FreeRADIUS – a step toward a more secure network

Introduction

FreeRADIUS is a general purpose RADIUS daemon.  RADIUS lets administrators centralize user accounts (among many other features).  This is quite handy when you have many devices to administer.  Imagine updating a couple hundred switches and routers because an administrator needs to change their password.  With RADIUS, you update one central location rather than each and every node.  When it is time to log in, the device you are connecting to checks your credentials against the central RADIUS server to determine whether or not access should be granted.

Installation

tpb@$ sudo apt-get install freeradius

That’s it (for Ubuntu, anyway).  What next?  Read the docs: http://freeradius.org/doc/

My focus here isn’t a step-by-step setup guide for FreeRADIUS.  My focus is bridging the gap between FreeRADIUS and the Cisco realm.  That said, here’s what I came across:

  • In Ubuntu the daemon isn’t called “radiusd”, instead it’s “freeradius” (lives in /usr/sbin/).
  • Config files are in /etc/freeradius/
  • To restart the daemon (after, say, editing the ‘users’ file) run: “/etc/init.d/freeradius restart”

Wait, this is on a Linux server, so why not just use the server's own system user database (the local Unix accounts) for authentication?  Good idea:

root@xbmcsrv:/etc/freeradius# head users
DEFAULT   Auth-Type = System
...

Great – we have users set up.  What next?  Well, I seem to recall needing to configure a shared secret between the hosts.  Yep, back to the docs: http://wiki.freeradius.org/Basic-configuration-HOWTO.  Here’s the good news: it’s just one file, /etc/freeradius/clients.conf, and the syntax is pretty easy.  Here’s what I added:

client router1 {
        ipaddr = 192.168.1.109
        secret = ThisIsASecret001
}

On the Cisco side, I had to do a little more work. Did I read documentation? Of course I did! http://wiki.freeradius.org/Cisco

aaa new-model
!
aaa authentication login default group radius local
! the key must match the "secret" for this client in /etc/freeradius/clients.conf
radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key ThisIsASecret001

This is a VERY basic configuration.  You can get into groups, privileges, heck you can even have the enable password looked up against RADIUS.