FreeRADIUS is a high-performance and highly configurable multi-protocol policy server that supports RADIUS, DHCPv4, DHCPv6, TACACS+ and VMPS. It is provided under the terms of the GNU GPLv2. Using RADIUS allows authentication and authorization to be centralized on the network and minimizes the need to do so when new users are added or removed from the network.
CHAP: Challenge Handshake Authentication Protocol.
Building steps
1. Environment requirements
OS: CentOS 7
FreeRADIUS: FreeRADIUS version 3.0.13
2. Installation configuration and environment setup
1. Refer to "FreeRADIUS server environment setup (PAP version)" for the basic environment setup.
2. Modify /etc/raddb/sites-enabled/default to enable the challenge. The FreeRADIUS source ships an example challenge configuration at /etc/raddb/sites-available/challenge; the resulting default site looks like this:
server default {
    listen {
        type = auth
        ipaddr = *
        port = 0
        virtual_server = challenge
    }
    #server challenge {
    authorize {
        #
        # If there's no State attribute, then this is the first request from
        # the user.
        #
        if (!State) {
            update control {
                Auth-Type := Step1
                Cleartext-Password := "password"
            }
        }
        else {
            #
            # Do authentication for step 2.
            # Set the "known good" password to the number
            # saved in the session-state list.
            #
            update control {
                Auth-Type := Step2
                Cleartext-Password := &session-state:Tmp-Integer-0
            }
        }
    }
    authenticate {
        Auth-Type Step1 {
            # If the password doesn't match, the user is rejected
            # immediately.
            pap
            #
            # Set the random number to save.
            #
            update session-state {
                Tmp-Integer-0 := "%{randstr:n}"
            }
            update reply {
                Reply-Message := &session-state:Tmp-Integer-0
            }
            #
            # Send an Access-Challenge.
            # See raddb/policy.d/control for the definition
            # of "challenge"
            #
            challenge
        }
        Auth-Type Step2 {
            #
            # Do PAP authentication with the password.
            #
            pap
        }
    }
    post-auth {
        -sql
        exec
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
            -sql
            attr_filter.access_reject
            eap
            remove_reply_message_if_eap
        }
        Post-Auth-Type Challenge {
            remove_reply_message_if_eap
            attr_filter.access_challenge.post-auth
        }
    }
}
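To see the two round trips this policy produces, here is an added Python simulation of both sides (example code, not from this page or the FreeRADIUS project): it hides User-Password the way RFC 2865 PAP does, answers the first request with an Access-Challenge carrying State and Reply-Message, and accepts the second request only if the State is known and the number in it matches what was saved in session-state. The shared secret, the user database and the 6-digit number (standing in for "%{randstr:n}") are constructed assumptions.

```python
import hashlib, os, secrets, string

SHARED_SECRET = b"testing123"        # constructed: the NAS/client shared secret
USER_DB = {"alice": "password"}      # constructed: mirrors Cleartext-Password := "password"
SESSIONS = {}                        # server side: State value -> session-state list

def _pap_xor(data: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        pad = hashlib.md5(SHARED_SECRET + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], pad))
        out += block
        prev = block if hiding else data[i:i + 16]   # chain on the ciphertext either way
    return out

def hide_password(pw: bytes, auth: bytes) -> bytes:
    return _pap_xor(pw + b"\x00" * (-len(pw) % 16), auth, True)

def unhide_password(hidden: bytes, auth: bytes) -> bytes:
    return _pap_xor(hidden, auth, False).rstrip(b"\x00")   # what the pap module sees

def server_handle(req: dict) -> dict:
    """Mirrors authorize/authenticate above: no State -> Step1, State present -> Step2."""
    pw = unhide_password(req["User-Password"], req["Authenticator"]).decode()
    if "State" not in req:                                   # Step1: check the real password
        if pw != USER_DB.get(req["User-Name"]):
            return {"Code": "Access-Reject"}
        state = secrets.token_bytes(16)                      # opaque, unguessable session handle
        number = "".join(secrets.choice(string.digits) for _ in range(6))  # stands in for randstr
        SESSIONS[state] = {"Tmp-Integer-0": number}          # update session-state { ... }
        return {"Code": "Access-Challenge", "State": state, "Reply-Message": number}
    sess = SESSIONS.pop(req["State"], None)                  # Step2: State is single-use
    if sess is not None and pw == sess["Tmp-Integer-0"]:
        return {"Code": "Access-Accept"}
    return {"Code": "Access-Reject"}

def client_exchange(user: str, password: str, answer=None) -> str:
    """Drive both round trips; `answer` overrides the number shown, to test a wrong reply."""
    auth1 = os.urandom(16)
    resp1 = server_handle({"User-Name": user, "Authenticator": auth1,
                           "User-Password": hide_password(password.encode(), auth1)})
    if resp1["Code"] != "Access-Challenge":
        return resp1["Code"]
    auth2 = os.urandom(16)
    reply = answer if answer is not None else resp1["Reply-Message"]
    resp2 = server_handle({"User-Name": user, "Authenticator": auth2, "State": resp1["State"],
                           "User-Password": hide_password(reply.encode(), auth2)})
    return resp2["Code"]
```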
3. Testing
Use Guacamole to test the challenge flow.
For the client-side setup, see "Guacamole configuration to enable the RADIUS authentication method", which describes enabling RADIUS authentication in Guacamole.