eDirectory and FreeRadius HowTo version 0 (a discussion in the FreeRADIUS Users forums, part of the Networking and Network Related category)
This is version 0 because, well... my technical writing skills are a bit lacking. Those of you trying to implement this, please feel free to give me a shout via email.

This is a procedure that works with the following:

1. Red Hat Enterprise Server 3 (but this SHOULD work with any Linux distro)
2. A replica is ON the Linux box (this still SHOULD work with replicas on Novell boxes)
3. Nterprise Services for Linux, not Open Enterprise Server, is installed on the server. Open Enterprise Server is really a SUSE distro product. This procedure MIGHT work with OES.

I've tried to include many of the gotchas that I encountered.

I would LOVE to have someone work with me on getting this turned into a real HowTo because frankly using an eDirectory back end with FreeRadius is an incredibly scalable way to take care of authentication for really huge networks. Here it is, version 0.01.

Oh, and those of you not familiar with Linux should consider using CygWin to get an X Windows session on your PC while doing this. It really saved me some trouble because I didn't have to move the test box from the lab to my office. Email me if you want that procedure.

Version 0.01 of this document...

Listen, this really isn't as much of a document as it is a place to start. I realize it's not in the best of shape and that it's not the easiest thing to read compared to some other mature HowTos out there. Anyone who wants to give this a shot, please try this procedure out and let me know how it goes.

Dennis Comeaux
dennis.comeaux@gmail.com
That email address is valid until the spambots collect it.

This procedure has worked.

EDIRECTORY WITH FREERADIUS

Software you'll need:

1. ConsoleOne 1.36d.
2. freeradius 1.0.2.
3. Sun Java 1.5.0.01.
4. Novell's scrub utility for Linux (removes NetWare, handy for when disasters happen).
5. The iManager snap-in for iManager (available from forge.novell.com - it's the only tar file for the FreeRadius project and it's a *.npm file inside of the tar).

Documents that are helpful:

1. Novell's freeradius integration guide (radadmin.pdf)
2. Anything that will give you a good background on what 802.11x authentication is all about. I suggest googling for some information before continuing. One little typo and this document will not help.

Files that you will spend time editing:

1. /etc/raddb/radiusd.conf (the main radius configuration)
2. /etc/raddb/users (a list of users who can use radius)
3. /etc/raddb/clients.conf (a list of radius clients by IP)
4. /etc/init.d (a directory of startup scripts)

Install FreeRadius 1.02

This step is relatively easy provided that the compiler on your Linux box is functional. As with many Linux apps, you first get the files, then untar and unzip them, then you run a configure script, then make, then make install.

1. Download freeradius-1.0.2.tar.gz to /usr/src.
2. Run tar -zxf /usr/src/freeradius-1.0.2.tar.gz
3. cd into /usr/src/freeradius-1.0.2.
4. Run ./configure --with-edir --localstatedir=/var --sysconfdir=/etc
5. Run make
6. Run make install

The --localstatedir and --sysconfdir options are worth looking into. I configured freeradius this way because it was how the last radius box was configured. You may not want to use these options. See INSTALL and ./configure --help for more information. This document assumes that you used the above switches.

Debugging freeradius can be done by stopping freeradius (/etc/init.d/radiusd stop) and then running /usr/sbin/radiusd -X in a console window. If you do not have a radiusd script in /etc/init.d, then I suggest looking into the freeradius-1.0.2/<your flavor of linux> directory and editing and copying an appropriate script.

Install Java

This is fairly straightforward. I have one caution though - do not do an rpm -e jre if you are currently running X. I have had my X session lock up from uninstalling Java from within X. Use your favorite ssh or telnet client to remove JRE if you need to.

1. Download jre-1_5_0_01-linux-i586.rpm from sun.com and save it to /usr/src.
2. Run rpm -i /usr/src/jre-1_5_0_01-linux-i586.rpm.
3. This is important for Java applications (including ConsoleOne). Run:
    export JRE_HOME=/usr/java/jre1.5.0_01
4. Make the environment variable JRE_HOME permanent by:
    a. Creating a file in /etc/profiles.d named JAVA
    b. Running chmod +x /etc/profiles.d/JAVA
    c. Editing the JAVA file and putting the command from #3 in the file.
    The above commands and directories are for Red Hat; your flavor may have different ideas about how to set environment variables.

Install the Red Carpet Daemon

1. Download a version applicable to your distro. I used rcd-2.2.0-0.ximian.6.5.i386.rpm. Save it to /usr/src.
2. Run rpm -i /usr/src/rcd-2.2.0-0.ximian.6.5.i386.rpm.
    You may need to use rpm -U to get this installed.

Install eDirectory

Note that you MUST NOT HAVE CONSOLEONE INSTALLED when you run the eDirectory installation. Having ConsoleOne installed has caused some of my installs to hang. You should remove ConsoleOne if you want to run the scrub script as well. To remove ConsoleOne, you will have to run the c1-uninstall script.

1. Mount the Nterprise CD.
    If the CD is local, the mount command is:
        mount /dev/cdrom /mnt/cdrom
    If you're using an ISO:
        mount -o loop /<path to iso> /mnt/cdrom
2. Unload openldap or eDirectory or you will have problems installing. Run /etc/init.d/ldap stop and /etc/init.d/ndsd stop.
3. cd to /mnt/cdrom and run ./install.sh.
4. Select install.
5. Change the selected packages to install to ONLY install Apache, Tomcat, the JVM, eDirectory, Linux User Management, and iManager. Install ALL of the options for Linux User Management when prompted.
    (Note: these are options 1-4 and 11.)
6. Enter the path to your nfk file when prompted.
7. Install to a new tree or to an existing tree.
8. Answer the remaining prompts and use default values for all ports.
9. Be patient. This install can take some time.

Install ConsoleOne

1. Download c1_136d-linux.tar.gz to /usr/src.
2. cd to /usr/src and run tar -zxf ./c1_136d-linux.tar.gz.
3. cd into the Linux directory that is extracted.
4. Run ./c1-install and
    a. do NOT install the Java Runtime Environment that comes with this program.
    b. DO install all of the snapins.
5. Test ConsoleOne by running /usr/ConsoleOne/bin/ConsoleOne and logging into your eDirectory.

Configuring iManager and freeradius

1. Download and save radius_npm.tar.gz to /usr/src (this file is available from forge.novell.com and is the plug-in for iManager).
2. cd to /usr/src.
3. Run tar -zxf radius_npm.tar.gz. This will extract radius_npm.
4. Open an http browser to your Linux box.
5. Click on the iManager link and authenticate.
6. Click Configure, Install Module Package.
7. Browse to the npm (/usr/src/radius.npm) and click Install.
8. Restart your web server (or the box).
9. Open iManager (via the steps above).
10. Enable Universal Password (NMAS, Universal Password config). Enable it for the OU that you have your radius users in. Click APPLY, not Done, when you set this.
11. Create a file containing the following:
    dn: cn=schema
    changetype: modify
    add: objectClasses
    objectClasses: ( 2.16.840.1.113719.1.39.42.2.0.10 NAME 'novellRadiusProfile' X-NDS_NAME 'RADIUS:Profile' )
12. Open ConsoleOne and disable "require TLS with simple bind" on the LDAP group object.
13. Run the following command:
    ldapmodify -D <cn=admin,o=something> -x -w <admin password> -h 127.0.0.1 -f <path to the file you created in #11>
    You should have NO error when you run this command. Note that the DN is specified with the LDAP syntax (using commas instead of periods).
14. Open ConsoleOne and ENABLE "require TLS with simple bind" on the LDAP group object.
15. Login to iManager and extend the radius schema (Roles and Tasks, Radius, Extend Schema).
16. Exit your browser and then reopen iManager to change a user in the container you specified for universal password into a radius user. Again, there should be NO errors.
17. Now you need to enable password administrators to read universal passwords. iManager, eDirectory Administration role, Modify Object, Universal Password On from password policies in the security container, edit the nspmConfigurationOptions attribute and add 32 to the value shown.
18. In ConsoleOne, extract the self-signed certificate (from the security container, the CA object) to /etc/raddb/cacert.b64.
19. Make your /usr/etc/raddb/radiusd.conf file's radius section look like what you see here:

    # Lightweight Directory Access Protocol (LDAP)
    #
    # This module definition allows you to use LDAP for
    # authorization and authentication (Auth-Type := LDAP)
    #
    # See doc/rlm_ldap for description of configuration options
    # and sample authorize{} and authenticate{} blocks
    ldap {
        server = "you.yourcompany.com"
        identity = "cn=admin,o=youro"
        password = youradminpassword
        basedn = "ou=whereyourradiususersare,o=youro"
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 636) connections
        start_tls = yes
        tls_cacertfile    = /etc/raddb/cacert.b64
        # tls_cacertdir     = /path/to/ca/dir/
        # tls_certfile      = /path/to/radius.crt
        # tls_keyfile       = /path/to/radius.key
        # tls_randfile      = /path/to/rnd

        tls_require_cert  = "demand"

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        # access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5

        #
        # NOTICE: The password_header directive is NOT case insensitive
        #
        # password_header = "{clear}"
        #
        # The server can usually figure this out on its own, and pull
        # the correct User-Password or NT-Password from the database.
        #
        # Note that NT-Passwords MUST be stored as a 32-digit hex
        # string, and MUST start off with "0x", such as:
        #
        #    0x000102030405060708090a0b0c0d0e0f
        #
        # Without the leading "0x", NT-Passwords will not work.
        # This goes for NT-Passwords stored in SQL, too.
        #
        password_attribute = nspmPassword

        # groupname_attribute = cn
        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes
        edir_account_policy_check = yes
    }

7. Modify the authorize { ... } portion of radiusd.conf. You want to add "ldap" before files. Also, the authenticate { ... } portion should have ldap commented out.

    # Authorization. First preprocess (hints and huntgroups files),
    # then realms, and finally look in the "users" file.
    #
    # The order of the realm modules will determine the order that
    # we try to find a matching realm.
    #
    # Make *sure* that 'preprocess' comes before any realm if you
    # need to setup hints for the remote radius server
    authorize {
        #
        # The preprocess module takes care of sanitizing some bizarre
        # attributes in the request, and turning them into attributes
        # which are more standard.
        #
        # It takes care of processing the 'raddb/hints' and the
        # 'raddb/huntgroups' files.
        #
        # It also adds the %{Client-IP-Address} attribute to the request.
        preprocess

        #
        # If you want to have a log of authentication requests,
        # un-comment the following line, and the 'detail auth_log'
        # section, above.
    #    auth_log

    #    attr_filter

        #
        # The chap module will set 'Auth-Type := CHAP' if we are
        # handling a CHAP request and Auth-Type has not already been set
        chap

        #
        # If the users are logging in with an MS-CHAP-Challenge
        # attribute for authentication, the mschap module will find
        # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
        # to the request, which will cause the server to then use
        # the mschap module for authentication.
        mschap

        #
        # If you have a Cisco SIP server authenticating against
        # FreeRADIUS, uncomment the following line, and the 'digest'
        # line in the 'authenticate' section.
    #    digest

        #
        # Look for IPASS style 'realm/', and if not found, look for
        # '@realm', and decide whether or not to proxy, based on
        # that.
    #    IPASS

        #
        # If you are using multiple kinds of realms, you probably
        # want to set "ignore_null = yes" for all of them.
        # Otherwise, when the first style of realm doesn't match,
        # the other styles won't be checked.
        #
        suffix
    #    ntdomain

        #
        # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
        # authentication.
        #
        # It also sets the EAP-Type attribute in the request
        # attribute list to the EAP type from the packet.
        eap

        #
        # Read the 'users' file
        # and enable ldap for edir
        ldap
        files

        #
        # Look in an SQL database. The schema of the database
        # is meant to mirror the "users" file.
        #
        # See "Authorization Queries" in sql.conf
    #    sql

        #
        # If you are using /etc/smbpasswd, and are also doing
        # mschap authentication, then un-comment this line, and
        # configure the 'etc_smbpasswd' module, above.
    #    etc_smbpasswd

        #
        # The ldap module will set Auth-Type to LDAP if it has not
        # already been set
    #    ldap

        #
        # Enforce daily limits on time spent logged in.
    #    daily

        #
        # Use the checkval module
    #    checkval
    }

    # Authentication.
    #
    #
    # This section lists which modules are available for authentication.
    # Note that it does NOT mean 'try each module in order'. It means
    # that a module from the 'authorize' section adds a configuration
    # attribute 'Auth-Type := FOO'. That authentication type is then
    # used to pick the appropriate module from the list below.
    #
    # In general, you SHOULD NOT set the Auth-Type attribute. The server
    # will figure it out on its own, and will do the right thing. The
    # most common side effect of erroneously setting the Auth-Type
    # attribute is that one authentication method will work, but the
    # others will not.
    #
    # The common reasons to set the Auth-Type attribute by hand
    # is to either forcibly reject the user, or forcibly accept him.
    #
    authenticate {
        #
        # PAP authentication, when a back-end database listed
        # in the 'authorize' section supplies a password. The
        # password can be clear-text, or encrypted.
        Auth-Type PAP {
            pap
        }

        #
        # Most people want CHAP authentication
        # A back-end database listed in the 'authorize' section
        # MUST supply a CLEAR TEXT password. Encrypted passwords
        # won't work.
        Auth-Type CHAP {
            chap
        }

        #
        # MSCHAP authentication.
        Auth-Type MS-CHAP {
            mschap
        }

        #
        # If you have a Cisco SIP server authenticating against
        # FreeRADIUS, uncomment the following line, and the 'digest'
        # line in the 'authorize' section.
    #    digest

        #
        # Pluggable Authentication Modules.
    #    pam

        #
        # See 'man getpwent' for information on how the 'unix'
        # module checks the users password. Note that packets
        # containing CHAP-Password attributes CANNOT be authenticated
        # against /etc/passwd! See the FAQ for details.
        #
        unix

        # Uncomment it if you want to use ldap for authentication
        #
        # Note that this means "check plain-text password against
        # the ldap database", which means that EAP won't work,
        # as it does not supply a plain-text password.
    #    Auth-Type LDAP {
    #        ldap
    #    }

        #
        # Allow EAP authentication.
        eap
    }

7.5 Modify the Post-Auth { ... } section and include a Post-Auth Reject section and uncomment the ldap part:

    # Post-Authentication
    # Once we KNOW that the user has been authenticated, there are
    # additional steps we can take.
    post-auth {
        # Get an address from the IP Pool.
    #    main_pool

        #
        # If you want to have a log of authentication replies,
        # un-comment the following line, and the 'detail reply_log'
        # section, above.
    #    reply_log

        #
        # After authenticating the user, do another SQL query.
        #
        # See "Authentication Logging Queries" in sql.conf
    #    sql

        #
        # Un-comment the following if you have set
        # 'edir_account_policy_check = yes' in the ldap module sub-section of
        # the 'modules' section.
        #
    #    ldap

        #
        # Access-Reject packets are sent through the REJECT sub-section of the
        # post-auth section.
        # Uncomment the following and set the module name to the ldap instance
        # name if you have set 'edir_account_policy_check = yes' in the ldap
        # module sub-section of the 'modules' section.
        #
        Post-Auth-Type REJECT {
            ldap
        }
    }

Final Configuration Steps

1. Edit /etc/raddb/clients.conf and add in your own client. Typically this is the switch you will be using. The format in this file is EXTREMELY self-explanatory. It's basically this:

    client <client domain name or ip address> {
        secret = somesecretpasswordyouaresharingwiththeclient
        shortname = someshortnametoidentifytheclient
    }

2. Test the server....
    a00. Run /usr/local/sbin/radiusd -X
    a01. Run the radtest command or connect from an outside client. You should see the action on the radiusd screen.
    a02. Hook up a workstation to your switch on a port that requires EAP. Attempt to authenticate.

Now, make the jump to EAP. EAP doesn't work right out of the box; it must be configured.

1. Enable EAP on the switch / WAP
2. Download and install OpenSSL 0.9.7e or later.
    a. After tar -zxf <gz file>
    b. ./config (note that this is NOT configure, which is more common)
    c. make
    d. make install
3. Edit /usr/src/freeradius-1.0.2/scripts/CA.cert. Fill it in with your information AND change the SSL line at the top to point to /usr/local/ssl. Note that later you will need to replace whatever as the password when you configure eap.conf.
4. Make a temporary directory and cd into it. Then run /usr/src/freeradius-1.0.2/scripts/CA.cert.
    a. You will get many files. We need to copy 2 of them. Copy root.pem to /etc/raddb/certs/demoCA.
    b. Copy cert-srv.pem to /etc/raddb/certs.
        i. Note that I had problems running freeradius when I didn't have this file in the certs directory.
5. Edit eap.conf. You need to change the default EAP type to peap, enable TLS, and enable the peap section. See below:

    eap {
        default_eap_type = peap

        …
        tls {
            private_key_password = whatever
            private_key_file = ${raddbdir}/certs/cert-srv.pem

            # If Private key & Certificate are located in
            # the same file, then private_key_file &
            # certificate_file must contain the same file
            # name.
            certificate_file = ${raddbdir}/certs/cert-srv.pem

            # Trusted Root CA list
            CA_file = ${raddbdir}/certs/demoCA/cacert.pem

            dh_file = ${raddbdir}/certs/dh
            random_file = ${raddbdir}/certs/random

            #
            # This can never exceed the size of a RADIUS
            # packet (4096 bytes), and is preferably half
            # that, to accommodate other attributes in
            # RADIUS packet. On most APs the MAX packet
            # length is configured between 1500 - 1600
            # In these cases, fragment size should be
            # 1024 or less.
            #
            fragment_size = 1024

            # include_length is a flag which is
            # by default set to yes If set to
            # yes, Total Length of the message is
            # included in EVERY packet we send.
            # If set to no, Total Length of the
            # message is included ONLY in the
            # First packet of a fragment series.
            #
            include_length = yes

            # Check the Certificate Revocation List
            #
            # 1) Copy CA certificates and CRLs to same directory.
            # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
            #    'c_rehash' is OpenSSL's command.
            # 3) Add 'CA_path=<CA certs&CRLs directory>'
            #    to radiusd.conf's tls section.
            # 4) uncomment the line below.
            # 5) Restart radiusd
        #    check_crl = yes

            #
            # If check_cert_cn is set, the value will
            # be xlat'ed and checked against the CN
            # in the client certificate. If the values
            # do not match, the certificate verification
            # will fail rejecting the user.
            #
            # check_cert_cn = %{User-Name}
        }

        …
        peap {
            # The tunneled EAP session needs a default
            # EAP type which is separate from the one for
            # the non-tunneled EAP module. Inside of the
            # PEAP tunnel, we recommend using MS-CHAPv2,
            # as that is the default type supported by
            # Windows clients.
            default_eap_type = mschapv2
        }
    }

Finally…. Go to the fridge and treat yourself.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
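As an added check that is not part of the post or of FreeRADIUS itself: a small Python linter that parses the radiusd.conf section syntax shown above and verifies the settings the procedure depends on (start_tls, tls_require_cert = demand, a tls_cacertfile, nspmPassword as the password attribute, edir_account_policy_check, and ldap listed before files in authorize). SAMPLE_CONF and WEAK_CONF are constructed inputs, not the poster's files.

```python
"""Lint a FreeRADIUS 1.x radiusd.conf for the eDirectory settings the post relies on."""

def _strip_comment(line):
    """Drop a '#' comment unless the '#' sits inside double quotes."""
    out, quoted = [], False
    for ch in line:
        quoted ^= ch == '"'
        if ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out).strip()

def parse_conf(text):
    """Parse 'name { ... }' sections, 'key = value' items and bare module calls."""
    stack = [{"items": {}, "modules": [], "subs": {}}]
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        if line.endswith("{"):                      # open a (sub)section
            sec = {"items": {}, "modules": [], "subs": {}}
            stack[-1]["subs"][line[:-1].strip()] = sec
            stack.append(sec)
        elif line == "}":                           # close the current section
            stack.pop()
        elif "=" in line:                           # key = value, quotes dropped
            key, _, val = line.partition("=")
            stack[-1]["items"][key.strip()] = val.strip().strip('"')
        else:                                       # a module called by this section
            stack[-1]["modules"].append(line)
    return stack[0]

def audit(conf):
    """Return findings; an empty list means the post's LDAP/TLS points are all met."""
    subs, out = conf["subs"], []
    ldap = subs.get("ldap", {"items": {}})["items"]
    want = {"start_tls": "yes", "tls_require_cert": "demand",
            "password_attribute": "nspmPassword", "edir_account_policy_check": "yes"}
    out += [f"ldap.{k}: expected {v}, got {ldap.get(k)}" for k, v in want.items() if ldap.get(k) != v]
    if not ldap.get("tls_cacertfile"):
        out.append("ldap.tls_cacertfile unset: the eDirectory CA certificate cannot be verified")
    authz = subs.get("authorize", {"modules": []})["modules"]
    if "ldap" not in authz or "files" not in authz or authz.index("ldap") > authz.index("files"):
        out.append("authorize: 'ldap' must be listed before 'files'")
    return out

# Constructed sample in the post's layout (not the poster's real file).
SAMPLE_CONF = """\
ldap {
    server = "you.yourcompany.com"
    filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"  # value itself contains '='
    start_tls = yes
    tls_cacertfile = /etc/raddb/cacert.b64
    tls_require_cert = "demand"
    password_attribute = nspmPassword
    edir_account_policy_check = yes
}
authorize {
    ldap
    files
}
"""
# The same file with TLS weakened and the authorize order swapped, for comparison.
WEAK_CONF = (SAMPLE_CONF.replace("start_tls = yes", "start_tls = no")
             .replace('"demand"', '"never"').replace("    ldap\n    files", "    files\n    ldap"))
```

Running audit(parse_conf(...)) over a real radiusd.conf prints nothing for a file that matches the post and one line per deviation otherwise.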