Radius Server

From Network Security Wiki
Jump to navigation Jump to search

Installing FreeRadius

Installing freeradius in Ubuntu 16.10:

Source: blog.moatazthenervous.com

sudo apt-get install freeradius

Configuration

Edit the freeradius users:

sudo nano /etc/freeradius/users  

Uncomment the user 'John Doe':

"John Doe" Auth-Type := Local, User-Password == "hello"
Reply-Message = "Hello, %u"  

Add a new User with Group Name:

aman            Cleartext-Password := "pwd123"
                Citrix-User-Groups = "S_UA_G_Superuser",
                Reply-Message = "Hello, %{User-Name}"


Test the connectivity from local machine:

sudo radtest "John Doe" hello 127.0.0.1 0 testing123  

Remote access to the radius server

sudo nano /etc/freeradius/clients.conf  

And add the following snippet:

client 0.0.0.0/0 {  
  secret = "mysecret"
  shortname = name
}

Now from another machine, try the following:

radtest "John Doe" "hello" 10.10.40.1 0 "mysecret"

You will get Access-Accept packet and "Hello, John Doe" messages.

Logging

Source: wiki.freeradius.org The "log" section of the radiusd.conf file is where the primary logging configuration for the FreeRADIUS server is located.

log {
    destination = files
    file = ${logdir}/radius.log     # If Server is running in debugging mode, this file is NOT used.
#   requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
    syslog_facility = daemon
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
#   msg_goodpass = ""
#   msg_badpass = ""
}

Destination options:

files - log to "file", as defined below.
syslog - send log messages to syslog 
stdout - log to standard output.
stderr - log to standard error.

GUI

DaloRadius

Source: ubuntugeek.com

Installation

Prerequisites:

sudo apt-get install php5-common php5-gd php-pear php-db libapache2-mod-php5 php-mail

Freeradius Installation:

sudo apt-get install freeradius freeradius-mysql freeradius-utils

Database

Create Freeradius Database

sudo mysql -u root -p
mysql> create database radius;
mysql> grant all on radius.* to radius@localhost identified by "password";

Insert the freeradius database scheme:

sudo mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql 
sudo mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql 

Create new user for radius database

sudo mysql -u root -p
mysql> use radius;
mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES (‘sqltest', ‘Password', ‘testpwd');
mysql> exit

Freeradius

You need to edit /etc/freeradius/sql.conf file

sudo nano /etc/freeradius/sql.conf

Make sure you have the following details

database = mysql
login = radius
password = password

Uncomment the following

readclients = yes

Now you need to edit the /etc/freeradius/sites-enabled/default file

sudo vi /etc/freeradius/sites-enabled/default

Uncomment the sql option in the following sections

accounting

# See “Authorization Queries” in sql.conf

sql

session

# See “Authorization Queries” in sql.conf

sql

Post-Auth-Type

# See “Authorization Queries” in sql.conf

sql

Now edit /etc/freeradius/radiusd.conf file

sudo nano /etc/freeradius/radiusd.conf 

Uncomment the following option

   $INCLUDE sql.conf


Restart freeradius server:

sudo /etc/init.d/freeradius stop

Run freeradius in debugging mode. If there is no error, you are ready to go.

sudo freeradius -X

Start the freeradius using the following command

sudo /etc/init.d/freeradius start

Test the radius server using the following command

sudo radtest sqltest testpwd localhost 18128 testing123

Output as follows

Sending Access-Request of id 68 to 127.0.0.1 port 1812
User-Name = "sqltest"
User-Password = "testpwd"
NAS-IP-Address = 127.0.1.1
NAS-Port = 18128
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=68, length=20

Daloradius Installation

Download the Daloradius latest version:

wget https://downloads.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
tar xvfz daloradius-0.9-9.tar.gz
mv daloradius-0.9-9 daloradius
mv daloradius /var/www

Change Permissions

sudo chown www-data:www-data /var/www/daloradius -R
sudo chmod 644 /var/www/daloradius/library/daloradius.conf.php

Mysql database need to setup for daloradius by importing the daloradius scheme into 'radius' database.

cd /var/www/daloradius/contrib/db

sudo mysql -u root -p radius < mysql-daloradius.sql

Configure the following daloradius setting:

sudo nano /var/www/daloradius/library/daloradius.conf.php 

Change the database password

$configValues['CONFIG_DB_PASS'] = 'password'; 


Now you need to configure daloradius website under

   sudo nano /etc/apache2/sites-available/daloradius.conf

add the following lines

Alias /daloradius "/var/www/daloradius/"

<Directory /var/www/daloradius/>
Options None
Order allow,deny
allow from all
</Directory> 

Enable and Activate daloradius website using the following command

sudo a2ensite daloradius
sudo service apache2 reload

Daloradius Web GUI

http://10.107.88.93/daloradius

Use the following login details

username: administrator
password: radius

Troubleshooting Daloradius

  • If you get permission denied error when importing schema:
aman@ubuntu:~$ mysql -u root -ppwd@123 radius < /etc/freeradius/sql/mysql/schema.sql
-bash: /etc/freeradius/sql/mysql/schema.sql: Permission denied

Copy the files to home dir & change the file owner:

sudo cp /etc/freeradius/sql/mysql/schema.sql ~
sudo cp /etc/freeradius/sql/mysql/nas.sql ~
sudo chown aman:aman ~/*.sql


