RADIUS - FreeRADIUS

The system is documented around FreeRADIUS 2.0.x and you will need to apply the rlm-ldap_getdn.patch patch to use it with LanWarden. LDAP load-balancing and failover is only available in FreeRADIUS 2.0.x, the LanWarden bits can be added as a separate virtual host independent of any FreeRADIUS infrastructure you are already running, and the configuration relies on 'unlang', so I'm afraid 2.0.x is a dependency.

Configuration Files

There is not really much change to the main 'radius.conf' file other than adding '$INCLUDE' directives to attach the files described below:

proxy.conf

The proxy.conf file is probably the only file you will need to amend if you want to use LanWarden with FreeRADIUS version 1.1.x, only because the syntax has changed.

# One home_server block per JANET eduroam roaming server; the IP addresses are
# paired with the hostnames in the order the page lists them.
home_server eduroam-roaming0.ja.net {
        type                    = auth+acct
        ipaddr                  = 194.82.174.185
        port                    = 1812
        secret                  = <SECRET>

        response_window         = 20
        zombie_period           = 40
        revive_interval         = 120
        status_check            = status-server
        check_interval          = 30
        num_answers_to_alive    = 3
}

home_server eduroam-roaming1.ja.net {
        type                    = auth+acct
        ipaddr                  = 194.83.56.233
        port                    = 1812
        secret                  = <SECRET>

        response_window         = 20
        zombie_period           = 40
        revive_interval         = 120
        status_check            = status-server
        check_interval          = 30
        num_answers_to_alive    = 3
}

home_server eduroam-roaming2.ja.net {
        type                    = auth+acct
        ipaddr                  = 194.83.56.249
        port                    = 1812
        secret                  = <SECRET>

        response_window         = 20
        zombie_period           = 40
        revive_interval         = 120
        status_check            = status-server
        check_interval          = 30
        num_answers_to_alive    = 3
}

# servers are tried in order; a server marked dead is skipped until revived
home_server_pool eduroam {
        type                    = fail-over

        home_server             = eduroam-roaming0.ja.net
        home_server             = eduroam-roaming1.ja.net
        home_server             = eduroam-roaming2.ja.net
}

# no realm, or our own realm: handled locally, not proxied
realm NULL {
}

realm example.com {
}

# anything else is proxied to eduroam with the realm left on the User-Name
realm DEFAULT {
        pool                    = eduroam

        nostrip
}

hints.pre

This file is not really necessary for LanWarden to function but is used to fix non-standard attributes in RADIUS requests before they are processed by the core of FreeRADIUS. We need two 'hints' files because there is no 'Fall-Through' functionality available for the 'hints' file: in the first one ('hints.pre') we sanitise non-standard requests, whilst in the second one ('hints') we check whether MAC based authentication is taking place.

# Old (pre IOS 12.2(44)) Cisco switches use Cisco-NAS-Port
DEFAULT Cisco-NAS-Port =* ANY, NAS-Port-Id !* ANY
        NAS-Port-Id = "%{Cisco-NAS-Port}"

## Cisco WLC 440x requests
DEFAULT NAS-IP-Address == w.x.y.z, Called-Station-Id =~ "^(.+):(.+)$"
        NAS-Port-Type = Wireless-802.11,
        Called-Station-Id := "%{1}",
        NAS-Port-Id = "%{2}"
# the goddamn WLC does not include the SSID in the Accounting packets but it
# does for the Authentication so we do the following to tidy up
DEFAULT NAS-IP-Address == w.x.y.z, Acct-Status-Type =* ANY, Airespace-Wlan-Id == 1
        NAS-Port-Type = Wireless-802.11,
        NAS-Port-Id = "eduroam"
DEFAULT NAS-IP-Address == w.x.y.z, Acct-Status-Type =* ANY, Airespace-Wlan-Id =* ANY
        NAS-Port-Type = Wireless-802.11,
        NAS-Port-Id = "UNKNOWN SSID ID: %{Airespace-Wlan-Id}"

hints

As well as identifying what a MAC authentication is and re-writing the username with a realm, we add a hint so that we do not have to recheck the matching attributes (which would make 'users' look untidy); instead we get to just use 'Hint == dot1x-mac'.

# mac-auth-bypass support (we would like to check 'Calling-Station-Id'), however
# it's uppercase for Cisco whilst the username and password arrive lowercased :(
#
# this works for Cisco IOS; you might find your own kit is different though and
# you will have to re-write this line appropriately.
DEFAULT Proxy-State !* ANY, EAP-Message !* ANY, FreeRADIUS-Proxied-To !* ANY, NAS-Port-Type == Ethernet, Service-Type == Call-Check, User-Name =~ "^[0-9a-f]{12}$", User-Password == "%{User-Name}"
        User-Name := "%{User-Name}@example.com",
        Hint = dot1x-mac

huntgroups

Used simply to identify groups of RADIUS clients in a single statement in the 'users' file; although not shown here, we internally also have entries for our Opengear serial console servers.

# JANET eduroam roaming[012].ja.net
eduroam         Client-IP-Address == 194.82.174.185
eduroam         Client-IP-Address == 194.83.56.233
eduroam         Client-IP-Address == 194.83.56.249

switch          Client-IP-Address =~ "^a\.b\.c\."

users

The guts of choosing what is happening. We are (un)fortunate to have eDirectory with Universal Password enabled, so we have access to the plaintext password. This means we 'Autz' the user rather than 'Auth' them; of course for you this might be different.

# highly recommended to force every login to need a realm unless you know you will *never* proxy requests
DEFAULT Realm == NULL, Auth-Type := Reject

## JANET (eduroam) roaming sanity checking
# reject asking us about non-example.com realms
DEFAULT Proxy-State =* ANY, Realm != example.com, Auth-Type := Reject
        Reply-Message += "you can only proxy to us the 'example.com' realm"
#DEFAULT        Proxy-State =* ANY, Realm == example.com, FreeRADIUS-Proxied-To !* ANY, EAP-Message !* ANY, Auth-Type := Reject
#       Reply-Message += "Sorry We Only Accept Proxied EAP Requests"

# handle eduroam users
DEFAULT Realm != example.com, Post-Auth-Type := LDAP-dot1x-eduroam

# get the user credentials from eDirectory (only needed for edirectory)
# N.B. it's *all* example.com below here so not worth checking for anymore
DEFAULT Autz-Type := LDAP
        Fall-Through = Yes

[insert here your non-LanWarden related RADIUS entries]

# mac-auth-bypass from your average Cisco switch (reset Auth/Autz to not take place)
DEFAULT Hint == dot1x-mac, Auth-Type := Accept, Autz-Type := Local, Post-Auth-Type := LDAP-dot1x-mac

# permit EAP MD5 for *registration* on switches for admins only
DEFAULT Huntgroup-Name == switch, EAP-Type == MD5-Challenge, LDAP-Group == admins, Post-Auth-Type := LDAP-dot1x-mac
DEFAULT Huntgroup-Name == switch, EAP-Type == MD5-Challenge, Auth-Type := Reject

# regular run of the mill 802.1x
# N.B. policy is effectively defined in eap.conf for permitted EAP types
DEFAULT Proxy-State !* ANY, Post-Auth-Type := LDAP-dot1x
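To make the ordering of the 'hints' and 'users' entries above easier to reason about, here is an added Python model (not LanWarden's or FreeRADIUS's own code) of that decision chain: it applies the page's mac-auth-bypass hint and then walks the 'users' entries in page order, honouring first-match and Fall-Through. It assumes requests are plain dicts keyed by attribute name, derives Realm from the part of User-Name after '@', and treats Huntgroup-Name and LDAP-Group as already present, as the huntgroups and ldap modules would have set them.

```python
import re

HOME_REALM = "example.com"                  # the site's own realm, from the page
MAC_RE = re.compile(r"^[0-9a-f]{12}$")      # lowercase MAC, as Cisco IOS sends it

def apply_hints(req):
    """Model of the page's 'hints' MAB entry: every condition must hold before
    the User-Name is given a realm and Hint = dot1x-mac is added."""
    req = dict(req)                         # do not mutate the caller's request
    if ("Proxy-State" not in req and "EAP-Message" not in req
            and "FreeRADIUS-Proxied-To" not in req
            and req.get("NAS-Port-Type") == "Ethernet"
            and req.get("Service-Type") == "Call-Check"
            and MAC_RE.match(req.get("User-Name", ""))
            and req.get("User-Password") == req["User-Name"]):
        req["User-Name"] = req["User-Name"] + "@" + HOME_REALM
        req["Hint"] = "dot1x-mac"
    return req

def realm_of(user_name):
    """Simplification: the realm is whatever follows '@' (None = Realm NULL)."""
    return user_name.split("@", 1)[1] if "@" in user_name else None

def users_decision(req):
    """Walk the page's 'users' entries in order: the first matching entry wins
    unless it sets Fall-Through. Returns the resulting control attributes."""
    realm = realm_of(req.get("User-Name", ""))
    if realm is None:                       # DEFAULT Realm == NULL
        return {"Auth-Type": "Reject"}
    if "Proxy-State" in req and realm != HOME_REALM:
        return {"Auth-Type": "Reject"}      # eduroam may only proxy example.com to us
    if realm != HOME_REALM:                 # visitor from another realm: off to the pool
        return {"Post-Auth-Type": "LDAP-dot1x-eduroam"}
    ctl = {"Autz-Type": "LDAP"}             # Fall-Through = Yes, keep matching
    if req.get("Hint") == "dot1x-mac":      # MAB: skip Auth/Autz, just log it
        ctl.update({"Auth-Type": "Accept", "Autz-Type": "Local",
                    "Post-Auth-Type": "LDAP-dot1x-mac"})
        return ctl
    if (req.get("Huntgroup-Name") == "switch"
            and req.get("EAP-Type") == "MD5-Challenge"):
        if req.get("LDAP-Group") == "admins":
            ctl["Post-Auth-Type"] = "LDAP-dot1x-mac"   # admin registering a port
        else:
            ctl["Auth-Type"] = "Reject"
        return ctl
    if "Proxy-State" not in req:            # ordinary local 802.1X
        ctl["Post-Auth-Type"] = "LDAP-dot1x"
    return ctl
```

Reply-Message items and the commented-out entries are left out of the model, as they do not affect which Auth/Autz/Post-Auth type is chosen.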

sites-enabled/default

This file is rather large and so I have not put it here inline; instead you can browse it separately. It shows how LDAP resilience and load-balancing have been included and where the SQL logging calls are placed.
