I have to sincerely apologize for the 0.00 one I put out here.  I was
eager to try to help out those of you attempting to use eDirectory.

The new version is MUCH more mature and has fewer spelling errors.

I don't claim to be a FreeRADIUS expert, so please don't hesitate to
point out glaring errors in this document.

I also don't want anyone to think that this document is a replacement
for Novell's VERY GOOD documentation on FreeRADIUS.  CNEs should have
no trouble following their documentation.

Enjoy and PLEASE send me any comments.  I don't like being the only
name on this document.

You can get a copy of this document in OpenOffice format from me as
well.  Just send me an email.



<begin

eDirectory & FreeRadius HowTO
Dennis Comeaux
Version 0.03

(Butchering of this Document is welcomed.)

(This document is NOT a replacement for Novell's documentation.)


1.Preamble

This document is a guide intended for administrators who already know
what the OSI model is and who are familiar with networking but not
very familiar with Linux.  If you are completely new to Linux but not
new to networking, take a look at www.linuxhomenetworking.com or your
local bookstore for some excellent information on using Linux.

        Command Syntax / configuration file format

Mandatory input will be included with greater than and less than
symbols.  Optional input will be included in brackets. Anything not in
a bracket or less than / greater than symbols should be typed in
exactly as shown.

In cases where a bracket or less than / greater than symbol needs to
be entered literally, that symbol will be indicated by a \ preceding
the symbol.

command <mandatory input> [optional input] typeexactlyasshown

Note that all Linux commands are case sensitive.

Installing Software

If you find that you need additional software installed on your box to
proceed, you can generally install RPMs with one of the following.
        
        rpm -i <rpm package>
        rpm -U <rpm package>

Most packages work with the -i option.  The -U option is sometimes
necessary to upgrade a package.

If the software that you are trying to install is in source code
format, then use the following procedure:

        tar -zxf <program.tar.gz>
        cd <extracted program's folder>
        ./configure
        make
        make install

When this document makes reference to installing software, please
follow the above procedure unless otherwise noted.

Acknowledgments:

My thanks to Jim Whitt for his expertise in editing this document and
pointing out utter stupidity in the way that I tend to write.

Eternal thanks to Dalbert Varnell for getting me off of the loading
docks of a smiley-faced store and giving me the opportunity to work on
computer Networks.

Deep gratitude to Novell for their products and support.

Many, many thanks to the Developers who worked on integrating
eDirectory and FreeRADIUS.  My 2 favorite things in the world are now
blended.  This is just as wonderful as the invention of peanut butter
and chocolate.


2.Introduction

FreeRADIUS is used worldwide in production environments for RADIUS
authentication services.  FreeRADIUS is EXTREMELY scalable to large
environments.  Until recently, FreeRADIUS was only able to authorize
users with eDirectory via an attempted bind and LDAP queries.  Newly
released code has been added to FreeRADIUS 1.0.2 to allow for queries
against eDirectory where the password of the user in eDirectory is
compared with the password contained in the RADIUS authentication
request.

Below is the model of how RADIUS works with eDirectory.


[Laptop]
        ---request/reply---
                [Network Access Server]
                        ---forwarded RADIUS access request/reply---
                                [Linux Radius Server]
                                        ---RADIUS attributes, Password read---
                                                [eDirectory]

This implementation of FreeRADIUS sends the user's password through
the following steps:

1.The user's password is encrypted before being sent to the NAS with MS-CHAPv2.
2.The NAS connects to the FreeRADIUS server with cryptography supplied
by a shared secret.
3.The FreeRADIUS server connects to eDirectory with EAP-TLS. This is
an encrypted connection. eDirectory can refuse clear text connections
on port 389. There is a common misconception that EAP-TLS uses LDAPS
on port 636. EAP-TLS uses port 389 and the LDAP server (eDirectory)
requires encryption for port 389 connections if the LDAP Group Object
has the following option cleared:

        [ ] Require TLS for Simple binds with password.

4.The user's password is read from eDirectory by FreeRADIUS.  This
password is then compared with the password that FreeRADIUS received
from the NAS.
5.If the user's password matches, then additional requirements (such
as Group Membership or any LDAP attribute) are checked.
6.An authorization is sent to the NAS.  This authorization is
encrypted with the shared secret.
7.The password is NOT echoed into server logs unless password logging
is enabled.  Another option, if the password is needed, is to compile
password logging into the eDirectory portion of rlm_ldap.  The
classes required to echo logs are either inherited by the eDirectory
classes or they are global functions.
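As an added example (not from the HowTo, Novell or the FreeRADIUS sources) of what the "cryptography supplied by a shared secret" in steps 2 and 6 amounts to for a PAP request such as the one radtest sends: the NAS hides User-Password with MD5 keyed on the secret and the Request Authenticator, radiusd recovers it to compare with the eDirectory password, and the NAS verifies the Response Authenticator on the reply before trusting it.  The secret, user name and password are constructed values; the MD5 constructions follow RFC 2865.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP User-Password as the NAS does (RFC 2865 section 5.2): NUL-pad
    to a multiple of 16 bytes, XOR each block with MD5(secret + previous hidden
    block), the first block using the 16-byte Request Authenticator.  This is
    obfuscation keyed on the shared secret, not strong encryption, which is why
    the secret must be long and random and the NAS-to-server hop must run over
    a trusted network."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_password, as radiusd does before comparing the result with
    the nspmPassword value read from eDirectory (steps 4 and 5)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")

def build_access_request(ident: int, authenticator: bytes, username: bytes,
                         password: bytes, secret: bytes) -> bytes:
    """Assemble the Access-Request a NAS (or radtest) sends for a PAP login."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    hidden = hide_password(password, secret, authenticator)
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """Split the attribute TLVs that follow the 20-byte RADIUS header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        alen = packet[pos + 1] if pos + 2 <= len(packet) else 0
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def response_authenticator(code: int, ident: int, req_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def build_reply(code: int, ident: int, req_auth: bytes, secret: bytes,
                attrs: bytes = b"") -> bytes:
    """The Access-Accept or Access-Reject radiusd returns to the NAS (step 6)."""
    auth = response_authenticator(code, ident, req_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def reply_is_genuine(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """The check a NAS must make on every reply: recompute the Response
    Authenticator with its own copy of the secret and compare in constant time.
    A failing reply was not built by a holder of the secret, or was altered in
    transit, and must be discarded."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, req_auth, reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])

def demo() -> bool:
    """One PAP exchange with constructed values; True if the NAS ends up with a verified Access-Accept."""
    secret = b"somesecretpasswordyouaresharingwiththeclient"  # constructed, as in the clients.conf sample
    req_auth = os.urandom(16)                                  # fresh random value per request
    request = build_access_request(7, req_auth, b"jdoe", b"correct-horse", secret)
    # Server side: recover the password, compare it with the stored one, answer.
    got = parse_attributes(request)
    cleartext = reveal_password(got[ATTR_USER_PASSWORD], secret, request[4:20])
    code = ACCESS_ACCEPT if cleartext == b"correct-horse" else ACCESS_REJECT
    reply = build_reply(code, 7, req_auth, secret)
    # NAS side: trust the verdict only if the Response Authenticator checks out.
    return reply_is_genuine(reply, req_auth, secret) and code == ACCESS_ACCEPT
```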

If an existing NAS needs to be changed to authenticate and authorize
via FreeRADIUS, then the NAS will have to change the IP address that
it has configured for RADIUS and will need a new shared secret set up
in the clients.conf file.  Additional configuration of the NAS will
be minimal.

2.Software requirements and hardware requirements

Software you'll need:

1.ConsoleOne 1.36d.
2.FreeRADIUS 1.0.2.
3.Sun Java 1.5.0.01.
4.Cygwin's setup files (if installing from a windows machine).
5.Novell's scrub utility for Linux (removes all Novell applications).
6.The RADIUS snap-in for iManager (available from forge.novell.com).
7.OpenSSL (version 0.9.7e has been tested with this procedure).
8.OpenLDAP (version 2.0.27-11 has been tested with this procedure).

OpenSSL and OpenLDAP can be installed with the standard installation
options (./configure, make, and make install).

Documents that are helpful:

1. MonkeyNoodle.com's remote-X-cygwin HowTo.
2. Novell's freeradius integration guide (radadmin.pdf).

Files that you will spend time editing:

1./usr/local/etc/raddb/radiusd.conf (the main radius configuration)
2./usr/local/etc/raddb/users (a list of users who can use radius)
3./usr/local/etc/raddb/clients.conf (a list of radius clients by IP)
4./etc/init.d/* (a directory of startup scripts)

Useful Websites:

1.support.novell.com (for troubleshooting eDirectory)
2.www.rpmfind.net (for getting RPMs)
3.www.monkeynoodle.com (for good HowTos on CygWin)
4.www.openssl.org (the OpenSSL product)
5.www.openldap.org (the OpenLDAP product)
6.www.ohse.de/uwe/software/lrzsz.html (lrzsz for file xfers)
7.www.chiark.greenend.org.uk/~sgtatham/putty/ (putty for telnet / ssh client)
8.www.vandykesoftware.com (for commercial grade ssh / telnet client SecureCRT)
9.moin.conectiva.com.br/AptRpm (for the APT program)
10.www.novell.com/de-de/linux/suse/ (for YAST)
11.www.linuxhomenetworking.com (for VERY useful information on the
networking side of running linux)

Hardware Requirements

In addition to CPU requirements, you will need at least 512 MB of RAM
to run Nterprise Services.

3.Installing Cygwin

You may skip this step if you are installing directly on the server,
have another X server that you are using, or simply do not wish to use
an X server.

Cygwin is an X Server that runs on Windows.  Do not install the entire
500 MB of Cygwin. Just install the defaults except for X11 which
should be changed to Install.

If your server is configured to not boot to runlevel 5, it may have
trouble connecting to the X Server on your workstation.  The telinit
commands below will fix that problem if you don't want to boot to
runlevel 5.

If the procedure below does not work, you may want to try making all
of the modifications indicated in MonkeyNoodle's Cygwin HowTo.  The
following procedure will work with a Gnome installation on RedHat. 
See MonkeyNoodle's documentation for other implementations.

1.Download and run Cygwin's setup.exe.
2.Accept the defaults except for X11.  Change X11 to Install.
3.Edit /etc/X11/gdm/gdm.conf, find [xdmcp] and change Enable=false to
Enable=true.
4.Edit /etc/X11/xdm/Xaccess and uncomment the "any host can get a
login window" line.
5.Restart X (CTRL+ALT+BACKSPACE, rebooting the server, or telinit 3 &&
telinit 5).
6.Run Cygwin and type in X -query <ip of the linux box>.

Other useful X options are X -broadcast (gets a list of nearby X
clients), X -fullscreen, and X -help (gets a list of command line
options).

4.Install the Red Carpet Daemon:

The Red Carpet Daemon (RCD) must be present for a smooth install of
eDirectory.  Other management tools (apt, yast, et al.) can be used as
well, but the RCD's presence is required by eDirectory.

Download a version applicable to your distro.  The file
rcd-2.2.0-0.ximian.6.5.i386.rpm works with RedHat.

Follow the steps in the preamble of this document for installing the RCD.

5. Configure NTP

If you are installing into an existing tree, you will need to make
sure that your Linux box is using the same time sources as the
eDirectory servers.

1.Edit /etc/ntp.conf and add these lines to the file:

restrict <time server 1 IP> mask 255.255.255.255 nomodify notrap noquery

restrict <time server 2 IP> mask 255.255.255.255 nomodify notrap noquery

restrict <time server 3 IP> mask 255.255.255.255 nomodify notrap noquery

server <time server 1>
server <time server 2>
server <time server 3>

Note that each restrict line must be on ONE line, i.e. it should start
with the word restrict and end with the word noquery.  Don't put a
return after nomodify.

2.Make sure the NTPD runs at run level 3.

chkconfig --level 35 ntpd on

3.You can reboot and run /etc/init.d/ntpd status to check on the
status of NTP after a boot up.

Some useful ntpd commands can be found on the ntpd man pages (man
ntpd).  Using ntpq -p is useful for troubleshooting your NTP setup.

6. Install Java

This is fairly straightforward.  Do not run rpm -e jre if you are
currently running X, as this may cause your X session to lock up.  Use
SecureCRT (an ssh session) to remove the JRE if you need to.

1.Download jre-1_5_0_01-linux-i586.rpm and install it.
2.This is important for Java applications (including ConsoleOne); run:
        export JRE_HOME=/usr/java/jre1.5.0_01
3.Make the environment variable JRE_HOME permanent:
        a. Create a file in /etc/profiles.d named JAVA.
        b. Run chmod +x /etc/profiles.d/JAVA, then edit the JAVA file and put
           the export command from step 2 in it.

7. Install eDirectory

Note that you MUST NOT HAVE CONSOLEONE INSTALLED when you run the
eDirectory installation.  Having ConsoleOne installed has caused some
installs to hang on non patched RedHat systems.  You should remove
ConsoleOne if you want to run the scrub script as well.  To remove
ConsoleOne, you will have to run the c1-uninstall script.  To install
ConsoleOne, you will need to run the c1-install script.  These scripts
are extracted from the ConsoleOne installation files with tar -zxf.


1. Mount the Nterprise CD.  You can share the CD from your workstation and do:

        mount //<workstation IP>/<share> /mnt/cdrom

   If the CD is local, the mount command is:

        mount /dev/cdrom /mnt/cdrom

   If you're using an ISO:
        mount -o loop /<full path and filename of iso> /mnt/cdrom

2.Unload openldap or edirectory to prevent problems installing.  Run
/etc/init.d/ldap stop.
3.cd to /mnt/cdrom and run ./install.sh.
4.Select install.
5.Change the selected packages to install to ONLY install Apache,
Tomcat, the JVM, eDirectory, and iManager.  Install ALL of the options
for Linux User Management when prompted. These are options 1-4 and 11.
6.Enter the path to your nfk file when prompted.
7.Answer the remaining prompts and use default values for all ports.
8.Be patient.  This install can take some time on slower systems.

Install ConsoleOne

After you have installed ConsoleOne, you can login to trees on your
network.  If your tree doesn't show up in the available trees list,
you can login to that tree by specifying the IP address of a server
within that tree in the tree field of the ConsoleOne login window.

Note that the tar.gz file for ConsoleOne extracts its files to a
directory named Linux.

1.Download c1_136d-linux.tar.gz to /usr/src.
2.cd to /usr/src and run tar -zxf ./c1_136d-linux.tar.gz.
3.cd into the Linux directory that is extracted.
4.Run ./c1-install and
        a. do NOT install the Java Runtime Environment that comes with this
           program.
        b. DO install all of the snapins.
5.Test ConsoleOne by running /usr/ConsoleOne/bin/ConsoleOne and
logging into your eDirectory.

8. Install FreeRADIUS 1.0.2

This step is relatively easy provided that the compiler on your Linux
box is functional.  Note that if you have errors during this phase,
you may need to look at ./configure --help to find the switches for
SSL.

1. Download freeradius-1.0.2.tar.gz to /usr/src.
2. Run tar -zxf /usr/src/freeradius-1.0.2.tar.gz
3. cd into /usr/src/freeradius-1.0.2.
4. Run ./configure --with-edir
5. Run make
6. Run make install

Debugging FreeRADIUS can be done by stopping FreeRADIUS
(/etc/init.d/radiusd stop) and then running /usr/sbin/radiusd -X in a
console window.

One useful option for debugging is to run 
        
        radiusd -X \> <some file to log to>
        tail -f <some file to log to>

Note that the \> should be typed as > (see the preamble).

9. Configuring iManager and Extending the Schema

It is advisable to run iManager on the linux box and NOT on your
production iManager box.  Installing the Radius snapin on a production
iManager box may cause your "Modify User" default task to be
overwritten with a page of Radius attribute settings.

1.Download and save radius_npm.tar.gz to /usr/src (this file is
available from forge.novell.com and is the RADIUS plug-in for iManager).
2.cd to /usr/src.
3.Run tar -zxf radius_npm.tar.gz.  This will extract radius_npm.
4.Open a web browser to your Linux box.
5.Click on the iManager link and authenticate.
6.Click Configure, Install Module Package.
7.Browse to the npm (/usr/src/radius.npm) and click Install.
8.Restart your web server (or the box).
9.Open iManager (via the steps above).
10.Enable Universal Password (NMAS, Universal Password configuration).
Enable it for the OU that contains your RADIUS users.  Click APPLY,
not DONE, when you set this.
11.Open ConsoleOne and disable "require TLS with simple bind" on the
LDAP group object.
12.Run the following commands:

ldapmodify -D <admin DN, ie. cn=admin,o=something> -x -w <admin
password> -f <full path to the addclassmap.ldif file from the radius
snapin tar.gz file>

ldapmodify -D <admin DN> -x -w <admin password> -f <path to RADIUS-LDAPv3.ldif>

Note that the admin DN here uses the LDAP syntax (with commas) and not
the NDS syntax (with periods).  Also note that -w puts the admin
password on the command line, where it lands in your shell history and
is visible to other users in the process list; ldapmodify's -W option
prompts for the password instead.

13.Open ConsoleOne and ENABLE "require TLS with simple bind" on the
LDAP group object.
14.Login to iManager and extend the RADIUS schema (Roles and Tasks,
RADIUS, Extend Schema).  This step may not be necessary if the
ldapmodify commands were successful.
15.Exit your browser and then reopen iManager to change a user in the
container you specified for Universal Password into a RADIUS user.
Again, there should be NO errors.
16.Now you need to enable password administrators to read universal
passwords.  In iManager, eDirectory Administration role, Modify Object,
select the Universal Password On policy from Password Policies in the
Security container, edit the nspmConfigurationOptions attribute and
add 32 to the value shown.

10. Configuring FreeRADIUS

1.In ConsoleOne, extract the self signed certificate (from the
security container, the CA object) to
/usr/local/etc/raddb/certs/cacert.b64.
2.Make your radiusd.conf file's LDAP section look like what you see below.

        # Lightweight Directory Access Protocol (LDAP)
        #
        #  This module definition allows you to use LDAP for
        #  authorization and authentication (Auth-Type := LDAP)
        #
        #  See doc/rlm_ldap for description of configuration options 
        #  and sample authorize{} and authenticate{} blocks 
        ldap {
                server = "server.name.your.domain.com"
                identity = "cn=admin,o=something"
                password = adminpassword
                basedn = "ou=something,o=something"
                # The above line is where you will be searching for users
                filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"

                base_filter = "(objectclass=radiusprofile)"
                # set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                # The StartTLS operation is supposed to be used with normal
                # ldap connections instead of using ldaps (port 636) connections
                start_tls = yes

                tls_cacertfile  = /usr/local/etc/raddb/certs/cacert.b64

                # tls_cacertdir         = /path/to/ca/dir/
                # tls_certfile          = /path/to/radius.crt
                # tls_keyfile           = /path/to/radius.key
                # tls_randfile          = /path/to/rnd
                
                tls_require_cert        = "demand"

                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
                # profile_attribute = "radiusProfileDn"
                # access_attr = "dialupAccess"

                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ldap_connections_number = 5

                #
                # NOTICE: The password_header directive is NOT case insensitive
                #
                # password_header = "{clear}"
                #
                #  The server can usually figure this out on its own, and pull
                #  the correct User-Password or NT-Password from the database.
                #
                #  Note that NT-Passwords MUST be stored as a 32-digit hex
                #  string, and MUST start off with "0x", such as:
                #
                #       0x000102030405060708090a0b0c0d0e0f
                #
                #  Without the leading "0x", NT-Passwords will not work.
                #  This goes for NT-Passwords stored in SQL, too.
                #
                password_attribute = nspmPassword
                # groupname_attribute = cn
                # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
                # groupmembership_attribute = radiusGroupName
                timeout = 4
                timelimit = 3
                net_timeout = 1
                # compare_check_items = yes
                # do_xlat = yes
                # access_attr_used_for_allow = yes
                edir_account_policy_check = yes
        }

Please read Novell's eDirectory and FreeRADIUS Administration Guide
for some vital information on why you should have
edir_account_policy_check = yes turned on.

3. Modify the authorize { ... } portion of radiusd.conf.  You want to
add "ldap" before files.  Also, the authenticate { … } portion should
have ldap commented out.

#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you 
#  need to setup hints for the remote radius server
authorize {
        #
        #  The preprocess module takes care of sanitizing some bizarre
        #  attributes in the request, and turning them into attributes
        #  which are more standard.
        #
        #  It takes care of processing the 'raddb/hints' and the
        #  'raddb/huntgroups' files.
        #
        #  It also adds the %{Client-IP-Address} attribute to the request.
        preprocess

        #
        #  If you want to have a log of authentication requests,
        #  un-comment the following line, and the 'detail auth_log'
        #  section, above.
#       auth_log
        
#       attr_filter

        #
        #  The chap module will set 'Auth-Type := CHAP' if we are
        #  handling a CHAP request and Auth-Type has not already been set
        chap

        #
        #  If the users are logging in with an MS-CHAP-Challenge
        #  attribute for authentication, the mschap module will find
        #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
        #  to the request, which will cause the server to then use
        #  the mschap module for authentication.
        mschap

        #
        #  If you have a Cisco SIP server authenticating against
        #  FreeRADIUS, uncomment the following line, and the 'digest'
        #  line in the 'authenticate' section.
#       digest

        #
        #  Look for IPASS style 'realm/', and if not found, look for
        #  '@realm', and decide whether or not to proxy, based on
        #  that.
#       IPASS

        #
        #  If you are using multiple kinds of realms, you probably
        #  want to set "ignore_null = yes" for all of them.
        #  Otherwise, when the first style of realm doesn't match,
        #  the other styles won't be checked.
        #
        suffix
#       ntdomain

        #
        #  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
        #  authentication.
        #
        #  It also sets the EAP-Type attribute in the request
        #  attribute list to the EAP type from the packet.
        eap

        #
        #  Read the 'users' file
        #  and enable ldap for edir
        ldap
        files

        #
        #  Look in an SQL database.  The schema of the database
        #  is meant to mirror the "users" file.
        #
        #  See "Authorization Queries" in sql.conf
#       sql

        #
        #  If you are using /etc/smbpasswd, and are also doing
        #  mschap authentication, the un-comment this line, and
        #  configure the 'etc_smbpasswd' module, above.
#       etc_smbpasswd

        #
        #  The ldap module will set Auth-Type to LDAP if it has not
        #  already been set
#       ldap

        #
        #  Enforce daily limits on time spent logged in.
#       daily

        #
        # Use the checkval module
#       checkval
}


#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the appropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
        #
        #  PAP authentication, when a back-end database listed
        #  in the 'authorize' section supplies a password.  The
        #  password can be clear-text, or encrypted.
        Auth-Type PAP {
                pap
        }

        #
        #  Most people want CHAP authentication
        #  A back-end database listed in the 'authorize' section
        #  MUST supply a CLEAR TEXT password.  Encrypted passwords
        #  won't work.
        Auth-Type CHAP {
                chap
        }

        #
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
        }

        #
        #  If you have a Cisco SIP server authenticating against
        #  FreeRADIUS, uncomment the following line, and the 'digest'
        #  line in the 'authorize' section.
#       digest

        #
        #  Pluggable Authentication Modules.
#       pam

        #
        #  See 'man getpwent' for information on how the 'unix'
        #  module checks the users password.  Note that packets
        #  containing CHAP-Password attributes CANNOT be authenticated
        #  against /etc/passwd!  See the FAQ for details.
        #  
        unix

        # Uncomment it if you want to use ldap for authentication
        #
        # Note that this means "check plain-text password against
        # the ldap database", which means that EAP won't work,
        # as it does not supply a plain-text password.
#       Auth-Type LDAP {
#               ldap
#       }

        #
        #  Allow EAP authentication.
        eap
}

4. Modify the Post-Auth { … } section and include a Post-Auth Reject
section and uncomment the ldap part:

#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {
        #  Get an address from the IP Pool.
#       main_pool

        #
        #  If you want to have a log of authentication replies,
        #  un-comment the following line, and the 'detail reply_log'
        #  section, above.
#       reply_log

        #
        #  After authenticating the user, do another SQL query.
        #
        #  See "Authentication Logging Queries" in sql.conf
#       sql

        #
        #  Un-comment the following if you have set
        #  'edir_account_policy_check = yes' in the ldap module sub-section of
        #  the 'modules' section.
        #
        ldap
        #
        #  Access-Reject packets are sent through the REJECT sub-section of the
        #  post-auth section.
        #  Uncomment the following and set the module name to the ldap instance
        #  name if you have set 'edir_account_policy_check = yes' in the ldap
        #  module sub-section of the 'modules' section.
        #
        Post-Auth-Type REJECT {
                ldap
        }

5. Edit /usr/local/etc/raddb/clients.conf and add in your own client.
Typically this is the switch you will be using.  The format in this
file is EXTREMELY self explanatory.  It's basically this:

client <client domain name or ip address> {
        secret = somesecretpasswordyouaresharingwiththeclient
        shortname = someshortnametoidentifytheclient
}

6. Test the server:
        a. Run /usr/local/sbin/radiusd -X.
        b. Run the radtest command or connect from an outside client.  You
           should see the action on the radiusd screen.

11. Configuring EAP

EAP doesn't work right out of the box; it must be configured.

1.Enable EAP on the switch.
2.Download and install OpenSSL 0.9.7e or later (you may have already
had to do this during the FreeRADIUS installation).
        a. tar -zxf <gz file>
        b. ./config   (note that this is NOT ./configure, which is more common)
        c. make
        d. make install
3.Edit /usr/src/freeradius-1.0.2/scripts/CA.cert.  Fill it in with
your information AND change the SSL line at the top to point to
/usr/local/ssl.
4.Make a temporary directory and cd into it.  Then run
/usr/src/freeradius-1.0.2/scripts/CA.cert.
        a. You will get many files.  We need to copy 2 of them.  Copy root.pem
           to /usr/local/etc/raddb/certs/demoCA.
        b. Copy cert-srv.pem to /usr/local/etc/raddb/certs.  Note that I had
           problems running FreeRADIUS when I didn't have this file in the
           certs directory.
5.Edit eap.conf.  You need to change the default EAP type to peap,
enable TLS, and enable the peap section.  See below:

        eap {
                default_eap_type = peap
                
                …

                tls {
                        private_key_password = whatever
                        private_key_file = ${raddbdir}/certs/cert-srv.pem

                        #  If Private key & Certificate are located in
                        #  the same file, then private_key_file &
                        #  certificate_file must contain the same file
                        #  name.
                        certificate_file = ${raddbdir}/certs/cert-srv.pem

                        #  Trusted Root CA list
                        CA_file = ${raddbdir}/certs/demoCA/cacert.pem

                        dh_file = ${raddbdir}/certs/dh
                        random_file = ${raddbdir}/certs/random

                        #
                        #  This can never exceed the size of a RADIUS
                        #  packet (4096 bytes), and is preferably half
                        #  that, to accomodate other attributes in
                        #  RADIUS packet.  On most APs the MAX packet
                        #  length is configured between 1500 - 1600
                        #  In these cases, fragment size should be
                        #  1024 or less.
                        #
                        fragment_size = 1024

                        #  include_length is a flag which is
                        #  by default set to yes If set to
                        #  yes, Total Length of the message is
                        #  included in EVERY packet we send.
                        #  If set to no, Total Length of the
                        #  message is included ONLY in the
                        #  First packet of a fragment series.
                        #
                        include_length = yes

                        #  Check the Certificate Revocation List
                        #  
                        #  1) Copy CA certificates and CRLs to same directory.
                        #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
                        #    'c_rehash' is OpenSSL's command.
                        #  3) Add 'CA_path=<CA certs&CRLs directory>'
                        #      to radiusd.conf's tls section.
                        #  4) uncomment the line below.
                        #  5) Restart radiusd
                #       check_crl = yes

                        #
                        #  If check_cert_cn is set, the value will
                        #  be xlat'ed and checked against the CN
                        #  in the client certificate.  If the values
                        #  do not match, the certificate verification
                        #  will fail rejecting the user.
                        #
                #       check_cert_cn = %{User-Name}
                }

                …

                peap {
                        #  The tunneled EAP session needs a default
                        #  EAP type which is separate from the one for
                        #  the non-tunneled EAP module.  Inside of the
                        #  PEAP tunnel, we recommend using MS-CHAPv2,
                        #  as that is the default type supported by
                        #  Windows clients.
                        default_eap_type = mschapv2
                }

        }


12. Epilogue

Look into hardening your FreeRADIUS installation and minimizing the
rights that you have to grant to the Radius Administrator account. 
This information is freely available on the net and may be included in
version 0.5 of this document.

Contact the author at [EMAIL PROTECTED] to gripe or to point
out glaring mistakes.

<end

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html