We are currently using our RADIUS server to do one thing: it authenticates wireless users via MAC address through access points. Very clean, very simple. We would like to increase the security a bit by having the users authenticate against eDirectory as well. If a user tries to get on the network, his MAC is passed to the RADIUS server. If the MAC is validated, the request is passed to the Novell server, the user is asked to enter his password, and then he is allowed in.

I have set up my config files according to several eDirectory/FreeRADIUS FAQ articles that I have found, but I am still having a few issues:

1. I am never asked for a password.
2. rlm_ldap: when I attempt to get access, I get an error message "could not start TLS Operations error".

Below are some clips from my configurations as well as the access messages as I receive them:

ACCESS ATTEMPT:

rad_recv: Access-Request packet from host 172.16.14.23:1812, id=1, length=73
        User-Password = "xxxxxx"
        User-Name = "0016cb-b64f93"
        NAS-Identifier = "172.16.14.23"
        NAS-IP-Address = 172.16.14.23
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/172.16.14.23/auth-detail-20071011'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/172.16.14.23/auth-detail-20071011
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "0016cb-b64f93", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 153
    users: Matched entry 0016cb-b64f93 at line 222
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0016cb-b64f93
radius_xlat: '(uid=0016cb-b64f93)'
radius_xlat: 'o=dist-155'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 172.16.13.10:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/cacert.pem
rlm_ldap: setting TLS CACert Directory to /usr/local/etc/raddb/certs/
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Operations error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns fail for request 0
modcall: leaving group authorize (returns fail) for request 0
Finished request 0
Going to the next request

RADIUSD.CONF:

# MODULE CONFIGURATION
#
modules {
    #
    pap {
        encryption_scheme = crypt
        auto_header = yes
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        cache = no
        cache_reload = 600
        # passwd = /etc/passwd
        # shadow = /etc/shadow
        # group = /etc/group
        radwtmp = ${logdir}/radwtmp
    }
    $INCLUDE ${confdir}/eap.conf
    mschap {
        #use_mppe = no
        #require_encryption = yes
        #require_strong = yes
        #with_ntdomain_hack = no
        #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }
    ldap {
        server = 172.16.13.10
        identity = "cn=ProxyUser,ou=District,o=dist-155"
        password = "xxxxxx"
        basedn = "o=dist-155"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        start_tls = yes
        tls_mode = yes
        port = 636
        tls_cacertfile = /usr/local/etc/raddb/certs/cacert.pem
        tls_cacertdir = /usr/local/etc/raddb/certs/
        # tls_certfile = /usr/local/etc/raddb/certs/radius.crt
        # tls_keyfile = /usr/local/etc/raddb/certs/radius.key
        # tls_randfile = /path/to/rnd
        tls_require_cert = "demand"
        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 10
        Set: password_attribute = nspmPassword
        # password_attribute = userPassword
        edir_account_policy_check=yes
        # groupname_attribute = cn
        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes
        # set_auth_type = yes
    }

EAP.CONF:

eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    # Supported EAP-types
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    ## EAP-TLS
    tls {
        private_key_password = ch$d!s$
        private_key_file = ${raddbdir}/certs/cert-key.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        # check_crl = yes
        # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
        # check_cert_cn = %{User-Name}
        # cipher_list = "DEFAULT"
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }
    peap {
        default_eap_type = mschapv2
        # copy_request_to_tunnel = no
        # use_tunneled_reply = no
        # proxy_tunneled_request_as_eap = yes
    }
    mschapv2 {
    }
}

USERS:

#Dist - Lachel
"0016cb-b64f93"    Auth-Type := Local, User-Password == "xxxxxx"

I am using FreeRADIUS 1.1.7 on an OS X 10.4.10 Server machine. My access points are currently Apple AirPorts, but we will be replacing those with Cisco 1131s. Any help at getting this going would be greatly appreciated.

Thanks,
Brad Lachel
Community High School District #155

All e-mail to and from this address is subject to the Acceptable Use Policies of Community High School District #155. All e-mail may be monitored and/or disclosed to third parties. Any views or opinions presented in an e-mail are solely those of the author and may not represent those of Community High School District #155. http://www.d155.org
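As an added example (not from the post above and not part of FreeRADIUS), here is a small lint that reads the `ldap { }` block of a FreeRADIUS 1.x radiusd.conf and reports TLS settings that either break the eDirectory bind or leave it unprotected. The one check worth knowing about in this context is the combination `start_tls = yes` with `port = 636`: StartTLS is an extended operation issued on a plain LDAP connection (port 389), while 636 is the LDAPS port where the socket is already TLS-wrapped, so the StartTLS request is refused; FreeRADIUS's own radiusd.conf comments make the same point. The other checks flag a bind with no TLS at all, `tls_require_cert` not set to `"demand"` (the server certificate would not be verified, so a spoofed LDAP server could collect the bind credentials and user passwords), and TLS without any CA material. The brace-block extractor, the finding texts and the two sample configs are constructed here; the samples mirror the posted block with the password replaced by a placeholder.

```python
"""Lint the rlm_ldap block of a FreeRADIUS 1.x radiusd.conf for TLS settings
that break or weaken the LDAP bind.  Added example: the brace-block extractor,
the rule texts and the sample configs are constructed here, not FreeRADIUS code."""
import re

LDAP_PORT = "389"    # plain LDAP; StartTLS upgrades this connection in-band
LDAPS_PORT = "636"   # LDAP over TLS from the first byte; StartTLS does not apply


def extract_block(conf_text, name):
    """Return the body of the first `name { ... }` block, honouring nested braces.
    Returns None when the block is absent or its closing brace is missing."""
    m = re.search(r"(?m)^\s*" + re.escape(name) + r"\s*\{", conf_text)
    if not m:
        return None
    depth, body_start = 0, m.end()
    for i in range(m.end() - 1, len(conf_text)):   # m.end() - 1 is the opening brace
        if conf_text[i] == "{":
            depth += 1
        elif conf_text[i] == "}":
            depth -= 1
            if depth == 0:
                return conf_text[body_start:i]
    return None


def parse_settings(block_body):
    """Turn `key = value` lines into a dict; comment lines and surrounding quotes are dropped."""
    settings = {}
    for raw in block_body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)      # split once: values may contain '='
        settings[key.strip()] = value.strip().strip('"')
    return settings


def is_yes(settings, key):
    return settings.get(key, "no").strip().lower() == "yes"


def lint_ldap(settings):
    """Return a list of findings; an empty list means no TLS problem was detected."""
    findings = []
    start_tls, tls_mode = is_yes(settings, "start_tls"), is_yes(settings, "tls_mode")
    port = settings.get("port", LDAP_PORT)
    if start_tls and port == LDAPS_PORT:
        findings.append(
            "start_tls=yes with port=636: StartTLS is an extended operation sent on a "
            "plain LDAP connection (port 389); on the LDAPS port the socket is already "
            "TLS-wrapped, so ldap_start_tls_s() is refused. Use port=389 with "
            "start_tls=yes, or port=636 with tls_mode=yes and start_tls=no.")
    if not (start_tls or tls_mode):
        findings.append("no TLS: the bind password and users' directory passwords "
                        "cross the network in clear text.")
        return findings
    if settings.get("tls_require_cert", "").lower() != "demand":
        findings.append('tls_require_cert is not "demand": the LDAP server certificate '
                        "is not verified, so an impersonating server could collect the "
                        "bind credentials.")
    if not (settings.get("tls_cacertfile") or settings.get("tls_cacertdir")):
        findings.append("TLS enabled but neither tls_cacertfile nor tls_cacertdir is "
                        "set: the server certificate cannot be chained to a trusted CA.")
    return findings


def lint_config(conf_text):
    body = extract_block(conf_text, "ldap")
    if body is None:
        return ["no ldap { } block found"]
    return lint_ldap(parse_settings(body))


# Constructed sample mirroring the posted ldap { } block (bind password replaced).
SAMPLE_AS_POSTED = """
modules {
    ldap {
        server = 172.16.13.10
        identity = "cn=ProxyUser,ou=District,o=dist-155"
        password = "PLACEHOLDER"
        basedn = "o=dist-155"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = yes
        tls_mode = yes
        port = 636
        tls_cacertfile = /usr/local/etc/raddb/certs/cacert.pem
        tls_cacertdir = /usr/local/etc/raddb/certs/
        tls_require_cert = "demand"
    }
}
"""

# Same block with StartTLS moved to the plain LDAP port and tls_mode dropped.
SAMPLE_CORRECTED = SAMPLE_AS_POSTED.replace("port = 636", "port = 389").replace(
    "        tls_mode = yes\n", "")

if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_AS_POSTED), ("corrected", SAMPLE_CORRECTED)):
        print(label + ":", lint_config(conf) or ["ok"])
```

Running it prints one finding for the block as posted (the StartTLS-on-636 combination) and none for the corrected block. The lint deliberately stops after the "no TLS" finding, since certificate checks are meaningless without TLS; `lint_ldap` takes a plain dict so it can also be fed settings gathered from a full radiusd.conf by other means.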