Hi Ivan and world,

Well, I've read the documentation you mentioned and the files in sites-enabled. But there are some things that I don't understand fully, and I want to repeat what I have and what I want: I have a radius 2.0.2 working with EAP-TTLS; users' passwords are in an LDAP server. It is working well. Please bear in mind that passwords are encrypted in the LDAP server and I can't modify that (my boss doesn't want it!). So I need a "secondary" password in clear-text only for radius; because of this I've added to LDAP an attribute that looks like userPassword, called radiusPassword. Then, you suggested that I create a virtual server for peap. Sorry for the stupid questions, but I want to be sure... So, should I set virtual_server = "inner-tunnel" in eap.conf? The only things that will differ between the first virtual server and the second one are:

1) First server: use EAP-TTLS and use LDAP authentication as usual
2) Second server: use EAP-PEAP, and it should use radiusPassword instead of userPassword.

I'd want to avoid usage of "plain users" in the users file, but if there isn't an alternative, well, I will do that... I don't understand well how to apply these differences in the config files for virtual servers... Could you help me please?

Thanks in advance!!

2008/4/30 Ivan Kalik <[EMAIL PROTECTED]>:
> 1) Leave as it is.
>
> http://www.freeradius.org/features/virtual_servers.html
>
> 2) Create a virtual server for peap and send peap requests to it. In
> users file for that server enter:
>
> DEFAULT Cleartext-Password := whatever
>
> You don't need radiusPassword attribute at all.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 30/4/2008, "Sergio Belkin" <[EMAIL PROTECTED]> writes:
>
> >Hi,
> >
> >I've added a new attribute called "radiusPassword"; this is a clear-text
> >password exclusively for radius usage. I want that:
> >
> >1) All Linux, MAC OS X, and all Windows users that want to and can
> >install (or already have installed and configured) securew2 use their
> >usual encrypted userPassword. (EAP-TTLS)
> >2) All users that don't want to install securew2 (Windows users) and
> >want to use PEAP instead of TTLS use the radiusPassword as their password
> >for access to the wireless network.
> >
> >How can I do that? These are my current config files:
> >
> >----------
> >radiusd.conf
> >----------------
> >
> >prefix = /usr/local-2.0.2
> >exec_prefix = ${prefix}
> >sysconfdir = ${prefix}/etc
> >localstatedir = ${prefix}/var
> >sbindir = ${exec_prefix}/sbin
> >logdir = ${localstatedir}/log/radius
> >raddbdir = ${sysconfdir}/raddb
> >radacctdir = ${logdir}/radacct
> >confdir = ${raddbdir}
> >run_dir = ${localstatedir}/run/radiusd
> >db_dir = ${raddbdir}
> >libdir = ${exec_prefix}/lib
> >pidfile = ${run_dir}/radiusd.pid
> >user = radiusd
> >group = radiusd
> >max_request_time = 30
> >cleanup_delay = 5
> >max_requests = 1024
> >listen {
> >    type = auth
> >    ipaddr = 190.69.213.5
> >    port = 0
> >}
> >listen {
> >    ipaddr = 190.69.213.5
> >    port = 0
> >    type = acct
> >}
> >hostname_lookups = no
> >allow_core_dumps = no
> >regular_expressions = yes
> >extended_expressions = yes
> >log {
> >    destination = files
> >    file = ${logdir}/radius.log
> >    syslog_facility = daemon
> >    stripped_names = yes
> >    auth = yes
> >    auth_badpass = no
> >    auth_goodpass = no
> >}
> >checkrad = ${sbindir}/checkrad
> >security {
> >    max_attributes = 190
> >    reject_delay = 1
> >    status_server = yes
> >}
> >proxy_requests = no
> >$INCLUDE proxy.conf
> >$INCLUDE clients.conf
> >snmp = no
> >$INCLUDE snmp.conf
> >thread pool {
> >    start_servers = 5
> >    max_servers = 32
> >    min_spare_servers = 3
> >    max_spare_servers = 10
> >    max_requests_per_server = 0
> >}
> >modules {
> >    pap {
> >        auto_header = yes
> >    }
> >    chap {
> >        authtype = CHAP
> >    }
> >    pam {
> >        pam_auth = radiusd
> >    }
> >    unix {
> >        radwtmp = ${logdir}/radwtmp
> >    }
> >    $INCLUDE eap.conf
> >    mschap {
> >    }
> >    ldap {
> >        server = "ldap.cadorna.edu"
> >        identity = "cn=freeradius,ou=applications,dc=cadorna,dc=edu"
> >        port = 636
> >        password = doyouwantocrakforgetitdude
> >        basedn = "ou=people,dc=cadorna,dc=edu"
> >        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> >        ldap_connections_number = 5
> >        timeout = 4
> >        timelimit = 3
> >        net_timeout = 1
> >        tls {
> >            start_tls = no
> >            cacertfile = /etc/raddb-2.0.2/cacert.pem
> >            randfile = /dev/urandom
> >            require_cert = "allow"
> >        }
> >        access_attr = "radiusAllowed"
> >        dictionary_mapping = ${confdir}/ldap.attrmap
> >        edir_account_policy_check = no
> >    }
> >    realm IPASS {
> >        format = prefix
> >        delimiter = "/"
> >    }
> >    realm suffix {
> >        format = suffix
> >        delimiter = "@"
> >    }
> >    realm realmpercent {
> >        format = suffix
> >        delimiter = "%"
> >    }
> >    realm ntdomain {
> >        format = prefix
> >        delimiter = "\\"
> >    }
> >    checkval {
> >        item-name = Calling-Station-Id
> >        check-name = Calling-Station-Id
> >        data-type = string
> >    }
> >
> >    preprocess {
> >        huntgroups = ${confdir}/huntgroups
> >        hints = ${confdir}/hints
> >        with_ascend_hack = no
> >        ascend_channels_per_line = 23
> >        with_ntdomain_hack = no
> >        with_specialix_jetstream_hack = no
> >        with_cisco_vsa_hack = no
> >    }
> >    files {
> >        usersfile = ${confdir}/users
> >        acctusersfile = ${confdir}/acct_users
> >        preproxy_usersfile = ${confdir}/preproxy_users
> >        compat = no
> >    }
> >    detail {
> >        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> >        detailperm = 0600
> >        header = "%t"
> >        suppress {
> >            User-Password
> >        }
> >    }
> >    detail auth_log {
> >        detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
> >        suppress {
> >            User-Password
> >        }
> >    }
> >    acct_unique {
> >        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> >    }
> >    $INCLUDE sql.conf
> >
> >    radutmp {
> >        filename = ${logdir}/radutmp
> >        username = %{User-Name}
> >        case_sensitive = yes
> >        check_with_nas = yes
> >        perm = 0600
> >        callerid = "yes"
> >    }
> >    radutmp sradutmp {
> >        filename = ${logdir}/sradutmp
> >        perm = 0644
> >        callerid = "no"
> >    }
> >    attr_filter attr_filter.post-proxy {
> >        attrsfile = ${confdir}/attrs
> >    }
> >    attr_filter attr_filter.pre-proxy {
> >        attrsfile = ${confdir}/attrs.pre-proxy
> >    }
> >    attr_filter attr_filter.access_reject {
> >        key = %{User-Name}
> >        attrsfile = ${confdir}/attrs.access_reject
> >    }
> >    attr_filter attr_filter.accounting_response {
> >        key = %{User-Name}
> >        attrsfile = ${confdir}/attrs.accounting_response
> >    }
> >    counter daily {
> >        filename = ${db_dir}/db.daily
> >        key = User-Name
> >        count-attribute = Acct-Session-Time
> >        reset = daily
> >        counter-name = Daily-Session-Time
> >        check-name = Max-Daily-Session
> >        reply-name = Session-Timeout
> >        allowed-servicetype = Framed-User
> >        cache-size = 5000
> >    }
> >    $INCLUDE sql/mysql/counter.conf
> >    always fail {
> >        rcode = fail
> >    }
> >    always reject {
> >        rcode = reject
> >    }
> >    always noop {
> >        rcode = noop
> >    }
> >    always handled {
> >        rcode = handled
> >    }
> >    always updated {
> >        rcode = updated
> >    }
> >    always notfound {
> >        rcode = notfound
> >    }
> >    always ok {
> >        rcode = ok
> >        simulcount = 0
> >        mpp = no
> >    }
> >    expr {
> >    }
> >    digest {
> >    }
> >    expiration {
> >        reply-message = "Password Has Expired\r\n"
> >    }
> >    logintime {
> >        reply-message = "You are calling outside your allowed timespan\r\n"
> >        minimum-timeout = 60
> >    }
> >    exec {
> >        wait = yes
> >        input_pairs = request
> >        shell_escape = yes
> >        output = none
> >    }
> >    exec echo {
> >        wait = yes
> >        program = "/bin/echo %{User-Name}"
> >        input_pairs = request
> >        output_pairs = reply
> >        shell_escape = yes
> >    }
> >    ippool main_pool {
> >        range-start = 192.168.1.1
> >        range-stop = 192.168.3.254
> >        netmask = 255.255.255.0
> >        cache-size = 800
> >        session-db = ${db_dir}/db.ippool
> >        ip-index = ${db_dir}/db.ipindex
> >        override = no
> >        maximum-timeout = 0
> >    }
> >    policy {
> >        filename = ${confdir}/policy.txt
> >    }
> >}
> >instantiate {
> >    exec
> >    expr
> >    expiration
> >    logintime
> >}
> >$INCLUDE policy.conf
> >$INCLUDE sites-enabled/
> >
> >EOF
> >
> >--------------
> >eap.conf
> >----------------
> >eap {
> >    default_eap_type = peap
> >    timer_expire = 60
> >    ignore_unknown_eap_types = no
> >    cisco_accounting_username_bug = no
> >    md5 {
> >    }
> >    leap {
> >    }
> >    gtc {
> >        auth_type = PAP
> >    }
> >    tls {
> >        private_key_file = /etc/pki/tls/certs/ips-spectrum-key.pem
> >        certificate_file = /etc/pki/tls/certs/ips-spectrum-crt.pem
> >        CA_file = /etc/pki/tls/certs/ips-ca-bundle.crt
> >        dh_file = ${raddbdir}/certs/dh
> >        random_file = ${raddbdir}/certs/random
> >        cipher_list = "DEFAULT"
> >    }
> >    ttls {
> >        default_eap_type = md5
> >        copy_request_to_tunnel = no
> >        use_tunneled_reply = yes
> >    }
> >    peap {
> >        default_eap_type = mschapv2
> >        copy_request_to_tunnel = no
> >        use_tunneled_reply = no
> >    }
> >    mschapv2 {
> >    }
> >}
> >EOF
> >
> >-------------------
> >ldap.attrmap
> >-------------------
> >checkItem $GENERIC$ radiusCheckItem
> >replyItem $GENERIC$ radiusReplyItem
> >checkItem Cleartext-Password clrtxtPassword
> >checkItem User-Password userPassword
> >replyItem Tunnel-Type radiusTunnelType
> >replyItem Tunnel-Medium-Type radiusTunnelMediumType
> >replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
> >checkItem Auth-Type radiusAuthType
> >checkItem Simultaneous-Use radiusSimultaneousUse
> >checkItem Called-Station-Id radiusCalledStationId
> >checkItem Calling-Station-Id radiusCallingStationId
> >checkItem LM-Password lmPassword
> >checkItem NT-Password ntPassword
> >checkItem LM-Password sambaLmPassword
> >checkItem NT-Password sambaNtPassword
> >checkItem SMB-Account-CTRL-TEXT acctFlags
> >checkItem Expiration radiusExpiration
> >checkItem NAS-IP-Address radiusNASIpAddress
> >replyItem Service-Type radiusServiceType
> >replyItem Framed-Protocol radiusFramedProtocol
> >replyItem Framed-IP-Address radiusFramedIPAddress
> >replyItem Framed-IP-Netmask radiusFramedIPNetmask
> >replyItem Framed-Route radiusFramedRoute
> >replyItem Framed-Routing radiusFramedRouting
> >replyItem Filter-Id radiusFilterId
> >replyItem Framed-MTU radiusFramedMTU
> >replyItem Framed-Compression radiusFramedCompression
> >replyItem Login-IP-Host radiusLoginIPHost
> >replyItem Login-Service radiusLoginService
> >replyItem Login-TCP-Port radiusLoginTCPPort
> >replyItem Callback-Number radiusCallbackNumber
> >replyItem Callback-Id radiusCallbackId
> >replyItem Framed-IPX-Network radiusFramedIPXNetwork
> >replyItem Class radiusClass
> >replyItem Session-Timeout radiusSessionTimeout
> >replyItem Idle-Timeout radiusIdleTimeout
> >replyItem Termination-Action radiusTerminationAction
> >replyItem Login-LAT-Service radiusLoginLATService
> >replyItem Login-LAT-Node radiusLoginLATNode
> >replyItem Login-LAT-Group radiusLoginLATGroup
> >replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink
> >replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork
> >replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone
> >replyItem Port-Limit radiusPortLimit
> >replyItem Login-LAT-Port radiusLoginLATPort
> >replyItem Reply-Message radiusReplyMessage
> >
> >EOF
> >
> >Thanks in advance!!
> >
> >--
> >Open Kairos http://www.openkairos.com
> >Watch More TV http://sebelk.blogspot.com
> >Sergio Belkin
> >-
> >List info/subscribe/unsubscribe? See
> >http://www.freeradius.org/list/users.html
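As an added example (not part of the thread, and not configuration that Ivan or Sergio posted), here is one way to wire up in FreeRADIUS 2.0.x what the question describes: TTLS keeps using the stock inner-tunnel server and the existing ldap module, while PEAP requests are sent to their own inner virtual server. That server uses a second ldap module instance whose attribute map pulls Cleartext-Password from the radiusPassword attribute, so the hashed userPassword is never touched and no shared DEFAULT entry is needed in the users file (Ivan's DEFAULT line is the users-file alternative to the ldap-peap instance shown here). The file name sites-enabled/peap-inner, the instance name ldap-peap, the map file ldap-peap.attrmap and the bind-password placeholder are names assumed for this example; everything else reuses values from the posted configuration.

```conf
# --- eap.conf (assumed edit): TTLS stays on inner-tunnel, PEAP goes to its own server.
# Only the ttls and peap sub-sections change; the rest of eap { } is as posted.
eap {
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "peap-inner"      # assumed name, see sites-enabled/peap-inner below
    }
}

# --- radiusd.conf, inside modules { } (assumed addition): a second ldap instance.
# Same directory and search settings as the posted "ldap" instance, but its own attrmap.
ldap ldap-peap {
    server = "ldap.cadorna.edu"
    identity = "cn=freeradius,ou=applications,dc=cadorna,dc=edu"
    port = 636
    password = "<bind-password>"          # placeholder: the bind DN's password
    basedn = "ou=people,dc=cadorna,dc=edu"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    access_attr = "radiusAllowed"
    dictionary_mapping = ${confdir}/ldap-peap.attrmap   # assumed file, see below
}

# --- ldap-peap.attrmap (assumed file): the only password mapping is radiusPassword.
# No "User-Password userPassword" line here, so the hashed attribute is never consulted.
checkItem Cleartext-Password radiusPassword
checkItem Expiration radiusExpiration

# --- sites-enabled/peap-inner (assumed file): inner server for the PEAP tunnel.
# ldap-peap runs before eap so Cleartext-Password is in the request when
# EAP-MSCHAPv2 computes the challenge response.
server peap-inner {
    authorize {
        mschap
        ldap-peap
        eap
        expiration
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
```

Two points to check before relying on this. First, radiusPassword is a clear-text credential, so the LDAP ACL should let only the freeradius bind DN read it (the existing userPassword ACL is no guide, since that attribute is hashed); confirm with an ldapsearch as the bind DN that the attribute comes back, and as an ordinary user that it does not. Second, the PEAP path works only because MSCHAPv2 needs a clear-text or NT-hash password on the server side; a hashed userPassword can never satisfy it, which is why TTLS/PAP keeps working against userPassword while PEAP needs either radiusPassword or Ivan's users-file DEFAULT.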