radius_on_centos7

Differences

This shows you the differences between two versions of the page.

radius_on_centos7 [2015/06/24 13:51] – created herwarthradius_on_centos7 [2018/02/26 21:36] (current) – [Update to CentOS 7.4] herwarth
Line 1: Line 1:
 ======FreeRadius on CentOS 7 with LDAP support====== ======FreeRadius on CentOS 7 with LDAP support======
 +=====Prerequisite=====
 +  * Download the WPA test script: {{:rad_eap_test.gz|}}
 =====Installation====== =====Installation======
   yum install freeradius-ldap freeradius-utils freeradius   yum install freeradius-ldap freeradius-utils freeradius
  
-  ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap+  cd /etc/raddb/mods-enabled/ 
 +  ln -s ../mods-available/ldap
  
 =====Configuration===== =====Configuration=====
 +====LDAP====
 +  vi ldap
 +
 +In the ldap section change the following fields. In my example I stall radius on the same machine as the ldap server so I am going to connect to localhost. **The following config is not the complete config, only the changed part!**
 +<code>
 +ldap {
 +        server = "localhost"
 +        port = 389
 +        identity = "cn=manager,dc=helux,dc=nl"
 +        password = mypass
 +        base_dn = "dc=helux,dc=nl"
 +
 +        update {
 +                control:Password-With-Header    += 'userPassword'
 +                control:NT-Password             := 'SambaNTPassword'
 +                reply:Reply-Message             := 'radiusReplyMessage'
 +                reply:Tunnel-Type               := 'radiusTunnelType'
 +                reply:Tunnel-Medium-Type        := 'radiusTunnelMediumType'
 +                reply:Tunnel-Private-Group-ID   := 'radiusTunnelPrivategroupId'
 +        }
 +        user {
 +                access_attribute = "dialupAccess"
 +                access_positive = yes
 +        }
 +}
 +</code>
 +====Clients====
 +  vi /etc/raddb/clients.conf
 +
 +<code>
 +client private-network-1 {
 + ipaddr = 172.16.0.0/16
 + secret = testing123
 +}
 +client private-network-1-ipv6 {
 +        ipv6addr        = 2a02:22a0:bbb7:400::/56
 +        secret          = testing123
 +}
 +</code>
 +
 +====TLS====
 +In this situation I already have a CA and a certificate created on the CA for this machine. So I move the old directory and create a new one!
 +  cd /etc/raddb
 +  mv certs certs.org
 +  mkdir certs
 +  chown root:radiusd certs
 +  chmod 770 certs
 +Now let's copy the necessary files.
 +  * the certificate and private key must be concatenated in server.pem
 +  * the CA certificate must have the name ca.pem
 +  * copy the dh file from the original certs directory
 +  * set the correct permissions
 +Result:
 +  cd /etc/raddb/certs
 +  ls -l
 +<code>
 +total 16
 +-rw-r-----. 1 root radiusd 1375 Jun 24 16:24 ca.pem
 +-rw-r-----. 1 root radiusd  245 Jun 24 16:24 dh
 +-rw-r-----. 1 root radiusd 6297 Jun 24 16:24 server.pem
 +</code>
 +  systemctl enable radiusd
 +  systemctl start radiusd
 +=====Firewall=====
 +  firewall-cmd --permanent --zone=management --add-service=radius
 +  firewall-cmd --permanent --zone=local --add-service=radius
 +  firewall-cmd --reload
 +=====Testing=====
 +Query user for normal access:
 +  radtest <USERNAME> <SECRET> localhost 2 testing123
 +Query user for WPA enterprise:
 +  ./rad_eap_test -H localhost -P 1812 -S testing123 -u <USERNAME> -p <SECRET> -m WPA-EAP -e PEAP -2 MSCHAPV2
 +  ./rad_eap_test -H localhost -P 1812 -S testing123 -u <USERNAME> -p <SECRET> -m WPA-EAP -e TTLS -2 PAP
 +=====Update to CentOS 7.4=====
 +The upgrade to CentOS 7.4 breaks FreeRadius with LDAP. I discovered some errors with dots (.) in the username. So I altered the filter file in /etc/raddb/policy.d
 +
 +THIS CODE IS OBSOLETE
 +<code - /etc/raddb/policy.d/filter>
 +.
 +.
 +.
 +#               if (&User-Name =~ /\.\./ ) {
 +#                       update request {
 +#                               &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
 +#                       }
 +#                       reject
 +#               }
 +.
 +.
 +#               if (&User-Name =~ /\.$/ {
 +#                       update request {
 +#                               &Module-Failure-Message += 'Rejected: Realm ends with a dot'
 +#                       }
 +#                       reject
 +#               }
 +.
 +.
 +.
 +</code>
 +===== Peap config change for radius assigned VLAN ====
 +<code - /etc/raddb/mods-available/eap>
 +.
 +.
 +peap {
 +.
 +.
 +                use_tunneled_reply = yes
 +.
 +.
 +</code>
 {{tag>centos}} {{tag>centos}}
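Review bot: In the ldap block (the `identity = "cn=manager,dc=helux,dc=nl"`, `password = mypass` and `port = 389` lines) the server binds with the directory manager account over plain LDAP, and the `update` section then pulls `userPassword` and `SambaNTPassword` for every authenticating user, so both a full-rights bind credential and the users' password material cross the network unencrypted. Suggest a dedicated read-only bind DN whose ACL grants just those attributes plus `dialupAccess`, and an encrypted transport (ldaps on 636, or StartTLS via the module's `tls` section) before this points at a production directory; the ldap file itself now carries that password and must stay root:radiusd 0640 as shipped. It is worth one sentence on the `access_attribute = "dialupAccess"` / `access_positive = yes` pair, since it is the only per-user authorization gate the config shows. In clients.conf the FreeRADIUS example secret `testing123` is reused for the whole of 172.16.0.0/16 and a /56, and the Testing section passes the same value; any host in those ranges that knows the default secret can submit requests as a NAS and recover PAP User-Password values, which are only obfuscated with the shared secret, so replace it with a long random per-client value (for example `openssl rand -base64 32`) and narrow `ipaddr` to the actual access points. In the TLS section `chmod 770 certs` gives the radiusd group write access to the directory; 750 is enough for traversal and keeps the daemon from being able to replace server.pem. The copied `dh` file is 245 bytes, which corresponds to the 1024-bit parameters the package bootstrap generates; regenerate it with `openssl dhparam -out dh 2048`, and the section should also mention checking the `tls` block in mods-available/eap so that `certificate_file`, `private_key_file`, `ca_file` and `private_key_password` match the new files (the default config expects a passphrase on the key, which the copied key may not have). In the radtest line the placeholder `<SECRET>` is the user's password (radtest takes user, password, server, nas-port, shared secret in that order) while `testing123` is the shared secret; rename it `<PASSWORD>` so it is not confused with `-S testing123`, and add `-t mschap` to exercise the NT-Password path separately from PAP. The "THIS CODE IS OBSOLETE" block shows the `..` and trailing-dot checks of policy.d/filter commented out; besides saying what replaced it, note that the second condition `if (&User-Name =~ /\.$/ {` is missing its closing parenthesis, so it cannot simply be uncommented. The prerequisite `rad_eap_test` is a wrapper around `eapol_test` (wpa_supplicant built with CONFIG_EAPOL_TEST), which must be on the path; state that. Minor: the last heading opens with five `=` and closes with four.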
radius_on_centos7.1435153862.txt.gz · Last modified: by herwarth