HOWTO PEAP + FreeRadius + XP Client
Hello everyone, Before I write my question here, I just want to let all of you know that I did lots of searching in both google and this email list. But couldn't find anything to get the answer. My question is I have been looking for a HOWTO paper for a beginner to set freeradius as an AAA server in a wireless environment to Windows XP SP2 clients. I will use Windows' own PEAP client. Is there such a paper someone can give me the link? I'm very frustrated to find out that there is no information available for a setup from the scratch. I wrote papers like that before for various topics such as subversion implementation for a multiple OS environment, VoIP implementation with a Linux based open sources S/W etc. I have intention to write such a paper for how to set up PEAP implementation with freeradius as well. But for that, I'm hoping someone can give me a good start. OK, here is my network settings and needed information; I have a SUSE SLES 10 server to be used as an AAA server. This server is called store-AAA and also acts as a DHCP server for the clients. I have a few of Cisco 1242 AP as an authenticator. Clients are going to be computers with WinCE as their OS and they will contact to the LAN wirelessly. What I want to achieve is authenticating this clients with server-AAA using PEAP before letting them use the other network resources. Thank you in advance for your time and effort. George Knight
George KNIGHT schrieb:
Hello everyone, Before I write my question here, I just want to let all of you know that I did lots of searching in both google and this email list. But couldn't find anything to get the answer.
My question is I have been looking for a HOWTO paper for a beginner to set freeradius as an AAA server in a wireless environment to Windows XP SP2 clients. I will use Windows' own PEAP client. Is there such a paper someone can give me the link?
I'm very frustrated to find out that there is no information available for a setup from the scratch. I wrote papers like that before for various topics such as subversion implementation for a multiple OS environment, VoIP implementation with a Linux based open sources S/W etc. I have intention to write such a paper for how to set up PEAP implementation with freeradius as well. But for that, I'm hoping someone can give me a good start.
For everyone who can create good google expressions: http://www.wi-fiplanet.com/tutorials/article.php/3557251 http://www.linuxjournal.com/article/8095 http://www.rinta-aho.org/docs/wlan/wlan.html http://ubuntuforums.org/showthread.php?t=478804 http://tldp.org/HOWTO/8021X-HOWTO/freeradius.html http://www.greatnorthcomputing.com/2008/03/using-freeradius-with-both-eap-pe... and about 100.000 more. order of apperance at google, not related to relevance. Greetings, Michael.
George KNIGHT wrote:
Before I write my question here, I just want to let all of you know that I did lots of searching in both google and this email list. But couldn't find anything to get the answer.
My question is I have been looking for a HOWTO paper for a beginner to set freeradius as an AAA server in a wireless environment to Windows XP SP2 clients. I will use Windows' own PEAP client. Is there such a paper someone can give me the link?
$ ./configure $ make $ make install $ radiusd -X - Un-check "verify server certificate" in Windows (ONLY for testing). - Add a user to the database (username/password, example in the FAQ) That's it.
I'm very frustrated to find out that there is no information available for a setup from the scratch.
Part of the problem is that in 2.0, there is so little to do...
I wrote papers like that before for various topics such as subversion implementation for a multiple OS environment, VoIP implementation with a Linux based open sources S/W etc. I have intention to write such a paper for how to set up PEAP implementation with freeradius as well. But for that, I'm hoping someone can give me a good start.
The EAP-TLS "howtos" contain additional documentation: http://freeradius.org/doc/
Clients are going to be computers with WinCE as their OS and they will contact to the LAN wirelessly. What I want to achieve is authenticating this clients with server-AAA using PEAP before letting them use the other network resources.
Install 2.0, start the server. See also raddb/certs/README. You can create "real" certificates, and import them into WinCE. There is very, very, little to change in order to get PEAP to work. Alan DeKok.
