Freeradius configuration
Freeradius is powerful, but it can be difficult to configure. This post collects common configuration snippets that you may find useful for your setup.
User authentication using system user, e.g. /etc/passwd, /etc/shadow…
- Ensure getent passwd and getent shadow work as expected
- Uncomment unix within authorize in sites-enabled/default
- Uncommenting unix within authenticate in sites-enabled/default is NOT necessary
- Ensure Auth-Type PAP { pap } is defined within authenticate in sites-enabled/default
Freeradius will use the pap module to authenticate system users. This setup cannot authenticate MS-CHAP clients, since an MS-CHAP client does not send the clear text password.
Authenticate MS-CHAP client using ntlm_auth
- Edit /etc/radiusclient/dictionary and append the following at the end:
    INCLUDE /etc/radiusclient/dictionary.merit
    INCLUDE /etc/radiusclient/dictionary.microsoft
- Set up the shared secret for the radius server in /etc/radiusclient/servers; you must define the secret even when your radius server is localhost
- Ensure mschap is defined within authorize in sites-enabled/default
- Ensure Auth-Type MS-CHAP { mschap } is defined within authenticate in sites-enabled/default
- Ensure winbindd and samba are set up properly and that ntlm_auth can authenticate a user
- Set up ntlm_auth in modules/mschap
Authenticate MS-CHAP client using Samba with LDAP backend
You could simply authenticate the user using ntlm_auth as above. However, Freeradius can also fetch the sambaNTPassword from LDAP and authenticate the MS-CHAP request itself.
- Edit /etc/radiusclient/dictionary and append the following at the end:
    INCLUDE /etc/radiusclient/dictionary.merit
    INCLUDE /etc/radiusclient/dictionary.microsoft
- Ensure the following mappings exist in ldap.attrmap:
    checkItem LM-Password lmPassword
    checkItem NT-Password ntPassword
    checkItem LM-Password sambaLmPassword
    checkItem NT-Password sambaNtPassword
- Set up the ldap connection parameters in modules/ldap
- Uncomment ldap in authorize in sites-enabled/default
Authenticate with LDAP
- Set up the ldap connection parameters in modules/ldap
- Uncomment ldap in authorize in sites-enabled/default
- Ensure Auth-Type LDAP { ldap } is defined within authenticate in sites-enabled/default
- Please note that the clear text password is required (i.e. PAP), so MS-CHAP is not supported
Setup a pool of IP address for client
- Set up range-start and range-stop in modules/ippool, e.g., in a pool named main_pool
- Uncomment main_pool in the accounting and post-auth sections in sites-enabled/default
- Assign the check item Pool-Name in the users file, e.g.,
    DEFAULT Framed-Protocol == PPP, Pool-Name := "main_pool"
            Framed-Protocol = PPP,
            Framed-Compression = Van-Jacobson-TCP-IP
All PPP clients will be assigned an IP address from main_pool.
Realm support
You can proxy access and accounting requests to another RADIUS server based on the realm of the user name, e.g., uid@realm
- Ensure suffix is defined in the authorize and preacct sections in sites-enabled/default
- Define the realm in proxy.conf, e.g., to forward @qstation requests to xx.xx.xx.xx:
    realm "qstation" {
        # nostrip
        authhost = xx.xx.xx.xx
        accthost = xx.xx.xx.xx
        secret = xyzxyzxyz
    }
If the realm is handled locally, you may use
    realm "qstation" {
        nostrip
        authhost = LOCAL
        accthost = LOCAL
    }
For other detailed settings, please refer to the comments in the file.
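The realm handling above, as an added example (this is Python written for this post, not FreeRADIUS code): a small parser for realm blocks in the proxy.conf syntax shown here, plus the routing decision the suffix module and proxy.conf make together. The proxy.conf text, the realm names, the host 192.0.2.10 and the secret placeholder are all constructed. It simplifies in one way: a realm that is not in the file is treated as "no realm" and handled locally, whereas FreeRADIUS would consult a DEFAULT realm if one were defined.

```python
import re
from typing import Dict

# Constructed proxy.conf fragment in the realm syntax used on this page.
# 192.0.2.10 and the secret are placeholders, not a real host or secret.
PROXY_CONF = '''
realm "qstation" {
    authhost = 192.0.2.10
    accthost = 192.0.2.10
    secret = REPLACE-WITH-SHARED-SECRET
}
realm "local.example" {
    nostrip
    authhost = LOCAL
    accthost = LOCAL
}
'''

REALM_RE = re.compile(r'realm\s+"?([^"\s{]+)"?\s*\{([^}]*)\}')


def parse_realms(text: str) -> Dict[str, dict]:
    """Return {realm name: {"nostrip": bool, "authhost": ..., "accthost": ..., "secret": ...}}."""
    realms = {}
    for name, body in REALM_RE.findall(text):
        cfg = {"nostrip": False}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments and blank lines
            if not line:
                continue
            if line == "nostrip":
                cfg["nostrip"] = True
            else:
                key, _, value = line.partition("=")
                cfg[key.strip()] = value.strip()
        realms[name] = cfg
    return realms


def route(user_name: str, realms: Dict[str, dict]) -> dict:
    """Decide where an Access-Request for user_name goes.

    Simplified view of the suffix module: the realm is the part after the
    last '@'. No realm, or an unknown one, means the request is handled
    locally with User-Name untouched. A known realm is stripped from
    User-Name unless nostrip is set, and the request is proxied to
    authhost unless authhost is LOCAL."""
    user, sep, realm = user_name.rpartition("@")
    if not sep or realm not in realms:
        return {"realm": None, "proxy_to": None, "user_name": user_name}
    cfg = realms[realm]
    effective_name = user_name if cfg["nostrip"] else user
    host = cfg.get("authhost", "LOCAL")
    return {"realm": realm,
            "proxy_to": None if host == "LOCAL" else host,
            "user_name": effective_name}


if __name__ == "__main__":
    realms = parse_realms(PROXY_CONF)
    for name in ("alice@qstation", "bob@local.example", "carol"):
        print(name, "->", route(name, realms))
```

The nostrip flag matters for the local realm: with it, the backend (unix, ldap, ...) sees the full "bob@local.example" as the user name; without it, the realm is removed before the user lookup.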
Simultaneous-Use
You can limit the number of concurrent connections per user. We don't use any SQL in our setup, only flat files: radutmp and radwtmp.
- Ensure radlast and radwho work correctly; if your radwho build cannot find sradutmp, you can enable the sradutmp module or, as a dirty hack, create a symbolic link to radutmp.
- In the users file, add Simultaneous-Use as a check item, e.g.,
    DEFAULT Group == "staff", Simultaneous-Use := 4
            Fall-Through = 1
    DEFAULT Group == "business", Simultaneous-Use := 2
            Fall-Through = 1
    DEFAULT Simultaneous-Use := 1
            Fall-Through = 1
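Both the Pool-Name entry in the IP pool section and the Simultaneous-Use entries above depend on how the files module walks the users file. As an added example (Python written for this post, not FreeRADIUS code), the evaluator below parses entries in that format and applies them the way the module does: a matching entry's := items go to the control list, its reply items to the reply, and processing stops at the first matching entry unless that entry carries Fall-Through = 1. The users file text, the user names and the group memberships are constructed; the Group check stands in for the unix group lookup.

```python
import re
from typing import Dict, List, Tuple

# Constructed users file. The catch-all DEFAULT comes first because ':='
# replaces a value already set by an earlier matching entry, so the more
# specific entries that fall through after it get the final word.
USERS_FILE = '''
DEFAULT Simultaneous-Use := 1
        Fall-Through = 1
DEFAULT Group == "staff", Simultaneous-Use := 4
        Fall-Through = 1
DEFAULT Group == "business", Simultaneous-Use := 2
        Fall-Through = 1
DEFAULT Framed-Protocol == PPP, Pool-Name := "main_pool"
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
'''

# attribute, operator, value; values may be quoted
ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^,\s]+)')

Item = Tuple[str, str, str]


def parse_items(text: str) -> List[Item]:
    return [(attr, op, value.strip('"')) for attr, op, value in ITEM_RE.findall(text)]


def parse_users(text: str) -> List[dict]:
    """A non-indented line starts an entry (name plus check items);
    the indented lines that follow carry its reply items."""
    entries: List[dict] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            entries[-1]["reply"].extend(parse_items(line))
        else:
            name, _, rest = line.partition(" ")
            entries.append({"name": name, "check": parse_items(rest), "reply": []})
    return entries


def check_matches(item: Item, request: Dict[str, str], groups: List[str]) -> bool:
    attr, op, value = item
    if op == ":=":
        return True  # control item: set when the entry matches, never compared
    if attr == "Group":  # stands in for the unix module's group membership check
        return value in groups
    return request.get(attr) == value


def evaluate(entries: List[dict], username: str,
             request: Dict[str, str], groups: List[str]):
    """Return (control items, reply items) for one request."""
    control: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    for entry in entries:
        if entry["name"] not in ("DEFAULT", username):
            continue
        if not all(check_matches(item, request, groups) for item in entry["check"]):
            continue
        for attr, op, value in entry["check"]:
            if op == ":=":
                control[attr] = value
        fall_through = False
        for attr, _, value in entry["reply"]:
            if attr == "Fall-Through":
                fall_through = value == "1"
            else:
                reply[attr] = value
        if not fall_through:
            break  # first match wins unless the entry says Fall-Through = 1
    return control, reply


if __name__ == "__main__":
    entries = parse_users(USERS_FILE)
    print(evaluate(entries, "alice", {"Framed-Protocol": "PPP"}, ["staff"]))
    print(evaluate(entries, "bob", {}, ["business"]))
```

Two things the evaluator makes visible that are easy to miss when editing the real file: the Pool-Name entry has no Fall-Through, so any entry placed after it is never reached for PPP users, and because := replaces an earlier value, a catch-all DEFAULT placed last would override the group-specific limits set before it. Reordering the constructed entries and re-running the evaluator shows both effects.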
Radius accounting report
We do not use SQL for accounting; you may refer to the following site to do RADIUS accounting reports.