
Addendum to the FreeRADIUS Administration Guide

Novell Cool Solutions: Feature
By Fahim Siddiqui


Posted: 30 Jun 2005
 


Introduction

The FreeRADIUS Administration Guide is available at: http://www.novell.com/documentation/edir_radius/index.html

This article serves as an addendum to the Administration Guide. Its purpose is to integrate eDirectory 8.7.3.6 running on NetWare 5.1 patched to SP8 with FreeRADIUS v1.0.2 running on SLES 9 SP1. With this, wireless/802.11 authentication against eDirectory running on NetWare 5.1 is made possible.

Below are the extra software packages employed. (I am not considering core NetWare 5.1 and SLES 9 OS here, and the links given below can change - but they hold good as of June 20th, 2005.)

Note: I recommend using the PDF version of the RADIUS Administration Guide, as it is easier to reference the page numbers and subsections that way. Follow the Administration Guide step by step, unless this article contains an extra comment relating to a subsection; such a comment indicates that a change or deviation from the original document is required.

Acknowledgements

Please join me in acknowledging the help given in implementing this solution to the following people:

  • Sayantan Bhowmick: Developer, Novell Forge Free Radius
  • Jacob Kuriyan: CO, Etisalat College
  • Dennis Comeaux

Extra Software Needed

Setting Up the Test Environment

My test environment looked something like this:

Figure: Test environment for FreeRADIUS integration

My eDirectory structure on Netware 5.1 was something like the following:

ETC_TREE (NDS tree)
|
+-- (O) ETC
    |-- User: admin
    |-- User: radmin
    +-- (OU) STAFF
        |-- (Server) STAFF_SRVR
        |-- LDAP Server - STAFF_SRVR
        |-- LDAP Group - STAFF_SRVR
        +-- All other RADIUS users

The FreeRadius module that I downloaded from the Novell Forge site was installed on SUSE Linux Enterprise 9, along with iManager 2.5, as iManager is not natively supported on NetWare 5.1.

NetWare 5.1 is patched to SP8, with eDirectory version 8.7.3.6 and its LDAP agent installed. Console > Load Monitor shows the module nmas.nlm running at version 2.6.5 (the result of patching to SP8). Make sure that it is above v2.3, as that is the minimum listed requirement for iManager 2.5.

After installing iManager on SLES 9, test your admin connection by logging in to eDirectory. Also, from the LDAP browser, check whether you can log in and browse the tree structure. That confirms that the LDAP agent is running and that port 389 is listening. You can also check the listening ports with tcpcon at the NetWare console.

Integration Steps

Installing the Password Management Plugin

(See TID 10091343 for FAQ on Universal passwords.)

Download the plugin in .jar format and follow the steps given in TID 10097107:
http://support.novell.com/cgi-bin/search/searchtid.cgi?10097107.htm

The steps might look overwhelming at first but they are doable. What we derive in the end is a set of schema (.sch) files and iManager plugins in package module format (.npm files).

Extending the Schema

Now extend the schema of eDirectory 8.7.3.6 to comply with the NMAS requirements:

  1. Copy all the (.sch) files into a folder in Sys:Public.
  2. At the server console, load nwconfig.nlm.
  3. Select Directory Options > Extend Schema.
  4. Enter an administrator name and password.
  5. Press F3 (F4 if you're using RCONSOLE) and specify the path to the \public\*.sch files.
  6. Install all the five schema files, one by one (you can't select them all at once).

Installing the Plugin Modules

  1. Log in to iManager as Admin.
  2. Click on the Configure icon.
  3. Select Module Installation > Available Novell plug-in modules > New.
  4. Browse to the directory where you have extracted the six .npm files.
  5. In sequence, bring in all the .npm files except Platform Administration and NMAS Client.
  6. Once all of them are brought into the window, select them all and click Install.

Upgrading NICI

This may be a good time to upgrade your NICI. Crypto Upgrade provides the ability to upgrade existing installations of NetWare 5.1 or later with enhanced cryptographic support. It also resolves several reported deficiencies.

  1. Extract the compressed files out of the package that you downloaded earlier (nici_u0.exe).
  2. Follow the installation notes given in the 'readme' file therein. The installation will update any existing version of NICI to version 2.6.7.

You might want to restart the NetWare server now to see if everything is fine after extension of the schema. The documentation advises that only the Tomcat server serving iManager, residing on SLES, be restarted.

Having done this, verify that your SDI Domain key servers are ready for Universal Passwords.

You might want to read and follow TID 2966746 in this regard: http://support.novell.com/cgi-bin/search/searchtid.cgi?/2966746.htm

Enabling Universal Password

Here are the steps to enable Universal Passwords. The steps here complement the 'Enabling Universal Password for edirectory users' section on Page 12 of the Administration Guide.

If you have installed the Password Management plug-in as described in the steps earlier, do the following:

  1. Start iManager.
  2. Under Roles and Tasks > Passwords, click Manage Password Policies.
  3. Click New to start the Password Policy Wizard.
  4. Provide a name for the policy (say, Universal PW Policy) and click Next.
  5. Click Yes to enable Universal Password. Do not select Advanced Password Rules at this time.
  6. Under the Option tab, select All.
  7. Complete the Password Policy Wizard.
  8. Assign Password policy to the whole organization if you wish. In my case, I assigned it to .ETC.

Important note from the NMAS Documentation: When you enable Universal Password on a container (that is a partition root), it is enabled on all existing sub-containers as well. If you enable Universal Password at the Tree level, all sub-containers you create after enabling Universal Password will be enabled for Universal Password.

However, if you enable Universal Password on a container below the Tree level, such as on an Organization (O) or an Organizational Unit (OU) that is NOT a partition root, and then create a new sub-container, you must enable Universal Password on that sub-container. It is not automatically enabled.


  1. Create a user (radmin in my case) and grant him Supervisor rights over the container. He may be made 'admin' equivalent, but he acts as the RADIUS administrator.
  2. Assign him a Universal Password during the creation process as you should now have the feature installed and available.
  3. Read Page 24 of the Administrator Guide.
  4. Do Scenario 1 under the section "Granting Rights to RADIUS Administrator to retrieve password" on Page 12 of the Radius Admin Guide.

Note: DO NOT extract any self-signed Certificate. I could not make this part work, but there is an alternative I'll define later.

Installing FreeRADIUS

Now it's time to install the FreeRADIUS rpm on the SLES machine. To install it, just run rpm -i (filename) or use YaST. Skip the "Modifying the LDAP Module" subsection on Page 13 for now.

The next step is to extend the eDirectory schema again for incorporating FreeRADIUS features in iManager. An 'un-tar' of iManager plug-in package 'radius_npm.tar' gives you two LDIF files, along with a license and a (.npm) file. We installed the 'radius.npm' file earlier - now we will extend schema again using the two LDIF files (addclassmap.ldif and RADIUS-LDAPv3.ldif). Explanation of this procedure is on Page 31 of the Admin Guide.

To do this, you can use ICE Wizard located under iManager's Roles and Tasks > eDirectory maintenance.

You might also want to do Scenario 2 on Page 18 of the Admin Guide. Make sure that an eDirectory class 'RADIUS:Profile' is added and mapped to the primary LDAP class using the name 'novellradiusprofile'.

Take note of Step 4 of Scenario 2 as mentioned in the guide. Make sure that it goes through without errors, or else the addclassmap.ldif attributes won't be incorporated into the eDirectory schema.

You don't need to add any Radius attributes at this time (mentioned on Page 19 of the guide). You can instead create RADIUS users of the existing eDirectory users in order to test the functionality later.

  1. Under iManager > Roles and Tasks > LDAP Options > LDAP Servers > Connections, select Server Certificate.
  2. Select SSL Cert DNS.
  3. Uncheck "Require TLS for all operations".
  4. Read page 13 of the Guide.
  5. Make sure you have installed FreeRADIUS on SLES 9 and NTRadPing on your Windows 2000/XP machine (in case you are not using an 802.1X-enabled live network access point and a wireless client).

Installing an LDAP Browser for Linux

You can install an alternate version of the LDAP browser for Linux on the SLES 9 machine. This has the added advantage of testing LDAP server accessibility from the same machine that hosts FreeRADIUS.

1. Modify radiusd.conf (in the raddb directory). Under the ldap section, my entries looked something like this:

ldap {
	#server = "ldap.your.domain"
	# *Added by ME*
	server = "STAFF_SRVR.STAFF.ETC"
	# identity = "cn=admin,o=My Org,c=UA"
	identity = "cn=radmin,o=etc"
	# password = mypass
	password = secret          # I assigned this as the Universal Password for radmin
	#basedn = "o=My Org,c=UA"
	basedn = "o=etc"
	...
	# start_tls = no
	# *Added by ME*
	port = 636
	tls_mode = yes
}

2. In the authorize section, below the commented-out ntdomain entry, enable the ldap module so that eDirectory is consulted:

authorize {
	...
	#ntdomain
	eap
	# *Added by ME*
	ldap
	#
	#  Read the 'users' file
	files
}

Under the authenticate section, uncomment the Auth-Type LDAP block:

authenticate {
	...
	Auth-Type LDAP {
		ldap
	}
}

3. In the eap.conf file, make the changes to set the default EAP type to "peap."

4. Enable the TLS and PEAP sections:

eap {
	default_eap_type = peap
	...
	tls {
		private_key_password = whatever
		...
	}
	...
	peap {
		#  The tunneled EAP session needs a default
		#  EAP type which is separate from the one for
		#  the non-tunneled EAP module.  Inside of the
		#  PEAP tunnel, we recommend using MS-CHAPv2,
		#  as that is the default type supported by
		#  Windows clients.
		default_eap_type = mschapv2
	}
	...
	mschapv2 {
	}
}

Here I found the Kate text editor more useful than vi, as Kate highlights matching brackets, making it easier to debug these conf files.

5. Edit these three lines in clients.conf:

client 192.168.100.0/24 {
	secret		= testing123
	shortname	= cottage
}

6. Start 'radiusd -X -A' at the SLES console.

7. From the NTRadPing utility, authenticate as 'radmin' with the assigned password against the RADIUS server on port 1812. You should see the response 'Access-Accept' in the right-hand pane of the utility.
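As an added check that is not part of the original article, the following Python script parses FreeRADIUS-style configuration fragments like the ones above into nested sections and flags the settings a practitioner would revisit before moving beyond the test lab: an LDAP bind password configured without tls_mode or start_tls, a client shared secret left at the sample value testing123, and the private_key_password left at the sample value. The embedded sample configuration is constructed from the article's fragments; the parser and checks are this addendum's own, not FreeRADIUS code.

```python
# Constructed sample mirroring the article's ldap, client and eap/tls fragments
# ("secret", "testing123" and "whatever" are the values the article shows).
SAMPLE = """ldap {
    identity = "cn=radmin,o=etc"
    password = secret          # radmin's Universal Password
    tls_mode = yes
}
client 192.168.100.0/24 {
    secret    = testing123
}
eap {
    tls {
        private_key_password = whatever
    }
}
"""

def parse(text):
    """FreeRADIUS-style config -> nested dicts; bare words (e.g. 'ldap') -> True."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()     # drop comments and whitespace
        if not line:
            continue
        if line.endswith('{'):                  # open a nested section
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == '}':                       # close it
            cur = stack.pop()
        elif '=' in line:
            k, v = (s.strip() for s in line.split('=', 1))
            cur[k] = v.strip('"')
        else:
            cur[line] = True
    if stack:
        raise ValueError('unbalanced braces')
    return root

def lint(cfg):
    out, ldap = [], cfg.get('ldap', {})
    # radmin's bind password crosses the wire: require LDAPS (tls_mode) or StartTLS.
    if 'password' in ldap and 'yes' not in (ldap.get('tls_mode'), ldap.get('start_tls')):
        out.append('ldap: bind password would be sent in the clear')
    for name, sec in cfg.items():               # every 'client <addr>' section
        if name.startswith('client ') and sec.get('secret') in (None, 'testing123'):
            out.append(name + ': shared secret missing or left at sample value')
    if cfg.get('eap', {}).get('tls', {}).get('private_key_password') == 'whatever':
        out.append('eap/tls: private_key_password left at sample value')
    return out
```

Running lint(parse(SAMPLE)) against the article's values reports the client secret and the private key password; switching tls_mode off adds the cleartext-bind finding.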

