Top-Themen

AppleEntwicklungHardwareInternetLinuxMicrosoftMultimediaNetzwerkeOff TopicSicherheitSonstige SystemeVirtualisierungWeiterbildungZusammenarbeit

Aktuelle Themen

Administrator.de FeedbackApache ServerAppleAssemblerAudioAusbildungAuslandBackupBasicBatch & ShellBenchmarksBibliotheken & ToolkitsBlogsCloud-DiensteClusterCMSCPU, RAM, MainboardsCSSC und C++DatenbankenDatenschutzDebianDigitiales FernsehenDNSDrucker und ScannerDSL, VDSLE-BooksE-BusinessE-MailEntwicklungErkennung und -AbwehrExchange ServerFestplatten, SSD, RaidFirewallFlatratesGoogle AndroidGrafikGrafikkarten & MonitoreGroupwareHardwareHosting & HousingHTMLHumor (lol)Hyper-VIconsIDE & EditorenInformationsdiensteInstallationInstant MessagingInternetInternet DomäneniOSISDN & AnaloganschlüsseiTunesJavaJavaScriptKiXtartKVMLAN, WAN, WirelessLinuxLinux DesktopLinux NetzwerkLinux ToolsLinux UserverwaltungLizenzierungMac OS XMicrosoftMicrosoft OfficeMikroTik RouterOSMonitoringMultimediaMultimedia & ZubehörNetzwerkeNetzwerkgrundlagenNetzwerkmanagementNetzwerkprotokolleNotebook & ZubehörNovell NetwareOff TopicOpenOffice, LibreOfficeOutlook & MailPapierkorbPascal und DelphiPeripheriegerätePerlPHPPythonRechtliche FragenRedHat, CentOS, FedoraRouter & RoutingSambaSAN, NAS, DASSchriftartenSchulung & TrainingSEOServerServer-HardwareSicherheitSicherheits-ToolsSicherheitsgrundlagenSolarisSonstige SystemeSoziale NetzwerkeSpeicherkartenStudentenjobs & PraktikumSuche ProjektpartnerSuseSwitche und HubsTipps & TricksTK-Netze & GeräteUbuntuUMTS, EDGE & GPRSUtilitiesVB for ApplicationsVerschlüsselung & ZertifikateVideo & StreamingViren und TrojanerVirtualisierungVisual StudioVmwareVoice over IPWebbrowserWebentwicklungWeiterbildungWindows 7Windows 8Windows 10Windows InstallationWindows MobileWindows NetzwerkWindows ServerWindows SystemdateienWindows ToolsWindows UpdateWindows UserverwaltungWindows VistaWindows XPXenserverXMLZusammenarbeit
GELÖST

RadiusServer mit PEAP und OpenLDAP Problem

Frage Linux

Mitglied: pzenz16

pzenz16 (Level 1) - Jetzt verbinden

15.10.2009 um 17:19 Uhr, 12776 Aufrufe, 2 Kommentare

Hallo Liebe Admins und co.

Hier einmal die Informationen

Server: Ubuntu Desktop Version 8.10
Installierte Pakete:

-freeradius
-libfreeradius2
-freeradius-utils
-freeradius-ldap
-freeradius-common
-libssl0.9.8
-libssl0.9.8-dbg
-libssl-dev
-openssl
-openssl-blacklist
-ssl-cert
-openssl-doc
-ldap-utils
-libldap-2.4-2
-slapd
-slapd-dbg

Darunter sind die radiusd.conf und die eap.conf
Das ganze muss nächsten Freitag fertig sein und ich hänge hier...
Vlt hat ja jemand eine Idee dazu.

Ich habe hier ein Problem mit meinem Radius Server.
Im Debugg Modus (freeradius -x -h /etc/freeradius) bringt er mir immer folgende Meldung.

Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.

Ich habe schon diverse Foren durchforstet und sitze schon seit Tagen vor diesem Problem finde aber keine Lösung.

Die libssl-devel sind installiert.
FreeRadius Server habe ich schon einmal neu installiert und konfiguriert.

