NSLU2-Linux
- FAQ: Frequently Asked Questions
- Donations
- Downloads
- Trac Bug Tracker
- Package Search Engine
- All Recent Wiki Changes
General
- HowTo Recipes
- Cool Peripherals
- Cool Applications
- Information Pages
- Ideas and Wish List
- Slug Success Stories
- Slug-Related Articles
- Project Mailing Lists
- Project IRC Channels
- Donations and Sponsors
- NSLU2-Linux Photo Gallery
OS/Firmware Projects
- NSLU2-Linux Development
- How Do I Get Involved?
- Unslung Firmware
- Debian Installation
- SlugOS Firmware
- OpenSlug Firmware
- SlugOS/LE Firmware
- OpenWrt Firmware
- Angstrom Firmware
- UcSlugC Firmware
- GentooSlug Firmware
- UpSlug Upload Tool
- Puppy Topfield Access
Firmware Targets
Optware
Optware Targets
Other Hardware
Wiki Resources
Sponsored Links
hosting by:
Optware.FreeRadius History
Hide minor edits - Show changes to markup
If you're wondering about the 'under cron' comment, it's because there's a nightly script that restarts my server with updated X.509 !CRLs?/certificates. You need to do that if you have certificates that expire or can be revoked. An excerpt of mine (without some other site-specific stuff) follows.
If you're wondering about the 'under cron' comment, it's because there's a nightly script that restarts my server with updated X.509 CRLs/certificates. You need to do that if you have certificates that expire or can be revoked. An excerpt of mine (without some other site-specific stuff) follows.
If you're wondering about the 'under cron' comment, it's because there's a nightly script that restarts my server with updated X.509 CRLs?/certificates. You need to do that if you have certificates that expire or can be revoked. An excerpt of mine (without some other site-specific stuff) follows.
# bind to the correct interface address
# bind to the correct interface address - use either bind_address or listen directives
if ! grep -q "bind_address = $RADIUSBINDADDR" $RADIUSCFG ; then
if grep -q "bind_address = " $RADIUSCFG && ! grep -q "bind_address = $RADIUSBINDADDR" $RADIUSCFG ; then
if grep -q "ipaddr = " $RADIUSCFG && ! grep -q "ipaddr = $RADIUSBINDADDR" $RADIUSCFG ; then
sed -i -e "/listen {/,/}/s/ipaddr = .*$/ipaddr = $RADIUSBINDADDR/" $RADIUSCFG
fi
Finally, here's the 'resolve_dhcp' script (used by the startup script) - the name is historical; it simply does a realpath for a file.
/opt/bin/resolve_dhcp
#!/bin/sh
#
# Resolve symbolic link to underlying file
file=$1
parent=$2
case $file in
/*)
;;
*)
if [ -z "$parent" ]; then
PWD=`pwd`
file="$PWD/$file"
else
file="`dirname $parent`/$file"
fi
;;
esac
CHANGED=true
while [ "X$CHANGED" != "X" ]
do
# Change spaces to ":" so the tokens can be parsed by for.
file=`echo $file | sed -e 's; ;:;g'`
# Get the real path to this file, resolving any symbolic links
TOKENS=`echo $file | sed -e 's;/; ;g'`
REALPATH=
for C in $TOKENS; do
REALPATH="$REALPATH/$C"
while [ -h "$REALPATH" ] ; do
LS="`ls -ld "$REALPATH"`"
LINK="`expr "$LS" : '.*-> \(.*\)$'`"
if expr "$LINK" : '/.*' > /dev/null; then
REALPATH="$LINK"
else
REALPATH="`dirname "$REALPATH"`""/$LINK"
fi
done
done
# Change ":" chars back to spaces.
REALPATH=`echo $REALPATH | sed -e 's;:; ;g'`
if [ "$REALPATH" = "$file" ]
then
CHANGED=""
else
file="$REALPATH"
fi
done
echo $file
Update - the current feed is 1.1.7-2. However, I don't run Vista, so can't say if that's all that's rquired.
It took quite a bit of work to get radiusd running on unslung.
Here is an improved startup script that handles the requisite configuration. (You still need to setup your radiusd.conf per your requirements.)
If you're wondering about the 'under cron' comment, it's because there's a nightly script that restarts my server with updated X.509 CRLs?/certificates. You need to do that if you have certificates that expire or can be revoked. An excerpt of mine (without some other site-specific stuff) follows.