Allan, I thank you for your advice and your time. A person like you who is dealing with freeradius on a daily basis may have a tendency of thinking that using/installing/troubleshooting freeradius is very easy. But for a complete new beginner, like myself, things seem more complicated. I'll give an example from my own experience; 3 years ago when I started as a network admin in my company, it took me almost 10 days to figure out how to properly instal apache/mysql/php on a linux box. Now, it takes me under 15 minutes to install them all. I wrote a step-by-step instruction for the process at the time and distributed to everyone on the net. Based on the feedback I got from people, everyone seems to agree that it provided them a simple and easy to follow steps for the installation. I felt happy that I helped other people the way that I was helped at all the time through different forums on the internet. When I started implementing the FreeRadius, I thought I would find some documentation to start with. But unfortunately, after spending days, i couldn't find such a document. The more I read, the more i surprised that I couldn't figure this out. I know that it shouldn't be much difficult but here I am still struggling to make this work. I don't want to take your and other people's valuable time any more, so here is where I am now; I installed the FreeRadous 2.0.2 with Yast tool with SuSE SLES. It installed it OK. And then i made changes to eap.conf and radiusd.conf files to start my test. I run radiusd -X and here is what I got; # radiusd -X FreeRADIUS Version 2.0.2, for host i686-suse-linux-gnu, built on Feb 14 2008 at 15:34:49 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including configuration file /etc/raddb/snmp.conf including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/sql/mysql/dialup.conf including configuration file /etc/raddb/sql/mysql/counter.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" user = "radiusd" group = "radiusd" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.10.30.3 { require_message_authenticator = no secret = "testing123" shortname = "10.10.30.3" nastype = "cisco" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" } rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied rlm_eap_tls: Error reading certificate file /etc/raddb/certs/server.pem rlm_eap: Failed to initialize type tls /etc/raddb/eap.conf[17]: Instantiation failed for module "eap" /etc/raddb/sites-enabled/default[252]: Failed to find module "eap". /etc/raddb/sites-enabled/default[199]: Errors parsing authenticate section. } } Errors initializing modules comp-010:/home/srn # This is one. And other thing is that the command bootstrap couldn't finish creating certificates. How may I solve this problem. And if finish creating certs successfully, which certificates should I install to the XP SP2 client and where? You suggested to read the file at http://freeradius.org/doc/EAPTLS.pdf but believe me it didn't help me. And it also gives information for TLS implementation. NOthing for PEAP. I hope I am not asking silly questions that would make you feel like you are wasting your time. Thank you. George Knight On Tue, Apr 29, 2008 at 3:03 PM, Alan DeKok <aland@deployingradius.com> wrote:
George KNIGHT wrote:
Before I write my question here, I just want to let all of you know that I did lots of searching in both google and this email list. But couldn't find anything to get the answer.
My question is I have been looking for a HOWTO paper for a beginner to set freeradius as an AAA server in a wireless environment to Windows XP SP2 clients. I will use Windows' own PEAP client. Is there such a paper someone can give me the link?
$ ./configure $ make $ make install $ radiusd -X
- Un-check "verify server certificate" in Windows (ONLY for testing).
- Add a user to the database (username/password, example in the FAQ)
That's it.
I'm very frustrated to find out that there is no information available for a setup from the scratch.
Part of the problem is that in 2.0, there is so little to do...
I wrote papers like that before for various topics such as subversion implementation for a multiple OS environment, VoIP implementation with a Linux based open sources S/W etc. I have intention to write such a paper for how to set up PEAP implementation with freeradius as well. But for that, I'm hoping someone can give me a good start.
The EAP-TLS "howtos" contain additional documentation:
Clients are going to be computers with WinCE as their OS and they will contact to the LAN wirelessly. What I want to achieve is authenticating this clients with server-AAA using PEAP before letting them use the other network resources.
Install 2.0, start the server.
See also raddb/certs/README. You can create "real" certificates, and import them into WinCE.
There is very, very, little to change in order to get PEAP to work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
George KNIGHT wrote:
A person like you who is dealing with freeradius on a daily basis may have a tendency of thinking that using/installing/troubleshooting freeradius is very easy.
The goal is to *make* it that easy. A large number of problems on the list are because people think it's complicated, and start changing large amounts of the default config.
Based on the feedback I got from people, everyone seems to agree that it provided them a simple and easy to follow steps for the installation. I felt happy that I helped other people the way that I was helped at all the time through different forums on the internet.
Based on the feedback I've seen, I've edited/updated the software itself to be easier to use. I don't like reading "howto's", because many are out of date, and many others are simply wrong. I would *prefer* that people shipped software that worked, and was easy to use.
When I started implementing the FreeRadius, I thought I would find some documentation to start with. But unfortunately, after spending days, i couldn't find such a document. The more I read, the more i surprised that I couldn't figure this out. I know that it shouldn't be much difficult but here I am still struggling to make this work.
