Dear Tek and everyone,

In message <[EMAIL PROTECTED]>, [EMAIL PROTECTED] writes
>I am very new to FreeRadius. Just today, I have installed FreeRadius
>1.13 from FreeBSD 6.0 (i386) ports.

I am the maintainer of the FreeBSD FreeRADIUS port starting from version 1.1.3. It's probably about time I revealed myself here.

>I am following this material from:
>http://www.onlamp.com/pub/a/onlamp/excerpt/radius_5/index1.html

As Alan DeKok says, that material is very old (2002 vintage, which is ancient history in FreeRADIUS terms). It really can't be recommended now, and I suggest that you follow the usual advice to start from the sample configuration shipped with FreeRADIUS.

As is usual for a FreeBSD port (see the FreeBSD Porter's Handbook, section 7.2), the port installs the sample FreeRADIUS configuration, but the name of each file has a suffix, in this case .sample. This is to stop port upgrades, or deinstall/reinstalls, from wiping your hand-crafted configuration.

In the case of FreeRADIUS, assuming you don't set PREFIX explicitly to something else, the default configuration files go in /usr/local/etc/raddb, suffixed with .sample - so /usr/local/etc/raddb/radiusd.conf.sample and so on.

I suggest, therefore, that you

    cd /usr/local/etc/raddb
    cp -p radiusd.conf.sample radiusd.conf

and edit radiusd.conf to suit your environment. You will need to do the same (unless you symlink if you don't need to make any changes, or you make appropriate changes to the configuration) for:

    clients.conf.sample
    dictionary.sample
    eap.conf.sample
    hints.sample
    huntgroups.sample
    proxy.conf.sample
    snmp.conf.sample
    sql.conf.sample

and probably also:

    acct_users.sample
    preproxy_users.sample
    users.sample

If you're using EAP, I suggest that you place your own certificates in raddb/mycerts, and edit eap.conf accordingly. Placing your own certificates in raddb/certs is likely to lead to them being wiped on an upgrade. (Memo to self: changing the port to install the test certificates in raddb/certs.sample is possibly worthwhile).

Do NOT use the certificates shipped with FreeRADIUS on a production server - this is a significant security hole.

I've not had any reports, other than yours, of the FreeBSD port failing since I took over the maintainership. I've had a few requests for enhancement of the port, and I've dealt with all those other than ones that I've dealt with and fixed the port for.

The FreeBSD port is now up to 1.1.4_1; in other words, the second revision of the port of FreeRADIUS 1.1.4. The initial 1.1.4 port didn't rm -r rlm_sql_firebird, which has already been acknowledged on this list as broken, so configure failed when experimental modules were enabled.

For versions 1.1.2 to 1.1.4, I was working on FreeBSD 6.1-RELEASE i386, but I have now moved to 6.2-RELEASE i386. FreeBSD's pointyhat cluster monitors build failures on other architectures, but nothing monitors whether the software runs on other architectures.

FreeBSD 6.0-RELEASE becomes end of life on 31 January 2007 - from that point on there's no more security team support. It's worth considering an upgrade to 6.2-RELEASE, though read the errata and other release notes first.

I never used 6.0-RELEASE (I jumped from 5.4-RELEASE to 6.1-RELEASE on my main box). 6.0-RELEASE is very nearly end of life, and I'm not much interested in fixing the port to work on 6.0-RELEASE. If you tell me that you can't get the port working on 6.0-RELEASE, I may set up a virtual 6.0-RELEASE machine and try FreeRADIUS quickly with a configuration that I know works. However, if there's a problem for which there's not an obvious fix, I'll just mark the port as broken on 6.0-RELEASE.

As the FreeBSD Porter's Handbook says, in section 5.2.2:

    FreeBSD only guarantees that the Ports Collection works on the -STABLE branches. You should be running 5-STABLE or 6-STABLE, preferably the latter. In theory, you should be able to get by with running the latest release of each stable branch (since the ABIs are not supposed to change) but if you can run the branch, that is even better.

Considering that -STABLE is not recommended for production machines (it means stable ABI, not that the operating system you'll get by downloading -STABLE is necessarily stable), I'd upgrade to 6.2-RELEASE if you need to upgrade.

Another thing that I suggest you consider is building the OpenSSL port and rebuilding FreeRADIUS (portupgrade -f net/freeradius or similar) - especially if you're going to use any part of FreeRADIUS that uses OpenSSL, such as EAP. The FreeBSD FreeRADIUS port uses the OpenSSL port if it's installed in preference to the base system's OpenSSL.

Indeed, I suggest you build the OpenSSL port if you're going to use any software that uses OpenSSL, because the OpenSSL version in the base system is somewhat out of date and this won't change until FreeBSD 7.0 (7.0-CURRENT has OpenSSL 0.9.8d in the base system).

Before building the OpenSSL port, you may want to add the line:

    USE_OPENSSL_BETA=yes

to /etc/make.conf to make the ports system build OpenSSL 0.9.8d rather than OpenSSL 0.9.7l - I don't see what's so beta about the 0.9.8 branch of OpenSSL these days.

In summary, my suggested way ahead if you haven't already got this working is:

Upgrade the FreeRADIUS port to 1.1.4_1 and build FreeRADIUS.

Build a simple configuration starting from the 1.1.4 sample configuration, and test FreeRADIUS.

If you're still having problems, especially if you're attempting to use any part of FreeRADIUS that relies on OpenSSL such as EAP, build the OpenSSL port and rebuild FreeRADIUS. Consider doing this anyway.

If you're still having problems, upgrade the operating system (I suggest to 6.2-RELEASE). Consider doing this anyway in the light of the upcoming end of life of 6.0-RELEASE.

I have the FreeBSD FreeRADIUS port 1.1.4_1 working on 6.2-RELEASE i386 with OpenSSL 0.9.8d installed via the OpenSSL port.

Best wishes,

David
-- 
David Wood
[EMAIL PROTECTED]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
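
The .sample copy step and the certificate warning in the message above, as an added example that is not part of the original message or of the port: it copies each NAME.sample to NAME only where NAME does not yet exist, and flags an eap.conf whose active settings still point into the shipped certs/ directory. The function names, the scratch directory and the sample file contents are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example; function names and demo data are assumptions, not from the port.

# Copy every NAME.sample in $1 to NAME unless NAME already exists,
# so a hand-edited file is never overwritten. Prints each file created.
activate_samples() {
    dir=$1
    for sample in "$dir"/*.sample; do
        [ -f "$sample" ] || continue        # glob matched nothing
        target=${sample%.sample}
        if [ -e "$target" ]; then
            continue                        # keep the local configuration
        fi
        cp -p "$sample" "$target" && echo "${target##*/}"
    done
}

# Succeed (exit 0) if the eap.conf given as $1 still has an active
# (non-comment) setting pointing into the shipped certs/ directory.
# A path under mycerts/ does not match the pattern.
eap_uses_shipped_certs() {
    grep -v '^[[:space:]]*#' "$1" | grep -q '/certs/'
}

# Constructed demo in a scratch directory standing in for raddb.
demo() {
    raddb=$(mktemp -d) || return 1
    printf 'port = 0\n' > "$raddb/radiusd.conf.sample"
    printf 'port = 1812\n' > "$raddb/radiusd.conf"      # hand-edited file
    # Constructed eap.conf line; the file name is a placeholder.
    printf 'certificate_file = ${raddbdir}/certs/example.pem\n' \
        > "$raddb/eap.conf.sample"
    activate_samples "$raddb"
    if eap_uses_shipped_certs "$raddb/eap.conf"; then
        echo "eap.conf still points at shipped certificates"
    fi
    rm -rf "$raddb"
}
demo
```

On a real system the directory argument would be /usr/local/etc/raddb, or the equivalent under a non-default PREFIX.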

