Installation & Configuration

Install Radius Server

The linuxmuster.net package sources contain the package linuxmuster-freeradius. Install the package (as root) with

# apt-get install linuxmuster-freeradius

Configure Firewall

Now the firewall must be configured so that the requests actually reach the server (UDP, port 1812). To do this, edit the file /etc/linuxmuster/allowed_ports and add the port to the “udp” line.

...
udp domain, ... , 1812

In order for the changes to be effective on the firewall (IPFire), please enter the following command:

# service linuxmuster-base restart

If you use a firewall other than the recommended firewall solution (IPFire), you must set up the appropriate firewall rule yourself!

Test the Radius Server

The radtest program is installed with the freeradius-utils package:

# apt-get install freeradius-utils

In the file /etc/freeradius/users, remove the comment mark (#) from the following line.

steve  Cleartext-Password := "testing"

Next, check if localhost is entered in the file /etc/freeradius/clients. This entry can be removed after the test.

client localhost {
   ipaddr = 127.0.0.1
   secret = testing123
}

Now, after restarting the Radius server, you can test the authentication for this user.

# service freeradius restart
# radtest steve testing 127.0.0.1:1812 10 testing123

The output should be as follows:

# radtest steve testing 127.0.0.1:1812 10 testing123
Sending Access-Request of id 34 to 127.0.0.1 port 1812
        User-Name = "steve"
        User-Password = "testing"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=34, length=20

If you get similar output, access to the LDAP directory can now be set up so that users can log in with their linuxmuster.net username and password. To do so, the client (access point, captive portal server, wireless controller) must be entered in the file /etc/freeradius/clients. Adjust the client name, the IP address and the password (the secret) accordingly.

client captivePortal {
   ipaddr = 10.16.1.254
   secret = geheim
}
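
To check that the values from the test setup above are no longer active, this added example (not part of the original page or of the linuxmuster.net package) scans a configuration directory for an uncommented steve test user and for the sample secrets testing123 and geheim. The function name audit_radius_dir and the demo files are constructed for illustration; the file names users and clients are the ones used on this page.

```shell
#!/bin/sh
# Added example: report this page's test values if they are still active.
# Usage: audit_radius_dir /etc/freeradius   (paths as used on this page)
audit_radius_dir() {
    dir=$1
    if [ ! -r "$dir/users" ] || [ ! -r "$dir/clients" ]; then
        echo "cannot read $dir/users or $dir/clients" >&2
        return 2
    fi
    # The test account counts only when its line is uncommented.
    if grep -Eq '^[[:space:]]*steve[[:space:]]+Cleartext-Password' "$dir/users"; then
        echo "users: test user steve is active"
    fi
    # Walk the client blocks and flag the sample secrets shown on this page.
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*client[ \t]/ { name = $2 }
        /^[ \t]*secret[ \t]*=/ {
            s = $0
            sub(/^[^=]*=[ \t]*/, "", s)
            sub(/[ \t]+$/, "", s)
            gsub(/"/, "", s)
            if (s == "testing123" || s == "geheim")
                printf "clients: client %s uses sample secret %s\n", name, s
        }
    ' "$dir/clients"
}

# Constructed sample files for the demo run (not a real configuration).
demo_dir=$(mktemp -d)
printf 'steve  Cleartext-Password := "testing"\n' > "$demo_dir/users"
cat > "$demo_dir/clients" <<'EOF'
client localhost {
   ipaddr = 127.0.0.1
   secret = testing123
}
client captivePortal {
   ipaddr = 10.16.1.254
   secret = constructed-long-random-value
}
EOF
audit_radius_dir "$demo_dir"
rm -rf "$demo_dir"
```

An empty result means none of the sample values remain; each printed line names the file and the entry to change.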

Configure Radius Server

For authentication with a Radius server, there are different protocols that determine how the transfer and authentication process works. These are specified in the file /etc/freeradius/eap.conf. Check the following settings and, if necessary, remove the comment marks.

eap {
   ...
   default_eap_type = peap
   ...
}

...
peap {
   ...
   default_eap_type = mschapv2
   ...
}

MD5 is not suitable, because the passwords are not stored as MD5 in LDAP!

Also, check the auto_header parameter in the file /etc/freeradius/radiusd.conf.

pap {
   auto_header = yes
}