  • If the page stops loading after login, and you get similar errors in apache error logs:
[Sat Aug 05 20:10:51.734692 2017] [:error] [pid 22226] [client 10.101.255.53:59948] PHP Warning:  include_once(DB.php): failed to open stream: No such file or directory in /var/www/daloradius/library/opendb.php on line 84, referer: http://10.107.88.93/daloradius/login.php
[Sat Aug 05 20:10:51.734877 2017] [:error] [pid 22226] [client 10.101.255.53:59948] PHP Warning:  include_once(): Failed opening 'DB.php' for inclusion (include_path='.:/usr/share/php') in /var/www/daloradius/library/opendb.php on line 84, referer: http://10.107.88.93/daloradius/login.php
[Sat Aug 05 20:10:51.734988 2017] [:error] [pid 22226] [client 10.101.255.53:59948] PHP Fatal error:  Uncaught Error: Class 'DB' not found in /var/www/daloradius/library/opendb.php:86\nStack trace:\n#0 /var/www/daloradius/dologin.php(49): include()\n#1 {main}\n  thrown in /var/www/daloradius/library/opendb.php on line 86, referer: http://10.107.88.93/daloradius/login.php

Check if all the dependencies are installed or not:

php -m

If DB is missing, install it:

sudo pear install DB
  • If above issue still persists, then the Problem is, i had PHP7.0 installed, but daloradius is only supported until 5.0

So we have to change the rules for syntax reading:

Make Sure you got all necessary packages

sudo apt-get install php-common php-gd php-curl php-mail php-mail-mime php-pear php-db
pear install DB

Change Syntax:

cd /var/www/html/daloradius/library/
vim daloradius.conf.php -> CONFIG_DB_ENGINE auf "mysqli"         # from mysql to mysqli
vim opendb.php -> $dbSocket->query("SET GLOBAL sql_mode = ;"); #append this line at the end of the file

Now we have to give the db-user freeradius super rights with:

mysql -u root -p 
mysql> GRANT SUPER ON *.* TO 'freeradius'@'localhost' IDENTIFIED BY 'password';
mysql> flush privileges;

You might have to import a mysql schema with:

cd /var/www/html/daloradius/contrib/db/
mysql -u root -p radius <mysql-daloradius.sql
  • If you get DB connection failed error:
sudo nano /var/www/daloradius/library/daloradius.conf.php
$configValues['CONFIG_DB_USER'] = 'root';
$configValues['CONFIG_DB_PASS'] = 'ppwd@123';

Saving the file will allow you in the Landing page.


  • If you happen to run into this issue
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812

Then edit the below file:

sudo nano /etc/freeradius/sites-available/default

~ line 177 and uncomment sql

# Look in an SQL database. The schema of the database
# is meant to mirror the “users” file.
#
# See “Authorization Queries” in sql.conf
sql

Troubleshooting

If you are unable to use radtest from other servers, check credentials for 0.0.0.0/0 in below file:

sudo nano clients.conf

Debugging

sudo service freeradius stop
sudo freeradius -X

Misc

Generating Access-Challenge requests:

test@test-ubuntu:~$ sudo radtest -t eap-md5 aman2 pwd123 10.107.88.93 0 testing123
Sending Access-Request packet to host 10.107.88.93 port 1812, id=46, length=0
       User-Name = "aman2"
       User-Password = "pwd123"
       NAS-IP-Address = 10.107.88.68
       NAS-Port = 0
       Message-Authenticator = 0x00
       EAP-Code = Response
       EAP-Type-Identity = 0x616d616e32
       EAP-Message = 0x022d000a01616d616e32
Received Access-Challenge packet from host 10.107.88.93 port 1812, id=46, length=80
       EAP-Message = 0x012e001604105b198df62a06f8e8b6f45c6e97221cbb
       Message-Authenticator = 0x85003a7abf1656a3064b38be08c17409
       State = 0xa3a3b720a38db3e96a996e0bad7460b2
       EAP-Id = 46
       EAP-Code = Request
       EAP-Type-MD5-Challenge = 0x105b198df62a06f8e8b6f45c6e97221cbb
Sending Access-Request packet to host 10.107.88.93 port 1812, id=47, length=87
       User-Name = "aman2"
       User-Password = "pwd123"
       NAS-IP-Address = 10.107.88.68
       NAS-Port = 0
       Message-Authenticator = 0x00000000000000000000000000000000
       EAP-Code = Response
       EAP-Type-MD5-Challenge = 0x10c09519c41c4c2384e79a1242928c5f31
       EAP-Id = 46
       State = 0xa3a3b720a38db3e96a996e0bad7460b2
       EAP-Message = 0x022e00160410c09519c41c4c2384e79a1242928c5f31
Received Access-Accept packet from host 10.107.88.93 port 1812, id=47, length=51
       EAP-Message = 0x032e0004
       Message-Authenticator = 0xfc73020acc54cd6b85a82c8f52c094f5
       User-Name = "aman2"
       EAP-Id = 46
       EAP-Code = Success

Packet flow is as follows:

22:40:29.222278 IP 10.107.88.68.54216 > ubuntu.radius: RADIUS, Access-Request (1), id: 0x2e length: 87
22:40:29.240517 IP ubuntu.radius > 10.107.88.68.54216: RADIUS, Access-Challenge (11), id: 0x2e length: 80
22:40:29.242083 IP 10.107.88.68.54216 > ubuntu.radius: RADIUS, Access-Request (1), id: 0x2f length: 117
22:40:29.292782 IP ubuntu.radius > 10.107.88.68.54216: RADIUS, Access-Accept (2), id: 0x2f length: 51


Similar Packet capture file: RADIUS2

Forcing EAP for a user:

   Paste.png     This section is under construction.

Forcing just EAP

   Paste.png     This section is under construction.



References





blog comments powered by Disqus