Couple of my last documents followed up on how to setup

• OpenVPN server.
• freeRADIUS server.

Getting Started

Note that through out the document, I will stick to Ubuntu 18.04 OS version.

Step 01 — Required Package Installation

# apt-get update
# apt-get install libgcrypt11-dev build-essential

Step 02 — build radius plugin that helps to communicate from OpenVPN to freeRadius

Downloading and building

# wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz
# tar xvf radiusplugin_v2.1a_beta1.tar.gz

# cd radiusplugin_v2.1a_beta1
# make

Copy the built plugin to appropriate location

# mkdir /etc/openvpn/radius
# cp -r radiusplugin.so /etc/openvpn/radius

Step 03 — Configure built Plugin to work with freeRadius server

# vim /etc/openvpn/radius/radius.cnf

NAS-Identifier=anyName

# The service type which is sent to the RADIUS server
Service-Type=5

# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1

# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5

# The NAS IP address which is sent to the RADIUS server
NAS-IP-Address=172.17.0.56

# Path to the OpenVPN configfile. The plugin searches there for
# client-config-dir PATH   (searches for the path)
# status FILE     		   (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name  (if the option is used or not)

# Path to our OpenVPN configuration file. Each OpenVPN configuration file needs its own radiusplugin configuration file as well
OpenVPNConfig=/etc/openvpn/server.conf


# Support for topology option in OpenVPN 2.1
# If you don't specify anything, option "net30" (default in OpenVPN) is used. 
# You can only use one of the options at the same time.
# If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN option "--server NETWORK NETMASK"  
subnet=255.255.255.0
# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK"
# p2p=10.8.0.1


# Allows the plugin to overwrite the client config in client config file directory,
# default is true
overwriteccfiles=true

# Allows the plugin to use auth control files if OpenVPN (>= 2.1 rc8) provides them.
# default is false
# useauthcontrolfile=false

# Only the accouting functionality is used, if no user name to forwarded to the plugin, the common name of certificate is used
# as user name for radius accounting.
# default is false
# accountingonly=false


# If the accounting is non essential, nonfatalaccounting can be set to true. 
# If set to true all errors during the accounting procedure are ignored, which can be
# - radius accounting can fail
# - FramedRouted (if configured) maybe not configured correctly
# - errors during vendor specific attributes script execution are ignored
# But if set to true the performance is increased because OpenVPN does not block during the accounting procedure.
# default is false
nonfatalaccounting=false

# Path to a script for vendor specific attributes.
# Leave it out if you don't use an own script.
# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl

# Path to the pipe for communication with the vsascript.
# Leave it out if you don't use an own script.
# vsanamedpipe=/tmp/vsapipe

# A radius server definition, there could be more than one.
# The priority of the server depends on the order in this file. The first one has the highest priority.
server
{
	# The UDP port for radius accounting.
	acctport=1813
	# The UDP port for radius authentication.
	authport=1812
	# The name or ip address of the radius server.
	name=172.17.0.55
	# How many times should the plugin send the if there is no response?
	retry=1
	# How long should the plugin wait for a response?
	wait=1
	# The shared secret.
	sharedsecret=mysecret
}

Step 04 — Template OpenVPN server configuration file

# vim /etc/openvpn/server.conf

port 443 
proto tcp 
dev tun 
server 10.11.0.0 255.255.255.0 
ca /etc/openvpn/easy-rsa/keys/ca.crt 
cert /etc/openvpn/easy-rsa/keys/server.crt 
key /etc/openvpn/easy-rsa/keys/server.key 
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf ifconfig-pool-persist ipp.txt persist-key 
persist-tun 
keepalive 10 60 
reneg-sec 0 
comp-lzo 
tun-mtu 1468 
tun-mtu-extra 32 
mssfix 1400 
push "persist-key" 
push "persist-tun" 
push "redirect-gateway def1" 
push "dhcp-option DNS 8.8.8.8" 
push "dhcp-option DNS 8.8.4.4" 
status /etc/openvpn/443.log 
verb 3
client-cert-not-required

Step 05 — Service start up

# systemctl start openvpn@server

Client Work-Station End

Step 06 — Required Package Installation

# apt-get update && apt-get install -y network-manager-openvpn

Step 07 — Launch `nm-connection-editor` & create new VPN profile

# nm-connection-editor

Next, Click (+) sign & Select “OpenVPN” from the drop-down menu

Check my previous post on getting required certificate. Also, once the new VPN profile is saved, start the launch by clicking the configured Profile name. Note that prior to VPN establishment, your credentials are being passed to OpenVPN server which in turn redirect them to freeRadius. However, actual process of credential verification is being performed at mysql database where we setup user details.

“I hope this has been informative”

The post OpenVPN authentication with freeRADIUS appeared first on Linux Windows and android Tutorials.

FreeRADIUS is a yet another service that we can setup on Linux and the protocol by which – the RADIUS – we can take advantage of providing functionalities of authentication, authorization and accounting. It has been developing very long time back and yet its very powerful and modern enough to provide authentication facility to systems & applications, specially in networking.

In this article we focus on its authentication ability and even beyond taking “mysql” database as the source of database to retrieve authentication credentials. However, there are other sources you could integrated as well, such as openLDAP, simple flat file and etc.

Now lets install FreeRadius with mysql Backend

Getting Started.

