FreeRADIUS with group membership (cOS core 10.x)


Post by Siby » 29 Aug 2014, 02:49

This How-to applies to:
  • Clavister CorePlus 8.x, 9.x
  • Clavister cOS Core 10.x
  • FreeRADIUS

This article shows how to set up an environment with User Authentication in Clavister Security Gateway that validates users against a machine running FreeRADIUS.

Topics covered in this document
  • Configuring FreeRADIUS
  • Configuring Clavister Security Gateway

Configuring FreeRADIUS

Clavister Vendor Specific attributes

FreeRADIUS must notify the Clavister Security Gateway that any user who matches this policy belongs to a certain group. This is done by letting FreeRADIUS send a Vendor-Specific Attribute (VSA) to the Clavister Security Gateway as part of the remote policy.

To add the Clavister Security Gateway vendor-specific attributes (these are predefined in newer releases of FreeRADIUS, in /usr/share/freeradius/dictionary.clavister), edit the dictionary file and add the following line:

nano /etc/freeradius/dictionary

$INCLUDE /usr/share/freeradius/dictionary.clavister

Adding a client
In order for Clavister Security Gateway to be allowed to communicate with FreeRADIUS it has to be added as a client.

nano /etc/freeradius/clients

Code: Select all

client {
        secret          = 123456
}

The secret is the shared secret used to encrypt the user password when a RADIUS packet is transmitted, so choose it with the same care as a regular password (it should be hard to guess, not too short, etc.). The Clavister Security Gateway supports shared secrets of up to 100 characters. Remember that the shared secret is case-sensitive.

Setting up users

Note: Auth-Type = System means that FreeRADIUS will use the host OS user accounts.

nano /etc/freeradius/users

Code: Select all

DEFAULT Auth-Type = System
        Clavister-User-Group = "ADMIN",
        Fall-Through = 1

When this is done, you need to restart FreeRADIUS.

You can start FreeRADIUS in debug mode, which will tell you exactly what is going on:

$ freeradius -X

You want to see something like this:

Sending Access-Accept of id 86 to port 4961
Clavister-User-Group = "ADMIN"

Configuring Clavister Security Gateway
This is described in the Knowledge Base article "Linking Active Directory with Clavister Security Gateway User Authentication - Configuring User Authentication on the Clavister Security Gateway", which can be found here: viewtopic.php?f=8&t=3423

Note: You have to use PAP.
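
The Access-Accept with Clavister-User-Group shown in the FreeRADIUS debug output above carries the group as a Vendor-Specific attribute (type 26) and is tied to the shared secret through the Response Authenticator defined in RFC 2865. The following Python code is an added example, not part of the original post or of FreeRADIUS or Clavister code: it builds a constructed Access-Accept and then checks and parses it as a RADIUS client would. The vendor ID 5089 and attribute number 1 are assumptions to confirm against your dictionary.clavister; the secret and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

# Assumed numbers: confirm both against your dictionary.clavister.
CLAVISTER_VENDOR_ID = 5089   # assumed enterprise number for Clavister
CLAVISTER_USER_GROUP = 1     # assumed vendor attribute number
ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26  # RFC 2865 packet code / attribute type


def build_accept(ident, request_auth, secret, group):
    """Build a constructed Access-Accept carrying Clavister-User-Group."""
    sub = bytes([CLAVISTER_USER_GROUP, 2 + len(group)]) + group
    vsa = (bytes([VENDOR_SPECIFIC, 6 + len(sub)])
           + struct.pack("!I", CLAVISTER_VENDOR_ID) + sub)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(vsa))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    auth = hashlib.md5(header + request_auth + vsa + secret).digest()
    return header + auth + vsa


def tlvs(data):
    """Yield (type, value) for each type-length-value attribute in data."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        yield data[pos], data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]


def user_groups(packet, request_auth, secret):
    """Return Clavister-User-Group values from an authentic Access-Accept."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator (shared secret mismatch?)")
    groups = []
    for atype, value in tlvs(attrs):
        if (atype == VENDOR_SPECIFIC and len(value) >= 4
                and struct.unpack("!I", value[:4])[0] == CLAVISTER_VENDOR_ID):
            groups += [v.decode() for t, v in tlvs(value[4:]) if t == CLAVISTER_USER_GROUP]
    return groups


if __name__ == "__main__":
    ra = bytes(range(16))  # constructed Request Authenticator
    pkt = build_accept(86, ra, b"constructed-shared-secret", b"ADMIN")
    print(user_groups(pkt, ra, b"constructed-shared-secret"))
```

A reply checked with a different shared secret, or altered after it was sent, fails the authenticator comparison and yields no group at all.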
