Je colle ici mes fichiers de configuration. J'écrirai la documentation un peu plus tard... Il est déjà 23h40 quand j'écris ce billet et Simba m'attend pour dormir LOL..
FreeRadius: Compilation et installation (mode quick)
J'ai effectué les tests sur une Ubuntu 8.04.3 Server Edition fraîchement installée sous ma VMware
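# Build prerequisites: compiler, make, LDAP and OpenSSL headers.
apt-get install gcc make libldap2-dev libssl-dev openssl

# Release to build; change only this line to try another 2.1.x tarball.
FREERADIUS_VERSION=2.1.7
FREERADIUS_TARBALL="freeradius-server-${FREERADIUS_VERSION}.tar.gz"

# Download to a file instead of piping the stream straight into tar, so the
# archive can be checked against the checksum (or .sig) published on
# freeradius.org before anything from it is unpacked or run by ./configure.
wget "ftp://ftp.freeradius.org/pub/freeradius/${FREERADIUS_TARBALL}" -O "${FREERADIUS_TARBALL}"

# Replace the placeholder with the SHA-256 published for this release;
# the tarball is only extracted when it matches.
FREERADIUS_SHA256="<sha256-published-for-${FREERADIUS_TARBALL}>"
printf '%s  %s\n' "${FREERADIUS_SHA256}" "${FREERADIUS_TARBALL}" | sha256sum -c - \
  && tar xzf "${FREERADIUS_TARBALL}"

# Build and install under /opt/freeradius, the prefix every path in
# radiusd.conf below derives from. Each step stops the chain on failure.
cd "freeradius-server-${FREERADIUS_VERSION}" \
  && ./configure --prefix=/opt/freeradius && make && make install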
Génération des certificats
Une fois freeradius installé, se conformer au fichier
/opt/freeradius/etc/raddb/certs/README
que je ne détaillerai pas ici.
A la fin de la génération, ne pas oublier de faire
# Last two steps of the certs/ README, run from that directory: they produce
# the files that eap.conf points at through random_file and dh_file.
for target in random dh; do
  make "$target"
done
Configuration cliente en utilisant wpa_supplicant
Avec la configuration suivante dans le fichier
root@bremko:/var/lib/david/# cat /etc/wpa_supplicant/wifi_belkin54g.conf |grep -v '#'
# wpa_supplicant profile for the belkin54g SSID: WPA-EAP with EAP-TTLS.
# No eap= line is given, so the method is the one the server proposes
# (default_eap_type = ttls in eap.conf; the log below shows TTLS selected).
ctrl_interface=/var/run/wpa_supplicant
ap_scan=1
network={
ssid="belkin54g"
scan_ssid=1
key_mgmt=WPA-EAP
# Phase 2 is plain PAP: the LDAP password crosses the TLS tunnel in clear,
# so the tunnel endpoint (the RADIUS server) must be authenticated.
phase2="auth=PAP"
identity="LOGIN_LDAP"
# Stored in clear in this file; keep it readable by root only.
password="PASSWORD_LDAP"
# Pins the server certificate to this CA. Without it any server certificate
# would be accepted and the PAP credentials could be handed to an access
# point presenting its own cert — keep this line even though EAP-TTLS works
# without it.
ca_cert="/etc/wpa_supplicant/certs/ca.pem"
}
Bien sûr, ici on prendra soin de remplacer comme il se doit les paramètres
identity
et
password
. Puisqu'on utilise ici de l'EAP-TTLS, le certificat n'est pas obligatoire mais bon c'est l'habitude de l'avoir
On aura en lançant la connexion
root@bremko:~# /sbin/wpa_supplicant -P /var/run/wpa_supplicant.ath0.pid -i ath0 -Dwext -c /etc/wpa_supplicant/wifi_belkin54g.conf
Trying to associate with 00:30:bd:98:88:5b (SSID='belkin54g' freq=2462 MHz)
Associated with 00:30:bd:98:88:5b
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0)
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
WPA: Key negotiation completed with 00:30:bd:98:88:5b [PTK=TKIP GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 00:30:bd:98:88:5b completed (auth) [id=0 id_str=]
WPA: Group rekeying completed with 00:30:bd:98:88:5b [GTK=TKIP]
Côté serveur : fichiers de configuration
- fichier etc/raddb/radiusd.conf
# radiusd.conf — main daemon configuration for the --prefix=/opt/freeradius build.
# Every other path derives from prefix; raddb holds the files shown below.
prefix = /opt/freeradius
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/${name}.pid
# Seconds a request may live before being dropped, and how long a finished
# request is kept around to absorb retransmitted duplicates from the NAS.
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
# Authentication listener on every interface; port 0 means "take the radius
# entry from /etc/services" (1812 by default).
listen {
type = auth
ipaddr = *
port = 0
}
# Accounting listener, same wildcard address; port 0 -> radacct (1813).
listen {
ipaddr = *
port = 0
type = acct
}
# No reverse DNS per request. Core dumps stay off: a core would contain the
# shared secrets and the private key passphrase from eap.conf.
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = yes
# auth_badpass / auth_goodpass write the submitted password into radius.log
# in clear, for failed and successful attempts respectively. Handy while
# bringing the setup up, but the log then holds users' LDAP passwords:
# set both back to no afterwards and keep the log directory root-only.
auth_badpass = yes
auth_goodpass = yes
msg_goodpass = "[* * * GOOD LOGIN * * *]"
msg_badpass = "[* * * BAD LOGIN * * *]"
}
checkrad = ${sbindir}/checkrad
security {
# Packets carrying more attributes than this are rejected as malformed.
max_attributes = 200
# Access-Reject is delayed by one second, which slows down password guessing.
reject_delay = 1
status_server = yes
}
# Proxying stays enabled; realms and home servers come from proxy.conf (not shown).
proxy_requests = yes
$INCLUDE proxy.conf
# NAS definitions and their shared secrets — see clients.conf below.
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
# Loads every file in modules/ (the pap and ldap files below among them) plus eap.conf.
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
}
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
# Virtual servers: sites-enabled/default and sites-enabled/inner-tunnel, below.
$INCLUDE sites-enabled/
- fichier etc/raddb/modules/pap
# modules/pap — local password comparison, used for the tunneled PAP.
pap {
# Detect the hash scheme from a {crypt}/{ssha}/... header on the stored
# password (as found in an LDAP userPassword value) and normalise it.
auto_header = yes
}
- fichier etc/raddb/modules/ldap
# modules/ldap — rlm_ldap instance the inner-tunnel uses to look users up.
ldap {
server = "olivia.davidgis.fr"
basedn = "dc=chezdavid,dc=local"
# Looks the user up by uid, preferring the realm-stripped name. rlm_ldap is
# expected to escape LDAP filter metacharacters in the expanded attribute —
# confirm for this version rather than assuming it.
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
# NOTE(review): no identity/password here, so the module presumably binds
# anonymously; userPassword must then be readable by anonymous for pap to
# check it, otherwise the fallback is a bind as the user (Auth-Type LDAP).
ldap_connections_number = 5
# Seconds: per-query timeout, server-side time limit, connect timeout.
timeout = 4
timelimit = 3
net_timeout = 1
# No StartTLS: searches, binds (a user's password when binding as the user)
# and any returned userPassword travel to olivia in clear. Enable StartTLS
# or ldaps unless the directory runs on this same host.
tls {
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
# Attribute fetched so the pap module can verify the password locally
# (hash prefix detected through auto_header in modules/pap).
password_attribute = userPassword
# Novell eDirectory only.
edir_account_policy_check = no
# When no password could be fetched, presumably sets Auth-Type := LDAP so
# the user is authenticated by binding to the directory with the password.
set_auth_type = yes
}
- fichier etc/raddb/eap.conf
# eap.conf — EAP methods offered to supplicants. The wpa_supplicant profile
# above lands in ttls { } with a plain-PAP inner method processed by the
# inner-tunnel virtual server.
eap {
# Type proposed first; a supplicant may NAK it and ask for another method
# listed below (the client log above shows TTLS being selected).
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
# EAP-MD5 and LEAP stay enabled although nothing in this post uses them;
# both are weak, and an unused method is best removed so it cannot be negotiated.
md5 {
}
leap {
}
# EAP-GTC inner method: the submitted token/password is checked as PAP.
gtc {
auth_type = PAP
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
# Passphrase of the server's private key, stored in clear (it looks like a
# date). It protects the key only as well as the permissions on this file
# and on certs/ do: keep raddb readable by the radiusd user alone.
private_key_password = 20091206
# Key and certificate live in the same PEM file.
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
# CA used to verify client certificates (EAP-TLS); presumably the same CA
# whose cert the supplicant pins with ca_cert above.
CA_file = ${cadir}/ca.pem
# Produced by "make dh" / "make random" in the certs directory (see above).
dh_file = ${certdir}/dh
random_file = ${certdir}/random
include_length = yes
# Only relevant when a client presents a certificate (EAP-TLS): its CN must
# equal the User-Name. Not exercised by the TTLS/PAP client shown here.
check_cert_cn = %{User-Name}
# OpenSSL's DEFAULT suite list; tighten it if legacy ciphers must not be negotiable.
cipher_list = "DEFAULT"
# Bootstrap script that generates the test certificates; presumably only run
# when they are missing — confirm before relying on it in production.
make_cert_command = "${certdir}/bootstrap"
# TLS session resumption disabled: every authentication does a full handshake.
cache {
enable = no
max_entries = 255
}
}
ttls {
# Inner EAP type if the client tunnels EAP; the client above uses non-EAP
# PAP in phase 2 instead, so gtc is only a fallback.
default_eap_type = gtc
# Outer attributes are copied into the tunneled request, and the
# inner-tunnel reply (e.g. VLAN attributes) is returned to the NAS.
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
}
# PEAP is also offered, with MSCHAPv2 inside, handled by the same inner-tunnel.
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
- fichier etc/raddb/clients.conf
# clients.conf — NASes allowed to talk to this server, with their shared secrets.
# Together with the source address, the secret is what authenticates a NAS
# and protects User-Password on the wire (MD5-based), so it should be long,
# random and different per client. The one below is the same memorable
# phrase three times and has been published: treat it as compromised and rotate it.
client 127.0.0.1 {
secret = oliviatuesmonamour
shortname = monroe
}
# Whole LAN as a client: any host on 192.168.2.0/24 that knows the secret
# may send requests. Narrow this to the actual NAS addresses if possible.
client 192.168.2.0/24 {
secret = oliviatuesmonamour
shortname = reseaudavidgis
}
# The Belkin AP. It is also covered by the /24 above; FreeRADIUS is expected
# to pick the most specific match — confirm with a test if the shortname
# matters in the logs.
client 192.168.2.254 {
secret = oliviatuesmonamour
shortname = belkin54g
}
Ici le mot secret est à saisir depuis l'interface de l'AP dont l'IP est 192.168.2.254
- fichier etc/raddb/sites-enabled/default
# sites-enabled/default — outer virtual server handling the EAP exchange
# with the AP. The request decrypted from the tunnel goes to inner-tunnel.
authorize {
preprocess
chap
mschap
# Splits user@realm; the realm then drives proxying decisions.
suffix
# For EAP requests eap returns ok and "return" ends the section here, so
# unix/files/ldap/pap below only run for plain (non-EAP) requests.
eap {
ok = return
}
unix
files
ldap
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
# Bind-as-user fallback selected by the ldap module's set_auth_type.
Auth-Type LDAP {
ldap
}
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
attr_filter.accounting_response
}
session {
radutmp
}
post-auth {
exec
# Strips everything but the permitted attributes from Access-Reject replies.
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
- fichier etc/raddb/sites-enabled/inner-tunnel
server inner-tunnel {
# inner-tunnel authorize: runs on the request decrypted from the TTLS/PEAP tunnel.
authorize {
chap
mschap
unix
suffix
# Force local handling: the inner request is never proxied, even if suffix
# found a realm in the tunneled identity.
update control {
Proxy-To-Realm := LOCAL
}
# Only inner EAP (gtc/mschapv2) stops here; the PAP phase 2 of the client
# above is not EAP, so the lookup continues through files/ldap/pap.
eap {
ok = return
}
files
# LDAP lookup of the tunneled identity: fetches userPassword for pap or,
# when it cannot, sets Auth-Type := LDAP (see modules/ldap).
ldap
expiration
logintime
# Presumably sets Auth-Type := PAP when the request carries a User-Password
# and a known-good password was found by files/ldap — confirm in the debug log.
pap
}
# inner-tunnel authenticate: verifies the tunneled credentials.
authenticate {
# The PAP phase 2 from the wpa_supplicant profile above ends up here when a
# known-good password was fetched from LDAP; pap compares it locally
# (auto_header in modules/pap handles {ssha}-style prefixes in userPassword).
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
# Otherwise the user's password is verified by binding to the directory
# with it — in clear on the wire while start_tls = no in modules/ldap.
Auth-Type LDAP {
ldap
}
eap
}
session {
radutmp
}
# A rejected tunneled authentication gets the same reply filtering as the
# outer server applies.
post-auth {
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}