Some background on what we have here:
- We have a Cisco wireless infrastructure (WLC 4400, a bunch of 1131s) and
clients running SecureW2 supplicant. We want to authenticate and
authorize them against our directory services.
The 802.1x/EAP-TTLS/PAP method was suggested and we went with it.
- user's directory is eDirectory and accessed via Novell LDAP v3 interface.
(authentication is working and SSL secured [SLDAP])
- Radius server is on separate hardware, OS is Novell SUSE Enterprise Linux
(SLES) 10 SP3 and is NOT running eDirectory.
- FreeRADIUS 2.1.8 downloaded from FreeRADIUS.org and built from scratch with
-eDIR options (compiled perfectly into RPMs and installed into
OS perfectly).
- Config files and debug output to follow the base email below.
- I have my NAS listed in the huntgroups.config
- I set correct type of NAS in the file /etc/raddb/clients.config. I set it
to cisco (We assume this directs checkrad.pl to use that
method)
- I set the username to SNMP, password is the community string in the clients
config
- I have accounting turned on my NAS and we see accounting messages coming in
when sessions expire.(see debug output below)
We can't get simultaneous login to work. We are trying to restrict simultaneous
use to allow only one user to be logged at once.
(1)
Some things that we have picked up on are that the checkrad.pl perl script is
not able to access the Cisco 4400 wireless controller's data
properly
to access the session information. I think this may be partly us not knowing
how a session is considered unique and two how the cisco section
in the script polls
the MIB for session data. We know based on the new Cisco Airespace MIB that
sessions are listed by MAC address but from there not sure how to
map
that onto what FreeRADIUS is looking for. SNMP access to the device is working,
we can see the request on the line using Wireshark and
snmpwalk returns system data.
Perhaps it has something to do with adding Simultaneous-use parameter to
the check items first line. I am not sure where to find check items.
Our usernames are coming from eDirectory and we have followed the Novell
documentation on what to do there. The data is then presented to
FreeRADIUS via LDAP.
When I go into Radius users using Novell iManager I can see some options for
check items but none are set.
(2)
Another oddity is radwho. When the user logs in the first time they show up in
radwho. When I have someone login again using the same
username but on a different laptop the newest login
overwrites the entry in radwho instead of adding to it. Should that not be a
separate unique session and thus two should appear in the
listing?
I have read the documentation:
- I installed the mrtg package (to allow the chekrad.pl to talk SNMP natively
and that does work just not polling the right data we think)
- I put this line in the /raddb/users.config file at the top of the file (the
first non commented line):
DEFAULT Simultaneous-Use := 1
Fall-Through = 1
We are not doing groups, everyone in our directory is allowed on the wireless
so we used DEFAULT.
Here is my debug output when I start radius:
radius:~ # radiusd -X
FreeRADIUS Version 2.1.8, for host i686-suse-linux-gnu, built on Jan 23 2010 at
01:51:06
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/linelog
including configuration file