Hier die Ausgabe von dem Debugg Befehl:

01.
FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Oct  9 2008 at 13:24:33 
02.
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.  
03.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A  
04.
PARTICULAR PURPOSE.  
05.
You may redistribute copies of FreeRADIUS under the terms of the  
06.
GNU General Public License v2.  
07.
Starting - reading configuration files ... 
08.
including configuration file /etc/freeradius//radiusd.conf 
09.
including configuration file /etc/freeradius//proxy.conf 
10.
including configuration file /etc/freeradius//clients.conf 
11.
including files in directory /etc/freeradius//modules/ 
12.
including configuration file /etc/freeradius//modules/etc_group 
13.
including configuration file /etc/freeradius//modules/wimax 
14.
including configuration file /etc/freeradius//modules/policy 
15.
including configuration file /etc/freeradius//modules/unix 
16.
including configuration file /etc/freeradius//modules/linelog 
17.
including configuration file /etc/freeradius//modules/exec 
18.
including configuration file /etc/freeradius//modules/sradutmp 
19.
including configuration file /etc/freeradius//modules/mac2vlan 
20.
including configuration file /etc/freeradius//modules/counter 
21.
including configuration file /etc/freeradius//modules/mschap 
22.
including configuration file /etc/freeradius//modules/digest 
23.
including configuration file /etc/freeradius//modules/ippool 
24.
including configuration file /etc/freeradius//modules/files 
25.
including configuration file /etc/freeradius//modules/attr_rewrite 
26.
including configuration file /etc/freeradius//modules/detail.example.com 
27.
including configuration file /etc/freeradius//modules/mac2ip 
28.
including configuration file /etc/freeradius//modules/pam 
29.
including configuration file /etc/freeradius//modules/realm 
30.
including configuration file /etc/freeradius//modules/inner-eap 
31.
including configuration file /etc/freeradius//modules/preprocess 
32.
including configuration file /etc/freeradius//modules/attr_filter 
33.
including configuration file /etc/freeradius//modules/radutmp 
34.
including configuration file /etc/freeradius//modules/passwd 
35.
including configuration file /etc/freeradius//modules/acct_unique 
36.
including configuration file /etc/freeradius//modules/chap 
37.
including configuration file /etc/freeradius//modules/ldap 
38.
including configuration file /etc/freeradius//modules/expr 
39.
including configuration file /etc/freeradius//modules/echo 
40.
including configuration file /etc/freeradius//modules/krb5 
41.
including configuration file /etc/freeradius//modules/detail.log 
42.
including configuration file /etc/freeradius//modules/pap 
43.
including configuration file /etc/freeradius//modules/expiration 
44.
including configuration file /etc/freeradius//modules/logintime 
45.
including configuration file /etc/freeradius//modules/detail 
46.
including configuration file /etc/freeradius//modules/sql_log 
47.
including configuration file /etc/freeradius//modules/smbpasswd 
48.
including configuration file /etc/freeradius//modules/checkval 
49.
including configuration file /etc/freeradius//modules/always 
50.
including configuration file /etc/freeradius//eap.conf 
51.
including configuration file /etc/freeradius//policy.conf 
52.
including files in directory /etc/freeradius//sites-enabled/ 
53.
including configuration file /etc/freeradius//sites-enabled/inner-tunnel 
54.
including configuration file /etc/freeradius//sites-enabled/default 
55.
including dictionary file /etc/freeradius//dictionary 
