Ebook details

FreeRADIUS Beginner's Guide. Master authentication, authorization, and accessing your network resources using FreeRADIUS

Dirk van der Walt

Ebook
The Open Source pioneers have proved over the past few decades that their code and projects can indeed be more solid and more popular than commercial alternatives. With data networks always expanding in size and complexity, FreeRADIUS is at the forefront of controlling access to networks and tracking their usage. Although many vendors have tried to produce better products, FreeRADIUS has proved over time why it is the champion RADIUS server. This book will reveal everything you need to know to get started with FreeRADIUS.

FreeRADIUS has always been a back-room boy. It is not easy to measure the size or number of deployments worldwide, but all indications are that it outnumbers any commercial alternative available. This essential server is part of ISPs, universities, and many corporate networks, helping to control access and measure usage. It is a solid, flexible, and powerful piece of software, but it can be a mystery to a newcomer.

FreeRADIUS Beginner's Guide is a friend to newcomers to RADIUS and FreeRADIUS. It covers the most popular Linux distributions of today, CentOS, SUSE, and Ubuntu, and discusses all the important aspects of a FreeRADIUS deployment: installing, configuring, and testing; security concerns and limitations; and LDAP and Active Directory integration.

It contains plenty of practical exercises that take you from installation to more advanced configurations such as LDAP and Active Directory integration, and it will help you understand authentication, authorization, and accounting in FreeRADIUS. Step-by-step examples, discussed in detail, lead you to a thorough understanding of the FreeRADIUS server as well as the RADIUS protocol, and a quiz at the end of each chapter validates your understanding.

FreeRADIUS can not only monitor and limit the network usage of individual users; large deployments are possible with realms and fail-over functionality. FreeRADIUS can work alone or be part of a chain in which the server acts as a proxy for other institutions' users, forwarding their requests to their home servers. FreeRADIUS features one of the most versatile and comprehensive Extensible Authentication Protocol (EAP) implementations, and EAP is an essential requirement for enterprise WiFi security. FreeRADIUS Beginner's Guide covers all of these aspects.
  • FreeRADIUS
    • Table of Contents
    • FreeRADIUS
    • Credits
    • About the Author
    • About the Reviewers
    • www.PacktPub.com
      • Support files, eBooks, discount offers, and more
        • Why Subscribe?
        • Free Access for Packt account holders
    • Preface
      • What this book covers
      • What you need for this book
      • Who this book is for
      • Conventions
      • Time for action: heading
        • What just happened?
        • Pop quiz: heading
        • Have a go hero: heading
      • Reader feedback
      • Customer support
        • Errata
        • Piracy
        • Questions
    • 1. Introduction to AAA and RADIUS
      • Authentication, Authorization, and Accounting
        • Authentication
        • Authorization
        • Accounting
      • RADIUS
        • RADIUS protocol (RFC 2865)
          • The data packet
            • Code
            • Identifier
            • Length
            • Authenticator
            • Attributes
            • Conclusion
          • AVPs
            • Type
            • Length
            • Value
          • Vendor-Specific Attributes (VSAs)
          • Proxying and realms
          • RADIUS server
          • RADIUS client
        • RADIUS accounting (RFC 2866)
          • Operation
          • Packet format
          • Acct-Status-Type (Type 40)
          • Acct-Input-Octets (Type 42)
          • Acct-Output-Octets (Type 43)
          • Acct-Session-Id (Type 44)
          • Acct-Session-Time (Type 46)
          • Acct-Terminate-Cause (Type 49)
          • Conclusion
        • RADIUS extensions
          • Dynamic Authorization extension (RFC 5176)
            • Disconnect-Message (DM)
            • Change-of-Authorization Message (CoA)
          • RADIUS support for EAP (RFC 3579)
      • FreeRADIUS
        • History
        • Strengths
        • Weaknesses
        • The competition
      • Summary
        • Pop quiz: RADIUS knowledge
    • 2. Installation
      • Before you start
      • Pre-built binary
      • Time for action: installing FreeRADIUS
        • What just happened?
        • Advantages
        • Extra packages
        • Available packages
          • CentOS
          • SUSE
          • Ubuntu
        • Special considerations
        • Remember the firewall
          • CentOS
          • SUSE
        • Have a go hero: installing from source
      • Building from source
        • Advantages of building packages
        • CentOS
      • Time for action: building CentOS RPMs
        • What just happened?
          • Installing rpm-build
          • The source RPM package
          • The package name
          • Updating an existing installation
        • SUSE
      • Time for action: SUSE, from tarball to RPMs
        • Adding an OpenSUSE repository
        • What just happened?
          • zypper or yast -i
          • Tweaks done by hand
      • Ubuntu
      • Time for action: Ubuntu, from tarball to debs
        • What just happened?
          • Installing dpkg-dev
          • Using build-dep
          • fakeroot
          • dpkg-buildpackage
          • Installing the debs
        • For those preferring the old school
      • Installed executables
      • Running as root or not
      • Dictionary access for client programs
      • Ensure proper start-up
      • Summary
        • Pop quiz: installation
    • 3. Getting Started with FreeRADIUS
      • A simple setup
      • Time for action: configuring FreeRADIUS
        • What just happened?
        • Configuring FreeRADIUS
        • Clients
          • Sections
          • Client identification
          • Shared secret
          • Message-Authenticator
          • Nastype
          • Common errors
        • Users
          • Files module
          • PAP module
          • Users file
            • Check items
            • Reply items
            • Operators
            • Substitution
            • DEFAULT user
            • Login-Time
            • Simultaneous-Use
            • Framed-IP-Address
        • Radtest
      • Helping yourself
        • Installed documentation
          • Man pages
      • Time for action: discovering available man pages for FreeRADIUS
        • dpkg systems
        • rpm systems
        • radtest revisited
        • Radclient
        • What just happened?
      • Have a go hero: adding more AVPs to the auth request
        • Configuration file comments
      • Pop quiz: clients.conf
      • Online documentation
      • Online help
      • Golden rules
      • Inside radiusd
        • Configuration files
        • Important includes
        • Libraries and dictionaries
        • FreeRADIUS-specific AVPs
        • Running as ...
        • Listen section
        • Log files
          • radiusd
          • Who was logged in and when?
          • Who is logged in right now?
      • Summary
    • 4. Authentication
      • Authentication protocols
        • PAP
        • CHAP
        • MS-CHAP
      • FreeRADIUS: authorize before authenticate
      • Time for action: authenticating a user with FreeRADIUS
        • What just happened?
        • Access-Request arrives
        • Authorization
          • Authorize set Auth-Type
          • Authorization in action
        • Authentication
        • Post-Auth
        • Finish
        • Conclusion
        • Have a go hero: using other authentication protocols
      • Storing passwords
        • Hash formats
      • Time for action: hashing our password
        • Crypt-Password
        • MD5-Password
        • SMD5-Password
        • SHA-Password
        • SSHA-Password
        • NT-Password or LM-Password
        • What just happened?
        • Hash formats and authentication protocols
      • Other authentication methods
        • One-time passwords
        • Certificates
      • Summary
        • Pop quiz: authentication
    • 5. Sources of Usernames and Passwords
      • User stores
      • System users
      • Time for action: incorporating Linux system users in FreeRADIUS
        • Preparing rights
          • SUSE is different
          • CentOS
          • Activating system users
        • What just happened?
        • Authorize using the unix module
        • Authenticating using pap
        • Tips for including system users
      • MySQL as a user store
      • Time for action: incorporating a MySQL database in FreeRADIUS
        • Installing MySQL
        • Installing FreeRADIUS's MySQL package
        • Preparing the database
        • Configuring FreeRADIUS
          • Connection information
          • Including the SQL configuration
          • Virtual server
        • Testing the MySQL user store
        • What just happened?
        • Advantages of SQL over flat files
        • Other uses for the SQL database
        • Duplicate users
        • The database schema
          • Groups
        • Have a go hero: exploring group usage
          • Using SQL Groups
          • Controlling the use of groups
          • Profiles
      • LDAP as a user store
      • Time for action: connecting FreeRADIUS to LDAP
        • Installing slapd
        • Configuring slapd
          • CentOS
          • SUSE
          • Ubuntu
        • Adding the radiusProfile schema
        • Populating the LDAP directory
        • Installing FreeRADIUS's LDAP package
        • Configuring the ldap module
        • Testing the LDAP user store
        • What just happened?
        • Binding as a user
        • Advanced use of LDAP
        • Have a go hero: exploring advanced use of LDAP
          • Ldap-Group and User-Profile AVP
          • Reading passwords from LDAP
      • Active Directory as a user store
      • Time for action: connecting FreeRADIUS to Active Directory
        • Installing Samba
        • Configuring Samba
        • Joining the domain
          • CentOS
          • SUSE
          • Ubuntu
        • FreeRADIUS and ntlm_auth
          • PAP Authentication
          • MS-CHAP Authentication
      • Summary
        • Linux system users
        • SQL database
        • LDAP directory
        • Active Directory
        • Pop quiz: user stores
    • 6. Accounting
      • Requirements for this chapter
      • Basic accounting
      • Time for action: simulating accounting from a NAS
        • Files for simulation
        • Starting a session
        • Ending a session
        • Orphan sessions
        • What just happened?
        • Independence of accounting
        • NAS: important AVPs
          • Acct-Status-Type
          • Acct-Session-Id
          • AVPs indicating usage
        • NAS: included AVPs
        • FreeRADIUS: pre-accounting section
          • Realms
          • Setting Acct-Type
        • FreeRADIUS: accounting section
        • Minimising orphan sessions
        • radwho
        • radzap
      • Limiting a user's simultaneous sessions
      • Time for action: limiting a user's simultaneous sessions
        • What just happened?
        • Session section
        • Problems with orphan sessions
        • checkrad
      • Limiting the usage of a user
        • 30 minutes per day in total
        • How FreeRADIUS can help
      • Time for action: limiting a user's usage
        • Activating a daily counter
        • Terminating the session at a specified time
        • What just happened?
        • rlm_counter
        • Have a go hero: using a single database for various counters
        • Using rlm_sqlcounter
        • Resetting the counter
        • SQL module instance
        • Special variables inside the query
        • Empty account records
        • Counters that reset daily
        • Counting octets
      • Housekeeping of accounting data
        • Web-based tools
      • Summary
        • Pop quiz: accounting
    • 7. Authorization
      • Implementing restrictions
      • Authorization in FreeRADIUS
      • Introduction to unlang
        • Using conditional statements
      • Time for action: using the if statement in unlang
        • Obtaining a return code using the if statement
          • Authorizing a user using the if statement
          • What just happened?
            • Module return codes
            • Keywords in unlang
          • Have a go hero: other tests using conditional statements
          • Checking if an attribute exists
          • Using logical expressions to authenticate a user
        • Attributes and variables
          • Attribute lists
      • Time for action: referencing attributes
        • Attributes in the if statement
          • What just happened?
            • Referencing attributes in a condition
            • Comparison operators
            • Attribute manipulation
          • Variables
      • Time for action: SQL statements as variables
        • What just happened?
      • Time for action: setting default values for variables
        • What just happened?
      • Time for action: using command substitution
        • What just happened?
      • Time for action: using regular expressions
        • What just happened?
      • Practical unlang
        • Limiting data usage
      • Time for action: using unlang to create a data counter
        • Defining custom attributes
          • 32-bit limitation
        • Using the perl module
          • reset_time.pl
          • check_usage.pl
          • Installing the perl module on CentOS
        • Updating the dictionary files
          • The recommended way of updating dictionaries
        • Preparing the users file
        • Preparing the SQL database
        • Adding unlang code to the virtual server
        • The SUSE and Ubuntu bug
          • Pre-loading Perl library
        • Testing the data counter
        • Clean-up
      • Summary
        • Pop quiz: authorization
    • 8. Virtual Servers
      • Why use virtual servers?
      • Defining and enabling virtual servers
      • Time for action: creating two virtual servers
        • What just happened?
        • Available sub-sections
        • Enabling and disabling virtual servers
      • Using enabled virtual servers
      • Time for action: using a virtual server
        • What just happened?
        • Including a virtual server
        • Handling Post-Auth-Type correctly
          • Taking care of Type attributes
      • Virtual server for happy hour
      • Time for action: incorporating the Hotspot Happy Hour policy
        • Enabling the Happy Hour virtual server
        • Adding the virtual server to a client
        • What just happened?
        • Defining clients in SQL
      • Consolidating an existing setup using a virtual server
      • Time for action: creating a virtual server for the Computer Science faculty
        • Consolidation implementation
        • A named files section
        • A virtual server for the Computer Science faculty
        • Incorporating the new virtual server
        • What just happened?
        • What about users stored in SQL?
        • When IP addresses and ports clash
        • Local listen and client sections
          • IPv6
          • Listen section type directive
      • Pre-defined virtual servers
      • Summary
        • Pop quiz: virtual servers
    • 9. Modules
      • Installed, available, and missing modules
      • Time for action: discovering available modules
        • Locating installed modules
        • What just happened?
          • Naming convention
          • Adding alternative paths
        • Available modules
        • Missing modules
      • Including and configuring a module
      • Time for action: incorporating the expiration and linelog modules
        • What just happened?
        • Configuring a module
          • Using modules
        • Sections that can contain modules
      • Using one module with different configurations
        • Have a go hero: creating multiple instances of a module
        • What just happened?
      • Order of modules and return codes
      • Time for action: investigating the order of modules
        • Access-Request
        • Return codes
      • Some interesting modules
      • Summary
        • Pop quiz: modules
    • 10. EAP
      • EAP basics
        • EAP components
          • Authenticator
          • Supplicant
          • Backend authentication server
        • EAP conversation
          • EAPOL-Start
          • EAPOL-Packet
      • Practical EAP
      • Time for action: testing EAP on FreeRADIUS with JRadius Simulator
        • Preparing FreeRADIUS
        • Configuring JRadius Simulator
        • What just happened?
        • Configuring the eap module
          • The user store
          • EAP on the client
      • EAP in production
        • Public Key Infrastructure in brief
        • Creating a PKI
      • Time for action: creating a RADIUS PKI for your organization
        • What just happened?
          • Why use a PKI?
          • Adding a CA to the client
        • Configuring the inner-tunnel virtual server
      • Time for action: testing authentication on the inner-tunnel virtual server
        • What just happened?
        • The difference between inner and outer identities
        • Have a go hero: using JRadius Simulator to test with two identities
        • What just happened?
          • Naming conventions for the outer identity
        • Disabling unused EAP methods
      • Time for action: disabling unused EAP methods
        • What just happened?
          • Message-Authenticator
      • Summary
        • Pop quiz: EAP
    • 11. Dictionaries
      • Why do we need dictionaries?
        • Parsing requests
        • Generating responses
      • How to include dictionaries
      • Time for action: including new dictionaries
        • What just happened?
      • How FreeRADIUS includes dictionary files
        • Including your own dictionary files
          • Including dictionary files already installed
          • Adding private attributes
          • Updating an existing dictionary
      • Time for action: updating the MikroTik dictionary
        • What just happened?
          • Finding the latest supported attributes
          • Location of updated dictionary files
          • Order of inclusions
          • Attribute names
          • Upgrading FreeRADIUS
      • Format of dictionary files
        • Notes inside the comments
        • Vendor definitions
        • Attributes and values
          • Name field
          • Number field
          • Type field
          • Optional vendor field
          • Value definitions
        • Accessing dictionary files
      • Summary
        • Pop quiz: dictionaries
    • 12. Roaming and Proxying
      • Roaming: an overview
        • Agreement between an ISP and a Telco
        • Agreement between two organizations
      • Realms
      • Time for action: investigating the default realms in FreeRADIUS
        • What just happened?
          • Suffix module
          • NULL realm
          • Enabling an instance of the realm module
        • Defining the NULL realm
      • Time for action: activating the NULL realm
        • What just happened?
          • Stripped-User-Name and realm
          • LOCAL realm
          • Actions for a realm
        • Defining a proper realm
      • Time for action: defining the realm
        • What just happened?
        • Rejecting usernames without a realm
      • Time for action: rejecting requests without a realm
        • What just happened?
        • DEFAULT realm
        • In closing
      • Proxying
      • Time for action: configuring proxying between two organizations
        • What just happened?
        • Proxying authentication requests
          • home_server
          • home_server_pool
        • Flow chart of an authentication proxy request
          • Suffix setting control: Proxy-To-Realm
          • Pre-proxy section
          • Post-proxy section
        • EAP and dynamic VLANs
      • Have a go hero: testing proxying of EAP authentication
        • Removing and replacing reply attributes
      • Time for action: filtering reply attributes returned by a home server
        • What just happened?
          • Status of the home servers
      • Time for action: using the preferred way for status checking
        • Proxying accounting requests
      • Time for action: simulating proxied accounting
        • What just happened?
          • Flow of an accounting proxy request
          • Updating accounting records after a server outage
        • Have a go hero: implementing robust-proxy-accounting functionality
      • Summary
        • Pop quiz: roaming and proxying
    • 13. Troubleshooting
      • Basic principles
      • FreeRADIUS does not start up
        • Who's using my port?
          • Checking the configuration
        • Finding a missing module or library
        • Fixing a broken external component
          • FreeRADIUS refuses to start
          • FreeRADIUS runs despite the display of an error message
          • FreeRADIUS only reports a problem when answering a request
        • Using the startup script
      • FreeRADIUS is slow
      • Time for action: performing baseline speed testing
        • What just happened?
        • Tuning the performance of FreeRADIUS
          • Main server
          • LDAP Module
          • SQL Module
        • Redundancy and load-balancing
        • Things beyond our control
      • FreeRADIUS dies
      • Client-related problems
        • Testing UDP connectivity to a RADIUS server
        • The control-socket virtual server
      • Time for action: using the control-socket and raddebug for troubleshooting
        • CentOS
        • SUSE
        • Ubuntu
        • Using raddebug
        • What just happened?
          • Remember the log output
          • Spotting a mismatched shared secret
          • Options for raddebug
          • Raddebug auto termination
          • If there's no output from raddebug
      • Authenticating users
        • Editing the users file
        • Using raddebug
        • When passwords change
          • Password length
        • EAP problems
          • The CA certificate
          • Identify where a problem is located
      • Problems with proxying
      • Online resources
      • Using the mailing list
      • Summary
        • Pop quiz: troubleshooting
    • A. Pop Quiz Answers
      • Chapter 1
        • Pop quiz: RADIUS knowledge
      • Chapter 2
        • Pop quiz: installation
      • Chapter 3
        • Pop quiz: clients.conf
      • Chapter 4
        • Pop quiz: authentication
      • Chapter 5
        • Pop quiz: user stores
      • Chapter 6
        • Pop quiz: accounting
      • Chapter 7
        • Pop quiz: authorization
      • Chapter 8
        • Pop quiz: virtual servers
      • Chapter 9
        • Pop quiz: modules
      • Chapter 10
        • Pop quiz: EAP
      • Chapter 11
        • Pop quiz: dictionaries
      • Chapter 12
        • Pop quiz: roaming and proxying
      • Chapter 13
        • Pop quiz: troubleshooting
    • Index
  • Title: FreeRADIUS Beginner's Guide. Master authentication, authorization, and accessing your network resources using FreeRADIUS
  • Author: Dirk van der Walt
  • Original title: FreeRADIUS Beginner's Guide. Master authentication, authorization, and accessing your network resources using FreeRADIUS
  • ISBN: 9781849514095
  • Publication date: 2011-09-08
  • Format: Ebook
  • Item identifier: e_3ayc
  • Publisher: Packt Publishing
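The packet layout that the chapter 1 outline enumerates (Code, Identifier, Length, Authenticator, then attributes as Type/Length/Value AVPs), the shared secret and Message-Authenticator from the clients.conf and EAP chapters, and the mismatched-shared-secret symptom from the troubleshooting chapter, in working form. This is an added example, not code from the book or from FreeRADIUS itself: it follows RFC 2865 (packet and User-Password hiding), RFC 2869 and RFC 3579 (Message-Authenticator as HMAC-MD5 keyed with the shared secret), and the secret, user name, password and NAS address are constructed sample values.

```python
"""Minimal RADIUS (RFC 2865 / RFC 2869 / RFC 3579) packet codec: build an Access-Request with a
PAP User-Password and a Message-Authenticator, parse it back, and validate the server's reply.
Added example; the sample secret, user and addresses below are constructed, not from any deployment."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # Code values (RFC 2865 section 3)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4        # attribute types (RFC 2865 section 5)
MESSAGE_AUTHENTICATOR = 80                               # RFC 2869 section 5.14 / RFC 3579 section 3.2
HEADER = struct.Struct("!BBH16s")  # Code(1) Identifier(1) Length(2) Authenticator(16) = 20 octets


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-octet chunk with MD5(secret + previous block),
    seeded with the Request Authenticator. This is obfuscation keyed by the secret, not encryption."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; the chaining input is the previous *ciphertext* block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # drops the RFC padding (and any genuine trailing NULs)


def encode_avp(atype: int, value: bytes) -> bytes:
    """AVP = Type(1) Length(1, counts Type+Length+Value) Value; Value is at most 253 octets."""
    if len(value) > 253:
        raise ValueError("AVP value too long")
    return bytes((atype, len(value) + 2)) + value


def parse_packet(data: bytes) -> dict:
    """Decode the header and AVPs. Length is authoritative: packets with Length shorter than the
    header or longer than the datagram are discarded (RFC 2865 section 3); octets past Length are padding."""
    if len(data) < HEADER.size:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(data)
    if length < HEADER.size or length > len(data):
        raise ValueError("Length field inconsistent with datagram")
    avps, pos = [], HEADER.size
    while pos < length:
        if length - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed AVP at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        avps.append((atype, data[pos + 2:pos + alen], pos + 2))  # (type, value, value offset)
        pos += alen
    return {"code": code, "id": ident, "length": length, "authenticator": auth, "avps": avps}


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None) -> bytes:
    """Access-Request with a hidden PAP password and a Message-Authenticator: HMAC-MD5 keyed with the
    shared secret over the whole packet, with the attribute's own 16 value octets set to zero."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable: it keys the password hiding
    avps = (encode_avp(USER_NAME, username)
            + encode_avp(USER_PASSWORD, hide_password(password, secret, request_auth))
            + encode_avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
            + encode_avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    packet = HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(avps), request_auth) + avps
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # MA is the last AVP, so its zeroed value is the final 16 octets


def verify_message_authenticator(data: bytes, secret: bytes) -> bool:
    """Recompute the HMAC over data[:Length] with the MA value zeroed; False if the attribute is absent
    or does not match. A mismatched shared secret fails here before the password is even examined."""
    pkt = parse_packet(data)
    for atype, value, off in pkt["avps"]:
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = data[:off] + b"\x00" * 16 + data[off + 16:pkt["length"]]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False


def build_response(code: int, request: dict, secret: bytes, avps: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request["id"], HEADER.size + len(avps))
    resp_auth = hashlib.md5(head + request["authenticator"] + avps + secret).digest()
    return head + resp_auth + avps


def verify_response(data: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check that the reply was produced by a holder of the secret for *our* request."""
    pkt = parse_packet(data)
    expected = hashlib.md5(data[:4] + request_auth + data[HEADER.size:pkt["length"]] + secret).digest()
    return hmac.compare_digest(expected, pkt["authenticator"])


def demo(secret: bytes = b"testing123", wrong_secret: bytes = b"testing124") -> dict:
    """Round trip on constructed input; returns the individual checks so they can be asserted on."""
    req_auth = bytes(range(16))  # fixed for reproducibility; real clients use os.urandom(16)
    req = build_access_request(7, b"alice", b"s3cret-password!", secret, "192.0.2.10", req_auth)
    parsed = parse_packet(req)
    attrs = {t: v for t, v, _ in parsed["avps"]}
    accept = build_response(ACCESS_ACCEPT, parsed, secret)
    return {
        "username": attrs[USER_NAME],
        "password": reveal_password(attrs[USER_PASSWORD], secret, parsed["authenticator"]),
        "ma_ok": verify_message_authenticator(req, secret),
        "ma_wrong_secret": verify_message_authenticator(req, wrong_secret),
        "resp_ok": verify_response(accept, req_auth, secret),
        "resp_wrong_secret": verify_response(accept, req_auth, wrong_secret),
        "length": parsed["length"],
    }


if __name__ == "__main__":
    print(demo())
```

The two failure modes worth noticing are the ones the book's troubleshooting chapter describes: a wrong shared secret leaves the packet structurally valid (it parses fine) but the Message-Authenticator check and the Response Authenticator check both fail, and a garbled password falls out of the same cause because the hiding keystream is derived from the secret. Requiring Message-Authenticator on every Access-Request (FreeRADIUS exposes this per client in clients.conf) turns a silent secret mismatch or a spoofed source address into an immediate, loggable rejection rather than a string of Access-Rejects for valid users.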