Setting up a FreeRadius test lab (HOWTO)

It’s quite handy to have one of these labs to test your radius configs, especially in the ISP world. This is mainly for testing radius attributes as it’s very easy to get a Cisco box to actually be a regular PPPoE server.

I have an old 7200 NPE-300 connected to a virtual machine running in VMware.

I’m running Ubuntu server 12.04 so installing freeradius is pretty painless:

[email protected]:~$ sudo apt-get install freeradius

Now we need to configure the box. Just a few files need to be edited for our environment. I won’t go over every single part of radiusd.conf, only the things I made changes to:

[email protected]:/etc/freeradius$ sudo vi radiusd.conf

listen {
        type = auth
        ipaddr = 10.80.1.1
        port = 1645

}

listen {
        ipaddr = 10.80.1.1
        port = 1646
        type = acct
}

log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = yes
        auth_badpass = yes
        auth_goodpass = yes
}

It’s always good to have a fair amount of logging, especially in a lab. Note that auth_badpass and auth_goodpass write the submitted password into the log in cleartext, so keep those two set to no on anything other than a lab server.

We also need to tell the FreeRadius server that a radius client will be coming in and making authentication requests. This is also where we choose the shared secret, which has to match the key configured on the router:

[email protected]:/etc/freeradius$ sudo vi clients.conf
client 10.80.1.2 {
        secret          = radiuspassword
        shortname       = 10.80.1.2
        nastype         = cisco
}

Short and sweet.

Finally, the usernames, passwords, IPs, attributes, etc. are all stored in the users file. For now let’s just create a short single entry:

[email protected]:/etc/freeradius$ sudo vi users

testuser     Cleartext-Password := "password"
        Framed-IP-Address = 192.168.1.100

Now onto the 7200. The 7200 and FreeRadius server are directly connected in this lab, but in the real world all they need is IP connectivity to each other.

aaa new-model
!
aaa group server radius RADIUS_SERVER
 server 10.80.1.1 auth-port 1645 acct-port 1646
!
aaa authentication ppp CPE_USER group RADIUS_SERVER
aaa authorization network default group RADIUS_SERVER
!
vpdn enable
!
bba-group pppoe LAB
 virtual-template 1
 sessions per-mac limit 20
 sessions per-vlan limit 250
!
interface Loopback0
 ip address 200.200.200.200 255.255.255.255
!
interface FastEthernet0/0
 description Link to FreeRadius server
 ip address 10.80.1.2 255.255.255.0
 duplex full
!
interface FastEthernet1/0
 description PPPOE interface
 no ip address
 duplex full
 pppoe enable group LAB
!
interface Virtual-Template1
 ip unnumbered Loopback0
 no peer default ip address
 ppp authentication chap CPE_USER
!
radius-server host 10.80.1.1 auth-port 1645 acct-port 1646 key radiuspassword

I’ve used a radius group which allows you to add more radius servers and test fail-over scenarios.

For a test device I’ve just configured a 2801 like so:

interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 mtu 1492
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp chap hostname testuser
 ppp chap password 0 password

Let’s give it a quick test. I’ve enabled logging on the radius server to see what’s going on. Let me enable the 2801’s PPPoE interface and see if the radius server sees the authentication request coming in:

[email protected]:/etc/freeradius$ tail -f /var/log/freeradius/radius.log
Mon Oct  1 21:24:23 2012 : Auth: Login OK: [testuser/] (from client 10.80.1.2 port 0)

So that’s all fine. Did my router pick up the correct IP address?

c2801#sh int dialer 1
Dialer1 is up, line protocol is up (spoofing)
  Hardware is Unknown
  Internet address is 192.168.1.100/32
  MTU 1492 bytes, BW 56 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Closed, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 1 seconds on reset
  Interface is bound to Vi2
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 05:13:33
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/0/16 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 42 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1017 packets input, 103010 bytes
     4703 packets output, 173178 bytes
Bound to:
Virtual-Access2 is up, line protocol is up
  Hardware is Virtual Access interface
  MTU 1492 bytes, BW 56 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Stopped: CDPCP
  Open: IPCP
  PPPoE vaccess, cloned from Dialer1
  Vaccess status 0x44, loopback not set
  Keepalive set (10 sec)
  Interface is bound to Di1 (Encapsulation PPP)
  Last input 00:00:01, output never, output hang never
  Last clearing of "show interface" counters 00:01:55
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     27 packets input, 387 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     26 packets output, 378 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions

c2801#show ip route connected | beg Ga
Gateway of last resort is not set

      192.168.1.0/32 is subnetted, 1 subnets
C        192.168.1.100 is directly connected, Dialer1
      200.200.200.0/32 is subnetted, 1 subnets
C        200.200.200.200 is directly connected, Dialer1


c2801#ping 200.200.200.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

These are PPP links, and hence the 7200 and 2801 have exchanged host routes. This is why they can reach each other. We can also check from the 7200 side:

c7200#sh ip route 192.168.1.100
Routing entry for 192.168.1.100/32
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Virtual-Access1.1
      Route metric is 0, traffic share count is 1

c7200#ping 192.168.1.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

So everything is working just as expected.

The whole point of radius attributes is to be able to do all kinds of fancy things. Let’s say that this 2801 has another network behind it that the rest of our network needs to reach through the BRAS box. An easy way is to have the 7200 install a static route to the network behind the 2801 whenever the router dials in. Let’s use a loopback on the 2801 for this purpose:

interface Loopback1
 ip address 40.40.40.40 255.255.255.255

Going back to the users file on the radius server, we add the route as a Cisco-Avpair reply attribute:

testuser     Cleartext-Password := "password"
        Framed-IP-Address = 192.168.1.100,
        Cisco-Avpair += "ip:route=40.40.40.40 255.255.255.255"
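To make the shared secret from clients.conf and the reply attributes above concrete, here is an added Python example (not part of the original post) that builds the Access-Accept the server would send for testuser, carrying Framed-IP-Address and the Cisco-AVPair vendor-specific attribute, and verifies its Response Authenticator the way the NAS does. The request authenticator and packet identifier are constructed values.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"radiuspassword"                # the shared secret from clients.conf above
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed; a real NAS sends 16 random bytes
ACCESS_ACCEPT, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC = 2, 8, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def avp(attr_type, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Wrap a Cisco-AVPair string in Vendor-Specific (26), vendor id 9, sub-type 1."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_accept(identifier, request_auth, secret, attrs):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """The NAS-side check: recompute the authenticator with its own copy of the secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def parse_attributes(packet):
    """Decode the two reply attributes the lab uses; anything else is skipped."""
    out, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + length]
        if attr_type == FRAMED_IP_ADDRESS:
            out["Framed-IP-Address"] = socket.inet_ntoa(value)
        elif attr_type == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            out.setdefault("Cisco-AVPair", []).append(value[6:].decode())
        pos += length
    return out


# The Access-Accept returned for testuser once the route attribute is added (id 0x2A is constructed).
REPLY_ATTRS = avp(FRAMED_IP_ADDRESS, socket.inet_aton("192.168.1.100")) + cisco_avpair("ip:route=40.40.40.40 255.255.255.255")
REPLY = build_access_accept(0x2A, REQUEST_AUTHENTICATOR, SECRET, REPLY_ATTRS)
```

A reply built with a different secret, or with any attribute byte altered in transit, fails verify_response, which is why the secret in clients.conf and the key on the router must match exactly.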

Let’s clear the pppoe session and take a look at the 7200:

c7200#sh ip route 40.40.40.40
Routing entry for 40.40.40.40/32
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 192.168.1.100
      Route metric is 0, traffic share count is 1

c7200#ping 40.40.40.40

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 40.40.40.40, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

As this is a static route whose next hop is a connected host route, the 7200 can redistribute it into the IGP so the rest of your network can reach it. Notice that when I reload the 2801 and the session is pulled down, the static route is removed:

c7200#sh ip route 40.40.40.40
% Network not in table

There are a TON of radius attributes. If I have the time I may go over a few handy ones with which you can create some powerful routing policies.

© 2009-2019 Darren O'Connor All Rights Reserved