This is a quick write-up of my encounter with FreeRADIUS over the past couple of weeks. It isn’t a full-blown how-to guide; I just want to point out the main differences I noticed when configuring this version compared with previous versions. When you search for details on how to configure FreeRADIUS, almost everything you find dates from before version 2. FreeRADIUS 2 has been out since the middle of 2007, with little documentation of what changed. From my point of view, unless you spend every day staring at radiusd.conf, you won’t know what has really happened after you upgrade to version 2. The main change is that radiusd.conf has been split up into modules. From a programmer’s point of view, good on them, but for a user who looks at this a couple of times a year it was quite confusing.
To outline the change: radiusd.conf used to be about 1900 lines and is now down to about 750. What they have done is put this line in the conf file:

$INCLUDE ${confdir}/modules/

which pulls a lot of the configuration out of radiusd.conf itself. So now each module/method appears in its own file inside the modules folder. Another significant and easily overlooked directory is sites-available / sites-enabled. Inside sites-available are default and inner-tunnel, both of which were required for our PEAP-MSCHAPv2 implementation against smbpasswd. The modules directory is hard to miss, but sites-enabled is not; it is just a bunch of symlinks back to sites-available.
So to get FreeRADIUS to work against smbpasswd you will need to modify the following:

/usr/local/etc/raddb/sites-available/default
    auth_log          # uncomment this line so an authentication log file is produced
    etc_smbpasswd     # uncomment this line so radiusd compiles this module

/usr/local/etc/raddb/sites-available/inner-tunnel
    etc_smbpasswd     # uncomment this line so radiusd compiles this module

/usr/local/etc/raddb/modules/
    rename the file smbpasswd to etc_smbpasswd so the file name matches the module name used above

/usr/local/etc/raddb/modules/etc_smbpasswd
    passwd smbpasswd {    # rename this line to:  passwd etc_smbpasswd {

These are the main changes that will allow FreeRADIUS to authenticate against your smbpasswd file. Other modifications should be made in:

/usr/local/etc/raddb/eap.conf
    wireless certificate
/usr/local/etc/raddb/modules/mschap
    authentication options
/usr/local/etc/raddb/clients.conf
    client configuration

Little or no modification was made to radiusd.conf in our installation apart from turning authentication request logging on.

One main problem we experienced was that after changing user passwords, the new Samba passwords didn’t authenticate right away. This is due to the hashsize in the etc_smbpasswd module being set to 100. That setting keeps up to 100 usernames and passwords cached in memory so that every authentication request doesn’t hammer your smbpasswd file. We set it to 0 so the smbpasswd file would be read on every request. This ended up with radiusd crashing every 3 hours or so. We are running this on Solaris 9. In some instances a restart would solve it, but on occasion it wouldn’t restart.

An error was found when trying to recompile all the modules. What was happening was that a core dump file was being written into /usr/local/etc/raddb/modules/, so when it came time to recompile, the $INCLUDE directive would try to read and compile what is a binary file. The last error shown when starting with debugging on (radiusd -X) is:

/usr/local/etc/raddb/modules/core[9]: Invalid expansion: `
Errors reading /usr/local/etc/raddb/radiusd.conf

The text after "Invalid expansion" varies depending on the dump file.

Currently hashsize is back at 100, and when creating new accounts or changing passwords we run kill -HUP on radiusd so all the configuration files (including smbpasswd) are re-read.
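The following POSIX shell script is an added example and is not part of the original write-up or of FreeRADIUS: it guards the kill -HUP step above against the core-dump problem by moving any non-text file out of the modules directory first, since $INCLUDE of that directory would otherwise try to parse it. It assumes module files are plain ASCII; the quarantine directory and pid file path are assumptions, not values from the text.

```shell
#!/bin/sh
# Pre-reload check for a FreeRADIUS 2 raddb/modules/ directory.
# radiusd.conf pulls in every file there via "$INCLUDE ${confdir}/modules/",
# so a core dump written into it is parsed as configuration and the next
# start fails. Move such files aside before asking radiusd to re-read.
# QUARANTINE_DIR and RADIUSD_PID_FILE are assumed paths, not from the text.

MODULES_DIR="${MODULES_DIR:-/usr/local/etc/raddb/modules}"
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/tmp/raddb-quarantine}"
RADIUSD_PID_FILE="${RADIUSD_PID_FILE:-/var/run/radiusd/radiusd.pid}"

# is_binary FILE: true if FILE holds any byte that is neither printable
# ASCII nor whitespace. A hand-written module file never does (assuming
# ASCII-only comments); a core dump always does.
is_binary() {
    n=$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c)
    [ "$((n + 0))" -gt 0 ]
}

# quarantine_binaries DIR QDIR: move every regular file in DIR that is
# named core* or fails is_binary into QDIR; print how many were moved.
quarantine_binaries() {
    dir="$1"; q="$2"; moved=0
    mkdir -p "$q"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in core*) suspect=1 ;; *) suspect=0 ;; esac
        if [ "$suspect" -eq 1 ] || is_binary "$f"; then
            mv "$f" "$q/"
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# main: quarantine, syntax-check the config (radiusd -C), then send the
# HUP from the text so radiusd re-reads its files, smbpasswd included.
main() {
    n=$(quarantine_binaries "$MODULES_DIR" "$QUARANTINE_DIR")
    if [ "$n" -gt 0 ]; then
        echo "moved $n non-text file(s) from $MODULES_DIR to $QUARANTINE_DIR; inspect them" >&2
    fi
    radiusd -C || { echo "config check failed, not reloading" >&2; exit 1; }
    kill -HUP "$(cat "$RADIUSD_PID_FILE")"
}

# Only touch the live system when explicitly asked (RADDB_CHECK_RUN=1).
if [ "${RADDB_CHECK_RUN:-0}" = 1 ]; then main; fi
```

Run it as RADDB_CHECK_RUN=1 sh thisscript.sh from the password-change procedure instead of a bare kill -HUP.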

Written by Milton Lai
