Unable to setup freeradius server to authenticate from Unix username/passwords

Alan DeKok aland at deployingradius.com
Wed Feb 29 16:27:31 CET 2012


Mohit Aron wrote:
> I'm using the freeradius 2.10 server that comes with Ubuntu 11.10. I'm unable
> to set it up so as to authenticate incoming requests from the Unix
> username/passwords stored in /etc/{passwd, shadow}.

  You should mostly just uncomment "unix" in raddb/sites-enabled/default

> Here is a description of my setup. I've setup wifi security on my wireless
> router to WPA-Enterprise and entered the IP address of the radius server in the
> router to that of a Linux machine running freeradius.
> 
> Here's a description of all the changes I made to /etc/freeradius directory to
> even reach the point to make it partially work:
> 1) chown -R freerad /etc/freeradius
>   The above is needed as Ubuntu seems to install every file there as root and
>   thus the freeradius server which runs as user freerad isn't able to read
>   the configuration files.

  I saw that.  What a ridiculous thing for them to do.

> 2) Modified /etc/freeradius/clients.conf to accept requests from my router's IP
> address. Also added the shared key testing123 there - which is the same that
> was put in the router while configuring it with a radius server.
> 
> 3) Changed the 'group =' setting inside /etc/freeradius/radiusd.conf to make it
> 'shadow' to enable it to lookup /etc/shadow.

  Yes.

> 4) Uncommented the keyword 'unix' in both
> /etc/freeradius/sites-enabled/{inner-tunnel,default}

  That should work.

  *With* the caveat that it will only work for TTLS, not PEAP.

> 5) Modified /etc/default/freeradius to pass option '-X' to the freeradius
> server.

  You don't want to do that.  Just run it in debugging mode from the
command-line.

> I've tried using both Windows 7 as well as an iPad as a client to connect using
> wifi. Each time, the freeradius server running on my Linux box denies the
> requests. I should mention that a 'radtest' succeeds - so I'm entering the
> username/passwd correctly.

  That doesn't test EAP, and isn't enough.

> I'm attaching the output of the freeradius
> server when iPad is used. In a separate email I'll also attach the
> output from Windows 7 (to avoid going over the 100KB message limit in
> this email).

  Which says:

> TLS Alert read:fatal:unknown CA
>     TLS_accept: failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

  Follow the EAP-TLS Howto.  You either didn't sign the certificates
correctly, or you didn't put the root CA on the client machine.

  Alan DeKok.
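Added example, not part of the thread above and not FreeRADIUS's own tooling: a small POSIX shell script that reproduces the server-side half of the "unknown CA" diagnosis. It builds a throwaway CA, signs a server certificate with it, and then runs openssl verify once against the right CA and once against an unrelated CA, which is exactly the situation a client ends up in when the root that signed the RADIUS server certificate was never installed on it. The only requirement is the openssl command-line tool; the file names (ca.pem, server.pem, other-ca.pem) and the CN values are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): reproduce the server-side
# part of "TLS Alert read:fatal:unknown CA" with a throwaway PKI.
# Assumptions: the openssl CLI is installed; the file names ca.pem, server.pem,
# other-ca.pem and the CN values below are made up for this demonstration.

# Build a tiny PKI under directory $1:
#   ca.pem       - the CA that signs the RADIUS server certificate
#   server.pem   - the certificate FreeRADIUS would present during EAP-TLS/TTLS/PEAP
#   other-ca.pem - an unrelated CA, standing in for "the client trusts some other root"
make_test_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$d/ca.key" -out "$d/ca.pem" \
        -subj "/CN=Example RADIUS CA" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$d/other-ca.key" -out "$d/other-ca.pem" \
        -subj "/CN=Unrelated CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$d/server.key" -out "$d/server.csr" \
        -subj "/CN=radius.example.test" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 365 -in "$d/server.csr" \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/server.pem" >/dev/null 2>&1
}

# Check whether the server certificate ($2) chains to the CA ($1).
# Prints "ok" when the chain verifies and "unknown-ca" when it does not,
# which is what a client that trusts only $1 concludes during the TLS handshake.
verify_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo unknown-ca
    fi
}

# Print the issuer DN of the server certificate ($2) next to the subject DN
# of the CA ($1), so a mismatch between the two is visible at a glance.
show_issuer_vs_ca() {
    printf 'server issuer: %s\n' "$(openssl x509 -noout -issuer -in "$2")"
    printf 'CA subject:    %s\n' "$(openssl x509 -noout -subject -in "$1")"
}

# Stand-alone demonstration: right CA verifies, unrelated CA does not.
work="$(mktemp -d)"
make_test_pki "$work"
echo "right CA : $(verify_chain "$work/ca.pem" "$work/server.pem")"
echo "wrong CA : $(verify_chain "$work/other-ca.pem" "$work/server.pem")"
show_issuer_vs_ca "$work/other-ca.pem" "$work/server.pem"
rm -rf "$work"
```

Run the same verify_chain check with the CA file you actually installed on the iPad or Windows client as the first argument and the server certificate FreeRADIUS is configured to present as the second; "unknown-ca" there means one of the two conditions in the reply above holds, and show_issuer_vs_ca tells you which certificate the server certificate was really signed by.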
