Editing
FreeRADIUS Proxy - Filter Radius Attributes
Jump to navigation
Jump to search
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
== Version == * Requires 2.x (used: freeradius2-2.1.12-5.el5 ) <source> #centos 5.x (must specify freeradius2 otherwise 1.1.x will be installed) yum install freeradius2 freeradius2-utils #centos 6.x (2.x branch is default) yum install freeradius freeradius-utils # ubuntu apt-get install freeradius freeradius-utils </source> == Reason == * To allow an offsite vendor control of radius, but limit their ability to supply bad radius attribuites. * MAIN issue: '''Protect your network''' from disallowing the vendor to supply a misconfigured '''FRAMED-IP-ADDRESS''' and/or '''FRAMED-ROUTE''' that could be injected into OSPF or whatever routing protocol you might use. This is accomplished with the '''rlm_attr_filter''' FreeRADIUS Module http://freeradius.org/radiusd/man/rlm_attr_filter.html <source class=text enclose="div">The rlm_attr_filter module exists for filtering certain attributes and values in received ( or transmitted ) radius packets. It gives the server a flexible framework to filter the attributes we send to or receive from home servers or NASes. This makes sense, for example, in an out-sourced dialup situation to various policy decisions, such as restricting a client to certain ranges of Idle-Timeout or Session-Timeout. </source> == config == * Vendor Name: '''rarforge.com''' (we'll use that for the realm) * Allowed Framed-IP-Address: '''10.0.0.x''' and '''192.168.5.x''' * Allowed Framed-Netmask: '''255.255.255.255''' * Allowed Framed-Route: '''NONE''' * Framed-Filter-ID: '''NONE''' -- login will fail if access-list doesn't exist. * Allow user to login with only 'username' or 'username'@'realm' ===/etc/raddb/clients.conf=== * Update your clients secret - for now we are just testing localhost. <source> client localhost { ... secret = badsecret ... } </source> ===/etc/raddb/radiusd.conf=== * Listen on 21000 for auth * Listen on 21001 for acct <source> ... ### realm rarforge.com listen { ipaddr = * port = 21000 type = auth } listen { ipaddr = * port = 21001 type = acct } ... </source> ===/etc/raddb/attrs=== * This is where we remove/disallow radius attributes from the vendor sent to the client * make sure to keep a close eye on your comments in the config. Remove them if you have parsing errors. The last rule must not end with a comma. <source> ... rarforge.com Service-Type =* ANY, Login-Service =* ANY, Login-TCP-Port =* ANY, Framed-Protocol =* ANY, Framed-Compression =* ANY, Framed-MTU =* ANY, Reply-Message =* ANY, Proxy-State =* ANY, Session-Timeout =* ANY, Port-Limit =* ANY, Idle-Timeout =* ANY, ############ DENY BELOW #################### # ; comments must begin with '#'-- NO SPACE # ; ONLY ALLOW 10.0.0.x and 192.168.5.X Framed-IP-Address =~ "10\.0\.0\.|192\.168\.5\.", # ; /32 ONLY Framed-IP-Netmask == 255.255.255.255, # # ; LAST Framed-Filter-ID !* ANY ... </source> ===/etc/raddb/proxy.conf=== * enable the realm (rarforge.com) to be proxied to the vendors radius auth/acct server <source> ... realm rarforge.com { type = radius authhost = vendor_radius_auth_ip:1645 accthost = vendor_radius_acct_ip:1646 secret = <radius secret> } ... </source> ===/etc/raddb/sites-enabled/default=== * set realm to rarforge.com based on the Destination Port auth/acct port (21000/210001) * This is optional if you require users to be user@realm. In my case, we had users authing with a realm. <source> ... authorize { ## rarforge realm if (Packet-Dst-Port == "21000") { update control { Proxy-To-Realm := "rarforge.com" } } if (Packet-Dst-Port == "21001") { update control { Proxy-To-Realm := "rarforge.com" } } ... </source> === Testing Proxy === <source> radtest username <password> localhost:21000 1 badsecret Sending Access-Request of id 85 to 127.0.0.1 port 21000 User-Name = "username" User-Password = "<password>" NAS-IP-Address = 127.0.0.1 NAS-Port = 1 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 21000, id=85, length=50 Framed-IP-Address = 10.0.0.5 Framed-Netmask = 255.255.255.255 Idle-Timeout = 600 Session-Timeout = 18000 Service-Type = Framed-User Port-Limit = 1 ## SUCCESS! </source> === Troubleshooting === * Verify with radtest you can auth from the server running freeradius to the vendors radius server. It could be firewalled, not in their client list, etc... * try appending your realm to the username username@yourrealmname. Maybe the section in '''/etc/raddb/sites-enabled/default''' is not working. [[Category:Linux]] [[Category:Services]]
Summary:
Please note that all contributions to RARForge may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see
RARForge:Copyrights
for details).
Do not submit copyrighted work without permission!
Cancel
Editing help
(opens in new window)
Navigation menu
Personal tools
Not logged in
Talk
Contributions
Log in
Namespaces
Page
Discussion
English
Views
Read
Edit
View history
More
Search
Navigation
Home
All Pages
All Files
View Categories
Recent changes
Random page
Edit this menu
Tools
What links here
Related changes
Special pages
Page information