
keycloak-freeradius-demo's Introduction

PoC for Authenticating Free-Radius against Keycloak

This setup uses free-radius, keycloak and the pam-exec-oauth2 module to authenticate a user through free-radius against Keycloak.

The authentication works like this:

free-radius -> PAM -> pam_exec -> pam-exec-oauth2 -> Keycloak

Build

Build pam-exec-oauth2 module

To rebuild the pam-exec-oauth2 Go binary, follow the instructions in https://github.com/shimt/pam-exec-oauth2 and copy the resulting native binary pam-exec-oauth2 into the radius folder.

Note that the pam-exec-oauth2 module can be configured via radius/pam-exec-oauth2.yaml.

Build custom free-radius image

radius/build.sh

Run

Start Keycloak

This starts a Keycloak instance reachable via http://localhost:8180/auth, to which you can log in with username: admin and password: admin.

The provided radiusdemo-realm.json file is automatically imported into Keycloak. It provides a radiusdemo realm with a client for radius authentication, svc-radius-client, and a test user with the username tester and password test.

keycloak/run.sh

Start free-radius

This will start a docker container with the name my-radius listening on ports 1812-1813:1812-1813/udp.

Note that you'll need to configure the client networks via the clients.conf file. You can also adjust the default secret testing123 manually or replace it automatically via the RADIUS_SECRET env variable.

radius/run.sh

Test Login

The following tests use the radtest tool within the my-radius container.

Test Login Fail

This attempt uses an incorrect password.

radius/test-login-fail.sh

Output:

Sent Access-Request Id 182 from 0.0.0.0:45851 to 127.0.0.1:1812 length 76
	User-Name = "tester"
	User-Password = "wrong"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 1
	Message-Authenticator = 0x00
	Cleartext-Password = "wrong"
Received Access-Reject Id 182 from 127.0.0.1:1812 to 127.0.0.1:45851 length 20
(0) -: Expected Access-Accept got Access-Reject

Test Login Success

This attempt uses a correct password.

radius/test-login-ok.sh  

Output:

Sent Access-Request Id 139 from 0.0.0.0:47297 to 127.0.0.1:1812 length 76
	User-Name = "tester"
	User-Password = "test"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 1
	Message-Authenticator = 0x00
	Cleartext-Password = "test"
Received Access-Accept Id 139 from 127.0.0.1:1812 to 127.0.0.1:47297 length 20
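
Both requests above carry the password in the User-Password attribute (PAP), since the PAM chain needs the cleartext password to hand to Keycloak; on the wire that attribute is protected only by the RADIUS shared secret. The following Python is an added example, not code from this project: it implements the User-Password hiding from RFC 2865 section 5.2 to show that the secret (testing123 by default here) is all that is needed to recover the password, and why both requests have length 76. The function names and the authenticator value are assumptions made for the example.

```python
import hashlib
import os

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous hidden block), starting from the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does on receipt: rebuild the same masks and XOR."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")  # strip the NUL padding added by the client

def access_request_length(user: bytes, hidden: bytes) -> int:
    """Size of the Access-Request printed by radtest: 20-byte header plus the
    User-Name, User-Password, NAS-IP-Address, NAS-Port, Message-Authenticator TLVs."""
    return 20 + (2 + len(user)) + (2 + len(hidden)) + 6 + 6 + 18

if __name__ == "__main__":
    authenticator = os.urandom(16)  # constructed; a real client picks one per request
    for pw in (b"test", b"wrong"):
        hidden = hide_password(pw, b"testing123", authenticator)
        print(pw, hidden.hex(), access_request_length(b"tester", hidden))
```

Because "test" and "wrong" are both padded to one 16-byte block, the packet length does not distinguish them; the only confidentiality comes from a shared secret that is not the published default.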

Issues

No known issues so far.

keycloak-freeradius-demo's People

Contributors

thomasdarimont
