Configuring FreeRADIUS on Open Enterprise Server for Linux
Novell Cool Solutions: Tip
By Eric Champagne
Posted: 31 Aug 2005
Problem:
After many hours and days of trying to configure FreeRADIUS on my OES Linux (SUSE 9 SP1) with LDAP authentication and a Linksys WRT54G access point ... here is a step-by-step documentation for you!
Here is my setup and what you should download before starting the procedure.
Solution:
Hardware Needed
- Server for OES Linux
- Linksys Router Wireless - WRT54G
- Workstation XP with Wireless Network Card
Software Needed
- OES Linux (SUSE 9 SP1) - Installed with eDir + NCP + iManager 2.5
  Note: FRESH INSTALLATION
- FreeRADIUS 1.02
  http://forge.novell.com/modules/xfcontent/downloads.php/edirfreeradius/SLES%209/
- Certificates Scripts for FreeRADIUS
  http://oriol.joor.net/article_fitxers/1574/certs.tar.gz
- iManager Plugins for RADIUS
  http://forge.novell.com/modules/xfcontent/downloads.php/edirFreeRADIUS
- iManager NMAS Client
  http://support.novell.com/cgi-bin/search/searchtid.cgi?10097107.htm
  Note: Follow this TID to extract the NMASCLIENT.NPM
Step 1 - Install FreeRADIUS
- Copy the 2 FreeRADIUS packages into the /tmp directory on your OES Linux server.
- Go into YaST.
- Go to Software / Install and Remove Software and search for the FreeRADIUS package. If it is not installed, install it.
- Return to the command line and install both FreeRADIUS RPMs:
  rpm -Uvh --force /tmp/freeradius-1.0.2-0.i586.rpm
  rpm -Uvh --force /tmp/freeradius-devel-1.0.2-0.i586.rpm
- Delete the whole CERTS directory under /etc/raddb/
- Copy certs.tar.gz under /tmp directory.
- Unpack certs.tar.gz:
  tar -zxf certs.tar.gz
- Edit CA.certs following this example (it is a shell script, so comments start with #):
  COUNTRY="CA"
  PROVINCE="Quebec"
  CITY="Montreal"
  ORGANIZATION="Complys technologies inc"
  ORG_UNIT="HeadOffice"
  PASSWORD="complys"                 # Use a password of your choice
  COMMON_NAME_CLIENT="Rezotik Client SSL"
  EMAIL_CLIENT="i...@complys.dot.com"
  PASSWORD_CLIENT=$PASSWORD
  COMMON_NAME_SERVER="Rezotik Server SSL"
  EMAIL_SERVER="i...@complys.com"
  PASSWORD_SERVER=$PASSWORD
  COMMON_NAME_ROOT="Root certificate"
  EMAIL_ROOT="i...@complys.dot.com"
  PASSWORD_ROOT=$PASSWORD
- Go to line 85 of CA.certs and replace that line with the following one:
  echo "newreq.pem" | ./CA.pl -newca || exit 2
- Copy the whole directory /tmp/certs into /etc/raddb
- Extract the self-signed certificate with the following steps:
- Open ConsoleOne
- Highlight the Security Container
- Go to the properties of the CERTIFICATE AUTHORITY object, then to the Certificates tab, under Self Signed Certificate.
- Click Export and say NO to exporting the private key.
- Save the file in B64 format under /etc/raddb/certs with the name rootder.b64 (radiusd.conf below refers to it as /etc/raddb/certs/rootder.b64).
- Modify the file /etc/raddb/radiusd.conf
  # ... Change under MODULE SECTION ... #
  modules {
      pap {
          encryption_scheme = crypt
      }
      chap {
          authtype = CHAP
      }
      pam {
          pam_auth = radiusd
      }
      unix {
          cache = no
          cache_reload = 600
          radwtmp = ${logdir}/radwtmp
      }
      $INCLUDE ${confdir}/eap.conf
      mschap {
          authtype = MS-CHAP
          use_mppe = yes
          require_encryption = yes
          require_strong = yes
          authtype = MS-CHAP
      }
      ldap {
          server = "localhost"
          identity = "cn=admin,o=complys"
          password = password        # !!! Use your own admin password here !!!
          basedn = "o=complys"
          filter = "(uid=%{Stripped-User-Name:-%{?User-Name}})"
          base_filter = "(objectclass=radiusprofile)"
          start_tls = yes
          tls_cacertfile = /etc/raddb/certs/rootder.b64
          access_attr = "dialupAccess"
          ldap_connections_number = 5
          password_attribute = nspmPassword
          edir_account_policy_check = yes
          timeout = 4
          timelimit = 3
          net_timeout = 1
      }
  }
  # ... CHANGE UNDER AUTHORIZE SECTION ... #
  authorize {
      preprocess
      chap
      mschap
      suffix
      eap
      files
      ldap
  }
  # ... CHANGE UNDER AUTHENTICATE SECTION ... #
  authenticate {
      Auth-Type PAP {
          pap
      }
      Auth-Type CHAP {
          chap
      }
      Auth-Type MS-CHAP {
          mschap
      }
      unix
      Auth-Type LDAP {
          ldap
      }
      eap
  }
  # ... CHANGE UNDER POST-AUTH SECTION ... #
  post-auth {
      ldap
      Post-Auth-Type REJECT {
          ldap
      }
  }
- Modify the file /etc/raddb/eap.conf
  eap {
      default_eap_type = peap
      timer_expire = 60
      ignore_unknown_eap_types = no
      md5 {
      }
      leap {
      }
      tls {
          private_key_password = complys
          private_key_file = /etc/raddb/certs/cert-srv.pem
          certificate_file = /etc/raddb/certs/cert-srv.pem
          CA_file = /etc/raddb/certs/demoCA/cacert.pem
          dh_file = /etc/raddb/certs/dh
          random_file = /etc/raddb/certs/random
          fragment_size = 1024
          include_length = yes
      }
      ttls {
          default_eap_type = md5
          copy_request_to_tunnel = yes
          use_tunneled_reply = yes
      }
      peap {
          default_eap_type = mschapv2
      }
      mschapv2 {
      }
  }
- Modify the file /etc/raddb/clients.conf
  client 192.168.1.0/24 {
      secret = rezotik
      shortname = newton
  }
- Modify the file /etc/raddb/users
!!! EMPTY THE WHOLE FILE !!! We don't need it because you will use LDAP authentication.
- Start FreeRADIUS at the command line : radiusd -X -A
- Note: You should see "READY TO PROCESS REQUESTS" if your configuration is good. Otherwise double-check your files.
- Note: You should test your RADIUS connection with the NTRadPing utility before continuing.
- Note: We installed FreeRADIUS with YaST because FreeRADIUS has a couple of dependencies. It's easier to do it this way if you don't know which packages are needed.
- Note: My subnet is 192.168.1.0/24 ... Change it for your subnet.
  The "secret" attribute is the shared secret an access point must know to be allowed to talk to the RADIUS server; the Shared Key you enter on the router in Step 4 must be the same value.
Step 2 - Install RADIUS Plugin and NMAS Client Plugin into iManager
- Install RADIUS.NPM and NMASCLIENT.NPM into iManager. Note: I will not describe all the steps ... I'll assume that you are a Novell administrator and know how to use iManager and add a plugin to it.
- Install both LDIF files included with the NPM files for RADIUS.
- Note: The easiest way to add them without problems is ConsoleOne under Tools / NDS Import/Export.
- Open iManager - Go under RADIUS
- Click on Extend Schema for RADIUS - Say Yes to Extend the schema.
Step 3 - Create a Universal Password Policy
- Open iManager - Go under PASSWORD
- Click on Password Policy
- Add a NEW POLICY - Give the policy a name - Example: Universal Password Policy
- Disable Advanced Password Rules
- Click on VIEW OPTIONS
- Enable everything except : Remove the NDS password when setting Universal Password.
- Next - Next -
- DON'T ASSIGN ANY USERS OR CONTAINER NOW!
Step 4 - Configure your linksys Router Wireless WRT54G
- Go into the administration web page of your router.
- Under Wireless Security - Choose
Security Mode: WPA RADIUS
WPA Algorithms: TKIP
RADIUS Server Address: 192.168.1.30 <------ IP Address of my OES Linux server
RADIUS Port: 1812
Shared Key: complys <----- the RADIUS shared secret; it must be the same value as "secret" in /etc/raddb/clients.conf
Key Renewal Timeout: 3600 seconds
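Before trusting the router with the shared secret, it helps to confirm from a workstation that the server answers and that the secret matches. The script below is an added example written for this page; it is not part of the original tip, not NTRadPing and not FreeRADIUS code. It does what the NTRadPing test in Step 1 does: it builds an RFC 2865 Access-Request carrying a PAP User-Password and then verifies the Response Authenticator of the reply, which is the only evidence the client has that the reply came from a server holding the same shared secret. The NAS-IP-Address it sends (192.168.1.1 by default) and the function names are assumptions of this example; the server address, port and secret are the values used in this tip.

```python
# Added example, not from the original tip or from FreeRADIUS: a minimal
# RADIUS test client in the spirit of NTRadPing (RFC 2865). It builds an
# Access-Request carrying a PAP User-Password and verifies the Response
# Authenticator of the reply against the shared secret from clients.conf.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password.ljust((len(password) + 15) // 16 * 16 or 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decrypt_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_password; this is the step the server performs."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         nas_ip: str = "192.168.1.1", authenticator: bytes = b"") -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes; the
    Request Authenticator must be fresh random bytes for every request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         encrypt_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, attribute bytes)."""
    code, ident, length = struct.unpack("!BBH", data[:4]) if len(data) >= 20 else (0, 0, 0)
    if not 20 <= length <= len(data):
        raise ValueError("bad or truncated RADIUS packet")
    return code, ident, data[4:20], data[20:length]


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """What a server holding `secret` sends back; lets the check run offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A reply made with a different secret, or not answering this request, fails."""
    code, ident, resp_auth, attrs = parse_packet(reply)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def ping_radius(server: str, secret: bytes, username: str, password: str,
                port: int = 1812, timeout: float = 4.0) -> str:
    """Send one Access-Request over UDP; returns 'accept', 'reject',
    'bad-authenticator' (secrets differ or the reply is not from the server)
    or 'timeout' (FreeRADIUS silently drops hosts missing from clients.conf)."""
    ident, request_auth = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(ident, username, password, secret,
                                  authenticator=request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    code, reply_ident, _, _ = parse_packet(reply)
    if reply_ident != ident or not verify_response(reply, request_auth, secret):
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")
```

From a host inside the 192.168.1.0/24 client block, `ping_radius("192.168.1.30", b"rezotik", "radmin", "<the user's password>")` should return "accept" for a user that has dialupAccess set, "reject" for one that does not, and "bad-authenticator" when the secret on the two sides differs; "timeout" while radiusd -X shows nothing usually means the sending host is not covered by clients.conf.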
Step 5 - Configure your Wireless card under Windows XP
- Under Network Connection - Go on properties of your Wireless Card
- Click on Wireless Network
- Enable : Use Windows to configure my wireless networks settings.
- Click on ADD under the PREFERRED NETWORKS section.
- Enter the SSID of your Wireless Router.
- Click on AUTHENTICATION TAB
- Choose in the DROP DOWN LIST for EAP Type : Protected EAP (PEAP)
- Click on PROPERTIES just under the drop down list.
- Disable VALIDATE SERVER CERTIFICATE (the XP client does not have the self-signed root certificate from Step 1, so it cannot validate the server; with validation off the client accepts whichever RADIUS server answers behind the SSID)
- Select Secured password (EAP-MSCHAP v2) for Authentication Method.
- Click on Configure ...
- Disable AUTOMATICALLY USE MY WINDOWS LOGON NAME AND PASSWORD
- Click OK - Click OK
- Click on CONNECTION Tab
- Disable CONNECT WHEN THIS IS IN RANGE
- Click OK.
- Note: You should now see a connection for your SSIDNAME (On Demand)
Step 6 - Create a USERS and RADIUS USERS under eDirectory
- Create a user with ConsoleOne or iManager
- Give the user a username and a password
- Open iManager - Go under RADIUS
- Click on CREATE RADIUS USERS
- Choose the user that you just created
- Click on MODIFY RADIUS USERS
- Click on OTHERS ITEMS Tab
- Add ON to the dialupAccess Attribute.
- Apply changes
Step 7 - Try your connection with Windows XP wireless card
- Go under VIEW AVAILABLE WIRELESS NETWORK
- Click SSIDNAME(ON DEMAND) access point.
- Enter the credential of the user that you just created
- THAT'S IT !!!!
Step 8 - Troubleshoot USERS login
- First problem - error FAILED AUTHENTICATE -669 in the FreeRADIUS console.
- Note: A great tool to check whether your user is ready to work with RADIUS is the UNIVERSAL PASSWORD DIAG UTILITY.
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2970885.htm
- Note: The NMAS Client plugin for iManager (see STEP 2) should be installed to synchronize the UP (Universal Password) with the NDS password, etc ...
A good user should return this:
  Object DN: cn=radmin,o=complys
  EMail: [NONE]
  Password Status: Enabled, Set
  Simple Password Status: Set
  Password Policy DN: cn=Universal Password Policy,cn=Password Policies,cn=Security
A bad user should return this:
  Object DN: cn=radius2,o=complys
  EMail: [NONE]
  Password Status: Enabled, Set, UP != NDS
  Simple Password Status: Set, Simple != NDS
  Password Policy DN: cn=Universal Password Policy,cn=Password Policies,cn=Security
Hope this will help you. Comments are welcome!
Eric Champagne, CNE, CCNA

