Quick Install FreeRadius on CentOS7 - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Friday, May 1, 2020

Quick Install FreeRadius on CentOS7

There are many ways to install FreeRADIUS, with or without MySQL and with or without the daloRADIUS web GUI manager. This post summarizes the quickest steps to install FreeRADIUS on CentOS 7.
It is assumed you have installed CentOS 7 with a minimal installation and updated it to the latest packages using the 'yum -y update' command.

Install FreeRadius Components

[root@freeradius ~]# yum install freeradius freeradius-utils freeradius-mysql freeradius-perl -y

Before starting configuration, check whether the RADIUS server is running with the following command, where radiusd is the FreeRADIUS daemon on CentOS Linux.
[root@freeradius ~]# systemctl status radiusd
If you find that the radius daemon (radiusd) is not running, issue the following command to start it.
[root@freeradius ~]# systemctl start radiusd
Now you will find that your RADIUS server is running if you issue the status command again. Also issue the following command so that the radius daemon starts at system boot.
[root@freeradius ~]# systemctl enable radiusd


FreeRADIUS Basic Configuration


After a successful FreeRADIUS installation, localhost will be defined as a NAS device (RADIUS client) and bob will be enabled as a test user. After we have defined the client and the test user, we will use the radtest program to fill the role of a RADIUS client and test the authentication of bob.
FreeRADIUS is set up by modifying configuration files. The default location of the FreeRADIUS configuration files in CentOS 7 is /etc/raddb. So, go to this directory and issue the ls command to view the available configuration files and directories.
[root@freeradius ~]# cd /etc/raddb
The following instructions show how to define a RADIUS client and user in the clients and users configuration files.
  • Ensure that your working directory is /etc/raddb.
  • FreeRADIUS includes a default client called localhost. This client can be used by RADIUS client programs on the localhost to help with troubleshooting and testing. Open the clients.conf file with the command "vi clients.conf" and confirm that the following entry exists in clients.conf:
client localhost {
ipaddr = 127.0.0.1
secret = testing123
require_message_authenticator = no
nas_type = other
}
  • Define bob as a FreeRADIUS test user. Open the users file with the vim editor (vim users) and un-comment or add the following lines at the top of the users file. (The line "Framed-IP-Address = 192.168.10.10," is not actually necessary.)
    bob Cleartext-Password := "hello"
         Framed-IP-Address = 192.168.10.10,
         Reply-Message = "Hello, %{User-Name}"
  • Whenever you update your RADIUS configuration, you have to restart the radius daemon, otherwise your configuration will not be applied. To restart the daemon and reload your configuration, issue the following command from your CentOS 7 command prompt.
[root@freeradius ~]# systemctl restart radiusd

  • The RADIUS server listens for authentication requests on UDP port 1812 and accounting requests on UDP port 1813. If you got the above message, your FreeRADIUS server is ready to accept RADIUS client requests and provide replies.
  • Authenticate the bob user using the following radtest command, where bob is a test user and hello is the password of the bob user defined in the users file. 127.0.0.1 (localhost) is the IP address of the NAS device, 100 is NAS port and testing123 is the NAS password (shared secret) defined in the clients.conf file.
    [root@localhost raddb]# radtest bob hello 127.0.0.1 0 testing123
    Sent Access-Request Id 159 from 0.0.0.0:57237 to 127.0.0.1:1812 length 73
            User-Name = "bob"
            User-Password = "hello"
            NAS-IP-Address = 127.0.0.1
            NAS-Port = 0
            Message-Authenticator = 0x00
            Cleartext-Password = "hello"
    Received Access-Accept Id 159 from 127.0.0.1:1812 to 0.0.0.0:0 length 32
            Reply-Message = "Hello, bob"
Radtest will show the response of the FreeRADIUS server, as in the output above. That means your FreeRADIUS server is ready to accept requests from RADIUS clients and users.
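
What radtest puts on the wire in the exchange above, as an added example that is not part of the original post: it builds the same Access-Request attributes and shows that User-Password is only masked with MD5 keyed by the shared secret (RFC 2865), while Message-Authenticator is an HMAC-MD5 over the packet. The function names and the fixed Request Authenticator are assumptions made for a repeatable run.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 sec. 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does: the same MD5 chain, fed with the ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, pad))
    return out.rstrip(b"\x00")

def attr(code: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (including the 2-byte header), value."""
    return bytes([code, len(value) + 2]) + value

def build_access_request(user, password, secret, nas_ip, nas_port, ident, authenticator=None):
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(1, user)                                               # User-Name
             + attr(2, hide_password(password, secret, authenticator))  # User-Password
             + attr(4, socket.inet_aton(nas_ip))                         # NAS-IP-Address
             + attr(5, struct.pack("!I", nas_port))                      # NAS-Port
             + attr(80, bytes(16)))                       # Message-Authenticator, zeroed
    packet = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()  # HMAC-MD5 over the whole packet
    return packet[:-16] + mac

def message_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Assumes Message-Authenticator is the last attribute, as built above."""
    zeroed = packet[:-16] + bytes(16)
    return hmac.compare_digest(packet[-16:], hmac.new(secret, zeroed, hashlib.md5).digest())

if __name__ == "__main__":
    ra = bytes(range(16))  # constructed Request Authenticator so the run is repeatable
    pkt = build_access_request(b"bob", b"hello", b"testing123", "127.0.0.1", 0, 159, ra)
    print(len(pkt), pkt.hex())
```

The packet is 73 bytes, the same length radtest reports above. Because the masking key is derived only from the shared secret and the Request Authenticator carried in the packet, the strength of the secret in clients.conf is what protects the user's password in transit.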

Now, let's verify the above configuration from a different computer. From another Windows computer you can test it using the NTRadPing Test Utility. Add a new client to the clients.conf file.


[root@localhost raddb]# vi clients.conf

client test1 {
        secret = Cyberark1
        ipaddr = 192.168.2.69
}

Run NTRadPing test utility from machine 192.168.2.69.
Please use this link to download the NTRadPing tool:  https://www.novell.com/coolsolutions/tools/14377.html
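
An added example, not part of the original post: a small check over clients.conf-style text that flags the sample secret testing123, secrets shorter than a local minimum, and clients with require_message_authenticator = no. The function names, the 16-character minimum and the embedded sample (built from the two client entries in this post) are assumptions made for the example.

```python
import re
DEFAULT_SECRET = "testing123"  # sample secret shown in this post's localhost client
MIN_SECRET_LEN = 16            # assumed local policy value, not a FreeRADIUS setting

def parse_clients(text):
    """Return {name: {key: value}} for top-level client blocks ('#' in values unsupported)."""
    clients, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        opener = re.match(r"client\s+(\S+)\s*\{$", line)
        if opener and depth == 0:
            current, depth = clients.setdefault(opener.group(1), {}), 1
        elif line.endswith("{"):
            depth += 1                      # nested section such as "limit {"
        elif line == "}":
            depth -= 1
            current = current if depth else None
        elif current is not None and depth == 1 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value.strip('"')
    return clients

def audit(text):
    findings = []
    for name, cfg in parse_clients(text).items():
        secret = cfg.get("secret", "")
        if secret == DEFAULT_SECRET:
            findings.append((name, "default secret"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, "short secret"))
        if cfg.get("require_message_authenticator", "").lower() == "no":
            findings.append((name, "message authenticator not required"))
    return findings

# Constructed sample: the two client entries from this post.
SAMPLE = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
}
client test1 {
    secret = Cyberark1
    ipaddr = 192.168.2.69
}
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```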

Debug RADIUS Server

We'll need to test the RADIUS server in debug mode, which means we'll have to run the service. The problem is that the server is already running from earlier, and running in debug mode will fail to bind the ports, so we'll have to kill the radius service first:
Now run the RADIUS server in debug mode to check if everything's working:
[root@localhost ~]# radiusd -X
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 47797
Listening on proxy address :: port 60742
Ready to process requests