56.
main { 
57.
	prefix = "/usr" 
58.
	localstatedir = "/var" 
59.
	logdir = "/var/log/freeradius" 
60.
	libdir = "/usr/lib/freeradius" 
61.
	radacctdir = "/var/log/freeradius/radacct" 
62.
	hostname_lookups = no 
63.
	max_request_time = 30 
64.
	cleanup_delay = 5 
65.
	max_requests = 1024 
66.
	allow_core_dumps = no 
67.
	pidfile = "/var/run/radiusd/radiusd.pid" 
68.
	checkrad = "/usr/sbin/checkrad" 
69.
	debug_level = 0 
70.
	proxy_requests = yes 
71.
 log { 
72.
	stripped_names = no 
73.
	auth = no 
74.
	auth_badpass = no 
75.
	auth_goodpass = no 
76.
77.
 security { 
78.
	max_attributes = 200 
79.
	reject_delay = 1 
80.
	status_server = yes 
81.
82.
83.
 client localhost { 
84.
	ipaddr = 127.0.0.1 
85.
	require_message_authenticator = no 
86.
	secret = "testing123" 
87.
	nastype = "other" 
88.
89.
radiusd: #### Loading Realms and Home Servers #### 
90.
 proxy server { 
91.
	retry_delay = 5 
92.
	retry_count = 3 
93.
	default_fallback = no 
94.
	dead_time = 120 
95.
	wake_all_if_all_dead = no 
96.
97.
 home_server localhost { 
98.
	ipaddr = 127.0.0.1 
99.
	port = 1812 
100.
	type = "auth" 
101.
	secret = "testing123" 
102.
	response_window = 20 
103.
	max_outstanding = 65536 
104.
	zombie_period = 40 
105.
	status_check = "status-server" 
106.
	ping_interval = 30 
107.
	check_interval = 30 
108.
	num_answers_to_alive = 3 
109.
	num_pings_to_alive = 3 
110.
	revive_interval = 120 
111.
	status_check_timeout = 4 
112.
113.
 home_server_pool my_auth_failover { 
114.
	type = fail-over 
115.
	home_server = localhost 
116.
117.
 realm example.com { 
118.
	auth_pool = my_auth_failover 
119.
120.
 realm LOCAL { 
121.
122.
radiusd: #### Instantiating modules #### 
123.
 instantiate { 
124.
 Module: Linked to module rlm_exec 
125.
 Module: Instantiating exec 
126.
  exec { 
127.
	wait = no 
128.
	input_pairs = "request" 
129.
	shell_escape = yes 
130.
131.
 Module: Linked to module rlm_expr 
132.
 Module: Instantiating expr 
133.
 Module: Linked to module rlm_expiration 
134.
 Module: Instantiating expiration 
135.
  expiration { 
136.
	reply-message = "Password Has Expired  " 
137.
138.
 Module: Linked to module rlm_logintime 
139.
 Module: Instantiating logintime 
140.
  logintime { 
141.
	reply-message = "You are calling outside your allowed timespan  " 
142.
	minimum-timeout = 60 
143.
144.
145.
radiusd: #### Loading Virtual Servers #### 
146.
server inner-tunnel { 
147.
 modules { 
148.
 Module: Checking authenticate {...} for more modules to load 
149.
 Module: Linked to module rlm_pap 
150.
 Module: Instantiating pap 
151.
  pap { 
152.
	encryption_scheme = "auto" 
153.
	auto_header = no 
154.
155.
 Module: Linked to module rlm_chap 
156.
 Module: Instantiating chap 
157.
 Module: Linked to module rlm_mschap 
158.
 Module: Instantiating mschap 
159.
  mschap { 
160.
	use_mppe = yes 
161.
	require_encryption = no 
162.
	require_strong = no 
163.
	with_ntdomain_hack = no 
164.
165.
 Module: Linked to module rlm_unix 
166.
 Module: Instantiating unix 
167.
  unix { 
168.
	radwtmp = "/var/log/freeradius/radwtmp" 
169.
170.
 Module: Linked to module rlm_eap 
171.
 Module: Instantiating eap 
172.
  eap { 
173.
	default_eap_type = "md5" 
174.
	timer_expire = 60 
175.
	ignore_unknown_eap_types = no 
176.
	cisco_accounting_username_bug = no 
177.
	max_sessions = 2048 
178.
179.
 Module: Linked to sub-module rlm_eap_md5 
180.
 Module: Instantiating eap-md5 
181.
 Module: Linked to sub-module rlm_eap_leap 
182.
 Module: Instantiating eap-leap 
183.
 Module: Linked to sub-module rlm_eap_gtc 
184.
 Module: Instantiating eap-gtc 
185.
   gtc { 
186.
