Unable to setup freeradius server to authenticate from Unix username/passwords

Fajar A. Nugraha list at fajar.net
Tue Feb 28 09:18:31 CET 2012


On Tue, Feb 28, 2012 at 2:34 PM, Mohit Aron <extproxy at gmail.com> wrote:
> Hello,
>
> I'm using the freeradius 2.10 server that comes with Ubuntu 11.10. I'm unable
> to set it up so as to authenticate incoming requests from the Unix
> username/passwords stored in /etc/{passwd, shadow}.
>
> Here is a description of my setup. I've set up wifi security on my wireless
> router to WPA-Enterprise and entered the IP address of the radius server in the
> router to that of a Linux machine running freeradius.
>
> Here's a description of all the changes I made to /etc/freeradius directory to
> even reach the point to make it partially work:
> 1) chown -R freerad /etc/freeradius
>   The above is needed as Ubuntu seems to install every file there as root and
>   thus the freeradius server which runs as user freerad isn't able to read
>   the configuration files.

You shouldn't need to do that. The files should have freerad group
ownership (at least they did the last time I looked on Natty), so the freerad
user will be able to read them. Did you test it and it didn't work, or
did you THINK it wouldn't work, so you did a chown manually?

If it's the first, file a bug on Launchpad, because it's a packaging bug.
If it's the latter, try with a fresh install.

> I've tried using both Windows 7 as well as an iPad as a client to connect using
> wifi.

IIRC Windows will use EAP-PEAP-MSCHAPv2, which requires
cleartext-password (or NT-Hash, or accounts stored in AD). Linux
passwords in /etc/shadow are hashed (the ones I have use SHA-512), so
they're not compatible.

You need a third-party supplicant that can send passwords in cleartext
(e.g. TTLS-PAP, EAP-PEAP-GTC).

-- 
Fajar
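
The compatibility point made in the reply above, as an added Python example that is not part of the original thread or of FreeRADIUS: it parses shadow-format lines and reports which of the inner methods named in the thread each stored password field can serve. The function names and the sample entries (placeholder salts and hashes) are constructed for illustration.

```python
from dataclasses import dataclass

# crypt(3) scheme identifiers found in the second field of /etc/shadow.
CRYPT_IDS = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt"}
# Whether each inner method named in the thread sends the password in cleartext.
SENDS_CLEARTEXT = {"TTLS-PAP": True, "PEAP-GTC": True, "PEAP-MSCHAPv2": False}

@dataclass
class ShadowEntry:
    user: str
    scheme: str   # "SHA-512-crypt", "locked", "empty", "unknown", ...
    usable: bool  # True if the field holds a hash a login can be checked against

def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, pw = fields[0], fields[1]
    if pw == "":
        return ShadowEntry(user, "empty", False)
    if pw[0] in "!*":                  # locked account or password login disabled
        return ShadowEntry(user, "locked", False)
    parts = pw.split("$")              # "$6$salt$hash" -> ["", "6", "salt", "hash"]
    if len(parts) >= 4 and parts[0] == "" and parts[1] in CRYPT_IDS:
        return ShadowEntry(user, CRYPT_IDS[parts[1]], True)
    return ShadowEntry(user, "unknown", False)

def can_authenticate(entry: ShadowEntry, method: str) -> bool:
    """A salted one-way hash can only be checked by re-hashing a cleartext
    password the client sent. MSCHAPv2 never sends one; the server needs the
    cleartext or the NT hash, and /etc/shadow holds neither."""
    return entry.usable and SENDS_CLEARTEXT[method]

def audit(lines):
    report = {}
    for line in lines:
        e = parse_shadow_line(line)
        report[e.user] = {m: can_authenticate(e, m) for m in SENDS_CLEARTEXT}
    return report

# Constructed sample entries: salts and hashes are placeholders, not real values.
SAMPLE = [
    "alice:$6$examplesalt$PLACEHOLDERHASH:15398:0:99999:7:::",
    "daemon:*:15398:0:99999:7:::",
    "bob:!$6$examplesalt$PLACEHOLDERHASH:15398:0:99999:7:::",
]

if __name__ == "__main__":
    for user, result in audit(SAMPLE).items():
        print(user, result)
```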



