CubelaPetar/notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

20250726-regular commit

Browse Source
This commit is contained in:
Petar Cubela
2025-07-26 11:50:53 +02:00
parent b79839500c
commit c83d178b77
21 changed files with 1085 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

178
projects/gg/freeradius/20250725-radius-laerning-01.md Normal file
View File

@@ -0,0 +1,178 @@
### **FreeRADIUS Crash Course for a School Environment with AD Integration (IPv4-Only)**
*(Softbox MSP Focus: IPv4-Only, No IPv6 Support)*
---
### **1. What is RADIUS?**
**RADIUS (Remote Authentication Dial-In User Service)** is a network protocol for centralized authentication, authorization, and accounting (AAA). Its used in:
- **Wireless networks** (802.1X)
- **DSL modems**
- **VPN gateways**
- **Switches/APs**
**Key Components:**
- **Client (NAS):** Network Access Server (e.g., switch, AP, firewall) that sends user credentials to the RADIUS server.
- **Server (RADIUS):** Validates credentials against a backend (e.g., AD, LDAP, SQL).
- **Protocol Flow:**
1. User authenticates (e.g., via Wi-Fi, SSH, or PPP).
2. NAS sends an **Access-Request** to the RADIUS server.
3. Server checks credentials against a backend (e.g., AD).
4. Server replies with **Access-Accept**, **Access-Reject**, or **Accounting-Request**.
---
### **2. Key Features of FreeRADIUS**
FreeRADIUS is an open-source RADIUS server with:
- **Modular architecture** (plugins for LDAP, SQL, EAP, etc.).
- **IPv4 support** (standard for Softbox MSP).
- **EAP (Extensible Authentication Protocol)** for secure 802.1X.
- **Accounting** for usage tracking (e.g., bandwidth, login times).
- **Proxying** for load balancing or multi-site setups.
---
### **3. Architecture for Your School Use Case**
**Scenario:**
- **MS DC/AD** handles user identities (e.g., `students`, `staff`, `guests`).
- **FreeRADIUS** acts as the central AAA server.
- **NAS devices** (e.g., Proxmox VMs, VMware ESXi hosts, APs) forward RADIUS requests.
**Workflow:**
1. **User connects** to the network (e.g., via Wi-Fi).
2. **NAS** sends user credentials to **FreeRADIUS** (via IPv4).
3. **FreeRADIUS** queries **AD/LDAP** for authentication.
4. **FreeRADIUS** authorizes the user (e.g., assign VLANs, limit bandwidth).
5. **Accounting** logs are stored for billing/monitoring.
---
### **4. Step-by-Step Setup (IPv4-Only)**
#### **A. Prerequisites**
- **Linux Server** (e.g., Ubuntu/Debian/Proxmox VM).
- **IPv4 connectivity** (ensure `ipv4` is enabled in kernel and network).
- **AD/LDAP integration** (e.g., Microsoft Active Directory).
- **TLS/SSL** for secure communication (required for RADIUS).
---
#### **B. Install FreeRADIUS**
```bash
# Debian/Ubuntu
sudo apt update
sudo apt install freeradius freeradius-utils
```
---
#### **C. Configure FreeRADIUS for AD Integration**
1. **LDAP Configuration (AD):**
Edit `/etc/freeradius/3.0/sites-enabled/inner-tunnel` (or `default`):
```ini
ldap {
server = "ad.example.com" # AD DC IPv4 address
base_dn = "DC=example,DC=com"
bind_dn = "CN=radius,CN=Users,DC=example,DC=com"
bind_password = "your-ad-password"
filter = "(sAMAccountName=%{User-Name})"
attribute = sAMAccountName
timeout = 5
start_tls = yes
}
```
**Note:** Use `ldapsearch` to test LDAP connectivity.
2. **Authentication Method:**
In `/etc/freeradius/3.0/sites-enabled/inner-tunnel`, replace `auth` with:
```ini
authenticate {
ldap
}
```
3. **Authorization Rules:**
Add policies to assign VLANs or bandwidth limits:
```ini
authorize {
ldap
policy filter-ipv4 {
if (User-Name =~ /^student/) {
Tunnel-Type = VLAN
Tunnel-Medium-Type = 6
Tunnel-Client-Endpoint = "ipv4"
}
}
}
```
---
#### **D. Configure RADIUS Clients (NAS)**
Edit `/etc/freeradius/3.0/clients.conf`:
```ini
client NAS-IPv4-Address {
ipaddr = 192.168.1.1 # Replace with NAS's IPv4 address
secret = "your-shared-secret"
short_name = "NAS-Name"
require_message_integrity = yes
nastype = other
}
```
**Note:** Ensure NAS devices are configured with the same shared secret and IPv4 address.
---
#### **E. TLS/SSL for Secure Communication**
1. **Generate Certificates (self-signed or CA-signed):**
Use `openssl` to create a certificate chain. Store in `/etc/freeradius/3.0/certs/`.
2. **Configure TLS in `radiusd.conf`:**
```ini
tls {
ca_file = "/etc/freeradius/3.0/certs/ca.pem"
cert_file = "/etc/freeradius/3.0/certs/server.pem"
key_file = "/etc/freeradius/3.0/certs/server.key"
dh_file = "/etc/freeradius/3.0/certs/dh2048.pem"
verify_client = yes
}
```
3. **NAS Configuration:**
Ensure NAS devices are configured to use TLS and trust the CA certificate.
---
#### **F. Test the Setup**
1. **Simulate a RADIUS Request:**
```bash
radtest user@example.com password 192.168.1.1 0 your-shared-secret
```
Check `/var/log/freeradius/radius.log` for output.
2. **Use Wireshark:**
Capture IPv4 RADIUS packets (port 1812/1813) to debug.
---
### **5. Security Best Practices**
- **Firewall Rules:** Ensure only trusted NAS devices can communicate with the RADIUS server on ports 1812 (authentication) and 1813 (accounting).
- **Shared Secrets:** Use strong, unique shared secrets for each NAS device.
- **TLS Enforcement:** Require TLS for all RADIUS communication to prevent eavesdropping.
---
### **6. Common Pitfalls**
- **IP Address Mismatch:** Ensure the NAS's IP address in `clients.conf` matches its actual IPv4 address.
- **LDAP Configuration Errors:** Double-check `bind_dn`, `base_dn`, and `filter` settings in the LDAP block.
- **TLS Certificate Issues:** Verify the CA certificate is trusted by the NAS and the certificate chain is complete.
---
### **7. Next Steps for You**
1. **Provision a FreeRADIUS VM** in Proxmox with IPv4 support.
2. **Integrate with AD** using LDAP (test via `ldapsearch`).
3. **Secure TLS** and configure NAS devices.
4. **Monitor logs** and test with real users.
Let me know if you need scripts for LDAP testing, TLS certificate generation, or IPv4 subnet planning! 🚀

0
projects/gg/freeradius/20250725_init.md Normal file
View File