The 5-6 line instructions I gave are all that's needed.
I installed the FreeRadous 2.0.2 with Yast tool with SuSE SLES. It installed it OK. And then i made changes to eap.conf and radiusd.conf files to start my test. I run radiusd -X and here is what I got;
Why change eap.conf && radiusd.conf?
# radiusd -X ... rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
That should be a pretty simple problem to fix. It's file permissions... Are you starting the server as root?
And other thing is that the command bootstrap couldn't finish creating certificates.
Why not? What's the error message? Is it secret? Did you run the "bootstrap" script as root?
How may I solve this problem. And if finish creating certs successfully, which certificates should I install to the XP SP2 client and where?
To be honest, you *shouldn't* install the default certificates. They're only for testing. For testing, un-check the "validate server certificate" in XP. For real certificates, edit the conf files as described in the raddb/certs/ documentation, and re-build the certs. Then, install the CA cert, as described in the EAP-TLS howto... with pictures.
You suggested to read the file at http://freeradius.org/doc/EAPTLS.pdf but believe me it didn't help me. And it also gives information for TLS implementation. NOthing for PEAP.
PEAP *is* EAP-TLS. It's a variation of EAP-TLS, and all of the certificate requirements for EAP-TLS apply to PEAP, too. If you have any ideas for what documentation needs to be updated, please submit suggested text. We can include it in the next release. But my experience (unfortunately) is that the people who have the most problems are reading third-party "howtos" that are *wrong*, and are ignoring the server documentation that is *right*. That's a problem I can't fix. Alan DeKok.
Hi Allan, Sorry that It was a mistake to say that I made changes at the config files. In fact I didn't not change anything on radiusd.conf and the only change I made at eap.conf is this line; default_eap_type = peap As it was md5 before. Yes, I run all the commands as a root. Is this wrong? When I run the bootstrap script, again, as a root, here is what I get; comp-010:/etc/raddb/certs # ./bootsrap bash: ./bootsrap: No such file or directory comp-010:/etc/raddb/certs # ./bootstrap make: Nothing to be done for `ca'. make: Nothing to be done for `server'. make: `dh' is up to date. make: `random' is up to date. comp-010:/etc/raddb/certs # I will use the default certs for just testing purposes. Once I make this work with defaults ones, I will sure go ahead and create new certificates. But at this moment, all I want to see a working version of PEAP authentication in my test environment. Thank you George Knight On Thu, May 1, 2008 at 2:00 AM, Alan DeKok <aland@deployingradius.com> wrote:
George KNIGHT wrote:
A person like you who is dealing with freeradius on a daily basis may have a tendency of thinking that using/installing/troubleshooting freeradius is very easy.
The goal is to *make* it that easy. A large number of problems on the list are because people think it's complicated, and start changing large amounts of the default config.
Based on the feedback I got from people, everyone seems to agree that it provided them a simple and easy to follow steps for the installation. I felt happy that I helped other people the way that I was helped at all the time through different forums on the internet.
Based on the feedback I've seen, I've edited/updated the software itself to be easier to use. I don't like reading "howto's", because many are out of date, and many others are simply wrong. I would *prefer* that people shipped software that worked, and was easy to use.
When I started implementing the FreeRadius, I thought I would find some documentation to start with. But unfortunately, after spending days, i couldn't find such a document. The more I read, the more i surprised that I couldn't figure this out. I know that it shouldn't be much difficult but here I am still struggling to make this work.
The 5-6 line instructions I gave are all that's needed.
I installed the FreeRadous 2.0.2 with Yast tool with SuSE SLES. It installed it OK. And then i made changes to eap.conf and radiusd.conf files to start my test. I run radiusd -X and here is what I got;
Why change eap.conf && radiusd.conf?
# radiusd -X ... rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
That should be a pretty simple problem to fix. It's file permissions...
Are you starting the server as root?
And other thing is that the command bootstrap couldn't finish creating certificates.
Why not? What's the error message? Is it secret?
Did you run the "bootstrap" script as root?
How may I solve this problem. And if finish creating certs successfully, which certificates should I install to the XP SP2 client and where?
To be honest, you *shouldn't* install the default certificates. They're only for testing.
For testing, un-check the "validate server certificate" in XP.
