Thursday, October 23, 2014

Cisco and Freeradius configuration

    Installation description

    In our case, FreeRADIUS authenticates remote administrative access to network equipment (Cisco switches). Rather than maintaining a separate user database, I decided to use the existing Active Directory, queried over LDAP. The paths below are the Debian/Ubuntu ones (/etc/freeradius).

    FreeRADIUS package installation:
    apt-get install freeradius
    apt-get install freeradius-utils
    apt-get install freeradius-ldap


    Configure the radiusd.conf file

    Modify the file radiusd.conf (/etc/freeradius/radiusd.conf) to set the listening ports. This setup uses non-standard ports instead of the default 1812/1813:
    -          Authentication (2050)
    -          Accounting (2051)

    listen {
            type = auth
            ipaddr = *
            port = 2050
    }
    listen {
            type = acct
            ipaddr = *
            port = 2051
    }

    ipaddr = * binds every interface. If the server has several, bind only the one the switches reach, and filter both ports with a host firewall so that only the client subnets defined later can talk to them; a non-standard port is not an access control.

    In the log { } section of the same file, enable authentication logging and uncomment the two message lines so that each Access-Accept/Access-Reject log line names the switch that sent the request (%n expands to NAS-IP-Address):
            auth = yes
            msg_goodpass = "Host %n"
            msg_badpass = "Host %n"

    Leave auth_badpass and auth_goodpass in that section at no: they write the submitted passwords into the log file.

    Configure the users file

    Modify the file users (/etc/freeradius/users).

    This file lists the users who are authorized to take control of the 'clients' (for us, the network equipment) and the attributes returned to the switch. The Cisco-AVPair "shell:priv-lvl=15" tells IOS to put the user straight into privilege level 15 (enable mode), so matching one of these entries is equivalent to knowing the enable password.
    - We can use a local database. The password is stored in clear text, so the file must stay readable by the freerad user only:
    Username Cleartext-Password := "Password"
            Service-Type = NAS-Prompt-User,
            Cisco-AVPair = "shell:priv-lvl=15"

    - Or an external database. In this example only members of the Active Directory group 'Group_Network_Admin' are authorized. The two DEFAULT entries are evaluated in order: the first one matches members of the group and returns the attributes, the second one rejects everybody else. The LDAP-Group check item is provided by the ldap module, so the module has to be configured and enabled (next steps) for it to work:
    DEFAULT         LDAP-Group == "Group_Network_Admin"
                    Service-Type = Administrative-User,
                    Cisco-AVPair = "shell:priv-lvl=15"
    DEFAULT         LDAP-Group != "Group_Network_Admin", Auth-Type := Reject


    Enable authentication via LDAP:

    Modify the site file default (/etc/freeradius/sites-enabled/default). Uncomment the line ldap in the authorize { } section, so that the module looks the user up and sets Auth-Type := LDAP when no other password source is found:
    ldap

    Then uncomment the following block in the authenticate { } section, so that the user's password is checked by binding to Active Directory as that user:
            Auth-Type LDAP {
                    ldap
            }

    This bind needs the password in clear text on the server side, which means the switch must send it as PAP (the IOS login authentication does). Only the RADIUS shared secret protects it between the switch and the server.

    Create clients of the radius server

    Modify the file clients.conf (/etc/freeradius/clients.conf), not the users file. Clients are the hosts (NAS) that forward authentication requests to the RADIUS server, for example a Cisco switch; requests from an address that does not match a client block are silently dropped.
    In the example below, I added a complete subnet, so every host in 10.110.22.0/24 is authorized to send requests.
    The shared secret is also defined in this file. Choose a long random value and configure the same secret and the same ports (2050/2051) on each switch in that subnet: the secret is all that hides the PAP password in transit and all that authenticates the server's replies, and a /24 client block means any host in the subnet that learns it can speak to the server.

    client 10.110.22.0/24 {
            secret          = SharedKey
            nastype         = cisco
            shortname       = SWITCH-Branch-London
    }
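    To see what the shared secret and the Cisco-AVPair actually do on the wire, here is a self-contained RADIUS exchange between a "switch" and a "server" (RFC 2865, PAP). This is example code added to this post, not FreeRADIUS or Cisco code; the secret, the NAS address 10.110.22.5, the user table and the group membership are constructed stand-ins for the clients.conf secret, a switch in 10.110.22.0/24, the users file and the AD group. The server applies the two DEFAULT entries in order, signs the reply with the secret, and the switch refuses any reply whose Response Authenticator does not verify.

```python
# Added example, not FreeRADIUS or Cisco code: an Access-Request/Access-Accept exchange
# with a PAP password (RFC 2865).  SHARED_SECRET, NAS_IP, USERS and ADMIN_GROUP are
# constructed stand-ins for the clients.conf secret, a switch, the users file and the AD group.
import hashlib
import hmac
import ipaddress
import os
import struct

SHARED_SECRET = b"SharedKey"
NAS_IP = "10.110.22.5"
USERS = {"netadmin": b"Password", "helpdesk": b"Password"}   # username -> cleartext password
ADMIN_GROUP = {"netadmin"}                                   # members of "Group_Network_Admin"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
ADMINISTRATIVE_USER = 6          # Service-Type value
CISCO, CISCO_AVPAIR = 9, 1       # vendor id and vendor type carrying Cisco-AVPair


def pap_obfuscate(password, secret, authenticator):
    """RFC 2865 5.2: null-pad to 16-byte blocks and XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def pap_reveal(encrypted, secret, authenticator):
    """Inverse of pap_obfuscate; the chaining input is the ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        block = encrypted[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def attr(kind, value):
    return bytes([kind, len(value) + 2]) + value

def cisco_avpair(value):
    # Vendor-Specific: 4-byte vendor id, then vendor type, vendor length, string
    return attr(VENDOR_SPECIFIC, struct.pack(">I", CISCO) + bytes([CISCO_AVPAIR, len(value) + 2]) + value)

def parse_attrs(data):
    attrs = []
    while data:
        kind, length = data[0], data[1]
        attrs.append((kind, data[2:length]))
        data = data[length:]
    return attrs

def build_access_request(username, password, request_auth, secret, ident=1):
    """What the switch sends to the auth port (2050 in this post)."""
    body = (attr(USER_NAME, username.encode())
            + attr(USER_PASSWORD, pap_obfuscate(password, secret, request_auth))
            + attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(NAS_IP).packed))
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def handle_access_request(pkt, secret=SHARED_SECRET):
    """Server side: recover the PAP password, apply the two DEFAULT entries in order, sign the reply."""
    _, ident, length = struct.unpack(">BBH", pkt[:4])
    request_auth = pkt[4:20]
    attrs = dict(parse_attrs(pkt[20:length]))
    username = attrs[USER_NAME].decode(errors="replace")
    password = pap_reveal(attrs[USER_PASSWORD], secret, request_auth)
    stored = USERS.get(username, b"")
    if stored and hmac.compare_digest(stored, password) and username in ADMIN_GROUP:
        code = ACCESS_ACCEPT
        body = attr(SERVICE_TYPE, struct.pack(">I", ADMINISTRATIVE_USER)) + cisco_avpair(b"shell:priv-lvl=15")
    else:
        code, body = ACCESS_REJECT, b""   # bad password, unknown user, or not in the admin group
    header = struct.pack(">BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def read_reply(reply, request_auth, secret):
    """Switch side: check the Response Authenticator before trusting any attribute, then read priv-lvl."""
    code, _, length = struct.unpack(">BBH", reply[:4])
    header, resp_auth, body = reply[:4], reply[4:20], reply[20:length]
    if not hmac.compare_digest(hashlib.md5(header + request_auth + body + secret).digest(), resp_auth):
        raise ValueError("bad Response Authenticator: shared secret mismatch or forged reply")
    priv_lvl = None
    for kind, value in parse_attrs(body):
        if kind == VENDOR_SPECIFIC and struct.unpack(">I", value[:4])[0] == CISCO and value[4] == CISCO_AVPAIR:
            avpair = value[6:4 + value[5]].decode()
            if avpair.startswith("shell:priv-lvl="):
                priv_lvl = int(avpair.split("=", 1)[1])
    return {"code": code, "priv_lvl": priv_lvl}

def login(username, password, switch_secret=SHARED_SECRET):
    """One full exchange; a switch_secret different from SHARED_SECRET models a mistyped key."""
    request_auth = os.urandom(16)
    request = build_access_request(username, password, request_auth, switch_secret)
    return read_reply(handle_access_request(request), request_auth, switch_secret)
```

    login("netadmin", b"Password") returns {'code': 2, 'priv_lvl': 15}, login("helpdesk", b"Password") returns an Access-Reject because the user is not in the admin group, and login("netadmin", b"Password", b"OtherKey") raises, because with a mismatched secret the server decrypts garbage and the switch cannot verify the reply. Note how little protects the password: a 16-byte MD5 keystream derived from the secret, which is why the secret needs to be long and random and why the ldap:// bind to the domain controller should be wrapped in TLS as well.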


    Configure requests to Active Directory

    Modify the file ldap (/etc/freeradius/modules/ldap). Below is an example configuration. identity/password is the account used for the user search: use a dedicated, unprivileged AD account, and since its password is stored in clear text, keep the file readable by the freerad user only. The filter looks the user up by sAMAccountName; %{Stripped-User-Name} is the login with any realm suffix removed, and if it is not set the full User-Name is used instead:
    ldap {
            server = 'ldap://mydomain.com'
            identity = "Username@mydomain.com"
            password = "Password"
            basedn = "DC=mydomain,DC=com"
            filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

            groupname_attribute = cn
            groupmembership_attribute = "memberOf"
            ...
    }
    Uncomment the following lines, which Active Directory needs: a domain controller answers with referrals for other partitions of the forest, and the connection has to be re-bound after following one:
            chase_referrals = yes
            rebind = yes

    With a plain ldap:// server URL, both the search account's password and every user's password (the Auth-Type LDAP bind) cross the network to the domain controller in clear text. Use an ldaps:// URL or enable start_tls in the tls { } section of this module, with the domain CA certificate configured so the server's certificate is verified.
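    The two users file DEFAULT entries and the module settings above fit together as follows. This is an added example, not rlm_ldap code: DIRECTORY is a constructed in-memory stand-in for the Active Directory (the people, DNs and helper functions are made up), and the toy search only understands the one filter shape used in this post. It shows what the filter expands to with and without Stripped-User-Name, why the expanded User-Name has to be escaped (rlm_ldap does this for you; the toy search treats an unescaped * as a wildcard, as a real LDAP server would), and how LDAP-Group == "Group_Network_Admin" is decided from memberOf with cn as the group name.

```python
# Added example, not rlm_ldap code: how the ldap module settings above become a search
# filter and an LDAP-Group check.  DIRECTORY is a constructed in-memory stand-in for the
# Active Directory; the user names, DNs and the helper functions here are assumptions.
import re

BASEDN = "DC=mydomain,DC=com"
GROUPNAME_ATTRIBUTE = "cn"              # groupname_attribute
GROUPMEMBERSHIP_ATTRIBUTE = "memberOf"  # groupmembership_attribute

DIRECTORY = [
    {"dn": "CN=Alice Admin,OU=Users," + BASEDN, "sAMAccountName": "alice",
     "memberOf": ["CN=Group_Network_Admin,OU=Groups," + BASEDN, "CN=Helpdesk,OU=Groups," + BASEDN]},
    {"dn": "CN=Bob Helpdesk,OU=Users," + BASEDN, "sAMAccountName": "bob",
     "memberOf": ["CN=Helpdesk,OU=Groups," + BASEDN]},
]

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """RFC 4515 escaping of a value placed inside a filter.  rlm_ldap escapes the expanded
    User-Name the same way, which is why a login name of '*' cannot match every account."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)

def lookup_name(request):
    """%{%{Stripped-User-Name}:-%{User-Name}}: Stripped-User-Name if set, otherwise User-Name."""
    return request.get("Stripped-User-Name") or request["User-Name"]

def build_filter(request):
    """The 'filter' line from the module configuration after xlat expansion."""
    return "(sAMAccountName=%s)" % escape_filter_value(lookup_name(request))

def search(filter_string, directory=DIRECTORY):
    """Toy directory search for one (attribute=value) filter: an unescaped '*' is a wildcard
    and '\\xx' is a literal character, as an LDAP server reads them.  Matching is
    case-insensitive like sAMAccountName in AD."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_string)
    if not m:
        raise ValueError("unsupported filter: %s" % filter_string)
    attribute, pattern = m.groups()
    regex = ""
    for token in re.findall(r"\\[0-9a-fA-F]{2}|.", pattern):
        if token == "*":
            regex += ".*"
        elif token.startswith("\\"):
            regex += re.escape(chr(int(token[1:], 16)))
        else:
            regex += re.escape(token)
    return [e for e in directory if re.fullmatch(regex, e.get(attribute, ""), re.IGNORECASE)]

def ldap_group_matches(entry, group):
    """LDAP-Group == group: take every DN in memberOf and compare its cn (the
    groupname_attribute) with the requested name.  AD's memberOf holds only direct
    memberships, so a user who is only in a nested group does not pass this check."""
    for dn in entry.get(GROUPMEMBERSHIP_ATTRIBUTE, []):
        rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
        if rdn_attr.lower() == GROUPNAME_ATTRIBUTE and rdn_value.lower() == group.lower():
            return True
    return False

def authorize(request, directory=DIRECTORY):
    """The two DEFAULT entries of the users file, evaluated in order, after the ldap lookup.
    This is only the authorize step; the password bind (Auth-Type LDAP) happens afterwards."""
    hits = search(build_filter(request), directory)
    if len(hits) != 1:
        return "reject", "user not found (or not unique) under " + BASEDN
    if ldap_group_matches(hits[0], "Group_Network_Admin"):
        return "accept", {"Service-Type": "Administrative-User", "Cisco-AVPair": "shell:priv-lvl=15"}
    return "reject", "Auth-Type := Reject (not a member of Group_Network_Admin)"
```

    authorize({"User-Name": "alice"}) returns the accept tuple with the two reply attributes, bob is rejected although he exists in the directory, and a User-Name of "*" is rejected because the escaped filter matches nobody, whereas search("(sAMAccountName=*)") with the raw wildcard returns both entries.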
