metallica1973
02-23-2008 08:56 AM
FreeRADIUS, PEAP and TLS
I use openRADIUS with PEAP for authentication at the moment and everything works (the Windows 2000 machines connect fine); the only problem is that my Linux laptop cannot connect via PEAP no matter what I try. So I have decided to use EAP-TLS for it. As far as I know both EAP types can be enabled at the same time. I created the certificates following:
http://www.linuxjournal.com/article/8095
and tried to finish the setup using part III:
http://www.linuxjournal.com/article/8151
and it still does not work.
My radiusd.conf:
prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib pidfile = ${run_dir}/radiusd.pid user = wireless group = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = 192.168.3.5 port = 1645 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } }
modules { pap { encryption_scheme = crypt }
chap { authtype = CHAP }
pam { pam_auth = radiusd }
unix { cache = no cache_reload = 600 shadow = /etc/shadow radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { } ldap { server = "ldap.your.domain" basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no }
realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no }
realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no }
realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no }
detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600
callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp [ perm = 0644 callerid = "no" }
attr_filter { attrsfile = ${confdir}/attrs }
counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } sqlcounter dailycounter { counter-name = Daily-Session-Time check-name = Max-Daily-Session sqlmod-inst = sql key = User-Name reset = daily
query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" }
sqlcounter monthlycounter { counter-name = Monthly-Session-Time check-name = Max-Monthly-Session sqlmod-inst = sql key = User-Name reset = monthly
query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
} always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no }
expr { }
digest { }
exec { wait = yes input_pairs = request }
exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply }
ippool main_pool { range-start = 192.168.3.10 range-stop = 192.168.3.30
netmask = 255.255.255.224 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 }
} instantiate { exec expr } authorize { preprocess chap mschap suffix eap files } authenticate { Auth-Type PAP { pap } }
Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix eap } preacct { preprocess acct_unique suffix
files } accounting { detail
unix radutmp
} session { radutmp } post-auth {
}
pre-proxy { }
post-proxy { eap }
Here is my eap.conf(relavent areas)
PHP Code:
tls { private_key_password = XXXXX private_key_file = ${raddbdir}/certs/server_keycert.pem certificate_file = ${raddbdir}/certs/server_keycert.pem CA_file = ${raddbdir}/certs/cacert.pem
dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024
|