FreeRADIUS

-----------------------------

FreeRADIUS Version 2 Documentation

Configuring the server can be a complex task. This task is made easier in Version 2, as the documentation and "default" configurations have been improved.
You can help! See the community page for guidance on contributing additional documentation.
If you are using Version 1 of the server, we suggest upgrading to Version 2. Version 2 is much easier to install and configure. The documentation available for Version 1 is thin, and often out of date. Even worse, there are many "third party" web sites that contain instructions for configuring FreeRADIUS

---

Nearly all of the documentation and How-To's on "third party" web sites is wrong and outdated. We strongly suggest that you do not follow any non-FreeRADIUS documentation. If you do follow external documentation, the result will likely be a server that does not work.

---

Installing the Server

Where possible, we recommend using the packaging system that is used by your operating system. The version that is supplied by your OS might be out of date, but it is likely to work "out of the box".
If you need to install it yourself, the Wiki installation page contains detailed instructions for a number of platforms.

Starting the Server

Once it has been installed, the first thing to do is as little as possible. The default configuration is designed to work everywhere, and to provide nearly every authentication method.

---

Do not edit the default configuration files until you understand what they do. This means reading the documentation contained in the comments of the configuration files.

---

Many common configurations are documented as suggestions or examples in the configuration files. Many common problems are discussed in the configuration files, along with suggested solutions.
We recommend reading the configuration files, in large part because most of the configuration items are documented only in the comments in the configuration files.
When the server has been installed on a new machine, the first step is to start it in debugging mode, as user root:

$ radiusd -X

This step demonstrates that the server is installed and configured properly. If you have installed Version 2 from source, this step will also create the default certificates used for EAP authentication.

Initial Tests

Testing authentication is simple. Edit the users file, and add the following line of text at the top, before anything else:

testing Cleartext-Password := "password"

Start the server in debugging mode (radiusd -X), and run radtest from another terminal window:

$ radtest testing password 127.0.0.1 0 testing123

You should see the server respond with an Access-Accept. If it doesn't, the debug log will show why. Paste the output into the debug form, and a colorized HTML version will be produced. Look for red or yellow text, and read the messages.
If you do see an Access-Accept, then congratulations, the following authentication methods now work for the testing user:

PAP, CHAP, MS-CHAPv1, MS-CHAPv2, PEAP, EAP-TTLS, EAP-GTC, EAP-MD5.

The next step is to add more users, and to configure databases. Those steps are outside of the scope of this short web page, but the general method to use is important, and is outlined in the next section.

---

The following steps outline the best known method for configuring the server. Following them lets you create complex configurations with a minimm of effort. Failure to follow them leads to days of frustration and wasted effort.

---

Configuring the Server

Changing the server configuration should be done via the following steps:

1. Start with a "known working" configuration, such as supplied by the default installation.
2. Make one small change to the configuration files.
3. Start the server in debugging mode (radiusd -X).
4. Verify that the results are what you expect
   • The debug output shows any configuration changes you have made.
   • Databases (if used) are connected and operating.
   • Test packets are accepted by the server.
   • The debug output shows that the packets are being processed as you expect.
   • The response packets are contain the attributes you expect to see.
5. If everything is OK, save a copy of the configuration, go back to step (2), and make another change.
6. If anything goes wrong,
   • double-check the configuration
   • read the entire debug output, looking for words like error or warning. These messages usually contain descriptions of what went wrong, and suggestions for how it can be fixed. (see also the debug form)
   • Try replace your configuration with a saved copy of a "known working" configuration, and start again. This process can clean up errors caused by temporary edits, or edits that you have forgotten about.
   • Ask for help on the freeradius-users mailing list. Include a description of what you are trying to do, and the entire debugging output, especially output showing the server receiving and processing test packets. You may want to scrub "secret" information from the output before posting it. (Shared secrets, passwords, etc.)

Debugging the Server

This process is the same as configuring the server. See the section above.
Also:

---

Run the server in debugging mode as suggested in the FAQ, README, INSTALL, man page, and daily on the mailing list.

---

We cannot emphasize that strongly enough. There is no way for anyone to help you unless you post the debugging output along with your question. If you do not post the debugging output, your question will either be ignored, or you will receive a number of responses saying

---

Post the debug output as suggested in the FAQ, README, INSTALL, man page, and daily on the mailing list.

---

A large number of problems can be trivially solved by having an expert read the debug output. If you do not post it to the list, you are making it impossible for anyone to help you.

