One popular RADIUS server is Open Systems Consultant's "Radiator. This section details its configuration.
Because of the EAP authentication within RADIUS, a (small) PKI is required. If there is no PKI available, you could create the required key and certificate with, for instance, TinyCA. TinyCA (http://tinyca.sm-zone.net/) is a simple graphical interface on top of OpenSSL. It is possible to use OpenSSL directly (but instructions to do so are outside the scope of this document).
There is also a bootable CD available based on Knoppix that runs TinyCA, the roCA (read-only CA) that can be found at http://www.intrusion-lab.net/roca/.
Depending on the EAP-type used, client certificates may also be needed.
Within the Radiator distribution there are also simple scripts available to create certificates for testing purposes.
The Radiator RADIUS server needs the configuration file /etc/radiator/radius.cfg.
This configuration file can be created with the editor of choice, for example
vi /etc/radiator/radius.cfg
or
pico /etc/radiator/radius.cfg
In the following examples there are two kinds of EAP that are configured at "institution":
- EAP-TLS based on client-certificates.
- EAP-TTLS and EAP-PEAP that do not require client certificates but use the traditional mechanism of
username/password authentication instead.
Clients
RADIUS is based on a client-server model. The NAS-devices (Access Points, switches etc.) forward credentials to a RADIUS server, i.e. act as a client, and therefore need to be defined on the RADIUS server. Other RADIUS servers can act as a client as well, so every kind of RADIUS-request can be forwarded to another server.
The clients are configured within Radiator using the <Client>-clause:
<Client 192.168.10.200>
Secret 6.6obaFkm&RNs666
Identifier ACCESSPOINT1
IdenticalClients 192.168.10.201
RequireMessageAuthenticator
</Client>
In this example there is a client definition for 192.168.10.200, an Access-Point. The "secret" is a series of (at best 16) characters that are used to encrypt the credentials sent in the RADIUS-request.
It is of course recommended to create a secret that cannot be guessed easily, otherwise the RADIUS-message can be decrypted. This is not an issue with EAP-authentication using 802.1X, since the credentials are also transmitted over a SSL-encrypted tunnel between the client and the final authentication server. However, with regular credentials (like those used with Web-based redirection authentication) this is sensitive information that might be captured, therefore a reasonably complex secret and an SSL tunnel is recommended.
The Identifier in the Client-definition can be used later on in the Radiator configuration to filter a specific request.
If more then one Client is to use this same secret and identifier definition, the IdenticalClients statement can be used. If there are many clients with different IP-addresses, there is also the possibility for a "catch-all" client. This is the default client that is used after all other client definitions didn't match. Define this client as:
<Client DEFAULT>
If this kind of configuration is used, it is worth filtering with firewall-rules on RADIUS packets. There are only a few places where a RADIUS-request should come from; the management VLAN with the NAS-devices (switches and access-points), and the RADIUS infrastructure where unknown requests can be sent to.
Realms and VLAN assignment
The processing of authentication and accounting requests is done by linear processing of the present <Realm>- or <Handler>-clauses in the Radiator configuration file. Handler-clauses are more potent than Realm clauses in terms of filtering anything besides realms, and are therefore the preferred method. A realm is the part behind a username to indicate the origin of a user. With RADIUS, the username is usually separated from the realm with a "@" so the complete username looks like a regular e-mail address.
A <Handler>-clause is terminated with a </Handler>.
Within a Handler many mechanisms can be configured that define what to do with the RADIUS request.
PROXY example
The simplest Handler for proxying the request to another server uses the "AuthBy RADIUS" definition within this
Handler.
In this example a proxy-configuration is shown. First we have a Handler that matches on any request, as long as it does not come from the client with the identifier "Proxy-Identifier". This is to prevent a proxy loop. When a request comes from a proxy-server, it should never be forwarded back to that proxy-server.
Another important part is the hostname to which the request should be forwarded. Multiple hostnames can be defined here for redundancy reasons: if the first host does not respond within three seconds, the second one is tried instead. The UDP ports to which the RADIUS-request should be forwarded can be defined in this "AuthBy RADIUS" clause as well.
<Handler Client-Identifier=/^(?!Proxy-Identifier$)/>
<AuthBy RADIUS>
Host 192.87.36.3
Secret super_secret!
AuthPort 1812
AcctPort 1813
StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID
AddToReply Tunnel-Type=1:VLAN, Tunnel-Medium-Type=1:Ether_802, Tunnel-Private-Group-ID=1:909
</AuthBy>
</Handler>
For a "Host", both the IP-address and FQDN can be used. The choice is more or less a personal preference of the RADIUS administrator, but be aware that the hostnames are only looked up once at the Radiator (re)start. If the lookup fails, the Host cannot be used until the next restart. This can represent a problem at a power outage, where for instance the DNS server is not yet available even though Radiator is.
While by using hostnames one benefits from the administrative ease when an IP-address is changed, it is still necessary to restart the RADIUS server.
The last part in this <AuthBy RADIUS>-definition shows the addition of RADIUS-attributes to the RADIUS- response. These attributes can be used to define a VLAN that will be assigned to users that are authenticated using this Handler. With StripFromReply, the attributes that came from the proxy-server are stripped first to prevent malicious VLAN-assignments, afterwards the attributes are added with the proper values for the local network design. In this case, VLAN 909 is used for guests.
