Allan, <div><br></div><div>I thank you for your advice and your time. </div><div><br></div><div>A person like you who is dealing with freeradius on a daily basis may have a tendency of thinking that using/installing/troubleshooting freeradius is very easy. But for a complete new beginner, like myself, things seem more complicated. I'll give an example from my own experience; 3 years ago when I started as a network admin in my company, it took me almost 10 days to figure out how to properly instal apache/mysql/php on a linux box. Now, it takes me under 15 minutes to install them all. I wrote a step-by-step instruction for the process at the time and distributed to everyone on the net. Based on the feedback I got from people, everyone seems to agree that it provided them a simple and easy to follow steps for the installation. I felt happy that I helped other people the way that I was helped at all the time through different forums on the internet.</div>
<div><br></div><div>When I started implementing the FreeRadius, I thought I would find some documentation to start with. But unfortunately, after spending days, i couldn't find such a document. The more I read, the more i surprised that I couldn't figure this out. I know that it shouldn't be much difficult but here I am still struggling to make this work.</div>
<div><br></div><div>I don't want to take your and other people's valuable time any more, so here is where I am now;</div><div><br></div><div>I installed the FreeRadous 2.0.2 with Yast tool with SuSE SLES. It installed it OK. And then i made changes to eap.conf and radiusd.conf files to start my test. I run radiusd -X and here is what I got;</div>
<div><br></div><div><br></div><div># radiusd -X</div><div>FreeRADIUS Version 2.0.2, for host i686-suse-linux-gnu, built on Feb 14 2008 at 15:34:49</div><div>Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.</div>
<div>There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A</div><div>PARTICULAR PURPOSE.</div><div>You may redistribute copies of FreeRADIUS under the terms of the</div><div>GNU General Public License.</div>
<div>Starting - reading configuration files ...</div><div>including configuration file /etc/raddb/radiusd.conf</div><div>including configuration file /etc/raddb/proxy.conf</div><div>including configuration file /etc/raddb/clients.conf</div>
<div>including configuration file /etc/raddb/snmp.conf</div><div>including configuration file /etc/raddb/eap.conf</div><div>including configuration file /etc/raddb/sql.conf</div><div>including configuration file /etc/raddb/sql/mysql/dialup.conf</div>
<div>including configuration file /etc/raddb/sql/mysql/counter.conf</div><div>including configuration file /etc/raddb/policy.conf</div><div>including files in directory /etc/raddb/sites-enabled/</div><div>including configuration file /etc/raddb/sites-enabled/default</div>
<div>including dictionary file /etc/raddb/dictionary</div><div>main {</div><div> prefix = "/usr"</div><div> localstatedir = "/var"</div><div> logdir = "/var/log/radius"</div>
<div> libdir = "/usr/lib/freeradius"</div><div> radacctdir = "/var/log/radius/radacct"</div><div> hostname_lookups = no</div><div> max_request_time = 30</div><div> cleanup_delay = 5</div>
<div> max_requests = 1024</div><div> allow_core_dumps = no</div><div> pidfile = "/var/run/radiusd/radiusd.pid"</div><div> user = "radiusd"</div><div> group = "radiusd"</div>
<div> checkrad = "/usr/sbin/checkrad"</div><div> debug_level = 0</div><div> proxy_requests = yes</div><div> security {</div><div> max_attributes = 200</div><div> reject_delay = 1</div>
<div> status_server = yes</div><div> }</div><div>}</div><div> client localhost {</div><div> ipaddr = <a href="http://127.0.0.1">127.0.0.1</a></div><div> require_message_authenticator = no</div><div> secret = "testing123"</div>
<div> nastype = "other"</div><div> }</div><div> client <a href="http://10.10.30.3">10.10.30.3</a> {</div><div> require_message_authenticator = no</div><div> secret = "testing123"</div>