	challenge = "Password: " 
187.
	auth_type = "PAP" 
188.
189.
Ignoring EAP-Type/tls because we do not have OpenSSL support. 
190.
Ignoring EAP-Type/ttls because we do not have OpenSSL support. 
191.
Ignoring EAP-Type/peap because we do not have OpenSSL support. 
192.
 Module: Linked to sub-module rlm_eap_mschapv2 
193.
 Module: Instantiating eap-mschapv2 
194.
   mschapv2 { 
195.
	with_ntdomain_hack = no 
196.
197.
 Module: Checking authorize {...} for more modules to load 
198.
 Module: Linked to module rlm_realm 
199.
 Module: Instantiating suffix 
200.
  realm suffix { 
201.
	format = "suffix" 
202.
	delimiter = "@" 
203.
	ignore_default = no 
204.
	ignore_null = no 
205.
206.
 Module: Linked to module rlm_files 
207.
 Module: Instantiating files 
208.
  files { 
209.
	usersfile = "/etc/freeradius//users" 
210.
	acctusersfile = "/etc/freeradius//acct_users" 
211.
	preproxy_usersfile = "/etc/freeradius//preproxy_users" 
212.
	compat = "no" 
213.
214.
 Module: Checking session {...} for more modules to load 
215.
 Module: Linked to module rlm_radutmp 
216.
 Module: Instantiating radutmp 
217.
  radutmp { 
218.
	filename = "/var/log/freeradius/radutmp" 
219.
	username = "%{User-Name}" 
220.
	case_sensitive = yes 
221.
	check_with_nas = yes 
222.
	perm = 384 
223.
	callerid = yes 
224.
225.
 Module: Checking post-proxy {...} for more modules to load 
226.
 Module: Checking post-auth {...} for more modules to load 
227.
 Module: Linked to module rlm_attr_filter 
228.
 Module: Instantiating attr_filter.access_reject 
229.
  attr_filter attr_filter.access_reject { 
230.
	attrsfile = "/etc/freeradius//attrs.access_reject" 
231.
	key = "%{User-Name}" 
232.
233.
234.
235.
 modules { 
236.
 Module: Checking authenticate {...} for more modules to load 
237.
 Module: Checking authorize {...} for more modules to load 
238.
 Module: Linked to module rlm_preprocess 
239.
 Module: Instantiating preprocess 
240.
  preprocess { 
241.
	huntgroups = "/etc/freeradius//huntgroups" 
242.
	hints = "/etc/freeradius//hints" 
243.
	with_ascend_hack = no 
244.
	ascend_channels_per_line = 23 
245.
	with_ntdomain_hack = no 
246.
	with_specialix_jetstream_hack = no 
247.
	with_cisco_vsa_hack = no 
248.
	with_alvarion_vsa_hack = no 
249.
250.
 Module: Checking preacct {...} for more modules to load 
251.
 Module: Linked to module rlm_acct_unique 
252.
 Module: Instantiating acct_unique 
253.
  acct_unique { 
254.
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" 
255.
256.
 Module: Checking accounting {...} for more modules to load 
257.
 Module: Linked to module rlm_detail 
258.
 Module: Instantiating detail 
259.
  detail { 
260.
	detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" 
261.
	header = "%t" 
262.
	detailperm = 384 
263.
	dirperm = 493 
264.
	locking = no 
265.
	log_packet_header = no 
266.
267.
 Module: Instantiating attr_filter.accounting_response 
268.
  attr_filter attr_filter.accounting_response { 
269.
	attrsfile = "/etc/freeradius//attrs.accounting_response" 
270.
	key = "%{User-Name}" 
271.
272.
 Module: Checking session {...} for more modules to load 
273.
 Module: Checking post-proxy {...} for more modules to load 
274.
 Module: Checking post-auth {...} for more modules to load 
275.
276.
radiusd: #### Opening IP addresses and Ports #### 
277.
listen { 
278.
	type = "auth" 
279.
	ipaddr = * 
280.
	port = 0 
281.
Failed binding to socket: Address already in use  
282.
/etc/freeradius//radiusd.conf[236]: Error binding to port for 0.0.0.0 port 1812
Die Fehlermeldung am Schluss ist Nebensache, die habe ich erst seit heute und habe ich noch nicht Versucht zu lösen.

