22. Creating a Radius Server with FreeRadius (on pfSense) and Authenticating with the FortiGate
Hey everyone out there, my name is Devin Adams. I'm a Fortinet instructor here in Tempe, Arizona for Dynamic Worldwide, and I record these videos for the participants who take my class. So anyways, this is my impromptu lab. Me and, you know, right, we were sitting here thinking up things to do, and someone threw it out there: hey, what about RADIUS, can you do a RADIUS demo real quick? And I'm like, you know what, that's not a big deal.

So here it is in this video. We have a couple of goals. I might split it up into two, but we are gonna configure a simple RADIUS server using FreeRADIUS on a pfSense box, and then, to make this all work with the FortiGate, we do have to make sure that the vendor-specific attributes are there in the FreeRADIUS server. So I'll kind of explain what those are, okay, and after that we're gonna create a user and a user group on the RADIUS server, and then we're gonna configure the FortiGate as a RADIUS client, and then we'll go ahead and test it all out by authenticating someone through the firewall using RADIUS. So anyways, this is gonna be a quick one. I hope my videos are ever quick anyways.
So I'm just gonna dive right into it. If you guys have been following the other videos of this impromptu lab, I'm literally throwing everything at this until my laptop breaks, alright. So this box right here, the DevOps box, that is a pfSense box, alright, and it is acting as a firewall for our DevOps teams here at headquarters. So I'm gonna use this outgoing interface right here, that's supposedly publicly facing, to accept RADIUS requests. So that's the goal, so let's go ahead and do it. And I know that RADIUS can be a lot more feature-rich than this. It really is a protocol, a language, for a triple-A server, and that stands for authentication, authorization and accounting. And there's a lot of neat things that you can do with it. This is gonna be a really basic example though, guys, okay, but it's still a good start. So we're gonna go over here to our package manager and then we're gonna look up RADIUS.
And this is on pfSense, okay, and there it is, RADIUS, alright. So we're gonna go ahead and install it, we'll hit confirm, and then it should pull down the appropriate files that it needs to go ahead and get that to work. Alright, so I'm not gonna do a SQL database here, just for simplicity reasons, but once this is done, once this is up and running, we should be able to set it up. And so, alright, there we are, now it's extracting it. There we go, services started, done, good, alright, cool. So now it is there, alright, so now we can go over to our services and, yep, there it is, FreeRADIUS, okay, good times.

So before we do anything with the users, alright, we need to make sure that the interfaces that are going to be listening, right, are set up, alright. So let's go ahead and just hit new, and here I'm just gonna say, hey, you know what, I want you to listen on 10.200.8.1 for RADIUS requests, alright, and we'll just leave it at authentication. There's a lot of cool stuff you can do with accounting, but anyways. So that allows the pfSense box to at least talk to the other RADIUS clients, okay, so we're gonna hit save. Good times, alright, make sure that stuck, alright, cool. So after that, the next thing we have to do is, yeah,
we have to verify that the VSA library is in there, in order to get RADIUS to accept user groups from the FortiGate itself. Because usually that's what we do, right, we create a user group and then we say anyone that comes in from this remote group, associate them with these firewall objects, alright. And so, at that point, essentially before we can actually make our users and our user groups and get them to talk, right, we have to make sure that that VSA dictionary is in our FreeRADIUS.

Now every RADIUS server is going to have their different ways of doing this, but essentially what we're looking for, and I'll put this in the video description, alright, these are the attributes that need to be known by the RADIUS server so we can point to them with our users and pass along certain information. Okay, specifically this guy right here. Okay, and you can actually do some cool stuff with the admin accounts too using this guy right there, and this is actually for several Fortinet products. Alright, so, but these are the vendor-specific attributes that need to be there, okay, so let's go ahead and check it.
Are you guys ready? So I am gonna go ahead and just use my Windows machine here, because I'm just lazy like that, okay, and I'm gonna use something like, I don't know, FileZilla, there we go, and I'm gonna connect to that pfSense box so I can navigate its filesystem and pull some files over and take a look at it. Alright, so I'm just gonna say 10.200.8.1, alright, put in my admin, good stuff, port 22, alright, quick connect, and here we are. Alright, so this is our pfSense box. I'm just gonna go up a level, and it is located in /usr, I believe it's share, okay. Where is it after that? It's been a minute. Oh, let me go ahead and double-check. It should actually be in here. I thought it was in here. Let me double-check just a second, guys. Alright, my bad, I had to look it up real quick, so it is local/share, alright, freeradius.
And there they are, here's the dictionary files that came when I installed it, okay. So if you don't see a Fortinet one in here, you would have to essentially copy and paste that VSA file, alright, so you can essentially just copy this bad boy to a text file, and name it, let me get back there, and name it dictionary.fortinet, and then it would know the attributes when you reference them while creating a user, okay. So, but look at that, there's one already there, okay, so pretty cool. In fact we could just, I don't know, where to stick this, maybe Documents, okay, we can drag it over there and then we can open it up. No, no, no, there we go, edit, and as you can see it's not formatted, but it has the attribute strings in it. Let me try a different application here, you guys, sorry about that. Don't I have Notepad++? I guess I do not. Yeah, I do, it's right there, okay. I'm just gonna open up that bad boy using Notepad++, so it's formatted a little bit better, okay. So this is what's in there already, so we already have group name out of the box, interface name, access name, alright. And so we should be good, we should be good there. So, but if we wanted to we could add in those other attributes, but it's there, so awesome. Alright, so we just confirmed it.
Now how do we actually make this work with our users? Alright, so before we do that let's go back and see what our goals were. Alright, so here we go: we've already configured our simple RADIUS server using FreeRADIUS and pfSense, and we've also taken a look a bit at the vendor-specific attributes, so now it's time to create a user. And I'm gonna actually skip the user group on the RADIUS server for right now and just set up the RADIUS clients on the pfSense, okay, and then also make sure that the FortiGate can talk to it, and then we'll go ahead and play with group memberships, because it can be a little bit tricky, guys. So anyways, let's go ahead and do this. Let's go into our Windows PC again. I was kind of dinking around a little bit earlier, but as you notice we do not have a RADIUS server set up on the FortiGate yet, alright. And then back here on our pfSense, we are going to go to our services and we are gonna go to our FreeRADIUS, alright, and then it wants to go to it, I guess I'm already there, okay. We're gonna have to set up the client side, alright. So this is gonna be saying: listen for the FortiGate as a RADIUS client to this RADIUS server.
So let's go ahead and say add, alright, and our client IP address is going to be 10.200.1.1, which is gonna be the interface of our WAN1 here at headquarters. Alright, and then I'll just say HQ FortiGate as its name, and then here is the client shared secret, and that's how RADIUS works, alright, it uses this pre-shared key. So I'm gonna go ahead and type in something super secret there, alright. So, and then we're gonna say, yeah, I think that's all, okay, yeah. Alright, looks good to me, so let's hit save, okay.
And now that should be enough for the FortiGate to be able to reach out here to the RADIUS server and at least form a connection. So I'm gonna go to my headquarters FortiGate, alright, I'm gonna go to RADIUS Servers here, I'm gonna say create new, and I'm going to give it a name, so I'm gonna call this RadiusServer, alright, and then down here I'm gonna type in my 10.200.8.1 and use the same pre-shared key. Alright, now I'm gonna go ahead and hit test connectivity and make sure that they can talk to each other. Alright, now, I was actually expecting this, okay, and the reason why is because we have an SD-WAN, and that SD-WAN abstracts our internet connections, right, guys. So how do we tell the FortiGate to always use a particular IP address if it is coming from a particular service?

So there's a couple of things that we have to do here, okay. For one, we have to set the source IP to always use the same IP address when it's trying to use RADIUS. We're gonna have to write the SD-WAN rule to say, hey, always, when you're going out to 10.200.8.1, use the 10.200.1.1 IP address. So we could do this using, like, central NAT. If we... no, actually we wouldn't, because this is traffic that's being directly established through the FortiGate.
So, okay, kind of getting ahead of myself. I'm still gonna commit this change, alright, so that will at least make the RADIUS server entry. Then I'm gonna pop this guy open right here to get to the console window, then I'm gonna do a config user radius, alright. If I do a show here, you can see the settings that I just did, alright. So I'm gonna edit my RADIUS server, and remember, if we do a get command we see all of the options, and one of them here is setting the source IP address, alright. And the reason why we need the source IP address is so it can match up, hit, there it is, so it can match up when it talks to the RADIUS server to that pre-shared key, because, you know, a RADIUS server could have several clients, not just the FortiGate. So let's do a set source IP address to 10.200.1.1, alright, and then we'll commit the changes, and then let's go ahead and write that SD-WAN rule to make that happen. Alright, so we're gonna go to Network, SD-WAN, SD-WAN Rules. We're gonna create a new one and I'm just gonna say ToRadius, and our source IP address is going to be 10... oh, I have to make an object.
Alright, that's fine. So let's do this: create new, new address, and I'll just say WAN1 IP, sure, it'll be 10.200.1.1 with a /32, just in case we need it for static routing, and we've been coloring things, we've been coloring things. And because that belongs to the FortiGate, I am going to make that orange, why not, alright, so I don't think I've used orange yet. All I have is with the VPNs, I don't care, okay. And then destination, now this is important, this is gonna be the RADIUS server itself, alright, so I'm gonna hit new address. I'm gonna call this RadiusServer, alright, and this is just making an address object, so RadiusServer. Alright, and we'll make servers, what's the color we haven't used yet, I don't know, magenta, is this too aggressive? We'll make it nice and gray or something, I don't know, alright.
Here we go, 10.200.8.1 with a /32, okay, and in case we need it for static routing, there we go. Alright, so this is saying if it's coming in from the WAN IP address going out to the RADIUS server, okay, yeah, anyways, it'll always use this WAN IP address, alright. And then here we're gonna say the interface preference is always gonna be WAN1, alright, so that way, you know, it goes back to the same connection each time. And you have to pick a service here, so I'm just gonna say Google DNS. Newer versions of FortiOS, by the way, guys, 6.2, now have a manual connection, so you don't have to, like, awkwardly pick a measured SLA for a single WAN connection, which I thought was kind of nice, but it's all good. So we're gonna hit OK, alright, and because it is top-down, I'm just gonna, for best practices, stick it up at the top, alright. So there we go, alright. Now it should be able to get there and be able to authenticate.
So let's try it out. Let's go over to User & Device, let's go over to our RADIUS Servers, and before we had "could not connect" and now we have "connection successful", okay. So let's go ahead and try to get a user to authenticate through the RADIUS server. So we're gonna go back to our pfSense box, alright, and then we're gonna go over to our users and we're gonna create a new user. So this one's gonna be called, I don't know, I just got done teaching another Fortinet class, we use Shady Bob a lot as an example, so there you go, bob. I'm gonna give Bob a password, okay, alright, looks good, we're gonna hit save, okay, awesomeness. So let's go back here, alright, and then let's go ahead and test user credentials. So we'll type in bob and then we'll type in his password, and as you can see, guys, he authenticated successfully to the RADIUS server. So how can we now start using this? And that's where things can get a little bit trickier, okay. So we have to make sure that those vendor-specific dictionary attributes, right, get read correctly when it queries Bob's RADIUS account here.
So let's go ahead and make that happen, and now once again we're back full circle to our goal of creating user groups on the RADIUS server. So we already talked about the VSAs, alright, so let's now start using them. So, and guys, it does, it gets a little bit tricky. So let's go back to our domain, our domain controller, hey, our RADIUS server, alright, and we have bob here, okay, and we need to put in an attribute here. Alright, now as you can see there's three of them, and the place that you want to go to, and I hope this is right, I'm just gonna have to try it out, I can't remember off the top of my head, but the attribute for our group membership, okay, I already have it in a notepad here, is Fortinet-Group-Name. So I'm gonna put him in a test group here, alright.

Now when you're working with RADIUS, and I'm talking about FreeRADIUS with pfSense specifically, and you're manipulating these boxes here, guys, if you screw up the syntax it will stop the process, the actual service of RADIUS. So whenever you're manipulating anything in these three boxes, okay, make sure after you hit the save button you go a step further, alright, and you go to your Services, and you go to your, nope, Status, I lied, and go to Services and make sure that the RADIUS service is still running, okay. If you see an X there it means that you screwed up the syntax, alright, so go back, you have it in the wrong boxes, formatted in the wrong way, you're screwing up the users, alright. So I learned that the hard way, passing along to you guys. Alright, now back on the FortiGate.
There's really no way for us to test our credentials through the GUI and get a membership associated with it, alright. In order to do that we actually have to use the CLI. So before we start making groups and tying them to our RADIUS groups, let's just go ahead and verify that Bob's actually coming over as the test group. So we're gonna pop out our CLI once again, okay, and there is a special command that you do here, and it's gonna be diagnose test, oops, authserver, alright, radius, and then the name of our RADIUS server itself. Now that does not auto-complete, alright, so what did I even name my RADIUS server, guys? This is why, okay, it was RadiusServer, camel case. This is why I should really be practicing these before I record it, alright. So RadiusServer, alright, and then after that it's going to be our server name, and then it's going to be how we are authenticating, alright. So here we're just doing PAP, which is the password protocol, and then after that it's gonna be bob, and then, look, Bob's password in the clear, alright. So once again it's diagnose test authserver, the name of the RADIUS server, okay, and because I didn't define anything, and this is why this is a simple or a basic RADIUS example, I didn't do anything fancy, so I just use PAP, that's the default in the GUI, and then bob and his password. And as you can see it reached out to the RADIUS, it successfully found it, and the group membership came back as test. Alright, so once again, guys, you need to have that VSA defined in the attribute reply on the RADIUS groups in order for it to come back with a group membership. If not, there's gonna be no group memberships, and essentially you kill the whole role-based access control principle of authentication, alright. So anyways, but we now have test, so let's start using it.
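Added illustration, not from the video: what the dictionary check earlier and the diagnose test authserver result here actually rely on on the wire. It encodes and decodes the Fortinet-Group-Name reply attribute that FreeRADIUS sends back in the Access-Accept, and shows the RFC 2865 User-Password hiding that a PAP Access-Request uses with the shared secret. The vendor ID 12356 and attribute number 1 are the values FreeRADIUS ships in dictionary.fortinet; the user, group, password and secret values are constructed for the example.

```python
# Added example, not the video's own code. Vendor ID and attribute number are
# the values FreeRADIUS ships in dictionary.fortinet; names and secrets are
# made up. A FreeRADIUS "users" entry producing this reply would look like:
#   bob  Cleartext-Password := "bobs-password"
#        Fortinet-Group-Name = "test"
import hashlib
import struct

ATTR_VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific attribute type
FORTINET_VENDOR_ID = 12356    # VENDOR Fortinet 12356
FORTINET_GROUP_NAME = 1       # ATTRIBUTE Fortinet-Group-Name 1 string

def encode_fortinet_group(group: str) -> bytes:
    """One Vendor-Specific AVP (type 26) carrying Fortinet-Group-Name."""
    value = group.encode()
    vendor_data = struct.pack("!I", FORTINET_VENDOR_ID)
    vendor_data += bytes([FORTINET_GROUP_NAME, 2 + len(value)]) + value
    return bytes([ATTR_VENDOR_SPECIFIC, 2 + len(vendor_data)]) + vendor_data

def decode_fortinet_groups(attrs: bytes) -> list:
    """Collect every Fortinet-Group-Name from an attribute list; other
    vendors' VSAs are skipped and bad lengths raise instead of being guessed."""
    groups, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        if (atype == ATTR_VENDOR_SPECIFIC and alen >= 8
                and struct.unpack("!I", attrs[i + 2:i + 6])[0] == FORTINET_VENDOR_ID):
            j = i + 6
            while j < i + alen:
                if j + 2 > i + alen:
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2 or j + vlen > i + alen:
                    raise ValueError("bad vendor sub-attribute length")
                if vtype == FORTINET_GROUP_NAME:
                    groups.append(attrs[j + 2:j + vlen].decode())
                j += vlen
        i += alen
    return groups

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks, XOR each block
    with MD5(secret + previous block), the first using the Request Authenticator."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for k in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[k:k + 16], keystream))
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of pap_hide; a wrong shared secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for k in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[k:k + 16], keystream))
        prev = hidden[k:k + 16]
    return out.rstrip(b"\x00")
```

The second point the decoder makes is why a mismatched client shared secret shows up as a failed login rather than a protocol error: the server just unhides a wrong password.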
That's all we need to do, as you can see, guys, to get FreeRADIUS to start passing along group membership, alright. So, but now we're going to go to our users and groups, alright, and I'm just gonna say RadiusAdmins or something like that. Here we go, RadiusAdmins, and then here I'm gonna say use our RadiusServer, and our group specifically is going to be test, alright, and then we can add multiple ones here if we wanted to, okay. So as long as Bob comes as a part of the test group, it comes along, alright. And just to prove how this works, I'm actually going to make another user account that's not associated with the test group, just to prove that it's working. So let me go back to my FreeRADIUS, and instead of bob I'm just gonna do a joe, here we go, joe, super secret password.
But for his group membership I'm just gonna have him come over as the group membership of users, yeah, I'm not feeling very creative today, guys, so, okay, there we go, just to make sure we can test if it's working or not. Alright, so there we go, now we're gonna have to go to System, we're gonna have to go to our Administrators, there we go, we're gonna say create new admin, alright, and then here we're gonna say, and you know what, we could actually match all users, so we don't even need to worry about bob, we can just say match all users in a remote server group. So we'll just say RadiusAdmins, okay, and then we're gonna make them super users, and the RADIUS group is gonna be RadiusAdmins, alright, we're gonna hit OK, and that should be it. I mean, that should be all that we need for Bob to log in now using RADIUS. And we could still use two-factor support there.
I did that in an earlier example, alright. But let's go ahead and log him out, that was me, and let's go ahead and accomplish our goal here and then wrap up this video. So I should be able to type in bob and he should instantly authenticate using that RADIUS server and be an admin, alright, which he did. So there you guys go, okay, and that's because it went out to the RADIUS server, authenticated, and came back and said Bob's a real dude, and he was able to come in and be an admin because I had a wildcard. Alright, let's log out Bob, boom, and let's try joe now. Now Joe is not associated with that group that we tied to our RadiusAdmins, so he should fail, which he did.

Alright, guys, I know that was an extremely, extremely basic example of a RADIUS demo, alright, but it was requested and I thought to myself, you know what, that's cool, you know, we'll do it. So we did: we set it up on our pfSense box, okay, we also went ahead and configured the clients, as FortiGates, we made sure using the SD-WAN that we're doing the right rules so it always got back here, we also created users and we also did our FortiGate groups. Alright, so hopefully someone found that helpful out there, and if not, sorry for wasting your time. And, yeah, I'm gonna try to plow through a couple more videos before I leave out of town for work this weekend, and, uh, yeah, I'll see you guys next time.