FreeRADIUS FreeBSD port (was: Can't start FreeRadius after 1st



Posted 01-20-2007 by David Wood

Dear Tek and everyone,

In message <20070107152555.330194d2.teklimbu@wlink.com.np>,
teklimbu@wlink.com.np writes
>I am very new to FreeRadius. Just today, I have installed FreeRadius
>1.13 from FreeBSD 6.0 (i386) ports.


I am the maintainer of the FreeBSD FreeRADIUS port starting from version
1.1.3. It's probably about time I revealed myself here.


>I am following this material from:
>http://www.onlamp.com/pub/a/onlamp/e..._5/index1.html


As Alan DeKok says, that material is very old (2002 vintage, which is
ancient history in FreeRADIUS terms). It really can't be recommended
now, and I suggest that you follow the usual advice to start from the
sample configuration shipped with FreeRADIUS.



As is usual for a FreeBSD port (see the FreeBSD Porter's Handbook,
section 7.2), the port installs the sample FreeRADIUS configuration, but
the name of each file has a suffix, in this case .sample. This is to
stop port upgrades, or deinstall/reinstalls, from wiping your
hand-crafted configuration.

In the case of FreeRADIUS, assuming you don't set PREFIX explicitly to
something else, the default configuration files go in
/usr/local/etc/raddb, suffixed with .sample - so
/usr/local/etc/raddb/radiusd.conf.sample and so on.


I suggest, therefore, that you

    cd /usr/local/etc/raddb
    cp -p radiusd.conf.sample radiusd.conf

and edit radiusd.conf to suit your environment. You will need to do the
same (unless you symlink if you don't need to make any changes, or you
make appropriate changes to the configuration) for:

clients.conf.sample
dictionary.sample
eap.conf.sample
hints.sample
huntgroups.sample
proxy.conf.sample
snmp.conf.sample
sql.conf.sample

and probably also:

acct_users.sample
preproxy_users.sample
users.sample



If you're using EAP, I suggest that you place your own certificates in
raddb/mycerts, and edit eap.conf accordingly. Placing your own
certificates in raddb/certs is likely to lead to them being wiped on an
upgrade. (Memo to self: changing the port to install the test
certificates in raddb/certs.sample is possibly worthwhile).

Do NOT use the certificates shipped with FreeRADIUS on a production
server - this is a significant security hole.


I've not had any reports, other than yours, of the FreeBSD port failing
since I took over the maintainership. I've had a few requests for
enhancement of the port, and I've dealt with all those other than ones
that I've dealt with and fixed the port for.

The FreeBSD port is now up to 1.1.4_1; in other words, the second
revision of the port of FreeRADIUS 1.1.4. The initial 1.1.4 port didn't
rm -r rlm_sql_firebird, which has already been acknowledged on this list
as broken, so configure failed when experimental modules were enabled.


For versions 1.1.2 to 1.1.4, I was working on FreeBSD 6.1-RELEASE i386,
but I have now moved to 6.2-RELEASE i386. FreeBSD's pointyhat cluster
monitors build failures on other architectures, but nothing monitors
whether the software runs on other architectures.

FreeBSD 6.0-RELEASE becomes end of life on 31 January 2007 - from that
point on there's no more security team support. It's worth considering
an upgrade to 6.2-RELEASE, though read the errata and other release
notes first.


I never used 6.0-RELEASE (I jumped from 5.4-RELEASE to 6.1-RELEASE on my
main box). 6.0-RELEASE is very nearly end of life, and I'm not much
interested in fixing the port to work on 6.0-RELEASE. If you tell me
that you can't get the port working on 6.0-RELEASE, I may set up a
virtual 6.0-RELEASE machine and try FreeRADIUS quickly with a
configuration that I know works. However, if there's a problem for which
there's not an obvious fix, I'll just mark the port as broken on
6.0-RELEASE.

As the FreeBSD Porter's Handbook says, in section 5.2.2:

    FreeBSD only guarantees that the Ports Collection works on the
    -STABLE branches. You should be running 5-STABLE or 6-STABLE,
    preferably the latter. In theory, you should be able to get by
    with running the latest release of each stable branch (since the
    ABIs are not supposed to change) but if you can run the branch,
    that is even better.

Considering that -STABLE is not recommended for production machines (it
means stable ABI, not that the operating system you'll get by
downloading -STABLE is necessarily stable), I'd upgrade to 6.2-RELEASE
if you need to upgrade.


Another thing that I suggest you consider is building the OpenSSL port
and rebuilding FreeRADIUS (portupgrade -f net/freeradius or similar) -
especially if you're going to use any part of FreeRADIUS that uses
OpenSSL, such as EAP. The FreeBSD FreeRADIUS port uses the OpenSSL port
if it's installed in preference to the base system's OpenSSL.

Indeed, I suggest you build the OpenSSL port if you're going to use any
software that uses OpenSSL, because the OpenSSL version in the base
system is somewhat out of date and this won't change until FreeBSD 7.0
(7.0-CURRENT has OpenSSL 0.9.8d in the base system).

Before building the OpenSSL port, you may want to add the line:

    USE_OPENSSL_BETA=yes

to /etc/make.conf to make the ports system build OpenSSL 0.9.8d rather
than OpenSSL 0.9.7l - I don't see what's so beta about the 0.9.8 branch
of OpenSSL these days.



In summary, my suggested way ahead if you haven't already got this
working is:

Upgrade the FreeRADIUS port to 1.1.4_1 and build FreeRADIUS.

Build a simple configuration starting from the 1.1.4 sample
configuration, and test FreeRADIUS.

If you're still having problems, especially if you're attempting to use
any part of FreeRADIUS that relies on OpenSSL such as EAP, build the
OpenSSL port and rebuild FreeRADIUS. Consider doing this anyway.

If you're still having problems, upgrade the operating system (I suggest
to 6.2-RELEASE). Consider doing this anyway in the light of the upcoming
end of life of 6.0-RELEASE.


I have the FreeBSD FreeRADIUS port 1.1.4_1 working on 6.2-RELEASE i386
with OpenSSL 0.9.8d installed via the OpenSSL port.


Best wishes,

David
--
David Wood
david@wood2.org.uk
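
The copy step and the certificate advice from the post above, as an added example that is not part of the post or of the FreeBSD port. It copies each .sample file to its live name only when no live file exists, and lists active eap.conf lines that still point into raddb/certs; the function names and the demo file contents (including cert-srv.pem) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the port): activate the port's *.sample files
# without clobbering live configuration, then check eap.conf's cert paths.

# Copy NAME.sample to NAME only if NAME is absent. Prints one line per file:
# "new NAME" (copied), "kept NAME" (identical) or "changed NAME" (differs).
activate_samples() {
    for sample in "$1"/*.sample; do
        [ -f "$sample" ] || continue
        live=${sample%.sample}
        if [ ! -e "$live" ]; then
            cp -p "$sample" "$live" && echo "new ${live##*/}"
        elif cmp -s "$sample" "$live"; then
            echo "kept ${live##*/}"
        else
            echo "changed ${live##*/}"   # hand-edited, or the sample moved on
        fi
    done
}

# Print active (uncommented) lines of an eap.conf that point into the
# port-managed certs/ directory. Exit status 0 means some were found.
uses_shipped_certs() {
    grep -n '^[[:space:]]*[^#[:space:]].*/certs/' "$1"
}

# Constructed demo tree standing in for /usr/local/etc/raddb.
make_demo_raddb() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/raddb.XXXXXX") || return 1
    echo 'port = 0' > "$d/radiusd.conf.sample"
    echo 'port = 1812' > "$d/radiusd.conf"       # existing hand-edited file
    printf '%s\n' '# CA_file = ${raddb_dir}/certs/old.pem' \
        'certificate_file = ${raddb_dir}/certs/cert-srv.pem' \
        > "$d/eap.conf.sample"
    echo "$d"
}

# With no argument, run against the constructed tree and remove it afterwards.
raddb=${1:-$(make_demo_raddb)}
activate_samples "$raddb"
if uses_shipped_certs "$raddb/eap.conf"; then
    echo "eap.conf still points at raddb/certs; use raddb/mycerts" >&2
fi
if [ $# -eq 0 ]; then rm -r "$raddb"; fi
```

Run it with the raddb directory as its argument after each port upgrade: files reported as "changed" are the ones to compare against the new sample by hand.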