For real certificates, edit the conf files as described in the raddb/certs/ documentation, and re-build the certs. Then, install the CA cert, as described in the EAP-TLS howto... with pictures.
You suggested to read the file at http://freeradius.org/doc/EAPTLS.pdf but believe me it didn't help me. And it also gives information for TLS implementation. NOthing for PEAP.
PEAP *is* EAP-TLS. It's a variation of EAP-TLS, and all of the certificate requirements for EAP-TLS apply to PEAP, too.
If you have any ideas for what documentation needs to be updated, please submit suggested text. We can include it in the next release.
But my experience (unfortunately) is that the people who have the most problems are reading third-party "howtos" that are *wrong*, and are ignoring the server documentation that is *right*. That's a problem I can't fix.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
George KNIGHT wrote:
Yes, I run all the commands as a root. Is this wrong?
No.
When I run the bootstrap script, again, as a root, here is what I get;
<sigh> You said it had errors. You need to show what those errors are. Showing that it runs *without* errors doesn't help.
I will use the default certs for just testing purposes. Once I make this work with defaults ones, I will sure go ahead and create new certificates. But at this moment, all I want to see a working version of PEAP authentication in my test environment.
Follow the instructions. It WILL work. - uncheck "validate server certificate" in Windows. - add username/password to FreeRADIUS as per the FAQ - start the server - verify that PEAP works. That's what I do. It's not complicated. It doesn't require "special" knowledge or experience. It really *is* that easy. Alan DeKok.
Alan, I feel extremely stupid even though I know I am not. Running radiusd -X command as a root gives me the following error message as I posted here yesterday; PS: I'm just posting last part of the output here. The full output can be seen at my previous email that I sent yesterday. ------------------------------------------------------------------------------------------------------------------------------- Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" } rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied rlm_eap_tls: Error reading certificate file /etc/raddb/certs/server.pem rlm_eap: Failed to initialize type tls /etc/raddb/eap.conf[17]: Instantiation failed for module "eap" /etc/raddb/sites-enabled/default[252]: Failed to find module "eap". /etc/raddb/sites-enabled/default[199]: Errors parsing authenticate section. } } Errors initializing modules comp-010:/home/srn # --------------------------------------------------------------------------------------------------------------------- It says a 'permission denied' and you asked me earlier if I was running the command as a root, which the answer is yes. So, how can I overcome this problem? Thank you George On Thu, May 1, 2008 at 11:50 AM, Alan DeKok <aland@deployingradius.com> wrote:
George KNIGHT wrote:
Yes, I run all the commands as a root. Is this wrong?
No.
When I run the bootstrap script, again, as a root, here is what I get;
<sigh> You said it had errors. You need to show what those errors are. Showing that it runs *without* errors doesn't help.
I will use the default certs for just testing purposes. Once I make this work with defaults ones, I will sure go ahead and create new certificates. But at this moment, all I want to see a working version of PEAP authentication in my test environment.
Follow the instructions. It WILL work.
- uncheck "validate server certificate" in Windows. - add username/password to FreeRADIUS as per the FAQ - start the server - verify that PEAP works.
That's what I do. It's not complicated. It doesn't require "special" knowledge or experience. It really *is* that easy.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
George KNIGHT wrote:
Running radiusd -X command as a root gives me the following error message as I posted here yesterday;
And the permissions on that directory are... ?
It says a 'permission denied' and you asked me earlier if I was running the command as a root, which the answer is yes. So, how can I overcome this problem?
Can you look at the directory as root, from the shell? In this case, the server is just calling OpenSSL... which calls the normal file API. If that returns "no permission", OpenSSL is at the mercy of the file system, and FreeRADIUS is at the mercy of OpenSSL. If worse comes to worse, for testing do: $ cd /etc/raddb $ chmod -R ug+rwx . Alan DeKok.
