Opened 9 years ago

Closed 7 years ago

Last modified 4 years ago

#4930 closed defect (invalid)

freeradius2 update + fix

Reported by: jake1981 <oskari.rauta@…>
Owned by: developers
Priority: normal
Milestone: Barrier Breaker 14.07
Component: packages
Version:
Keywords: freeradius2
Cc:

Description

I updated freeradius2 from 2.1.1 -> 2.1.4 which fixes a lot of bugs.
I was not able to use freeradius2 in openwrt as radius server for WPA/WPA2 Enterprise.. With this upgrade - it should be easy to get one running.

Also previous build had some problems, e.g. democerts did not install ANY certifications, it only installed a script for generating one with openssl - but I wasn't able to find command openssl from openssl package, at least for brcm47xx.. So I made it to compile proper demo certificates that are active from day of compilation (not from day I published this) and from that day - they are valid for one year.

I also added few modules to build.

Also previous build installed all modules to /usr/lib when freeradius2 modules should be found from /usr/lib/freeradius2.

I also made some changes to initial settings files - to make packages smaller, I removed some parts from configuration files, for example, openwrt doesn't have man page support, therefore every occurrence about man pages has been stripped out. Secondly, some modules do not seem to want to compile at all - if these modules were mentioned in configurations, I removed those parts.

Also, as MOST people out there are wanting to use this for WPA or WPA2 enterprise (EAP) - I changed configurations to make it work out of the box (just add user definitions to users file or enable sql support) as WPA/WPA2 AP's radius server (of course you need to install democerts or your own certs).

Previous version's /etc/freeradius2 folder look like freeradius 1.x branches folder - I changed it to look more like it is supposed to look like. Although, I did simplify it a bit - but it should be pretty clear now - so because it now looks more like it is supposed to - it is far more easy to configure it because freeradius 2.x branches wiki and all documentation about it makes now pretty much more sense than it did before as everything is in places where they are supposed to be. (exception is that in this build, there is no sites-available and sites-enabled, there only is a directory sites as I think that no one is thinking about their routers might work great as file storages, at least when files are kept in /etc :) )

Attachments (8)

Makefile (15.2 KB) - added by jake1981 <oskari.rauta@…> 9 years ago.
Overwrite old Makefile with this file
radiusd.init (338 bytes) - added by jake1981 <oskari.rauta@…> 9 years ago.
Overwrite old files/radiusd.init with this file
002-openwrt-paths.patch (29.3 KB) - added by jake1981 <oskari.rauta@…> 9 years ago.
Add this file to patches directory
Makefile.2 (15.3 KB) - added by jake1981 <oskari.rauta@…> 9 years ago.
adds uci to depends
radiusd.2.init (390 bytes) - added by jake1981 <oskari.rauta@…> 9 years ago.
uses uci to fetch lan ip addr from /etc/config/network
Makefile.3 (15.2 KB) - added by jake1981 <oskari.rauta@…> 9 years ago.
Removed uci dependency
radiusd.3.init (428 bytes) - added by jake1981 <oskari.rauta@…> 9 years ago.
files/radiusd.init - autodetect lan ip address with help of ifconfig and sed
freeradius2.diff (42.6 KB) - added by jake1981 <oskari.rauta@…> 9 years ago.
svn diff (made from trunk/feeds/packages) for freeradius2

Change History (20)

Changed 9 years ago by jake1981 <oskari.rauta@…>

Overwrite old Makefile with this file

Changed 9 years ago by jake1981 <oskari.rauta@…>

Overwrite old files/radiusd.init with this file

Changed 9 years ago by jake1981 <oskari.rauta@…>

Add this file to patches directory

comment:1 Changed 9 years ago by jake1981 <oskari.rauta@…>

Remember to keep patch 001-rlm_ldap_configure.patch in patches directory, it applies for 2.1.4 as well.

I am terribly sorry that I did not post a svn diff - but that's because when I tried to - my svn bugged about some missing properties in feeds/packages repository.

comment:2 Changed 9 years ago by jake1981 <oskari.rauta@…>

Oh - and I've tested this as a radius server for WPA2 EAP - it works for apple's OS X, apple's iPhone and microsoft's XP, only in XP I had to manually change to use PEAP instead of smart card to make it ask credentials, but I think it's a XP feature - not freeradius2's..

comment:3 Changed 9 years ago by jake1981 <oskari.rauta@…>

This should not be defect, this should be an upgrade/update or feature enhancement..

comment:4 Changed 9 years ago by jake1981 <oskari.rauta@…>

There still seems to be SOME problems with freeradius2.

Bugs:

  • freeradius2 cannot get ipaddress of interface properly
  • openwrt does not ship with /etc/services and therefore port = 0 (<- autodetect) does not work.

How to fix?
It's hard to fix it as this information is kept in configuration files, and configuration files do not have a mechanism that could run a shell command to fill in options value - therefore this must be defined elsewhere than inside configuration file (radiusd.conf).

Solution:
this information can be passed along with command line. I made freeradius2 to require uci as I use uci to fetch ip address from network configuration file. This is a temp solution, because if dynamic ip address is being used for LAN ip, this won't work - but for the moment, this will do until I get some more time to figure out a nice way to fetch ip address of br-lan interface.

Anyway, I made changes to initfile:
radiusd -i $(uci get network.lan.ipaddr) -p 1812,1813 $(OPTIONS)

This enables auth and accounting services on lan ipaddr defined in /etc/config/network

new makefile and radiusd.init are attached.
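
As an added example (not part of the ticket or its attachments), one way to read the live address of br-lan, which also covers a dynamically assigned LAN address, and to refuse to start when none is found. The function names, the `IFCONFIG_CMD` override and the sample output are constructed for illustration.

```shell
# Constructed sample of BusyBox-style ifconfig output (used via IFCONFIG_CMD).
sample_ifconfig() {
    case "$1" in
    br-lan) cat <<'EOF'
br-lan    Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
EOF
    ;;
    br-down) cat <<'EOF'
br-down   Link encap:Ethernet  HWaddr 00:11:22:33:44:66
          BROADCAST MULTICAST  MTU:1500  Metric:1
EOF
    ;;
    *) return 1 ;;
    esac
}

# Extract the first IPv4 address from ifconfig output read on stdin.
parse_inet_addr() {
    sed -n 's/^[[:space:]]*inet addr:\([0-9.]*\).*$/\1/p' | head -n 1
}

# Accept only a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the bind address of an interface, or fail and print nothing.
# Failing here keeps the daemon from starting with an empty or wildcard address.
lan_bind_addr() {
    addr=$(${IFCONFIG_CMD:-ifconfig} "$1" 2>/dev/null | parse_inet_addr)
    is_ipv4 "$addr" || return 1
    [ "$addr" != "0.0.0.0" ] || return 1
    printf '%s\n' "$addr"
}

# In an init script: addr=$(lan_bind_addr br-lan) || exit 1
# then pass -i "$addr" to radiusd as in the command line quoted above.
```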

Changed 9 years ago by jake1981 <oskari.rauta@…>

adds uci to depends

Changed 9 years ago by jake1981 <oskari.rauta@…>

uses uci to fetch lan ip addr from /etc/config/network

comment:5 Changed 9 years ago by jake1981 <oskari.rauta@…>

Okay - I made one final change. It no longer is dependent on uci - it no longer is dependent of /etc/config/network also as it uses ifconfig and sed to get ip address of br-lan. I have tested it and it does work.

Easiest way to install freeradius2 server for doing WPA2/EAP is to install freeradius2, freeradius2-mod-files, freeradius2-mod-radutmp, freeradius2-mod-peap, freeradius2-mod-mschapv2, freeradius2-mod-pap, freeradius2-mod-chap, freeradius2-mod-eap, freeradius2-mod-mschap and freeradius2-mod-eap-tls.

After installing these, put your own certifications under certs - or if you are just testing - you can use freeradius2-democerts.

Add users to /etc/freeradius2/users file like this:
username ClearText-Password := "password"

If you want to create anonymous user account that will go with ANY password, add this:
anonymous Auth-Type := ACCEPT

After this, start up your radiusd server with initscript and set up WPA-Enterprise or WPA2-Enterprise - in setup it wants a port number which is default authentication port of radius server: 1812

For more examples, read docs of freeradius or see freeradius wiki. In sources there are also lot of examples under raddb/sites-available

I made it to log as default to /var/log/radiusd.log but you can change settings so it logs to syslog as well if you prefer that choice. With default settings you need no more than this to get started with your radius server and WPA/WPA2 enterprise - but all other settings are visible and documented in setup files - they are just commented out to ease out setup of WPA enterprise server..
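
As an added example (not from the ticket or the FreeRADIUS project), a check over a `users` file in the format shown in comment 5 that reports entries accepted with any password and entries storing a cleartext password, plus a test for a world-readable file. The function names and the sample file are constructed for illustration.

```shell
# Constructed sample in the users-file format quoted in comment 5.
sample_users() {
    cat <<'EOF'
# local accounts
alice     ClearText-Password := "password"
          Reply-Message = "hello"
anonymous Auth-Type := ACCEPT
DEFAULT   Auth-Type := Reject
EOF
}

# Print "<line> <user> <finding>" for each risky entry in the users file $1.
# Attribute names are matched case-insensitively to cover the spellings above.
audit_users() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }   # comments and blank lines
        /^[ \t]/ { next }                # indented reply-item lines
        {
            line = tolower($0)
            if (line ~ /auth-type[ \t]*:?=[ \t]*accept/)
                printf "%d %s accept-any-password\n", FNR, $1
            else if (line ~ /cleartext-password[ \t]*:?=/)
                printf "%d %s cleartext-password\n", FNR, $1
        }
    ' "$1"
}

# Succeed when the file $1 is readable by "other" users on the system.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Typical use on a router:
#   audit_users /etc/freeradius2/users
#   world_readable /etc/freeradius2/users && echo "users file is world-readable"
```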

Changed 9 years ago by jake1981 <oskari.rauta@…>

Removed uci dependency

Changed 9 years ago by jake1981 <oskari.rauta@…>

files/radiusd.init - autodetect lan ip address with help of ifconfig and sed

comment:6 Changed 9 years ago by jake1981 <oskari.rauta@…>

It stopped from compiling in latest trunk. Problem is libtool and always-plugin related. Adding -no_rlm_always to configure options solved the issue. New svn diff is included.

Changed 9 years ago by jake1981 <oskari.rauta@…>

svn diff (made from trunk/feeds/packages) for freeradius2

comment:7 Changed 9 years ago by jake1981 <oskari.rauta@…>

other files (except latest svn diff; freeradius2.diff ) are not necessary anymore..

comment:8 Changed 9 years ago by jake1981 <oskari.rauta@…>

Sorry - forget the last one. There was something wrong with my buildroot, I made a new svn checkout and now it's fine - rlm_always in configure is definitely necessary..! peap does not compile without it and freeradius2 compiles just fine with it now..

comment:9 Changed 9 years ago by florian

  • Resolution set to fixed
  • Status changed from new to closed

Applied in [15791], with some minor modifications to the threads handling. Thanks !

comment:10 Changed 7 years ago by anonymous

  • Resolution fixed deleted
  • Status changed from closed to reopened

comment:11 Changed 7 years ago by jow

  • Resolution set to invalid
  • Status changed from reopened to closed

-ENODATA

comment:12 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
