NSLU2-Linux
view · edit · print · history

(redirected from Unslung.FreeRadius)

FreeRadius is here, please test.


How to use FreeRadius

  • If someone knows more than me about radius please write a how to here
  • in the mean time look here for more information on the freeradius server.
  • You may also wish to check the official FreeRADIUS Wiki

If you have issues with this software post them here.

  • Try to install FreeRadius, but when try to run there is error message:

/opt/sbin/radiusd: error while loading shared libraries: libltdl.so.3: cannot open shared object file: No such file or directory

  • to solve the problem above, install the libtool package

---

  • I have also try to install FreeRadius on a DS101j?, but when try to run there is error message (radiusd -X):

Module: Library search path is /opt/lib radiusd.conf[1367] Failed to link to module 'rlm_exec': /opt/lib/libdl.so.2: sym bol _dl_open, version GLIBC_2.0 not defined in file libc.so.6 with link time ref erence

  • to solve the problem above, i have just type: rm /opt/lib/libdl.so.2

---

  • If you try to connect with a Windows Vista machine to an optware FreeRadius server, it won't connect although Windows XP works.

This is because the optware freeradius is version 1.0.5-4 and Vista compatibility is supported from version 1.1.3.

Update - the current feed is 1.1.7-2. However, I don't run Vista, so can't say if that's all that's rquired.


I have done some reading on this the confile(s) is LARGE :) and there is not so much help provided... FreeRadius works I confirmed it with a tool "ntradping" as a root and as a user. The problems I got is openssl and creating a certifikate for running it with PEAP and TLS. If cert. can be created Im finished for trying it on my wlan-

The most important parts in the conf files can be found here: http://tldp.org/HOWTO/html_single/8021X-HOWTO/ ssl help here (I got errors) http://www.eclectica.ca/howto/ssl-cert-howto.php

If you got errors when using the guide at http://www.eclectica.ca/howto/ssl-cert-howto.php Edit the openssl.cnf file like this:

  • private_key = $dir./private/cakey
  • aserial = $dir/serial
  • database = $dir/index.txt
  • new_certs_dir = $dir/newcerts
  • certificate = $dir/cacert.pem

change those lines to:

  • private_key = ./private/cakey.
  • aserial = ./serial
  • database = ./index.txt
  • new_certs_dir = ./newcerts
  • certificate = ./cacert.pem

I dont now why the eror occurs but with the changes its O.K.=)

  • finally change the first line from "dir" to "HOME"

Then follow the guide as is, it works for me at least.

"


It took quite a bit of work to get radiusd running on unslung.

Here is an improved startup script that handles the requisite configuration. (You still need to setup your radiusd.conf per your requirements.)

If you're wondering about the 'under cron' comment, it's because there's a nightly script that restarts my server with updated X.509 CRLs/certificates. You need to do that if you have certificates that expire or can be revoked. An excerpt of mine (without some other site-specific stuff) follows.

/opt/etc/init.d/S550radiusd

 
#!/bin/sh
#
# Setup for radiusd
#

if [ -e /opt/etc/config ]; then
    . /opt/etc/config
fi

RADIUSCFG=/opt/etc/raddb/radiusd.conf 

config () {
    #
    # bind to the correct interface address - use either bind_address or listen directives
    #
    if [ -n "$RADIUSBINDADDR" ]; then
	if grep -q "bind_address = " $RADIUSCFG && ! grep -q "bind_address = $RADIUSBINDADDR" $RADIUSCFG ; then
	    sed -i -e "s/bind_address = .*$/bind_address = $RADIUSBINDADDR/" \
		$RADIUSCFG
	fi
	if grep -q "ipaddr = " $RADIUSCFG && ! grep -q "ipaddr = $RADIUSBINDADDR" $RADIUSCFG ; then
	    sed -i -e "/listen {/,/}/s/ipaddr = .*$/ipaddr = $RADIUSBINDADDR/" \
		$RADIUSCFG
	fi
    fi

    #
    # define the radiusd user and group
    #
    sed -i -e'/radiusd/d' -e'/nobody/iradiusd:x:95:95:radiusd user:/:/opt/bin/false' `/opt/bin/resolve_dhcp /etc/passwd`
    sed -i -e'/radiusd/d' -e'/nobody/iradiusd:x:95:' `/opt/bin/resolve_dhcp /etc/group`

    #
    # Remove kit's mis-placed files.  Use this startup file rather than the distributed one.
    #
    rm -f /opt/etc/init.d/S55freeradius

    if [ -d /var/spool/radius ]; then rm -rf /var/spool/radius ; fi
    #
    if [ ! -d /opt/var/log/radius/radacct ] ;  then
	mkdir -p /opt/var/log/radius/radacct
    fi
    if [ ! -d /opt/var/run/radiusd ] ;  then
	mkdir -p /opt/var/run/radiusd
    fi

    chmod g+rws,o-rw /opt/var/log/radius/ /opt/var/run/radiusd /opt/var/log/radius/radacct
    chown root.radiusd /opt/var/log/radius/ /opt/var/run/radiusd
    chown radiusd.radiusd /opt/var/log/radius/radacct
    chmod g+rx,o+rx /opt/etc/raddb /opt/var/log

