FreeRadius....

I’m new to Linux and I’m following this Cool Solutions documentation: Configuring FreeRADIUS on Open Enterprise Server for Linux.

My goal is for people to log in with their Novell accounts and be encrypted with TTLS on wireless.

As I go through the steps in the doc I hope to ask questions here to get over some road blocks…I’m probably going to ask a lot of questions.

This is my first question.

From the documentation: Step 1 - Install FreeRADIUS

  1. Copy the 2 packages for FreeRADIUS on your OES Linux server into /tmp directory.
  2. Go into yast
  3. Go Software/Install and remove program - Search for FreeRADIUS package. If there are not installed, install it.
    Note: We installed FreeRADIUS with YaST because FreeRADIUS has a couple of dependencies. It’s easier to do it like this if you don’t know which packages are needed. Return to the command line and install both FreeRADIUS RPMs.
  4. rpm -Uvh --force /tmp/freeradius-1.0.2-0.i586.rpm
    rpm -Uvh --force /tmp/freeradius-devel-1.0.2-0.i586.rpm

I installed FreeRADIUS using YaST. Do I really have to do step 4 and install the rpm packages?

No, if you have already installed it using YaST, you can proceed. It’s always preferable to install it with YaST as opposed to using rpm on a package.

Thanks,

Here is my next question, about step 12.

At what line should I paste each of these sections? For example, should I paste the change under the module section on line 613, under the title module configuration?

(from the document)
step 12 Modify the file /etc/raddb/radiusd.conf

… Change under MODULE SECTION …

    modules {
        pap {
            encryption_scheme = crypt
        }

        chap {
            authtype = CHAP
        }

        pam {
            pam_auth = radiusd
        }

        unix {
            cache = no
            cache_reload = 600
            radwtmp = ${logdir}/radwtmp
        }

        $INCLUDE ${confdir}/eap.conf

        mschap {
            authtype = MS-CHAP
            use_mppe = yes
            require_encryption = yes
            require_strong = yes
        }

        ldap {
            server = "localhost"
            identity = "cn=admin,o=complys"
            password = password # !!! Use your own admin password here !!!
            basedn = "o=complys"
            filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
            base_filter = "(objectclass=radiusprofile)"
            start_tls = yes
            tls_cacertfile = /etc/raddb/certs/rootder.b64
            access_attr = "dialupAccess"
            ldap_connections_number = 5
            password_attribute = nspmPassword
            edir_account_policy_check = yes
            timeout = 4
            timelimit = 3
            net_timeout = 1
        }
    }

… CHANGE UNDER AUTHORIZE SECTION …

    authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        files
        ldap
    }

… CHANGE UNDER AUTHENTICATE SECTION …

    authenticate {
        Auth-Type PAP {
            pap
        }

        Auth-Type CHAP {
            chap
        }

        Auth-Type MS-CHAP {
            mschap
        }

        unix

        Auth-Type LDAP {
            ldap
        }

        eap
    }

… CHANGE UNDER POST-AUTH SECTION …

    post-auth {
        ldap
        Post-Auth-Type REJECT {
            ldap
        }
    }

Ah sorry, it’s been ages since I had to configure freeradius, but IIRC you have to modify the existing file where indicated. There should be comments delimiting the sections. Don’t just paste things in blindly. You have to make sure that it goes into the right place, matching braces and all, or you will have mysterious syntax errors. Also replace existing lines that are obviously substituted by your changes. Good luck.

I see a line in my config file that says $INCLUDE eap.conf, and the document says $INCLUDE ${confdir}/eap.conf

These 2 phrases look the same. Do you know what they mean? I’m taking a guess, but I think one of them tells FreeRADIUS to look into eap.conf for more information.

Should I replace $INCLUDE eap.conf with $INCLUDE ${confdir}/eap.conf and paste in everything about eap under it?

$INCLUDE as the name suggests, means insert the contents of the named file at that point. It’s a convenient way to make the configuration more modular. ${confdir} means substitute the value of the variable confdir which was probably declared earlier on to be the path of the configuration directory. The one without ${confdir} just includes it from the current directory.

I hope you know what you are doing with freeradius. Configuring it and getting it to work is not for the faint-hearted.
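An added example, not part of the original thread or of FreeRADIUS itself: a small Python checker that expands `${confdir}`-style variables, inlines `$INCLUDE` files the way the reply above describes, and reports unbalanced section braces before the server is restarted. The file contents are constructed samples, and two simplifications are assumptions of this sketch: a relative include is resolved next to the including file, and `#` always starts a comment.

```python
import os
import re
import tempfile

VAR = re.compile(r"\$\{(\w+)\}")
ASSIGN = re.compile(r"^(\w+)\s*=\s*(.+)$")

def load(path, variables, depth=0):
    """Yield (file, lineno, text) with ${var} expanded and $INCLUDE inlined."""
    if depth > 8:
        raise RuntimeError("include nesting too deep at " + path)
    with open(path) as fh:
        for n, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].strip()  # simplification: '#' starts a comment
            line = VAR.sub(lambda m: variables.get(m.group(1), m.group(0)), line)
            if line.startswith("$INCLUDE"):
                # Assumption: a relative name is looked up next to the including file.
                target = os.path.join(os.path.dirname(path), line.split(None, 1)[1])
                yield from load(target, variables, depth + 1)
            elif line:
                m = ASSIGN.match(line)
                if m:  # remember every "name = value" so later ${name} can use it
                    variables[m.group(1)] = m.group(2).strip('"')
                yield path, n, line

def check_braces(entries):
    """A section opens on a line ending in '{' and closes on a line that is just '}'."""
    stack, problems = [], []
    for path, n, line in entries:
        if line.endswith("{"):
            stack.append((line[:-1].strip(), os.path.basename(path), n))
        elif line == "}":
            if stack:
                stack.pop()
            else:
                problems.append(f"{os.path.basename(path)}:{n}: '}}' closes nothing")
    return problems + [f"{f}:{n}: section '{s}' is never closed" for s, f, n in stack]

def demo():
    """Constructed sample: a modules section pasted without its closing brace."""
    d = tempfile.mkdtemp()
    main = f"confdir = {d}\nmodules {{\n  pap {{\n    encryption_scheme = crypt\n  }}\n$INCLUDE ${{confdir}}/eap.conf\n"
    eap = "eap {\n  ttls {\n    default_eap_type = md5\n  }\n}\n"
    for name, body in (("radiusd.conf", main), ("eap.conf", eap)):
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    entries = list(load(os.path.join(d, "radiusd.conf"), {}))
    return [text for _, _, text in entries], check_braces(entries)

if __name__ == "__main__":
    lines, problems = demo()
    print("\n".join(lines), *problems, sep="\n")
```

Matching on whole lines rather than counting brace characters keeps `${confdir}` and `%{User-Name}` from being mistaken for section delimiters.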

I think I get it then. They don’t want that one config file getting too big, so they break it down into a bunch of configs. Adding $INCLUDE superduperfile.conf would add everything written in the superduperfile.conf file.

I’m looking at all the protocols it wants to name, like mschap.

If I only want TTLS then why would I need to do this?

Also, I pasted the syntax for the module stuff on the line after “Module {”, starting with pap.

All I want is TTLS, not TLS. Do I need to have TLS configured for it to work?

Can you explain to me what these commands below really mean? I read the comments about them but I’m still iffy.

    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }

Those commands were already typed in and all I had to do was write yes or no. Are there any other commands I have to type in?

For default_eap_type = , what other types can I type in?

Also, what other config files do I have to change to get TTLS working? So far I think I only need to change eap.conf, clients.conf, LDAP.conf and radiusd.conf.

Hi, I am trying to set up FreeRADIUS to use with our centrally controlled wireless. I am new to Linux and could use any help out there; where to find step-by-step instructions would be great. I am using 11.1. I can reinstall another version if needed.
Thanks