Secure authentication with EAP-TLS
EAP-TLS requires both server and client certificates. Rolling out such certificates is a sometimes daunting administrative process, and is out of the scope of this document. The remainder of this section assumes that client certificates have been issued to the users already.
In this example the AuthBy-definition is outside the Handler, and is referred to using the Identifier. (This is useful if the AuthBy-definition is reused in another Handler, for instance.)
<AuthBy FILE>
Identifier ID4-TLS
Filename %D/TLS-users
EAPType TLS
EAPTLS_CAFile %D/cert/institution-ca-chain.pem
EAPTLS_CertificateFile %D/cert/radius-server-cert.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/cert/radius-server-key.pem
EAPTLS_PrivateKeyPassword (the secret that secures the private-key)
EAPTLS_MaxFragmentSize 1024
AutoMPPEKeys
SSLeayTrace 1
StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID
AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel- Private-Group-ID=1:909,User-Name=%u
</AuthBy>
In this AuthBy-clause there is an EAPTLS file defined that lists every employee. In this way, the users that can access the infrastructure using EAP-TLS are controlled.
The definitions that follow determine what to do with the EAP-request. First the "EAPType TLS" limits the use of this AuthBy-definition for TLS-only. Here regular password authentication is not desired, just certificates. Next, the certificate files are configured and the secret that secures the private-key file can be provided. If there is no secret for the private key, this can be omitted.
The next part defines in what size blocks the EAP-messages should be fragmented. Since some parts of the EAP-TLS challenge are too big to fit in a RADIUS request, the packets should be fragmented.
The MPPE-keys (Microsoft Point to Point Encryption, the protocol for encrypting the data across links) portion is important for wireless access. With 802.1X, encryption occurs at the edge of the network, between the Access- Point and the client. To provide this secure encryption, a unique key is created and encrypted using the MPPE- keys that are derived from the SSL-challenge. This can be done at the Access-Point and the Client end so that there is no need to transfer the WEP-key in plain text over the air. This, and the fact that the key can be rotated within a period defined by either the Access-Point or the RADIUS server, provides 802.1x users with a good level of security.
The last part of the AuthBy-definition shows how to assign a proper VLAN.
<Handler Realm=instituion.cc, EAP-Message=/.+/>
AuthBy ID4-TLS
</Handler>
The Handler above shows the referral to the AuthBy-definition and some filtering mechanisms to filter out the proper requests. If more things need to be filtered on, they can be added to this handler, as follows:
NAS-Port-Type=/^(Wireless-IEEE-802-11|Ethernet)$/
In this way, only requests with the proper NAS-Port-Types are allowed. For Accounting purposes, a new handler should be defined in this case, that filters on:
"Request-Type=Accounting-Request"
since the request does not match the Handler that filters on the EAP-Message.
EAP-TTLS or EAP-PEAP
When issuing end user certificates is not an option, the EAP-mechanisms PEAP and TTLS can be used.
These two mechanisms look the same in that they both set up a TLS tunnel on which the credentials can be transported. They vary in the supported password encryption schemes.
Virtually all implementations of PEAP encrypt the user's password as an NT hash exclusively. TTLS implementations typically offer plain text transport of the password, called TTLS-PAP (the outer TLS tunnels makes sure the password cannot be eavesdropped) and sometimes other encryption schemes like MS- CHAPv2.
Administratively, the choice whether to use PEAP or TTLS can be challenging, since TTLS is not supported out of the box in the Microsoft Windows environment, therefore third party supplicant needs to be installed by users in case of a TTLS deployment.
Technically, three backend cases need to be considered for deployment:
Backend stores passwords in... | PEAP-MSCHAPv2? | TTLS? |
|---|---|---|
plain text or reversibly encrypted | Yes | Yes (TTLS-PAP, TTLS-MSCHAPv2) |
NT-Hash | Yes | Yes (TTLS-PAP, TTLS-MSCHAPv2) |
other irreversible encryption | No | Yes (TTLS-PAP) |
Where both options are possible, we suggest the following order of preference: TTLS-MSCHAPv2, PEAP- MSCHAPv2, TTLS-PAP (in descending order of preference).
Instead of a flat file, a more flexible backend for user accounts is a database like MySQL, or LDAP.
<Handler TunnelledByPEAP=1, Realm=tunnelled.institution.cc>
<AuthBy FILE>
Filename %D/peap-users
EAPType MSCHAP-V2
</AuthBy>
</Handler>
<Handler TunnelledByTTLS=1, Realm=tunneled.institution.cc>
<AuthBy FILE>
Filename %D/ttls-users
</AuthBy>
</Handler>
In these Handlers, the filtering options "TunneledByPEAP" and "TunnelledByTTLS" define that the tunnelled authentication (with the username and password in it) is handled here.
The "outer authentication", where the SSL tunnel is set up, looks like the TLS handler.
<Handler Realm=group_1>
<AuthBy FILE>
Filename %D/users
EAPType TTLS, PEAP
EAPTLS_CAFile %D/root.pem
EAPTLS_CertificateFile %D/server.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/server.pem
EAPTLS_PrivateKeyPassword serverkey
EAPTLS_MaxFragmentSize 1024
EAPAnonymous anonymous@group1
AutoMPPEKeys
</AuthBy>
</Handler>