Download and install the following:
FreeRADIUS 1.0.2 or later: For installation instructions, refer to Section 2.0, Installing FreeRADIUS.
Novell eDirectory 8.8 or later: For installation instructions, refer to the Novell eDirectory 8.8 Installation Guide.
After installing eDirectory, you need to configure it using iManager. Refer to Section 3.1.1, Configuring eDirectory for more information.
You also need to extract the self-signed certificate of the Certificate Authority (CA). For more information, refer to Section 3.1.2, Extracting the Self-Signed Certificate of the Certificate Authority.
Novell iManager 2.7.x or later: For installing iManager 2.7.x, refer to the iManager 2.7 Installation Guide.
Download the RADIUS iManager plug-in from the Novell Download site. For the most recent version of the iManager plug-in, refer to the Novell Download site.
Security considerations:
Ensure that you meet the security considerations as discussed in Section 7.0, Security Considerations.
The following prerequisite tasks explain how to configure eDirectory so that you can log in to the system as a system administrator.
You need to configure the following in eDirectory using iManager:
Ensure that you enable universal password for the users in eDirectory. After enabling it, you need to set the universal password either manually or by logging in.
For more information, refer to the "Deploying Universal Password" chapter in the Password Management 3.3.x Guide.
An Administrator object is a User object.
For information on creating a RADIUS Administrator object in eDirectory, refer to the Managing User Accounts section in the Novell eDirectory Administration Guide.
You need to specify the DN of the RADIUS Administrator object while modifying the attributes in the LDAP module.
Grant the RADIUS administrator the write right over the ACL attribute of the user object whose universal password has to be read. Granting this right gives the RADIUS administrator administrative rights over that user object.
The eDirectory administrator can also be the RADIUS administrator. For more information on eDirectory rights, refer to the Novell eDirectory Administration Guide.
By default, the administrator does not have the right to read the universal password. The eDirectory administrator modifies the password policy to enable the RADIUS administrator to read the universal password.
Execute the following steps to grant rights to the RADIUS administrator in order to retrieve the universal password:
In iManager, click the Roles and Tasks button.
Click Passwords > Password Policies and select the password policy being used.
Click Universal Password > Configuration Options.
Select the Allow admin to retrieve passwords check box under Universal Password Retrieval.
Click Apply, then click OK.
Extract the self-signed certificate of the Certificate Authority in Base64 format. For information on extracting the certificate, refer to the Novell Certificate Server 3.3.x Administration Guide.
You need to specify the path and filename of the extracted certificate while modifying the attributes in the LDAP module of the radiusd.conf configuration file. The configuration parameter is:
| Parameter | Description |
|---|---|
| tls_cacertfile | Specifies the full path of a certificate file in the UNIX file system. |
NOTE: The RADIUS server administrator has to make sure that the (UNIX) user having RADIUS server rights also has the right to read the certificate files.
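
The following pre-flight check for the file named by tls_cacertfile is an added example, not part of the original guide or of FreeRADIUS. It assumes you run it as the UNIX account that radiusd runs under, and the path in the final comment is a placeholder.

```shell
#!/bin/sh
# Added example: verify the CA certificate file referenced by tls_cacertfile.
# Run as the UNIX account that radiusd runs under, so the read test
# reflects that account's rights.

# check_cacert FILE
# Returns: 0 = usable
#          1 = missing or not readable by the current user
#          2 = not a base64 (PEM) certificate, e.g. a binary DER export
#          3 = writable by group or others (trust anchor could be replaced)
check_cacert() {
    f=$1

    # The RADIUS server account must be able to read the file.
    if [ ! -f "$f" ] || [ ! -r "$f" ]; then
        echo "FAIL: $f is missing or not readable by $(id -un)" >&2
        return 1
    fi

    # A base64 export carries PEM armor lines; a DER export does not.
    if ! grep -q -e '^-----BEGIN CERTIFICATE-----' "$f" ||
       ! grep -q -e '^-----END CERTIFICATE-----' "$f"; then
        echo "FAIL: $f is not base64 encoded (binary DER export?)" >&2
        return 2
    fi

    # Read access is required; write access for group or others is not.
    # -H makes find inspect the target if FILE is a symbolic link.
    if [ -n "$(find -H "$f" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL: $f is writable by group or others" >&2
        return 3
    fi

    echo "OK: $f"
    return 0
}

# Example call (placeholder path, not from the guide):
# check_cacert /path/to/extracted-ca-cert.b64
```

A nonzero return code identifies which of the three conditions failed, so the check can gate a radiusd restart in a deployment script.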