Using FreeRADIUS 2 on Oracle Enterprise Linux

Another aspect of my home network is that I want to leverage as much of the Oracle security technologies as I can. Obviously IRM was one of the first services installed and now protects all my important documents. I also want to use the Oracle Identity Management Suite (IDM) to centralize the administration of all my user accounts, roles and such. With all the services I have configured (IRM, UCM, ODC, 11gDB, Active Directory, PPTP), I sure do have a lot of accounts and passwords and roles to manage, even though there are only a handful of users!

I'm waiting for the 11g release of OID and whilst I wait I want to get my systems prepared so I can be ready to slot OID behind everything that requires authorization. One of these first steps is to configure a radius server for the PPTP server on my firewall which I use to connect securely back to the network on my iPhone. I can configure my PPTP server to use radius for authentication, which in turn can use an LDAP repository, which will be OID.

Installing FreeRADIUS on Oracle Enterprise Linux 5
There is a very popular and well-tested RADIUS server in the open source community called FreeRADIUS. The Oracle Enterprise Linux 5 DVD ships a version of FreeRADIUS, but it's old, version 1.x (freeradius-1.1.3-1.4.el5.i386.rpm). It seems that currently Red Hat (upon which Oracle Enterprise Linux is based) does not ship FreeRADIUS 2, for the following reason:

As of the time of this writing the version of FreeRADIUS in RHEL 5 is a rather old 1.1.3 version. RHEL has strict rules concerning package upgrades. In particular it is not permitted to upgrade a package with a newer version if they are not configuration compatible. FreeRADIUS 1.x and 2.x are NOT configuration compatible. It is also not permitted to remove a package from RHEL, customers may be running the 1.x version. Thus the version of FreeRADIUS in RHEL must stay at the 1.x level and must continue to use the package name "freeradius". However, many users want to install a current FreeRADIUS version on their RHEL5 system. The migration path to accomplish this is to introduce a new package called "freeradius2" into the RHEL5 update stream. It is anticipated this will occur in the RHEL 5.5 update. However to accommodate users wishing to install a current version on RHEL5 immediately a download site has been set up with pre-built FreeRADIUS 2.x packages on a tech preview basis. This will allow users to easily install a current version and to provide feedback on the tech preview in advance of the freeradius2 package becoming available in the RHEL5 update stream.

It is important to note: The freeradius2 RPMs are not part of an official release, therefore Red Hat customers with support contracts may not receive support on this version. These tech preview RPMs will be removed from the download site once freeradius2 enters the update stream; at that time the method to obtain the freeradius2 RPMs will be to utilize the normal software installation tools.

The download site for the version 2 RPMs is:
http://people.redhat.com/jdennis/freeradius-rhel-centos/i386/. I downloaded the following files, which I will need for my install:

freeradius2-2.1.6-2.el5.i386.rpm
freeradius2-devel-2.1.6-2.el5.i386.rpm
freeradius2-libs-2.1.6-2.el5.i386.rpm
freeradius2-utils-2.1.6-2.el5.i386.rpm

Logged in as root, I started to install the packages. First up are the libraries:

[root@localhost install]# rpm -ivh freeradius2-libs-2.1.6-2.el5.i386.rpm
Preparing... ########################################### [100%]
1:freeradius2-libs ########################################### [100%]

Next I attempted to install freeradius2-2.1.6-2.el5.i386.rpm, but it failed on a dependency:

[root@localhost install]# rpm -ivh freeradius2-2.1.6-2.el5.i386.rpm
error: Failed dependencies:
libltdl.so.3 is needed by freeradius2-2.1.6-2.el5.i386

A quick search on rpmfind.net shows that this library is part of libtool-libs. Looking on the DVD under the Server folder shows the following RPMs, and querying the RPM database I can see that I only have libtool installed, so I go ahead and install libtool-ltdl-1.5.22-6.1.i386.rpm:

[root@localhost install]# cd /mnt/cdrom/Server/
[root@localhost Server]# ls libtool*
libtool-1.5.22-6.1.i386.rpm
libtool-ltdl-devel-1.5.22-6.1.i386.rpm
libtool-ltdl-1.5.22-6.1.i386.rpm
[root@localhost Server]# rpm -qa libtool\*
libtool-1.5.22-6.1
[root@localhost Server]# rpm -ivh libtool-ltdl-1.5.22-6.1.i386.rpm
warning: libtool-ltdl-1.5.22-6.1.i386.rpm: Header V3 DSA signature: NOKEY, key ID 1e5e0159
Preparing... ########################################### [100%]
1:libtool-ltdl ########################################### [100%]

With this installed, I can now go back and install the FreeRADIUS package:

[root@localhost install]# rpm -ivh freeradius2-2.1.6-2.el5.i386.rpm
Preparing... ########################################### [100%]
1:freeradius2 ########################################### [100%]

Awesome!

Configuring FreeRADIUS 2 on Oracle Enterprise Linux

Now that we have all the packages installed we can do some simple configuration. A directory has been created at /etc/raddb which contains all the config files. The most important one initially is radiusd.conf. I found that most of this config file was fine for my initial tests. The one parameter I did change was to log authentication requests, so that I could verify my PPTP server talking to the RADIUS server. I changed this section in the log block and saved radiusd.conf:
# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
auth = yes
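With auth = yes, every request produces a "Login OK" or "Login incorrect" line in radius.log. Leave the neighbouring auth_badpass and auth_goodpass settings at their default of no, otherwise the attempted passwords are written to the log as well. The script below is an added example, not code from the original post, that summarises those log lines into failed-login counts per client and user. The log line layout it parses is an assumption modelled on the FreeRADIUS 2.x format ("<date> : Auth: Login OK: [user] (from client <name> port <n> cli <id>)"), and the sample lines are constructed for the example; point it at /var/log/radius/radius.log on a real server.

```sh
#!/bin/sh
# Added example (not from the original post): summarise authentication
# outcomes from the lines that "auth = yes" writes to radius.log.
# The line layout is an assumption modelled on FreeRADIUS 2.x; the sample
# lines below are constructed for this example.

SAMPLE_LOG='Thu Jun 11 12:23:42 2009 : Auth: Login OK: [testuser] (from client localhost port 0 cli 1115551212)
Thu Jun 11 12:24:01 2009 : Auth: Login incorrect: [testuser] (from client firewall port 0 cli 1115551212)
Thu Jun 11 12:24:05 2009 : Auth: Login incorrect: [testuser] (from client firewall port 0 cli 1115551212)
Thu Jun 11 12:24:09 2009 : Auth: Login incorrect: [admin] (from client firewall port 0 cli 1115551212)
Thu Jun 11 12:30:00 2009 : Auth: Login OK: [simon] (from client firewall port 0 cli 1115551213)'

# Read radius.log lines on stdin; print "<count> <client> <user>" for every
# failed login, most frequent first.
failed_logins() {
    awk '/Login incorrect:/ {
            for (i = 1; i <= NF; i++) {
                # the token after "incorrect:" is "[user]"; strip the brackets
                if ($i == "incorrect:") { user = substr($(i+1), 2, length($(i+1)) - 2) }
                # the token after "client" is the client short name
                if ($i == "client")     { client = $(i+1) }
            }
            fails[client " " user]++
        }
        END { for (k in fails) print fails[k], k }' | sort -rn
}

# Read radius.log lines on stdin; print the number of accepted logins.
accepted_logins() {
    grep -c 'Login OK:'
}

# Read radius.log lines on stdin; exit 0 if any client/user pair has failed
# at least $1 times (a crude repeated-failure indicator), else exit 1.
flag_repeated_failures() {
    threshold=$1
    failed_logins | awk -v t="$threshold" '$1 >= t { hit = 1 } END { exit (hit ? 0 : 1) }'
}

# Usage against the constructed sample (replace with: cat /var/log/radius/radius.log).
printf '%s\n' "$SAMPLE_LOG" | failed_logins
printf '%s\n' "$SAMPLE_LOG" | flag_repeated_failures 2 && echo "repeated failures detected"
```

The threshold is deliberately a parameter: a handful of failures from the firewall is normal for a mistyped iPhone password, so tune it to your own log before acting on it.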

We also want an initial test user while we get the server up and running. Edit the file /etc/raddb/users and add the following line at the very bottom:

testuser Cleartext-Password := "welcome1"

Now it's time to start the server for the first time. To check that everything is working and to ensure the initial certificates get created, simply run the server in debug mode from the command line:

radiusd -X

This will create the keys and certificates, which takes a while, so just sit back and wait. Once it's up it should start listening on all addresses like so:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.

Testing the FreeRADIUS server

So at this point we have a vanilla RADIUS server which is authenticating against the local users file. Nothing complicated, and in my environment I was then able to configure my firewall's VPN to use this server. I needed to add an entry to clients.conf with a shared secret so that the firewall can talk to the server. There is a nice little utility, RadLogin from IEA Software, which lets you do all sorts of client testing and runs on both Linux and Windows; it runs a small HTTP server locally. Install it, run the service, add a server and then log in using your test user. Here is the output from my RADIUS server (still running as radiusd -X in a console) for a test request. Note how it tries different modules to find the user before the files module matches it. When I switch the back end to OID it will be using LDAP.

rad_recv: Access-Request packet from host 127.0.0.1 port 16120, id=1, length=100
User-Name = "testuser"
Acct-Session-Id = "1244745822G1viy"
NAS-IP-Address = 127.0.0.1
NAS-Identifier = "Localhost"
NAS-Port = 0
Calling-Station-Id = "1115551212"
User-Password = "welcome1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry testuser at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "welcome1"
[pap] Using clear text password "welcome1"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [testuser] (from client localhost port 0 cli 1115551212)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 1 to 127.0.0.1 port 16120
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 1 with timestamp +1755
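Two things worth noting in that output: the debug run prints User-Password in the clear (lines such as "login attempt with password"), so radiusd -X belongs in a console during testing, not as the way the service runs; and the firewall's clients.conf entry mentioned above is only as strong as its shared secret. The script below is an added example, not code from the original post, that generates a random secret and prints a FreeRADIUS 2.x clients.conf stanza for it. The client name "firewall", the address 192.168.1.1 and the secret-length rule are assumptions for the illustration; the stanza keys (ipaddr, secret, shortname, nastype) are standard 2.x clients.conf syntax.

```sh
#!/bin/sh
# Added example (not from the original post): generate a clients.conf entry
# for a RADIUS client with a random shared secret. Client name, address and
# the minimum secret length are assumptions chosen for this illustration.

# 24 characters drawn from /dev/urandom, base64 alphabet only (no '=', '/' or '+'
# so the value needs no quoting in clients.conf or on the firewall).
gen_secret() {
    head -c 64 /dev/urandom | base64 | tr -d '=/+\n' | cut -c1-24
}

# Return 0 if the secret is acceptable: at least 16 characters and not the
# "testing123" placeholder that ships in the sample clients.conf.
check_secret() {
    s=$1
    [ "${#s}" -ge 16 ] || return 1
    [ "$s" != "testing123" ] || return 1
    return 0
}

# Print a clients.conf stanza for: name, IP address, secret.
# Refuses to print one for a weak secret.
client_stanza() {
    name=$1; ip=$2; secret=$3
    check_secret "$secret" || { echo "client_stanza: weak secret for $name" >&2; return 1; }
    cat <<EOF
client $name {
    ipaddr    = $ip
    secret    = $secret
    shortname = $name
    nastype   = other
}
EOF
}

# Usage (constructed values): append the stanza to /etc/raddb/clients.conf,
# restart radiusd, and configure the same secret on the firewall's RADIUS client.
SECRET=$(gen_secret)
client_stanza firewall 192.168.1.1 "$SECRET"
```

Once the stanza is in place you can test from the server itself with radtest from the freeradius2-utils package installed earlier, for example "radtest testuser welcome1 127.0.0.1 0 testing123" against the built-in localhost client, and from the firewall's address with the new secret.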

Making sure the radius server starts on boot

The last thing to set up was to ensure the service starts after a reboot. The RPM installer nicely set up the correct init.d script. chkconfig --list | grep radius shows that the service is off for all runlevels. Ideally you want this running when the system comes up, so use chkconfig --level to turn the service on for the same runlevels that have networking running. You can also start the service straight away with service radiusd start. The output from my machine is below for reference:
[root@localhost init.d]# chkconfig --list | grep radius
radiusd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@localhost init.d]# chkconfig --level 2345 radiusd on
[root@localhost init.d]# chkconfig --list | grep radius
radiusd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@localhost init.d]# service radiusd start
Starting RADIUS server: [ OK ]

And that's it! A very basic configuration of the RADIUS server; as soon as I get OID installed and configured I'll come back to this and set it up so that it uses my central repository for authentication.

Comments:

Here's a handy tip. Instead of using rpm -i, use yum instead:

# yum localinstall freeradius2-2.1.6-2.el5.i386.rpm

This will handle dependencies automatically for you, instead of you having to find them. Also, be sure to either configure and use ULN (if you have a subscription) or http://public-yum.oracle.com so that Yum works properly.

Posted by Avi Miller on June 11, 2009 at 10:49 AM PDT #

About

Simon Thorpe, senior consultant at Oracle, blogs about simple and useful tips when working with Oracle technology.