Permissions are as follow; comp-010:/etc/raddb # dir total 289 -rw-r----- 1 root radiusd 718 2008-02-14 10:35 acct_users -rw-r----- 1 root radiusd 4187 2008-02-14 10:35 attrs -rw-r----- 1 root radiusd 516 2008-02-14 10:35 attrs.access_reject -rw-r----- 1 root radiusd 501 2008-02-14 10:35 attrs.accounting_response -rw-r----- 1 root radiusd 1969 2008-02-14 10:35 attrs.pre-proxy drwxr-x--- 2 root radiusd 680 2008-04-30 17:48 certs -rw-r----- 1 root radiusd 6727 2008-04-30 12:06 clients.conf -rw-r----- 1 root radiusd 929 2008-02-14 10:35 dictionary -rw-r----- 1 root radiusd 13648 2008-04-30 17:53 eap.conf -rw-r----- 1 root root 13647 2008-04-25 14:01 eap.conf.orig -rw-r----- 1 root radiusd 4609 2008-02-14 10:35 example.pl -rw-r----- 1 root radiusd 14536 2008-02-14 10:35 experimental.conf -rw-r----- 1 root radiusd 2396 2008-02-14 10:35 hints -rw-r----- 1 root radiusd 1604 2008-02-14 10:35 huntgroups -rw-r----- 1 root radiusd 2985 2008-02-14 10:35 ldap.attrmap -rw-r----- 1 root radiusd 3357 2008-02-14 10:35 otp.conf -rw-r----- 1 root radiusd 1204 2008-02-14 10:35 policy.conf -rw-r----- 1 root radiusd 4922 2008-02-14 10:35 policy.txt -rw-r----- 1 root radiusd 1035 2008-02-14 10:35 preproxy_users -rw-r----- 1 root radiusd 17889 2008-02-14 10:35 proxy.conf -rw-r----- 1 root radiusd 60371 2008-04-30 12:18 radiusd.conf -rw-r----- 1 root root 60371 2008-04-25 13:14 radiusd.conf.orig drwxr-xr-x 2 root root 120 2008-04-25 10:17 sites-available drwxr-xr-x 2 root root 72 2008-04-25 10:17 sites-enabled -rw-r----- 1 root radiusd 1276 2008-02-14 10:35 snmp.conf drw-r----- 6 root radiusd 152 2008-02-14 10:35 sql -rw-r----- 1 root radiusd 2533 2008-02-14 10:35 sql.conf -rw-r----- 1 root radiusd 1988 2008-02-14 10:35 sqlippool.conf -rw-r----- 1 root radiusd 3503 2008-02-14 10:35 templates.conf -rw-r----- 1 root radiusd 6603 2008-04-30 15:50 users comp-010:/etc/raddb # dir ./certs total 104 -rw-r----- 1 root root 4210 2008-04-25 10:17 01.pem -rwxr-x--- 1 root radiusd 524 2008-02-14 10:35 bootstrap -rw-r----- 1 root radiusd 1155 2008-02-14 10:35 ca.cnf -rw-r----- 1 root root 1743 2008-04-25 10:17 ca.key -rw-r----- 1 root root 1322 2008-04-25 10:17 ca.pem -rw-r----- 1 root radiusd 1109 2008-02-14 10:35 client.cnf -rw-r----- 1 root root 245 2008-04-25 10:18 dh -rw-r----- 1 root root 120 2008-04-25 10:17 index.txt -rw-r----- 1 root root 21 2008-04-25 10:17 index.txt.attr -rw-r----- 1 root root 0 2008-04-25 10:17 index.txt.old -rw-r----- 1 root radiusd 4430 2008-02-14 10:35 Makefile -rw-r----- 1 root root 5120 2008-04-25 10:18 random -rw-r----- 1 root radiusd 5343 2008-02-14 10:35 README -rw-r----- 1 root root 3 2008-04-25 10:17 serial -rw-r----- 1 root root 3 2008-04-25 10:17 serial.old -rw-r----- 1 root radiusd 1123 2008-02-14 10:35 server.cnf -rw-r----- 1 root root 4210 2008-04-25 10:17 server.crt -rw-r----- 1 root root 1062 2008-04-25 10:17 server.csr -rw-r----- 1 root root 1743 2008-04-25 10:17 server.key -rw-r----- 1 root root 2525 2008-04-25 10:17 server.p12 -rw-r----- 1 root root 3495 2008-04-25 10:17 server.pem -rw-r----- 1 root radiusd 578 2008-02-14 10:35 xpextensions comp-010:/etc/raddb # Thank you. George On Thu, May 1, 2008 at 12:47 PM, Alan DeKok <aland@deployingradius.com> wrote:
George KNIGHT wrote:
Running radiusd -X command as a root gives me the following error message as I posted here yesterday;
And the permissions on that directory are... ?
