Using a Raspberry Pi based freeradius server to test dynamic vlan assignment or AAA.


The problem I was trying to solve was an ethical one.

I was going down to Brazil in support of the VAR, and Jose, the VAR representative, emailed me a most poignant and relevant question. Jose asked, “Have you used a freeradius server to assign a wireless client (802.1x supplicant) to a VLAN?”

I was so glad Jose emailed the question rather than called me, because there would have been a pregnant pause at my end of the phone. My answer would have been no, I had not tested assigning a wireless client to a specified VLAN on the attached Ethernet switch. Some people call this dynamic VLAN assignment. I knew that the application works, but I had never validated it myself.


Figure 1: Test network diagram sent by Jose

I needed to find an inexpensive way to validate the end user’s application.

My technical support team in the USA and other tech support teams scattered around the world use freeradius. After a little research, I put freeradius together with my Raspberry Pi. You may ask, what is a Raspberry Pi or Raspberry Pi Zero W? Go and search for “Raspberry Pi” on your internet search engine. Simply put, a Raspberry Pi is a low-cost compute module varying in price from around US$5 up to $50. This is one piece of hardware that every network engineer needs to have in their tool kit.


Warning: Physically handle the Raspberry Pi with care, or even better with an ESD wrist strap, as the Pi is sensitive to static charge and the circuitry can be damaged by inappropriate handling.

Working with the Raspberry Pi

As a prerequisite, I installed a Virtual Network Computing (VNC) server on my Raspberry Pi. I downloaded and installed the RealVNC client on my PC, which allows me to see the Pi's management desktop. There is no need to connect a keyboard, video display or mouse (KVM) directly to the Pi when you use VNC.

You don’t have to install VNC, but I found it initially useful as I only have one display, keyboard and mouse available to me. Once you become familiar with the Pi's command line interface you can just enable Secure Shell (SSH) to connect to the Pi.

As of October 2019, the instructions to install VNC on the Pi were obtained from the following URL; https://www.raspberrypi.org/documentation/remote-access/vnc/

Instructions to install freeradius on the Pi

(remember I am using a Pi for testing purposes only)

The Pi must have access to the internet to be able to perform the following commands. Cut and paste or type the following commands one line at a time into the Pi terminal.

sudo apt-get update

sudo apt-get install freeradius -y

This install of freeradius creates directories, and everything needed to have a working radius server. This installation takes a while, so go grab a cuppa and be patient.

Logging of user authentication attempts is not enabled by default, probably to save you periodically clearing out the radius.log file. Now you need to alter three configuration files. Easier said than done. There are a number of programs to edit files on the Pi, such as “nano” or “vi”. I personally use the vi editor to modify files. Download a vi cheat sheet from the internet to help you with editor commands. vi is a pain, but over time the pain subsides.

Note: If you really screw up configuring or modifying these files, freeradius just won't work. You may have to start again, even if it means reloading Noobs back onto your Raspberry Pi flash card. I reloaded from scratch several times before I started to learn to use vi. There is one failsafe vi command that I learnt to love: press the Esc key and then type :q! This allowed me to quit the vi editor immediately without saving any changes or errors. So if you feel you screwed up editing a file, just quit the editor without saving and try, try, try again.

Freeradius configuration files can be located with the commands;

cd /etc/freeradius/3.0      - change to the directory where the files are stored
ls -al                      - if you wish, list files and file sizes in the directory

clients.conf - file containing the configuration and secret password for switches and router access.

sudo vi clients.conf        - and copy and paste the following at the end of the file.

client NAME {
    ipaddr = 0.0.0.0/0
    secret = friend
}

        

This will allow any router or switch that knows the radius secret password “friend” to use the freeradius server, whatever its IP address. Save the change with the Esc key, then type :wq. This writes and quits, saving the changes to the file called clients.conf.
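The catch-all client block above is convenient for a lab, but it is worth being able to spot it later, because it means any host that can reach the Pi and knows the word “friend” can submit authentication requests. The following small linter is an added example, not part of the article or of freeradius: it parses clients.conf blocks of the form shown above and flags a 0.0.0.0/0 (or *) ipaddr and a short secret, comparing them against a second, hypothetical block scoped to one access point (the ap-lab name, its address and its secret are assumptions).

```python
import ipaddress
import re

# Constructed sample clients.conf, not the author's file: the catch-all block the
# article pastes in, plus a second block scoped to one access point for comparison.
SAMPLE_CLIENTS_CONF = """\
client NAME {
    ipaddr = 0.0.0.0/0
    secret = friend
}

# hypothetical access point entry, assumed address and secret
client ap-lab {
    ipaddr = 192.168.1.50
    secret = 7rT2qm9VxLp4Wb8ZcE3nHs6K
}
"""

BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*([^\s#]+)", re.M)


def parse_clients(text):
    """Return one dict per client block: name, ipaddr and secret (empty if absent)."""
    clients = []
    for block in BLOCK_RE.finditer(text):
        body = dict(KV_RE.findall(block.group(2)))
        clients.append({
            "name": block.group(1),
            "ipaddr": body.get("ipaddr"),
            "secret": (body.get("secret") or "").strip('"'),
        })
    return clients


def lint_client(client, min_secret_len=16):
    """Return finding codes for one client block; an empty list means no concern."""
    findings = []
    ipaddr = client["ipaddr"]
    if ipaddr is None or ipaddr == "*":
        findings.append("catch-all-ipaddr")
    # strict=False so a plain host address without a prefix length is accepted
    elif ipaddress.ip_network(ipaddr, strict=False).prefixlen == 0:
        findings.append("catch-all-ipaddr")
    if len(client["secret"]) < min_secret_len:
        findings.append("short-secret")
    return findings


def lint_conf(text):
    """Map each client name to its findings, so the catch-all block stands out."""
    return {c["name"]: lint_client(c) for c in parse_clients(text)}


if __name__ == "__main__":
    for name, findings in lint_conf(SAMPLE_CLIENTS_CONF).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Running it against the sample prints two findings for the NAME block and none for ap-lab. Once the test is over, replacing 0.0.0.0/0 with the address of the access point or switch, and “friend” with a long random secret, is the change the linter is nudging you towards.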

users   - file containing user entries for dynamic wireless clients and router or switch admin logins.

sudo vi users           - allows me to edit the users file. I used the keyboard arrow keys to scroll to the bottom of the file and cut and pasted the following into the users file. Use the vi cheat sheet to figure out how to insert text at the end of the users file.

As an example, the following adds a user called gabriel with the password Torres1234 and will dump the user into VLAN 300 of the attached switch port. The manager and dave entries are administrative logins, and the last four lines are entries keyed by MAC address.

gabriel Cleartext-Password := "Torres1234"
       Service-Type = Framed-User,
       Tunnel-Type = "VLAN",
       Tunnel-Medium-Type = "IEEE-802",
       Tunnel-Private-Group-ID = "300"

manager Cleartext-Password := "friend"
      Service-Type = Administrative-User,
      Management-Privilege-Level  = 15

dave Cleartext-Password := "krynski"
      Service-Type = Administrative-User,
      Management-Privilege-Level  = 15



00-40-8c-f4-76-89 Cleartext-Password := "00-40-8c-f4-76-89"
10-65-30-60-fd-5b Cleartext-Password := "10-65-30-60-fd-5b"
20-7d-74-74-50-0d Cleartext-Password := "20-7d-74-74-50-0d"
00-1a-eb-b1-a3-20 Cleartext-Password := "00-1a-eb-b1-a3-20"
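A switch only moves the port to the VLAN when all three Tunnel attributes (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID) come back in the Access-Accept, and the users file gives no error if one is missing; the user just lands in the default VLAN. The script below is an added example, not part of the article or of freeradius: it generates entries in the same shape as the gabriel and MAC-address lines above, with range and format checks, and reads a users file back to list the users whose VLAN triple is incomplete. The alice entry and her password are constructed for the demonstration.

```python
import re

# Constructed users-file text, not the author's file: gabriel is the article's
# entry, alice is a hypothetical entry missing Tunnel-Medium-Type, and the last
# line is a MAC-address entry in the article's style.
SAMPLE_USERS = '''\
gabriel Cleartext-Password := "Torres1234"
       Service-Type = Framed-User,
       Tunnel-Type = "VLAN",
       Tunnel-Medium-Type = "IEEE-802",
       Tunnel-Private-Group-ID = "300"

alice Cleartext-Password := "example-only"
       Service-Type = Framed-User,
       Tunnel-Type = "VLAN",
       Tunnel-Private-Group-ID = "300"

00-40-8c-f4-76-89 Cleartext-Password := "00-40-8c-f4-76-89"
'''

VLAN_REPLY_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")
MAC_RE = re.compile(r"^[0-9a-f]{2}(-[0-9a-f]{2}){5}$")


def vlan_user_entry(username, password, vlan_id):
    """Build a users-file entry placing the user in vlan_id, as the article's gabriel entry does."""
    vlan_id = int(vlan_id)
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN id out of range: {vlan_id}")
    if '"' in password or not username.isalnum():
        raise ValueError("username must be alphanumeric and password must not contain quotes")
    return (f'{username} Cleartext-Password := "{password}"\n'
            '       Service-Type = Framed-User,\n'
            '       Tunnel-Type = "VLAN",\n'
            '       Tunnel-Medium-Type = "IEEE-802",\n'
            f'       Tunnel-Private-Group-ID = "{vlan_id}"\n')


def mac_entry(mac):
    """Build a MAC-address entry in the article's style (MAC as both username and password)."""
    mac = mac.lower().replace(":", "-")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac}")
    return f'{mac} Cleartext-Password := "{mac}"\n'


def parse_users(text):
    """Parse the users file into {username: {reply attribute: value}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            # an unindented line starts a new entry; the first token is the username
            current = line.split()[0]
            entries[current] = {}
        elif current is not None:
            attr, _, value = line.strip().rstrip(",").partition("=")
            entries[current][attr.strip()] = value.strip().strip('"')
    return entries


def incomplete_vlan_users(text):
    """Usernames that carry some Tunnel-* attribute but not the full triple the switch needs."""
    bad = []
    for user, attrs in parse_users(text).items():
        present = [a for a in VLAN_REPLY_ATTRS if a in attrs]
        if present and len(present) != len(VLAN_REPLY_ATTRS):
            bad.append(user)
    return bad


if __name__ == "__main__":
    print(vlan_user_entry("gabriel", "Torres1234", 300))
    print(mac_entry("10:65:30:60:FD:5B"))
    print("incomplete VLAN entries:", incomplete_vlan_users(SAMPLE_USERS))
```

Running the check against the sample reports alice and nobody else; run it against /etc/freeradius/3.0/users after editing and before restarting the service, and you catch the missing-attribute mistake without a trip to the switch.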



        

The last file to maybe edit is the radiusd.conf file. I say maybe because my change only enables logging of attempts and maintains a forensic log of successful and rejected attempts to access the wireless network. The radius.log file can get large, so this alteration is up to you.

sudo vi radiusd.conf

Inside you will see a log section as seen below. The section copied from my Pi below has had text removed for brevity. You will see an auth = no. You need to alter that to auth = yes for the Raspberry Pi to log authentication requests.

           
log {
        #
        # Destination for log messages. This can be one of:
        #
        #      files - log to "file", as defined below.
        #      syslog - to syslog (see also the "syslog_facility", below.
        #      stdout - standard output
        #      stderr - standard error.
        :
        :
        # Log authentication requests to the log file.
        #
        # allowed values: {no, yes}
        auth = yes



Now press the Esc key, then type :wq
        

Restart the freeradius server service with the following commands;

sudo service freeradius stop

sudo service freeradius start

You can test from the Raspberry Pi terminal that freeradius is working with the radtest command. The radtest command needs the IP address of the freeradius server, which is the IP address of the Raspberry Pi.

radtest gabriel Torres1234 <ipaddress> 0 friend

If you haven't made any mistakes in the three radius files you should see something like;

pi@raspberrypi:~ $ radtest gabriel Torres1234 <radius server IP addr> 1812 friend

Sent Access-Request Id 143 from 0.0.0.0:55830 to 192.168.10.14:1812 length 77
        User-Name = "gabriel"
        User-Password = "Torres1234"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
        Message-Authenticator = 0x00
        Cleartext-Password = "Torres1234"
Received Access-Accept Id 143 from 192.168.10.14:1812 to 0.0.0.0:0 length 32
        Service-Type = Administrative-User
        Management-Privilege-Level = 15
pi@raspberrypi:~ $ 
        

If this command doesn’t work, then you have probably screwed up the configuration of one of those three freeradius files. The mistake must be fixed and the freeradius service stopped and started again.

You can check the radius log by going to the following location on the pi and looking at the freeradius log file.

cd /var/log/freeradius/

sudo cat radius.log

Fri Apr 19 12:17:08 2019 : Info: Loaded virtual server default
Fri Apr 19 12:17:08 2019 : Info: Loaded virtual server inner-tunnel
Fri Apr 19 12:17:08 2019 : Info: Ready to process requests
Fri Apr 19 15:18:09 2019 : Auth: (0) Login OK: [gabriel/Torres1234] (from client any port 0)
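Once auth = yes is set, radius.log is the forensic record mentioned above, and reading it with cat stops scaling quickly. The script below is an added example, not part of the article or of freeradius: it parses the Auth lines into events and summarises accepted and rejected attempts per user, rejections per NAS client, and calling stations with repeated rejections. The first log line is the article's own; the remaining Auth lines are constructed in the same format with assumed users and client names. Note that the successful-login line carries the cleartext password, so the parser deliberately never keeps the text after the slash.

```python
import re
from collections import Counter

# Constructed radius.log excerpt, not the author's log: the Login OK line for
# gabriel mirrors the article; the other Auth lines are assumed formats for a
# wrong password, a switch admin login and an unknown MAC-address user.
SAMPLE_LOG = """\
Fri Apr 19 12:17:08 2019 : Info: Ready to process requests
Fri Apr 19 15:18:09 2019 : Auth: (0) Login OK: [gabriel/Torres1234] (from client any port 0)
Fri Apr 19 15:19:41 2019 : Auth: (1) Login incorrect (pap: Cleartext password does not match "known good" password): [gabriel/wrongpass] (from client any port 0 cli 10-65-30-60-fd-5b)
Fri Apr 19 15:20:02 2019 : Auth: (2) Login OK: [katie/<via Auth-Type = PAP>] (from client sw-core port 0 cli 192.168.1.77)
Fri Apr 19 15:20:30 2019 : Auth: (3) Invalid user: [00-11-22-33-44-55/<via Auth-Type = PAP>] (from client ap-lab port 0 cli 00-11-22-33-44-55)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: \(\d+\) "
    r"(?P<result>Login OK|Login incorrect|Invalid user).*?: "
    r"\[(?P<user>[^/\]]+)/[^\]]*\] "  # text after '/' may be a password; it is never captured
    r"\(from client (?P<client>\S+) port (?P<port>\S+)(?: cli (?P<cli>\S+))?\)"
)


def parse_auth_lines(text):
    """Return one dict per Auth line; Info/Error lines and unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ok"] = ev["result"] == "Login OK"
            events.append(ev)
    return events


def summarize_by_user(text):
    """Count accepted and rejected attempts per username."""
    summary = {}
    for ev in parse_auth_lines(text):
        counts = summary.setdefault(ev["user"], {"ok": 0, "fail": 0})
        counts["ok" if ev["ok"] else "fail"] += 1
    return summary


def failures_by_client(text):
    """Rejected attempts per NAS client name, to see which AP or switch generates them."""
    return Counter(ev["client"] for ev in parse_auth_lines(text) if not ev["ok"])


def noisy_stations(text, threshold=2):
    """Calling stations (cli field) with at least `threshold` rejections, sorted."""
    counts = Counter(ev["cli"] for ev in parse_auth_lines(text)
                     if not ev["ok"] and ev["cli"])
    return sorted(station for station, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for user, counts in summarize_by_user(SAMPLE_LOG).items():
        print(f"{user:20} ok={counts['ok']} fail={counts['fail']}")
    print("rejections per client:", dict(failures_by_client(SAMPLE_LOG)))
    print("stations with repeated rejections:", noisy_stations(SAMPLE_LOG))
```

On the Pi it reads the real file with sudo python3 script.py after swapping SAMPLE_LOG for the contents of /var/log/freeradius/radius.log. Since the log also contains the Info lines shown above and may contain passwords, the parser only ever keeps the username, the result, the client and the station, which is what a review of who got in and who kept failing needs.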
        


Now set the ATI access point you are using to provide WPA-Enterprise authentication. Whatever address you statically configured on your Pi is the address to use when defining the radius server for WPA-Enterprise.

For testing purposes, tagged VLAN 300 is added on the switch port the access point is connected to. You should find that the wireless 802.1x user gabriel is now dumped onto tagged VLAN 300 on the switch. The SSID used to access the access point does not need to be assigned to anything but the default wireless LAN. Tick dynamic VLAN assignment in the access point GUI and off you go. Make sure to save your changes.

There are a few ongoing administrative tasks that need to be done on the Pi, like clearing logs occasionally, so figure out how to perform these sorts of tasks. :-)

Now let's use the Pi to authenticate and authorize my administrative access to a switch or firewall appliance.

AAA access to a firewall or switch via the cheap cheap freeradius server

The reference I used to create the following section is the Allied Telesis document entitled "AAA and Port Authentication Feature Overview and Configuration Guide". If you wish to use a freeradius server to authenticate and authorize your access to your Allied Telesis firewall or switch for management purposes, you can use the following as a possible template/example.

Add an entry to the freeradius users file, like the following. In the freeradius users entry file shown below, user katie is at administrative level 15.

katie  Cleartext-Password := "isanicegirl"
      Service-Type = Administrative-User,
      Management-Privilege-Level  = 15

        

The username ati-tac is in the switch CLI configuration in case the radius server is offline. The aaa authentication statement below will subsequently try the local user authentication database if it can't get to the radius group called pi. Add the following to the switch or firewall appliance configuration;

username ati-tac privilege 15 password realniceguy

ssh server v2only
ssh server max-startups 5
ssh server allow-users ati-tac
ssh server allow-users katie
ssh server allow-users gabriel

radius-server host 192.168.1.130 key friend

aaa group server radius pi
 server 192.168.1.130

aaa authentication login default group pi local
        

Again, to emphasize: when you try to ssh or log into the switch, the aaa statement tells the device to first try the radius group called pi for authentication and authorization, but if the radius server or servers in the group are offline, the Allied appliance will, as a last resort, use the local user authentication database built into the switch or firewall to authenticate the user.

Go have some fun and give it a try. Remember, if you screw up the Pi configuration, you can reload the Pi with Noobs. If you screw up the switch or firewall, you can erase to factory defaults. So no harm really done :-) so have some fun.

Pretty cool article David, we love using these Pi’s
