
Radius Server (FreeRadius)

The Radius server is a daemon that runs a RADIUS protocol server, used for AAA (Authentication, Authorization and Accounting).

Authentication - check that a user is who they claim to be
Authorization - grant access to resources
Accounting - track consumption of resources

Setup of Radius client (on another machine) is also needed.  

In this article I am using 'FreeRADIUS' server. 

Installation of freeradius from sunfreeware.com

Get the file from sunfreeware.com and unzip it. 

> gunzip freeradius-1.1.7-sol10-sparc-local.gz

> pkgtrans freeradius-1.1.7-sol10-sparc-local .

The following packages are available:
  1  SMCfradius     freeradius
                    (sparc) 1.1.7

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
Transferring  package instance

> pkgadd -d . SMCfradius
Done. Start Radius server
> /usr/local/sbin/radiusd
Thu Apr 15 17:06:19 2010 : Info: Starting - reading configuration files ...
If you have problems starting the Radius server, run radiusd -X to start it in debugging mode and see what's wrong. Note: if there is no issue and you start in debugging mode, you should see a bunch of lines, the last three being:
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
In order to test the Radius server, set up the server also as a client. Put the following lines in the client config file /usr/local/etc/raddb/clients.conf:
client 127.0.0.1 {
	secret		= mysecret	# used to encrypt/sign packets between Client/Radius server
	shortname       = localhost
	nastype     	= other     # localhost isn't usually a NAS (Network Access Server)
}
For testing, use the script /usr/local/bin/radtest
Usage: radtest user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]
Deliberately type the user/passwd/secret wrong:
> radtest test test localhost 0 test
Sending Access-Request of id 24 to 127.0.0.1 port 1812
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=24, length=20
rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
Now type the correct 'secret':
> radtest test test localhost 0 mysecret
Sending Access-Request of id 29 to 127.0.0.1 port 1812
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=29, length=20
And now type everything correctly:
> radtest root rootpasswd localhost 0 mysecret
Sending Access-Request of id 34 to 127.0.0.1 port 1812
        User-Name = "root"
        User-Password = "rootpasswd"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=34, length=20
How does the Radius server think and work?
1. The Radius client sends an authentication request to the Radius server. The request carries the username and the password (obscured using the shared secret).
2. The Radius server takes the presented info and compares it with the passwd file, NIS or something else.

Once we have verified that the Radius server works with itself (also acting as the radius client), we need to add a real radius client (another machine) to the file /usr/local/etc/raddb/clients.conf, something like:
client 192.168.xx.xxx {
        secret 		= mysecret
        shortname   	= clients_hostname
        nastype         = other
}
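To make the clients.conf comment about the secret being "used to encrypt/sign packets" concrete, here is an added Python example (not from this page or from FreeRADIUS) of how a RADIUS client hides User-Password with the shared secret, and how it verifies a reply's Response Authenticator, which is the check behind radtest's "invalid signature ... Shared secret is incorrect" message above. The Request Authenticator and the secret are constructed demo values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
DEMO_REQ_AUTH = bytes(range(16))  # constructed; a real client sends 16 random bytes


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 5.2): pad to 16-byte blocks, XOR each
    block with MD5(secret + previous ciphertext block); the first block uses
    the Request Authenticator. Obfuscation keyed by the secret, not a hash."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """What the server does: anyone holding the secret recovers the clear
    text, which is why it can show up in radius.log as in this article."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_response(code: int, ident: int, req_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code|ID|Length|ReqAuth|Attrs|Secret).
    With no attributes the packet is exactly 20 bytes, the 'length=20' radtest shows."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client side (radtest's rad_verify): recompute the authenticator with our
    own secret; a mismatch is the 'Shared secret is incorrect' case."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```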
Radius client configuration

Basically we want some service (on the Radius client) to authenticate against the Radius server. Let's work with ProFTPD, making it authenticate users using Radius. On the ProFTPD server (our Radius client), add the following lines to the /etc/opt/csw/proftpd/proftpd.conf file. Check the ProFTPD article for more details.
# Use this module only for authentication
AuthOrder               mod_radius.c

# Tell module to use Radius, or use off instead of commenting all radius lines 
RadiusEngine            on  

# Define radius server for authentication, note default port is 1812
# server:port shared-secret and timeout [if omitted, the default is 30 sec]
RadiusAuthServer        radius-server:1812 	mysecret	 20

# Define radius server for accounting, note default port is 1813
# server:port shared-secret and timeout [if omitted, the default is 30 sec]
RadiusAcctServer        radius-server:1813 	mysecret	 20

# Log file
RadiusLog               /var/log/proftpd/radius.log

# Without this, the Radius server can only do simple yes/no authentication.
# This returns additional info to the radius client, like UID, GID, home and shell
# Syntax: RadiusUserInfo uid gid home shell
# $(attribute-id:default) - attribute-id is the 'Unix' Vendor-Specific Attribute the
# server may return; the default is used when that attribute is missing from the reply
RadiusUserInfo          $(1:3000) $(2:3001) $(3:/ftpuser) $(4:/usr/bin/tcsh)
After this, restart the ProFTPD service and test your authentication. I test with two accounts (neither exists on the Radius client, and that machine is also not a NIS client):
1. The first one is a local account on the Radius server, defined in the /etc/passwd file (localuser)
2. The second one is a NIS account, and the Radius server is a NIS client (nisuser)
The test is simple, just run 'ftp ftpserver'. It's a good idea to watch the log files during the test/troubleshooting. The Radius server log file /usr/local/var/log/radius/radius.log shows:
Wed May 12 14:56:25 2010 : Auth: Login OK: [localuser/localpasswd] (from client oryx port 21 cli 135.225.31.12)
Wed May 12 14:56:54 2010 : Auth: Login OK: [nisuser/nispasswd] (from client oryx port 21 cli 135.225.31.12)
Note: the password is seen in clear text in this log. The ProFTPD log file /var/log/proftpd/radius.log shows (for nisuser):
mod_radius/0.9[15729]: sending auth request packet
mod_radius/0.9[15729]: sending packet to 192.168.20.222:1812
mod_radius/0.9[15729]: receiving auth response packet
mod_radius/0.9[15729]: packet receive succeeded
mod_radius/0.9[15729]: verifying packet
mod_radius/0.9[15729]: authentication successful for user 'nisuser'
mod_radius/0.9[15729]: parsing packet for RadiusUserInfo attributes
mod_radius/0.9[15729]: packet includes invalid length (0) for attribute type 0,  rejecting
mod_radius/0.9[15729]: packet lacks 'Unix' Vendor-Specific Attribute 1 for user ID: defaulting to '3000'
mod_radius/0.9[15729]: packet includes invalid length (0) for attribute type 0,  rejecting
mod_radius/0.9[15729]: packet lacks 'Unix' Vendor-Specific Attribute 2 for group ID: defaulting to '3001'
mod_radius/0.9[15729]: packet includes invalid length (0) for attribute type 0,  rejecting
mod_radius/0.9[15729]: packet lacks 'Unix' Vendor-Specific Attribute 3 for home directory: defaulting to '/ftpuser'
mod_radius/0.9[15729]: packet includes invalid length (0) for attribute type 0,  rejecting
mod_radius/0.9[15729]: packet lacks 'Unix' Vendor-Specific Attribute 4 for shell: defaulting to '/usr/bin/tcsh'
mod_radius/0.9[15729]: sending start acct request packet
mod_radius/0.9[15729]: sending packet to 192.168.20.222:1813
mod_radius/0.9[15729]: receiving acct response packet
mod_radius/0.9[15729]: packet receive succeeded
mod_radius/0.9[15729]: verifying packet
mod_radius/0.9[15729]: accounting started for user 'nisuser'
Works.

Note (about other services using Radius)

Many applications (like SSH, telnet) use PAM (Pluggable Authentication Modules) to authenticate users. In case I need this, I would install CSWlinuxpam from Blastwave.com:
{oryx}/opt/csw/sbin> pkginfo CSWlinuxpam
application CSWlinuxpam linuxpam - Pluggable Authentication Modules
But I am surprised to learn that this package doesn't have a PAM module for Radius, so from freeradius.org we also need pam_radius-1.3.17.tar. Here is how to install it (on Solaris 10).
- Untar the file in /tmp
- cd /tmp/pam_radius-1.3.17
- Edit the Makefile, adding CC=/usr/sfw/bin/gcc and LD=/usr/ccs/bin/ld in the appropriate places.
- Run gmake
- This will make pam_radius_auth.so
- Copy this to /usr/lib/security/pam_radius_auth.so.1
- Add the line
  login auth sufficient /usr/lib/security/pam_radius_auth.so.1
  to the file /etc/pam.conf, BEFORE the line
  login auth required /usr/lib/security/pam_unix_auth.so.1
- I will not finish this configuration here (honestly I didn't work much with this). It's also required to edit the file pam_radius_auth.conf (it comes with the other files) and copy it to the file /etc/raddb/server. This file defines the Radius server, so the most important lines are something like:
# server[:port] 		shared_secret      timeout (s)
radiusserver_name:1812          mysecret             3