<div> shortname = "<a href="http://10.10.30.3">10.10.30.3</a>"</div><div> nastype = "cisco"</div><div> }</div><div>radiusd: #### Loading Realms and Home Servers ####</div><div> proxy server {</div>
<div> retry_delay = 5</div><div> retry_count = 3</div><div> default_fallback = no</div><div> dead_time = 120</div><div> wake_all_if_all_dead = no</div><div> }</div><div> home_server localhost {</div>
<div> ipaddr = <a href="http://127.0.0.1">127.0.0.1</a></div><div> port = 1812</div><div> type = "auth"</div><div> secret = "testing123"</div><div> response_window = 20</div>
<div> max_outstanding = 65536</div><div> zombie_period = 40</div><div> status_check = "status-server"</div><div> ping_check = "none"</div><div> ping_interval = 30</div>
<div> check_interval = 30</div><div> num_answers_to_alive = 3</div><div> num_pings_to_alive = 3</div><div> revive_interval = 120</div><div> status_check_timeout = 4</div><div> }</div><div>
home_server_pool my_auth_failover {</div><div> type = fail-over</div><div> home_server = localhost</div><div> }</div><div> realm <a href="http://example.com">example.com</a> {</div><div> auth_pool = my_auth_failover</div>
<div> }</div><div> realm LOCAL {</div><div> }</div><div>radiusd: #### Instantiating modules ####</div><div> instantiate {</div><div> Module: Linked to module rlm_exec</div><div> Module: Instantiating exec</div><div> exec {</div>
<div> wait = yes</div><div> input_pairs = "request"</div><div> shell_escape = yes</div><div> }</div><div> Module: Linked to module rlm_expr</div><div> Module: Instantiating expr</div><div> Module: Linked to module rlm_expiration</div>
<div> Module: Instantiating expiration</div><div> expiration {</div><div> reply-message = "Password Has Expired "</div><div> }</div><div> Module: Linked to module rlm_logintime</div><div> Module: Instantiating logintime</div>
<div> logintime {</div><div> reply-message = "You are calling outside your allowed timespan "</div><div> minimum-timeout = 60</div><div> }</div><div> }</div><div>radiusd: #### Loading Virtual Servers ####</div>
<div>server {</div><div> modules {</div><div> Module: Checking authenticate {...} for more modules to load</div><div> Module: Linked to module rlm_pap</div><div> Module: Instantiating pap</div><div> pap {</div><div> encryption_scheme = "auto"</div>
<div> auto_header = no</div><div> }</div><div> Module: Linked to module rlm_chap</div><div> Module: Instantiating chap</div><div> Module: Linked to module rlm_mschap</div><div> Module: Instantiating mschap</div><div>
mschap {</div><div> use_mppe = yes</div><div> require_encryption = no</div><div> require_strong = no</div><div> with_ntdomain_hack = no</div><div> }</div><div> Module: Linked to module rlm_unix</div>
<div> Module: Instantiating unix</div><div> unix {</div><div> radwtmp = "/var/log/radius/radwtmp"</div><div> }</div><div> Module: Linked to module rlm_eap</div><div> Module: Instantiating eap</div><div>
eap {</div><div> default_eap_type = "peap"</div><div> timer_expire = 60</div><div> ignore_unknown_eap_types = no</div><div> cisco_accounting_username_bug = no</div><div> }</div><div>
Module: Linked to sub-module rlm_eap_md5</div><div> Module: Instantiating eap-md5</div><div> Module: Linked to sub-module rlm_eap_leap</div><div> Module: Instantiating eap-leap</div><div> Module: Linked to sub-module rlm_eap_gtc</div>
<div> Module: Instantiating eap-gtc</div><div> gtc {</div><div> challenge = "Password: "</div><div> auth_type = "PAP"</div><div> }</div><div> Module: Linked to sub-module rlm_eap_tls</div>
<div> Module: Instantiating eap-tls</div><div> tls {</div><div> rsa_key_exchange = no</div><div> dh_key_exchange = yes</div><div> rsa_key_length = 512</div><div> dh_key_length = 512</div><div>
verify_depth = 0</div><div> pem_file_type = yes</div><div> private_key_file = "/etc/raddb/certs/server.pem"</div><div> certificate_file = "/etc/raddb/certs/server.pem"</div>