Ich muss gestehen ich arbeite sonst nie mit Linux, es ist nur für ein Abschlussprojekt.

Hier die radiusd.conf


01.
# -*- text -*- 
02.
## 
03.
## radiusd.conf	-- FreeRADIUS server configuration file. 
04.
## 
05.
##	http://www.freeradius.org/ 
06.
##	$Id$ 
07.
## 
08.
 
09.
###################################################################### 
10.
11.
#	Read "man radiusd" before editing this file.  See the section 
12.
#	titled DEBUGGING.  It outlines a method where you can quickly 
13.
#	obtain the configuration you want, without running into 
14.
#	trouble. 
15.
16.
#	Run the server in debugging mode, and READ the output. 
17.
18.
#		$ radiusd -X 
19.
20.
#	We cannot emphasize this point strongly enough.  The vast 
21.
#	majority of problems can be solved by carefully reading the 
22.
#	debugging output, which includes warnings about common issues, 
23.
#	and suggestions for how they may be fixed. 
24.
25.
#	There may be a lot of output, but look carefully for words like: 
26.
#	"warning", "error", "reject", or "failure".  The messages there 
27.
#	will usually be enough to guide you to a solution. 
28.
29.
#	If you are going to ask a question on the mailing list, then 
30.
#	explain what you are trying to do, and include the output from 
31.
#	debugging mode (radiusd -X).  Failure to do so means that all 
32.
#	of the responses to your question will be people telling you 
33.
#	to "post the output of radiusd -X". 
34.
 
35.
###################################################################### 
36.
37.
#  	The location of other config files and logfiles are declared 
38.
#  	in this file. 
39.
40.
#  	Also general configuration for modules can be done in this 
41.
#  	file, it is exported through the API to modules that ask for 
42.
#  	it. 
43.
44.
#	See "man radiusd.conf" for documentation on the format of this 
45.
#	file.  Note that the individual configuration items are NOT 
46.
#	documented in that "man" page.  They are only documented here, 
47.
#	in the comments. 
48.
49.
#	As of 2.0.0, FreeRADIUS supports a simple processing language 
50.
#	in the "authorize", "authenticate", "accounting", etc. sections. 
51.
#	See "man unlang" for details. 
52.
53.
 
54.
prefix = /usr 
55.
exec_prefix = /usr 
56.
sysconfdir = /etc 
57.
localstatedir = /var 
58.
sbindir = ${exec_prefix}/sbin 
59.
logdir = /var/log/freeradius 
60.
raddbdir = /etc/freeradius 
61.
radacctdir = ${logdir}/radacct 
62.
 
63.
#  Location of config and logfiles. 
64.
confdir = ${raddbdir} 
65.
run_dir = ${localstatedir}/run/radiusd 
66.
 
67.
# Should likely be ${localstatedir}/lib/radiusd 
68.
db_dir = ${raddbdir} 
69.
 
70.
71.
# libdir: Where to find the rlm_* modules. 
72.
73.
#   This should be automatically set at configuration time. 
74.
75.
#   If the server builds and installs, but fails at execution time 
76.
#   with an 'undefined symbol' error, then you can use the libdir 
77.
#   directive to work around the problem. 
78.
79.
#   The cause is usually that a library has been installed on your 
80.
#   system in a place where the dynamic linker CANNOT find it.  When 
81.
#   executing as root (or another user), your personal environment MAY 
82.
#   be set up to allow the dynamic linker to find the library.  When 
83.
#   executing as a daemon, FreeRADIUS MAY NOT have the same 
84.
#   personalized configuration. 
85.
86.
#   To work around the problem, find out which library contains that symbol, 
87.
#   and add the directory containing that library to the end of 'libdir', 
88.
#   with a colon separating the directory names.  NO spaces are allowed. 
89.
90.
#   e.g. libdir = /usr/local/lib:/opt/package/lib 
91.
92.
#   You can also try setting the LD_LIBRARY_PATH environment variable 
93.
#   in a script which starts the server. 
94.
95.
#   If that does not work, then you can re-configure and re-build the 
96.
#   server to NOT use shared libraries, via: 
97.
98.
#	./configure --disable-shared 
99.
#	make 
100.
#	make install 
101.
102.
libdir = /usr/lib/freeradius 
103.
 
104.
#  pidfile: Where to place the PID of the RADIUS server. 
105.
106.
#  The server may be signalled while it's running by using this 
107.
#  file. 
108.
109.
#  This file is written when ONLY running in daemon mode. 
110.
111.
#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid` 
112.
113.
pidfile = ${run_dir}/radiusd.pid 
114.
 
