BlueCoat Packetshaper and FreeRadius

For a test, I recently was in need of setting up a FreeRadius server to authenticate users from a BlueCoat PacketShaper appliances.

In this, I found the aforementioned eBox a really good help. Insallation and setup was relatively a breeze. I first enabled both the LDAP and RADIUS modules. The LDAP module was configured witht eh appropriate domain values, and I added some groups and users for good measure.

The eBox ties RADIUS authentication with LDAP, which is why I needed the LDAP module. It then allows you to choose which LDAP group should be allowed to use RADIUS login. Simple enough till there. One caveat to this: you can only use PAP, not CHAP. RADIUS encrypts the password anyway, but fact remains that the password is still transmitted over the wire, making it slightly less secure. Anyway, in a LAN environment you can probably live with such a good ease-of-use to security tradeoff.

Also remember to add the IP addresses of the RADIUS client. Don’t let the term “client” confuse you. This does not refer to the actual user PCs, it refers to the authenticators that will be using this server (in this case, the PacketShaper). With other RADIUS clients, configuration basically stops here. On these RADIUS clients, (eg ProxySG) you basically point it to the RADIUS server, enter the correct shared key and off you go. With PacketShaper it’s not so simple because it expects the RADIUS server to return a specific attribute (basically this attribute determines if the user will have read only or read-write access to the packetshaper. There are specific details in freeradius configuration on the bluecoat support site, here specifically:

https://bto.bluecoat.com/packetguide/8.4/info/configure-radius-server.htm

 

But, here are some pointers that I figured I should make a note of, specifically for users of the eBox:

– Configuration files are located at: /etc/freeradius

– Changed logging to show authentication failures and success in radiusd.conf (these options are well commented, towards the bottom of the file)

– The users file is:

# /etc/freeradius/users

DEFAULT LDAP-Group == RADIUS_Users

                          Service-Type := Login-User,

                          Packeteer-AVPair = "access=touch"

DEFAULT Auth-Type := Reject

There is a slight but important difference between my users file and that recommended by the BlueCoat site. The bluecoat site assumes local authentication (that is the RADIUS server has the usernames and password stored locally). In my case, since the RADIUS server is linked to the LDAP module, and I chose the group “RADIUS_Users” as my group to be able to authenticate versus RADIUS, note the use of “LDAP-Group == RADIUS_Users

– From the file named “dictionary”, we see that the path for the actual dicitonary is “/usr/share/freeradius/dictionary”, so added I added the dictionary.packeteer (as described int eh above link) in the directory /usr/share/freeradius

– Use tail -f /var/log/freeradius/radius.log to monitor progress