notes/projects/gg/freeradius/20250725-radius-laerning-01.md
2025-07-26 11:50:53 +02:00

FreeRADIUS Crash Course for a School Environment with AD Integration (IPv4-Only)

(Softbox MSP Focus: IPv4-Only, No IPv6 Support)


1. What is RADIUS?

RADIUS (Remote Authentication Dial-In User Service) is a network protocol for centralized authentication, authorization, and accounting (AAA). It's used in:

  • Wireless networks (802.1X)
  • DSL modems
  • VPN gateways
  • Switches/APs

Key Components:

  • Client (NAS): Network Access Server (e.g., switch, AP, firewall) that sends user credentials to the RADIUS server.
  • Server (RADIUS): Validates credentials against a backend (e.g., AD, LDAP, SQL).
  • Protocol Flow:
    1. User authenticates (e.g., via Wi-Fi, SSH, or PPP).
    2. NAS sends an Access-Request to the RADIUS server.
    3. Server checks credentials against a backend (e.g., AD).
    4. Server replies with Access-Accept, Access-Reject, or Accounting-Request.
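The request/reply exchange in steps 2 to 4, as an added example that is not part of the original notes: a tiny NAS side and server side in plain Python. It shows the two things the shared secret actually protects, the PAP password hiding inside the Access-Request and the Response Authenticator plus Message-Authenticator that bind a reply to its request. The secret, user database and NAS address are constructed values; the `users` dict stands in for the AD/LDAP backend.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used below (RFC 2865 / RFC 2869 values)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as Type/Length/Value triples."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data):
    """Parse TLV attributes; raises on a truncated or zero-length attribute."""
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, req_auth):
    """PAP User-Password hiding (RFC 2865 5.2): XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += prev
    return out


def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password, as the server does it before checking the backend."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs, secret):
    """Build a packet whose last attribute is an HMAC-MD5 Message-Authenticator (RFC 2869)."""
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def verify_message_authenticator(pkt, secret, req_auth):
    """Recompute the HMAC with the attribute value zeroed and the Request Authenticator in place."""
    i = 20
    while i + 2 <= len(pkt):
        t, length = pkt[i], pkt[i + 1]
        if length < 2:
            return False
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:4] + req_auth + pkt[20:i + 2] + b"\x00" * 16 + pkt[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[i + 2:i + 18])
        i += length
    return False  # no Message-Authenticator at all: treat as untrusted


def nas_access_request(ident, secret, username, password, nas_ip):
    """NAS side, step 2 of the flow: an Access-Request carrying a hidden PAP password."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs, secret)


def server_handle(pkt, secret, users):
    """Server side, steps 3 and 4: check integrity, unhide the password, answer Accept or Reject.
    `users` is a constructed name -> password dict standing in for the AD/LDAP backend."""
    if len(pkt) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    req_auth = pkt[4:20]
    if code != ACCESS_REQUEST or length != len(pkt):
        return None
    if not verify_message_authenticator(pkt, secret, req_auth):
        return None  # RFC 2869: silently discard a request that fails the check
    attrs = dict(decode_attrs(pkt[20:]))
    user = attrs.get(USER_NAME, b"").decode()
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    reply = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    out = build_packet(reply, ident, req_auth, [], secret)  # MAC keyed on the request authenticator
    resp_auth = hashlib.md5(out[:4] + req_auth + out[20:] + secret).digest()
    return out[:4] + resp_auth + out[20:]


def nas_verify_response(request, response, secret):
    """NAS side: accept a reply only if both authenticators bind it to our own request."""
    req_auth = request[4:20]
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return (hmac.compare_digest(expected, response[4:20])
            and verify_message_authenticator(response, secret, req_auth))
```

Note that everything here rests on MD5 keyed with the shared secret and on the NAS checking the reply: a weak or reused secret undoes both the password hiding and the reply binding, which is why section 5 asks for strong, unique secrets and why `require_message_authenticator` matters in clients.conf.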

2. Key Features of FreeRADIUS

FreeRADIUS is an open-source RADIUS server with:

  • Modular architecture (plugins for LDAP, SQL, EAP, etc.).
  • IPv4 support (standard for Softbox MSP).
  • EAP (Extensible Authentication Protocol) for secure 802.1X.
  • Accounting for usage tracking (e.g., bandwidth, login times).
  • Proxying for load balancing or multi-site setups.

3. Architecture for Your School Use Case

Scenario:

  • MS DC/AD handles user identities (e.g., students, staff, guests).
  • FreeRADIUS acts as the central AAA server.
  • NAS devices (e.g., Proxmox VMs, VMware ESXi hosts, APs) forward RADIUS requests.

Workflow:

  1. User connects to the network (e.g., via Wi-Fi).
  2. NAS sends user credentials to FreeRADIUS (via IPv4).
  3. FreeRADIUS queries AD/LDAP for authentication.
  4. FreeRADIUS authorizes the user (e.g., assign VLANs, limit bandwidth).
  5. Accounting logs are stored for billing/monitoring.

4. Step-by-Step Setup (IPv4-Only)

A. Prerequisites

  • Linux Server (e.g., Ubuntu/Debian/Proxmox VM).
  • IPv4 connectivity (ensure IPv4 is enabled in the kernel and in the network configuration).
  • AD/LDAP integration (e.g., Microsoft Active Directory).
  • TLS/SSL for secure communication (required for RADIUS).

B. Install FreeRADIUS

# Debian/Ubuntu
sudo apt update
sudo apt install freeradius freeradius-utils

C. Configure FreeRADIUS for AD Integration

  1. LDAP Configuration (AD):
    Edit /etc/freeradius/3.0/sites-enabled/inner-tunnel (or default):

    # rlm_ldap module instance. In a stock 3.0 install this block is
    # /etc/freeradius/3.0/mods-available/ldap (symlinked into mods-enabled/);
    # the virtual servers under sites-enabled/ call it by name.
    ldap {
        server = "ad.example.com"  # AD DC hostname or IPv4 address
        identity = "CN=radius,CN=Users,DC=example,DC=com"  # bind DN (3.0 key is identity)
        password = "your-ad-password"                      # bind password (3.0 key is password)
        base_dn = "DC=example,DC=com"
        user {
            base_dn = "${..base_dn}"
            filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
        options {
            net_timeout = 5  # seconds to wait for the DC before failing over
        }
        tls {
            start_tls = yes  # upgrade the port 389 connection; the DC cert must chain to a trusted CA
        }
    }

    Note: Use ldapsearch to test LDAP connectivity.

  2. Authentication Method:
    In /etc/freeradius/3.0/sites-enabled/inner-tunnel, replace the authenticate section with:

    authenticate {
        # Auth-Type LDAP binds to AD as the user, so it needs the cleartext
        # password: it works for PAP (e.g. EAP-TTLS/PAP) but not for
        # PEAP/MS-CHAPv2, which needs the mschap module plus ntlm_auth/winbind.
        Auth-Type LDAP {
            ldap
        }
    }
  3. Authorization Rules:
    Add policies to assign VLANs or bandwidth limits:

    authorize {
        ldap
        # Select LDAP bind authentication only when a cleartext password arrived
        if ((ok || updated) && User-Password && !control:Auth-Type) {
            update control {
                Auth-Type := ldap
            }
        }
        # unlang sets attributes through update blocks; the VLAN ID travels
        # in Tunnel-Private-Group-Id (RFC 3580)
        if (User-Name =~ /^student/) {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802  # value 6
                Tunnel-Private-Group-Id := "your-student-vlan-id"
            }
        }
    }

D. Configure RADIUS Clients (NAS)

Edit /etc/freeradius/3.0/clients.conf:

client NAS-IPv4-Address {
    ipaddr = 192.168.1.1  # Replace with NAS's IPv4 address (a single host; CIDR ranges widen who may talk to the server)
    secret = "your-shared-secret"  # long, random, unique per NAS
    shortname = "NAS-Name"  # 3.0 key is shortname, not short_name
    require_message_authenticator = yes  # 3.0 key; discard requests without a valid Message-Authenticator
    nastype = other
}

Note: Ensure NAS devices are configured with the same shared secret and IPv4 address.
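A small audit for the clients.conf conventions above and the pitfalls in sections 5 and 6 (per-NAS host addresses, strong unique secrets, Message-Authenticator enforcement). This is an added example, not part of the original notes or of FreeRADIUS; the sample file is constructed, the 16-character minimum is an assumed local policy, and the parser only understands the flat `client NAME { key = value }` layout shown on this page.

```python
import ipaddress
import re

MIN_SECRET_LEN = 16  # assumed local policy for this audit, not a FreeRADIUS requirement
WEAK_SECRETS = {"testing123", "your-shared-secret", "secret", "radius"}

# Constructed sample, modelled on the clients.conf layout shown above
SAMPLE_CLIENTS_CONF = """\
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    shortname = localhost
}
client ap-building-a {
    ipaddr = 192.168.1.1  # Replace with NAS's IPv4 address
    secret = "your-shared-secret"
    shortname = "AP-A"
    require_message_authenticator = yes
    nastype = other
}
client everyone {
    ipaddr = 0.0.0.0/0
    secret = "Rk3!pZ9qLs2vT7bW4mXc8Ye"
    shortname = "catch-all"
}
"""

BLOCK_START = re.compile(r"^client\s+(\S+)\s*\{$")


def parse_clients(text):
    """Minimal parser for top-level `client NAME { key = value ... }` blocks."""
    clients, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw.strip())  # drop trailing comments
        if not line or line.startswith("#"):
            continue
        m = BLOCK_START.match(line)
        if m:
            current = clients.setdefault(m.group(1), {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip("\"'")
    return clients


def audit_clients(clients):
    """Return (client, finding) pairs; an empty list means nothing to report."""
    findings, seen = [], {}
    for name, cfg in clients.items():
        ip = cfg.get("ipaddr")
        if ip is None:
            findings.append((name, "no ipaddr: block can never match a NAS"))
        else:
            try:
                net = ipaddress.ip_network(ip, strict=False)
                if net.version != 4:
                    findings.append((name, f"ipaddr {ip} is not IPv4"))
                elif net.prefixlen < 32:
                    findings.append((name, f"ipaddr {ip} is a range, not a single NAS"))
            except ValueError:
                findings.append((name, f"ipaddr {ip!r} is not a valid address"))
        secret = cfg.get("secret", "")
        if len(secret) < MIN_SECRET_LEN or secret in WEAK_SECRETS:
            findings.append((name, "shared secret is short, a placeholder or a known default"))
        if secret in seen:
            findings.append((name, f"shared secret reused from client {seen[secret]}"))
        else:
            seen[secret] = name
        if cfg.get("require_message_authenticator", "no").lower() != "yes":
            findings.append((name, "require_message_authenticator is not set to yes"))
    return findings


if __name__ == "__main__":
    for client, finding in audit_clients(parse_clients(SAMPLE_CLIENTS_CONF)):
        print(f"{client}: {finding}")
```

Run it against the real file by reading `/etc/freeradius/3.0/clients.conf` into `parse_clients`; the stock `localhost` entry with `testing123` is flagged on purpose, since it should be changed or removed before the server is reachable from anything but itself.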


E. TLS/SSL for Secure Communication

  1. Generate Certificates (self-signed or CA-signed):
    Use openssl to create a certificate chain. Store in /etc/freeradius/3.0/certs/.

  2. Configure TLS in radiusd.conf:

    # In FreeRADIUS 3.0 these settings live in mods-available/eap as a
    # tls-config block; the EAP methods (tls, ttls, peap) reference it by name.
    tls-config tls-common {
        ca_file = "/etc/freeradius/3.0/certs/ca.pem"
        certificate_file = "/etc/freeradius/3.0/certs/server.pem"
        private_key_file = "/etc/freeradius/3.0/certs/server.key"
        dh_file = "/etc/freeradius/3.0/certs/dh2048.pem"
        tls_min_version = "1.2"  # refuse TLS 1.0/1.1 from supplicants
    }
    # EAP-TLS always requires a client certificate; for PEAP/TTLS set
    # require_client_cert = yes inside that method's block once supplicants are enrolled.
  3. NAS Configuration:
    Ensure NAS devices are configured to use TLS and trust the CA certificate.


F. Test the Setup

  1. Simulate a RADIUS Request:

    # radtest <user> <password> <radius-server> <nas-port> <shared-secret>
    # The third argument is the RADIUS server's address; the source IP of the
    # host running radtest must match a client entry in clients.conf.
    # radtest sends PAP, which is what the LDAP bind authentication above expects.
    radtest user@example.com password 192.168.1.1 0 your-shared-secret

    Check /var/log/freeradius/radius.log for output (or run the server in the foreground with freeradius -X to see each module's decision).

  2. Use Wireshark:
    Capture IPv4 RADIUS packets (port 1812/1813) to debug.
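Once logging works, the same radius.log is the first place to spot password guessing against student or staff accounts. As an added example, not part of the original notes, here is a detector that parses the "Auth:" lines FreeRADIUS 3.0 writes and flags a burst of failures for one account from one NAS inside a short window. The log lines are constructed samples modelled on that format; the threshold and window are assumed starting values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the "Auth:" entries FreeRADIUS 3.0 writes to radius.log
SAMPLE_LOG = """\
Mon Jul 28 08:00:01 2025 : Auth: (12) Login OK: [student01] (from client AP-A port 0 cli 00-11-22-33-44-55)
Mon Jul 28 08:00:05 2025 : Auth: (13) Login incorrect (ldap: Bind credentials incorrect): [student02] (from client AP-A port 0 cli 00-11-22-33-44-66)
Mon Jul 28 08:00:09 2025 : Auth: (14) Login incorrect (ldap: Bind credentials incorrect): [student02] (from client AP-A port 0 cli 00-11-22-33-44-66)
Mon Jul 28 08:00:14 2025 : Auth: (15) Login incorrect (ldap: Bind credentials incorrect): [student02] (from client AP-A port 0 cli 00-11-22-33-44-66)
Mon Jul 28 08:00:20 2025 : Auth: (16) Login incorrect (ldap: Bind credentials incorrect): [student02] (from client AP-A port 0 cli 00-11-22-33-44-66)
Mon Jul 28 08:00:27 2025 : Auth: (17) Login incorrect (ldap: Bind credentials incorrect): [student02] (from client AP-A port 0 cli 00-11-22-33-44-66)
Mon Jul 28 08:01:10 2025 : Auth: (18) Login incorrect (ldap: Bind credentials incorrect): [staff01] (from client AP-B port 0)
Mon Jul 28 09:15:00 2025 : Auth: (19) Login incorrect (ldap: Bind credentials incorrect): [student02] (from client AP-A port 0 cli 00-11-22-33-44-66)
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: \(\d+\) Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port \d+(?: cli (?P<cli>\S+))?\)$"
)


def parse_line(line):
    """Return a dict for an Auth line, or None for lines this detector ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
    return ev


def summarize(lines):
    """Count outcomes; the first thing to compare against expectations after a config change."""
    counts = {"OK": 0, "incorrect": 0}
    for ev in filter(None, map(parse_line, lines)):
        counts[ev["result"]] += 1
    return counts


def detect_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag (client, user) pairs that accumulate `threshold` failures inside `window`,
    i.e. repeated guessing against one account from one NAS; alerts once per crossing."""
    recent, alerts = defaultdict(deque), []
    for ev in filter(None, map(parse_line, lines)):
        if ev["result"] != "incorrect":
            continue
        q = recent[(ev["client"], ev["user"])]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) == threshold:
            alerts.append({"client": ev["client"], "user": ev["user"],
                           "first": q[0], "last": ev["ts"], "reason": ev["reason"]})
    return alerts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for a in detect_bursts(SAMPLE_LOG):
        print(f"{a['user']} via {a['client']}: {a['first']} .. {a['last']} ({a['reason']})")
```

Feed it the real file with `detect_bursts(open("/var/log/freeradius/radius.log"))`; the single failure from AP-B and the isolated failure an hour later are left alone, only the five-in-22-seconds run against student02 is reported.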


5. Security Best Practices

  • Firewall Rules: Ensure only trusted NAS devices can communicate with the RADIUS server on ports 1812 (authentication) and 1813 (accounting).
  • Shared Secrets: Use strong, unique shared secrets for each NAS device.
  • TLS Enforcement: Require TLS for all RADIUS communication to prevent eavesdropping.

6. Common Pitfalls

  • IP Address Mismatch: Ensure the NAS's IP address in clients.conf matches its actual IPv4 address.
  • LDAP Configuration Errors: Double-check bind_dn, base_dn, and filter settings in the LDAP block.
  • TLS Certificate Issues: Verify the CA certificate is trusted by the NAS and the certificate chain is complete.

7. Next Steps for You

  1. Provision a FreeRADIUS VM in Proxmox with IPv4 support.
  2. Integrate with AD using LDAP (test via ldapsearch).
  3. Secure TLS and configure NAS devices.
  4. Monitor logs and test with real users.

Let me know if you need scripts for LDAP testing, TLS certificate generation, or IPv4 subnet planning! 🚀