Radius, or rather how to manage certificates...



Hi,

We have a school Wifi with a default password that students and teachers can use. The problem is that some people overuse it and the password gets shared with people who do not need access to it. It's merely a matter of resources, since the Wifi is totally separated from the rest of the LAN via a VLAN.

I tried to find a better way to manage this, so I looked at freeradius. My idea is to let radius give access to users in our system, collected from tjener's LDAP server.

To not mess up tjener too much, and to keep everything regarding wifi on its own, I installed a debian 6.06 VM with radius and mysql (for accounting). Now, radius works with flatfile and mysql users, but I can't make it talk to tjener using TLS...
The root of the problem is not really radius or ldap, but how to get radius to connect using TLS.
I set access_attr = "uid", which means everyone with an account at our school will have access to log in via radius.


This is the log from a test login via radius, using an LDAP connection to tjener:
# radtest tesstu userpwd 127.0.0.1 100 testnaskey

[ldap] performing user authorization for tesstu
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> tesstu
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=tesstu)
[ldap]  expand: dc=skole,dc=skolelinux,dc=no -> dc=skole,dc=skolelinux,dc=no
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldap.intern:636, authentication 0
  [ldap] setting TLS mode to 1
  [ldap] setting TLS CACert File to /etc/freeradius/certs/ldap-server-pubkey.pem
  [ldap] setting TLS Cert File to /etc/freeradius/certs/server.pem
  [ldap] setting TLS Key File to /etc/freeradius/certs/server.key
  [ldap] starting TLS
  [ldap] ldap_start_tls_s()
  [ldap] could not start TLS Operations error
  [ldap] (re)connection attempt failed
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns fail
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> tesstu
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request

TLS Cert File is created by radius at install time.
TLS Key File is created by radius at install time.
TLS CACert File is copied from tjener:/etc/ldap/ssl/ldap-server-pubkey.pem.
There are also possible options for cacertdir and for randfile.

I attach the ldap part of radiusd.conf.

The only change I've done on tjener is to add the radius.schema to ldap. Not strictly a must to make it work, but it gives more options.

I'm aware this is a radius, not skolelinux, issue, but I did test installing a small LDAP server on the same machine as radius (not using TLS...) and that works. So the problem has to do with managing those certificates and/or how ldap is set up on tjener. It does try to connect to tjener, it's just that it can't connect via TLS for some reason.. The error message does not reveal much unfortunately. I have worked with this for some days now and this is as far as I seem to come on my own. (Christmas fun ;) )

Any help is appreciated.

Regards   /George

Attachment: ldap
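The log above shows rlm_ldap setting TLS mode 1 (implicit TLS, as on ldaps port 636) and then calling ldap_start_tls_s() on that same connection; OpenLDAP's slapd answers a StartTLS request on a connection that is already encrypted with an operations error, so either the implicit TLS or the StartTLS setting has to go. As an added example (not part of the post or its attached config), here is a small check that parses a FreeRADIUS 2.x ldap stanza and flags that combination plus a couple of related TLS settings; the stanza below is constructed with hypothetical values.

```python
# Constructed sample of a FreeRADIUS 2.x rlm_ldap stanza (hypothetical values,
# not the configuration attached to the post).
SAMPLE_CONFIG = """
ldap {
    server = "ldap.intern"
    port = 636
    basedn = "dc=skole,dc=skolelinux,dc=no"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    access_attr = "uid"
    tls_mode = yes
    tls {
        start_tls = yes
        cacertfile = /etc/freeradius/certs/ldap-server-pubkey.pem
        certfile = /etc/freeradius/certs/server.pem
        keyfile = /etc/freeradius/certs/server.key
        require_cert = "demand"
    }
}
"""


def parse_stanza(text):
    """Flatten `key = value` lines into a dict keyed by 'block.sub.key'."""
    settings, path = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[".".join(path + [key])] = value.strip('"')
    return settings


def truthy(value):
    return value.lower() in ("yes", "on", "true", "1")


def check_tls_settings(text):
    """Return findings about how the ldap stanza combines TLS options."""
    s = parse_stanza(text)
    implicit = truthy(s.get("ldap.tls_mode", "no")) or s.get("ldap.port") == "636"
    start_tls = truthy(s.get("ldap.tls.start_tls", "no"))
    findings = []
    if implicit and start_tls:
        findings.append("start_tls on an implicit-TLS (tls_mode/port 636) connection: use one or the other")
    if not implicit and not start_tls:
        findings.append("no TLS at all: bind credentials would cross the network in clear")
    if (implicit or start_tls) and not (s.get("ldap.tls.cacertfile") or s.get("ldap.tls.cacertdir")):
        findings.append("no cacertfile/cacertdir: the server certificate cannot be verified")
    return findings
```

Run `check_tls_settings(SAMPLE_CONFIG)` on the stanza as written and it reports the start_tls/implicit-TLS clash; switching to port 389 with `tls_mode = no` and keeping `start_tls = yes` (or the reverse) clears it.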