    return
}

start () {
    echo -n "Starting RADIUS Server: "
    if [ -n "`pidof radiusd`" ]; then 
	echo "already running..."
	false
	return
    fi

    config

#    export LD_LIBRARY_PATH=/opt/lib:/lib:/usr/lib:/usr/local/lib
    export PATH=/opt/sbin:/opt/bin:/usr/sbin:/usr/bin:/sbin:/bin
    echo ""
    # The </dev/null ensures that radiusd has a stdin (it doesn't read from it).
    # Under cron, stdin is not opened; radiusd writes infinite log files complaining about
    # "socket operations to a non-socket."  It probably thinks it's running under inetd...
    # This hack prevents the runaway log files.
    /opt/sbin/radiusd $RADIUSFLAGS </dev/null
#   radiusd announces itself
#    echo "started"
    return
}

stop () {
    echo -n "Shutting down RADIUS Server: "
    if [ -n "`pidof radiusd`" ]; then 
	/bin/killall radiusd 2>/dev/null
	sleep 5
    fi
    if [ -n "`pidof radiusd`" ]; then 
	echo "Failed"
	/bin/false
    else
	echo "OK"
    fi
    return
}

rstatus () {
    pids="`pidof radiusd`"
    pidf=" `cat /opt/var/run/radiusd/radiusd.pid 2>&1`"

    for p in $pids ; do
	if [ $p = $pidf ]; then
	    echo "Server is running (pids $pids)"
	    return
	fi
    done

    if [ -n "$pids" ]; then
	echo "Server is running (pid $pid), but /opt/var/run/radiusd/radiusd.pid doesn't match"
    else
	echo "Server is stopped"
	/bin/false
    fi
    return
}

restart () {
    stop
    start
}

#
# Mainline: command decode and dispatch
#
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        rstatus
        ;;
  restart|reload)
        restart
        ;;
  condrestart)
        [ -n "`pidof radiusd`" ] && restart
        ;;
  *)
        echo "Usage: $0 {start|stop|status|restart|condrestart}"
        exit 1
esac
exit $?

This is (a subset of) the cron job

/etc/crontab

 
23 2 * * * root /opt/sbin/radiuscron updatecrl

/opt/sbin/radiuscron

 

#!/bin/sh

#
# url from which to fetch CRL updates
#
CRLSOURCE="http://somesite.example.com/mycrl.crl"
#
# filename of CRL
#
CRLNAME=crlfilename

updatecrl () {
    if [ -z "$CRLSOURCE" ]; then return ; fi
    PWD=`pwd`
    cd /opt/etc/raddb/certs
    if wget -q -O $CRLNAME.new $CRLSOURCE ; then
        mv $CRLNAME.new ca/$CRLNAME.pem
        chmod g+r,o+r ca/$CRLNAME.pem
        ./c_rehash ca >/dev/null
        /opt/etc/init.d/S550radiusd restart >/dev/null 2>&1
    fi
    cd $PWD
}

case "$1" in
    updatecrl)
        updatecrl
        ;;
    *)
        echo "Usage: $0 {updatecrl}"
        exit 1;;
esac
exit

This is the c_rehash utility:

/opt/etc/raddb/certs/c_rehash

 
#!/bin/sh
#
# Ben Secrest <blsecres@gmail.com>
#
# sh c_rehash script, scan all files in a directory
# and add symbolic links to their hash values.
#
# based on the c_rehash perl script distributed with openssl
#
# LICENSE: See OpenSSL license
# ^^acceptable?^^
#

# default certificate location
DIR=/etc/openssl

# for filetype bitfield
IS_CERT=$(( 1 << 0 ))
IS_CRL=$(( 1 << 1 ))


#
# check to see if a file is a certificate file or a CRL file
# arguments:
#       1. the filename to be scanned
# returns:
#       bitfield of file type; uses ${IS_CERT} and ${IS_CRL}
#
check_file()
{
    local IS_TYPE=0

    # make IFS a newline so we can process grep output line by line
    local OLDIFS=${IFS}
    IFS=$( printf "\n" )

    # XXX: could be more efficient to have two 'grep -m' but is -m portable?
    for LINE in $( grep '^-----BEGIN .*-----' ${1} )
    do
        if echo ${LINE} \
            | grep -q -E '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----'
        then
            IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} ))

            if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ]
            then
                break
            fi
        elif echo ${LINE} | grep -q '^-----BEGIN X509 CRL-----'
        then
            IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} ))

            if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ]
            then
                break
            fi
        fi
    done

    # restore IFS
    IFS=${OLDIFS}

    return ${IS_TYPE}
}


#
# use openssl to fingerprint a file
#    arguments:
#       1. the filename to fingerprint
#       2. the method to use (x509, crl)
#    returns:
#       none
#    assumptions:
#       user will capture output from last stage of pipeline
#
fingerprint()
{
    ${SSL_CMD} ${2} -fingerprint -noout -in ${1} | sed 's/^.*=//' | tr -d ':'
}


