ClearOS Bug Tracker


View Issue Details

ID:               0006101
Project:          ClearOS
Category:         app-radius - RADIUS Server
View Status:      public
Date Submitted:   2015-11-12 08:56
Last Update:      2016-04-27 18:42
Reporter:         user2
Assigned To:      dloper
Priority:         normal
Severity:         minor
Reproducibility:  have not tried
Status:           closed
Resolution:       fixed
Product Version:  7.1.0
Target Version:   7.2.0 Updates
Fixed in Version: 7.2.0 Updates
Summary:          0006101: Complete RADIUS app in ClearOS 7
Description: See subject. Also see forum post:

https://www.clearos.com/clearfoundation/social/community/working-radius-configuration-for-clearos-7
Tags: No tags attached.
Attached Files: none
Relationships: none

Notes
(0002101)
dloper (administrator)
2015-11-12 09:07

For more info, see: https://www.clearos.com/clearfoundation/social/community/radius-server-not-starting#reply-89321
(0003101)
dloper (administrator)
2016-04-19 17:43

The file /etc/raddb/mods-available/ldap uses an older convention for its format. Should be more like this:

ldap {
    server = "localhost"
    # Bind DN and password used for all searches and for reading userPassword.
    # The password is the value posted in the ticket; keep this file unreadable to other local users.
    identity = "cn=manager,ou=Internal,dc=system,dc=lan"
    password = odt6Xj4EvVrY3ocj
    base_dn = "dc=system,dc=lan"
    update {
        # Copy the stored hash, header ({SSHA}, {CRYPT}, ...) included, into the request so rlm_pap can verify it.
        control:Password-With-Header += 'userPassword'
    }
    user {
        # Look the user up by uid, preferring the realm-stripped name when a realm was present.
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = "${..base_dn}"
        filter = "(objectClass=posixGroup)"
        membership_attribute = "memberOf"
    }
    profile {
    }
    client {
        # Dynamic RADIUS clients (NAS identifier and shared secret) read from frClient entries.
        base_dn = "${..base_dn}"
        filter = '(objectClass=frClient)'
        attribute {
            identifier = 'radiusClientIdentifier'
            secret = 'radiusClientSecret'
        }
    }
    accounting {
        # Write a status line back to the user's entry on each accounting event.
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }

            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }

            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }

    options {
        chase_referrals = yes
        rebind = yes
        timeout = 10
        timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
        # Plaintext LDAP; acceptable only because server is localhost.
        start_tls = no
    }
    pool {
        # Persistent connection pool sized against the server's thread pool.
        start = 5
        min = 4
        max = ${thread[pool].max_servers}
        spare = 3
        uses = 0
        lifetime = 0
        idle_timeout = 60
    }
}
(0003111)
dloper (administrator)
2016-04-20 13:09

For the EAP tunnel, it would be best to run it through MSCHAP rather than the older process of looking up the hashes directly in LDAP and then comparing the hashes. To make this change we merely do the following:

usermod -a -G wbpriv radiusd

This allows radius to submit ntlm_auth requests to the winbind socket at /var/lib/samba/winbindd_privileged/pipe

Then you need to turn on the ntlm_auth with the following patch:

--- /etc/raddb/mods-available/mschap.orig 2016-04-19 19:24:49.194497463 -0400
+++ /etc/raddb/mods-available/mschap 2016-04-20 15:03:55.731673388 -0400
@@ -56,6 +56,7 @@
     # the "best" user name for the request.
     #
 # ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
+ ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
 
     # The default is to wait 10 seconds for ntlm_auth to
     # complete. This is a long time, and if it's taking that
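Review bot: the added ntlm_auth line is placed at column 0 while the rest of the block (see the `#` context lines around it) is indented, so indent it to match the commented template it sits under. It also silently depends on the radiusd user being in group wbpriv (the usermod step earlier in this note) to reach the winbindd privileged pipe; nothing in the file records that, so a one-line comment above the setting stating the requirement would make the config self-describing and save the next reader a failing ntlm_auth call.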

Making these changes, and the change prior, allows for EAP authentication from Windows workstations to a wireless access point running WPA-Infrastructure mode against RADIUS.
(0003121)
dloper (administrator)
2016-04-22 08:44

base_dn in /etc/raddb/mods-available/ldap is improperly rendered as 'basedn'

ntlm_auth parameter in /etc/raddb/mods-available/mschap is not set. Should be:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

Instead of:

# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
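Note 0003121 names two concrete defects (a `basedn` key where the 3.x ldap module expects `base_dn`, and an ntlm_auth setting still commented out in mods-available/mschap), and note 0003111 adds the wbpriv group requirement. As an added example (not ClearOS or FreeRADIUS code), the script below checks all three before radiusd is restarted: it parses the two mods-available files and /etc/group, and, where those files do not exist, falls back to constructed sample contents that mirror the ticket. The file paths are the ones the notes name; the `password = placeholder` value in the samples and the `wbpriv:x:88:` group line are stand-ins, not values from the page.

```python
"""Pre-flight checks for the radiusd misconfigurations recorded in this ticket.
Added example, not ClearOS or FreeRADIUS code: reports a `basedn` key where the
3.x ldap module expects `base_dn`, an ntlm_auth that is commented out or names a
missing binary, and a radiusd user missing from group wbpriv.  SAMPLE_* strings
are constructed to mirror the ticket; the bind password in them is a placeholder."""
import os
import re

LDAP_CONF = "/etc/raddb/mods-available/ldap"
MSCHAP_CONF = "/etc/raddb/mods-available/mschap"

# The ntlm_auth line from note 0003121, reused to build the constructed samples.
NTLM_AUTH_LINE = ('ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key '
                  '--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} '
                  '--challenge=%{%{mschap:Challenge}:-00} '
                  '--nt-response=%{%{mschap:NT-Response}:-00}"')
SAMPLE_LDAP_BROKEN = """\
ldap {
    server = "localhost"
    identity = "cn=manager,ou=Internal,dc=system,dc=lan"
    password = placeholder
    basedn = "dc=system,dc=lan"
    user {
        basedn = "${..basedn}"
    }
}
"""
SAMPLE_LDAP_FIXED = SAMPLE_LDAP_BROKEN.replace("basedn", "base_dn")
SAMPLE_MSCHAP_BROKEN = ("mschap {\n    use_mppe = yes\n    # "
                        + NTLM_AUTH_LINE.replace("/usr/bin", "/path/to") + "\n}\n")
SAMPLE_MSCHAP_FIXED = "mschap {\n    use_mppe = yes\n    " + NTLM_AUTH_LINE + "\n}\n"
SETTING = re.compile(r"^([A-Za-z_][\w.:-]*)\s*[:+]?=\s*(.*)$")  # key = / := / += value


def strip_comment(line):
    """Drop a trailing '#' comment but keep a '#' that sits inside a quoted value."""
    out, quote = [], None
    for ch in line:
        if not quote and ch == "#":
            break
        out.append(ch)
        if quote == ch:
            quote = None
        elif not quote and ch in "\"'":
            quote = ch
    return "".join(out)


def active_settings(text):
    """Yield (key, value) for every uncommented assignment in a radiusd config file."""
    for raw in text.splitlines():
        m = SETTING.match(strip_comment(raw).strip())
        if m:
            yield m.group(1), m.group(2).strip()


def check_ldap(text):
    """The basedn/base_dn confusion from note 0003121, in all the places it can hide."""
    problems, keys = [], [k for k, _ in active_settings(text)]
    if "basedn" in keys:
        problems.append("ldap: 'basedn' is not a 3.x keyword; rename it to 'base_dn'")
    if "base_dn" not in keys:
        problems.append("ldap: no active base_dn, so user and group searches have no search base")
    if "${..basedn}" in text:
        problems.append("ldap: a sub-section references ${..basedn}; it should be ${..base_dn}")
    return problems


def ntlm_auth_binary(text):
    """Executable named by an active ntlm_auth line, or None if the line is commented out."""
    for key, value in active_settings(text):
        if key == "ntlm_auth":
            return value.strip("\"'").split()[0]
    return None


def check_mschap(text, path_exists=os.path.exists):
    """ntlm_auth must be enabled and point at a real binary; path_exists is injectable for tests."""
    binary = ntlm_auth_binary(text)
    if binary is None:
        return ["mschap: ntlm_auth is not set; MS-CHAPv2 falls back to comparing hashes read from LDAP"]
    if not path_exists(binary):
        return [f"mschap: ntlm_auth names {binary}, which does not exist"]
    return []


def radiusd_in_wbpriv(group_text, user="radiusd", group="wbpriv"):
    """True if the /etc/group text lists `user` among the members of `group`."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == group:
            return user in fields[3].split(",")
    return False


def run_checks(ldap_text, mschap_text, group_text, path_exists=os.path.exists):
    """All problems found; the wbpriv check only matters once ntlm_auth is actually enabled."""
    problems = check_ldap(ldap_text) + check_mschap(mschap_text, path_exists)
    if ntlm_auth_binary(mschap_text) and not radiusd_in_wbpriv(group_text):
        problems.append("radiusd is not in group wbpriv; ntlm_auth cannot reach "
                        "/var/lib/samba/winbindd_privileged/pipe (run: usermod -a -G wbpriv radiusd)")
    return problems


if __name__ == "__main__":
    def read(path, fallback):  # off a ClearOS box, fall back to the constructed samples
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            return fallback
    print("\n".join(run_checks(read(LDAP_CONF, SAMPLE_LDAP_BROKEN),
                               read(MSCHAP_CONF, SAMPLE_MSCHAP_BROKEN),
                               read("/etc/group", "wbpriv:x:88:\n")) or ["no problems found"]))
```

Run it as root on the ClearOS box after applying the notes; an empty report means the two files and the group membership match the working state the ticket describes. The comment-stripper respects quotes because a bind password or an LDAP filter may legitimately contain `#`.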

Issue History

Date Modified     Username  Field             Change
2015-11-12 08:56  user2     New Issue
2015-11-12 08:56  user2     Assigned To       => dloper
2015-11-12 08:56  user2     Status            new => assigned
2015-11-12 09:07  dloper    Note Added        0002101
2015-11-22 20:40  user2     Target Version    7.1.0 Updates => 7.2.0 Updates
2016-04-19 17:43  dloper    Note Added        0003101
2016-04-20 13:09  dloper    Note Added        0003111
2016-04-21 12:51  user2     Status            assigned => resolved
2016-04-21 12:51  user2     Fixed in Version  => 7.2.0 Updates
2016-04-21 12:51  user2     Resolution        open => fixed
2016-04-22 08:44  dloper    Note Added        0003121
2016-04-27 18:42  user2     Status            resolved => closed