Install FreeRADIUS OES / SuSE Linux Open YaST. Click on "Install and Remove Software". Type "freeradius" (without the quotes) in the search box. Click the "Search" button. Place a checkmark in the package for freeradius. Click the "Accept" button. other operating systems Installing FreeRADIUS should be simple and straightforward. However, if there are questions about installing FreeRADIUS on a system other than OES or SuSE linux, please consult the operating system vendor or the FreeRADIUS manual.

Configure eDirectory Locate the "LDAP Group" object for the server that will authenticate the users. View the properties. Click on the "Attribute Mappings" tab. Click the "Add" button. Add an "NDS Attribute" of "RADIUS:Enable Dial Access". In the "Primary LDAP Attribute" box, enter "dialupAccess". Click the "OK" button. NOTE : If FreeRADIUS will be using an anonymous bind (no identity specified in FreeRADIUS configuration file), the public pseudo user must be given rights to the "RADIUS:Enable Dial Access" attribute. If this attribute is not returned to FreeRADIUS because the public user does not have rights, no user will authenticate. Refresh NLDAP by unloading and reloading NLDAP at the servers console.

Configure FreeRADIUS Copy the /etc/raddb/radiusd.conf to another location so that a backup is present. Open the /etc/raddb/radiusd.conf file. Locate the modules section by searching for the line "modules {". In that section, locate the ldap section (search for ldap). Change the "server" setting to point to the eDirectory LDAP server that was previously configured. If anonymous binds are not allowed, change the "identity" and "password" settings for an appropriate eDirectory account (one with rights to "dialupAccess" or "RADIUS:Enable Dial Access"), and remove the pound sign in front of them. Change the "basedn" setting to point to the top organization in the tree (e.g. "o=novell"). If TLS/SSL is a requirement on the server, add a "port = 636" line to the ldap section, and a "tls_mode = yes". These two configuration directives are not listed by default, but allow you to force SSL on the LDAP connection from the start. "default_profile" and "profile_attributes" are optional settings for obtaining profile information from the LDAP server. Locate the authorize section start by searching for the line "authorize {". In that secion, uncomment the line for "ldap". Locate the authenticate section start by searching for the line "authenticate {". That section also has a "unix" option. Comment this out. A few lines below that, it will have three lines for an "Auth-Type LDAP" subsection - uncomment those lines. Save and close the file. Open the /etc/raddb/users file. Locate the line setting for "DEFAULT Auth-Type = System". Change the setting from "System" to "LDAP". Comment out the "Fall-Through = 1" line immediately below that.

Test FreeRADIUS Start FreeRADIUS by typing the command "/etc/init.d/radiusd start". Send a test RADIUS packet using the command "radtest username password localhost 0 testing123". View the results. If you have problems, stop radius (using "/etc/init.d/radiusd stop"), and restart radius in debug mode (by running "radiusd -X") and try the radtest command again. Also, additional information may be available using DSTRACE with the LDAP option on the eDirectory server. If everything looks good on the FreeRADIUS side, you can mimmick the LDAP search to see what is returned by using the ldapsearch command (e.g. : "ldapsearch -D cn=admin,o=novell -W -h ldap.server.com -s sub -x -b o=novell '(uid=testuser)'").

Group-Enabled LDAP using FreeRADIUS Change the DEFAULT Auth-Type in the /etc/raddb/users file to Reject instead of LDAP. Duplicate the DEFAULT section. On the first DEFAULT entry, change Auth-Type to LDAP. On the first DEFAULT entry, change Fall-Through to "no" or 0. On the first DEFAULT entry (and before the Auth-Type), insert a new parameter of "Ldap-Group == ", followed by the group name in quotes, followed by a comma. Remove the attribute mapping in the "LDAP Group - SERVER" object for "RADIUS:Enable Dial Access" to "dialupAccess". Restart the FreeRADIUS service (/etc/init.d/radiusd restart).

FreeRADIUS getting too many responses because of aliases Open the /etc/raddb/radiusd.conf file. Locate the "ldap" section. Locate the "filter" configuration element. Insert "(&(objectClass=inetOrgPerson)" on the front of your filter, and add ")" to the end of it. For example: filter = "(&(objectClass=inetOrgPerson)(uid=%{Stripped-User-Name:-%{User-Name}}))" Restart the FreeRADIUS service (/etc/init.d/radiusd restart).

Setting up FreeRADIUS and eDirectory for 802.1X Authentication Prepare eDirectory by ensuring the schema is ready for Universal Password (the Schema should have nspmPassword and nspmPasswordKey attributes) Enable Universal Password. Locate the password policy you are using in your security container. On the "other" tab for it, locate the "nspmConfigurationOptions" attribute. Ensure that the attribute has the 0x20 (hexidecimal) bit set. This allows an administrator to retrieve the nspmPassword* attributes required. Add the switch or access point that will be attempting the 802.1X authentication to the /etc/raddb/clients.conf file. Create the necessary dictionary files the switch/access point will require in the /etc/raddb/dictionary file. Open the /etc/raddb/radiusd.conf file. Locate the ldap configuration (just search for the "ldap {" section). Set the server to an appropriate LDAP server for eDirectory. Set the identity to an administrative account (e.g. cn=admin,o=novell). Set the password for the above specified account. Set the Base DN to the container where you want to start looking for users. Comment out the "start_tls = yes" and add a "tls_mode = yes". Add a "port = 636" setting. (This and the previous options are designed to force the entire connection over SSL/TLS, a requirement for retrieving the nspmPassword* attributes). Set the "password_attribute" option to "nspmPassword". Set the "edir_account_policy_check" option to "yes". *optional* If not using the dialAccess attribute, create an option "access_attr_used_for_allow" with a value of "no". Locate the "authorize {" section in the same file. Uncomment the "ldap" option in there. Locate the "authenticate {" section. Uncomment the "Auth-Type LDAP" section (3 lines). Open the /etc/raddb/users file. Create a new line : "DEFAULT Auth-Type := EAP" . *optional* If your clients are sending a domain with them, add a ', Prefix == "DOMAIN\\", Strip-User-Name = Yes' to the line. Add any VLAN/Tunnelling/Default attributes you wish returned to the radius client (configured in step 7) Restart radiusd (/etc/init.d/radiusd stop && /etc/init.d/radiusd start) Test the authentication.

There is a difference between the radiusd binary and the radiusd startup script in the /etc/init.d/ directory. If you use the startup script, you will need to use only parameters for start, stop, or restart. If using the binary, you have the option of using any parameters and switches that the 'man radiusd' will show. If you have eliminated anonymous binds, you will need to set the "identity" and "password" settings in the radiusd.conf file. If you have requirements for TLS for all operations, you will need to set the "start_tls" option to "yes". RADIUS:Profile objects in eDirectory will have an objectClass attribute of "radiusprofile", and that can easily get in the way of some profile attributes on user accounts. You can change what information is returned on the "LDAP Group" object's "Attribute Mappings" tab. The option is available if desired to filter on objectClass's. The setting in the radiusd.conf file is "base_filter". This can be used to require certain attributes, or objectClass values (e.g. "(objectClass=iFolderUser)").