freeRADIUS 2.1.8 on SLES 10 with eDirectory Integration

over 11 years ago

INSTALLATION



  • download the bzip tarball from freeradius.org to /usr/src/packages/SOURCE/
  • unpack the freeradius.spec file from the tarball into /usr/src/packages/SPECS/
  • run “rpmbuild -ba /usr/src/packages/SPECS/freeradius.spec” and use yast to satisfy any build dependencies it complains about.

The built packages can be found under /usr/src/packages/RPMS/. Install the libs package first, then the server:


rpm -ivh freeradius-server-libs-2.1.8-0.x86_64.rpm
rpm -ivh freeradius-server-2.1.8-0.x86_64.rpm

Again, use yast to satisfy any dependencies.

CONFIGURE


Change the permissions in /etc/raddb/certs so that the radiusd group has enough access for `radiusd -X` to start (group read on the certificate and key files is enough; do not make the private keys world-readable).

In short, all you really need to do is:

  • configure the ldap module
    !!! note: you must bind as a user that is authorized for password retrieval in your Universal Password policy
    !!! export your tree's CA self-signed cert to /etc/raddb/certs/rootder.b64
  • uncomment "ldap" in the authorize section of /etc/raddb/sites-enabled/inner-tunnel
    !!! note: any ldap entry in the post-auth section was causing segfaults in 2.1.8 during authentication.
  • change default_eap_type from md5 to peap in eap.conf
  • set up a client in clients.conf



/etc/raddb/modules/ldap
---------------------------------
ldap {
    server = "servername"
    identity = "cn=admin,o=org"
    password = thepassword
    basedn = "o=org"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    port = 636
    tls_mode = yes
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
        # get this file by exporting the eDir CA self-signed cert
        cacertfile = /etc/raddb/certs/rootder.b64
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    password_attribute = nspmPassword
    edir_account_policy_check = yes
    # I allow everyone in my eDir to connect so I don't use the iManager / dial-in access stuff.
    # This needs to be "yes" if you do.
    access_attr_used_for_allow = no
    set_auth_type = no
}



/etc/raddb/eap.conf
---------------------------
eap {
    default_eap_type = peap
    ... # the rest of this file can stay at its defaults
}



/etc/raddb/sites-enabled/inner-tunnel
--------------------------------------------------
uncomment "ldap" in the authorize section
!!! note: any ldap config in the post-auth section causes segfaults in version 2.1.8
!!! once this bug is fixed you will want to uncomment ldap in the post-auth section too



/etc/raddb/clients.conf
------------------------------
client 192.168.0.0/24 {
    secret = somesecretpasswd
    shortname = Wireless_AP
}


Now you should be able to start FreeRADIUS in debug mode with `radiusd -X` and watch the debug output as a client authenticates.
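Before running `radiusd -X` it is worth checking that the four edits above actually landed in the files, in particular that LDAP is encrypted (the bind password and the nspmPassword retrieval would otherwise cross the wire in clear) and that "ldap" is enabled in inner-tunnel authorize but still commented out in post-auth. The script below is an added example, not part of the original post or of FreeRADIUS; it assumes the /etc/raddb layout used above, only reads the files (it never contacts the LDAP server), and the write_sample_raddb function builds a constructed copy of this page's configs so it can be tried without a real server.

```shell
#!/bin/sh
# Pre-flight checks for the eDirectory setup above. Added example, not part of the
# original post; it only reads the raddb files and never talks to the LDAP server.

# Print the value of "key = value" (first uncommented hit, quotes stripped) from a file.
conf_value() {
    awk -v k="$2" '!/^[ \t]*#/ && $1 == k && $2 == "=" { gsub(/"/, "", $3); print $3; exit }' "$1"
}
# Succeed if module $1 is listed, uncommented, inside section $3 of virtual-server file $2.
# Brace depth is tracked so nested blocks such as "eap { ok = return }" do not end the section.
module_in_section() {
    awk -v mod="$1" -v sec="$3" '
        /^[ \t]*#/ { next }
        !in_sec && $1 == sec && $2 == "{" { in_sec = 1; depth = 1; next }
        in_sec {
            for (i = 1; i <= NF; i++) { if ($i == "{") depth++; else if ($i == "}") depth-- }
            if (depth == 0) in_sec = 0; else if ($1 == mod) found = 1
        }
        END { exit found ? 0 : 1 }' "$2"
}
# Run every check against a raddb directory; print each failure and return the count.
check_raddb() {
    raddb="$1"; fails=0; ldap="$raddb/modules/ldap"; tunnel="$raddb/sites-enabled/inner-tunnel"
    # 1. ldaps (tls_mode) or START_TLS must be on, with the eDirectory CA cert pinned and readable.
    if [ "$(conf_value "$ldap" tls_mode)" != yes ] && [ "$(conf_value "$ldap" start_tls)" != yes ]; then
        echo "FAIL: $ldap: neither tls_mode nor start_tls is yes"; fails=$((fails+1))
    fi
    ca="$(conf_value "$ldap" cacertfile)"
    [ -n "$ca" ] && [ -r "$ca" ] || { echo "FAIL: cacertfile '$ca' missing or unreadable"; fails=$((fails+1)); }
    # 2. ldap enabled in inner-tunnel authorize, but not in post-auth (segfaults on 2.1.8).
    module_in_section ldap "$tunnel" authorize || { echo "FAIL: ldap not enabled in inner-tunnel authorize"; fails=$((fails+1)); }
    module_in_section ldap "$tunnel" post-auth && { echo "FAIL: ldap enabled in inner-tunnel post-auth"; fails=$((fails+1)); }
    # 3. Outer EAP type must be PEAP, otherwise the inner tunnel (and the ldap lookup) is never used.
    [ "$(conf_value "$raddb/eap.conf" default_eap_type)" = peap ] || { echo "FAIL: default_eap_type is not peap"; fails=$((fails+1)); }
    # 4. No client may still use the shared secret testing123 that the stock clients.conf ships with.
    grep -Eq '^[[:space:]]*secret[[:space:]]*=[[:space:]]*testing123' "$raddb/clients.conf" && { echo "FAIL: clients.conf uses the sample secret testing123"; fails=$((fails+1)); }
    return $fails
}
# Constructed sample tree mirroring the post's configs (not a real server's files).
write_sample_raddb() {
    mkdir -p "$1/modules" "$1/sites-enabled" "$1/certs"; printf 'constructed CA\n' > "$1/certs/rootder.b64"
    printf 'ldap {\n\tserver = "servername"\n\tport = 636\n\ttls_mode = yes\n\ttls {\n\t\tstart_tls = no\n\t\tcacertfile = %s/certs/rootder.b64\n\t}\n}\n' "$1" > "$1/modules/ldap"
    printf 'server inner-tunnel {\nauthorize {\n\teap {\n\t\tok = return\n\t}\n\tldap\n}\npost-auth {\n#\tldap\n\tPost-Auth-Type REJECT {\n\t\tattr_filter.access_reject\n\t}\n}\n}\n' > "$1/sites-enabled/inner-tunnel"
    printf 'eap {\n\tdefault_eap_type = peap\n\tpeap {\n\t\tdefault_eap_type = mschapv2\n\t}\n}\n' > "$1/eap.conf"
    printf 'client 192.168.0.0/24 {\n\tsecret = somesecretpasswd\n\tshortname = Wireless_AP\n}\n' > "$1/clients.conf"
}
# Stand-alone use: sh check_raddb.sh [raddb-dir]; each failed check is printed.
if [ -d "${1:-/etc/raddb}" ] && check_raddb "${1:-/etc/raddb}"; then echo "all checks passed"; fi
```

Run it against a scratch copy first (`write_sample_raddb /tmp/raddb-test && sh check_raddb.sh /tmp/raddb-test`) to see the clean case, then point it at /etc/raddb.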

Labels:

How To-Best Practice