notes/projects/gg/freeradius/20250725-radius-laerning-01.md
2025-07-26 11:50:53 +02:00
### **FreeRADIUS Crash Course for a School Environment with AD Integration (IPv4-Only)**
*(Softbox MSP Focus: IPv4-Only, No IPv6 Support)*
---
### **1. What is RADIUS?**
**RADIUS (Remote Authentication Dial-In User Service)** is a network protocol for centralized authentication, authorization, and accounting (AAA). It's used in:
- **Wireless networks** (802.1X)
- **DSL modems**
- **VPN gateways**
- **Switches/APs**
**Key Components:**
- **Client (NAS):** Network Access Server (e.g., switch, AP, firewall) that sends user credentials to the RADIUS server.
- **Server (RADIUS):** Validates credentials against a backend (e.g., AD, LDAP, SQL).
- **Protocol Flow:**
1. User authenticates (e.g., via Wi-Fi, SSH, or PPP).
2. NAS sends an **Access-Request** to the RADIUS server.
3. Server checks credentials against a backend (e.g., AD).
4. Server replies with **Access-Accept**, **Access-Reject**, or **Accounting-Request**.
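The four-step flow above, worked through in Python as an added example (not part of the original note): the NAS hides the User-Password with the RFC 2865 MD5 scheme and signs the request with a Message-Authenticator (RFC 2869); the server validates the signature, checks the password against a dict standing in for AD, and answers with an Access-Accept or Access-Reject whose Response Authenticator the NAS verifies. The shared secret, the user database and the NAS address are constructed placeholders; both sides run in-process, no sockets involved.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80
# Constructed values: a placeholder secret and a dict standing in for the AD backend.
SHARED_SECRET = b"your-shared-secret"
USER_DB = {b"student01": b"s3cret-pw"}

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs = []
    while len(data) >= 2:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            break                                   # malformed attribute: stop parsing
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block), the first block keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def packet_bytes(code, ident, auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def with_message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869 5.14: HMAC-MD5 over the packet with the attribute zeroed, keyed by the secret."""
    probe = attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    mac = hmac.new(secret, packet_bytes(code, ident, request_auth, probe), hashlib.md5).digest()
    return attrs + [(MESSAGE_AUTHENTICATOR, mac)]

def check_message_authenticator(packet, secret, request_auth):
    """Replies are keyed over the *request's* authenticator, hence the explicit argument."""
    code, ident, _ = struct.unpack("!BBH", packet[:4])
    attrs = decode_attrs(packet[20:])
    got = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    if got is None:
        return False                                # what require_message_authenticator = yes enforces
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    want = hmac.new(secret, packet_bytes(code, ident, request_auth, zeroed), hashlib.md5).digest()
    return hmac.compare_digest(got, want)

def nas_build_access_request(ident, username, password, secret):
    """NAS side (flow step 2): fresh 16-byte Request Authenticator per request."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, bytes([192, 168, 1, 1]))]   # constructed NAS address
    attrs = with_message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret)
    return packet_bytes(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(packet, secret, user_db):
    """Server side (flow steps 3-4). None means the request is silently discarded."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    if not check_message_authenticator(packet, secret, request_auth):
        return None
    attrs = dict(decode_attrs(packet[20:]))
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    reply_code = ACCESS_ACCEPT if user_db.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    reply_attrs = with_message_authenticator(reply_code, ident, request_auth, [], secret)
    # RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_auth = hashlib.md5(packet_bytes(reply_code, ident, request_auth, reply_attrs) + secret).digest()
    return packet_bytes(reply_code, ident, response_auth, reply_attrs)

def nas_verify_reply(reply, request_auth, secret):
    """NAS side: the reply code is trusted only if both authenticators verify; else None."""
    want = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(reply[4:20], want):
        return None
    if not check_message_authenticator(reply, secret, request_auth):
        return None
    return reply[0]
```

Everything in this exchange rests on the shared secret and MD5: a request whose Message-Authenticator does not verify is dropped without any reply, which is the behaviour FreeRADIUS enforces when a client entry has `require_message_authenticator = yes`, and a reply is only accepted against the Request Authenticator of the request it answers. That is also why the best-practice section below insists on a strong, unique secret per NAS and on TLS for the transport.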
---
### **2. Key Features of FreeRADIUS**
FreeRADIUS is an open-source RADIUS server with:
- **Modular architecture** (plugins for LDAP, SQL, EAP, etc.).
- **IPv4 support** (standard for Softbox MSP).
- **EAP (Extensible Authentication Protocol)** for secure 802.1X.
- **Accounting** for usage tracking (e.g., bandwidth, login times).
- **Proxying** for load balancing or multi-site setups.
---
### **3. Architecture for Your School Use Case**
**Scenario:**
- **MS DC/AD** handles user identities (e.g., `students`, `staff`, `guests`).
- **FreeRADIUS** acts as the central AAA server.
- **NAS devices** (e.g., Proxmox VMs, VMware ESXi hosts, APs) forward RADIUS requests.
**Workflow:**
1. **User connects** to the network (e.g., via Wi-Fi).
2. **NAS** sends user credentials to **FreeRADIUS** (via IPv4).
3. **FreeRADIUS** queries **AD/LDAP** for authentication.
4. **FreeRADIUS** authorizes the user (e.g., assigns VLANs, limits bandwidth).
5. **Accounting** logs are stored for billing/monitoring.
---
### **4. Step-by-Step Setup (IPv4-Only)**
#### **A. Prerequisites**
- **Linux Server** (e.g., Ubuntu/Debian/Proxmox VM).
- **IPv4 connectivity** (ensure `ipv4` is enabled in kernel and network).
- **AD/LDAP integration** (e.g., Microsoft Active Directory).
- **TLS/SSL** for secure communication (required for RADIUS).
---
#### **B. Install FreeRADIUS**
```bash
# Debian/Ubuntu
sudo apt update
sudo apt install freeradius freeradius-utils
```
---
#### **C. Configure FreeRADIUS for AD Integration**
1. **LDAP Configuration (AD):**
Edit `/etc/freeradius/3.0/sites-enabled/inner-tunnel` (or `default`):
```ini
# FreeRADIUS 3.0 keeps module settings in mods-available/ldap (symlinked from
# mods-enabled/); the site files only call the module by name.
ldap {
    server = "ad.example.com"            # AD DC, IPv4 address or name
    identity = "CN=radius,CN=Users,DC=example,DC=com"   # low-privilege bind account
    password = "your-ad-password"
    base_dn = "DC=example,DC=com"
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{User-Name})"
    }
    options {
        res_timeout = 5                  # seconds to wait for a search result
    }
    tls {
        start_tls = yes                  # upgrade the 389 connection to TLS
        ca_file = "/etc/freeradius/3.0/certs/ca.pem"   # CA that issued the DC's cert (assumed path)
        require_cert = "demand"          # reject the DC if its certificate does not verify
    }
}
```
**Note:** Use `ldapsearch` to test LDAP connectivity.
2. **Authentication Method:**
In `/etc/freeradius/3.0/sites-enabled/inner-tunnel`, replace `auth` with:
```ini
authenticate {
    # Auth-Type LDAP binds as the user with the cleartext password: PAP only, not MS-CHAPv2/PEAP.
    Auth-Type LDAP {
        ldap
    }
}
```
3. **Authorization Rules:**
Add policies to assign VLANs or bandwidth limits:
```ini
authorize {
    ldap
    # Reply attributes for dynamic VLAN assignment (RFC 3580). The VLAN id is a
    # placeholder; a username prefix is a weak criterion, an AD group check via
    # Ldap-Group (with the module's group {} section configured) is preferable.
    if (&User-Name =~ /^student/) {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802       # value 6
            &Tunnel-Private-Group-Id := "10"      # VLAN id (placeholder)
        }
    }
}
```
---
#### **D. Configure RADIUS Clients (NAS)**
Edit `/etc/freeradius/3.0/clients.conf`:
```ini
# One entry per NAS; the name is free-form (constructed example)
client lab-switch-01 {
    ipaddr = 192.168.1.1                  # Replace with the NAS's IPv4 address
    secret = "your-shared-secret"         # unique per NAS
    shortname = "lab-switch-01"           # the option is 'shortname', not 'short_name'
    require_message_authenticator = yes   # drop requests without a valid HMAC (RFC 2869)
    nastype = other
}
```
**Note:** Ensure NAS devices are configured with the same shared secret and IPv4 address.
---
#### **E. TLS/SSL for Secure Communication**
1. **Generate Certificates (self-signed or CA-signed):**
Use `openssl` to create a certificate chain. Store in `/etc/freeradius/3.0/certs/`.
2. **Configure TLS in `radiusd.conf`:**
```ini
# RadSec listener (RADIUS over TLS, RFC 6614); it lives in sites-available/tls,
# not radiusd.conf, and NAS entries in clients.conf then need proto = tls
listen {
    type = auth
    ipaddr = *                    # all IPv4 addresses
    port = 2083
    proto = tcp
    virtual_server = default
    tls {
        certificate_file = "/etc/freeradius/3.0/certs/server.pem"
        private_key_file = "/etc/freeradius/3.0/certs/server.key"
        ca_file = "/etc/freeradius/3.0/certs/ca.pem"
        dh_file = "/etc/freeradius/3.0/certs/dh2048.pem"
        require_client_cert = yes # NAS must present a certificate issued by ca_file
    }
}
```
3. **NAS Configuration:**
Ensure NAS devices are configured to use TLS and trust the CA certificate.
---
#### **F. Test the Setup**
1. **Simulate a RADIUS Request:**
```bash
# The third argument is the RADIUS *server*, not the NAS, and the secret must be the one
# from the clients.conf entry matching radtest's source address (127.0.0.1 = "localhost").
# Run `sudo freeradius -X` in another terminal to watch the request being processed.
radtest -t pap user@example.com password 127.0.0.1 0 your-shared-secret
```
Check `/var/log/freeradius/radius.log` for output.
2. **Use Wireshark:**
Capture IPv4 RADIUS packets (port 1812/1813) to debug.
---
### **5. Security Best Practices**
- **Firewall Rules:** Ensure only trusted NAS devices can communicate with the RADIUS server on ports 1812 (authentication) and 1813 (accounting).
- **Shared Secrets:** Use strong, unique shared secrets for each NAS device.
- **TLS Enforcement:** Require TLS for all RADIUS communication to prevent eavesdropping.
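As an added example (not from the original note), a small Python audit that reads a `clients.conf` in FreeRADIUS 3.0 syntax and flags the practices above plus the address pitfall from the next section: default or short secrets, one secret reused across NAS entries, `require_message_authenticator` not set to `yes`, and `ipaddr` entries that are not IPv4 or cover more than a /24. The sample file, the 16-character minimum and the /24 ceiling are constructed assumptions for this audit; FreeRADIUS imposes neither limit.

```python
import ipaddress
import re

# Constructed sample in FreeRADIUS 3.0 clients.conf syntax (not a real site's file).
SAMPLE_CLIENTS_CONF = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123              # stock default
    require_message_authenticator = no
    nastype = other
}
client lab-switch-01 {
    ipaddr = 192.168.1.1             # one NAS, one secret
    secret = "N4f8!qZr2Lw0kT5p@vXb9cH3"
    shortname = lab-switch-01
    require_message_authenticator = yes
}
client any-wifi {
    ipaddr = 10.0.0.0/8              # a whole /8 is not "trusted NAS devices"
    secret = "wifi"
}
"""

KNOWN_DEFAULT_SECRETS = {"testing123", "secret", "radius", "password"}
MIN_SECRET_LEN = 16              # audit policy (assumption), not a FreeRADIUS limit
MAX_ADDRESSES_PER_ENTRY = 256    # /24 or smaller (assumption)

_CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{")
_KV_RE = re.compile(r"^\s*([A-Za-z_0-9]+)\s*=\s*(.*?)\s*$")

def parse_clients(text):
    """Minimal clients.conf reader: name -> {option: value}. Assumes no '#' inside values."""
    clients, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop trailing comments
        if not line.strip():
            continue
        m = _CLIENT_RE.match(line)
        if m:
            current = clients.setdefault(m.group(1), {})
            continue
        if line.strip() == "}":
            current = None
            continue
        m = _KV_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip("\"'")
    return clients

def audit_client(opts):
    findings = []
    secret = opts.get("secret", "")
    if not secret:
        findings.append("no secret configured")
    elif secret in KNOWN_DEFAULT_SECRETS:
        findings.append("secret is a well-known default")
    elif len(secret) < MIN_SECRET_LEN:
        findings.append(f"secret shorter than {MIN_SECRET_LEN} characters")
    if opts.get("require_message_authenticator", "no").lower() != "yes":
        findings.append("require_message_authenticator is not yes (requests without a valid HMAC are accepted)")
    ipaddr = opts.get("ipaddr")
    if ipaddr is None:
        findings.append("no ipaddr set")
    else:
        try:
            net = ipaddress.ip_network(ipaddr, strict=False)
        except ValueError:
            findings.append(f"ipaddr {ipaddr!r} is not an address/prefix (hostname? resolve and check it)")
        else:
            if net.version != 4:
                findings.append("ipaddr is not IPv4 (site is IPv4-only)")
            elif net.num_addresses > MAX_ADDRESSES_PER_ENTRY:
                findings.append(f"ipaddr covers {net.num_addresses} addresses; list each NAS individually")
    return findings

def audit(text):
    """Per-client findings, plus a secret-reuse check across all clients."""
    clients = parse_clients(text)
    report = {name: audit_client(opts) for name, opts in clients.items()}
    by_secret = {}
    for name, opts in clients.items():
        by_secret.setdefault(opts.get("secret"), []).append(name)
    for secret, names in by_secret.items():
        if secret and len(names) > 1:
            for name in names:
                report[name].append("secret is shared with " + ", ".join(n for n in names if n != name))
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CLIENTS_CONF).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against the real file with `python3 audit.py` after swapping the sample for `open("/etc/freeradius/3.0/clients.conf").read()`; the stock `localhost` entry with `testing123` is the one most often left in place on a production server.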
---
### **6. Common Pitfalls**
- **IP Address Mismatch:** Ensure the NAS's IP address in `clients.conf` matches its actual IPv4 address.
- **LDAP Configuration Errors:** Double-check `bind_dn`, `base_dn`, and `filter` settings in the LDAP block.
- **TLS Certificate Issues:** Verify the CA certificate is trusted by the NAS and the certificate chain is complete.
---
### **7. Next Steps for You**
1. **Provision a FreeRADIUS VM** in Proxmox with IPv4 support.
2. **Integrate with AD** using LDAP (test via `ldapsearch`).
3. **Secure TLS** and configure NAS devices.
4. **Monitor logs** and test with real users.
Let me know if you need scripts for LDAP testing, TLS certificate generation, or IPv4 subnet planning! 🚀