Fun with FreeRADIUS

I suppose that most people reading this will already know what RADIUS is, and at least some of what it can do. However, for those who don't, it's an open standard protocol for authenticating and authorising users who attempt to log on to a network service, which may mean a wireless LAN, a network device (router, switch, etc.) or indeed a range of other things. (To give you some idea of how old RADIUS is, note that it stands for "Remote Access Dial-in User Service," given that dial-in access to a network is now ancient history.)

A couple of words of explanation: "authentication" of a user means determining that the user is really who she or he says s/he is; "authorisation" means applying limits to what the user is allowed to do. Authentication is what happens when, for example, you log on to your Windows laptop with your normal user name and password. Authorisation, amongst other things, defines which files you're allowed to look at or change in some way.

(As an aside: there is at least one other protocol which can accomplish broadly similar things and which is especially prevalent in the Cisco world; that protocol is TACACS+. There are some fundamental differences between RADIUS and TACACS+ at the network layer, and TACACS+ is a Cisco-proprietary protocol, to the best of my knowledge. RADIUS is an open standard, however, meaning that its details are fully in the public domain, and anyone can write and publish software to implement a RADIUS service on any platform.)

I first got involved with RADIUS at a previous employer, which used it to authenticate users trying to use its very extensive wireless network. That particular employer used a commercial implementation of RADIUS known as Radiator. This was a very capable piece of software, which appeared to be more or less infinitely extensible by writing your own scripts to hook into the main software. It was an "interesting" experience, given my total lack of experience with RADIUS itself and with that particular implementation. I even had to do some debugging of one of those scripted extensions, which in that case was written in Perl. (As some people will undoubtedly know, Perl can be a bit of a "write once, read never" language, because the code can be particularly unfriendly and opaque.)

FreeRADIUS, however, is an open-source implementation of the RADIUS protocol. The software is free to download and free to use as much as you want. FreeRADIUS is (or at least appears to be) a full and complete implementation of the protocol, so it has many, many features, most of which are likely to be irrelevant in any given situation. This means that if you're coming to it for the first time with only a basic understanding of RADIUS itself, you're likely to find it quite hard going at first - IF you try to read all the included documentation and all the documentation included within the configuration files themselves. Fortunately many of the defaults work out of the box in a great many situations. Admittedly, if you're going to use a back-end database of users (e.g. Active Directory) then you're lining yourself up for some extra work. Since it's open-source software, you're relying on your favourite search engine to find a lot of answers to the questions you're inevitably going to have. (Of course, you may have the luxury of a service contract if you're doing it for your employer!)

Anyway...we don't use FreeRADIUS at work, so what am I writing about? Well, if you've read my previous stuff, you will know that I'm quite an enthusiastic Linux user at home, and I have quite a lot of functionality on the home network based on Linux. One of those functions is authenticating users of the wireless network, and authenticating logons to the various network devices at home. The "user database" is a simple flat file (I must get round to making something a bit better...), and it occurred to me recently that users who authenticate to the wireless network with their user name and password (802.1X) can also log on to the network devices with the same details. Clearly the only person who should have access to the network devices is me!

Now it's not quite as bad as that, because part of the RADIUS protocol is the ability for vendors of RADIUS-compatible equipment to specify "vendor-specific attributes" (VSAs), which are bits of data that the RADIUS server can send to the equipment under a given circumstance, e.g. when a user authenticates successfully. One of the VSAs used by Cisco gives you the ability to specify the user's "privilege level," which is a way of restricting the commands a logged-on user is able to execute on a Cisco device. I had of course set my own privilege level to the highest possible level (15), allowing me to do anything, and all the other users had no specified level. By default that puts them at privilege level 1, which in the Cisco world allows you to discover many things about the network device, but not to configure anything; this is clearly not ideal from the security point of view.

My first idea was to use the VSA to set privilege level 0 for all users except me. However, this still allows them to log on to the network devices, albeit only to execute an extremely limited set of commands. I could even cut down that small number of commands further with configuration on the network devices themselves. But I wasn't satisfied with this; I wanted to ensure NO logon at all for anyone except me. (Imagine if you had hundreds or even thousands of network devices to secure; it isn't really practical to reconfigure all of them, and indeed it is a waste of time if people can still log on to them in some way.)

So we come to one of the features of FreeRADIUS, which is its ability to run what it calls "virtual servers," which are supposed to be multiple instances of a RADIUS server on one physical machine. I say "supposed to be," because when I first started running two "virtual servers," the Linux ps command showed only a single RADIUS process on the machine. Anyway, there were in effect two separate RADIUS servers running on the one Linux machine with different functionality. In fact, the only difference in functionality was that the two virtual RADIUS servers were listening on different UDP ports and used separate user databases. The user database for the wireless LAN was attached to one RADIUS instance, and contained all the users; the other user database contained only myself, which of course means that even if someone other than me tries to use their wireless credentials against a network device, they will not be allowed to log on, since they effectively don't exist in the network device world.
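To make the two ideas above concrete (the Cisco privilege-level VSA, and two virtual servers each backed by its own flat-file user database), here is an added example configuration in FreeRADIUS 3.x syntax. It is not the author's configuration and not part of the FreeRADIUS project's own files; the file paths, server names (`wlan`, `devices`), port numbers, client addresses and the `admin` user name are assumptions chosen for illustration, and the shared secrets and password are placeholders to be replaced.

```conf
# --- raddb/clients.conf : which NAS devices may talk to the server ---
# Constructed addresses; secrets are placeholders. Pinning each client to a
# virtual server means a switch cannot be authenticated by the WLAN database
# even if it is pointed at the WLAN port.
client wlan_controller {
    ipaddr         = 192.0.2.10
    secret         = REPLACE-WITH-WLAN-SECRET
    virtual_server = wlan
}
client core_switch {
    ipaddr         = 192.0.2.20
    secret         = REPLACE-WITH-SWITCH-SECRET
    virtual_server = devices
}

# --- raddb/mods-available/files : two instances of the "files" module,
#     each reading a different flat-file user database ---
files wlan_users {
    moddir   = ${modconfdir}/files
    filename = ${moddir}/wlan_users
}
files device_admins {
    moddir   = ${modconfdir}/files
    filename = ${moddir}/device_admins
}

# --- raddb/sites-available/wlan : virtual server for 802.1X clients ---
server wlan {
    listen {
        type   = auth
        ipaddr = *
        port   = 1812
    }
    authorize {
        preprocess
        suffix
        eap {
            ok = return
        }
        wlan_users          # every WLAN user lives in this file
    }
    authenticate {
        eap
    }
}

# --- raddb/sites-available/devices : virtual server for network-device
#     logins, on its own UDP port and with its own user database ---
server devices {
    listen {
        type   = auth
        ipaddr = *
        port   = 1822
    }
    authorize {
        preprocess
        device_admins       # only the administrator lives in this file
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
    }
}

# --- raddb/mods-config/files/device_admins : the device-admin database ---
# The "files" module stops at the first matching entry, so the admin entry
# comes first and everybody else falls through to the DEFAULT reject.
admin   Cleartext-Password := "REPLACE-WITH-STRONG-PASSWORD"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

DEFAULT Auth-Type := Reject
        Reply-Message = "Not authorised for network device access"
```

Both virtual servers are enabled by symlinking them from `sites-available` into `sites-enabled`, and a WLAN user who tries their wireless credentials against a switch is rejected by the `DEFAULT` entry of `device_admins` before any password check happens, because that user name simply is not in the file. The `Cisco-AVPair` reply attribute only takes effect if the device is configured to authorise exec sessions via RADIUS; without that, the device falls back to its default privilege level. Running `radiusd -X` in the foreground shows which virtual server handled each request and which `files` entry matched, which is the quickest way to confirm the split is working.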

Getting this working was a little bit challenging. As I said before, although the FreeRADIUS documentation is A LOT better than it used to be, you still don't have anyone you can just ask for advice, and not everything is really intuitive - a long way from intuitive, to be honest - so quite a lot of searching and reading was in order at first. However, the FreeRADIUS configuration files are quite logically arranged, and once I had got their order straight in my head, armed with a full set of search engine results, it didn't take all that long to get things going.

So now I have a central location where I can add or remove WLAN users, and I'm the only person who can log on to all the network devices themselves, so I'm happy with that result and even happier that I managed to do it.

Good article. I think I have debugged the same system also ;)

More articles by Christopher Slater-Walker