[Radius] I tried verifying Radius authentication (radtest) via Global.
Hello, this is Nagatani from the System Development Department.
This time, we will introduce the steps to verify Radius authentication globally using the radtest command.
To be honest, the method itself is relatively easy to do without any particular twist, but when I searched on the internet, I basically only found methods for local verification...
Also, it is almost impossible for Radius authentication to be completed locally, and I wanted to perform verification in a form that is close to actual operation, so I decided to introduce it this time.
What to prepare
- Local server with FreeRadius installed
- AWS server with FreeRadius and DaloRadius installed
1 is a server just for being able to use the radtest command.
To use the radtest command, you must have FreeRadius installed.
2 is a Radius server for performing global verification from the local server built in 1.
Since we want to create a Radius account, let's install DaloRadius, which allows account management.
This time we are building a server on AWS, but you can use other platforms as well, so feel free to use whatever you like. Basically the method is the same.
Visually, 1 is the Radius client and 2 is the Radius server.
Building a local server with FreeRadius installed
is clearly written on
this site Also, since the purpose of this time is to be able to use the radtest command, there is no need to configure the client or user.
Building an AWS server with FreeRadius and DaloRadius installed
Launch an EC2 instance on AWS and install FreeRadius and DaloRadius.
this site for easy-to-understand instructions on how to install DaloRadius.
Register a RADIUS account
Create a Radius account to verify Radius authentication on the AWS server built above.
Log in to the DaloRadius management screen
Access and log in to the installed DaloRadius.
If you are not playing with anything in particular, you can log in with Username:administrator, Password:radius.
Create an account
1. Select Management ⇒ New User
↓
2. Enter your username and password in Username Authentication and click Apply.
You have now created an account. This time I created it with testuser and testpassword.
You can also check the created account in List Users.
↓
Change Client settings to allow authentication from global IP
This time, in order to authenticate from the global client, add the following settings to clients.conf.
client all { ipaddr = 0.0.0.0/0 secret = testing123 }
0.0.0.0/0 allows authentication from all IPs.
Let's set the secret key to testing123 this time.
Now restart Radius and you're done.
Perform Radius authentication from local server to AWS server
Now that the preparations are complete, let's actually perform Radius authentication from the local to the AWS server.
Run the following radtest command on the local server.
$ radtest testuser testpassword {AWS server IP} 1812 testing123
In terms of composition,
radtest {username} {password} {AWS server IP} 1812 {secret key}
It will look like this.
If successful, Access-Accept will be returned as shown below.
Sent Access-Request Id 43 from 0.0.0.0:48774 to {AWS server IP}:1812 length 78 User-Name = "testuser" User-Password = "testpassword" NAS-IP-Address = 127.0.0.1 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "testpassword"
Radius authentication via global is now successful.
If Radius authentication fails
If you run the above radtest but there is no response and it times out as shown below,
(0) No reply from server for ID 43 socket 3
Access may be restricted to port 1812 on the AWS server side.
Let's edit the inbound rule and add UDP for port 1812.
summary
What did you think?
Well, I don't think it was that difficult since it's basically the same as what we normally do locally.
However, this method was surprisingly not listed, so I would like to introduce it here.
I hope this can be of some help.
lastly
I have opened the system development service site "SEKARAKU Lab" to which I belong.
Beyond is a one-stop service for everything from server design and construction to operation, so if you have any trouble with server-side development, please feel free to contact us.
SEKARAKU Lab: [https://sekarakulab.beyondjapan.com/](https://sekarakulab.beyondjapan.com/)
Well, that's it.
thank you very much!