13.2.10 Lab: Configure A Radius Solution

qwiket

Mar 15, 2026 · 5 min read

    Understanding RADIUS Configuration: A Complete Lab Guide

    Remote Authentication Dial-In User Service (RADIUS) remains one of the most critical protocols for network authentication, authorization, and accounting. This comprehensive lab guide walks you through configuring a RADIUS solution from start to finish, providing both theoretical understanding and practical implementation steps.

    What is RADIUS and Why Configure It?

    RADIUS is a client-server protocol that provides centralized authentication, authorization, and accounting (AAA) management for network users. Organizations implement RADIUS to secure network access, simplify user management, and maintain detailed accounting records of network usage.

    The protocol operates on UDP ports 1812 (authentication) and 1813 (accounting), though some implementations use ports 1645 and 1646 for backward compatibility. When a user attempts to connect to a network resource, the RADIUS client (typically a network access server) forwards the authentication request to the RADIUS server, which then responds with an accept, reject, or challenge message.

    Lab Prerequisites and Requirements

    Before beginning the configuration process, ensure you have the following components ready:

    Essential Hardware and Software:

    • A dedicated server or virtual machine for the RADIUS server
    • Network devices that support RADIUS authentication (switches, wireless access points, VPN concentrators)
    • Client devices for testing
    • Network connectivity between all components

    Software Options:

    • FreeRADIUS (open-source and widely used)
    • Microsoft Network Policy Server (NPS)
    • Cisco Secure ACS
    • Other commercial RADIUS solutions

    For this lab, we'll focus on FreeRADIUS due to its widespread adoption and comprehensive feature set.

    Step-by-Step RADIUS Configuration

    1. Installing the RADIUS Server

    Begin by installing FreeRADIUS on your chosen server. On Debian-based systems, use:

    sudo apt-get update
    sudo apt-get install freeradius freeradius-utils
    

    For Red Hat-based systems:

    sudo yum install freeradius freeradius-utils
    

    After installation, verify the service is running (on Red Hat-based systems the service unit is named radiusd):

    sudo systemctl status freeradius
    

    2. Configuring the RADIUS Server

    The main configuration directory is typically located at /etc/freeradius/ (current Debian packages use /etc/freeradius/3.0/, and Red Hat-based packages use /etc/raddb/). The key files you'll modify include:

    clients.conf - Define network devices that can communicate with your RADIUS server:

    client switch1 {
        ipaddr = 192.168.1.2
        secret = your_shared_secret
        require_message_authenticator = no
        nas_type = cisco
    }
    

    users - Create user accounts and their authentication policies:

    testuser    Cleartext-Password := "password123"
        Service-Type = Framed-User,
        Framed-IP-Address = 192.168.1.100
    

    default - The default virtual server definition, where the default authentication and accounting settings are configured.
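
What the require_message_authenticator setting in the clients.conf entry above controls, shown as an added example (not FreeRADIUS code and not part of the original lab): the Message-Authenticator attribute is an HMAC-MD5 over the whole Access-Request keyed with the shared secret, and a server that requires it drops requests where the attribute is missing or wrong, so yes is the stricter choice for clients that send it. The packet contents, secret and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, USER_NAME, MESSAGE_AUTHENTICATOR = 1, 1, 80


def build_access_request(secret: bytes, user: bytes, authenticator: bytes) -> bytes:
    """Minimal Access-Request: User-Name plus a signed Message-Authenticator."""
    attrs = bytes([USER_NAME, 2 + len(user)]) + user
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + authenticator
    packet = header + attrs
    # HMAC-MD5 over the whole packet, keyed with the shared secret (RFC 3579, 3.2).
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """True only if attribute 80 is present and its HMAC matches the packet."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += attr_len
    return False  # no attribute 80: the case require_message_authenticator = yes rejects


def demo() -> dict:
    secret = b"constructed-lab-secret"          # constructed sample values
    good = build_access_request(secret, b"testuser", bytes(range(16)))
    tampered = good[:22] + bytes([good[22] ^ 0x01]) + good[23:]  # alter User-Name
    unsigned = good[:2] + struct.pack("!H", len(good) - 18) + good[4:-18]
    return {
        "good": verify_message_authenticator(secret, good),
        "tampered": verify_message_authenticator(secret, tampered),
        "unsigned": verify_message_authenticator(secret, unsigned),
        "wrong_secret": verify_message_authenticator(b"other-secret", good),
    }


if __name__ == "__main__":
    print(demo())
```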

    3. Setting Up Authentication Methods

    RADIUS supports multiple authentication methods. The most common include:

    PAP (Password Authentication Protocol): Sends passwords in clear text. Use only in encrypted tunnels.

    CHAP (Challenge-Handshake Authentication Protocol): More secure than PAP, uses MD5 hashing.

    MS-CHAP and MS-CHAPv2: Microsoft's challenge-response protocols, widely supported.

    EAP (Extensible Authentication Protocol): Highly flexible, supports various authentication methods including certificates.

    Configure your preferred method in the appropriate configuration file, typically eap.conf for EAP methods.

    Network Device Configuration

    Configuring RADIUS Clients

    Network devices must be configured to communicate with your RADIUS server. The configuration varies by device type:

    For Cisco Switches:

    ! Enable AAA before defining the RADIUS server
    aaa new-model
    
    radius server RADIUS-SERVER
     address ipv4 192.168.1.10 auth-port 1812 acct-port 1813
     key your_shared_secret
    
    aaa authentication login default group radius local
    aaa authorization exec default group radius
    aaa accounting exec default start-stop group radius
    

    For Wireless Access Points:

    Access points typically have a web interface for RADIUS configuration. You'll need to enter:

    • RADIUS server IP address
    • Shared secret
    • Authentication port (usually 1812)
    • Accounting port (usually 1813)

    Testing and Verification

    After configuration, thorough testing is essential:

    Basic Connectivity Test:

    radtest username password 192.168.1.10 0 your_shared_secret
    

    Using radclient for Authentication:

    echo "User-Name=testuser,User-Password=password123" | radclient -x 192.168.1.10 auth your_shared_secret
    

    Checking Server Logs:

    Monitor the RADIUS server logs to verify successful authentication attempts:

    sudo tail -f /var/log/freeradius/radius.log
    

    Troubleshooting Common Issues

    Authentication Failures:

    • Verify shared secrets match between client and server
    • Check firewall rules allowing UDP ports 1812 and 1813
    • Review server logs for specific error messages
    • Ensure time synchronization between devices (important for timestamp-based authentications)

    Accounting Issues:

    • Verify accounting ports are open
    • Check that accounting is enabled on both client and server
    • Review database connectivity if using external databases

    Performance Problems:

    • Monitor server resources during peak authentication times
    • Consider implementing RADIUS proxy for large deployments
    • Review authentication timeouts in configuration

    Security Best Practices

    Implementing RADIUS securely requires attention to several key areas:

    Network Security:

    • Use encrypted connections (IPsec or VPN) between RADIUS clients and servers
    • Implement firewall rules restricting RADIUS traffic to necessary sources
    • Use strong shared secrets and rotate them periodically

    Server Hardening:

    • Keep RADIUS software updated with security patches
    • Use dedicated hardware or isolated virtual machines
    • Implement intrusion detection systems
    • Regularly audit configuration files

    Authentication Security:

    • Prefer EAP-TLS or other certificate-based authentication when possible
    • Implement password policies for user accounts
    • Use accounting to detect unusual authentication patterns
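
A small audit of clients.conf against the points above (strong shared secrets, restricted sources, regular configuration review), added here as an illustration and not part of the original lab or of FreeRADIUS. The length threshold, the weak-secret list and the two extra client entries are assumptions, and the parser handles only simple key = value lines.

```python
import ipaddress
import re

MIN_SECRET_LEN = 16   # assumed policy threshold, not a FreeRADIUS default
WEAK_SECRETS = {"testing123", "your_shared_secret", "secret", "radius"}  # assumed list

# Constructed sample: the lab's switch1 entry plus two hypothetical clients.
SAMPLE_CLIENTS_CONF = """
client switch1 {
    ipaddr = 192.168.1.2
    secret = your_shared_secret
    require_message_authenticator = no
    nas_type = cisco
}
client ap-floor2 {   # hypothetical device
    ipaddr = 192.168.1.3
    secret = "kT9vQ2mxLr84ZpWd0cHs"
    require_message_authenticator = yes
}
client lab-any {     # hypothetical catch-all entry
    ipaddr = 0.0.0.0/0
    secret = testing123
}
"""

CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
PAIR_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*(?:#.*)?$", re.M)


def audit_clients(text: str) -> dict:
    """Return {client_name: [findings]} for each client block in the text."""
    report = {}
    for name, body in CLIENT_RE.findall(text):
        opts = {k: v.strip('"') for k, v in PAIR_RE.findall(body)}
        findings = []
        secret = opts.get("secret", "")
        if secret.lower() in WEAK_SECRETS:
            findings.append("placeholder or default shared secret")
        elif len(secret) < MIN_SECRET_LEN:
            findings.append("shared secret shorter than policy minimum")
        # An absent setting is treated as not enforced (assumption for this audit).
        if opts.get("require_message_authenticator", "no").lower() != "yes":
            findings.append("Message-Authenticator not required")
        net = ipaddress.ip_network(opts.get("ipaddr", "0.0.0.0/0"), strict=False)
        if net.num_addresses > 1:
            findings.append(f"entry matches a whole network ({net})")
        report[name] = findings
    return report
```

Calling audit_clients(SAMPLE_CLIENTS_CONF) reports two findings for switch1, none for ap-floor2 and three for lab-any.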

    Advanced Configuration Options

    Once basic RADIUS functionality is working, consider these advanced features:

    Dynamic VLAN Assignment: Configure the RADIUS server to assign users to specific VLANs based on group membership or other attributes:

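    # Check items stay on the first line; reply items go on the indented lines
    testuser    Cleartext-Password := "password123"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"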
    

    Simultaneous Use Limitation: Prevent users from authenticating from multiple devices simultaneously:

    testuser    Simultaneous-Use = 1
    

    Vendor-Specific Attributes (VSA): Leverage device-specific features through VSAs, which allow manufacturers to extend RADIUS with proprietary attributes.

    Monitoring and Maintenance

    Effective RADIUS implementation includes ongoing monitoring and maintenance:

    Performance Monitoring:

    • Track authentication success/failure rates
    • Monitor response times
    • Set up alerts for unusual authentication patterns
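
One way to turn radius.log into the failure-rate and unusual-pattern signals listed above, as an added example that is not part of the original lab. The log lines are constructed, modelled on the auth entries FreeRADIUS writes when auth = yes is set in the log section of radiusd.conf; the thresholds and client names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on FreeRADIUS auth log entries.
SAMPLE_LOG = """\
Sun Mar 15 09:00:01 2026 : Auth: (1) Login OK: [testuser] (from client switch1 port 0)
Sun Mar 15 09:01:10 2026 : Auth: (2) Login incorrect (pap: bad password): [alice/<via Auth-Type = PAP>] (from client switch1 port 0)
Sun Mar 15 09:01:14 2026 : Auth: (3) Login incorrect (pap: bad password): [alice/<via Auth-Type = PAP>] (from client switch1 port 0)
Sun Mar 15 09:01:19 2026 : Auth: (4) Login incorrect (pap: bad password): [alice/<via Auth-Type = PAP>] (from client switch1 port 0)
Sun Mar 15 09:03:00 2026 : Info: Ready to process requests
Sun Mar 15 09:05:02 2026 : Auth: (5) Login incorrect (pap: bad password): [bob/<via Auth-Type = PAP>] (from client ap-floor2 port 7)
Sun Mar 15 09:05:03 2026 : Auth: (6) Login incorrect (pap: bad password): [carol/<via Auth-Type = PAP>] (from client ap-floor2 port 7)
Sun Mar 15 09:05:04 2026 : Auth: (7) Login incorrect (pap: bad password): [dave/<via Auth-Type = PAP>] (from client ap-floor2 port 7)
Sun Mar 15 09:09:30 2026 : Auth: (8) Login OK: [bob] (from client ap-floor2 port 7)
"""

AUTH_RE = re.compile(
    r"Auth: \(\d+\) (Login OK|Login incorrect)[^\[]*"
    r"\[([^\]/]+)[^\]]*\] \(from client (\S+) port")
USER_FAIL_THRESHOLD = 3     # assumed: failures for one user
CLIENT_USER_THRESHOLD = 3   # assumed: distinct failing users behind one client


def summarize(log_text: str) -> dict:
    """Count auth results and flag repeated or widely spread failures."""
    ok = failed = 0
    fails_by_user = defaultdict(int)
    failed_users_by_client = defaultdict(set)
    for line in log_text.splitlines():
        match = AUTH_RE.search(line)
        if not match:
            continue                      # not an auth result line
        status, user, client = match.groups()
        if status == "Login OK":
            ok += 1
            continue
        failed += 1
        fails_by_user[user] += 1
        failed_users_by_client[client].add(user)
    return {
        "ok": ok, "failed": failed,
        "failure_rate": round(failed / max(ok + failed, 1), 2),
        "repeated_failures": sorted(
            u for u, n in fails_by_user.items() if n >= USER_FAIL_THRESHOLD),
        "many_users_one_client": sorted(
            c for c, us in failed_users_by_client.items()
            if len(us) >= CLIENT_USER_THRESHOLD),
    }
```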

    Backup and Recovery:

    • Regularly backup configuration files
    • Document all shared secrets securely
    • Test recovery procedures periodically

    Updates and Patches:

    • Subscribe to security notifications for your RADIUS software
    • Test updates in a non-production environment first
    • Schedule maintenance windows for updates

    Conclusion

    Configuring a RADIUS solution requires careful planning, precise implementation, and ongoing maintenance. This lab has covered the essential steps from initial installation through advanced configuration options. By following these guidelines and best practices, you can implement a robust authentication system that scales with your organization's needs while maintaining strong security standards.

    Remember that RADIUS configuration is often specific to your environment and devices. Always test thoroughly in a controlled environment before deploying to production, and maintain detailed documentation of your configuration for future reference and troubleshooting.