115.
#  chroot: directory where the server does "chroot". 
116.
117.
#  The chroot is done very early in the process of starting the server. 
118.
#  After the chroot has been performed it switches to the "user" listed 
119.
#  below (which MUST be specified).  If "group" is specified, it switchs 
120.
#  to that group, too.  Any other groups listed for the specified "user" 
121.
#  in "/etc/group" are also added as part of this process. 
122.
123.
#  The current working directory (chdir / cd) is left *outside* of the 
124.
#  chroot until all of the modules have been initialized.  This allows 
125.
#  the "raddb" directory to be left outside of the chroot.  Once the 
126.
#  modules have been initialized, it does a "chdir" to ${logdir}.  This 
127.
#  means that it should be impossible to break out of the chroot. 
128.
129.
#  If you are worried about security issues related to this use of chdir, 
130.
#  then simply ensure that the "raddb" directory is inside of the chroot, 
131.
#  end be sure to do "cd raddb" BEFORE starting the server. 
132.
133.
#  If the server is statically linked, then the only files that have 
134.
#  to exist in the chroot are ${run_dir} and ${logdir}.  If you do the 
135.
#  "cd raddb" as discussed above, then the "raddb" directory has to be 
136.
#  inside of the chroot directory, too. 
137.
138.
#chroot = /path/to/chroot/directory 
139.
 
140.
# user/group: The name (or #number) of the user/group to run radiusd as. 
141.
142.
#   If these are commented out, the server will run as the user/group 
143.
#   that started it.  In order to change to a different user/group, you 
144.
#   MUST be root ( or have root privleges ) to start the server. 
145.
146.
#   We STRONGLY recommend that you run the server with as few permissions 
147.
#   as possible.  That is, if you're not using shadow passwords, the 
148.
#   user and group items below should be set to radius'. 
149.
150.
#  NOTE that some kernels refuse to setgid(group) when the value of 
151.
#  (unsigned)group is above 60000; don't use group nobody on these systems! 
152.
153.
#  On systems with shadow passwords, you might have to set 'group = shadow' 
154.
#  for the server to be able to read the shadow password file.  If you can 
155.
#  authenticate users while in debug mode, but not in daemon mode, it may be 
156.
#  that the debugging mode server is running as a user that can read the 
157.
#  shadow info, and the user listed below can not. 
158.
159.
#  The server will also try to use "initgroups" to read /etc/groups. 
160.
#  It will join all groups where "user" is a member.  This can allow 
161.
#  for some finer-grained access controls. 
162.
163.
#user = radius 
164.
#group = radius 
165.
 
166.
#  max_request_time: The maximum time (in seconds) to handle a request. 
167.
168.
#  Requests which take more time than this to process may be killed, and 
169.
#  a REJECT message is returned. 
170.
171.
#  WARNING: If you notice that requests take a long time to be handled, 
172.
#  then this MAY INDICATE a bug in the server, in one of the modules 
173.
#  used to handle a request, OR in your local configuration. 
174.
175.
#  This problem is most often seen when using an SQL database.  If it takes 
176.
#  more than a second or two to receive an answer from the SQL database, 
177.
#  then it probably means that you haven't indexed the database.  See your 
178.
#  SQL server documentation for more information. 
179.
180.
#  Useful range of values: 5 to 120 
181.
182.
max_request_time = 30 
183.
 
184.
#  cleanup_delay: The time to wait (in seconds) before cleaning up 
185.
#  a reply which was sent to the NAS. 
186.
187.
#  The RADIUS request is normally cached internally for a short period 
188.
#  of time, after the reply is sent to the NAS.  The reply packet may be 
189.
#  lost in the network, and the NAS will not see it.  The NAS will then 
190.
#  re-send the request, and the server will respond quickly with the 
191.
#  cached reply. 
192.
193.
#  If this value is set too low, then duplicate requests from the NAS 
194.
#  MAY NOT be detected, and will instead be handled as seperate requests. 
195.
196.
#  If this value is set too high, then the server will cache too many 
197.
#  requests, and some new requests may get blocked.  (See 'max_requests'.) 
198.
199.
#  Useful range of values: 2 to 10 
200.
201.
cleanup_delay = 5 
202.
 
