Thursday, March 30, 2017

How to setup a Network Access Control system with FreeRadius and Oracle XE

Overview


Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service.



RADIUS is definitely a great protocol: it lets us define an access control policy for our users, and it is implemented in a wide variety of systems and devices around the world.

FreeRadius is the most widely deployed RADIUS server in the world and, from my point of view, the best one.


So why not improve our network access security by deploying a robust and scalable RADIUS service based on FreeRadius and Oracle?




In this article, we are going to set up a FreeRadius and Oracle XE environment.


System environment and Software


  • Vmware: Debian 8 32 bits.
  • Vmware: Windows 2008 Server 64 bits.
  • oracle-instantclient11.2-basic-11.2.0.4.0-1.i386.rpm.
  • oracle-instantclient11.2-devel-11.2.0.4.0-1.i386.rpm.
  • oracle-instantclient11.2-sqlplus-11.2.0.4.0-1.i386.rpm.
  • freeradius-server-2.2.9.tar.gz.

Laboratory Architecture





Step 1: we install the necessary tools for compilation and installation


$ apt-get install build-essential unzip libtool automake dpkg-dev debhelper quilt libssl-dev libpam0g-dev libmysqlclient-dev libgdbm-dev libldap2-dev libsasl2-dev libiodbc2-dev libkrb5-dev libperl-dev libpcap-dev python-dev libsnmp-dev libpq-dev libaio1 alien


Step 2: Oracle Headers and Libs installation



$ cd /usr/local/src
$ ls -l
oracle-instantclient11.2-basic-11.2.0.4.0-1.i386.rpm
oracle-instantclient11.2-devel-11.2.0.4.0-1.i386.rpm
oracle-instantclient11.2-sqlplus-11.2.0.4.0-1.i386.rpm

Install libraries:

$ alien -i oracle-instantclient11.2-basic-11.2.0.4.0-1.i386.rpm
$ alien -i oracle-instantclient11.2-devel-11.2.0.4.0-1.i386.rpm
$ alien -i oracle-instantclient11.2-sqlplus-11.2.0.4.0-1.i386.rpm


Load libraries:
  • create/edit: /etc/ld.so.conf.d/oracle.conf
  • add: /usr/lib/oracle/11.2/client/lib
  • ldconfig

Check it:

  • ldconfig -p | grep libcln
libclntsh.so.11.1 (libc6) => /usr/lib/oracle/11.2/client/lib/libclntsh.so.11.1
libclntsh.so (libc6) => /usr/lib/oracle/11.2/client/lib/libclntsh.so

  • ldconfig -p | grep liboc
libocijdbc11.so (libc6) => /usr/lib/oracle/11.2/client/lib/libocijdbc11.so
libociei.so (libc6) => /usr/lib/oracle/11.2/client/lib/libociei.so
libocci.so.11.1 (libc6) => /usr/lib/oracle/11.2/client/lib/libocci.so.11.1
libocci.so (libc6) => /usr/lib/oracle/11.2/client/lib/libocci.so

  • ORACLE_HOME variable:
vi /etc/profile.d/oracle.sh
export ORACLE_HOME=/usr/lib/oracle/11.2/client

If there is no 'include' directory under ORACLE_HOME and the headers are instead located in /usr/include/oracle/, create a symbolic link so that packages looking for those header files can find them:

ln -s /usr/include/oracle/11.2/client/ $ORACLE_HOME/include


Step 3: FreeRadius installation


$ cd /usr/local/src/
$ wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.2.9.tar.gz
$ tar xzvf freeradius-server-2.2.9.tar.gz
$ cd freeradius-server-2.2.9
$ ./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client/lib --with-oracle-include-dir=/usr/include/oracle/11.2/client
$ make
$ make install

  • The binaries are installed in /usr/local/bin and /usr/local/sbin.
  • The configuration files are found under /usr/local/etc/raddb.
  • The logs: /usr/local/var/log/radius.


Step 4: FreeRadius permissions



groupadd -g 403 radius

useradd -u 420 -g 403 -c "Radius Server Owner" -d /usr/local/etc/raddb -s /bin/false radius

chown -R radius:radius /usr/local/etc/raddb/

chown radius.radius -R radiusd/

chown radius.radius -R /usr/local/var/log/radius/

  • Edit /usr/local/etc/raddb/radiusd.conf so the daemon drops privileges to the new account:
user = radius
group = radius



  • Boot Script


cp /usr/local/src/freeradius-server-2.2.9/scripts/rc.radiusd /etc/init.d/radiusd

chmod 755 /etc/init.d/radiusd

update-rc.d /etc/init.d/radiusd defaults

  • Restart the virtual machine and check the radius service:
ps waux | grep radius

radius 799 0.0 0.4 48160 5008 ? Ssl 09:52 0:00 /usr/local/sbin/radiusd


Step 5: Oracle XE Database Installation


System environment and Software
  • OracleXE112_Win64.
  • Oracle Database 11g Express Edition over VM Windows 64bits.
  • Destination Folder: C:\oraclexe\
  • Oracle Home: C:\oraclexe\app\oracle\product\11.2.0\server\
  • Oracle Base: C:\oraclexe\
  • Port for 'Oracle Database Listener': 1521
  • Port for 'Oracle Services for Microsoft Transaction Server': 2030
  • Port for 'Oracle HTTP Listener': 8080

Windows Firewall configuration

  • Windows Firewall exceptions:
C:\oraclexe\app\oracle\product\11.2.0\server\bin\oracle.exe
C:\oraclexe\app\oracle\product\11.2.0\server\tnslsnr.exe


Test connectivity


$ sudo sqlplus sys@192.168.131.133:1521 as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Mon Mar 20 10:50:50 2017
Copyright (c) 1982, 2013, Oracle. All rights reserved.

Enter password:
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
SQL>

Radius Oracle Schema

/usr/local/etc/raddb/sql/oracle$ sudo ls -l
-rw-r----- 1 radius radius 13617 Mar 17 14:09 dialup.conf
-rw-r----- 1 radius radius 4643 Mar 17 14:09 ippool.conf
-rw-r----- 1 radius radius 1180 Mar 17 14:09 ippool.sql
-rw-r----- 1 radius radius 1386 Mar 17 14:09 msqlippool.txt
-rw-r----- 1 radius radius 317 Mar 17 14:09 nas.sql
-rw-r----- 1 radius radius 5503 Mar 17 14:09 schema.sql



Create a workspace named RADIUS with a user radius and a password of your choice, through the APEX interface:

http://192.168.131.133:8080/apex

Grant permissions

$ sqlplus sys@192.168.131.133:1521 as sysdba
SQL> GRANT CONNECT,RESOURCE TO radius;

Then load the FreeRadius schema as the radius user:

debian:/usr/local/etc/raddb/sql/oracle$ sudo sqlplus radius@192.168.131.133:1521
Enter password:
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
SQL> start schema.sql




  • Let's insert some data into the Database:


SQL>
INSERT INTO RADUSERGROUP (ID, USERNAME, GROUPNAME) VALUES (1,'Juan','HR');
INSERT INTO RADUSERGROUP (ID, USERNAME, GROUPNAME) VALUES (2,'Pedro','HR');
INSERT INTO RADCHECK (ID,USERNAME,ATTRIBUTE,OP,VALUE) VALUES (1,'Juan','Password','==','pass1');
INSERT INTO RADCHECK (ID,USERNAME,ATTRIBUTE,OP,VALUE) VALUES (2,'Pedro','Password','==','pass2');
INSERT INTO RADREPLY (ID,USERNAME,ATTRIBUTE,OP,VALUE) VALUES (1,'Juan','Framed-IP-Address','==','10.10.10.10');
INSERT INTO RADREPLY (ID,USERNAME,ATTRIBUTE,OP,VALUE) VALUES (2,'Pedro','Framed-IP-Address','==','10.10.10.11');
INSERT INTO RADGROUPREPLY (ID,GROUPNAME,ATTRIBUTE,OP,VALUE) VALUES (10,'HR','Framed-Compression','==','Van-Jacobson-TCP-IP');


Step 6: FreeRadius configuration


  • Basic configuration

ln -s /usr/local/etc/raddb/ /etc/raddb

  • NAS or clients that send request to Radius:

Edit /etc/raddb/clients.conf

  • For testing:

client 192.168.131.134 {
        secret = testing123
        shortname = debian
}


  • Create a local user and password:
Edit /etc/raddb/users
testing Cleartext-Password := "password"
        Reply-Message = "Hello, %{User-Name}"
Restart the service: /etc/init.d/radiusd restart

  • Check authentication:
@debian:/etc/raddb$ radtest testing password 192.168.131.134 1 testing123
Sending Access-Request of id 73 to 192.168.131.134 port 1812
User-Name = "testing"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.131.134 port 1812, id=73, length=36
Reply-Message = "Hello, testing"
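The exchange above, as an added example in Python (not code from this post or from FreeRADIUS): it builds the same Access-Request that radtest sends, hides the User-Password with the shared secret exactly as RFC 2865 section 5.2 prescribes, computes the Message-Authenticator (RFC 2869) that radtest prints as zeros before it is filled in, and checks the Response Authenticator of a simulated Access-Accept. The identifier 73, the attribute values and the reply text are constructed from the radtest output above; the secret testing123 is the one in clients.conf. It shows what that secret actually protects: with PAP, the secret is the only thing standing between a sniffed packet and the clear-text password, and the only thing that lets the client tell a genuine Access-Accept from a forged one, which is why a lab value like testing123 must not survive into production.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, REPLY_MESSAGE = 1, 2, 4, 5, 18
MESSAGE_AUTHENTICATOR = 80  # RFC 2869: HMAC-MD5 over the packet, keyed with the shared secret


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    pad = (-len(password)) % 16 or (16 if not password else 0)
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator  # the first block is chained to the Request Authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: what the server, or anyone holding the secret, computes."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind, value):
    """One TLV attribute: type, total length (2 + value), value."""
    return struct.pack("!BB", kind, 2 + len(value)) + value


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((kind, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, secret, username, password,
                         nas_ip="127.0.1.1", nas_port=1, authenticator=None):
    """Client side. `authenticator` is only overridable so the result is reproducible in tests."""
    req_auth = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    # Message-Authenticator is the last attribute: HMAC over the packet with its value zeroed.
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def verify_message_authenticator(packet, secret):
    """Server side: recompute the HMAC-MD5 with the attribute's own 16 bytes zeroed and compare."""
    i = 20
    while i + 2 <= len(packet):
        kind, length = packet[i], packet[i + 1]
        if length < 2:
            return False
        if kind == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:i + 2] + b"\x00" * 16 + packet[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[i + 2:i + 18])
        i += length
    return False


def build_response(code, request_packet, secret, attrs=b""):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    ident, req_auth = request_packet[1], request_packet[4:20]
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_response(response, request_packet, secret):
    """Client side: a reply that does not bind to our request and the secret is silently dropped."""
    if len(response) < 20 or response[1] != request_packet[1]:
        return False
    expected = hashlib.md5(response[:4] + request_packet[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """Replays the radtest exchange above: a 36-byte Access-Accept carrying 'Hello, testing'."""
    secret = b"testing123"
    request = build_access_request(73, secret, "testing", "password")
    reply = build_response(ACCESS_ACCEPT, request, secret, attr(REPLY_MESSAGE, b"Hello, testing"))
    return verify_response(reply, request, secret), len(reply)


if __name__ == "__main__":
    print(demo())
```

The 36-byte reply length and the 20-byte Access-Reject that the later radtest runs report fall straight out of the header (20 bytes) plus the attributes, so the lengths radtest prints are a quick sanity check that the server answered with the attributes you expect.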


  • Configure FreeRadius to use the Oracle 11g XE database

Enable sql.conf in radiusd.conf:

Uncomment: # $INCLUDE sql.conf


Edit /etc/raddb/sql.conf:

database = "oracle"
server = "192.168.131.133"
port = 1521
login = "radius"
password = "What ever you want"
comment out: # radius_db = "radius"
radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.131.133)(PORT=1521))(CONNECT_DATA=(SID=xe)))"


Edit /etc/raddb/sites-available/default:

authorize section uncomment: # sql


Edit /etc/raddb/sites-available/inner-tunnel:

authorize section uncomment: # sql


Restart service:

/etc/init.d/radiusd restart


Step 7: Check authentication


  • @debian:/etc/raddb$ radtest Juan pass1 192.168.131.134 1 testing123

Sending Access-Request of id 147 to 192.168.131.134 port 1812
User-Name = "Juan"
User-Password = "pass1"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.131.134 port 1812, id=147, length=32
Framed-IP-Address = 10.10.10.10
Framed-Compression = Van-Jacobson-TCP-IP


  • @debian$ radtest Pedro pass2 192.168.131.134 1 testing123
Sending Access-Request of id 226 to 192.168.131.134 port 1812
User-Name = "Pedro"
User-Password = "pass2"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.131.134 port 1812, id=226, length=32
Framed-IP-Address = 10.10.10.11
Framed-Compression = Van-Jacobson-TCP-IP

  • @debian$ radtest Pedro pass1 192.168.131.134 1 testing123
Sending Access-Request of id 15 to 192.168.131.134 port 1812
User-Name = "Pedro"
User-Password = "pass1"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 192.168.131.134 port 1812, id=15, length=20
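The three results above follow from the rows inserted into RADCHECK, RADREPLY, RADUSERGROUP and RADGROUPREPLY earlier. As an added example, not FreeRADIUS code, here is a simplified Python model of the lookups the sql module performs on those tables: check items from RADCHECK must all match the request, then reply items are collected from RADREPLY and, through RADUSERGROUP, from RADGROUPREPLY. The rows are constructed from the INSERT statements in this post; the "Password" check attribute is treated as the legacy alias of User-Password, and only the "==" and "!=" operators are modelled, so this is a model of the lab data rather than of every operator rlm_sql understands.

```python
# Constructed rows, copied from the INSERT statements earlier in the post.
RADUSERGROUP = [
    {"username": "Juan", "groupname": "HR"},
    {"username": "Pedro", "groupname": "HR"},
]
RADCHECK = [
    {"username": "Juan", "attribute": "Password", "op": "==", "value": "pass1"},
    {"username": "Pedro", "attribute": "Password", "op": "==", "value": "pass2"},
]
RADREPLY = [
    {"username": "Juan", "attribute": "Framed-IP-Address", "op": "==", "value": "10.10.10.10"},
    {"username": "Pedro", "attribute": "Framed-IP-Address", "op": "==", "value": "10.10.10.11"},
]
RADGROUPREPLY = [
    {"groupname": "HR", "attribute": "Framed-Compression", "op": "==", "value": "Van-Jacobson-TCP-IP"},
]

# Assumption for this model: "Password" in the check table is the old alias of User-Password.
CHECK_ALIASES = {"Password": "User-Password"}


def check_item_matches(item, request):
    """A check item compares a stored value against the same attribute in the request."""
    name = CHECK_ALIASES.get(item["attribute"], item["attribute"])
    if name not in request:
        return False  # a check item for an attribute the request lacks can never match
    if item["op"] == "==":
        return request[name] == item["value"]
    if item["op"] == "!=":
        return request[name] != item["value"]
    raise ValueError("operator %r is not part of this model" % item["op"])


def authorize(request):
    """Return ("Access-Accept", reply attributes) or ("Access-Reject", {}) for one request."""
    user = request["User-Name"]
    checks = [row for row in RADCHECK if row["username"] == user]
    if not checks:
        return "Access-Reject", {}  # unknown user: nothing to verify against, so reject
    if not all(check_item_matches(row, request) for row in checks):
        return "Access-Reject", {}  # e.g. Pedro with pass1: the Password check fails
    reply = {}
    for row in RADREPLY:  # per-user reply items come first
        if row["username"] == user:
            reply[row["attribute"]] = row["value"]
    groups = {row["groupname"] for row in RADUSERGROUP if row["username"] == user}
    for row in RADGROUPREPLY:  # group reply items fill in what the user rows did not set
        if row["groupname"] in groups and row["attribute"] not in reply:
            reply[row["attribute"]] = row["value"]
    return "Access-Accept", reply


if __name__ == "__main__":
    for name, pw in (("Juan", "pass1"), ("Pedro", "pass2"), ("Pedro", "pass1")):
        print(name, pw, authorize({"User-Name": name, "User-Password": pw}))
```

Running it reproduces the three radtest outcomes: Juan gets 10.10.10.10 plus the HR group's Framed-Compression, Pedro gets 10.10.10.11 with the same group attribute, and Pedro with pass1 is rejected with no reply attributes, which is the 20-byte Access-Reject shown above.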


Have fun...
