I have to sincerely apologize for the 0.00 one I put out here. I was eager to try to help out those of you attempting to use eDirectory.
The new version is MUCH more mature and has fewer spelling errors. I don't claim to be a FreeRADIUS expert, so please don't hesitate to point out glaring errors in this document. I also don't want anyone to think that this document is a replacement for Novell's VERY GOOD documentation on FreeRADIUS. CNEs should have no trouble following their documentation. Enjoy and PLEASE send me any comments. I don't like being the only name on this document. You can get a copy of this document in OpenOffice format from me as well. Just send me an email.

<begin

eDirectory & FreeRadius HowTO
Dennis Comeaux
Version 0.03

(Butchering of this Document is welcomed.)
(This document is NOT a replacement for Novell's documentation.)

1. Preamble

This document is a guide intended for administrators who already know what the OSI model is and who are familiar with networking but not very familiar with Linux. If you are completely new to Linux but not new to networking, take a look at www.linuxhomenetworking.com or your local bookstore for some excellent information on using Linux.

Command Syntax / configuration file format

Mandatory input will be enclosed in greater than and less than symbols. Optional input will be enclosed in brackets. Anything not in brackets or less than / greater than symbols should be typed in exactly as shown.
In cases where a bracket or a less than / greater than symbol needs to be entered literally, that symbol will be preceded by a \.

    command <mandatory input> [optional input] typeexactlyasshown

Note that all Linux commands are case sensitive.

Installing Software

If you find that you need additional software installed on your box to proceed, you can generally install RPMs with one of the following:

    rpm -i <rpm package>
    rpm -U <rpm package>

Most packages work with the -i option. The -U option is sometimes necessary to upgrade a package.

If the software that you are trying to install is in source code format, then use the following procedure:

    tar -zxf <program.tar.gz>
    cd <extracted program's folder>
    ./configure
    make
    make install

When this document makes reference to installing software, please follow the above procedure unless otherwise noted.

Acknowledgments

My thanks to Jim Whitt for his expertise in editing this document and pointing out utter stupidity in the way that I tend to write. Eternal thanks to Dalbert Varnell for getting me off of the loading docks of a smiley-faced store and giving me the opportunity to work on computer networks. Deep gratitude to Novell for their products and support. Many, many thanks to the developers who worked on integrating eDirectory and FreeRADIUS. My 2 favorite things in the world are now blended. This is just as wonderful as the invention of peanut butter and chocolate.

2. Introduction

FreeRADIUS is used worldwide in production environments for RADIUS authentication services. FreeRADIUS is EXTREMELY scalable to large environments. Until recently, FreeRADIUS was only able to authorize users with eDirectory via an attempted bind and LDAP queries. Newly released code has been added to FreeRADIUS 1.0.2 to allow for queries against eDirectory where the password of the user in eDirectory is compared with the password contained in the RADIUS authentication request.
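The Introduction says the server compares the password carried in the RADIUS request with the one it reads from eDirectory, and the NAS leg of that exchange is protected only by the shared secret from clients.conf. The following is an added example, not code from this HowTo or from FreeRADIUS: a minimal RFC 2865 Access-Request / Access-Accept round trip in Python, using PAP (what radtest sends) rather than the MS-CHAPv2 the HowTo's model describes. It shows what the shared secret actually does on the wire: it hides the User-Password attribute with an MD5 chain keyed by the secret and the per-request Request Authenticator, and it authenticates the server's reply through the Response Authenticator. The secret, the user name, the stand-in "directory" dictionary and the NAS address 192.0.2.10 are constructed sample values.

```python
"""Minimal RFC 2865 Access-Request / reply exchange (PAP).  Added example,
not code from the HowTo or from FreeRADIUS.  The shared secret plays the
role of the clients.conf secret: it hides User-Password on the way to the
server and authenticates the server's Access-Accept/Reject on the way back."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Constructed sample values (assumptions, not from the HowTo).
SECRET = b"constructed-shared-secret"
DIRECTORY = {b"dcomeaux": b"correct horse battery"}  # stands in for the nspmPassword read over LDAP


def hide_password(secret, req_auth, password):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out


def reveal_password(secret, req_auth, hidden):
    """Inverse of hide_password; the server does this before comparing."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")  # strip the padding (a password ending in NUL is not representable)


def attr(atype, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(data):
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return out


def build_access_request(secret, ident, username, password, nas_ip, req_auth=None):
    req_auth = req_auth or os.urandom(16)  # Request Authenticator: fresh random per request
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(secret, req_auth, password))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def response_authenticator(code, ident, attrs, req_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + req_auth + attrs + secret).digest()


def build_reply(code, ident, req_auth, secret, attrs=b""):
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + response_authenticator(code, ident, attrs, req_auth, secret) + attrs


def verify_reply(reply, req_auth, secret):
    """The NAS accepts a reply only if its authenticator proves knowledge of the secret."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], req_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])


def server_handle(request, secret):
    """What the RADIUS server does: unhide the password and compare it with the directory copy."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("malformed Access-Request")
    req_auth, attrs = request[4:20], parse_attributes(request[20:])
    given = reveal_password(secret, req_auth, attrs[USER_PASSWORD])
    stored = DIRECTORY.get(attrs.get(USER_NAME))
    ok = stored is not None and hmac.compare_digest(given, stored)
    return build_reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)


def nas_login(username, password, secret=SECRET):
    """Round trip from the NAS side; returns (reply code, reply authenticator valid)."""
    request = build_access_request(secret, 7, username, password, "192.0.2.10")
    reply = server_handle(request, secret)
    return reply[0], verify_reply(reply, request[4:20], secret)


if __name__ == "__main__":
    print(nas_login(b"dcomeaux", b"correct horse battery"))  # (2, True): Access-Accept
    print(nas_login(b"dcomeaux", b"wrong"))                  # (3, True): Access-Reject
```

Two points the code makes concrete: the password hiding is reversible by anyone holding the shared secret (it is obfuscation keyed by that secret, not encryption in its own right), which is why the secret in clients.conf deserves the same care as a password; and a reply whose authenticator was computed with a different secret fails verify_reply, which is how the NAS rejects forged Access-Accepts.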
Below is the model of how RADIUS works with eDirectory.

    [Laptop] ---request/reply--- [Network Access Server] ---forwarded RADIUS access request/reply--- [Linux Radius Server] ---RADIUS attributes, Password read--- [eDirectory]

This implementation of FreeRADIUS sends the user's password through the following steps:

1. The user's password is encrypted before being sent to the NAS with MS-CHAPv2.
2. The NAS connects to the FreeRADIUS server with cryptography supplied by a shared secret.
3. The FreeRADIUS server connects to eDirectory with EAP-TLS. This is an encrypted connection. eDirectory can refuse clear text connections on port 389. There is a common misconception that EAP-TLS uses LDAPS on port 636. EAP-TLS uses port 389, and the LDAP server (eDirectory) requires encryption for port 389 connections if the LDAP Group Object has the following option cleared: [ ] Require TLS for Simple binds with password.
4. The user's password is read from eDirectory by FreeRADIUS. This password is then compared with the password that FreeRADIUS received from the NAS.
5. If the user's password matches, then additional requirements (such as group membership or any LDAP attribute) are checked.
6. An authorization is sent to the NAS. This authorization is encrypted with the shared secret.
7. The password is NOT echoed into server logs unless password logging is enabled. Another option, if the password is needed, is to compile password logging into the eDirectory portion of RLM_LDAP. The classes required to echo logs are either inherited by the eDirectory classes or they are global functions.

If an existing NAS needs to be changed to authenticate and authorize via FreeRADIUS, then the NAS will have to change the IP address that it has configured for RADIUS and will need a new shared secret set up in the CLIENTS.CONF file. Additional configuration of the NAS will be minimal.

2. Software requirements and hardware requirements

Software you'll need:

1. ConsoleOne 1.36d.
2. FreeRADIUS 1.0.2.
3. Sun Java 1.5.0.01.
4. Cygwin's setup files (if installing from a Windows machine).
5. Novell's scrub utility for Linux (removes all Novell applications).
6. The RADIUS snap-in for iManager (available from forge.novell.com).
7. OpenSSL (version 0.9.7e has been tested with this procedure).
8. OpenLDAP (version 2.0.27-11 has been tested with this procedure).

OpenSSL and OpenLDAP can be installed with the standard installation options (./configure, make, and make install).

Documents that are helpful:

1. MonkeyNoodle.com's remote-X-cygwin HowTo.
2. Novell's FreeRADIUS integration guide (radadmin.pdf).

Files that you will spend time editing:

1. /usr/local/etc/raddb/radiusd.conf (the main radius configuration)
2. /usr/local/etc/raddb/users (a list of users who can use radius)
3. /usr/local/etc/raddb/clients.conf (a list of radius clients by IP)
4. /etc/init.d/* (a directory of startup scripts)

Useful Websites:

1. support.novell.com (for troubleshooting eDirectory)
2. www.rpmfind.net (for getting RPMs)
3. www.monkeynoodle.com (for good HowTos on Cygwin)
4. www.openssl.org (the OpenSSL product)
5. www.openldap.org (the OpenLDAP product)
6. www.ohse.de/uwe/software/lrzsz.html (lrzsz for file transfers)
7. www.chiark.greenend.org.uk/~sgtatham/putty/ (PuTTY telnet / ssh client)
8. www.vandykesoftware.com (for the commercial grade ssh / telnet client SecureCRT)
9. moin.conectiva.com.br/AptRpm (for the APT program)
10. www.novell.com/de-de/linux/suse/ (for YaST)
11. www.linuxhomenetworking.com (for VERY useful information on the networking side of running Linux)

Hardware Requirements

In addition to CPU requirements, you will need at least 512 MB of RAM to run Nterprise Services.

3. Installing Cygwin

You may skip this step if you are installing directly on the server, have another X server that you are using, or simply do not wish to use an X server. Cygwin is an X server that runs on Windows. Do not install the entire 500 MB of Cygwin.
Just install the defaults, except for X11, which should be changed to Install. If your server is configured not to boot to runlevel 5, it may have trouble connecting to the X server on your workstation. The telinit commands below will fix that problem if you don't want to boot to runlevel 5. If the procedure below does not work, you may want to try making all of the modifications indicated in MonkeyNoodle's Cygwin HowTo. The following procedure will work with a Gnome installation on RedHat. See MonkeyNoodle's documentation for other implementations.

1. Download and run Cygwin's setup.exe.
2. Accept defaults except for X11. Change X11 to Install.
3. Edit /etc/X11/gdm/gdm.conf, find [xdmcp] and change Enable=false to Enable=true.
4. Edit /etc/X11/xdm/Xaccess and uncomment the "any host can get a login window" line.
5. Restart X (CTRL+ALT+BACKSPACE, rebooting the server, or telinit 3 && telinit 5).
6. Run Cygwin and type in X -query <ip of the linux box>.

Other useful X options are X -broadcast (gets a list of nearby X clients), X -fullscreen, and X -help (gets a list of command line options).

4. Install the Red Carpet Daemon

The Red Carpet Daemon (RCD) must be present for a smooth install of eDirectory. Other management tools (apt, yast, et al.) can be used as well, but the RCD's presence is required by eDirectory. Download a version applicable to your distro. The file rcd-2.2.0-0.ximian.6.5.i386.rpm works with RedHat. Follow the steps in the preamble of this document for installing the RCD.

5. Configure NTP

If you are installing into an existing tree, you will need to make sure that your Linux box is using the same time sources as the eDirectory servers.
1. Edit /etc/ntp.conf and add these lines to the file:

    restrict <time server 1 IP> mask 255.255.255.255 nomodify notrap noquery
    restrict <time server 2 IP> mask 255.255.255.255 nomodify notrap noquery
    restrict <time server 3 IP> mask 255.255.255.255 nomodify notrap noquery
    server <time server 1>
    server <time server 2>
    server <time server 3>

   Note that each restrict line must be ONE line, i.e. it should start with the word restrict and end with the word noquery. Don't put a return after nomodify.
2. Make sure the NTPD runs at run level 3:

    chkconfig --level 35 ntpd on

3. You can reboot and run /etc/init.d/ntpd status to check on the status of NTP after a boot up.

Some useful ntpd commands can be found on the ntpd man pages (man ntpd). Using ntpq -p is useful for troubleshooting your NTP setup.

6. Install Java

This is fairly straightforward. Do not run rpm -e jre if you are currently running X. This may cause your X session to lock up. Use SecureCRT to remove the JRE if you need to.

1. Download jre-1_5_0_01-linux-i586.rpm and install it.
2. This is important for Java applications (including ConsoleOne); run:

    export JRE_HOME=/usr/java/jre1.5.0_01

3. Make the environment variable JRE_HOME permanent:
   1. Create a file in /etc/profile.d named JAVA.
   2. Run chmod +x /etc/profile.d/JAVA, then edit the JAVA file and put the export command above in the file.

7. Install eDirectory

Note that you MUST NOT HAVE CONSOLEONE INSTALLED when you run the eDirectory installation. Having ConsoleOne installed has caused some installs to hang on non-patched RedHat systems. You should remove ConsoleOne if you want to run the scrub script as well. To remove ConsoleOne, you will have to run the c1-uninstall script. To install ConsoleOne, you will need to run the c1-install script. These scripts are extracted from the ConsoleOne installation files with tar -zxf.

1. Mount the Nterprise CD.
   You can share the CD from your workstation and do:

    mount //<workstation IP>/<share> /mnt/cdrom

   If the CD is local, the mount command is:

    mount /dev/cdrom /mnt/cdrom

   If you're using an ISO:

    mount -o loop /<full path and filename of iso> /mnt/cdrom

2. Unload OpenLDAP or eDirectory to prevent problems installing. Run /etc/init.d/ldap stop.
3. cd to /mnt/cdrom and run ./install.sh.
4. Select install.
5. Change the selected packages to install to ONLY install Apache, Tomcat, the JVM, eDirectory, and iManager. Install ALL of the options for Linux User Management when prompted. These are options 1-4 and 11.
6. Enter the path to your nfk file when prompted.
7. Answer the remaining prompts and use default values for all ports.
8. Be patient. This install can take some time on slower systems.

Install ConsoleOne

After you have installed ConsoleOne, you can log in to trees on your network. If your tree doesn't show up in the available trees list, you can log in to that tree by specifying the IP address of a server within that tree in the tree field of the ConsoleOne login window. Note that the tar.gz file for ConsoleOne extracts its files to a directory named Linux.

1. Download c1_136d-linux.tar.gz to /usr/src.
2. cd to /usr/src and run tar -zxf ./c1_136d-linux.tar.gz.
3. cd into the Linux directory that is extracted.
4. Run ./c1-install and
   a. do NOT install the Java Runtime Environment that comes with this program.
   b. DO install all of the snap-ins.
5. Test ConsoleOne by running /usr/ConsoleOne/bin/ConsoleOne and logging into your eDirectory.

8. Install FreeRadius 1.0.2

This step is relatively easy provided that the compiler on your Linux box is functional. Note that if you have errors during this phase, you may need to look at ./configure --help to find the switches for SSL.

1. Download freeradius-1.0.2.tar.gz to /usr/src.
2. Run tar -zxf /usr/src/freeradius-1.0.2.tar.gz
3. cd into /usr/src/freeradius-1.0.2.
4. Run ./configure --with-edir
5. Run make
6.
Run make install

Debugging FreeRADIUS can be done by stopping FreeRADIUS (/etc/init.d/radiusd stop) and then running /usr/sbin/radiusd -X in a console window. One useful option for debugging is to run:

    radiusd -X \> <some file to log to>
    tail -f <some file to log to>

Note that the \> should be typed as > (see the preamble).

9. Configuring iManager and Extending the Schema

It is advisable to run iManager on the Linux box and NOT on your production iManager box. Installing the RADIUS snap-in on a production iManager box may cause your "Modify User" default task to be overwritten with a page of RADIUS attribute settings.

1. Download and save radius_npm.tar.gz to /usr/src (this file is available from forge.novell.com and is the plug-in for iManager).
2. cd to /usr/src.
3. Run tar -zxf radius_npm.tar.gz. This will extract radius_npm.
4. Open an HTTP browser to your Linux box.
5. Click on the iManager link and authenticate.
6. Click Configure, Install Module Package.
7. Browse to the npm (/usr/src/radius.npm) and click Install.
8. Restart your web server (or the box).
9. Open iManager (via the steps above).
10. Enable Universal Password (NMAS, Universal Password config). Enable it for the OU that you have your RADIUS users in. Click APPLY, not Done, when you set this.
11. Open ConsoleOne and disable "require TLS with simple bind" on the LDAP Group object.
12. Run the following commands:

    ldapmodify -D <admin DN, ie. cn=admin,o=something> -x -w <admin password> -f <full path to the addclassmap.ldif file from the radius snapin tar.gz file>
    ldapmodify -D <admin DN> -x -w <admin password> -f <path to RADIUS-LDAPv3.ldif>

   Note that the admin DN here uses the LDAP syntax (with commas) and not the NDS syntax (with periods).
14. Open ConsoleOne and ENABLE "require TLS with simple bind" on the LDAP Group object.
15. Log in to iManager and extend the RADIUS schema (Roles and Tasks, RADIUS, Extend Schema). This step may not be necessary if the ldapmodify commands were successful.
16. Exit your browser and then reopen iManager to change a user in the container you specified for Universal Password into a RADIUS user. Again, there should be NO errors.
17. Now you need to enable password administrators to read Universal Passwords. In iManager, under the eDirectory Administration role, Modify Object, open the Universal Password On policy from the password policies in the Security container, edit the nspmConfigurationOptions attribute and add 32 to the value shown.

10. Configuring FreeRADIUS

1. In ConsoleOne, extract the self-signed certificate (from the Security container, the CA object) to /usr/local/etc/raddb/certs/cacert.b64.
2. Make your radiusd.conf file's LDAP section look like what you see below.

    # Lightweight Directory Access Protocol (LDAP)
    #
    # This module definition allows you to use LDAP for
    # authorization and authentication (Auth-Type := LDAP)
    #
    # See doc/rlm_ldap for description of configuration options
    # and sample authorize{} and authenticate{} blocks
    ldap {
        server = "server.name.your.domain.com"
        identity = "cn=admin,o=something"
        password = adminpassword
        basedn = "ou=something,o=something"
        # The above line is where you will be searching for users
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 636) connections
        start_tls = yes

        tls_cacertfile = /usr/local/etc/raddb/certs/cacert.b64
        # tls_cacertdir = /path/to/ca/dir/
        # tls_certfile = /path/to/radius.crt
        # tls_keyfile = /path/to/radius.key
        # tls_randfile = /path/to/rnd
        tls_require_cert = "demand"

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        # access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5

        #
        # NOTICE: The password_header directive is NOT case insensitive
        #
        # password_header = "{clear}"
        #
        # The server can usually figure this out on its own, and pull
        # the correct User-Password or NT-Password from the database.
        #
        # Note that NT-Passwords MUST be stored as a 32-digit hex
        # string, and MUST start off with "0x", such as:
        #
        #   0x000102030405060708090a0b0c0d0e0f
        #
        # Without the leading "0x", NT-Passwords will not work.
        # This goes for NT-Passwords stored in SQL, too.
        #
        password_attribute = nspmPassword

        # groupname_attribute = cn
        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes
        edir_account_policy_check = yes
    }

   Please read Novell's eDirectory and FreeRADIUS Administration Guide for some vital information on why you should have edir_account_policy_check = yes turned on.

3. Modify the authorize { ... } portion of radiusd.conf. You want to add "ldap" before "files". Also, the authenticate { ... } portion should have ldap commented out.

    # Authorization. First preprocess (hints and huntgroups files),
    # then realms, and finally look in the "users" file.
    #
    # The order of the realm modules will determine the order that
    # we try to find a matching realm.
    #
    # Make *sure* that 'preprocess' comes before any realm if you
    # need to setup hints for the remote radius server
    authorize {
        #
        # The preprocess module takes care of sanitizing some bizarre
        # attributes in the request, and turning them into attributes
        # which are more standard.
        #
        # It takes care of processing the 'raddb/hints' and the
        # 'raddb/huntgroups' files.
        #
        # It also adds the %{Client-IP-Address} attribute to the request.
        preprocess

        #
        # If you want to have a log of authentication requests,
        # un-comment the following line, and the 'detail auth_log'
        # section, above.
        # auth_log

        # attr_filter

        #
        # The chap module will set 'Auth-Type := CHAP' if we are
        # handling a CHAP request and Auth-Type has not already been set
        chap

        #
        # If the users are logging in with an MS-CHAP-Challenge
        # attribute for authentication, the mschap module will find
        # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
        # to the request, which will cause the server to then use
        # the mschap module for authentication.
        mschap

        #
        # If you have a Cisco SIP server authenticating against
        # FreeRADIUS, uncomment the following line, and the 'digest'
        # line in the 'authenticate' section.
        # digest

        #
        # Look for IPASS style 'realm/', and if not found, look for
        # '@realm', and decide whether or not to proxy, based on
        # that.
        # IPASS

        #
        # If you are using multiple kinds of realms, you probably
        # want to set "ignore_null = yes" for all of them.
        # Otherwise, when the first style of realm doesn't match,
        # the other styles won't be checked.
        #
        suffix
        # ntdomain

        #
        # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
        # authentication.
        #
        # It also sets the EAP-Type attribute in the request
        # attribute list to the EAP type from the packet.
        eap

        #
        # Read the 'users' file
        # and enable ldap for edir
        ldap
        files

        #
        # Look in an SQL database. The schema of the database
        # is meant to mirror the "users" file.
        #
        # See "Authorization Queries" in sql.conf
        # sql

        #
        # If you are using /etc/smbpasswd, and are also doing
        # mschap authentication, then un-comment this line, and
        # configure the 'etc_smbpasswd' module, above.
        # etc_smbpasswd

        #
        # The ldap module will set Auth-Type to LDAP if it has not
        # already been set
        # ldap

        #
        # Enforce daily limits on time spent logged in.
        # daily

        #
        # Use the checkval module
        # checkval
    }

    # Authentication.
    #
    #
    # This section lists which modules are available for authentication.
    # Note that it does NOT mean 'try each module in order'. It means
    # that a module from the 'authorize' section adds a configuration
    # attribute 'Auth-Type := FOO'. That authentication type is then
    # used to pick the appropriate module from the list below.
    #
    # In general, you SHOULD NOT set the Auth-Type attribute. The server
    # will figure it out on its own, and will do the right thing. The
    # most common side effect of erroneously setting the Auth-Type
    # attribute is that one authentication method will work, but the
    # others will not.
    #
    # The common reasons to set the Auth-Type attribute by hand
    # are to either forcibly reject the user, or forcibly accept him.
    #
    authenticate {
        #
        # PAP authentication, when a back-end database listed
        # in the 'authorize' section supplies a password. The
        # password can be clear-text, or encrypted.
        Auth-Type PAP {
            pap
        }

        #
        # Most people want CHAP authentication
        # A back-end database listed in the 'authorize' section
        # MUST supply a CLEAR TEXT password. Encrypted passwords
        # won't work.
        Auth-Type CHAP {
            chap
        }

        #
        # MSCHAP authentication.
        Auth-Type MS-CHAP {
            mschap
        }

        #
        # If you have a Cisco SIP server authenticating against
        # FreeRADIUS, uncomment the following line, and the 'digest'
        # line in the 'authorize' section.
        # digest

        #
        # Pluggable Authentication Modules.
        # pam

        #
        # See 'man getpwent' for information on how the 'unix'
        # module checks the users password. Note that packets
        # containing CHAP-Password attributes CANNOT be authenticated
        # against /etc/passwd! See the FAQ for details.
        # unix

        # Uncomment it if you want to use ldap for authentication
        #
        # Note that this means "check plain-text password against
        # the ldap database", which means that EAP won't work,
        # as it does not supply a plain-text password.
        # Auth-Type LDAP {
        #     ldap
        # }

        #
        # Allow EAP authentication.
        eap
    }

4. Modify the post-auth { ... } section: include a Post-Auth-Type REJECT section and uncomment the ldap part:

    # Post-Authentication
    # Once we KNOW that the user has been authenticated, there are
    # additional steps we can take.
    post-auth {
        # Get an address from the IP Pool.
        # main_pool

        #
        # If you want to have a log of authentication replies,
        # un-comment the following line, and the 'detail reply_log'
        # section, above.
        # reply_log

        #
        # After authenticating the user, do another SQL query.
        #
        # See "Authentication Logging Queries" in sql.conf
        # sql

        #
        # Un-comment the following if you have set
        # 'edir_account_policy_check = yes' in the ldap module sub-section of
        # the 'modules' section.
        #
        ldap

        #
        # Access-Reject packets are sent through the REJECT sub-section of the
        # post-auth section.
        # Uncomment the following and set the module name to the ldap instance
        # name if you have set 'edir_account_policy_check = yes' in the ldap
        # module sub-section of the 'modules' section.
        #
        Post-Auth-Type REJECT {
            ldap
        }
    }

5. Edit /etc/raddb/clients.conf and add in your own client. Typically this is the switch you will be using. The format in this file is EXTREMELY self explanatory. It's basically this:

    client <client domain name or ip address> {
        secret = somesecretpasswordyouaresharingwiththeclient
        shortname = someshortnametoidentifytheclient
    }

6. Test the server:
   1. Run /usr/local/sbin/radiusd -X
   2. Run the radtest command or connect from an outside client. You should see the action on the radiusd screen.

11. Configuring EAP

EAP doesn't work right out of the box; it must be configured.

1. Enable EAP on the switch.
2. Download and install OpenSSL 0.9.7e or later (you may have already had to do this during the FreeRADIUS installation).
   a. After tar -zxf <gz file>
   b. ./config (note that this is NOT configure, which is more common)
   c. make
   d. make install
3. Edit /usr/src/freeradius-1.0.2/scripts/CA.cert.
   Fill it in with your information AND change the SSL line at the top to point to /usr/local/ssl.
4. Make a temporary directory and cd into it. Then run /usr/src/freeradius-1.0.2/scripts/CA.cert.
   a. You will get many files. We need to copy 2 of them. Copy root.pem to /usr/local/etc/raddb/certs/demoCA.
   b. Copy cert-srv.pem to /usr/local/etc/raddb/certs.
      i. Note that I had problems running FreeRADIUS when I didn't have this file in the certs directory.
5. Edit eap.conf. You need to change the default EAP type to peap, enable TLS, and enable the peap section. See below:

    eap {
        default_eap_type = peap
        ...
        tls {
            private_key_password = whatever
            private_key_file = ${raddbdir}/certs/cert-srv.pem

            # If Private key & Certificate are located in
            # the same file, then private_key_file &
            # certificate_file must contain the same file
            # name.
            certificate_file = ${raddbdir}/certs/cert-srv.pem

            # Trusted Root CA list
            CA_file = ${raddbdir}/certs/demoCA/cacert.pem

            dh_file = ${raddbdir}/certs/dh
            random_file = ${raddbdir}/certs/random

            #
            # This can never exceed the size of a RADIUS
            # packet (4096 bytes), and is preferably half
            # that, to accommodate other attributes in
            # RADIUS packet. On most APs the MAX packet
            # length is configured between 1500 - 1600
            # In these cases, fragment size should be
            # 1024 or less.
            # fragment_size = 1024

            # include_length is a flag which is
            # by default set to yes If set to
            # yes, Total Length of the message is
            # included in EVERY packet we send.
            # If set to no, Total Length of the
            # message is included ONLY in the
            # First packet of a fragment series.
            # include_length = yes

            # Check the Certificate Revocation List
            #
            # 1) Copy CA certificates and CRLs to same directory.
            # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
            #    'c_rehash' is OpenSSL's command.
            # 3) Add 'CA_path=<CA certs&CRLs directory>'
            #    to radiusd.conf's tls section.
            # 4) uncomment the line below.
            # 5) Restart radiusd
            # check_crl = yes

            #
            # If check_cert_cn is set, the value will
            # be xlat'ed and checked against the CN
            # in the client certificate. If the values
            # do not match, the certificate verification
            # will fail rejecting the user.
            #
            # check_cert_cn = %{User-Name}
        }
        ...
        peap {
            # The tunneled EAP session needs a default
            # EAP type which is separate from the one for
            # the non-tunneled EAP module. Inside of the
            # PEAP tunnel, we recommend using MS-CHAPv2,
            # as that is the default type supported by
            # Windows clients.
            default_eap_type = mschapv2
        }
    }

11. Epilogue

Look into hardening your FreeRADIUS installation and minimizing the rights that you have to grant to the RADIUS Administrator account. This information is freely available on the net and may be included in version 0.5 of this document. Contact the author at [EMAIL PROTECTED] to gripe or to point out glaring mistakes.

<end

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
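Following up the Epilogue's advice to harden the installation, here is an added example that is not part of the HowTo or of FreeRADIUS: a Python check over radiusd.conf and clients.conf fragments for the settings the "Configuring FreeRADIUS" section depends on. It contains a small reader for FreeRADIUS's brace-delimited config syntax (key = value lines, bare module names, and name [instance] { ... } sections, with # comments stripped outside quotes) and an audit that reports when start_tls is not yes, tls_require_cert is not demand, edir_account_policy_check is not yes, password_attribute is not nspmPassword, the bind password is a documentation placeholder, post-auth lacks the ldap call or the Post-Auth-Type REJECT { ldap } block, or a client's shared secret is a placeholder or under 16 characters. The thresholds and placeholder list are this example's own assumptions (testing123 is the secret in FreeRADIUS's shipped clients.conf for localhost; the others are the sample values from this document), and the two sample config pairs are constructed for the demonstration, not taken from a real server.

```python
"""Audit radiusd.conf / clients.conf fragments for the settings this HowTo relies on.
Added example, not part of the HowTo or of FreeRADIUS: a small reader of FreeRADIUS's
brace-delimited syntax (key = value, bare module names, name [instance] { ... }) plus
hardening checks that are this example's own assumptions, not rules enforced by radiusd."""


def new_section():
    # values: key = value settings; modules: bare module names; children: subsections by header
    return {"values": {}, "modules": [], "children": {}}


def _strip_comment(line):
    out, quoted = [], False
    for ch in line:
        quoted ^= ch == '"'
        if ch == "#" and not quoted:  # a '#' inside a quoted value is data, not a comment
            break
        out.append(ch)
    return "".join(out).strip()


def parse(text):
    root = new_section()
    stack = [root]
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith("{"):
            child = new_section()
            stack[-1]["children"][line[:-1].strip()] = child  # e.g. "Post-Auth-Type REJECT"
            stack.append(child)
        elif "=" in line:
            key, _, value = line.partition("=")
            stack[-1]["values"][key.strip()] = value.strip().strip('"')
        else:
            stack[-1]["modules"].append(line)
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root


# Secrets from documentation or shipped defaults (assumption: none of these belongs in production).
PLACEHOLDER_SECRETS = {"testing123", "adminpassword", "somesecretpasswordyouaresharingwiththeclient"}


def audit(radiusd_conf, clients_conf):
    """Return a list of findings; an empty list means every checked setting is in place."""
    findings, cfg = [], parse(radiusd_conf)
    v = cfg["children"].get("ldap", new_section())["values"]
    if v.get("start_tls", "no").lower() != "yes":
        findings.append("ldap: start_tls != yes, the bind and password read would cross the wire in clear text")
    if v.get("tls_require_cert", "").lower() != "demand":
        findings.append("ldap: tls_require_cert != demand, the eDirectory certificate is not verified")
    if v.get("edir_account_policy_check", "no").lower() != "yes":
        findings.append("ldap: edir_account_policy_check != yes, eDirectory account policy is not enforced")
    if v.get("password_attribute") != "nspmPassword":
        findings.append("ldap: password_attribute != nspmPassword, the Universal Password is not what gets read")
    if not v.get("password") or v["password"] in PLACEHOLDER_SECRETS:
        findings.append("ldap: identity password is empty or a documentation placeholder")
    post = cfg["children"].get("post-auth", new_section())
    if "ldap" not in post["modules"]:
        findings.append("post-auth: ldap not listed, required together with edir_account_policy_check = yes")
    if "ldap" not in post["children"].get("Post-Auth-Type REJECT", new_section())["modules"]:
        findings.append("post-auth: Post-Auth-Type REJECT { ldap } missing, rejected logins are not reported to eDirectory")
    for header, client in parse(clients_conf)["children"].items():
        secret = client["values"].get("secret", "")
        if header.startswith("client ") and (secret in PLACEHOLDER_SECRETS or len(secret) < 16):
            findings.append(header + ": shared secret is a placeholder or shorter than 16 characters")
    return findings


# Constructed sample fragments (not from a real server).  WEAK leaves what the HowTo
# tells you to change; HARDENED matches its "Configuring FreeRADIUS" section.
WEAK_RADIUSD = """
ldap {
    password = adminpassword
    start_tls = no
    tls_require_cert = "never"
    password_attribute = userPassword
}
"""
WEAK_CLIENTS = 'client 192.0.2.10 {\n    secret = testing123\n    shortname = switch1\n}\n'
HARDENED_RADIUSD = """
ldap {
    password = Xk7-constructed-example-only   # assumption: long, unique, not in any document
    start_tls = yes
    tls_require_cert = "demand"
    password_attribute = nspmPassword
    edir_account_policy_check = yes
}
post-auth {
    ldap
    Post-Auth-Type REJECT {
        ldap
    }
}
"""
HARDENED_CLIENTS = 'client 192.0.2.10 {\n    secret = constructed-random-secret-for-switch1\n    shortname = switch1\n}\n'
```

Run audit(WEAK_RADIUSD, WEAK_CLIENTS) to see all eight findings, and audit(HARDENED_RADIUSD, HARDENED_CLIENTS) to see an empty list. The parser is intentionally limited to the constructs used in this document (it does not handle $INCLUDE or backslash continuations), which is enough to re-check a live /usr/local/etc/raddb/radiusd.conf after each edit in section 10.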