Re: Freeradius, EAP-TTLS and eDirectory



Mariano Morano wrote:
Hi all,
We are working on an RFP and one of the customer's requirements is that we must support EAP-TTLS with Freeradius integrated with eDirectory as back-end.

We were reading the Novell documentation, and on the Novell page there appears "How to integrate Novell® eDirectory™ 8.7.1 or later with FreeRADIUS 1.0.2 onwards to allow wireless authentication for eDirectory users." and it does not mention EAP-TTLS (only EAP-TLS).


So, some questions:
1) First, can we use Freeradius with EAP-TTLS and eDirectory as back end?
2) If we can, what version of Freeradius should we use?
3) Can someone send us information about how to do that?

I would appreciate any help ASAP.

Thanks in advance.

Follow Novell's latest document about integrating Novell® eDirectory™ with FreeRADIUS.

Then just make sure that these lines are present and uncommented in radius.conf:
# radius.conf (on a fresh install these lines are present and uncommented)

$INCLUDE ${confdir}/eap.conf

authorize {
        eap
}

authenticate {
        eap
}

post-proxy {
        eap
}

Then change eap.conf to look something like this....

eap {
        default_eap_type = tls
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no

        md5 {
        }

        leap {
        }

        gtc {
                #challenge = "Password: "
                auth_type = PAP
        }

        tls {
                private_key_password = example-password
                private_key_file = ${raddbdir}/certs/cert-srv.pem
                certificate_file = ${raddbdir}/certs/cert-srv.pem
                CA_file = ${raddbdir}/certs/root.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                fragment_size = 1024
                include_length = yes
        }

        ttls {
                # You may have to uncomment either one of these, depending on your configuration...
                # default_eap_type = md5
                # default_eap_type = pap
                # copy_request_to_tunnel = no
                use_tunneled_reply = no
        }

        # peap {
        #       default_eap_type = mschapv2
        #       copy_request_to_tunnel = no
        #       use_tunneled_reply = no
        #       proxy_tunneled_request_as_eap = yes
        # }

        mschapv2 {
        }
}

Create the certificates....

Configure proxy.conf and client.conf and user.conf to suit your needs and you're ready to go.
Best Regards
           Johann B.
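
An offline check for the settings listed in the reply above, added here as an example and not code from the original post or from the FreeRADIUS project: it parses the brace-delimited configuration format and reports when eap is absent from authorize or authenticate, when no uncommented ttls section exists, or when the tls certificate settings are missing. The function names and the sample input are constructed for illustration, and the parser assumes one item per line with no "#" inside values.

```python
import re

def parse_sections(text):
    """Parse FreeRADIUS-style 'name { ... }' blocks into nested dicts."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (assumes no '#' in values)
        if not line:
            continue
        opener = re.fullmatch(r"([\w.-]+)\s*\{", line)
        if opener:
            stack.append(stack[-1].setdefault(opener.group(1), {}))
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unmatched '}'")
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            stack[-1][line] = True  # bare module name such as 'eap'
    if len(stack) != 1:
        raise ValueError("unclosed '{'")
    return stack[0]

def check_ttls_ready(radiusd_conf, eap_conf):
    """Return a list of problems; an empty list means the reply's settings are active."""
    main = parse_sections(radiusd_conf)
    problems = [f"eap not listed in {s}" for s in ("authorize", "authenticate")
                if "eap" not in main.get(s, {})]
    eap = parse_sections(eap_conf).get("eap", {})
    if "ttls" not in eap:
        problems.append("no active ttls section")
    problems += [f"tls {k} not set" for k in ("private_key_file", "certificate_file", "CA_file")
                 if k not in eap.get("tls", {})]
    return problems

# Constructed sample input: the ttls section is still commented out.
SAMPLE_RADIUSD = "authorize {\n  eap\n}\nauthenticate {\n  eap\n}\n"
SAMPLE_EAP = """eap {
    tls {
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/root.pem
    }
    # ttls {
    # }
}"""
if __name__ == "__main__":
    print(check_ttls_ready(SAMPLE_RADIUSD, SAMPLE_EAP))
```

Run it against copies of the two files before restarting the server; a commented-out ttls block is reported the same way as a missing one.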





