RADIUS authentication


RADIUS AUTHENTICATION CHAIN

INSTALLATION AND CONFIGURATION

Thomas VENARD, Wireless-lyon. Created 25/03/2002 6:12. Wireless-fr. Proofreading:

CONTENTS

Principle
Prerequisites
MySQL server
    Checks
    Configuration
RADIUS server
    Installation
    Configuration
PPP server
    Checks
    Installing the pam_radius_auth module
    Configuration
PPPoE server
    Installation
    Configuration
    Startup
PPPoE client
    Windows 98/98SE or ME
    Windows 2000
Appendix
    Startup scripts
        RADIUS server
        Gateway

Principle

RADIUS authentication is used to check that a user connecting to the network is authorized to be there. The check is done by a RADIUS server backed by a MySQL database that holds the list of users allowed to connect to the network.

For availability, two RADIUS servers with identical databases are used, as shown in the following diagram:

Definitions:

Client (end point): uses the PPPoE protocol to connect to the Wireless-fr network.

Access server (gateway, or NAS: Network Access Server): the junction between the clients and the Wireless-fr network. It runs the PPPoE server and acts as the RADIUS client.

RADIUS server: the authentication server; it stores its data in a MySQL database.

Prerequisites

RADIUS server: RedHat installed in server mode, with MySQL (>= 3.2 …) installed and configured.

Gateway: RedHat with PAM module support and pppd >= 2.0.

Client: Windows 98/98SE/ME, Windows 2000, Windows XP, Linux, Mac.

Required software:

FreeRADIUS 0.5 (www.freeradius.org)
pam_radius_auth (www.freeradius.org/pam_auth_radius)
pppoe-server from rp-pppoe (www.roaring-penguin.com)
RASPPPoE or another PPPoE client

MySQL server

Checks: make sure the MySQL server is started at boot and is running.

Configuration: create a MySQL user radius with password xxxx, then create the RADIUS tables with the SQL script shipped in the directory freeradius-0.5/drivers/relm …

mysql -u radius -pxxxx < db_mysql.sql

(Give -p the password with no space after it, or use -p alone to be prompted; "-p xxxx" makes mysql treat xxxx as a database name. A password given on the command line shows up in the process list and the shell history, so prefer the prompt on a shared machine.)

Allow the backup RADIUS server to connect to the MySQL database:

mysql -u root -pxxxx

connect mysql
insert into ….

(Whatever form the grant takes, restrict it to the backup server's address and to the radius database rather than allowing connections from any host.)

Database replication: […]

RADIUS server

Installation

tar xvfz freeradius.tar.gz
cd freeradius-0.5/
./configure --localdir=/ --configdir=/etc
make
make install

(Check ./configure --help for the exact names of the directory options in your version.)

Configuration

cd /etc/raddb

vi clients (or clients.conf): add the gateway as a RADIUS client, with the shared secret it will present to the server. Use a long random value: the protection RADIUS gives the user's password rests entirely on this secret, and the same value goes into the gateway's /etc/raddb/server file.

vi sql.conf: point the module at the local database and at the backup database.

vi radiusd.conf: add "sql" and "sql2" to the authorize section.

Adding a user to the RADIUS/MySQL database

PPP server

Checks: pppd must be installed on the machine; if it is not, sort it out and install it!

pppd -v: pppd version 2.4.1 …

Installing the pam_radius_auth module

No comment needed …:

tar xvf pam_radius…
cd pam_radius…
./configure
make
cp pam_radius_auth.so /lib/security

Configuration

The files /etc/ppp/pap-secrets and /etc/pam.d/ppp must be modified so that PAP authentication is handed to the RADIUS server:

/etc/ppp/pap-secrets:
* * "" *

/etc/pam.d/ppp:
auth     required   pam_radius_auth.so
account  required   pam_permit.so
session  required   pam_radius_auth.so

The pap-secrets line matches any peer with an empty secret, so the PAM stack is what actually checks the password; pppd only consults PAM when it runs with the login option (set in pppoe-server-options below). Keep in mind that PAP carries the password in clear on the PPPoE link, so without link-layer encryption anyone on the same wireless segment can read it.

Then configure the file the module uses to reach the RADIUS servers:

/etc/raddb/server:
<radius server> <secret> <timeout>
<radius server> <secret> <timeout>

Note: <secret> is the password (key) shared between the RADIUS module and the RADIUS server; it must be the value entered for this gateway on the server side. The servers are tried in the order listed, so the second line is the backup. Because the file holds the secrets, make it readable by root only (chmod 600).
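The exchange that the Principle section describes, between the gateway (RADIUS client) and the two RADIUS servers listed in /etc/raddb/server, as an added example that is not part of the original document and not code from FreeRADIUS or pam_radius_auth. It assumes a constructed server file, a fake in-memory server standing in for FreeRADIUS and its MySQL user table, and a transport callback standing in for UDP port 1812; the packet layout, the User-Password hiding and the Response Authenticator follow RFC 2865, which both real components implement.

```python
"""RADIUS PAP exchange, NAS side and server side (added offline model).

Not code from the original document, FreeRADIUS or pam_radius_auth. It models
what pam_radius_auth does with /etc/raddb/server: send an Access-Request whose
User-Password is hidden under the shared secret (RFC 2865 5.2), try the listed
servers in order, and accept only an Access-Accept whose Response Authenticator
verifies (RFC 2865 3). FakeRadiusServer stands in for FreeRADIUS and MySQL.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types

# Constructed sample of the pam_radius_auth server file: primary first, backup second.
SERVER_FILE = """\
# server[:port]   shared secret    timeout
10.0.0.2          s3cr3t-primary   3
10.0.0.3          s3cr3t-backup    3
"""

def parse_server_file(text):
    """Return [(host, secret, timeout)] in file order; comments and blanks skipped."""
    servers = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if f:
            servers.append((f[0], f[1].encode(), int(f[2]) if len(f) > 2 else 3))
    return servers

def keystream(secret, prev):
    return hashlib.md5(secret + prev).digest()

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: null-pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    Reversible by anyone holding the secret: obfuscation, not encryption."""
    pw = password.encode() or b"\x00"
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], keystream(secret, prev)))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; the server does this before its SQL lookup."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream(secret, prev)))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()

def encode(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) then type/length/value attributes."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2:
            raise ValueError("malformed attribute length")  # would loop forever otherwise
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs

def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

class FakeRadiusServer:
    """Stand-in for FreeRADIUS; `users` stands in for the MySQL user table."""
    def __init__(self, secret, users, alive=True):
        self.secret, self.users, self.alive = secret.encode(), users, alive

    def handle(self, packet):
        if not self.alive:
            return None  # models a timeout
        code, ident, req_auth, attrs = decode(packet)
        fields = dict(attrs)
        password = unhide_password(fields[USER_PASSWORD], self.secret, req_auth)
        ok = self.users.get(fields[USER_NAME].decode()) == password
        reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
        auth = response_authenticator(reply, ident, req_auth, [], self.secret)
        return encode(reply, ident, auth, [])

def authenticate(user, password, server_text, transport, ident=1):
    """NAS side. transport(host, packet) returns reply bytes, or None on timeout."""
    for host, secret, _timeout in parse_server_file(server_text):
        request_auth = os.urandom(16)  # fresh per request, never reused
        attrs = [(USER_NAME, user.encode()),
                 (USER_PASSWORD, hide_password(password, secret, request_auth))]
        reply = transport(host, encode(ACCESS_REQUEST, ident, request_auth, attrs))
        if reply is None:
            continue  # server silent: fall back to the next line of the file
        code, rid, auth, rattrs = decode(reply)
        if rid != ident or auth != response_authenticator(code, rid, request_auth, rattrs, secret):
            return False  # forged or wrong-secret reply: not from our server
        return code == ACCESS_ACCEPT
    return False  # every server timed out: fail closed
```

Two points the configuration sections rely on are visible here. The secret in /etc/raddb/server has to match the one entered for this gateway on the server side, otherwise the Response Authenticator check fails and every login is refused, which is also what stops a forged Access-Accept from granting access. And a request that nobody answers fails closed only because the gateway returns False after the last server; the second line of the file is what keeps logins working when the primary is down. The hiding of User-Password is reversible by anyone who holds the secret, which is why the server file must be root-only and the secret long and random.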


PPPoE server

The PPPoE server listens for session-open requests and sets up a PPPoE session with the client through the pppd daemon.

Installation

tar xvfz rpppoe.tar.gz
./configure
make
make install

Configuration

/etc/ppp/pppoe-server-options:
require-pap
login
mtu …

require-pap forces the client to authenticate with PAP, the only method the PAM module can check since it needs the cleartext password; login makes pppd pass that password to the PAM "ppp" stack configured above.

Startup

pppoe-server -I <LAN interface> [-k] &

(The -k option selects the kernel PPPoE mode, if the kernel was built with PPPoE support.)

PPPoE client

Get the latest version of RASPPPOE from the site ….

Windows 98/98SE or ME

Installing the PPP over Ethernet Protocol

Right-click the Network Neighborhood (Windows 98/98SE) or My Network Places (Windows ME) icon on your desktop and select Properties to bring up the Network Configuration window.

Click the Add... button.

In the Select Network Component Type window, select Protocol and click the Add... button. (Note: It could take a few seconds for the following window to come up.)

In the Select Network Protocol window, click the Have Disk... button.

In the Install From Disk window, either type the name of your temporary installation directory or click the Browse... button to navigate to it (it does not matter which of the three INF files you select, Windows will automatically pick the right one later). Then click the OK button. A new window opens, offering the PPP over Ethernet Protocol for installation. Click OK to start installing the protocol.

If you have more than one network adapter in your system, you may want to remove the PPP over Ethernet Protocol for all adapters but the one your broadband modem is actually connected to. To do this, locate all unneeded PPP over Ethernet Protocol -> Adapter Name entries in the Network Configuration window, select them one by one and click the Remove button. (Note: For each adapter you remove the protocol from, you will see two additional entries disappear: PPP over Ethernet Miniport -> PPP over Ethernet Protocol and NDISWAN -> PPP over Ethernet Miniport. Do not remove any of these entries manually!)

IMPORTANT: Locate and select the TCP/IP->Adapter Name entry for the network adapter connected to your broadband modem. If this network adapter is dedicated to your broadband modem, simply click the Remove button. If you also want to access other local machines through the same network adapter, click the Configure button and assign a fixed IP address (e.g. 192.168.0.1 with subnet mask 255.255.255.0). If you do not take either of these steps, you will experience periodic pauses while using this protocol, because Windows will periodically halt the network adapter and try to acquire an IP address for it, which also makes the machine take significantly longer to boot up.

Click the OK button to close the Network Configuration window and confirm to reboot.

After the reboot, the protocol is fully functional, but you still need to create a dial-up connection to use it. See the next section for details.


Creating PPP over Ethernet Dial-up Connections

PPP over Ethernet dial-up connections can be most conveniently created with the Dial-up Connection Setup application provided with the protocol, which creates dial-up connections with all the correct settings at the click of a button.

NOTE: The Dial-Up Networking folder interferes with the operation of this application and prevents successful creation of dial-up connections. Thus, if you currently have the Dial-Up Networking folder open, please close that window before proceeding.

Click the Start button on the taskbar and select Run... to bring up the Run dialog box.

Type RASPPPOE in the edit field and click the OK button to run the Dial-up Connection Setup application.

If the application quits with an error message, follow the advice it gives.

A dialog box comes up with a combo box labeled Query available PPP over Ethernet Services through Adapter: at the top. Select the network adapter your broadband modem is connected to from the list. If the protocol is only operating on one network adapter, the box will be grayed out as there is no choice to make.

Generally, it is recommended that you create a connection for an adapter, not for a specific service, so that it continues to work even if your provider changes the server or service name. To do this, simply click the Create a Dial-up Connection for the selected Adapter button now. Shortly afterwards, a shortcut to the new dial-up connection named Connection through Adapter Name should show up on your desktop.

If you want to create a connection for a specific service, click the Query Available Services button. The application will send out a query for offered services and display the result in the list view below. If an error message is displayed, follow the advice it gives. Otherwise, select the desired service and the button below will change to Create a Dial-up Connection for the selected Service. Click the button to create a connection for this service. Shortly afterwards, a shortcut to the new dial-up connection named Connection to Service Name at Access Concentrator or Connection to Access Concentrator (if the connection is for the default service) should show up on your desktop.

After you have created the connection(s) you need, click the Exit button to quit the application.

Double-click the desktop icon for the dial-up connection you created.

In the Connect To window, enter your user name and password if your service provider requires authentication.

Click on the Connect button. If all goes well, you should be connected to the Internet almost instantly.


Windows 2000

Installing the PPP over Ethernet Protocol

WARNING: You are about to install a driver. Since any driver installation poses a non-zero risk of crashing your operating system, you are advised to save your work and close all running applications before proceeding.

Since you are about to install a driver, you will need administrative privileges to perform the installation. If you are logged on to a user account, log off and log on to an account with administrative privileges before proceeding.

If there is already a different PPPoE implementation installed on your machine, it might get confused by the PPPoE traffic generated by this protocol. This protocol was written to peacefully coexist with other PPPoE implementations on the same machine, but other programmers may not have been as thoughtful. Thus, it is recommended (but not required!) that you uninstall any other PPPoE implementations and reboot your machine before proceeding.

Unpack the downloaded archive to a temporary installation directory. Make sure that the following files are correctly extracted: README98.HTM, README2K.HTM, NETPPPOE.INF, RASPPPOE.INF, WINPPPOE.INF, WINPPPOE.DLL, RASPPPOE.DLL, RASPPPOE.EXE and RMSPPPOE.SYS. NOTE: The Intel Itanium 64-bit CPU release only contains the files README2K.HTM, NETPPPOE.INF, RASPPPOE.INF, RASPPPOE.DLL, RASPPPOE.EXE and RMSPPPOE.SYS.

If you are running Windows 2000, right-click the My Network Places icon on your desktop and select Properties to bring up the Network and Dial-up Connections window.

If you are running Windows XP/2002, click the Start button, select Control Panel, then click Network and Internet Connections and then click the Network Connections control panel icon to bring up the Network Connections window.

Go to the menu and select View then Details to bring up a detailed view of the network connections on your machine.

You should find one or more Local Area Connection objects. Locate the one for the network adapter connected to your broadband modem (you should be able to tell by the name in the Device Name column), right-click it and select Properties.

In the properties dialog box, click the Install... button.

In the Select Network Component Type window, select Protocol and click the Add... button. (Note: It could take a few seconds for the following window to come up.)

In the Select Network Protocol window, click the Have Disk... button.


In the Install From Disk window, either type the name of your temporary installation directory or click the Browse... button to navigate to it (it does not matter which of the three INF files you select, Windows will automatically pick the right one later). Then click the OK button. A new window opens, offering the PPP over Ethernet Protocol for installation. Click OK to start installing the protocol.

During installation, a window titled Digital Signature Not Found (Windows 2000) or Hardware Installation (Windows XP/2002) may come up several times (typically four times per installed network adapter), warning you that the driver has no digital signature or Windows Logo. Make sure you click "Yes" (Windows 2000) or "Continue Anyway" (Windows XP/2002) every time you are prompted to allow successful installation of the protocol. Accepting these prompts installs an unsigned kernel-mode driver, so only do it for an archive obtained from the RASPPPoE author's own site.

Back at the Local Area Connection Properties window, click Close to close the window. Note: If you have a network adapter dedicated to your broadband modem, it is recommended that you first clear the checkboxes for all other components listed and leave only PPP over Ethernet Protocol checked.

If you have more than one network adapter in your system, you may want to disable the PPP over Ethernet Protocol for all adapters but the one your broadband modem is actually connected to. To do this, bring up the properties of each network adapter you want to disable the protocol for and clear the checkbox next to PPP over Ethernet Protocol in the listed components. BEWARE: If you accidentally disable the protocol for the network adapter you want to connect through, simply re-checking the checkbox, even if you do so immediately, may not be enough to make the protocol functional on that network adapter again.

The protocol is now fully functional, but you still need to create a dial-up connection to use it. See the next section for details.

Creating PPP over Ethernet Dial-up Connections

PPP over Ethernet dial-up connections can be most conveniently created with the Dial-up Connection Setup application provided with the protocol, which creates dial-up connections with all the correct settings at the click of a button.

Click the Start button on the taskbar and select Run... to bring up the Run dialog box.

Type RASPPPOE in the edit field and click the OK button to run the Dial-up Connection Setup application.

If the application quits with an error message, follow the advice it gives.

A dialog box comes up with a combo box labeled Query available PPP over Ethernet Services through Adapter: at the top. Select the network adapter your broadband modem is connected to from the list. If the protocol is only operating on one network adapter, the box will be grayed out as there is no choice to make.

Generally, it is recommended that you create a connection for an adapter, not for a specific service, so that it continues to work even if your service provider changes the server or service name. To do this, simply click the Create a Dial-up Connection for the selected Adapter button now. Shortly afterwards, a shortcut to the new dial-up connection named Connection through Adapter Name should show up on your desktop.

If you want to create a connection for a specific service, click the Query Available Services button. The application will send out a query for offered services and display the result in the list view below. If an error message is displayed, follow the advice it gives. Otherwise, select the desired service and the button below will change to Create a Dial-up Connection for the selected Service. Click the button to create a connection for this service. Shortly afterwards, a shortcut to the new dial-up connection named Connection to Service Name at Access Concentrator or Connection to Access Concentrator (if the connection is for the default service) should show up on your desktop.

After you have created the connection(s) you need, click the Exit button to quit the application.

Double-click the desktop icon for the dial-up connection you created.

In the Connect Connection Name window, enter your user name and password if your service provider requires authentication.

Click on the Dial button. If all goes well, you should be connected to the Internet almost instantly.


Appendix

Startup scripts

RADIUS server

Add to /etc/inittab:

radi:3:respawn:/usr/local/bin/radiusd -f > /dev/null 2>&1

Gateway

Add to /etc/inittab:

pppo:3:respawn:/usr/sbin/pppoe-server -I ethx [-k] -F > /dev/null 2>&1

(The id field holds at most four characters and the fields are separated by colons with no spaces; stderr is redirected with 2>&1, not 2&>1. Both daemons fork into the background by default, which would make init respawn a fresh copy endlessly, so keep them in the foreground: -f for radiusd, -F for pppoe-server.)