<div> CA_file = "/etc/raddb/certs/ca.pem"</div><div> private_key_password = "whatever"</div><div> dh_file = "/etc/raddb/certs/dh"</div><div> random_file = "/etc/raddb/certs/random"</div>
<div> fragment_size = 1024</div><div> include_length = yes</div><div> check_crl = no</div><div> cipher_list = "DEFAULT"</div><div> make_cert_command = "/etc/raddb/certs/bootstrap"</div>
<div> }</div><div>rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied</div><div>rlm_eap_tls: Error reading certificate file /etc/raddb/certs/server.pem</div><div>rlm_eap: Failed to initialize type tls</div>
<div>/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"</div><div>/etc/raddb/sites-enabled/default[252]: Failed to find module "eap".</div><div>/etc/raddb/sites-enabled/default[199]: Errors parsing authenticate section.</div>
<div> }</div><div>}</div><div>Errors initializing modules</div><div>comp-010:/home/srn #</div><div><br></div><div><br></div><div>This is one. </div><div>And other thing is that the command bootstrap couldn't finish creating certificates. How may I solve this problem. And if finish creating certs successfully, which certificates should I install to the XP SP2 client and where? You suggested to read the file at <a href="http://freeradius.org/doc/EAPTLS.pdf">http://freeradius.org/doc/EAPTLS.pdf</a> but believe me it didn't help me. And it also gives information for TLS implementation. NOthing for PEAP.</div>
<div><br></div><div>I hope I am not asking silly questions that would make you feel like you are wasting your time.</div><div><br></div><div>Thank you.</div><div><br></div><div>George Knight</div><div><br></div><div> <br>
<br><div class="gmail_quote">On Tue, Apr 29, 2008 at 3:03 PM, Alan DeKok <<a href="mailto:aland@deployingradius.com">aland@deployingradius.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="Ih2E3d">George KNIGHT wrote:<br>
> Before I write my question here, I just want to let all of you know that<br>
> I did lots of searching in both google and this email list. But couldn't<br>
> find anything to get the answer.<br>
><br>
> My question is I have been looking for a HOWTO paper for a beginner to<br>
> set freeradius as an AAA server in a wireless environment to Windows XP<br>
> SP2 clients. I will use Windows' own PEAP client. Is there such a paper<br>
> someone can give me the link?<br>
<br>
</div>$ ./configure<br>
$ make<br>
$ make install<br>
$ radiusd -X<br>
<br>
- Un-check "verify server certificate" in Windows (ONLY for testing).<br>
<br>
- Add a user to the database (username/password, example in the FAQ)<br>
<br>
That's it.<br>
<div class="Ih2E3d"><br>
> I'm very frustrated to find out that there is no information available<br>
> for a setup from the scratch.<br>
<br>
</div> Part of the problem is that in 2.0, there is so little to do...<br>
<div class="Ih2E3d"><br>
> I wrote papers like that before for<br>
> various topics such as subversion implementation for a multiple OS<br>
> environment, VoIP implementation with a Linux based open sources S/W<br>
> etc. I have intention to write such a paper for how to set up PEAP<br>
> implementation with freeradius as well. But for that, I'm hoping someone<br>
> can give me a good start.<br>
<br>
</div> The EAP-TLS "howtos" contain additional documentation:<br>
<br>
<a href="http://freeradius.org/doc/" target="_blank">http://freeradius.org/doc/</a><br>
<div class="Ih2E3d"><br>
> Clients are going to be computers with WinCE as their OS and they will<br>
> contact to the LAN wirelessly. What I want to achieve is authenticating<br>
> this clients with server-AAA using PEAP before letting them use the<br>
> other network resources.<br>
<br>
</div> Install 2.0, start the server.<br>
<br>
See also raddb/certs/README. You can create "real" certificates, and<br>
import them into WinCE.<br>
<br>
There is very, very, little to change in order to get PEAP to work.<br>
<font color="#888888"><br>
Alan DeKok.<br>
</font><div><div></div><div class="Wj3C7c">-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br></div>