Note that through out the document, I will stick to Ubuntu 18.04 OS version.

Step 01 — Required Package Installation

# apt-get update
# apt-get install -y freeradius freeradius-mysql freeradius-utils php-common php-gd php-curl php-mysql mysql-server mysql-client

Step 02 — Setting up password for mysql own ROOT user

# mysql_secure_installation

Securing the MySQL server deployment.

Connecting to MySQL using a blank password.

VALIDATE PASSWORD PLUGIN can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD plugin?

Press y|Y for Yes, any other key for No: y

There are three levels of password validation policy:

LOW    Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary                  file

Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 0
Please set the password for root here.

New password: 

Re-enter new password: 

Estimated strength of the password: 50 
Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : y
By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production
environment.

Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
Success.


Normally, root should only be allowed to connect from
'localhost'. This ensures that someone cannot guess at
the root password from the network.

Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y
Success.

By default, MySQL comes with a database named 'test' that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production
environment.


Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
 - Dropping test database...
Success.

 - Removing privileges on test database...
Success.

Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.

Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
Success.

All done! 

Step 03 — Create ‘radius’ database and import required Schema which already available.

# mysql -uroot -p

mysql> uninstall plugin validate_password;
mysql> ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';
mysql> CREATE DATABASE radius;
mysql> exit

# cd /etc/freeradius/3.0/mods-config/sql/main/mysql/

# mysql -uroot -pYourMysqlPass radius < schema.sql
# mysql -uroot -pYourMysqlpass radius < setup.sql

Step 04 — Enable ‘sql’ module to be used with

# cd /etc/freeradius/3.0/mods-enabled
# ln -s ../mods-available/sql sql

Step 05 — Instruct freeRadius to use SQL as the backend store, rather local File

To achieve this, for all the below sections, remove the “file” directive and add the “sql” instead

authorize {
...
}
accounting {
...
}
post-auth {
...
}
session{
...
}

Step 06 — Reflect the correct details in Radius SQL module’s config

# vim /etc/freeradius/3.0/mods-available/sql

driver = "rlm_sql_mysql"
 
dialect = "mysql"
 
 server = "localhost"
 port = 3306
 login = "root"
 password = "password-which-we-setup-in-step2"
 radius_db = "radius"
read_clients = yes

Step 07 — Running freeRADIUS in foreground to check the status..

# freeradius -X

Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 59791
Listening on proxy address :: port 36140
Ready to process requests

The output above is a good indication of a working configuration..

Step 08 — For a testing purpose, add basic authentication details, such as username, password, NAS ip address, etc..

# mysql -uroot -p

mysql> INSERT INTO nas VALUES (NULL , '0.0.0.0/0', 'myNAS', 'other', NULL , 'mysecret', NULL , NULL , 'RADIUS Client');
mysql> INSERT INTO radcheck (username, attribute, op, value) VALUES ('testuser', 'Cleartext-Password', ':=', 'testpassword');
mysql> INSERT INTO radusergroup (username, groupname, priority) VALUES ('testuser', 'testgroup', '1');
mysql> INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('testgroup', 'Service-Type', ':=', 'Framed-User'), ('testgroup', 'Framed-Protocol', ':=', 'PPP'), ('testgroup', 'Framed-Compression', ':=', 'Van-Jacobsen-TCP-IP');

Lets check updated details by going through each mysql tables

mysql> select * from nas;
+----+-----------+-----------+-------+-------+----------+--------+-----------+---------------+
| id | nasname   | shortname | type  | ports | secret   | server | community | description   |
+----+-----------+-----------+-------+-------+----------+--------+-----------+---------------+
|  1 | 0.0.0.0/0 | myNAS     | other |  NULL | mysecret | NULL   | NULL      | RADIUS Client |
+----+-----------+-----------+-------+-------+----------+--------+-----------+---------------+

mysql> select * from radcheck;
+----+----------+--------------------+----+--------------+
| id | username | attribute          | op | value        |
+----+----------+--------------------+----+--------------+
|  1 | testuser | Cleartext-Password | := | testpassword |
+----+----------+---------------+----+-------------------+

mysql> select * from radusergroup;
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| testuser | testgroup |        1 |
+----------+-----------+----------+

mysql> select * from radgroupreply;
+----+-----------+--------------------+----+---------------------+
| id | groupname | attribute          | op | value               |
+----+-----------+--------------------+----+---------------------+
|  1 | testgroup | Service-Type       | := | Framed-User         |
|  2 | testgroup | Framed-Protocol    | := | PPP                 |
|  3 | testgroup | Framed-Compression | := | Van-Jacobsen-TCP-IP |
+----+-----------+--------------------+----+---------------------+

Step 09 — Ok. Finally lets verify the configured user using a “radclient” command

# echo "User-Name=testuser,User-Password=testpassword" | radclient 127.0.0.1:1812 auth mysecret

Sent Access-Request Id 65 from 0.0.0.0:43879 to 172.17.0.55:1812 length 48
Received Access-Accept Id 65 from 172.17.0.55:1812 to 0.0.0.0:0 length 38

Congradulations.! you have now working RADIUS service.

In order to run the service in background

# systemctl start freeradius
# systemctl enable freeradius

“I hope this has been informative”

The post FreeRadius with mysql Backend appeared first on Linux Windows and android Tutorials.