{"id":502,"date":"2012-05-09T00:45:59","date_gmt":"2012-05-08T16:45:59","guid":{"rendered":"http:\/\/www.q-station.net\/kb\/?p=502"},"modified":"2012-05-10T00:05:33","modified_gmt":"2012-05-09T16:05:33","slug":"freeradius-configuration","status":"publish","type":"post","link":"https:\/\/kb.q-station.net\/index.php\/2012\/05\/09\/freeradius-configuration\/","title":{"rendered":"Freeradius configuration"},"content":{"rendered":"

Freeradius is powerful, however, you may find it is difficult to do configuration. This post try to include common configuration such that you may find useful for your setup.
\n<\/p>\n

User authentication using system user, e.g. \/etc\/passwd, \/etc\/shadow…<\/h1>\n
    \n
  1. Ensure getent passwd & getent shadow<\/strong> work as expected<\/li>\n
  2. Uncomment unix<\/strong> within authorize<\/strong> in site-enabled\/default<\/strong><\/li>\n
  3. Uncomment unix<\/strong> within authenticate<\/strong> in site-enabled\/default<\/strong> is NOT<\/strong> necessary<\/li>\n
  4. Ensure Auth-Type PAP { pap }<\/strong> within authenticate<\/strong> in site-enabled\/default<\/strong> is defined<\/li>\n<\/ol>\n

    Freeradius will use pap<\/strong> module to authenticate system user. This setup couldn’t authenticate MS-CHAP client, since MS-CHAP client won’t send you the clear text password.<\/p>\n

    Authenticate MS-CHAP client using ntlm_auth<\/h1>\n
      \n
    1. Edit \/etc\/radiusclient\/dictionary<\/strong>, append following in the end\n
      INCLUDE \/etc\/radiusclient\/dictionary.merit\r\nINCLUDE \/etc\/radiusclient\/dictionary.microsoft<\/pre>\n<\/li>\n
    2. Setup necessary secret word to the radius server in \/etc\/radiusclient\/servers<\/strong>, you should also define secret word even your radius server is local host<\/li>\n
    3. Ensure mschap<\/strong> within authorize<\/strong> in site-enabled\/default<\/strong> is defined<\/li>\n
    4. Ensure Auth-Type MS-CHAP { mschap }<\/strong> within authenticate<\/strong> in site-enabled\/default<\/strong> is defined<\/li>\n
    5. Ensure winbindd & sambe is well setup and ntlm_auth could authenticate user<\/li>\n
    6. setup ntlm_auth<\/strong> in modules\/mschap<\/strong><\/li>\n<\/ol>\n
      Authenticate MS-CHAP client using Samba with LDPA backend<\/h1>\n
      You could simply authenticate the user using ntlm_auth<\/strong> as above. However, Freeradius could get the sambaNTPassword from LDAP and authenticate the MS-CHAP request.<\/p>\n
        \n
      1. Edit \/etc\/radiusclient\/dictionary<\/strong>, append following in the end\n
        INCLUDE \/etc\/radiusclient\/dictionary.merit\r\nINCLUDE \/etc\/radiusclient\/dictionary.microsoft<\/pre>\n<\/li>\n
      2. Ensure the following mapping is exist in ldap.attrmap<\/strong>\n
        checkItem       LM-Password                     lmPassword\r\ncheckItem       NT-Password                     ntPassword \r\ncheckItem       LM-Password                     sambaLmPassword\r\ncheckItem       NT-Password                     sambaNtPassword<\/pre>\n<\/li>\n
      3. Setup ldap connection parameter in modules\/ldap<\/strong><\/li>\n
      4. Uncomment ldap<\/strong> in authorize<\/strong> in site-enabled\/default<\/strong><\/li>\n<\/ol>\n
        Authenticate with LDAP<\/h1>\n
          \n
        1. Setup ldap connection parameter in modules\/ldap<\/strong><\/li>\n
        2. Uncomment ldap<\/strong> in authorize<\/strong> in site-enabled\/default<\/strong><\/li>\n
        3. Ensure Auth-Type LDAP { ldap }<\/strong> is defined within authenticate in site-enable\/default <\/strong><\/li>\n
        4. Please note that clear text password is required, so MS-CHAP is not supported<\/strong><\/li>\n<\/ol>\n
          Setup a pool of IP address for client<\/h1>\n
            \n
          1. Setup range-start<\/strong> and range-stop<\/strong> in modules\/ippool<\/strong>, e.g., named main_pool<\/strong><\/li>\n
          2. Uncomment main_pool<\/strong> in accounting<\/strong> and post-auth<\/strong> sections in sites-enabled\/default<\/strong><\/li>\n
          3. Assign check-item Pool-Name<\/strong> in users<\/strong>file, e.g.,\n
            DEFAULT Framed-Protocol == PPP, Pool-Name := \"main_pool\"\r\n        Framed-Protocol = PPP, \r\n        Framed-Compression = Van-Jacobson-TCP-IP<\/pre>\n
            All ppp client will be assign an IP adress from main_pool<\/li>\n<\/ol>\n
            Realm support<\/h1>\n
            You can proxy access and accounting request to other RADIUS server base on realm, e.g., uid@realm<\/p>\n
              \n
            1. Ensure suffix<\/strong> is defined in authorize<\/strong> and preacct<\/strong> sessions in sites-enabled\/default<\/strong><\/li>\n
            2. define the realm in proxy.conf<\/strong>, e.g., to redirect @qstation request to xx.xx.xx.xx,\n
              \r\nrealm \"qstation\" {\r\n#      nostrip\r\n      authhost        = xx.xx.xx.xx\r\n      accthost        = xx.xx.xx.xx\r\n      secret xyzxyzxyz\r\n}\r\n<\/pre>\n
              In case, the realm is handle by local, you may<\/p>\n
              \r\nrealm \"qstation\" {\r\n      nostrip\r\n      authhost        = LOCAL\r\n      accthost        = LOCAL\r\n}\r\n<\/pre>\n
              For other detail setup, please refer to the comment of the file.\n<\/li>\n<\/ol>\n
              Simultaneous-Use<\/h1>\n
              You can limit the number of con-current connection by a user, we don’t use any SQL in our setup but using flat files only, radutmp & radwtmp<\/strong> only.<\/p>\n
                \n
              1. Ensue radlast<\/strong> & radwho<\/strong> work correctly, in case your radwho compile couldn’t find sradutmp<\/strong>, you could enable sradutmp<\/strong> module or symbolic link to radutmp<\/strong> as dirty hack.<\/li>\n
              2. In user<\/strong> file, add ‘Simultaneous-Use’ as check item, e.g.,\n
                \r\n  DEFAULT Group == \"staff\", Simultaneous-Use := 4\r\n          Fall-Through = 1\r\n  DEFAULT Group == \"business\", Simultaneous-Use := 2\r\n          Fall-Through = 1\r\n  DEFAULT Simultaneous-Use := 1\r\n          Fall-Through = 1\r\n<\/pre>\n<\/li>\n<\/ol>\n
                Radius accounting report<\/h1>\n
                We do not use SQL as accounting, you may refer to the follow site to do RADIUS accounting<\/p>\n