203.
#  max_requests: The maximum number of requests which the server keeps 
204.
#  track of.  This should be 256 multiplied by the number of clients. 
205.
#  e.g. With 4 clients, this number should be 1024. 
206.
207.
#  If this number is too low, then when the server becomes busy, 
208.
#  it will not respond to any new requests, until the 'cleanup_delay' 
209.
#  time has passed, and it has removed the old requests. 
210.
211.
#  If this number is set too high, then the server will use a bit more 
212.
#  memory for no real benefit. 
213.
214.
#  If you aren't sure what it should be set to, it's better to set it 
215.
#  too high than too low.  Setting it to 1000 per client is probably 
216.
#  the highest it should be. 
217.
218.
#  Useful range of values: 256 to infinity 
219.
220.
max_requests = 1024 
221.
 
222.
#  listen: Make the server listen on a particular IP address, and send 
223.
#  replies out from that address. This directive is most useful for 
224.
#  hosts with multiple IP addresses on one interface. 
225.
226.
#  If you want the server to listen on additional addresses, or on 
227.
#  additionnal ports, you can use multiple "listen" sections. 
228.
229.
#  Each section make the server listen for only one type of packet, 
230.
#  therefore authentication and accounting have to be configured in 
231.
#  different sections. 
232.
233.
#  The server ignore all "listen" section if you are using '-i' and '-p' 
234.
#  on the command line. 
235.
236.
listen { 
237.
	#  Type of packets to listen for. 
238.
	#  Allowed values are: 
239.
	#	auth	listen for authentication packets 
240.
	#	acct	listen for accounting packets 
241.
	#	proxy   IP to use for sending proxied packets 
242.
	#	detail  Read from the detail file.  For examples, see 
243.
	#               raddb/sites-available/copy-acct-to-home-server 
244.
245.
	type = auth 
246.
 
247.
	#  Note: "type = proxy" lets you control the source IP used for 
248.
	#        proxying packets, with some limitations: 
249.
250.
	#    * Only ONE proxy listener can be defined. 
251.
	#    * A proxy listener CANNOT be used in a virtual server section. 
252.
	#    * You should probably set "port = 0". 
253.
	#    * Any "clients" configuration will be ignored. 
254.
 
255.
	#  IP address on which to listen. 
256.
	#  Allowed values are: 
257.
	#	dotted quad (1.2.3.4) 
258.
	#       hostname    (radius.example.com) 
259.
	#       wildcard    (*) 
260.
	ipaddr = * 
261.
 
262.
	#  OR, you can use an IPv6 address, but not both 
263.
	#  at the same time. 
264.
#	ipv6addr = ::	# any.  ::1 == localhost 
265.
 
266.
	#  Port on which to listen. 
267.
	#  Allowed values are: 
268.
	#	integer port number (1812) 
269.
	#	0 means "use /etc/services for the proper port" 
270.
	port = 0 
271.
 
272.
	#  Some systems support binding to an interface, in addition 
273.
	#  to the IP address.  This feature isn't strictly necessary, 
274.
	#  but for sites with many IP addresses on one interface, 
275.
	#  it's useful to say "listen on all addresses for eth0". 
276.
277.
	#  If your system does not support this feature, you will 
278.
	#  get an error if you try to use it. 
279.
280.
#	interface = eth0 
281.
 
282.
	#  Per-socket lists of clients.  This is a very useful feature. 
283.
284.
	#  The name here is a reference to a section elsewhere in 
285.
	#  radiusd.conf, or clients.conf.  Having the name as 
286.
	#  a reference allows multiple sockets to use the same 
287.
	#  set of clients. 
288.
289.
	#  If this configuration is used, then the global list of clients 
290.
	#  is IGNORED for this "listen" section.  Take care configuring 
291.
	#  this feature, to ensure you don't accidentally disable a 
292.
	#  client you need. 
293.
294.
	#  See clients.conf for the configuration of "per_socket_clients". 
295.
296.
#	clients = per_socket_clients 
297.
298.
 
299.
#  This second "listen" section is for listening on the accounting 
300.
#  port, too. 
301.
302.
listen { 
303.
	ipaddr = * 
304.
#	ipv6addr = :: 
305.
	port = 0 
306.
	type = acct 
307.
#	interface = eth0 
308.
#	clients = per_socket_clients 
309.
310.
 
