| Anonymous | Login | 2024-11-21 01:34 MST |
| Main | My View | View Issues | Change Log | Roadmap | Repositories |
| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||
| 0006101 | ClearOS | app-radius - RADIUS Server | public | 2015-11-12 08:56 | 2016-04-27 18:42 | ||||
| Reporter | user2 | ||||||||
| Assigned To | dloper | ||||||||
| Priority | normal | Severity | minor | Reproducibility | have not tried | ||||
| Status | closed | Resolution | fixed | ||||||
| Platform | OS | OS Version | |||||||
| Product Version | 7.1.0 | ||||||||
| Target Version | 7.2.0 Updates | Fixed in Version | 7.2.0 Updates | ||||||
| Summary | 0006101: Complete RADIUS app in ClearOS 7 | ||||||||
| Description | See subject. Also see forum post: https://www.clearos.com/clearfoundation/social/community/working-radius-configuration-for-clearos-7 [^] | ||||||||
| Tags | No tags attached. | ||||||||
| Attached Files | |||||||||
 Relationships |
|
 Relationships |
|
Notes |
|
|
(0002101) dloper (administrator) 2015-11-12 09:07 |
For more info, see: https://www.clearos.com/clearfoundation/social/community/radius-server-not-starting#reply-89321 [^] |
|
(0003101) dloper (administrator) 2016-04-19 17:43 |
The file /etc/raddb/mods-available/ldap uses an older convention for its format. Should be more like this: ldap { server = "localhost" identity = "cn=manager,ou=Internal,dc=system,dc=lan" password = odt6Xj4EvVrY3ocj base_dn = "dc=system,dc=lan" update { control:Password-With-Header += 'userPassword' } user { base_dn = "${..base_dn}" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" } group { base_dn = "${..base_dn}" filter = "(objectClass=posixGroup)" membership_attribute = "memberOf" } profile { } client { base_dn = "${..base_dn}" filter = '(objectClass=frClient)' attribute { identifier = 'radiusClientIdentifier' secret = 'radiusClientSecret' } } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" type { start { update { description := "Online at %S" } } interim-update { update { description := "Last seen at %S" } } stop { update { description := "Offline at %S" } } } } post-auth { update { description := "Authenticated at %S" } } options { chase_referrals = yes rebind = yes timeout = 10 timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } tls { start_tls = no } pool { start = 5 min = 4 max = ${thread[pool].max_servers} spare = 3 uses = 0 lifetime = 0 idle_timeout = 60 } } |
|
(0003111) dloper (administrator) 2016-04-20 13:09 |
For the EAP tunnel, it would be best to run it through MSCHAP rather than the older process of looking up the hashes directly in LDAP and then comparing the hashes. To make this change we merely do the following: usermod -a -G wbpriv radiusd This allow radius to submit ntlm_auth requests to the winbind socket at /var/lib/samba/winbindd_privileged/pipe Then you need to turn on the ntlm_auth with the following patch: --- /etc/raddb/mods-available/mschap.orig 2016-04-19 19:24:49.194497463 -0400 +++ /etc/raddb/mods-available/mschap 2016-04-20 15:03:55.731673388 -0400 @@ -56,6 +56,7 @@ # the "best" user name for the request. # # ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" + ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" # The default is to wait 10 seconds for ntlm_auth to # complete. This is a long time, and if it's taking that Making these changes, and the change prior, allows for EAP authentication from windows workstations to a wireless access point running WPA-Infrastructure mode against RADIUS. |
|
(0003121) dloper (administrator) 2016-04-22 08:44 |
base_dn in /etc/raddb/mods-available/ldap is improperly rendered as 'basedn' ntlm_auth parameter in /etc/raddb/mods-available/mschap is not set. Should be: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" Instead of: # ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2015-11-12 08:56 | user2 | New Issue | |
| 2015-11-12 08:56 | user2 | Assigned To | => dloper |
| 2015-11-12 08:56 | user2 | Status | new => assigned |
| 2015-11-12 09:07 | dloper | Note Added: 0002101 | |
| 2015-11-22 20:40 | user2 | Target Version | 7.1.0 Updates => 7.2.0 Updates |
| 2016-04-19 17:43 | dloper | Note Added: 0003101 | |
| 2016-04-20 13:09 | dloper | Note Added: 0003111 | |
| 2016-04-21 12:51 | user2 | Status | assigned => resolved |
| 2016-04-21 12:51 | user2 | Fixed in Version | => 7.2.0 Updates |
| 2016-04-21 12:51 | user2 | Resolution | open => fixed |
| 2016-04-22 08:44 | dloper | Note Added: 0003121 | |
| 2016-04-27 18:42 | user2 | Status | resolved => closed |
|
Issue History |