We are currently using our RADIUS server to do one thing. It is authenticating wireless users via MAC address through access points. Very clean, very simple. We would like to increase the security a bit by having the users authenticate against eDirectory as well. If a user tries to get on the network, his MAC is passed to the RADIUS server. If the MAC is validated, the request is passed to the Novell server, the user is asked to enter his password, and then he is allowed in. I have set up my config files according to several eDirectory/FreeRADIUS FAQ articles that I have found, but I am still having a few issues.

1: I am never asked for a password
2: rlm_ldap: When I attempt to get access, I get an error message "could not start TLS Operations error"


Below are some clips from my configurations as well as the access messages as I receive them:

ACCESS ATTEMPT:

rad_recv: Access-Request packet from host 172.16.14.23:1812, id=1, length=73
        User-Password = "xxxxxx"
        User-Name = "0016cb-b64f93"
        NAS-Identifier = "172.16.14.23"
        NAS-IP-Address = 172.16.14.23
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/usr/local/var/log/radius/radacct/172.16.14.23/auth-detail-20071011'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/172.16.14.23/auth-detail-20071011
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "0016cb-b64f93", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 153
    users: Matched entry 0016cb-b64f93 at line 222
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0016cb-b64f93
radius_xlat:  '(uid=0016cb-b64f93)'
radius_xlat:  'o=dist-155'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 172.16.13.10:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/cacert.pem
rlm_ldap: setting TLS CACert Directory to /usr/local/etc/raddb/certs/
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Operations error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns fail for request 0
modcall: leaving group authorize (returns fail) for request 0
Finished request 0
Going to the next request


RADIUSD.CONF

# MODULE CONFIGURATION
#
modules {
        #
        pap {
                encryption_scheme = crypt
                auto_header = yes
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        unix {
                cache = no
                cache_reload = 600
                #       passwd = /etc/passwd
                #       shadow = /etc/shadow
                #       group = /etc/group
                radwtmp = ${logdir}/radwtmp
        }
$INCLUDE ${confdir}/eap.conf
        mschap {
                #use_mppe = no
                #require_encryption = yes
                #require_strong = yes
                #with_ntdomain_hack = no
                #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        }
        ldap {
                server = 172.16.13.10
                identity = "cn=ProxyUser,ou=District,o=dist-155"
                password = "xxxxxx"
                basedn = "o=dist-155"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                base_filter = "(objectclass=radiusprofile)"
                start_tls = yes
                tls_mode = yes
                port = 636
                tls_cacertfile  = /usr/local/etc/raddb/certs/cacert.pem
                tls_cacertdir           = /usr/local/etc/raddb/certs/
                # tls_certfile          = /usr/local/etc/raddb/certs/radius.crt
                # tls_keyfile           = /usr/local/etc/raddb/certs/radius.key
                # tls_randfile          = /path/to/rnd
                tls_require_cert        = "demand"
                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
                # profile_attribute = "radiusProfileDn"
                access_attr = "dialupAccess"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 10
                # Set:
                        password_attribute = nspmPassword
                # password_attribute = userPassword
                edir_account_policy_check=yes
                # groupname_attribute = cn
                # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
                # groupmembership_attribute = radiusGroupName
                timeout = 4
                timelimit = 3
                net_timeout = 1
                # compare_check_items = yes
                # do_xlat = yes
                # access_attr_used_for_allow = yes
                # set_auth_type = yes
        }

EAP.CONF

        eap {
                default_eap_type = peap
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no

                # Supported EAP-types

                md5 {
                }
                leap {
                }
                gtc {
                        auth_type = PAP
                }

                ## EAP-TLS
                tls {
                        private_key_password = ch$d!s$
                        private_key_file = ${raddbdir}/certs/cert-key.pem
                        certificate_file = ${raddbdir}/certs/cert-srv.pem
                        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                        dh_file = ${raddbdir}/certs/dh
                        random_file = ${raddbdir}/certs/random
                        fragment_size = 1024
                        include_length = yes
                #       check_crl = yes
                #       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
                #       check_cert_cn = %{User-Name}
                #       cipher_list = "DEFAULT"
                }
                ttls {
                        default_eap_type = md5
                        copy_request_to_tunnel = yes
                        use_tunneled_reply = yes
                }
                 peap {
                        default_eap_type = mschapv2
                #       copy_request_to_tunnel = no
                #       use_tunneled_reply = no
                #       proxy_tunneled_request_as_eap = yes
                }
                mschapv2 {
                }
        }

USERS

#Dist - Lachel
"0016cb-b64f93" Auth-Type := Local, User-Password == "xxxxxx"


I am using FreeRADIUS 1.1.7 on an OS X 10.4.10 Server machine. My Access Points are currently Apple Airports, but we will be replacing those with Cisco 1131s.

Any help at getting this going would be greatly appreciated.

Thanks


Brad Lachel
Community High School District #155
[EMAIL PROTECTED]
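As an added example, not from the post above or from the FreeRADIUS project: a small checker that parses an rlm_ldap block like the one posted and flags the TLS settings the debug output shows failing together, since start_tls = yes asks for the StartTLS extended operation (meant for the plain LDAP port) while port 636 with tls_mode = yes already negotiates TLS at connect, and a server that is already in TLS answers StartTLS with an operations error. The sample block is a constructed excerpt of the post's own ldap {} section; the tls_require_cert check is an added assumption about what "demand" needs, not something the post reports.

```python
import re

# Constructed sample: an excerpt of the ldap {} block from the post above.
SAMPLE_LDAP_BLOCK = """
ldap {
        server = 172.16.13.10
        start_tls = yes
        tls_mode = yes
        port = 636
        tls_cacertfile  = /usr/local/etc/raddb/certs/cacert.pem
        tls_require_cert        = "demand"
}
"""

_KV = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")

def parse_block(text):
    """Collect the uncommented `key = value` lines of a radiusd.conf block."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out setting, not in effect
        m = _KV.match(line.split("#", 1)[0])  # drop a trailing comment
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings

def _on(value):
    return value.strip().lower() in ("yes", "on", "1", "true")

def lint_ldap_tls(settings):
    """Return FreeRADIUS 1.x rlm_ldap TLS settings that cannot work together."""
    findings = []
    port = int(settings.get("port", "389"))
    start_tls = _on(settings.get("start_tls", "no"))
    tls_mode = _on(settings.get("tls_mode", "no"))
    if start_tls and tls_mode:
        findings.append("start_tls and tls_mode both on: use StartTLS on 389 "
                        "or tls_mode (ldaps) on 636, not both")
    if start_tls and port == 636:
        findings.append("start_tls on port 636: StartTLS is for the plain LDAP "
                        "port; a session already in TLS gets operationsError")
    if tls_mode and port == 389:
        findings.append("tls_mode on port 389: ldaps-style TLS belongs on 636")
    has_ca = settings.get("tls_cacertfile") or settings.get("tls_cacertdir")
    if settings.get("tls_require_cert") == "demand" and not has_ca:
        findings.append("tls_require_cert = demand without a CA file/dir: "
                        "every server certificate will be rejected")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_ldap_tls(parse_block(SAMPLE_LDAP_BLOCK))))
```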