FreeRADIUS Proxy - Filter Radius Attributes: Difference between revisions

From RARForge

Latest revision as of 07:02, 23 January 2015

Version

  • Requires 2.x (used: freeradius2-2.1.12-5.el5)

<source>
# centos 5.x (must specify freeradius2 otherwise 1.1.x will be installed)
yum install freeradius2 freeradius2-utils

# centos 6.x (2.x branch is default)
yum install freeradius freeradius-utils

# ubuntu
apt-get install freeradius freeradius-utils
</source>


Reason

  • To allow an offsite vendor control of RADIUS, but limit their ability to supply bad RADIUS attributes.
  • MAIN issue: protect your network by preventing the vendor from supplying a misconfigured FRAMED-IP-ADDRESS and/or FRAMED-ROUTE that could be injected into OSPF or whatever routing protocol you might use.


This is accomplished with the rlm_attr_filter FreeRADIUS Module http://freeradius.org/radiusd/man/rlm_attr_filter.html


<source class=text enclose="div">The rlm_attr_filter module exists for filtering certain attributes and values in received ( or transmitted ) radius packets. It gives the server a flexible framework to filter the attributes we send to or receive from home servers or NASes. This makes sense, for example, in an out-sourced dialup situation to various policy decisions, such as restricting a client to certain ranges of Idle-Timeout or Session-Timeout. </source>



config

  • Vendor Name: rarforge.com (we'll use that for the realm)
  • Allowed Framed-IP-Address: 10.0.0.x and 192.168.5.x
  • Allowed Framed-Netmask: 255.255.255.255
  • Allowed Framed-Route: NONE
  • Framed-Filter-ID: NONE -- login will fail if access-list doesn't exist.
  • Allow user to login with only 'username' or 'username'@'realm'

/etc/raddb/clients.conf

  • Update your client's secret; for now we are just testing on localhost.

<source>
client localhost {
    ...
    secret = badsecret
    ...
}
</source>


/etc/raddb/radiusd.conf

  • Listen on 21000 for auth
  • Listen on 21001 for acct

<source>
...
### realm rarforge.com
listen {
    ipaddr = *
    port = 21000
    type = auth
}
listen {
    ipaddr = *
    port = 21001
    type = acct
}
...
</source>


/etc/raddb/attrs

  • This is where we remove/disallow RADIUS attributes sent by the vendor before they are passed on to the client.
  • Keep a close eye on your comments in this config; remove them if you get parsing errors. The last rule must not end with a comma.

<source>
...
rarforge.com
    Service-Type =* ANY,
    Login-Service =* ANY,
    Login-TCP-Port =* ANY,
    Framed-Protocol =* ANY,
    Framed-Compression =* ANY,
    Framed-MTU =* ANY,
    Reply-Message =* ANY,
    Proxy-State =* ANY,
    Session-Timeout =* ANY,
    Port-Limit =* ANY,
    Idle-Timeout =* ANY,
#################### DENY BELOW ####################
#; comments must begin with '#' -- NO SPACE
#; ONLY ALLOW 10.0.0.x and 192.168.5.X
    Framed-IP-Address =~ "10\.0\.0\.|192\.168\.5\.",
#; /32 ONLY
    Framed-IP-Netmask == 255.255.255.255,
#; LAST
    Framed-Filter-ID !* ANY
...
</source>
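As an added illustration (not from this page or from FreeRADIUS itself), the Python model below applies the attrs rules above to a constructed vendor Access-Accept, using the rlm_attr_filter operator semantics this setup relies on: an attribute with no rule is dropped, "!* ANY" always drops, "==" needs an exact value and "=~" is an unanchored regex search. It goes one step beyond the page by also carrying an anchored variant of the Framed-IP-Address rule, because the unanchored pattern also accepts any address that merely contains "10.0.0." (for example 110.0.0.9); the rule list, operator table and sample reply are all constructed for this example.

```python
import re

# Constructed subset of the page's /etc/raddb/attrs rules for realm rarforge.com.
# Modelled on rlm_attr_filter: an attribute with no rule at all is dropped,
# "=* ANY" keeps any value, "!* ANY" always drops, "==" needs an exact value
# and "=~" is an unanchored regex search (as the module's regex match is).
ATTRS_RULES = [
    ("Service-Type", "=*", "ANY"),
    ("Idle-Timeout", "=*", "ANY"),
    ("Framed-IP-Address", "=~", r"10\.0\.0\.|192\.168\.5\."),
    ("Framed-IP-Netmask", "==", "255.255.255.255"),
    ("Framed-Filter-ID", "!*", "ANY"),
]

# Same rules with the address pattern anchored, so only values that START with
# 10.0.0. or 192.168.5. pass (the page's pattern also matches e.g. 110.0.0.9).
ANCHORED_RULES = [
    (n, op, r"^(10\.0\.0\.|192\.168\.5\.)" if n == "Framed-IP-Address" else w)
    for n, op, w in ATTRS_RULES
]

# One check per attrs operator: (value, rule operand) -> keep?
OPS = {
    "=*": lambda v, w: True,
    "!*": lambda v, w: False,
    "==": lambda v, w: v == w,
    "=~": lambda v, w: re.search(w, v) is not None,
}

def value_allowed(name, value, rules):
    """True only if at least one rule names the attribute and every such rule accepts the value."""
    applicable = [(op, w) for n, op, w in rules if n == name]
    return bool(applicable) and all(OPS[op](value, w) for op, w in applicable)

def filter_reply(reply, rules):
    """Split a reply (list of (attribute, value)) into the pairs forwarded and the pairs stripped."""
    kept = [(n, v) for n, v in reply if value_allowed(n, v, rules)]
    dropped = [(n, v) for n, v in reply if not value_allowed(n, v, rules)]
    return kept, dropped

# Constructed vendor Access-Accept: a route, a filter-id and a non-/32 netmask
# are exactly the things the page wants kept off the network.
VENDOR_REPLY = [
    ("Framed-IP-Address", "10.0.0.5"),
    ("Framed-IP-Netmask", "255.255.255.0"),
    ("Framed-Route", "0.0.0.0/0 10.0.0.5 1"),
    ("Framed-Filter-ID", "vendor-acl"),
    ("Idle-Timeout", "600"),
    ("Service-Type", "Framed-User"),
]
```

Running filter_reply(VENDOR_REPLY, ATTRS_RULES) forwards only Framed-IP-Address, Idle-Timeout and Service-Type; the netmask, route and filter-id are stripped, which is the behaviour the attrs entry is meant to enforce.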


/etc/raddb/proxy.conf

  • Enable the realm (rarforge.com) to be proxied to the vendor's RADIUS auth/acct servers.

<source>
...
realm rarforge.com {
    type     = radius
    authhost = vendor_radius_auth_ip:1645
    accthost = vendor_radius_acct_ip:1646
    secret   = <radius secret>
}
...
</source>


/etc/raddb/sites-enabled/default

  • Set the realm to rarforge.com based on the destination port (auth 21000 / acct 21001).
  • This is optional if you require users to be user@realm. In my case, we had users authing with a realm.

<source>
...
authorize {
    ...
    ## rarforge realm
    if (Packet-Dst-Port == "21000") {
        update control {
            Proxy-To-Realm := "rarforge.com"
        }
    }
    if (Packet-Dst-Port == "21001") {
        update control {
            Proxy-To-Realm := "rarforge.com"
        }
    }
    ...
</source>


Testing Proxy

<source>
radtest username <password> localhost:21000 1 badsecret
Sending Access-Request of id 85 to 127.0.0.1 port 21000
        User-Name = "username"
        User-Password = "<password>"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 21000, id=85, length=50
        Framed-IP-Address = 10.0.0.5
        Framed-Netmask = 255.255.255.255
        Idle-Timeout = 600
        Session-Timeout = 18000
        Service-Type = Framed-User
        Port-Limit = 1
## SUCCESS!
</source>


Troubleshooting

  • Verify with radtest that you can authenticate from the server running FreeRADIUS directly to the vendor's RADIUS server. It could be firewalled, not in their client list, etc.
  • Try appending your realm to the username (username@yourrealmname). Maybe the section in /etc/raddb/sites-enabled/default is not working.