Brutkey

gary
@gary_alderson@infosec.exchange

ChatGPT said:

Setting up RADIUS (Remote Authentication Dial-In User Service) on Debian isn't too difficult if you're familiar with basic server administration. Here's a breakdown of the steps and hardening tips for better security.
Basic Setup for RADIUS on Debian

Install FreeRADIUS:
FreeRADIUS is the most popular RADIUS server for Linux, and it's available directly from the Debian repositories.

sudo apt update
sudo apt install freeradius

Configure RADIUS:
The main configuration files are located in /etc/freeradius/3.0/. The radiusd.conf file controls server settings, and the clients.conf file controls which clients can access the server.

For example, to add a client (like a router or switch):

sudo nano /etc/freeradius/3.0/clients.conf

Add something like this for a client:

client my_router {
        ipaddr = 192.168.1.10                  # address the NAS sends requests from
        secret = mysecretpassword              # shared secret, must match the device
        require_message_authenticator = no     # whether requests must carry Message-Authenticator
}

User Authentication:
In the default configuration, users are stored in /etc/freeradius/3.0/mods-config/files/authorize. You can add users like:

sudo nano /etc/freeradius/3.0/mods-config/files/authorize

Example:

testuser Cleartext-Password := "testpassword"

Test the Server:
Start or restart the FreeRADIUS server:

sudo systemctl restart freeradius

To test if RADIUS is working, you can use the radtest command:

radtest testuser testpassword localhost 0 testing123

If successful, you should see an Access-Accept response.

Hardening RADIUS

RADIUS can be a security risk if not properly configured, as it deals with sensitive authentication data. Here are a few ways to harden your FreeRADIUS server:

Use Strong Secrets:
Use long, random secrets for RADIUS clients and servers. Avoid simple passwords like testing123.

Use EAP (Extensible Authentication Protocol):
For wireless or VPN setups, use EAP methods like PEAP or EAP-TLS for stronger security (especially compared to PAP or CHAP). These methods use certificates to encrypt authentication traffic.

Limit Client Access:
Be specific about which IPs can access your RADIUS server in clients.conf. Use the ipaddr and netmask options to restrict access.

client trusted_device {
        ipaddr = 192.168.1.10          # single host
        netmask = 255.255.255.255      # /32, no wider range
        secret = mystrongsecret        # long, random, unique per client
}

Enforce Strong Passwords:
When storing user credentials, ensure you're using strong passwords and avoid plain text passwords in the users file. Consider using hashed passwords or integrating with a back-end like LDAP or Active Directory.

Limit Access to the Server:
Only allow trusted hosts to communicate with your RADIUS server. Use firewall rules to restrict access:

sudo ufw allow from 192.168.1.10 to any port 1812 proto udp

Use SSL/TLS for Admin Interfaces:
If you use any web-based management interfaces for FreeRADIUS (like freeradius-web), make sure to secure them with SSL/TLS.

Log Monitoring and Alerts:
Set up log monitoring and alerts for unusual behavior, such as repeated failed login attempts. FreeRADIUS logs to /var/log/freeradius/radius.log by default.

Disable Unnecessary Modules:
If you're not using certain authentication methods (like PAP, CHAP, or others), disable them in the configuration to reduce the attack surface. You can do this by commenting out the modules in /etc/freeradius/3.0/sites-available/default.

Set Up Fail2Ban:
Fail2Ban can help protect your RADIUS server from brute-force attacks. Install it and configure it to monitor FreeRADIUS logs for repeated failed attempts:

sudo apt install fail2ban

Encrypt Communications:
Use EAP-TLS with client certificates for secure communication, which ensures that the communication between clients and the server is encrypted. Ensure that you're not using unencrypted protocols like PAP.

Upgrade Regularly:
Keep FreeRADIUS and your system updated to ensure you get security patches and bug fixes. Enable automatic updates or check regularly for updates.
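Added here as a worked example (Python; not from the original post or from FreeRADIUS): the packet-level view of the radtest step above, to make concrete what the shared secret in clients.conf does and what require_message_authenticator controls. build_access_request assembles the same kind of Access-Request radtest sends (User-Name, User-Password hidden with the secret per RFC 2865 section 5.2, and an optional Message-Authenticator, the HMAC-MD5 from RFC 2869), server_handle is a toy stand-in for the server's decision about one client, and recover_secret shows that a captured request carrying a Message-Authenticator lets candidate secrets be checked offline, which is the reason behind "Use Strong Secrets". The usernames, passwords, secrets and the fixed authenticator are constructed for the example; secrets are passed as bytes and nothing is sent on the network.

```python
# Added example (not from the original post or FreeRADIUS): the shared secret's
# role in a RADIUS Access-Request. All names, passwords and secrets are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_PORT, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 5, 80


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block),
    seeded with the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)

def reveal_password(hidden, secret, authenticator):
    """Server side of 5.2: same keystream, chained on the hidden blocks."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value  # TLV; length includes header

def build_access_request(username, password, secret, include_ma=True, authenticator=b""):
    """What radtest sends. Message-Authenticator (RFC 2869 5.14) is HMAC-MD5 keyed
    with the shared secret over the whole packet, computed with its own value zeroed."""
    auth = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, auth))
             + attr(ATTR_NAS_PORT, struct.pack("!I", 0)))
    if include_ma:
        attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + auth + attrs
    if include_ma:  # the zeroed placeholder is the last 16 bytes; fill it in
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet

def parse_attrs(packet):
    """Walk the TLVs after the 20-byte header; truncated or zero-length ones are errors."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def verify_message_authenticator(packet, secret):
    """Recompute the HMAC with the attribute's value zeroed; constant-time compare."""
    pos = 20
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if kind == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(),
                                       packet[pos + 2:pos + 18])
        pos += max(length, 2)
    return False  # attribute absent

def server_handle(packet, client_secret, users, require_message_authenticator=True):
    """Toy server decision for one client. 'Discard' mirrors the RFC rule that malformed
    packets and bad Message-Authenticators get no reply; the last parameter plays the
    role of the clients.conf setting of the same name."""
    if (len(packet) < 20 or packet[0] != ACCESS_REQUEST
            or struct.unpack("!H", packet[2:4])[0] != len(packet)):
        return "Discard"
    try:
        attrs = parse_attrs(packet)
    except ValueError:
        return "Discard"
    if ATTR_MESSAGE_AUTHENTICATOR in attrs:
        if not verify_message_authenticator(packet, client_secret):
            return "Discard"
    elif require_message_authenticator:
        return "Discard"
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    given = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), client_secret, packet[4:20])
    # A wrong secret unhides the password to garbage, so the result is Reject even
    # when no Message-Authenticator was present to catch the mismatch earlier.
    if user in users and hmac.compare_digest(given, users[user].encode()):
        return "Access-Accept"
    return "Access-Reject"

def recover_secret(captured_request, candidates):
    """Offline dictionary check of a captured request: each guess costs one HMAC and
    never touches the server, which is why testing123-style secrets are unsafe."""
    for candidate in candidates:
        if verify_message_authenticator(captured_request, candidate):
            return candidate
    return None
```

Build a request with the secret testing123 and hand recover_secret a short wordlist to watch it come back; with a long random secret the same call returns None for any realistic list. A real server answers with an Access-Accept or Access-Reject packet whose Response Authenticator is also bound to the secret; the toy returns a string instead, and it keys attributes by type, so repeated attributes are not modelled.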