installation to the more advanced configurations like LDAP and Active Directory integration. This book will help you understand authentication, authorization, and accounting in FreeRADIUS using the most popular Linux distributions of today. Larger deployments with realms and fail-over configuration are also covered along with tips. A quiz at the end of each chapter validates your understanding.
What this book covers
The book can be divided into three sections:
Introduction and installation (Chapter 1 to Chapter 3)
AAA functions of FreeRADIUS (Chapter 4 to Chapter 7)
Advanced topics (Chapter 8 to Chapter 13)
Let's see what each chapter deals with:
Chapter 1, Introduction to AAA and RADIUS, introduces FreeRADIUS and the RADIUS protocol. It highlights some key RADIUS concepts, which help the user avoid common misunderstandings.
Chapter 2, Installation, describes how to build and install FreeRADIUS from source on popular Linux distributions. It also covers installing the FreeRADIUS packages included with popular Linux distributions. Ubuntu, SUSE, and CentOS will be used to ensure a wide coverage.
Chapter 3, Getting Started with FreeRADIUS, gives a brief introduction on the various components of FreeRADIUS. It also discusses the process of handling a basic authentication request.
Chapter 4, Authentication, teaches authentication methods and how they work. Extensible Authentication Protocol (EAP) is covered later in a dedicated chapter.
Chapter 5, Sources of Usernames and Passwords, covers various places where username/password combinations can be stored. It shows which modules are involved and how to configure FreeRADIUS to utilize these stores.
Chapter 6, Accounting, discusses the need for accounting and the options available to record accounting data. It also discusses implementing a policy that includes limiting sessions and/or time and/or data.
Chapter 7, Authorization, discusses various aspects of authorization including the use of unlang.
Chapter 8, Virtual Servers, discusses various aspects of virtual servers and where they can potentially be used.
Chapter 9, Modules, discusses the various modules used by FreeRADIUS and how to configure multiple instances of a certain module.
Chapter 10, EAP, is a dedicated chapter on EAP and serves as a one-stop reference for EAP (802.1X and WiFi).
Chapter 11, Dictionaries, introduces dictionaries, which are used to map the names seen and used by an administrator, to the numbers used by the RADIUS protocol.
Chapter 12, Roaming and Proxying, deals with the proxying of authorization and accounting requests, which the RADIUS protocol allows and which makes roaming possible. This chapter covers various aspects of proxying in FreeRADIUS.
Chapter 13, Troubleshooting, works through many common problems, giving examples of what to look for, and how to fix the issue.
What you need for this book
You need to be familiar with Linux and have a solid understanding of TCP/IP. No previous knowledge of RADIUS or FreeRADIUS is required.
To get the most out of the practical exercises you will need a clean install of Ubuntu, SUSE, or CentOS.
Who this book is for
If you are an Internet Service Provider (ISP) or a network manager who needs to track and control network usage, then this is the book for you.
Conventions
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Time for action – heading
Action 1
Action 2
Action 3
Instructions often need some extra explanation so that they make sense, so they are followed with:
What just happened?
This heading explains the working of tasks or instructions that you have just completed.
You will also find some other learning aids in the book, including:
Pop quiz – heading
These are short multiple choice questions intended to help you test your own understanding.
Have a go hero – heading
These set practical challenges and give you ideas for experimenting with what you have learned.
Code words in text are shown as follows: The rlm_sqlcounter module allows defining various counters (time- or data-based) to keep track of a user's usage.
A block of code is set as follows:
if (control:Auth-Type == 'PAP') {
    update reply {
        Reply-Message := '/bin/echo We are using %{control:Auth-Type}'
    }
}
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
if (control:Auth-Type == 'PAP') {
    update reply {
        Reply-Message := '/bin/echo We are using %{control:Auth-Type}'
    }
}
Any command-line input or output is written as follows:
INSERT INTO radcheck (username, attribute, op, value) VALUES ('bob', 'Cleartext-Password', ':=', 'passbob');
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: clicking the Next button moves you to the next screen.
Note
Warnings or important notes appear in a box like this.
Tip
Tips and tricks appear like this.
Reader feedback
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to <feedback@packtpub.com>, and mention the book title via the subject of your message.
If there is a book that you need and would like to see us publish, please send us a note in the SUGGEST A TITLE form on www.packtpub.com or e-mail
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Customer support
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Note
Downloading the example code for this book
You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.
Errata
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.
Piracy
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <copyright@packtpub.com> with a link to the suspected pirated