
Freeradius on Debian 7

Posted on 26 September 2014


Hi,
Recently I deployed the wifi in an association in my city. The infrastructure consists of a
central GNU/Linux server that provides all the classical services (DHCP, DNS, OpenLDAP,
Samba 3 DC, Squid/SquidGuard proxy). The user information is stored in the OpenLDAP
database. FreeRADIUS will be coupled to the LDAP database in order to authenticate the users on the
wifi.
For the hardware I bought two Cisco Small Business access points and two TP-Link power injectors.

Installation & basic authentication


Installation via apt:
apt-get install freeradius

Add a test user “testuser” with “testpassword” as password:


vim /etc/freeradius/users
# test user, remember to delete after testing
testuser Cleartext-Password := "testpassword"

service freeradius restart

Authentication test:
radtest testuser testpassword localhost 0 testing123

At the end of the previous command there is a shared secret (“testing123”). This parameter is
defined in /etc/freeradius/clients.conf. In this file you need to add all the clients that are allowed to
request user authentication, typically the access points. By default localhost is allowed with
“testing123” as shared secret.

EAP-TTLS
By default, EAP-TTLS is already configured. In this part we will just check that authentication works
with the eapol_test tool.
eapol_test installation:
apt-get install build-essential libssl-dev
wget http://w1.fi/releases/wpa_supplicant-0.7.3.tar.gz
tar -xvf wpa_supplicant-0.7.3.tar.gz
cd wpa_supplicant-0.7.3/wpa_supplicant
cp defconfig .config
make eapol_test
cp eapol_test /usr/local/bin

eapol_test EAP-TTLS authentication test:


To work, eapol_test needs a valid configuration file that defines the authentication method, the
EAP type, the user and password…
vim /root/eapol_config
network={
eap=TTLS
eapol_flags=0
key_mgmt=IEEE8021X
identity="testuser"
password="testpassword"
phase2="auth=PAP"
}

Run the test:


eapol_test -c /root/eapol_config -a 127.0.0.1 -p 1812 -s testing123 -r 1

If everything is fine, “SUCCESS” will appear at the end of the standard output. You can follow the
logs in the log file located in /var/log/freeradius/radius.log. If you have an error, you will see it
there:
tail -f /var/log/freeradius/radius.log

Logs configuration
I wanted the logs to be more verbose and in particular to show user authentication. These changes
are made in /etc/freeradius/radiusd.conf.
vim /etc/freeradius/radiusd.conf
# in the log { } section
auth = yes            # log every authentication request
auth_badpass = yes    # also write the password of failed attempts to the log
auth_goodpass = yes   # also write the (cleartext) password of successful attempts to the log

service freeradius restart


tail -f /var/log/freeradius/radius.log

LDAP association
Now the basic server works well. It’s time to associate the FreeRADIUS server with the central LDAP
server.

Basic installation
apt-get install freeradius-ldap
vim /etc/freeradius/modules/ldap
server = "192.168.10.1"
identity = "cn=admin,dc=mydomain,dc=com"
password = ldappassword
basedn = "dc=mydomain,dc=com"

Uncomment the following lines in the two configuration files:


vim /etc/freeradius/sites-available/default
ldap
Auth-Type LDAP {
ldap
}

vim /etc/freeradius/sites-available/inner-tunnel
ldap
Auth-Type LDAP {
ldap
}

service freeradius restart

Do the same test as before with a user from the LDAP database.

Group filter:
We wanted only the members of the “wifi” group to be able to connect to the wifi.
vim /etc/freeradius/modules/ldap
groupname_attribute = cn
groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{User-Name}))"

At the end of /etc/freeradius/users add these three lines:


vim /etc/freeradius/users
# members of the "wifi" group match here and go on to be authenticated
DEFAULT LDAP-Group == "wifi"

# everybody else is rejected
DEFAULT Auth-Type := Reject
        Reply-Message = "Sorry, you're not part of an authorized group! Ask ITOPS for authorization."
service freeradius restart

Add the access points to freeradius


Now that your FreeRADIUS server is configured and coupled to LDAP, you can add your access points
to the clients.conf file.
vim /etc/freeradius/clients.conf
client 192.168.10.100 {
secret = sharedsecret
shortname = ap-1
}

client 192.168.10.101 {
secret = sharedsecret
shortname = ap-2
}

service freeradius restart
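As an added example (not code from the original post), a small Python check over the clients.conf syntax used above: it parses the client blocks and flags the stock testing123 secret, short secrets and one secret shared by several clients. The configuration embedded in it is a constructed sample.

```python
import re
from collections import defaultdict
# Constructed sample in the clients.conf syntax shown above: the stock localhost
# entry plus the two access points, which here share one secret.
SAMPLE_CLIENTS_CONF = """client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    shortname = localhost
}
client 192.168.10.100 {
    secret = sharedsecret
    shortname = ap-1
}
client 192.168.10.101 {
    secret = sharedsecret   # same secret as ap-1
    shortname = ap-2
}
"""

CLIENT_RE = re.compile(r'client\s+(\S+)\s*\{(.*?)\}', re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*("?)([^"#\n]*?)\2\s*(?:#.*)?$', re.M)
DEFAULT_SECRETS = {"testing123"}  # shipped for localhost, meant for testing only

def parse_clients(text):
    """Return {client: {key: value}} for every flat client { ... } block."""
    return {m.group(1): {k: v for k, _, v in KV_RE.findall(m.group(2))}
            for m in CLIENT_RE.finditer(text)}

def audit_clients(clients, min_len=16):
    """Return (client, finding) pairs for missing, default, short or reused secrets."""
    findings, by_secret = [], defaultdict(list)
    for name, attrs in clients.items():
        secret = attrs.get("secret")
        if not secret:
            findings.append((name, "no secret defined"))
            continue
        by_secret[secret].append(name)
        if secret in DEFAULT_SECRETS:
            findings.append((name, "default secret still in use"))
        elif len(secret) < min_len:
            findings.append((name, f"secret shorter than {min_len} characters"))
    # a distinct secret per client keeps one compromised AP from impersonating another
    for names in by_secret.values():
        if len(names) > 1:
            findings.append((", ".join(names), "same secret reused across clients"))
    return findings

if __name__ == "__main__":
    for who, what in audit_clients(parse_clients(SAMPLE_CLIENTS_CONF)):
        print(f"{who}: {what}")
```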

The last point is to configure your access points to communicate with your FreeRADIUS server.
Have Fun =)