#
# link_hash - create links to certificate files
#    arguments:
#       1. the filename to create a link for
#       2. the type of certificate being linked (x509, crl)
#    returns:
#       0 on success, 1 otherwise
#
link_hash()
{
    local FINGERPRINT=$( fingerprint ${1} ${2} )
    local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} )
    local SUFFIX=0
    local LINKFILE=''
    local TAG=''

    if [ ${2} = "crl" ]
    then
        TAG='r'
    fi

    LINKFILE=${HASH}.${TAG}${SUFFIX}

    while [ -f ${LINKFILE} ]
    do
        if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ]
        then
            printf "WARNING: Skipping duplicate file ${1}\n" >&2
            return 1
        fi

        SUFFIX=$(( ${SUFFIX} + 1 ))
        LINKFILE=${HASH}.${TAG}${SUFFIX}
    done

    printf "${1} => ${LINKFILE}\n"

    # assume any system with a POSIX shell will either support symlinks or
    # do something to handle this gracefully
    ln -s ${1} ${LINKFILE}

    return 0
}


# hash_dir create hash links in a given directory
hash_dir()
{
    printf "Doing ${1}\n"

    cd ${1}

    for FILE in *
    do
        # no files in directory at all, no point in continuing
        # TL: Added -h to handle first file being a link.
        if ! [ -f ${FILE} ] && ! [ -h ${FILE} ]
        then
            return 1
        fi

        if echo ${FILE} | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \
                && [ -h "${FILE}" ]
        then
            rm ${FILE}
        fi
    done

    for FILE in *.pem
    do
        # no pem files so FILE gets set to the unexpanded *.pem
        # TL: allow links
        if [ ! -f ${FILE} ] && [ ! -h ${FILE} ]
        then
            break
        fi

        # hash links aren't *.pem, so nothing special for links.

        check_file ${FILE}
        local FILE_TYPE=${?}
        local TYPE_STR=''

        if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ]
        then
            TYPE_STR='x509'
        elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ]
        then
            TYPE_STR='crl'
        else
            printf "WARNING: ${FILE} does not contain a certificate or CRL: skipping\n" >&2
            continue
        fi

        link_hash ${FILE} ${TYPE_STR}
    done
}


# choose the name of an ssl application
if [ -n "${OPENSSL}" ]
then
    SSL_CMD=${OPENSSL}
else
    SSL_CMD=openssl
    OPENSSL=${SSL_CMD}
    export ${OPENSSL}
fi

# fix paths
PATH=${PATH}:${DIR}/bin
export PATH

# confirm existance/executability of ssl command
if ! [ -x $( which ${SSL_CMD} ) ]
then
    printf "${0}: rehashing skipped ('openssl' program not available)\n" >&2
    exit 0
fi

# determine which directories to process
# XXX: can't handle directories with spaces in names
# XXX: ...use \n as dir separator and manipulate IFS?
if [ ${#} -gt 0 ]
then
    DIRLIST=${*}
elif [ -n "${SSL_CERT_DIR}" ]
then
    DIRLIST=$( echo ${SSL_CERT_DIR} | tr ':' ' ' )
else
    DIRLIST=${DIR}/certs
fi

# process directories
for CERT_DIR in ${DIRLIST}
do
    if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ]
    then
        hash_dir ${CERT_DIR}
    fi
done

Finally, here's the 'resolve_dhcp' script (used by the startup script) - the name is historical; it simply does a realpath for a file.

/opt/bin/resolve_dhcp

 
#!/bin/sh
#
# Resolve symbolic link to underlying file

file=$1
parent=$2
case $file in
    /*)
        ;;
    *)
        if [ -z "$parent" ]; then
            PWD=`pwd`
            file="$PWD/$file"
        else
            file="`dirname $parent`/$file"
        fi
        ;;
esac
CHANGED=true
while [ "X$CHANGED" != "X" ]
do
    # Change spaces to ":" so the tokens can be parsed by for.
    file=`echo $file | sed -e 's; ;:;g'`
    # Get the real path to this file, resolving any symbolic links
    TOKENS=`echo $file | sed -e 's;/; ;g'`
    REALPATH=
    for C in $TOKENS; do
        REALPATH="$REALPATH/$C"
        while [ -h "$REALPATH" ] ; do
            LS="`ls -ld "$REALPATH"`"
            LINK="`expr "$LS" : '.*-> \(.*\)$'`"
            if expr "$LINK" : '/.*' > /dev/null; then
                REALPATH="$LINK"
            else
                REALPATH="`dirname "$REALPATH"`""/$LINK"
            fi
        done
    done
    # Change ":" chars back to spaces.
    REALPATH=`echo $REALPATH | sed -e 's;:; ;g'`

    if [ "$REALPATH" = "$file" ]
    then
        CHANGED=""
    else
        file="$REALPATH"
    fi
done
echo $file

enjoy,

    --tlhackque

view · edit · print · history · Last edited by tlhackque.
Based on work by tlhackque, Gary Tomato, ArnaudSt, janne5011, rodmcban, TuanND from VIETnam, Nix, and ChrisE.
Originally by ChrisE.
Page last modified on April 27, 2008, at 06:40 PM