It says a 'permission denied' and you asked me earlier if I was running the command as a root, which the answer is yes. So, how can I overcome this problem?
Can you look at the directory as root, from the shell?
In this case, the server is just calling OpenSSL... which calls the normal file API. If that returns "no permission", OpenSSL is at the mercy of the file system, and FreeRADIUS is at the mercy of OpenSSL.
If worse comes to worse, for testing do:
$ cd /etc/raddb $ chmod -R ug+rwx .
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
George KNIGHT wrote:
Permissions are as follow; .. comp-010:/etc/raddb # dir
Uh... which OS are you using? In any case, this is an OS issue. FreeRADIUS & OpenSSL use the normal OS API's to access files. If the server gets a "permission denied" error, it's because the OS is denying permission. So... the OS needs to be fixed. I have no idea how to do that. Maybe you're running some "security" feature that blocks access to files. e.g. AppArmor, SELinux, etc. Go see your OS documentation for details. i.e. Sorry, this isn't a FreeRADIUS problem. Alan DeKok.
Alan, The permission problem has been solved as I mentioned at my earlier email. Now, as a last step, I'm installing the certificates. I created the certificates by following the README file under /etc/raddb/certs/ folder. Now I have the following certificates; ca.der ca.key ca.pem client.crt client.csr client.key client.p12 client.pem server.crt server.csr server.key server.p12 server.pem I used ca.der and client.p12 to be installed to Windows XP SP2 client. I followed the instructions at the http://freeradius.org/doc/EAPTLS.pdf. But at the end of the installation, where the client certificate installation is tested at page 16, I have a different Windows message; it says " Windows does not have enough information to verify this certificate". I followed all the instructions there without any problem. Am I missing anything? Are those the right certificates that copied to the Windows machine? Why are there so many certificates created and we are just using 2? Thank you George Knight On Thu, May 1, 2008 at 1:29 PM, Alan DeKok <aland@deployingradius.com> wrote:
George KNIGHT wrote:
Permissions are as follow; .. comp-010:/etc/raddb # dir
Uh... which OS are you using?
In any case, this is an OS issue. FreeRADIUS & OpenSSL use the normal OS API's to access files. If the server gets a "permission denied" error, it's because the OS is denying permission.
So... the OS needs to be fixed. I have no idea how to do that.
Maybe you're running some "security" feature that blocks access to files. e.g. AppArmor, SELinux, etc. Go see your OS documentation for details.
i.e. Sorry, this isn't a FreeRADIUS problem.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
George KNIGHT wrote:
I used ca.der and client.p12 to be installed to Windows XP SP2 client. I followed the instructions at the http://freeradius.org/doc/EAPTLS.pdf. But at the end of the installation, where the client certificate installation is tested at page 16, I have a different Windows message; it says " Windows does not have enough information to verify this certificate". I followed all the instructions there without any problem. Am I missing anything?
No idea... it's a Windows thing. I suggest googling for it...
Are those the right certificates that copied to the Windows machine? Why are there so many certificates created and we are just using 2?
There are multiple steps to creating certificates, and multiple forms of those certificates. All the intermediary files are left in the directory for future reference. Alan DeKok.