---

Other sources of Documentation

Wiki

The Wiki has a fair amount of documentation and How-To's. It is also searchable.

Manual pages

The on-line man pages contain documentation for programs, configuration files, and modules.

Useful How-To's

The web site Deploying RADIUS has a number of useful documents that are kept up to date with newer versions of the server. These documents include:

• A step by step guide to configuring EAP.
• How to configure Active Directory for authentication.
• More instructions on setting up the server
• A table describing which authentication protocols are compatible with back-end databases and password storage methods.

Older Documents

EAPTLS.pdf
Another eap-tls HOWTO
EAP-MD5

Novell eDirectory Integration

An administration guide to FreeRADIUS and Novell eDirectory is available. For the latest version of the "Integrating Novell eDirectory with FreeRADIUS" administration guide, refer to http://www.novell.com/documentation/edir_radius/index.html To edit the document, use the XML version of the document at http://www.novell.com/documentation/edir_radius/xml/edir_radius_xml.zip.

If all else fails

If all else fails, commercial support is available.



----------------

http://packages.ubuntu.com/hardy/source/freeradius

----------------

   HOWTO certificates

1. Introduction

How you handle certificates depend a great deal on what your role is.
Your role can be one or several of:

  - User of some client software
  - User of some server software
  - Certificate authority

This file is for users who wish to get a certificate of their own.
Certificate authorities should read ca.txt.

In all the cases shown below, the standard configuration file, as
compiled into openssl, will be used.  You may find it in /etc/,
/usr/local/ssl/ or somewhere else.  The name is openssl.cnf, and
is better described in another HOWTO .  If you want to
use a different configuration file, use the argument '-config {file}'
with the command shown below.


2. Relationship with keys

Certificates are related to public key cryptography by containing a
public key.  To be useful, there must be a corresponding private key
somewhere.  With OpenSSL, public keys are easily derived from private
keys, so before you create a certificate or a certificate request, you
need to create a private key.

Private keys are generated with 'openssl genrsa' if you want a RSA
private key, or 'openssl gendsa' if you want a DSA private key.
Further information on how to create private keys can be found in
another HOWTO .  The rest of this text assumes you have
a private key in the file privkey.pem.


3. Creating a certificate request

To create a certificate, you need to start with a certificate
request (or, as some certificate authorities like to put
it, "certificate signing request", since that's exactly what they do,
they sign it and give you the result back, thus making it authentic
according to their policies).  A certificate request can then be sent
to a certificate authority to get it signed into a certificate, or if
you have your own certificate authority, you may sign it yourself, or
if you need a self-signed certificate (because you just want a test
certificate or because you are setting up your own CA).

The certificate request is created like this:

  openssl req -new -key privkey.pem -out cert.csr

Now, cert.csr can be sent to the certificate authority, if they can
handle files in PEM format.  If not, use the extra argument '-outform'
followed by the keyword for the format to use (see another HOWTO
).  In some cases, that isn't sufficient and you will
have to be more creative.

When the certificate authority has then done the checks the need to
do (and probably gotten payment from you), they will hand over your
new certificate to you.

Section 5 will tell you more on how to handle the certificate you
received.


4. Creating a self-signed test certificate

If you don't want to deal with another certificate authority, or just
want to create a test certificate for yourself.  This is similar to
creating a certificate request, but creates a certificate instead of
a certificate request.  This is NOT the recommended way to create a
CA certificate, see ca.txt.

  openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095


5. What to do with the certificate

If you created everything yourself, or if the certificate authority
was kind enough, your certificate is a raw DER thing in PEM format.
Your key most definitely is if you have followed the examples above.
However, some (most?) certificate authorities will encode them with
things like PKCS7 or PKCS12, or something else.  Depending on your
applications, this may be perfectly OK, it all depends on what they
know how to decode.  If not, There are a number of OpenSSL tools to
convert between some (most?) formats.

So, depending on your application, you may have to convert your
certificate and your key to various formats, most often also putting
them together into one file.  The ways to do this is described in
another HOWTO , I will just mention the simplest case.
In the case of a raw DER thing in PEM format, and assuming that's all
right for yor applications, simply concatenating the certificate and
the key into a new file and using that one should be enough.  With
some applications, you don't even have to do that.


By now, you have your cetificate and your private key and can start
using the software that depend on it.

-- 
Richard Levitte

http://www.openssl.org/docs/HOWTO/certificates.txt
http://freeradius.org/doc/
http://freeradius.org/download.html