For the List, i ill publish my config Files. They work for 802.1x TTLS with Alfa & Ariss Client. They tested with a CISCO 2950 and a Windows XP Laptop patched up2date. The error before was the AcessPoint, he didn't work with TTLS :-(
The following Configs provided below:
1) freeradius: radiusd.conf 2) freeradius: users
Note that you have to write your client to the clients.conf!
At last, i have set up TTLS and used a RADIATOR evaluation to proxy the requests to my freeradius. It's pity that freeradius doesn't provide proxying for TTLS, but i will wait and hope these feature get included.
Is not relevant here but it could be interresting for someone:
3) radiator: radius.cfg
4) radiator: users (was used to test the local authenticate first, for proxying not needed)
Unrelevant comments was deleted to save space.
Great thanks to the List, i hope i can help some people who have to setup radius servers.
Regards, Christian
############### 1) freeradius: radiusd.conf ###############
prefix = /usr/local/radius
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkradsecurity {
max_attributes = 200
reject_delay = 1
status_server = no
}proxy_requests = no
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.confthread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
eap {
default_eap_type = tls
timer_expire = 60
ignore_unknown_eap_types = no
leap {
}
tls {
private_key_password = password
private_key_file = /etc/1x/Radius.pem
certificate_file = /etc/1x/Radius.pem
CA_file = /etc/1x/root.pem
dh_file = /etc/1x/DH
random_file = /etc/1x/random
fragment_size = 1024
include_length = yes
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
}
mschapv2 {
}
}
mschap {
authtype = MS-CHAP
}
ldap {
server = "ldap.your.domain"
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
realm IPASS {
format = prefix
delimiter = "/"
}
realm suffix {
format = suffix
delimiter = "@"
}
realm realmpercent {
format = suffix
delimiter = "%"
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
$INCLUDE ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
}
}
instantiate {
exec
expr
}authorize {
preprocess
chap
mschap
suffix
eap
files
}authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap
}preacct {
preprocess
suffix
files
}accounting {
acct_unique
detail
unix
radutmp
}session {
radutmp
}post-auth {
}pre-proxy {
}post-proxy {
eap
}############### END 1) freeradius: radiusd.conf ###############
############### 2) freeradius: users ###############
tester2 User-Password == "test"
DEFAULT Auth-Type = System
Fall-Through = 1DEFAULT Service-Type == Framed-User
Framed-IP-Address = 255.255.255.254,
Framed-MTU = 576,
Service-Type = Framed-User,
Fall-Through = YesDEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IPDEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IPDEFAULT Hint == "SLIP"
Framed-Protocol = SLIP############### END 2) freeradius: users ###############
############### 3) radiator: radius.cfg ###############
LogDir /var/log/radius DbDir /etc/radiator Trace 4
AuthPort 1645 AcctPort 1646
<Client DEFAULT> Secret testing123 </Client>
# Proxy request to proxy
<Handler TunnelledByTTLS=1>
<AuthBy RADIUS>
Host 192.168.113.12
Secret proxy_secret
AuthPort 1812
Retries 1
Synchronous
</AuthBy RADIUS>
</Handler># TTLS, Lookup local users in file
<Handler DEFAULT>
RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
<AuthBy FILE>
Filename %D/users
EAPType TTLS
EAPTLS_CAFile /etc/1x/root.pem
EAPTLS_CertificateFile /etc/1x/Radius.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /etc/1x/Radius.pem
EAPTLS_PrivateKeyPassword password
EAPTLS_MaxFragmentSize 1024
AutoMPPEKeys
</AuthBy>
</Handler>############### END 3) radiator: radius.cfg ###############
############### 4) radiator: users ###############
tester User-Password=test
############### END 4) radiator: users ###############
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
