
FreeRADIUS with group membership (cOS core 10.x)

Posted: 29 Aug 2014, 02:49
by Siby
This How-to applies to:
  • Clavister CorePlus 8.x, 9.x
  • Clavister cOS Core 10.x
  • FreeRADIUS
Description:

This article shows how to set up User Authentication on a Clavister Security Gateway so that users are validated against a machine running FreeRADIUS.

Topics covered in this document
  • Configuring FreeRADIUS
  • Configuring Clavister Security Gateway
Configuring FreeRADIUS

Clavister Vendor Specific attributes

FreeRADIUS must tell the Clavister Security Gateway that any user matching this policy belongs to a certain group. This is done by letting FreeRADIUS send a Vendor-Specific Attribute (VSA) to the Clavister Security Gateway as part of the remote policy.

To add the Clavister Security Gateway Vendor Specific attributes (these are predefined in newer releases of FreeRADIUS, in /usr/share/freeradius/dictionary.clavister), edit the dictionary file and add the following line:

nano /etc/freeradius/dictionary
$INCLUDE /usr/share/freeradius/dictionary.clavister


Adding a client
In order for the Clavister Security Gateway to be allowed to communicate with FreeRADIUS, it has to be added as a client.

nano /etc/freeradius/clients

client 192.168.2.0/24 {
        secret          = 123456
}
The secret is the shared secret that is used to encrypt the user password when a RADIUS packet is transmitted, so the same care should be taken as when choosing a regular password (it should be hard to guess, not too short, etc.). The Clavister Security Gateway supports shared secrets of up to 100 characters. Remember that the shared secret is case-sensitive.


Setting up users

Note: Auth-Type = System means that FreeRADIUS will validate users against the host OS user accounts.

nano /etc/freeradius/users

DEFAULT Auth-Type = System
        Clavister-User-Group = "ADMIN",
        Fall-Through = 1

When this is done, you need to restart FreeRADIUS.

You can start FreeRADIUS in debug mode, which will tell you exactly what is going on:

$ freeradius -X

This is what you want to see:

Sending Access-Accept of id 86 to 192.168.2.39 port 4961
Clavister-User-Group = "ADMIN"
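As an added example (not part of the original post) of what the shared secret and the VSA described above actually do on the wire: the RFC 2865 User-Password hiding that the secret drives, and the encoding of a Vendor-Specific attribute (type 26) carrying a group name. The vendor ID and vendor attribute number are placeholders, not Clavister's real values.

```python
import hashlib
import struct

VENDOR_ID = 99999      # ASSUMPTION: placeholder, not Clavister's real enterprise number
VENDOR_ATTR_GROUP = 1  # ASSUMPTION: placeholder number for the group-name attribute


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block  # next key depends on the ciphertext block just produced
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; a wrong secret simply yields garbage."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\x00")  # NUL padding removed (RADIUS cannot carry trailing NULs)


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute: Type=26, Length, Vendor-Id,
    then vendor Type, vendor Length and the value (here a group name)."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", 26, 6 + len(inner), vendor_id) + inner


def decode_vsa(attr: bytes) -> tuple:
    """Return (vendor_id, vendor_type, value); rejects a non-VSA or bad length."""
    atype, alen, vendor = struct.unpack("!BBI", attr[:6])
    if atype != 26 or alen != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vtype, vlen = struct.unpack("!BB", attr[6:8])
    return vendor, vtype, attr[8:6 + vlen]


if __name__ == "__main__":
    ra = bytes(range(16))  # constructed Request Authenticator (normally random)
    hidden = hide_password(b"s3cretPassw0rd-long-enough", b"123456", ra)
    print(reveal_password(hidden, b"123456", ra), decode_vsa(encode_vsa(VENDOR_ID, 1, b"ADMIN")))
```

Because every block is keyed only by the secret, the Request Authenticator and the previous ciphertext block, a guessable secret lets anyone who captured the Access-Request recover the password offline; hence the advice above to choose it like a real password.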

[Figure: RADIUS MEMBERSHIP.png]
Configuring Clavister Security Gateway
This is described in the Knowledge Base article "Linking Active Directory with Clavister Security Gateway User Authentication", in the section "Configuring User Authentication on the Clavister Security Gateway". It can be found here: viewtopic.php?f=8&t=3423

Note that you have to use PAP.