Translate

Tuesday, 25 September 2012

OpenBSD 5.1 + FreeRADIUS 2



This is a step by step guide for making Radius Server with MAC-AUTH, if you will follow this I make you sure that you don’t get error. First of all open the interface of your access point and make it authenticate via RADIUS, provide it with the ip of the radius server you will make and a shared key (shared key will be same for access point and radius server). The operating system used here is OpenBSD 5.1 and the FreeRadius version 2.1.12 

(make all actions as root)Install freeradius

# pkg_add freeradius-2.1.12.tgz
##########

#radiusd –X

This will show Ready to process requests at the end press ctrl+c

Now,

#cd  /etc/raddb/

# nano clients.conf

client ip of your access point {
    secret = yourShareds3cret
    shortname = airport
    nastype = other
}

SAVE & EXIT

# mv modules/files  modules/files.bak

#nano modules/files

files authorized_macs {
            # The default key attribute to use for matches.  The content
            # of this attribute is used to match the "name" of the
            # entry.
            key = "%{Calling-Station-ID}"

            usersfile = ${confdir}/authorized_macs

            #  If you want to use the old Cistron 'users' file
            #  with FreeRADIUS, you should change the next line
            #  to 'compat = cistron'.  You can the copy your 'users'
            #  file from Cistron.
            compat = no
    }

SAVE &EXIT

#nano  authorized_macs

The mac address of client(laptop) 

            Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

SAVE & EXIT

#mv sites-available/default  sites-available/default.bak

#nano sites-available/default

authorize {
      preprocess

      # if cleaning up the Calling-Station-Id...
      Rewrite.called_station_id

      # now check against the authorized_macs file
      authorized_macs
      if (!ok) {
        reject
      }
      else {
        # accept
        update control {
          Auth-Type := Accept
        }
      }
    }

SAVE & EXIT

#radiusd –X


This will show Ready to process requests
This means you have not encountered any error and now try to connect your laptop or any wifi device with the access point but make sure that the mac address of the device is in the users and the authorized_macs files. When you will try to connect your client (laptop) and you will see Calling-Station-Id = "00-FF-00-FF-00-FF", that should be the MAC address of the client you want to authenticate. 

Now add MAC address of the devices you want to connect with the network, in the authorized_macs file.

Additionally you can get some errors like "can't find /var/run/radiusd.radius.sock  or we do not own /var/run/radiusd/radiusd.sock".
If you get such error make a folder naming radiusd in /var/run/ and make sure that "_freeradius" own it. The command for this will be "chown -R _freeradius:_freeradius /var/run/radiusd/"

     All the best and remember

                   Do not try this at home!!!

No comments:

Post a Comment