Sniffer Distributed Server authenticating to Radius
Author: Patrick Bartkus, SCM
Date: 19 Sept 2003
This is to help anyone who wants to set up a Radius server to be able to authenticate and authorize users of a Distributed Sniffer Server.
Step 1 - Get a Radius server running.
I used FreeRadius (Open Source = Free) Server. {from the README} There is now an O'Reilly book available, which we recommend highly:
{end of README inclusion}
It took me a bit of work to get it going. I initially wanted to authenticate users on our Cisco routers and switches. But now I am finding other uses for Radius such as this.
Step 2 - Configure FreeRadius to accept and respond to requests from the DSS.
2.1 - Clients file:
/etc/raddb/clients.conf
client 10.1.7.21 {
secret = shared-secret
shortname = palantir-wan
nastype = other
}
client 10.1.7.22 {
secret = shared-secret
shortname = palantir-fas
nastype = other
}
client 10.1.7.23 {
secret = shared-secret
shortname = palantir-gig
nastype = other
}
2.2 - Huntgroups file:
/etc/raddb/huntgroups
---
# this huntgroup will be so that we ensure that if the request is
# from a sniffer, that the user is part of that group
sniffer NAS-IP-Address == 10.1.7.21
sniffer NAS-IP-Address == 10.1.7.22
sniffer NAS-IP-Address == 10.1.7.23
---
2.3 - Users file:
/etc/raddb/users
---
# This is to authenticate Distributed Sniffer Server users
DEFAULT Huntgroup-Name == "sniffer", Group == "snifferroot"
	Reply-Message = "PSCDRWF256"
---
The users you want to have access to the Distributed Sniffer Server have to be in the Unix group listed. You could set up multiple groups and change the DSS permissions appropriately. The users' permissions are set by the Reply-Message attribute. The (undocumented) permissions are:
P - Packet Capture
S - Control Session
C - Remote Config
D - Database
R - Reset Stats
W - Groupware
Fnnn - Frame Slice nnn characters [thanks Kendall and Cherri]
{Getting Started Guide Ver 4.3 states on p16} "For example, the Reply-Message may be CF128 to designate the user has Capture Permission and Frame Slice of 128. Each user may have different permissions."
Also, a word of warning. FreeRadius is VERY particular about the syntax in its configuration files. A missing comma can cause it not to do what you think it should do.
Manually running the daemon in debug mode causes it to spit out a lot of output. Careful reading of it should help you find out what it is not happy about. When all else fails, there is a mailing list for the product; just be sure you have read and re-read ALL of the documentation, or post at your own peril.
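As an added illustration (not part of Patrick's post and not FreeRADIUS code), the script below models what sections 2.2 and 2.3 ask the server to do: derive the huntgroup from NAS-IP-Address, match the DEFAULT entry only for requests from a sniffer whose user is in the snifferroot Unix group, and hand back the Reply-Message. It also decodes the permission letters listed above, rejecting unknown letters or an F with no length, and its users-file parser raises on the missing comma the warning above describes. Everything in it is assumed: the two config texts are constructed copies of the entries above, the request and the group table are made up, and password checking and the rest of the server's module chain are not modelled.

```python
"""Added example (not from the original post): toy model of the huntgroup and
users-file matching above, plus a decoder for the DSS Reply-Message letters.
Assumed: both config texts are constructed copies of the post's entries; the
request and group table are made up; password checks are not modelled."""
import re

HUNTGROUPS = """\
sniffer NAS-IP-Address == 10.1.7.21
sniffer NAS-IP-Address == 10.1.7.22
sniffer NAS-IP-Address == 10.1.7.23
"""
USERS = """\
# This is to authenticate Distributed Sniffer Server users
DEFAULT Huntgroup-Name == "sniffer", Group == "snifferroot"
\tReply-Message = "PSCDRWF256"
"""
# Permission letters as listed in the post; F is followed by a frame-slice length.
PERMISSION_FLAGS = {"P": "Packet Capture", "S": "Control Session",
                    "C": "Remote Config", "D": "Database",
                    "R": "Reset Stats", "W": "Groupware"}

def parse_huntgroups(text):
    """Return {huntgroup name: set of NAS-IP-Address values}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, attr, op, value = line.split()
        if attr != "NAS-IP-Address" or op != "==":
            raise ValueError(f"unsupported huntgroup line: {line!r}")
        groups.setdefault(name, set()).add(value)
    return groups

def parse_users(text):
    """Return [(check items, reply items)].  Check items must be comma-separated:
    the missing comma the post warns about raises instead of being mis-read."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":  # indented line = reply item of the entry above
            m = re.fullmatch(r'\s*([\w-]+)\s*=\s*"([^"]*)"\s*,?', line)
            if not entries or not m:
                raise ValueError(f"bad reply item: {line!r}")
            entries[-1][1][m.group(1)] = m.group(2)
            continue
        name, _, rest = line.partition(" ")
        checks = {"User-Name": name}
        for item in rest.split(","):
            m = re.fullmatch(r'\s*([\w-]+)\s*==\s*"?([^"]*)"?\s*', item)
            if not m:
                raise ValueError(f"malformed or comma-less check item: {item!r}")
            checks[m.group(1)] = m.group(2)
        entries.append((checks, {}))
    return entries

def authorize(request, unix_groups, huntgroups, users):
    """Decide one Access-Request (attribute dict).  unix_groups maps user name to
    its Unix groups (stand-in for /etc/group).  Returns ("Access-Accept", reply
    items) or ("Access-Reject", None)."""
    attrs = dict(request)
    for name, nas_ips in huntgroups.items():  # Huntgroup-Name is derived first
        if attrs.get("NAS-IP-Address") in nas_ips:
            attrs["Huntgroup-Name"] = name
    user = attrs.get("User-Name")
    for checks, reply in users:
        for attr, want in checks.items():
            if attr == "User-Name":
                ok = want in ("DEFAULT", user)
            elif attr == "Group":  # Unix group membership check item
                ok = want in unix_groups.get(user, set())
            else:
                ok = attrs.get(attr) == want
            if not ok:
                break
        else:  # every check item matched
            return "Access-Accept", dict(reply)
    return "Access-Reject", None

def decode_permissions(reply_message):
    """Decode e.g. "PSCDRWF256" into ({permission name: bool}, frame slice or
    None).  Unknown letters or an F without a length raise."""
    perms = {name: False for name in PERMISSION_FLAGS.values()}
    frame_slice, i = None, 0
    while i < len(reply_message):
        ch = reply_message[i]
        if ch == "F":
            m = re.match(r"F(\d+)", reply_message[i:])
            if not m:
                raise ValueError("F must be followed by the frame-slice length")
            frame_slice, i = int(m.group(1)), i + len(m.group(0))
        elif ch in PERMISSION_FLAGS:
            perms[PERMISSION_FLAGS[ch]] = True
            i += 1
        else:
            raise ValueError(f"unknown permission flag {ch!r}")
    return perms, frame_slice

if __name__ == "__main__":
    hg, us = parse_huntgroups(HUNTGROUPS), parse_users(USERS)
    print(authorize({"User-Name": "alice", "NAS-IP-Address": "10.1.7.21"},
                    {"alice": {"snifferroot"}}, hg, us), decode_permissions("CF128"))
```

The point of the group check is that a request from one of the three sniffer addresses for a user who is not in snifferroot is rejected, and the same user asking from any other NAS address never sees the DEFAULT entry at all, so the permission string is only ever returned to the boxes the huntgroup names.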
2.4 - iptables config
If you are running a recent flavor of Linux, be sure you have configured ipchains/iptables to allow the RADIUS port (UDP 1645 or 1812, whichever you set in step 3.2.3.2) through from the DSS into the Linux box.
Step 3 - Configure the Distributed Sniffer Server to use Radius for authentication
3.1 - Config Agent - User Tab
Create a dummy user. This has to be done to be able to do the next step.
3.2 - Config Agent - Options Tab
3.2.1 Check "Verify User Info"
3.2.2 Check "External Security"
3.2.3 Push the [Configure] button
3.2.3.1 Give it the IP address of the Radius Server in the Primary Server field
3.2.3.1a {optional} Give it the IP address of the backup Radius Server in the Secondary Server field
3.2.3.2 Ensure you have the right port number. By default it uses the old Radius protocol port 1645. The newer distributions of Radius use port 1812.
3.2.3.3 Give it the same shared secret word as used in step 2.1 above
3.2.3.4 Give what default user permissions you want.
3.2.3.5 [OK]
3.2.4 [OK]
Step 4 - Test
Now you are ready to try it out. If you use the SniffView menu "Connections->Connect As..." it will prompt you for your username and password. Otherwise, if you connect with the SniffView menu "Connections->Connect" or you select the agent & hit enter, it will try to authenticate with the username you used to access the console and probably fail. You will then be prompted for your username and password. Give it your Radius username and password and you should be good to go.
Again, putting the Radius server in debug mode can help you troubleshoot. And if you want to see the packets as they appear at the Radius server you can always use a Sniffer Pro LAN.
Step 5 - Configure SniffView
These steps will configure SniffView to send your username and password as part of the connect sequence.
5.1 SniffView Console menu - Change Password - Give your console a password
5.2 Agent menu - Modify each agent - put your Radius password in the password field. Did I mention that your console username has to match your Radius username? It does.
Now, you can connect to an agent without typing your password again once you have accessed the console.
Unfortunately, the DSS doesn't send any Radius accounting information so you can't see who connected where and for how long. I've submitted a Feature Modification Request to have this added.
Enjoy!
Patrick
Patrick Bartkus, CCNP, CNX, SCM Sr. Network Engineer
GA Dept of Labor IT Network Services
If truth were not absolute, how could there be justice?