OK, I have changed the ownership of the following files from root:root to root:radiusd server.pem ca.pem random dh and now radiusd -X is working. The problem arisen because the root:root permissions on the abovementioned files. Will get back to you for either further questions and or a success message. Thank you Alan George Knight On Thu, May 1, 2008 at 1:06 PM, George KNIGHT <georgeknight@gmail.com> wrote:
Permissions are as follow;
comp-010:/etc/raddb # dir total 289 -rw-r----- 1 root radiusd 718 2008-02-14 10:35 acct_users -rw-r----- 1 root radiusd 4187 2008-02-14 10:35 attrs -rw-r----- 1 root radiusd 516 2008-02-14 10:35 attrs.access_reject -rw-r----- 1 root radiusd 501 2008-02-14 10:35 attrs.accounting_response -rw-r----- 1 root radiusd 1969 2008-02-14 10:35 attrs.pre-proxy drwxr-x--- 2 root radiusd 680 2008-04-30 17:48 certs -rw-r----- 1 root radiusd 6727 2008-04-30 12:06 clients.conf -rw-r----- 1 root radiusd 929 2008-02-14 10:35 dictionary -rw-r----- 1 root radiusd 13648 2008-04-30 17:53 eap.conf -rw-r----- 1 root root 13647 2008-04-25 14:01 eap.conf.orig -rw-r----- 1 root radiusd 4609 2008-02-14 10:35 example.pl -rw-r----- 1 root radiusd 14536 2008-02-14 10:35 experimental.conf -rw-r----- 1 root radiusd 2396 2008-02-14 10:35 hints -rw-r----- 1 root radiusd 1604 2008-02-14 10:35 huntgroups -rw-r----- 1 root radiusd 2985 2008-02-14 10:35 ldap.attrmap -rw-r----- 1 root radiusd 3357 2008-02-14 10:35 otp.conf -rw-r----- 1 root radiusd 1204 2008-02-14 10:35 policy.conf -rw-r----- 1 root radiusd 4922 2008-02-14 10:35 policy.txt -rw-r----- 1 root radiusd 1035 2008-02-14 10:35 preproxy_users -rw-r----- 1 root radiusd 17889 2008-02-14 10:35 proxy.conf -rw-r----- 1 root radiusd 60371 2008-04-30 12:18 radiusd.conf -rw-r----- 1 root root 60371 2008-04-25 13:14 radiusd.conf.orig drwxr-xr-x 2 root root 120 2008-04-25 10:17 sites-available drwxr-xr-x 2 root root 72 2008-04-25 10:17 sites-enabled -rw-r----- 1 root radiusd 1276 2008-02-14 10:35 snmp.conf drw-r----- 6 root radiusd 152 2008-02-14 10:35 sql -rw-r----- 1 root radiusd 2533 2008-02-14 10:35 sql.conf -rw-r----- 1 root radiusd 1988 2008-02-14 10:35 sqlippool.conf -rw-r----- 1 root radiusd 3503 2008-02-14 10:35 templates.conf -rw-r----- 1 root radiusd 6603 2008-04-30 15:50 users comp-010:/etc/raddb # dir ./certs total 104 -rw-r----- 1 root root 4210 2008-04-25 10:17 01.pem -rwxr-x--- 1 root radiusd 524 2008-02-14 10:35 bootstrap -rw-r----- 1 root radiusd 1155 2008-02-14 10:35 ca.cnf -rw-r----- 1 root root 1743 2008-04-25 10:17 ca.key -rw-r----- 1 root root 1322 2008-04-25 10:17 ca.pem -rw-r----- 1 root radiusd 1109 2008-02-14 10:35 client.cnf -rw-r----- 1 root root 245 2008-04-25 10:18 dh -rw-r----- 1 root root 120 2008-04-25 10:17 index.txt -rw-r----- 1 root root 21 2008-04-25 10:17 index.txt.attr -rw-r----- 1 root root 0 2008-04-25 10:17 index.txt.old -rw-r----- 1 root radiusd 4430 2008-02-14 10:35 Makefile -rw-r----- 1 root root 5120 2008-04-25 10:18 random -rw-r----- 1 root radiusd 5343 2008-02-14 10:35 README -rw-r----- 1 root root 3 2008-04-25 10:17 serial -rw-r----- 1 root root 3 2008-04-25 10:17 serial.old -rw-r----- 1 root radiusd 1123 2008-02-14 10:35 server.cnf -rw-r----- 1 root root 4210 2008-04-25 10:17 server.crt -rw-r----- 1 root root 1062 2008-04-25 10:17 server.csr -rw-r----- 1 root root 1743 2008-04-25 10:17 server.key -rw-r----- 1 root root 2525 2008-04-25 10:17 server.p12 -rw-r----- 1 root root 3495 2008-04-25 10:17 server.pem -rw-r----- 1 root radiusd 578 2008-02-14 10:35 xpextensions comp-010:/etc/raddb #
Thank you. George
On Thu, May 1, 2008 at 12:47 PM, Alan DeKok <aland@deployingradius.com> wrote:
George KNIGHT wrote:
Running radiusd -X command as a root gives me the following error message as I posted here yesterday;
And the permissions on that directory are... ?
It says a 'permission denied' and you asked me earlier if I was running the command as a root, which the answer is yes. So, how can I overcome this problem?
Can you look at the directory as root, from the shell?
