Build a RADIUS server on Linux

http://www.ibm.com/developerworks/library/l-radius/

Centralize and secure your remote network logins

Wei Zhang (zhangwd@cn.ibm.com), IT Specialist, IBM, Software Group

Summary:  As a network administrator, you need to keep administrative user information for each network device you need to manage. But network devices usually support only limited functions for user management. Learn how to use an external RADIUS server on Linux™ to authenticate users, particularly against an LDAP server, allowing you to centralize user information stored in the LDAP server and authenticated by the RADIUS server, thereby both reducing administrative overhead on user management and making the remote login process more secure.

Date:  25 May 2005
Level:  Introductory


Data security is as important a component of network security to contemporary systems as systems security is, so protecting your data -- making sure you provide confidentiality, integrity, and availability -- is a paramount concern to administrators.

In this article, I will address the confidentiality aspect of data security: Making sure protected data can only be accessed by authorized people or systems. You'll learn how to set up and configure a Remote Authentication Dial-In User Service server (RADIUS) on a Linux system to perform authentication, authorization, and accounting (AAA) for users.

Introducing the elements

Let's start by talking about the RADIUS protocol, the AAA components and how they work, and the LDAP protocol.

The Remote Authentication Dial-In User Service protocol is defined in the IETF's RFC 2865 (see Resources for a link). It allows a network access server (NAS) to perform authentication, authorization, and accounting for users. RADIUS is a client/server protocol based on UDP. The RADIUS client, the network access server, is typically a router, switch, or wireless access point (access points are specially configured nodes on networks; WAPs are wireless versions). The RADIUS server is usually a daemon process running on a UNIX or Windows 2000 server.

RADIUS and AAA

If the NAS receives user-connection requests, it passes them to the designated RADIUS server which authenticates the user and returns the user's configuration information to the NAS. Then, the NAS accepts or rejects the connection requests.

A full-featured RADIUS server can support a variety of mechanisms to authenticate users in addition to LDAP, including

  • PAP (Password Authentication Protocol, used with PPP in which the password is sent to the client as clear text for comparison);
  • CHAP (Challenge Handshake Authentication Protocol, more secure than PAP, it uses a username and password);
  • the local UNIX/Linux system password database (/etc/passwd);
  • other local databases.

Authentication and authorization are combined together in RADIUS. If the username is found and the password is correct, the RADIUS server returns an Access-Accept response including some parameters (attribute-value pairs) that grants access to the user. These parameters are configured in RADIUS and include service type, protocol type, IP address to assign the user, an access control list (ACL) or a static route to apply on the NAS, as well as other values.

RADIUS accounting features (as defined in RFC 2866; see Resources for a link) allow data to be sent at the start and end of connection sessions, indicating the amount of resources -- such as time, packets, and bytes -- used during the session which might be used for security or billing needs.
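To make the Access-Request / Access-Accept exchange and the role of the shared secret concrete, here is an added, self-contained Python example (not code from the article or from FreeRADIUS). It builds an Access-Request the way a NAS would, hides the User-Password with the MD5 construction from RFC 2865 section 5.2, answers it with a toy server in which a constructed dictionary stands in for the LDAP lookup, and then checks the Response Authenticator on the NAS side, which is the step that stops a forged Access-Accept from being trusted. The user name, password and NAS address are constructed; `mysecret1` is the secret from the article's clients.conf listings.

```python
import hashlib
import hmac
import os
import struct

# Packet codes (RFC 2865 section 3) and the attribute types used below (section 5)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
SERVICE_TYPE_LOGIN = 1                # the "Service-Type = Login" reply item from the article
HEADER = struct.Struct("!BBH16s")     # Code, Identifier, Length, Authenticator

def encode_attrs(attrs):
    """Serialise (type, value-bytes) pairs as Type-Length-Value attributes."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attrs(data):
    attrs = []
    while data:
        alen = data[1] if len(data) > 1 else 0
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:alen]))
        data = data[alen:]
    return attrs

def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 section 5.2): XOR 16-byte chunks with MD5(secret + previous chunk)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out

def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; the chaining value is the hidden chunk, not the plaintext."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")

def build_access_request(ident, secret, username, password, nas_ip, nas_port):
    """NAS side: Access-Request with a fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (NAS_PORT, struct.pack("!I", nas_port)),
    ])
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(body), request_auth) + body

def build_response(code, request, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    prefix = struct.pack("!BBH", code, request[1], HEADER.size + len(body))
    return prefix + hashlib.md5(prefix + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret):
    """NAS side: recompute the Response Authenticator before trusting an Accept or Reject."""
    if len(response) < HEADER.size:
        return False
    code, ident, length, resp_auth = HEADER.unpack_from(response)
    if ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[HEADER.size:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def handle_access_request(request, secret, user_db):
    """Toy server: user_db is a constructed stand-in for the LDAP lookup the article configures."""
    code, ident, length, request_auth = HEADER.unpack_from(request)
    if code != ACCESS_REQUEST or length != len(request):
        return None
    attrs = dict(decode_attrs(request[HEADER.size:length]))
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    if username in user_db and hmac.compare_digest(user_db[username].encode(), password):
        reply = [(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))]
        return build_response(ACCESS_ACCEPT, request, secret, reply)
    return build_response(ACCESS_REJECT, request, secret, [])

def demo():
    secret = b"mysecret1"                    # shared secret from the article's clients.conf
    user_db = {"David": "correct-horse"}     # constructed credentials standing in for LDAP
    req = build_access_request(7, secret, "David", "correct-horse", "192.168.0.1", 1)
    resp = handle_access_request(req, secret, user_db)
    return resp[0], verify_response(resp, req, secret)  # (2, True): Access-Accept, authenticator valid
```

Two things worth noticing: the password is only obfuscated, not encrypted in any modern sense, so the secrecy of the shared secret and of the network path between NAS and server is what protects it; and the Response Authenticator binds each reply to the identifier and Request Authenticator of one specific request, which is why `verify_response` rejects a reply that is replayed against a different request.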

Lightweight Directory Access Protocol

The Lightweight Directory Access Protocol (LDAP) is an open standard that defines a method for accessing and updating information in a X.500-like directory. LDAP can be used to keep user information in a central locale to avoid having to store identical user information on each system; it can also be used to maintain and access the information in a consistent and controlled manner.

LDAP simplifies user administration tasks by managing users in a central directory. In addition to storing user information, defining users in LDAP allows for such optional features as limiting the number of logins. In this article you'll learn how a RADIUS server is configured to authenticate users against LDAP -- since the article focuses on RADIUS, I will not describe the details on the installation and configuration of an LDAP server.

OpenLDAP is an open source implementation of LDAP; you can find detailed information on it at OpenLDAP.org (see Resources for a link).

The scenario

Imagine the following scenario:

  • The user at home can access his company's intranet by dial-up authentication.
  • Wireless-enabled laptops can be connected to a campus network by wireless authentication.
  • Administrators use their workstations to log into network devices via telnet or HTTP via administrative user authentication.

All of these authentication tasks can be handled by a RADIUS server authenticating against a central LDAP server (see Figure 1).


Figure 1. Authentication via RADIUS and LDAP

In this article, I'll focus on implementing the last option as an introduction to the solution. Let's start by installing the RADIUS server.


Installing RADIUS

RADIUS server software can be obtained from several sources. I'll be using FreeRADIUS in this article (see Resources for a link). An alternative is the Cisco Secure Access Control Server (ACS), a centralized user access control framework for managing users across Cisco devices; it runs on UNIX and Windows and also supports the Cisco proprietary protocol TACACS+, which offers more user-management features on TACACS+-enabled devices.

FreeRADIUS is a powerful RADIUS server on Linux from the open source community which can fit in today's distributed and heterogeneous computing environment. FreeRADIUS 1.0.2 supports LDAP, MySQL, PostgreSQL, and Oracle databases and is compatible with such network protocols as EAP and Cisco LEAP. FreeRADIUS is currently being deployed in many large-scale production network systems.

The following steps demonstrate how to install and test FreeRADIUS 1.0.2 on Red Hat Enterprise Linux Advanced Server 3.0:


Listing 1. Installing and testing FreeRADIUS
tar -zxvf freeradius-1.0.2.tar.gz           # extract it with gunzip and tar
./configure
make
make install                                # run this command as root
radiusd                                     # start the RADIUS server, or
radiusd -X                                  # start the RADIUS server in debug mode
radtest test test localhost 0 testing123    # test the RADIUS server

If radtest receives a response, the FreeRADIUS server is working.

I also recommend another free tool, NTRadPing (see Resources for a link), to test authentication and authorization requests from Windows clients. It can display detailed responses, such as the attribute values sent back from the RADIUS server.

Now let's configure FreeRADIUS.


Configuring FreeRADIUS

Configuring the RADIUS server consists of configuring the server, the client, and the user (both for authentication and authorization). There can be different configurations of the RADIUS server for different needs; fortunately most of the configurations are similar.

Configuring the server

FreeRADIUS configuration files are usually stored in the /etc/raddb directory. First we need to modify the radiusd.conf file as shown.


Listing 2. Modifying radiusd.conf
1) Global settings:

log_auth = yes                # log authentication requests to the log file
log_auth_badpass = no         # don't log passwords if the request is rejected
log_auth_goodpass = no        # don't log passwords if the request is accepted

2) LDAP settings:

modules {
   ldap {
      server = "bluepages.ibm.com"           # the hostname or IP address of the LDAP server
      port = 636                             # encrypted communications
      basedn = "ou=bluepages,o=ibm.com"      # define the base Distinguished Name (DN),
                                             # under the Organization (O) "ibm.com",
                                             # in the Organizational Unit (OU) "bluepages"
      filter = "(mail=%u)"                   # specify search criteria
      base_filter = "(objectclass=person)"   # specify base search criteria
   }
}

authenticate {                # enable authentication against LDAP
   Auth-Type LDAP {
      ldap
   }
}

The parameters are set for working with IBM BluePages, an instance of an LDAP service. Parameters may be different for other LDAP servers.

Configuring the client

Clients are configured in /etc/raddb/clients.conf. There are two ways to configure RADIUS clients. You can group the NAS by IP subnet (Listing 3) or you can list the NAS by hostname or IP address (Listing 4). When you follow the second method, shortname and nastype can be defined.


Listing 3. Grouping the NAS by IP subnet
client 192.168.0.0/24 {
   secret      = mysecret1   # the "secret" must be the same as configured on the NAS
   shortname   = mylan       # the "shortname" can be used for logging
   nastype     = cisco       # the "nastype" is used for checkrad and is optional
}


Listing 4. Listing the NAS by hostname or IP address
client 192.168.0.1 {
   secret      = mysecret1
   shortname   = myserver
   nastype     = other
}
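Because the shared secret in clients.conf is the only thing that authenticates a NAS to the server, it is worth checking the file mechanically before going to production. The following Python snippet is an added example, not part of the article or of FreeRADIUS: it parses client blocks in the shape of Listings 3 and 4 and reports clients that have no secret, that still use the `testing123` secret that the radtest step in Listing 1 relies on, or whose secret is shorter than a minimum length (the 16-character threshold is an assumption, not a FreeRADIUS setting). The sample configuration is constructed.

```python
import re

# Constructed sample in the shape of the article's Listings 3 and 4, plus a localhost entry
CLIENTS_CONF = """\
# RADIUS clients (network access servers)
client 192.168.0.0/24 {
   secret      = mysecret1   # must match the key configured on the NAS
   shortname   = mylan
   nastype     = cisco
}
client 192.168.0.1 {
   secret      = mysecret1
   shortname   = myserver
   nastype     = other
}
client localhost {
   secret      = testing123
   shortname   = localhost
}
"""

BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_clients(text):
    """Return {client-name-or-subnet: {key: value}} for every client block."""
    text = re.sub(r"#.*", "", text)          # strip comments before matching
    clients = {}
    for m in BLOCK_RE.finditer(text):
        body = {}
        for line in m.group(2).splitlines():
            if "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                body[key] = value.strip('"')
        clients[m.group(1)] = body
    return clients

def audit_clients(clients, min_secret_len=16):
    """List (client, finding) pairs for secrets that are missing, stock, or short."""
    findings = []
    for name, conf in clients.items():
        secret = conf.get("secret")
        if not secret:
            findings.append((name, "no shared secret configured"))
            continue
        if secret == "testing123":
            findings.append((name, "still uses the stock test secret"))
        if len(secret) < min_secret_len:
            findings.append((name, "secret shorter than %d characters" % min_secret_len))
    return findings
```

Run `audit_clients(parse_clients(open("/etc/raddb/clients.conf").read()))` on a real file; every finding is a client whose requests the server would accept on the strength of a weak or well-known secret.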

Configuring the user for authentication

The file /etc/raddb/user contains authentication and configuration information for each user.


Listing 5. The /etc/raddb/user file
1) Authentication type:

Auth-Type := LDAP       # authenticate against LDAP
Auth-Type := Local, User-Password == "mypasswd"
                        # authenticate against the password set in /etc/raddb/user
Auth-Type := System     # authenticate against the system password file,
                        # /etc/passwd or /etc/shadow

2) Service type:

Service-Type = Login    # for administrative login

Configuring the user for authorization

The following authentication server attribute value (AV) pair should be configured for user authorization. It is returned to the NAS for an administrator login request after authentication is accepted.

For a Cisco router, there are different privilege levels:

  • Level 1 is non-privileged. The prompt is router>, the default level for login.
  • Level 15 is privileged. The prompt is router#, the level after going into enable mode.
  • Levels 2 through 14 are not used in a default configuration.

The following AV pair causes a user logging in from a network access server to have immediate access to EXEC commands:

cisco-avpair = "shell:priv-lvl=15"

The following AV pair does the same for a Cisco wireless access point:

Cisco:Avpair = "aironet:admin-capability=write+snmp+ident+firmware+admin"

Any combination of capabilities can be returned with this attribute, for example:

Cisco:Avpair = "aironet:admin-capability=ident+admin"
Cisco:Avpair = "aironet:admin-capability=admin"

Contact Cisco for more information on these commands.


Configuring the network access server

Next we'll configure the NAS, first for a Cisco router, then for a Cisco WAP.

For the Cisco IOS 12.1 router, we'll enable AAA, then configure authentication, authorization, and accounting.


Listing 6. Enabling AAA
aaa new-model
radius-server host 192.168.0.100
radius-server key mysecret1

AAA is first enabled on the router; then the RADIUS servers that will provide AAA services for the NAS are listed. The encryption key is used to encrypt the data transfer between the NAS and the RADIUS server. It must be identical to the one configured on FreeRADIUS (the "secret" in Listings 3 and 4).


Listing 7. Configuring authentication
aaa authentication login default group radius local
line vty 0 4
login authentication default

In this example, network administrators are authenticated by RADIUS. If no RADIUS server is reachable, the NAS falls back to the password in its local user database.


Listing 8. Configuring authorization
aaa authorization exec default group radius if-authenticated

This allows the user to run an EXEC shell when logging into the NAS.


Listing 9. Configuring accounting
aaa accounting system default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting exec default stop-only group radius
aaa accounting commands 1 default stop-only group radius
aaa accounting commands 15 default wait-start group radius

The router must be specifically configured to send accounting records to the RADIUS server. Use the commands in Listing 9 to record accounting information on NAS system events, network connections, outbound connections, EXEC operations, and commands at levels 1 and 15.

That's it. Now let's look at configuring for a Cisco wireless access point. The following configuration applies to the Cisco 1200 Series AP with Firmware 12.01T1. As shown in the screen shot in Figure 2, you:

  • Input the server name or IP address and shared secret.
  • Select type as "Radius" and check "User Authentication."

Figure 2. Configuring NAS for WAP

Here you can also configure EAP authentication, so that FreeRADIUS can be used to authenticate general users to the wireless LAN.


Accounting: RADIUS at work

Now that all the configurations have been completed, the FreeRADIUS server can start logging all information sent by the NAS, storing it in the /var/log/radius/radius.log file like so:


Listing 10. The /var/log/radius/radius.log file
Thu Mar 3 21:37:32 2005 : Auth: Login OK: [David] (from client
                                mylan port 1 cli 192.168.0.94)
Mon Mar 7 23:39:53 2005 : Auth: Login incorrect: [John] (from
                                client mylan port 1 cli 192.168.0.94)

Detailed accounting information is stored in the /var/log/radius/radacct directory. Listing 11 shows that David logged into router 192.168.0.1 from 192.168.0.94 between 19:40 and 19:51 on March 4, 2005. This level of detail will definitely help administrators investigating security incidents and trying to maintain easily auditable records.


Listing 11. Sample of the RADIUS-supplied accounting details
Fri Mar  4 19:40:12 2005
        NAS-IP-Address = 192.168.0.1
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "David"
        Calling-Station-Id = "192.168.0.94"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = NAS-Prompt-User
        Acct-Session-Id = "00000026"
        Acct-Delay-Time = 0
        Client-IP-Address = 192.168.0.1
        Acct-Unique-Session-Id = "913029a52dacb116"
        Timestamp = 1109936412

Fri Mar  4 19:51:17 2005
        NAS-IP-Address = 192.168.0.1
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "David"
        Calling-Station-Id = "192.168.0.94"
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Service-Type = NAS-Prompt-User
        Acct-Session-Id = "00000026"
        Acct-Terminate-Cause = Idle-Timeout
        Acct-Session-Time = 665
        Acct-Delay-Time = 0
        Client-IP-Address = 192.168.0.1
        Acct-Unique-Session-Id = "913029a52dacb116"
        Timestamp = 1109937077
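The records in Listings 10 and 11 are only useful for incident investigation if something reads them, so here is an added Python example (not code from the article or from FreeRADIUS) that parses both formats: it turns the `Auth:` lines of radius.log into events and counts rejected logins per calling station, and it pairs the Start and Stop detail records of each Acct-Session-Id, reporting who logged in where, from which address, for how long, and whether the reported Acct-Session-Time agrees with the two Timestamps. The sample lines are constructed in the shape of the article's listings (radiusd writes each log entry on a single line; the article wraps them for display), with two extra rejected logins added so the counter has something to find; the threshold of two failures is an assumption for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of Listing 10
RADIUS_LOG = """\
Thu Mar  3 21:37:32 2005 : Auth: Login OK: [David] (from client mylan port 1 cli 192.168.0.94)
Mon Mar  7 23:39:53 2005 : Auth: Login incorrect: [John] (from client mylan port 1 cli 192.168.0.94)
Mon Mar  7 23:40:02 2005 : Auth: Login incorrect: [John] (from client mylan port 1 cli 192.168.0.94)
Mon Mar  7 23:40:15 2005 : Auth: Login incorrect: [admin] (from client mylan port 1 cli 192.168.0.94)
"""

# Constructed sample in the shape of Listing 11 (Start and Stop records of one session)
RADACCT_DETAIL = """\
Fri Mar  4 19:40:12 2005
        NAS-IP-Address = 192.168.0.1
        NAS-Port = 1
        User-Name = "David"
        Calling-Station-Id = "192.168.0.94"
        Acct-Status-Type = Start
        Acct-Session-Id = "00000026"
        Acct-Delay-Time = 0
        Timestamp = 1109936412

Fri Mar  4 19:51:17 2005
        NAS-IP-Address = 192.168.0.1
        NAS-Port = 1
        User-Name = "David"
        Calling-Station-Id = "192.168.0.94"
        Acct-Status-Type = Stop
        Acct-Session-Id = "00000026"
        Acct-Terminate-Cause = Idle-Timeout
        Acct-Session-Time = 665
        Acct-Delay-Time = 0
        Timestamp = 1109937077
"""

AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+) cli (?P<cli>[^)\s]+)\)$")

def parse_auth_log(text):
    """Turn radius.log 'Auth:' lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events

def failed_logins_by_source(events, threshold=2):
    """Calling stations with at least `threshold` rejected logins: a simple password-guessing indicator."""
    counts = Counter(ev["cli"] for ev in events if ev["result"] == "incorrect")
    return {cli: n for cli, n in counts.items() if n >= threshold}

def parse_detail(text):
    """Parse radacct detail records: a timestamp header line followed by indented 'Attr = Value' lines."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            current = None
        elif not line[0].isspace():
            current = {"_timestamp": line.strip()}
            records.append(current)
        elif current is not None:
            key, _, value = line.strip().partition(" = ")
            current[key] = value.strip('"')
    return records

def summarize_sessions(records):
    """Pair Start/Stop records by Acct-Session-Id and cross-check Acct-Session-Time against the Timestamps."""
    by_id = defaultdict(dict)
    for rec in records:
        by_id[rec.get("Acct-Session-Id")][rec.get("Acct-Status-Type")] = rec
    summary = {}
    for sid, parts in by_id.items():
        start, stop = parts.get("Start"), parts.get("Stop")
        if start is None or stop is None:
            summary[sid] = {"user": (start or stop).get("User-Name"), "complete": False}
            continue
        reported = int(stop["Acct-Session-Time"])
        elapsed = int(stop["Timestamp"]) - int(start["Timestamp"])
        slack = int(start.get("Acct-Delay-Time", 0)) + int(stop.get("Acct-Delay-Time", 0))
        summary[sid] = {
            "user": start["User-Name"], "nas": start["NAS-IP-Address"],
            "from": start["Calling-Station-Id"], "seconds": reported,
            "cause": stop.get("Acct-Terminate-Cause"), "complete": True,
            # a gap beyond the accounting delay hints at a lost, delayed or duplicated record
            "consistent": abs(elapsed - reported) <= slack,
        }
    return summary
```

Sessions that never receive a Stop record show up with `complete` set to False, which is the case to look at first when a device reboots or an accounting packet is lost on the way to the server.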


Conclusion

By following the simple steps outlined in this article, you can set up a Remote Authentication Dial-In User Service server that uses an external LDAP server to handle authentication, authorization, and accounting for your network. This article has provided the following to help you accomplish this task:

  • An introduction to the RADIUS and LDAP servers and to the AAA concept.
  • A scenario to put the installation and implementation into context.
  • Instructions on installing and configuring the RADIUS server.
  • Details on configuring the network access server.
  • A sample of the detailed information that RADIUS will provide and manage.

These instructions can make quick work of the task of making sure protected data can only be accessed by authorized entities on your Linux system.


Resources

About the author

Wei Zhang is a network and information security specialist. Over the past six years he has designed and implemented various large-scale network systems covering a broad range of technologies, from SNA, VoIP, IDS, VPN, and firewalls to wireless LAN. He joined IBM as an IT specialist in 2003. Currently, his concentration is information security technology and management. You can reach him at zhangwd@cn.ibm.com.

Posted: 2013.03.23 13:28:57 (*.160.42.88)
Post URL: http://webs.co.kr/index.php?document_srl=18974