/opt/etc/init.d/S550radiusd
#!/bin/sh
#
# Setup for radiusd
#
if [ -e /opt/etc/config ]; then
. /opt/etc/config
fi
RADIUSCFG=/opt/etc/raddb/radiusd.conf
config () {
#
# bind to the correct interface address
#
if [ -n "$RADIUSBINDADDR" ]; then
if ! grep -q "bind_address = $RADIUSBINDADDR" $RADIUSCFG ; then
sed -i -e "s/bind_address = .*$/bind_address = $RADIUSBINDADDR/" \
$RADIUSCFG
fi
fi
#
# define the radiusd user and group
#
sed -i -e'/radiusd/d' -e'/nobody/iradiusd:x:95:95:radiusd user:/:/opt/bin/false' `/opt/bin/resolve_dhcp /etc/passwd`
sed -i -e'/radiusd/d' -e'/nobody/iradiusd:x:95:' `/opt/bin/resolve_dhcp /etc/group`
#
# Remove kit's mis-placed files. Use this startup file rather than the distributed one.
#
rm -f /opt/etc/init.d/S55freeradius
if [ -d /var/spool/radius ]; then rm -rf /var/spool/radius ; fi
#
if [ ! -d /opt/var/log/radius/radacct ] ; then
mkdir -p /opt/var/log/radius/radacct
fi
if [ ! -d /opt/var/run/radiusd ] ; then
mkdir -p /opt/var/run/radiusd
fi
chmod g+rws,o-rw /opt/var/log/radius/ /opt/var/run/radiusd /opt/var/log/radius/radacct
chown root.radiusd /opt/var/log/radius/ /opt/var/run/radiusd
chown radiusd.radiusd /opt/var/log/radius/radacct
chmod g+rx,o+rx /opt/etc/raddb /opt/var/log
return
}
start () {
echo -n "Starting RADIUS Server: "
if [ -n "`pidof radiusd`" ]; then
echo "already running..."
false
return
fi
config
# export LD_LIBRARY_PATH=/opt/lib:/lib:/usr/lib:/usr/local/lib
export PATH=/opt/sbin:/opt/bin:/usr/sbin:/usr/bin:/sbin:/bin
echo ""
# The </dev/null ensures that radiusd has a stdin (it doesn't read from it).
# Under cron, stdin is not opened; radiusd writes infinite log files complaining about
# "socket operations to a non-socket." It probably thinks it's running under inetd...
# This hack prevents the runaway log files.
/opt/sbin/radiusd $RADIUSFLAGS </dev/null
# radiusd announces itself
# echo "started"
return
}
stop () {
echo -n "Shutting down RADIUS Server: "
if [ -n "`pidof radiusd`" ]; then
/bin/killall radiusd 2>/dev/null
sleep 5
fi
if [ -n "`pidof radiusd`" ]; then
echo "Failed"
/bin/false
else
echo "OK"
fi
return
}
rstatus () {
pids="`pidof radiusd`"
pidf=" `cat /opt/var/run/radiusd/radiusd.pid 2>&1`"
for p in $pids ; do
if [ $p = $pidf ]; then
echo "Server is running (pids $pids)"
return
fi
done
if [ -n "$pids" ]; then
echo "Server is running (pid $pid), but /opt/var/run/radiusd/radiusd.pid doesn't match"
else
echo "Server is stopped"
/bin/false
fi
return
}
restart () {
stop
start
}
#
# Mainline: command decode and dispatch
#
case "$1" in
start)
start
;;
stop)
stop
;;
status)
rstatus
;;
restart|reload)
restart
;;
condrestart)
[ -n "`pidof radiusd`" ] && restart
;;
*)
echo "Usage: $0 {start|stop|status|restart|condrestart}"
exit 1
esac
exit $?
This is (a subset of) the cron job
/etc/crontab
23 2 * * * root /opt/sbin/radiuscron updatecrl
/opt/sbin/radiuscron
#!/bin/sh
#
# url from which to fetch CRL updates
#
CRLSOURCE="http://somesite.example.com/mycrl.crl"
#
# filename of CRL
#
CRLNAME=crlfilename
updatecrl () {
if [ -z "$CRLSOURCE" ]; then return ; fi
PWD=`pwd`
cd /opt/etc/raddb/certs
if wget -q -O $CRLNAME.new $CRLSOURCE ; then
mv $CRLNAME.new ca/$CRLNAME.pem
chmod g+r,o+r ca/$CRLNAME.pem
./c_rehash ca >/dev/null
/opt/etc/init.d/S550radiusd restart >/dev/null 2>&1
fi
cd $PWD
}
case "$1" in
updatecrl)
updatecrl
;;
*)
echo "Usage: $0 {updatecrl}"
exit 1;;
esac
exit
This is the c_rehash utility:
/opt/etc/raddb/certs/c_rehash
#!/bin/sh
#
# Ben Secrest <blsecres@gmail.com>
#
# sh c_rehash script, scan all files in a directory
# and add symbolic links to their hash values.
#
# based on the c_rehash perl script distributed with openssl
#
# LICENSE: See OpenSSL license
# ^^acceptable?^^
#
# default certificate location
DIR=/etc/openssl
# for filetype bitfield
IS_CERT=$(( 1 << 0 ))
IS_CRL=$(( 1 << 1 ))
#
# check to see if a file is a certificate file or a CRL file
# arguments:
# 1. the filename to be scanned
# returns:
# bitfield of file type; uses ${IS_CERT} and ${IS_CRL}
#
check_file()
{
local IS_TYPE=0
# make IFS a newline so we can process grep output line by line
local OLDIFS=${IFS}
IFS=$( printf "\n" )
# XXX: could be more efficient to have two 'grep -m' but is -m portable?
for LINE in $( grep '^-----BEGIN .*-----' ${1} )
do
if echo ${LINE} \
| grep -q -E '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----'
then
IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} ))
if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ]
then
break
fi
elif echo ${LINE} | grep -q '^-----BEGIN X509 CRL-----'
then
IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} ))
if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ]
then
break
fi
fi
done
# restore IFS
IFS=${OLDIFS}
return ${IS_TYPE}
}
#
# use openssl to fingerprint a file
# arguments:
# 1. the filename to fingerprint
# 2. the method to use (x509, crl)
# returns:
# none
# assumptions:
# user will capture output from last stage of pipeline
#
fingerprint()
{
${SSL_CMD} ${2} -fingerprint -noout -in ${1} | sed 's/^.*=//' | tr -d ':'
}
#
# link_hash - create links to certificate files
# arguments:
# 1. the filename to create a link for
# 2. the type of certificate being linked (x509, crl)
# returns:
# 0 on success, 1 otherwise
#
link_hash()
{
local FINGERPRINT=$( fingerprint ${1} ${2} )
local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} )
local SUFFIX=0
local LINKFILE=''
local TAG=''
if [ ${2} = "crl" ]
then
TAG='r'
fi
LINKFILE=${HASH}.${TAG}${SUFFIX}
while [ -f ${LINKFILE} ]
do
if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ]
then
printf "WARNING: Skipping duplicate file ${1}\n" >&2
return 1
fi
SUFFIX=$(( ${SUFFIX} + 1 ))
LINKFILE=${HASH}.${TAG}${SUFFIX}
done
printf "${1} => ${LINKFILE}\n"
# assume any system with a POSIX shell will either support symlinks or
# do something to handle this gracefully
ln -s ${1} ${LINKFILE}
return 0
}
# hash_dir create hash links in a given directory
hash_dir()
{
printf "Doing ${1}\n"
cd ${1}
for FILE in *
do
# no files in directory at all, no point in continuing
# TL: Added -h to handle first file being a link.
if ! [ -f ${FILE} ] && ! [ -h ${FILE} ]
then
return 1
fi
if echo ${FILE} | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \
&& [ -h "${FILE}" ]
then
rm ${FILE}
fi
done
for FILE in *.pem
do
# no pem files so FILE gets set to the unexpanded *.pem
# TL: allow links
if [ ! -f ${FILE} ] && [ ! -h ${FILE} ]
then
break
fi
# hash links aren't *.pem, so nothing special for links.
check_file ${FILE}
local FILE_TYPE=${?}
local TYPE_STR=''
if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ]
then
TYPE_STR='x509'
elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ]
then
TYPE_STR='crl'
else
printf "WARNING: ${FILE} does not contain a certificate or CRL: skipping\n" >&2
continue
fi
link_hash ${FILE} ${TYPE_STR}
done
}
# choose the name of an ssl application
if [ -n "${OPENSSL}" ]
then
SSL_CMD=${OPENSSL}
else
SSL_CMD=openssl
OPENSSL=${SSL_CMD}
export ${OPENSSL}
fi
# fix paths
PATH=${PATH}:${DIR}/bin
export PATH
# confirm existance/executability of ssl command
if ! [ -x $( which ${SSL_CMD} ) ]
then
printf "${0}: rehashing skipped ('openssl' program not available)\n" >&2
exit 0
fi
# determine which directories to process
# XXX: can't handle directories with spaces in names
# XXX: ...use \n as dir separator and manipulate IFS?
if [ ${#} -gt 0 ]
then
DIRLIST=${*}
elif [ -n "${SSL_CERT_DIR}" ]
then
DIRLIST=$( echo ${SSL_CERT_DIR} | tr ':' ' ' )
else
DIRLIST=${DIR}/certs
fi
# process directories
for CERT_DIR in ${DIRLIST}
do
if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ]
then
hash_dir ${CERT_DIR}
fi
done
enjoy,
--tlhackque
- If you try to connect with a Windows Vista machine to an optware FreeRADIUS? server, it won't connect although Windows XP works.
