AGLARBRI PROJECT AFRICAN GREAT LAKES RURAL BROADBAND RESEARCH INFRASTRUCTURE. RADIUS installation and configuration

Transcription

1 AGLARBRI PROJECT AFRICAN GREAT LAKES RURAL BROADBAND RESEARCH INFRASTRUCTURE RADIUS installation and configuration Project Manager: Miguel Sosa Member Position and number of credits Antonio Fiallos Mobilization manager, Network services team (30 hec) Merabi Kechkhoshvili Media manager, Mobilization team (15 hec) Iskandar Rahmonov Network infrastructure team (15 hec) Miguel Sosa Project manager, Network services team (30 hec) Amy Skinner Webmaster, Network infrastructure team (15 hec) Goce Talaganov Network manager (15 hec) Dragan Cabarkapa Services manager (30 hec) KTH Information and Communication Technology November,

2 Table of Contents TABLE OF CONTENTS INTRODUCTION PURPOSE SCOPE AUDIENCE REQUIREMENTS SYSTEM DESCRIPTION RADIUS-SERVER INSTALLATION AND CONFIGURATION RADIUS-CLIENT CONFIGURATION VERIFYING REFERENCES

3 1. Introduction 1.1. Purpose The aim of this paper is to explain the procedure of RADIUS deployment in relation to our network proposal for the AGLARBRI network [1]. The AGLARBRI network [2] is a continuation of an existing concept that is already implemented, the Serengeti Broadband network [3]. The aim of the network infrastructure team is to compile a set of technical manuals for implementing the final network topology [1]. The purpose is to assist network administrators in Africa regions around Lake Victoria to install and configure a network based on our proposal as well as future CSD AGLARBRI teams. It is always difficult for an administrator to remember different and complicated username/passwords for each server he/she must maintain and for the ordinary users to access the services. The more the servers/services, the more it gets difficult to remember all the passwords. There are many solutions to this problem and one of them is centralizing the access to server/services using Remote Authentication Dial-In User Service (shortly RADIUS). With a RADIUS server, each of the administrators/users will have only one individual (usually difficult to compromise) password that can be used to establish an SSH connection and login into the system. With RADIUS you get convenience with regard to synchronizing/centralizing passwords and precise control over the access to the network nodes Scope This document describes the process of RADIUS installation and configuration based on an open source server named FreeRADIUS Audience This document is intended for the project coaches, AGLARBRI team and those who will do the actual implementation of the project services. 2. Requirements Linux (Ubuntu 10 or higher) 3. System description The RADIUS enabled systems have 3 main components: RADIUS server RADIUS client User The RADIUS server is hosted on one of the virtualized servers to provide a centralized access granting system to all the users connecting to RADIUS clients (AGLARBRI servers). In our implementation all the users are authenticated against the file etc/passwd on RADIUS server. 3

4 Though there are different methods and techniques to hold the user credentials, like MySQL server and LDAP directories, the /etc/passwd file was chosen as the easiest and at the same time secure solution. RADIUS client (also known as NAS Network Access Server) is the AGLARBRI server with which the users establish an SSH connection. Clients do not hold users passwords locally. All the credentials together with the permissions are stored on the RADIUS server. All the incoming authentication/authorization requests are redirected to the RADIUS server, and this process is completely hidden from the users. User is an administrator or any other user who wants to establish an SSH connection towards any of the RADIUS clients. To be granted access, users must be registered in the RADIUS server s database. 4. RADIUS server installation and configuration 1. There are two ways of installing the server: either with apt-get or manual compilation. The first is easier and requires less time, therefore we stick with this type of installation. # apt-get install freeradius 2. Edit the file /etc/freeradius/radius to define the IP address/es the server must listen to receive authentication and authorization messages [4]. listen { ipaddr = port = 0 type = auth listen { ipaddr = port = 0 type = acct listen { ipaddr = port = 0 type = auth listen { ipaddr = port = 0 type = acct *Note: port = 0 means "use /etc/services for the proper port", well-known ports for radius are 1812 and 1813 for authentication and authorization respectively. 3. Disable proxying in the same configuration file: proxy_requests = no 4

5 4. Register RADIUS clients in the file /ect/freeradius/clients.conf client localhost { ipaddr = secret = ******* // specify some passphrase client ns { ipaddr = secret = ******* client noc { ipaddr = secret = ******* client mcu { ipaddr = secret = ******* client sip { ipaddr = secret = ******* client dma { ipaddr = secret = ******* 5. Create a list of the users that will be granted access to the specified servers on AGLARBRI network. Users are added in the file /etc/freeradius/users by defining a username for every user. #List of Aglarbri administrators and guests rahmonov talaganov skinner sosa fallios merabi dragan testuser nagios 5

