radius_on_centos7

Differences

radius_on_centos7 [2015/06/24 14:07] herwarth
radius_on_centos7 [2018/02/26 21:36] (current) – [Update to CentOS 7.4] herwarth
Line 1: Line 1:
 ======FreeRadius on CentOS 7 with LDAP support====== ======FreeRadius on CentOS 7 with LDAP support======
 +=====Prerequisite=====
 +  * Download the WPA test script: {{:rad_eap_test.gz|}}
 =====Installation====== =====Installation======
   yum install freeradius-ldap freeradius-utils freeradius   yum install freeradius-ldap freeradius-utils freeradius
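Review bot: the new Prerequisite item has the reader download and run rad_eap_test.gz from a wiki attachment with no statement of where the script comes from, which version it is, or a checksum to compare against, and the yum line that follows installs only the freeradius packages, so the script's own dependencies are not covered by this page; add the script's origin and a checksum so a reader can tell the attachment you tested from a replaced one, and list what it needs installed. While this block is being edited, `=====Installation======` opens with five `=` and closes with six; matching the markers keeps the heading rendering at the same level as Configuration.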
Line 7: Line 9:
  
 =====Configuration===== =====Configuration=====
 +====LDAP====
   vi ldap   vi ldap
  
Line 22: Line 24:
                 control:Password-With-Header    += 'userPassword'                 control:Password-With-Header    += 'userPassword'
                 control:NT-Password             := 'SambaNTPassword'                 control:NT-Password             := 'SambaNTPassword'
 +                reply:Reply-Message             := 'radiusReplyMessage'
 +                reply:Tunnel-Type               := 'radiusTunnelType'
 +                reply:Tunnel-Medium-Type        := 'radiusTunnelMediumType'
 +                reply:Tunnel-Private-Group-ID   := 'radiusTunnelPrivategroupId'
         }         }
         user {         user {
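Review bot: the four added `reply:` mappings make VLAN assignment (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) depend on attributes read from the user's directory entry, so anyone who can write `radiusTunnelPrivategroupId` on an entry can move that user to another VLAN; say which identity the module binds as and that directory ACLs limit write access on those attributes to administrators, since this mapping turns an LDAP write into a network-access decision. Also worth stating next to these lines: for PEAP these reply attributes are produced in the inner tunnel and only reach the NAS together with the `use_tunneled_reply = yes` change made to the eap file at the end of this same revision, so the two edits should be cross-referenced rather than presented as unrelated.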
Line 28: Line 34:
         }         }
 } }
-                +</code> 
 +====Clients==== 
 +  vi /etc/raddb/clients.conf 
 + 
 +<code> 
 +client private-network-1 { 
 + ipaddr = 172.16.0.0/16 
 + secret = testing123 
 +
 +client private-network-1-ipv6 { 
 +        ipv6addr        = 2a02:22a0:bbb7:400::/56 
 +        secret          = testing123 
 +
 +</code> 
 + 
 +====TLS==== 
 +In this situation I already have a CA and a certificate created on the CA for this machine. So I move the old directory and create a new one! 
 +  cd /etc/raddb 
 +  mv certs certs.org 
 +  mkdir certs 
 +  chown root:radiusd certs 
 +  chmod 770 certs 
 +Now let's copy the necessary files. 
 +  * the certificate and private key must be concatenated in server.pem 
 +  * the CA certificate must have the name ca.pem 
 +  * copy the dh file from the original certs directory 
 +  * set the correct permissions 
 +Result: 
 +  cd /etc/raddb/certs 
 +  ls -l 
 +<code> 
 +total 16 
 +-rw-r-----. 1 root radiusd 1375 Jun 24 16:24 ca.pem 
 +-rw-r-----. 1 root radiusd  245 Jun 24 16:24 dh 
 +-rw-r-----. 1 root radiusd 6297 Jun 24 16:24 server.pem 
 +</code> 
 +  systemctl enable radiusd 
 +  systemctl start radiusd 
 +=====Firewall===== 
 +  firewall-cmd --permanent --zone=management --add-service=radius 
 +  firewall-cmd --permanent --zone=local --add-service=radius 
 +  firewall-cmd --reload 
 +=====Testing===== 
 +Query user for normal access: 
 +  radtest <USERNAME> <SECRET> localhost 2 testing123 
 +Query user for WPA enterprise: 
 +  ./rad_eap_test -H localhost -P 1812 -S testing123 -u <USERNAME> -p <SECRET> -m WPA-EAP -e PEAP -2 MSCHAPV2 
 +  ./rad_eap_test -H localhost -P 1812 -S testing123 -u <USERNAME> -p <SECRET> -m WPA-EAP -e TTLS -2 PAP 
 +=====Update to CentOS 7.4===== 
 +The upgrade to CentOS 7.4 breaks FreeRadius with LDAP. I discovered some errors with dots (.) in the username. So I altered the filter file in /etc/raddb/policy.d
  
 +THIS CODE IS OBSOLETE
 +<code - /etc/raddb/policy.d/filter>
 +.
 +.
 +.
 +#               if (&User-Name =~ /\.\./ ) {
 +#                       update request {
 +#                               &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
 +#                       }
 +#                       reject
 +#               }
 +.
 +.
 +#               if (&User-Name =~ /\.$/ {
 +#                       update request {
 +#                               &Module-Failure-Message += 'Rejected: Realm ends with a dot'
 +#                       }
 +#                       reject
 +#               }
 +.
 +.
 +.
 +</code>
 +===== Peap config change for radius assigned VLAN ====
 +<code - /etc/raddb/mods-available/eap>
 +.
 +.
 +peap {
 +.
 +.
 +                use_tunneled_reply = yes
 +.
 +.
 +</code>
 {{tag>centos}} {{tag>centos}}
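Review bot: both new client blocks in clients.conf use `secret = testing123`, the placeholder secret from the stock example configuration, and the same string is then typed on the command line for `radtest` and both `rad_eap_test` invocations; with a /16 and a /56 of NAS addresses sharing a guessable secret, any host in those ranges can submit requests the server accepts, so generate a long random secret per client and keep the documented test commands from repeating it. As rendered, neither client block shows its closing `}` after its secret line, and in the obsolete filter snippet `if (&User-Name =~ /\.$/ {` is missing the closing `)`; if these are copy errors rather than rendering loss they should be corrected before anyone pastes the blocks. Finally, the Update section commenting out the two User-Name checks (multiple `..`, realm ending in a dot) removes filter_username rejections rather than fixing the LDAP breakage it describes; the note should say what the underlying error was and that the wider accepted User-Name space is intentional.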
radius_on_centos7.1435154861.txt.gz · Last modified: by herwarth