
Freeradius special setup

Some special setups which you may find useful when configuring FreeRADIUS.

Authenticate username with domain using MS-Chap v2

During MS-CHAP v2 authentication, the challenge and response include the user name, whereas MS-CHAP v1 only covers the password. As a result, you cannot use the stripped username together with the NT-Password from LDAP to verify the challenge and response.

Our setup generates a stripped username in the authorize section, so that the LDAP module can fetch the NT password from the Samba LDAP directory by searching with the stripped username. FreeRADIUS then verifies the challenge and response using that NT password and the un-stripped username.

  • Suppose your site stores user entries in LDAP, e.g., Samba using an LDAP backend
  • Suppose user entries are stored as uid=xxxx, with no realm, i.e., not xxxx@xx.com
  • Set up proxy.conf so that the realm is authenticated locally
    realm "qstation" {
          nostrip
          authhost        = LOCAL
          accthost        = LOCAL
    }
    
  • Strip the username for LDAP searching, in the authorize section of sites-enabled/default, before ldap
            #  The ldap module will set Auth-Type to LDAP if it has not
            #  already been set
            if ("%{User-Name}") {
                if ("%{User-Name}" =~ /^(.*)@qstation$/) {
                    update request {
                        Stripped-User-Name := "%{1}"
                    }
                }
                # Username in unrecognised format
                #else {
                #    reject
                #}
            }
            ldap
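To make the split between lookup name and verification name concrete, here is an added Python example (not part of this page or of FreeRADIUS) that mirrors the flow above: the realm is stripped with the same regex for the directory lookup, while the RFC 2759 ChallengeHash is computed over the username exactly as the peer sent it. The LDAP directory is a constructed dictionary with placeholder hash values, and only ChallengeHash is reproduced; the full NT-Response (MD4 and DES steps) is assumed to be handled by the server.

```python
import hashlib
import re

# Same realm rule as the unlang block: "user@qstation" -> stripped "user".
REALM = "qstation"
REALM_RE = re.compile(r"^(.*)@" + re.escape(REALM) + r"$")

# Constructed stand-in for the Samba LDAP directory: uid -> NT hash.
# The values are placeholders, not real credential hashes.
LDAP_USERS = {
    "alice": "placeholder-nt-hash-for-alice",
}


def strip_realm(user_name):
    """Return (stripped_user_name, realm), or (None, None) if the name has no recognised realm."""
    m = REALM_RE.match(user_name)
    if not m:
        return None, None
    return m.group(1), REALM


def lookup_nt_hash(user_name):
    """Fetch the NT hash by the stripped name, as the ldap module does via Stripped-User-Name."""
    stripped, _ = strip_realm(user_name)
    if stripped is None:
        return None
    return LDAP_USERS.get(stripped)


def challenge_hash(peer_challenge, auth_challenge, user_name):
    """RFC 2759 ChallengeHash(): SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].

    UserName is the name the peer sent (un-stripped); this is why the
    NT-Response cannot be verified against the stripped name.
    """
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(user_name.encode("ascii"))
    return h.digest()[:8]


def authorize(user_name, peer_challenge, auth_challenge):
    """Look up credentials by the stripped name, hash the challenge over the full name.

    Returns (nt_hash, challenge_hash) or None when the user is unknown or the
    realm format is unrecognised (the commented-out reject branch above).
    """
    nt_hash = lookup_nt_hash(user_name)
    if nt_hash is None:
        return None
    return nt_hash, challenge_hash(peer_challenge, auth_challenge, user_name)
```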
    

Separate detail log for proxied realm

In the default installation, all accounting packets, including proxied ones, are stored in the detail log. For ease of administration, it may be a good idea to separate them by realm. You may have no interest in this setup if you are using an SQL database for accounting.

  • Suppose realm ‘qstation’ is proxied to another RADIUS server, in proxy.conf
    realm qstation {
            pool = qstation_pool
            nostrip
    }
    
  • Create modules/detail.qstation

    detail detail.qstation {
            detailfile = ${radacctdir}/qstation/detail-%Y%m%d
    }
    
  • In the accounting section of sites-enabled/default
      if ("%{User-Name}" =~ /^(.*)@qstation$/) {
            detail.qstation
      }
      else {
            # All other packets are logged as usual using detail
            detail
      }
    

Simultaneous login for Realm

It is common for a RADIUS server to need to handle realm redirection while also answering requests for the NULL realm.

  • In proxy.conf
    realm NULL {  
            authhost        = LOCAL
            accthost        = LOCAL
            Realm = "NULL"
    }
    
  • In the users file
    # Limit Simultaneous-Use for realm NULL only
    DEFAULT Realm == "NULL", Pool-Name := "main_pool", Simultaneous-Use := 1
                Fall-Through = Yes
    
    DEFAULT Framed-Protocol == PPP, Pool-Name := "main_poolx"
            Framed-Protocol = PPP,
            Framed-Compression = Van-Jacobson-TCP-IP