FreeRADIUS InkBridge

Virtual Servers

Goal: To understand how to create and use a new virtual server.

Time: 20-30 minutes

File:

  • sites-enabled/virtual

documentation page: virtual servers

A "virtual server" is a configuration file that contains sections which process packets. These are usually recv FOO or send FOO. They can also include listen sections, along with a few others.

For RADIUS, the common sections are:

  • listen Defines a new socket.

  • recv Access-Request Run policies when receiving an Access-Request packet

  • authenticate <name> Run an authentication method

  • send Access-Accept Run policies when sending an Access-Accept

  • send Access-Reject Run policies when sending an Access-Reject

  • send Access-Challenge Run policies when sending an Access-Challenge

  • recv Accounting-Request Run policies when receiving an Accounting-Request packet

  • accounting <type> Run policies for a particular value of Acct-Status-Type

  • send Accounting-Response Run policies when sending an Accounting-Response packet

Default behavior: All site configurations are stored in the sites-available directory, while only the active (running) sites are present in sites-enabled. To activate a site, a symbolic link must be created in sites-enabled that points to the corresponding configuration in sites-available. Copying the file instead of linking it works at first, but the copy then silently diverges from the version in sites-available the next time that is edited.

Best practice: Always create or modify site configurations in sites-available, and then enable them by creating a symbolic link in sites-enabled.

Create Virtual Server file

Create a new file sites-available/virtual:

server virtual {
    # Accept Access-Request packets on UDP port 20000, on every interface.
    listen authentication {
        udp {
            ipaddr = *
            port = 20000
        }
    }

    # Runs for every Access-Request received on this listener.
    recv Access-Request {
        # The "known good" password the user must prove knowledge of.
        control.Password.Cleartext := "hello"
        # pap sets Auth-Type := pap when the packet carries User-Password.
        pap
    }

    # Runs only when Auth-Type is pap: compares User-Password against
    # control.Password.Cleartext.
    authenticate pap {
        pap
    }
}

This configuration defines a virtual FreeRADIUS server named virtual that listens for authentication requests on UDP port 20000 on all interfaces. The port value can be changed to any unprivileged UDP port that nothing else on the host is using; ipaddr can be set to a specific address instead of * to keep the listener off interfaces that should not see RADIUS traffic. Packets are still only accepted from clients defined in clients.conf, using that client's shared secret. When an Access-Request packet is received, the recv section stores a known-good cleartext password in the control list and calls the pap module, which sets Auth-Type to pap only if the packet carries a User-Password attribute. The authenticate pap section then runs the pap module again, this time to compare User-Password with the stored cleartext password and accept or reject the request.

Enable the Virtual Server

Create a symbolic link from sites-available/ to sites-enabled/:

$ cd sites-enabled
$ ln -s ../sites-available/virtual virtual

Verify the symbolic link was created and points at the right file (the ls output should start with "l" and show the -> target):

$ ls -l virtual
$ cat virtual

Start the server in debugging mode (radiusd -X), and use radclient to send a test packet. The packet must be sent to port 20000, not the default 1812, so that it reaches the new virtual server; 127.0.0.1 must be a client in clients.conf with the shared secret testing123 (the default localhost entry). Because the virtual server only configures PAP, the packet carries the password as User-Password:

echo 'User-Name = "bob"
User-Password = "hello"
NAS-IP-Address = 127.0.0.1
NAS-Port = 501
NAS-Port-Type = Virtual' | radclient -x 127.0.0.1:20000 auth testing123

The debug mode shows the server successfully started, is listening on UDP port 20000, and has received an Access-Request for authentication:

Scheduler created successfully with 1 networks and 1 workers
#### Opening listener interfaces ####
Listening on radius_udp server * port 20000 bound to virtual server default
Ready to process requests
...
(0)    recv Access-Request {
(0)      control.Password.Cleartext := "hello"
(0)     ...
(0)     }
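The whole procedure above (write the site file, enable it by symlink, check it before starting radiusd, build the test packet) as one POSIX shell script. This is an added example, not part of the original exercise or of the FreeRADIUS distribution: the helper names (write_virtual_server, enable_site, check_port_conflicts, pap_test_packet) and the RADDB variable are this example's own, and by default it works in a scratch directory created with mktemp so it can be run without touching a real installation. The generated file body is the page's sites-available/virtual; the two checks (refusing to overwrite a copied, non-symlink file in sites-enabled, and spotting two enabled sites that claim the same UDP port) are the ones that catch the usual "radiusd -X will not start" mistakes.

```shell
#!/bin/sh
# Added example (not from the original page or the FreeRADIUS project).
# RADDB defaults to a throwaway directory; set RADDB=/etc/raddb (or
# /etc/freeradius) to use it against a real installation.
set -eu

RADDB="${RADDB:-$(mktemp -d)}"
mkdir -p "$RADDB/sites-available" "$RADDB/sites-enabled"

# Write sites-available/<name>: the page's virtual server, on the given UDP port.
write_virtual_server() {
    name="$1"; port="$2"
    cat > "$RADDB/sites-available/$name" <<EOF
server $name {
    listen authentication {
        udp {
            ipaddr = *
            port = $port
        }
    }

    recv Access-Request {
        control.Password.Cleartext := "hello"
        pap
    }

    authenticate pap {
        pap
    }
}
EOF
}

# Enable a site the documented way: a relative symlink in sites-enabled.
# Refuse if sites-enabled/<name> already exists as a regular file, because a
# copied file would keep being loaded while sites-available diverges from it.
enable_site() {
    name="$1"
    if [ -e "$RADDB/sites-enabled/$name" ] && [ ! -L "$RADDB/sites-enabled/$name" ]; then
        echo "sites-enabled/$name is a regular file, not a symlink; refusing to replace it" >&2
        return 1
    fi
    ln -sfn "../sites-available/$name" "$RADDB/sites-enabled/$name"
}

# Collect every "port = N" line across enabled sites and fail if any port is
# claimed more than once: two listeners on one port stop radiusd from starting.
check_port_conflicts() {
    dups=$(grep -h -E '^[[:space:]]*port[[:space:]]*=' "$RADDB"/sites-enabled/* 2>/dev/null \
        | sed -E 's/.*=[[:space:]]*([0-9]+).*/\1/' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "port(s) listened on by more than one enabled site: $dups" >&2
        return 1
    fi
}

# radclient input for a PAP test packet (User-Password, not CHAP-Password,
# because the virtual server only configures pap).
pap_test_packet() {
    printf 'User-Name = "%s"\nUser-Password = "%s"\nNAS-IP-Address = 127.0.0.1\nNAS-Port = 501\nNAS-Port-Type = Virtual\n' "$1" "$2"
}

write_virtual_server virtual 20000
enable_site virtual
check_port_conflicts
ls -l "$RADDB/sites-enabled/virtual"
# With radiusd -X running, send the packet to port 20000 (not the default 1812):
#   pap_test_packet bob hello | radclient -x 127.0.0.1:20000 auth testing123
```

check_port_conflicts only looks at enabled sites, so it catches the common case of a second exercise file left enabled on the same port; it does not know about sockets held by other processes, which radiusd -X reports itself when it tries to bind.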

Questions

  1. What happens when you try to use CHAP or MS-CHAP? Why does this result occur?

  2. How can you make that virtual server use CHAP or MS-CHAP?

  3. What happens when you try different User-Names? Why does this result occur?

  4. How can you make the above configuration authenticate different users via different passwords?