07-21-05 10:47 PM
Hi everyone,
After many hours and days trying to configure FreeRADIUS on my OES
Linux (SUSE 9 SP1) with LDAP authentication and a Linksys WRT54G
access point ... here is the step-by-step documentation for you!
Here is my setup and what you should download before starting the
procedure.
++ Hardware Needed ++
1) Server for OES Linux
2) Linksys Router Wireless - WRT54G
3) Workstation XP with Wireless Network Card
----------------------------------------------------------------------------
++ Software Needed ++
1) OES Linux (SuSE 9 SP1) - installed with eDir + NCP + iManager 2.5
Note : FRESH INSTALLATION
2) FreeRADIUS 1.0.2
3) certs.tar.gz
http://forge.novell.com/modules/xfc...74/certs.tar.gz
4) iManager plugins for RADIUS
http://forge.novell.com/modules/xfc.../edirfreeradius
5) iManager NMAS Client
http://support.novell.com/cgi-bin/s...gi?10097107.htm
Note : Follow this TID to extract the NMASCLIENT.NPM
----------------------------------------------------------------------------
Step 1 - Install FreeRADIUS
1a) Copy the two FreeRADIUS packages into the /tmp directory on your
OES Linux server.
1b) Start YaST.
1c) Go to Software / Install and Remove Software and search for the
FreeRADIUS package. If it is not installed, install it.
Note : We install FreeRADIUS through YaST because it has a couple of
dependencies; this is the easier way if you don't know which packages
are needed.
1d) Return to the command line and install both FreeRADIUS RPMs.
rpm -Uvh --force /tmp/freeradius-1.0.2-0.i586.rpm
rpm -Uvh --force /tmp/freeradius-devel-1.0.2-0.i586.rpm
1e) Delete the whole certs directory under /etc/raddb/.
1f) Copy certs.tar.gz into the /tmp directory.
1g) Extract certs.tar.gz:
tar -zxf certs.tar.gz
1h) Edit CA.certs following this example:
COUNTRY="CA"
PROVINCE="Quebec"
CITY="Montreal"
ORGANIZATION="Complys technologies inc"
ORG_UNIT="HeadOffice"
PASSWORD="complys"   # your choice; eap.conf private_key_password must be the same
COMMON_NAME_CLIENT="Rezotik Client SSL"
EMAIL_CLIENT="info@complys.dot.com"
PASSWORD_CLIENT=$PASSWORD
COMMON_NAME_SERVER="Rezotik Server SSL"
EMAIL_SERVER="info@complys.com"
PASSWORD_SERVER=$PASSWORD
COMMON_NAME_ROOT="Root certificate"
EMAIL_ROOT="info@complys.dot.com"
PASSWORD_ROOT=$PASSWORD
1j) Go to line 85 of CA.certs and replace that line with the following
one:
echo "newreq.pem" | ./CA.pl -newca || exit 2
1k) Copy the whole /tmp/certs directory into /etc/raddb.
1m) Export the self-signed certificate with the following steps:
- Open ConsoleOne
- Highlight the Security container
- Open the properties of the CERTIFICATE AUTHORITY object, then go to the
Certificates tab, Self Signed Certificate
- Click Export - answer NO to exporting the private key.
- Save the file in B64 format under the following name:
/etc/raddb/certs/rootder.b64
1n) Modify the file /etc/raddb/radiusd.conf
# ... Change under MODULE SECTION ... #
modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        cache = no
        cache_reload = 600
        radwtmp = ${logdir}/radwtmp
    }
    $INCLUDE ${confdir}/eap.conf
    mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
    }
    ldap {
        server = "localhost"
        identity = "cn=admin,o=complys"
        password = password   # !!! Use your own admin password here !!!
        basedn = "o=complys"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        start_tls = yes
        tls_cacertfile = /etc/raddb/certs/rootder.b64   # exported in step 1m
        access_attr = "dialupAccess"
        ldap_connections_number = 5
        password_attribute = nspmPassword
        edir_account_policy_check = yes
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
}
# ... CHANGE UNDER AUTHORIZE SECTION ... #
authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    files
    ldap
}
# ... CHANGE UNDER AUTHENTICATE SECTION ... #
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    Auth-Type LDAP {
        ldap
    }
    eap
}
# ... CHANGE UNDER POST-AUTH SECTION ... #
post-auth {
    ldap
    Post-Auth-Type REJECT {
        ldap
    }
}
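As an added example (not part of the original post), here is an offline Python model of what the ldap entry in the authorize section does with the settings above: the suffix module's realm stripping, the :- fallback in the filter, RFC 4515 escaping of the user name before it enters the filter, the base_filter, and the dialupAccess access_attr check. DIRECTORY is constructed sample data, and the access_attr semantics (attribute present and not FALSE means allow) are my reading of the rlm_ldap 1.x default access_attr_used_for_allow = yes.

```python
# Added example, not from the original post: an offline model of the authorize
# decision rlm_ldap makes with the radiusd.conf above. DIRECTORY is constructed
# stand-in data; the access_attr semantics assume the rlm_ldap 1.x default
# access_attr_used_for_allow = yes (attribute present -> allow unless FALSE).
DIRECTORY = [
    {"dn": "cn=radmin,o=complys", "uid": "radmin",
     "objectclass": ["inetOrgPerson", "radiusprofile"], "dialupAccess": "ON"},
    {"dn": "cn=radius2,o=complys", "uid": "radius2",
     "objectclass": ["inetOrgPerson", "radiusprofile"]},      # step 6h not done
    {"dn": "cn=guest,o=complys", "uid": "guest",
     "objectclass": ["inetOrgPerson"], "dialupAccess": "ON"},  # never made a RADIUS user
]

def ldap_escape(value):
    """RFC 4515 escaping, which FreeRADIUS applies before %{User-Name} enters the filter.
    Without it a User-Name of '*' would turn (uid=*) into a match-anything filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def stripped_user_name(user_name):
    """The 'suffix' module: 'eric@complys.com' -> 'eric'; None when there is no realm."""
    return user_name.rsplit("@", 1)[0] if "@" in user_name else None

def build_filter(user_name):
    """Expand filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" from radiusd.conf."""
    stripped = stripped_user_name(user_name)
    name = user_name if stripped is None else stripped   # :- means 'fall back to'
    return name, "(uid=%s)" % ldap_escape(name)

def authorize(user_name, directory=DIRECTORY):
    """Return (accepted, reason) as the ldap entry in the authorize section would decide."""
    name, flt = build_filter(user_name)
    # The server matches the escaped filter literally, so comparing the raw uid is
    # equivalent; base_filter "(objectclass=radiusprofile)" is ANDed in.
    hits = [e for e in directory
            if e["uid"] == name and "radiusprofile" in e["objectclass"]]
    if not hits:
        return False, "no radiusprofile entry matches %s" % flt
    entry = hits[0]
    value = entry.get("dialupAccess")   # access_attr
    if value is None:
        return False, "%s lacks dialupAccess" % entry["dn"]
    if value.upper() == "FALSE":
        return False, "%s has dialupAccess = FALSE" % entry["dn"]
    return True, "%s authorized" % entry["dn"]
```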
1o) Modify the file /etc/raddb/eap.conf
eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    md5 {
    }
    leap {
    }
    tls {
        private_key_password = complys   # the PASSWORD set in CA.certs
        private_key_file = /etc/raddb/certs/cert-srv.pem
        certificate_file = /etc/raddb/certs/cert-srv.pem
        CA_file = /etc/raddb/certs/demoCA/cacert.pem
        dh_file = /etc/raddb/certs/dh
        random_file = /etc/raddb/certs/random
        fragment_size = 1024
        include_length = yes
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
1p) Modify the file /etc/raddb/clients.conf
client 192.168.1.0/24 {
    secret = rezotik
    shortname = newton
}
Note : My subnet is 192.168.1.0/24 ... change it to your subnet. The
"secret" attribute is the shared secret a client (here the access point)
must know to be accepted by the RADIUS server.
1q) Modify the file /etc/raddb/users
!!! EMPTY THE WHOLE FILE !!! We don't need it because you will use
LDAP authentication.
1r) Start FreeRADIUS at the command line: radiusd -X -A
Note : You should see "READY TO PROCESS REQUESTS" if your
configuration is good. Otherwise double-check your files.
Note : You should test your RADIUS connection with the NTRadPing utility
before continuing.
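As an added example (not code from the post or from FreeRADIUS), here is a minimal Python stand-in for the NTRadPing check: it builds an RFC 2865 Access-Request whose User-Password is hidden under the clients.conf secret, and it accepts a reply only if the Response Authenticator verifies. SECRET (rezotik, from clients.conf above) and SERVER (192.168.1.30:1812, from Step 4) are assumed values, and make_reply stands in for the server side so the exchange can be exercised offline.

```python
import hashlib
import os
import socket
import struct

# Added example (not the post's code): minimal NTRadPing-style test of the setup above.
# Assumed values: SECRET must equal 'secret' in clients.conf; SERVER is the RADIUS
# Server Address/Port the WRT54G is pointed at in Step 4.
SECRET = b"rezotik"
SERVER = ("192.168.1.30", 1812)

def hide_password(secret, authenticator, password, reveal=False):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block);
    reveal=True runs the same loop backwards, showing the secret is the only protection."""
    data = password if reveal else password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (data[i:i + 16] if reveal else block)
    return out.rstrip(b"\x00") if reveal else out

def build_access_request(ident, authenticator, user, password, secret):
    """Access-Request (code 1) with User-Name (type 1) and User-Password (type 2)."""
    name = user.encode()
    hidden = hide_password(secret, authenticator, password.encode())
    attrs = struct.pack("!BB", 1, len(name) + 2) + name \
        + struct.pack("!BB", 2, len(hidden) + 2) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def make_reply(code, ident, req_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_authenticator + attrs + secret).digest() + attrs

def verify_reply(reply, ident, req_authenticator, secret):
    """Return the reply code (2 = Access-Accept, 3 = Access-Reject) only if it checks out."""
    expected = hashlib.md5(reply[:4] + req_authenticator + reply[20:] + secret).digest()
    if len(reply) < 20 or reply[1] != ident or reply[4:20] != expected:
        return None   # forged reply, or the secret does not match clients.conf
    return reply[0]

def radping(user, password, secret=SECRET, server=SERVER):
    """Send one Access-Request like NTRadPing; None means no valid answer."""
    authenticator, ident = os.urandom(16), os.urandom(1)[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_access_request(ident, authenticator, user, password, secret), server)
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None   # no answer: wrong address/port, firewall, or radiusd not running
    return verify_reply(reply, ident, authenticator, secret)
```

A reply that fails verification is reported as None, which is what you get when the secret used by the test client and the one in clients.conf differ, the same mismatch that will later stop the access point from authenticating anyone.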
----------------------------------------------------------------------------
Step 2 - Install the RADIUS plugin and the NMAS Client plugin into iManager
2a) Install RADIUS.NPM and NMASCLIENT.NPM into iManager
Note : I will not describe all the steps ... I'll assume that you are a
Novell administrator and know how to use iManager and add a plugin to
it.
2b) Import both LDIF files included with the NPM files for RADIUS.
Note : The easiest way to add them without problems is ConsoleOne,
under Tools / NDS Import/Export
2c) Open iManager - go under RADIUS
2d) Click on Extend Schema for RADIUS - say Yes to extend the schema.
----------------------------------------------------------------------------
Step 3 - Create a Universal Password Policy
3a) Open iManager - go under PASSWORD
3b) Click on Password Policy
3c) Add a NEW POLICY - give the policy a name - Example: Universal
Password Policy
3d) Disable Advanced Password Rules
3e) Click on VIEW OPTIONS
3f) Enable everything except: Remove the NDS password when setting
Universal Password.
3g) Next - Next -
3h) DON'T ASSIGN ANY USERS OR CONTAINERS NOW !
----------------------------------------------------------------------------
Step 4 - Configure your Linksys WRT54G wireless router
4a) Go to the administration web page of your router.
4b) Under Wireless Security, choose:
Security Mode: WPA RADIUS
WPA Algorithms: TKIP
RADIUS Server Address: 192.168.1.30 <------ IP address of my
OES Linux server
RADIUS Port: 1812
Shared Key: complys <----- must be the same string as "secret" in
/etc/raddb/clients.conf
Key Renewal Timeout: 3600 seconds
----------------------------------------------------------------------------
Step 5 - Configure your wireless card under Windows XP
5a) Under Network Connections, open the properties of your wireless card
5b) Click on the Wireless Networks tab
5c) Enable: Use Windows to configure my wireless network settings.
5d) Click on ADD under the PREFERRED NETWORKS section.
5e) Enter the SSID of your wireless router.
5f) Click on the AUTHENTICATION tab
5g) Choose in the drop-down list for EAP type: Protected EAP (PEAP)
5h) Click on PROPERTIES just under the drop-down list.
5i) Disable VALIDATE SERVER CERTIFICATE
Note : With validation disabled the workstation accepts any RADIUS
server's certificate for the PEAP tunnel, so treat this as a setting for
the initial test only.
5j) Select Secured password (EAP-MSCHAP v2) as the authentication method.
5k) Click on Configure... just beside it
5l) Disable AUTOMATICALLY USE MY WINDOWS LOGON NAME AND PASSWORD
5m) Click OK - Click OK
5n) Click on the CONNECTION tab
5o) Disable CONNECT WHEN THIS NETWORK IS IN RANGE
5p) Click OK.
Note : You should now have a connection named SSIDNAME (On Demand)
----------------------------------------------------------------------------
Step 6 - Create a user and a RADIUS user in eDirectory
6a) Create a user with ConsoleOne or iManager
6b) Give the user a username and a password
6c) Open iManager - go under RADIUS
6d) Click on CREATE RADIUS USERS
6e) Choose the user that you just created
6f) Click on MODIFY RADIUS USERS
6g) Click on the OTHER ITEMS tab
6h) Set the dialupAccess attribute to ON.
6i) Apply the changes
----------------------------------------------------------------------------
Step 7 - Test your connection with the Windows XP wireless card
7a) Go to VIEW AVAILABLE WIRELESS NETWORKS
7b) Click the SSIDNAME (ON DEMAND) access point.
7c) Enter the credentials of the user that you just created
7d) THAT'S IT !!!!
----------------------------------------------------------------------------
Step 8 - Troubleshoot user login
1) First problem - error FAILED AUTHENTICATE -669 in the FreeRADIUS
console.
Note : A great tool to check whether your user is ready to work with
RADIUS is the UNIVERSAL PASSWORD DIAG UTILITY.
http://support.novell.com/cgi-bin/s...gi?/2970885.htm
Note : The NMAS Client plugin for iManager (see STEP 2) should be
installed to synchronize UP (Universal Password) with the NDS password,
etc.
A good user should return this:
Object DN: cn=radmin,o=complys
EMail: [NONE]
Password Status: Enabled, Set
Simple Password Status: Set
Password Policy DN: cn=Universal Password Policy,cn=Password Policies,cn=Security
A bad user should return this:
Object DN: cn=radius2,o=complys
EMail: [NONE]
Password Status: Enabled, Set, UP != NDS
Simple Password Status: Set, Simple != NDS
Password Policy DN: cn=Universal Password Policy,cn=Password Policies,cn=Security
Hope these steps will help you! Comments are welcome!
PS : Sorry, my English is not so good; I did my best for this post.
Eric Champagne, CNE, CCNA
eric.champagne@complys.c.o.m
Complys technologies inc
www.complys.com