- If you try to connect with a Windows Vista machine to an optware FreeRadius server, it won't connect although Windows XP works.
---
- If you try to connect with a Windows Vista machine to an optware FreeRADIUS? server, it won't connect although Windows XP works.
This is because the optware freeradius is version 1.0.5-4 and Vista compatibility is supported from version 1.1.3.
---
- I have also try to install FreeRadius on a DS101j?, but when try to run there is error message (radiusd -X):
Module: Library search path is /opt/lib radiusd.conf[1367] Failed to link to module 'rlm_exec': /opt/lib/libdl.so.2: sym bol _dl_open, version GLIBC_2.0 not defined in file libc.so.6 with link time ref erence
- to solve the problem above, i have just type: rm /opt/lib/libdl.so.2
I dont now why the eror occurs but with the changes its O.K.=)
- private_key = $dir./private/cakey
Edit the openssl.cnf file like this:
follow the guide as is, it works for me at least.
Then follow the guide as is, it works for me at least.
To be continued...
If you got errors when using the guide at http://www.eclectica.ca/howto/ssl-cert-howto.php
- aserial = $dir/serial
- database = $dir/index.txt
- new_certs_dir = $dir/newcerts
- certificate = $dir/cacert.pem
change those lines to:
- private_key = ./private/cakey.
- aserial = ./serial
- database = ./index.txt
- new_certs_dir = ./newcerts
- certificate = ./cacert.pem
- finally change the first line from "dir" to "HOME"
follow the guide as is, it works for me at least.
"
I have done some reading on this the confiles is LARGE :) and there is not so
I have done some reading on this the confile(s) is LARGE :) and there is not so
one problem is that I cant find any helpscript for creating the "cacert.pem" since this is not included in radbb-folder for doing the certificates (or is it me doing wrong?) so one must do this: 1.install opensll 2. then command: openssl genrsa -out privkey.pem 2048 then: openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 The searchway to "cacert.pem" should later be in the eap.conf
also "cert-srv.pem" should be there under "Trusted Root CA list"
hope someone can verify Im on the right direction here
FreeRadius works I confirmed it with a tool "ntradping" as a root and as a user. The problems I got is openssl and creating a certifikate for running it with PEAP and TLS. If cert. can be created Im finished for trying it on my wlan-
The most important parts in the conf files can be found here: http://tldp.org/HOWTO/html_single/8021X-HOWTO/ ssl help here (I got errors) http://www.eclectica.ca/howto/ssl-cert-howto.php
To be continued...
- to solve the problem above, install the libtool package
- to solve the problem above, install the libtool package
I have done some reading on this the confiles is LARGE :) and there is not so much help provided... one problem is that I cant find any helpscript for creating the "cacert.pem" since this is not included in radbb-folder for doing the certificates (or is it me doing wrong?) so one must do this: 1.install opensll 2. then command: openssl genrsa -out privkey.pem 2048 then: openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 The searchway to "cacert.pem" should later be in the eap.conf
also "cert-srv.pem" should be there under "Trusted Root CA list"
hope someone can verify Im on the right direction here
- to solve the problem above, install the libtool package
- Try to install FreeRadius, but when try to run there is error message:
/opt/sbin/radiusd: error while loading shared libraries: libltdl.so.3: cannot open shared object file: No such file or directory
- You may also wish to check the official FreeRADIUS Wiki
Coming soon to a NSLU2 near you.
FreeRadius is here, please test.
Updates:
- Packages compiles and runs. It should show up on the ipkg server in the next few days. It would be helpful if someone who knew more about radius than I do could check it out and maybe write a mini how-to here.
How to use FreeRadius
- If someone knows more than me about radius please write a how to here
- in the mean time look http://www.onlamp.com/pub/a/onlamp/excerpt/radius_5/index1.html here for more information on the freeradius server.
If you have issues with this software post them here.
Coming soon to a NSLU2 near you. Keep checking back for updates. Should be done in the next 2 days.
Coming soon to a NSLU2 near you.
- Packages compiles and runs, need to clean up packaging a library implemention.
- Packages compiles and runs. It should show up on the ipkg server in the next few days. It would be helpful if someone who knew more about radius than I do could check it out and maybe write a mini how-to here.
Coming soon to a NSLU2 near you. Keep checking back for updates. Should be done in a week or so.
Coming soon to a NSLU2 near you. Keep checking back for updates. Should be done in the next 2 days.
- Packages compiles and daemon runs seem to be configuration issues though
- Packages compiles and runs, need to clean up packaging a library implemention.
Describe FreeRadius here.
Coming soon to a NSLU2 near you. Keep checking back for updates. Should be done in a week or so.
Updates:
- Packages compiles and daemon runs seem to be configuration issues though