Basic freeradius Configuration
Posted by admin on 03 May 2009 at 05:07 pm | Tagged as: Centos 5.x, IT Stuff, authentication, radius
This is a very basic configuration for freeradius to allow authentication from passwd and shadow files. It has been tested on Centos 5.3
(1) The freeradius configuraton files are usually in /etc/raddb; make a subdirectory /etc/raddb/etc
(2) copy your /etc/passwd and /etc/shadow files to /etc/raddb/etc
(3) edit the /etc/raddb/etc/passwd and /etc/raddb/etc/shadow files to remove all entries except for those that you want to authenticate with radius
(4) edit the /etc/raddb/radiusd.conf file; find the section:
unix {
...
and set the values for the passwd and shadow files so they read:
passwd = /etc/raddb/etc/passwd
shadow = /etc/raddb/etc/shadow
(5) save radiusd.conf
(6) make sure the radiusd user can read the files
chmod -R 644 /etc/raddb/etc
(7) check the /etc/raddb/users file to ensure that the following exists:
DEFAULT Auth-Type = System
Fall-Through = 1
(8) Assuming you have entries in the /etc/raddb/etc/passwd and /etc/raddb/etc/shadow for a user ‘jdoe’ with password of ’secret’ you can test your radius configuration by:
(a) start the radius daemon with ‘/etc/init.d/radiusd start’; you should see some output something like:
[root@myserver raddb]# /etc/init.d/radiusd start
Starting RADIUS server: Sun May 3 13:26:37 2009 : Info: Starting - reading configuration files … [ OK ]
(b) execute the command ‘radtest jdoe secret 127.0.0.1 10 testing123′. Assuming it all works you should see output something like:
[root@myserver raddb]# radtest jdoe secret 127.0.0.1 10 testing123
Sending Access-Request of id 65 to 127.0.0.1 port 1812
User-Name = “jdoe”
User-Password = “secret”
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=65, length=20
Note that the radius client password is the cleartext password specified for the client in clients.conf and the nas-port-number parameter can be any value between 0 and 2^31 so 10 is fine.
If you received the Access-Accept message then congratulations, you have radius working, if not then go back and check your configuration and permissions.
(9) You can have the radius daemon start automatically by executing ‘chkconfig radiusd on’
Leave a reply
You must be logged in to post a comment.
