FreeRADIUS server environment setup (CHAP version)

FreeRADIUS is a high-performance and highly configurable multi-protocol policy server that supports RADIUS, DHCPv4, DHCPv6, TACACS+ and VMPS. It is provided under the terms of the GNU GPLv2. Using RADIUS centralizes authentication and authorization on the network, so adding or removing a user means changing one server rather than reconfiguring every network device.

CHAP: Challenge Handshake Authentication Protocol, a challenge/response authentication protocol.

Building steps

1. Environmental requirements

OS: CentOS 7
FreeRADIUS: FreeRADIUS Version 3.0.13

2. Installation configuration and environment setup
1. For the basic installation, refer to the FreeRADIUS server environment setup (PAP version) post.
2. Modify /etc/raddb/sites-enabled/default to enable the challenge. The FreeRADIUS source ships an example challenge configuration at /etc/raddb/sites-available/challenge.


server default {
        listen {
                type = auth
                ipaddr = *
                port = 0
                # The challenge sections below are placed directly in this
                # "default" virtual server, so the listener must not point at a
                # separate one. The line "virtual_server = challenge" from
                # sites-available/challenge is only needed when the sections are
                # kept in their own "server challenge { }" block; a listener that
                # references an undefined virtual server will not work.
                # virtual_server = challenge
        }

        # The sections below are copied from sites-available/challenge.
        authorize {
                #
                #  If there's no State attribute, then this is the first
                #  request from the user.
                #
                if (!State) {
                        update control {
                                Auth-Type := Step1
                                Cleartext-Password := "password"
                        }
                }
                else {
                        #
                        #  Do authentication for step 2.
                        #  Set the "known good" password to the number
                        #  saved in the session-state list.
                        #
                        update control {
                                Auth-Type := Step2
                                Cleartext-Password := &session-state:Tmp-Integer-0
                        }
                }
        }

        authenticate {
                Auth-Type Step1 {
                        #  If the password doesn't match, the user is rejected
                        #  immediately.
                        pap

                        #
                        #  Set the random number to save.
                        #
                        update session-state {
                                Tmp-Integer-0 := "%{randstr:n}"
                        }
                        update reply {
                                Reply-Message := &session-state:Tmp-Integer-0
                        }

                        #
                        #  Send an Access-Challenge.
                        #  See raddb/policy.d/control for the definition
                        #  of "challenge"
                        #
                        challenge
                }

                Auth-Type Step2 {
                        #
                        #  Do PAP authentication with the password.
                        #
                        pap
                }
        }

        post-auth {
                -sql
                exec
                remove_reply_message_if_eap

                Post-Auth-Type REJECT {
                        -sql
                        attr_filter.access_reject
                        eap
                        remove_reply_message_if_eap
                }

                Post-Auth-Type Challenge {
                        remove_reply_message_if_eap
                        attr_filter.access_challenge.post-auth
                }
        }
}
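
To make the two-step flow of the authorize/authenticate sections concrete, here is an added Python model of it (example code written for this page, not part of FreeRADIUS or of the original post). It assumes a single user with the constructed password "password", models the State attribute as a random token that the server attaches to its Access-Challenge, and keeps the session-state list in a dictionary keyed by that token. The names Step1 and Step2 mirror the Auth-Type values in the config; the server-side branch on the presence of State is the same as the `if (!State)` test above.

```python
import secrets
from dataclasses import dataclass, field

# Constructed "known good" static password, matching Cleartext-Password in the config.
USER_PASSWORD = "password"


@dataclass
class Packet:
    """A minimal RADIUS packet: code plus a dictionary of attributes."""
    code: str                       # Access-Request / Access-Challenge / Access-Accept / Access-Reject
    attrs: dict = field(default_factory=dict)


class ChallengeServer:
    """Models the challenge virtual server: Step1 checks the static password and
    hands out a random number, Step2 checks the number saved in session-state."""

    def __init__(self, password=USER_PASSWORD, digits=1):
        self.password = password
        self.digits = digits          # one 'n' in %{randstr:n} yields one digit
        self.session_state = {}       # State token -> saved Tmp-Integer-0

    def authorize(self, req):
        # Same decision as the authorize section: no State means first request.
        return "Step1" if "State" not in req.attrs else "Step2"

    def handle(self, req):
        assert req.code == "Access-Request"
        if self.authorize(req) == "Step1":
            # pap: reject immediately if the static password does not match.
            if req.attrs.get("User-Password") != self.password:
                return Packet("Access-Reject")
            # update session-state { Tmp-Integer-0 := "%{randstr:n}" }
            number = "".join(secrets.choice("0123456789") for _ in range(self.digits))
            state = secrets.token_hex(16)          # State attribute sent with the challenge
            self.session_state[state] = number
            # update reply { Reply-Message := &session-state:Tmp-Integer-0 }, then "challenge"
            return Packet("Access-Challenge", {"State": state, "Reply-Message": number})
        # Step2: the known-good password is the saved number. The entry is removed
        # so a State token can only be answered once; an unknown token is rejected.
        expected = self.session_state.pop(req.attrs["State"], None)
        if expected is None or req.attrs.get("User-Password") != expected:
            return Packet("Access-Reject")
        return Packet("Access-Accept")


def run_exchange(server, first_password, second_password=None):
    """Client side of the exchange: send the static password, then answer the
    challenge by echoing the number from Reply-Message (or a supplied wrong answer).
    Returns the code of the final packet."""
    first = server.handle(Packet("Access-Request",
                                 {"User-Name": "alice", "User-Password": first_password}))
    if first.code != "Access-Challenge":
        return first.code
    answer = first.attrs["Reply-Message"] if second_password is None else second_password
    second = server.handle(Packet("Access-Request",
                                  {"User-Name": "alice", "User-Password": answer,
                                   "State": first.attrs["State"]}))
    return second.code


if __name__ == "__main__":
    print(run_exchange(ChallengeServer(), "password"))        # Access-Accept
    print(run_exchange(ChallengeServer(), "wrong"))           # Access-Reject at step 1
    print(run_exchange(ChallengeServer(), "password", "xx"))  # Access-Reject at step 2
```

The model makes two points visible that the config only implies: the second request is only meaningful if it carries the State token the server issued, and a token is consumed once it has been answered. It also shows why the example's `%{randstr:n}` is a demonstration value: a single digit gives ten possible answers, so a real deployment would use a longer format string (for example several `n` characters) for the saved number.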

3. Testing
Use Guacamole to test the challenge.
For the Guacamole side, see the post on configuring Guacamole to enable the RADIUS authentication method.


Origin blog.csdn.net/weixin_39651041/article/details/127929283