6 #Disable access for any other users DEFAULT Auth-type := Reject Reply-Message = "Sorry, your account is disabled. Contact your administrator 6. In the previous configuration file we only provided the username for every user, next is to register an account for every user locally on the RADIUS server, providing the same username but with password. All this data will be saved in /etc/passwd (Linux system accounts database) against which the RADIUS will authenticate the users. #adduser testuser 7. To enable authentication against /etc/passwd, uncomment the line with unix in the file /etc/freeradius/site-available/default. unix 8. Restart the server to apply the changes #service freeradius restart 5. RADIUS-client configuration Linux-PAM (Pluggable Authentication Module) is a system of libraries that handle the authentication tasks of applications (services) on the system. With PAM you can always configure the Linux machine to authenticate users setting up SSH connections against RADIUS server. Module libpam-radiusauth allows any PAM-capable machine to become a RADIUS client for authentication and accounting requests. 1. Install the latest libpam-radius-auth package: #apt-get install libpam-radius-auth 2. In the file /etc/pam_radius_auth.conf, add the IP address of the RADIUS server and specify the secret key that will be used to encrypt the messages between the RADIUS server and client (RADIUS server and the client should have the same keys). Comment the line with to so that system doesn t send authentication requests locally but to RADIUS server which in our case is on the address # server[:port] shared_secret timeout (s) # secret ******* 3 3. Configure the PAM module to authenticate users connecting via SSH against RADIUS server instead of local authentication against the file /etc/passwd. To do this, comment out the common-auth in the file /etc/pam.d/sshd, and before that line add the following lines[5]: 6

7 #Authentication against AGLARBRI RADIUS auth sufficient pam_radius_auth.so # Standard Un*x authentication. #@include common-auth 4. To enable session setup and teardown between RADIUS and clients for SSH logins in the same file add the following lines before the common-session : #RADIUS session setup and teardown session sufficient pam_radius_auth.so # Standard Un*x session setup and common-session 5. To authenticate users requesting root privileges against the RADIUS server configure the PAM module in the file /etc/pam.d/sudo to contain the following: #%PAM-1.0 #Authenticate against Aglarbri Radius-server auth sufficient common-account session required pam_permit.so session required pam_limits.so 6. Create the same users locally that already exist in the database of RADIUS server with the same username, but with NO password: #sudo useradd rahmonov #sudo passwd d rahmonov //to delete the password if set by mistake 7. Lastly, give specific privileges (e.g. root, admin, sudo) to desired users if needed: #sudo usermod G root rahmonov 6. Verifying To access any client-server, a user must initiate SSH connection towards the server and provide the credentials given him by the administrator. Every time a user successfully authenticates and logs into the system, the log file with the current date will be created/updated under the folder /var/log/freeradius/radacct/ip_address_of_radius_client/ : Wed Dec 28 18:42: User-Name = "rahmonov" NAS-IP-Address = NAS-Identifier = "sshd" NAS-Port =

8 NAS-Port-Type = Virtual Acct-Status-Type = Start Acct-Session-Id = " " Acct-Authentic = RADIUS Acct-Unique-Session-Id = "5d23cce33ca80a0b" Timestamp = Request-Authenticator = Verified Wed Dec 28 18:59: User-Name = "rahmonov" NAS-IP-Address = NAS-Identifier = "sshd" NAS-Port = NAS-Port-Type = Virtual Acct-Status-Type = Stop Acct-Session-Id = " " Acct-Authentic = RADIUS Acct-Session-Time = 975 Acct-Unique-Session-Id = "5d23cce33ca80a0b" Timestamp = Request-Authenticator = Verified When you face problems getting the system work you can always run the RADIUS server in debug mode and see what messages are passing between the server and the clients. To run the server in debug mode, first stop the running server and start with the following command: #service freeradius stop #freeradius X Once you try connecting with user credentials, you should receive messages similar to this from which you can define the problem, if there is any: Listening on authentication address port 1812 Listening on accounting address port 1813 Listening on authentication address port 1812 Listening on accounting address port 1813 Listening on authentication address port as server inner-tunnel Ready to process requests. rad_recv: Access-Request packet from host port 22162, id=116, length=96 User-Name = "rahmonov" User-Password = "*********" NAS-IP-Address = NAS-Identifier = "sshd" NAS-Port = NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "rta.aglarbri.org" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {... ++[preprocess] returns ok ++[chap] returns noop 8

9 ++[mschap] returns noop ++[digest] returns noop [suffix] No in User-Name = "rahmonov", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated [files] users: Matched entry rahmonov at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group PAP {... [pap] login attempt with password "*******" [pap] Using CRYPT password "$6$1V9cwink$jsLI1NyIIEl/LnfRfHCOCSPXMz5O/dfJ6WvL7GwQLFJs9gz0xVihudfYC6nN88IqrValAI itv9phm6a1j2spj." [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {... ++[exec] returns noop Sending Access-Accept of id 116 to port Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Accounting-Request packet from host port 22162, id=135, length=76 User-Name = "rahmonov" NAS-IP-Address = NAS-Identifier = "sshd" NAS-Port = NAS-Port-Type = Virtual Acct-Status-Type = Start Acct-Session-Id = " " Acct-Authentic = RADIUS # Executing section preacct from file /etc/freeradius/sites-enabled/default +- entering group preacct {... ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 21137,Client-IP-Address = ,NAS-IP-Address = ,Acct-Session-Id = " ",User-Name = "rahmonov"' [acct_unique] Acct-Unique-Session-ID = "7fe84712c6bd9d3c". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "rahmonov", looking up realm NULL [suffix] No such realm "NULL" 9

10 7. References [1] AGLARBRI Conceptual network topology diagram for CSD fall 2011 team [2]Revised AGLARBRI overall network map [3] Current Serengeti Broadband Implementation [4] FreeRADIUS: Documentation and man pages [Online]. Available: [5] PAM with Radius Authentication [Online]. Available: 10