Hi Olivier,

Thanks for your response. Since we are primarily trying to get the wireless portion of Packetfence working, I'll hold off on the Nessus and Snort for the time being.

From what I'm told, yes, we are trying to get the 802.1x authentication working, so yes, the freeradius needs to be set up and configured. I'm not very well versed in freeradius, but I did some research against the error messages that I was getting and fixed that problem by uncommenting the tls section of /etc/raddb/eap.conf, and here is what I'm getting now.

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/etc/raddb/certs/dh"
 tls: random_file = "/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize type tls
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1945] Unknown module "eap".
radiusd.conf[1892] Failed to parse authenticate section.

Again, I'm not very familiar with freeradius, but it looks like I've got something that needs fixing with the certificates? Please advise...

Ubence Quevedo
Technology Support Specialist
Information Systems, Business Services
Merced County Office of Education
632 West 13th Street
Merced, CA 95341
Voice - [209] 381-5950
Fax - [209] 385-8465
e-Mail - [email protected]

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, September 20, 2010 11:26 AM
To: Ubence Quevedo
Subject: Re: [Packetfence-users] Packetfence ZEN 1.9.0 Setup Questions [freeradius/Snort/Nessus]

Hi Ubence,

Ubence Quevedo wrote:
> Hi All,
>
> We have somewhat gotten the Packetfence ZEN 1.9.0 to work with wired
> connections, but we are having some issues getting freeradius configured
> to be usable for wireless connections.
>
> From the PF Admin manual [specifically Chapter 5], we've put all of the
> configuration information in place for freeradius, however the service
> fails to start.
>
> Here is the output from running radiusd -X:
> [...]
> rlm_eap: No such sub-type for default EAP type peap
> radiusd.conf[10]: eap: Module instantiation failed.
> radiusd.conf[1945] Unknown module "eap".
> radiusd.conf[1892] Failed to parse authenticate section.
>
> Is there something we are missing in our radius config in order for it
> to work properly?

Chapter 5 is split into two sections: MAC Authentication (open wi-fi) and 802.1x (WPA Enterprise). Have you followed the appropriate section? EAP is only required for 802.1X.
If you don't plan to use it, comment the module out of the authenticate and authorize sections of radiusd.conf.

> Also, both Snort and Nessus look to be non-free products. Do we need to
> purchase the full versions of both softwares in order to get full
> functionality out of both?

Adding to what Joel already replied: Snort is free and open source. Nessus *was* free and open source but hasn't been for a long time. You can use Snort in a commercial environment without paying as long as you don't use their proprietary rules. The PacketFence installer fetches rules from Emerging Threats [1] because of this.

For Nessus, you need to pay to use it in a corporate setting. We would be interested in being sponsored to port this functionality to another open source tool (nmap or OpenVAS?).

> I ask because when I try to get Snort
> working, the service fails to start properly even when I reference the
> oinkmaster config that is included in PF.

It might be missing some rules that are expected to be in place. Can you send us the exact error message (from /var/log/messages)?

> When we tried to get Nessus
> scanning working, it just seemed to hang on the initial client
> registration portal.

Nessus configuration is hard to get right on the first try. To troubleshoot it, the best approach is to request a scan by hand on the CLI:

/usr/local/pf/bin/pfcmd schedule now <ip>

where <ip> is the valid IP of a node in the registration VLAN. Then look at either the console output or /usr/local/pf/logs/packetfence.log.

Do not hesitate to ask further questions.

Have a nice day!

[1] http://www.emergingthreats.net/

--
Olivier Bilodeau
[email protected] :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
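A diagnostic for the "fopen: Permission denied" error in the radiusd -X output above, added here as an example and not code from this thread, PacketFence or FreeRADIUS: it checks whether the radiusd user (the "main: user" line) can read each file named in the "tls:" section, including the search (x) bit on every parent directory, which is what an ls -l on the file alone does not show. The user name and paths are assumed from the debug output; run it as root on the PacketFence host so every file can be stat()ed.

```python
import grp, os, pwd, stat

# User name and file paths as printed by radiusd -X in the thread above.
RADIUS_USER = "radiusd"
EAP_TLS_FILES = ["/etc/raddb/certs/cert-srv.pem", "/etc/raddb/certs/demoCA/cacert.pem",
                 "/etc/raddb/certs/dh", "/etc/raddb/certs/random"]

def user_ids(name):
    """Resolve a user name to (uid, set of gids incl. supplementary groups)."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids

def has_bit(path, uid, gids, user_bit, group_bit, other_bit):
    """Mimic the kernel DAC check: root passes; else exactly one class applies."""
    if uid == 0:
        return True
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)

def user_can_read(path, uid, gids):
    return has_bit(path, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)

def first_blocking_dir(path, uid, gids):
    """Nearest ancestor directory the user cannot search (no x bit), or None."""
    d = os.path.dirname(os.path.abspath(path))
    while True:
        if not has_bit(d, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return d
        parent = os.path.dirname(d)
        if parent == d:  # reached the filesystem root
            return None
        d = parent

def diagnose(path, uid, gids):
    """Explain why fopen() as this user would fail on path, or return 'ok'."""
    if not os.path.exists(path):
        return "missing"
    blocked = first_blocking_dir(path, uid, gids)
    if blocked:
        return "no search (x) permission on directory " + blocked
    if not user_can_read(path, uid, gids):
        return "no read permission on file"
    return "ok"

if __name__ == "__main__":
    uid, gids = user_ids(RADIUS_USER)
    for f in EAP_TLS_FILES:
        print("%-40s %s" % (f, diagnose(f, uid, gids)))
```

A "missing" result for the demoCA or dh files points at certificate generation rather than permissions; the other two results are fixed with chown/chmod on the reported path.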