In this case, the server is just calling OpenSSL... which calls the normal file API. If that returns "no permission", OpenSSL is at the mercy of the file system, and FreeRADIUS is at the mercy of OpenSSL.
If worse comes to worse, for testing do:
$ cd /etc/raddb $ chmod -R ug+rwx .
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mandi! George KNIGHT In chel di` si favelave...
My question is I have been looking for a HOWTO paper for a beginner to set freeradius as an AAA server in a wireless environment to Windows XP SP2 clients. I will use Windows' own PEAP client. Is there such a paper someone can give me the link?
A very good starting point is: http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO if you have a samba domain, simply ignore all the 'AD' stuff, the real point here are make ntlm_auth work, normally it suffices to install winbindd. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.sv.lnf.it/ Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)sv.lnf.it tel +39-0434-842711 fax +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/chi_siamo/5xmille.php (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
Hello Marco, I really appreciate your help. The link you gave is way more helpful then most other stuff on the net. One thing that still not clear to me is which certificates I have to place to the Windows? There are so much information about certificates but no one clearly says which certificate goes where at the server and the XP client. After I installed the FreeRadius 2.0.2 on my SuSE SLES box, under the /etc/raddb/certs folder, there are following certificates; server.crt - server.key - server.pem - server.cnf - server.csr - server.p12. Can I test my environment by using these certificates? I just don't know how to use the certificates. Last week I was messing around the openssl to create certificates but ended up mixing everything. That's why I reinstalled the whole OS, reinstalled the freeradius cleanly again. Before I go ahead and mess around again, I just want to have the instructions. One more thing, I won't be using any LDAP or AD in a Windows environment. I just want my clients to be authenticated against freeradius AAA based on PEAP. Thank you. On Wed, Apr 30, 2008 at 3:39 AM, Marco Gaiarin <gaio@sv.lnf.it> wrote:
Mandi! George KNIGHT In chel di` si favelave...
My question is I have been looking for a HOWTO paper for a beginner to set freeradius as an AAA server in a wireless environment to Windows XP SP2 clients. I will use Windows' own PEAP client. Is there such a paper someone can give me the link?
A very good starting point is:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
if you have a samba domain, simply ignore all the 'AD' stuff, the real point here are make ntlm_auth work, normally it suffices to install winbindd.
-- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.sv.lnf.it/ Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)sv.lnf.it tel +39-0434-842711 fax +39-0434-842797
Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/chi_siamo/5xmille.php (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
For peap you need to import the CA certificate into trusted root store on Win XP. Ivan Kalik Kalik Informatika ISP Dana 30/4/2008, "George KNIGHT" <georgeknight@gmail.com> piše:
Hello Marco, I really appreciate your help. The link you gave is way more helpful then most other stuff on the net.
One thing that still not clear to me is which certificates I have to place to the Windows? There are so much information about certificates but no one clearly says which certificate goes where at the server and the XP client.
After I installed the FreeRadius 2.0.2 on my SuSE SLES box, under the /etc/raddb/certs folder, there are following certificates;
server.crt - server.key - server.pem - server.cnf - server.csr - server.p12..
Can I test my environment by using these certificates? I just don't know how to use the certificates. Last week I was messing around the openssl to create certificates but ended up mixing everything. That's why I reinstalled the whole OS, reinstalled the freeradius cleanly again. Before I go ahead and mess around again, I just want to have the instructions.
One more thing, I won't be using any LDAP or AD in a Windows environment. I just want my clients to be authenticated against freeradius AAA based on PEAP.
Thank you.
On Wed, Apr 30, 2008 at 3:39 AM, Marco Gaiarin <gaio@sv.lnf.it> wrote:
Mandi! George KNIGHT In chel di` si favelave...
My question is I have been looking for a HOWTO paper for a beginner to set freeradius as an AAA server in a wireless environment to Windows XP SP2 clients. I will use Windows' own PEAP client. Is there such a paper someone can give me the link?
A very good starting point is:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
if you have a samba domain, simply ignore all the 'AD' stuff, the real point here are make ntlm_auth work, normally it suffices to install winbindd.
-- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.sv.lnf.it/ Polo FVG - Via della Bontŕ, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)sv.lnf.it tel +39-0434-842711 fax +39-0434-842797
Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/chi_siamo/5xmille.php (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Alan DeKok -
George KNIGHT -
Ivan Kalik -
Marco Gaiarin -
Michael Schwartzkopff