How to setup Free radius for sending attributes in the Access Challenge

Summary

How to use Free radius for sending attributes in the Access Challenge

Question

How to setup Free radius for sending attributes in the Access Challenge for rfc5580

Customer Environment

Ubuntu 18.04.6, FreeRADIUS 3.0

Troubleshooting Steps

NA

Workaround

NA

Resolution

Assumptions

This article assumes the Ubuntu Linux host has already been deployed and that the user has basic knowledge of working with Linux and the RADIUS protocol.

Updating host package list
As root, issue the following command to receive the latest version of all packages for the system:

# apt-get update

Install FreeRADIUS packages

As root, execute the following command to retrieve and install the FreeRADIUS daemon and its related dependencies:

# apt-get install freeradius

Basic configuration of FreeRADIUS

FreeRADIUS configuration files are located in the "/etc/freeradius/3.0" folder in the current FreeRADIUS version. The basic configuration requirements include defining your Ruckus controller as a "client" and specifying a shared secret known only to the controller and FreeRADIUS. A client definition may include a single host or an entire management subnet. To define your Ruckus controller(s) as clients, insert the following lines at the top of the "/etc/freeradius/3.0/clients.conf" file using vi:

client Ruckus-vSZ {
ipaddr = 10.176.X.X
secret = Secret@1234
}

Here 10.176.X.X should be replaced with the Ruckus controller management prefix (or host address), and the secret with your own shared secret.

Next, add a test user to confirm the FreeRADIUS server is configured correctly. Add a user by inserting the following lines at the top of the file "/etc/freeradius/3.0/users" using vi:

rfc5580 Cleartext-Password := "test@123", Max-Daily-Session := 1800
        Framed-IP-Address = 10.211.55.100,
        Reply-Message = "Hello, %{User-Name}"

Save the file and have the FreeRADIUS service re-read its configuration files by issuing the command:

# service freeradius restart

Use the radtest application to connect to the FreeRADIUS server and attempt to authenticate user "rfc5580" with password "test@123" (defined in the "users" file):

# radtest rfc5580 test@123 localhost 1812 testing123

Note that "localhost" is already defined as a client in clients.conf, with the shared secret "testing123". If all the instructions were followed correctly, an Access-Accept message will be sent by the FreeRADIUS server, including the attributes specified for the user "demo":

Sent Access-Request Id 43 from 0.0.0.0:53904 to 127.0.0.1:1812 length 77
        User-Name = "rfc5580"
        User-Password = "test@123"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        Message-Authenticator = 0x00
        Cleartext-Password = "test@123"
Received Access-Accept Id 43 from 127.0.0.1:1812 to 0.0.0.0:0 length 100
        Framed-IP-Address = 10.211.55.100
        Reply-Message = "Hello, rfc5580"

Setting up for Access-Challenge

Now we configure the server to challenge the client with certain attributes in the Access-Challenge packet. For that we need to modify the "default" file under /etc/freeradius/3.0/sites-available using vi:

In this example we challenge a particular client with the information below. The configuration needs to be added in 3 places in the default file; a reference file is attached below.

if (&User-Name == "rfc5580") {
        update reply {
                &Session-Timeout = 10089
                &Basic-Location-Policy-Rules += "0000123456781234567812345678123456780000"
                &Requested-Location-Info += "11"
                &Extended-Location-Policy-Rules += "78"
        }
}


Save the file and have the FreeRADIUS service re-read its configuration files by issuing the command:

# service freeradius restart

Use the radtest application again to connect to the FreeRADIUS server and attempt to authenticate user "rfc5580" with password "test@123":

# radtest rfc5580 test@123 localhost 1812 testing123

You should see an Access-Accept message like the one below.

Sent Access-Request Id 102 from 0.0.0.0:40913 to 127.0.0.1:1812 length 77
        User-Name = "rfc5580"
        User-Password = "test@123"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        Message-Authenticator = 0x00
        Cleartext-Password = "test@123"
Received Access-Accept Id 102 from 127.0.0.1:1812 to 0.0.0.0:0 length 100
        Framed-IP-Address = 10.211.55.100
        Reply-Message = "Hello, rfc5580"
        Session-Timeout = 10000
        Basic-Location-Policy-Rules = 0x30303030313233343536373831323334353637383132333435363738313233343536373830303030
        Requested-Location-Info = 11
        Extended-Location-Policy-Rules = 0x3738

If you get the output above, the RADIUS server has been set up to send attributes in the Access-Challenge.
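To check a reply like the one above independently of radtest, the following added example (not part of this article or of FreeRADIUS) verifies the RADIUS Response Authenticator against the shared secret and decodes the RFC 5580 attributes by their type codes. It assumes the standard type numbers 129 (Basic-Location-Policy-Rules), 130 (Extended-Location-Policy-Rules) and 132 (Requested-Location-Info), and the sample packet is constructed inline from the attribute values shown above, carried in an Access-Challenge.

```python
import hashlib
import hmac
import struct
# Attribute type codes from RFC 2865 (18, 27) and RFC 5580 (129, 130, 132); assumed correct.
ATTR_NAMES = {
    18: "Reply-Message",
    27: "Session-Timeout",
    129: "Basic-Location-Policy-Rules",
    130: "Extended-Location-Policy-Rules",
    132: "Requested-Location-Info",
}
INTEGER_ATTRS = {27, 132}          # 4-byte big-endian integers; the rest are raw octets

def build_reply(code, ident, req_auth, secret, attrs):
    """Encode a RADIUS reply with a valid Response Authenticator (RFC 2865 section 3)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body

def parse_reply(packet, req_auth, secret):
    """Verify the Response Authenticator first, then decode attributes by type code."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    resp_auth, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + req_auth + body + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    attrs, pos = {}, 0
    while pos < len(body):
        t, l = body[pos], body[pos + 1]
        if l < 2 or pos + l > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        v = body[pos + 2:pos + l]
        name = ATTR_NAMES.get(t, "Attr-%d" % t)
        attrs[name] = struct.unpack("!I", v)[0] if t in INTEGER_ATTRS else v
        pos += l
    return code, ident, attrs

# Constructed sample: the reply attributes from this article in an Access-Challenge (code 11),
# signed with the "localhost" client secret from clients.conf.
SECRET = b"testing123"
REQ_AUTH = bytes(range(16))        # constructed; a real client sends 16 random bytes
SAMPLE = build_reply(11, 102, REQ_AUTH, SECRET, [
    (18, b"Hello, rfc5580"),
    (27, struct.pack("!I", 10000)),
    (129, b"0000123456781234567812345678123456780000"),
    (132, struct.pack("!I", 11)),
    (130, b"78"),
])
```

The hex values radtest prints (0x3030... and 0x3738) are simply the octet encoding of the strings set in the unlang block, which parse_reply returns as bytes.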


Now we can test client connectivity and verify the attributes in the Access-Challenge.


NOTE: A sample "default" file is attached, which can be used as a reference to modify or replace your own file.

Attachment 1: default-GEO (28.6 KB)

Article Number:
000012278

Updated:
September 29, 2022 07:28 PM (over 1 year ago)


Tags:
Configuration, Knowledge