311.
#  hostname_lookups: Log the names of clients or just their IP addresses 
312.
#  e.g., www.freeradius.org (on) or 206.47.27.232 (off). 
313.
314.
#  The default is 'off' because it would be overall better for the net 
315.
#  if people had to knowingly turn this feature on, since enabling it 
316.
#  means that each client request will result in AT LEAST one lookup 
317.
#  request to the nameserver.   Enabling hostname_lookups will also 
318.
#  mean that your server may stop randomly for 30 seconds from time 
319.
#  to time, if the DNS requests take too long. 
320.
321.
#  Turning hostname lookups off also means that the server won't block 
322.
#  for 30 seconds, if it sees an IP address which has no name associated 
323.
#  with it. 
324.
325.
#  allowed values: {no, yes} 
326.
327.
hostname_lookups = no 
328.
 
329.
#  Core dumps are a bad thing.  This should only be set to 'yes' 
330.
#  if you're debugging a problem with the server. 
331.
332.
#  allowed values: {no, yes} 
333.
334.
allow_core_dumps = no 
335.
 
336.
#  Regular expressions 
337.
338.
#  These items are set at configure time.  If they're set to "yes", 
339.
#  then setting them to "no" turns off regular expression support. 
340.
341.
#  If they're set to "no" at configure time, then setting them to "yes" 
342.
#  WILL NOT WORK.  It will give you an error. 
343.
344.
regular_expressions	= yes 
345.
extended_expressions	= yes 
346.
 
347.
348.
#  Logging section.  The various "log_*" configuration items 
349.
#  will eventually be moved here. 
350.
351.
log { 
352.
353.
	#  Destination for log messages.  This can be one of: 
354.
355.
	#	files - log to "file", as defined below. 
356.
	#	syslog - to syslog (see also the "syslog_facility", below. 
357.
	#	stdout - standard output 
358.
	#	stderr - standard error. 
359.
360.
	#  The command-line option "-X" over-rides this option, and forces 
361.
	#  logging to go to stdout. 
362.
363.
	destination = files 
364.
 
365.
366.
	#  The logging messages for the server are appended to the 
367.
	#  tail of this file if destination == "files" 
368.
369.
	#  If the server is running in debugging mode, this file is 
370.
	#  NOT used. 
371.
372.
	file = ${logdir}/radius.log 
373.
 
374.
375.
	#  If this configuration parameter is set, then log messages for 
376.
	#  a *request* go to this file, rather than to radius.log. 
377.
378.
	#  i.e. This is a log file per request, once the server has accepted 
379.
	#  the request as being from a valid client.  Messages that are 
380.
	#  not associated with a request still go to radius.log. 
381.
382.
	#  Not all log messages in the server core have been updated to use 
383.
	#  this new internal API.  As a result, some messages will still 
384.
	#  go to radius.log.  Please submit patches to fix this behavior. 
385.
386.
	#  The file name is expanded dynamically.  You should ONLY user 
387.
	#  server-side attributes for the filename (e.g. things you control). 
388.
	#  Using this feature MAY also slow down the server substantially, 
389.
	#  especially if you do thinks like SQL calls as part of the 
390.
	#  expansion of the filename. 
391.
392.
	#  The name of the log file should use attributes that don't change 
393.
	#  over the lifetime of a request, such as User-Name, 
394.
	#  Virtual-Server or Packet-Src-IP-Address.  Otherwise, the log 
395.
	#  messages will be distributed over multiple files. 
396.
397.
	#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log 
398.
 
399.
400.
	#  Which syslog facility to use, if ${destination} == "syslog" 
401.
402.
	#  The exact values permitted here are OS-dependent.  You probably 
403.
	#  don't want to change this. 
404.
405.
	syslog_facility = daemon 
406.
 
407.
	#  Log the full User-Name attribute, as it was found in the request. 
408.
409.
	# allowed values: {no, yes} 
410.
411.
	stripped_names = no 
412.
 
413.
	#  Log authentication requests to the log file. 
414.
415.
	#  allowed values: {no, yes} 
416.
417.
	auth = no 
418.
 
419.
	#  Log passwords with the authentication requests. 
420.
	#  auth_badpass  - logs password if it's rejected 
421.
	#  auth_goodpass - logs password if it's correct 
422.
423.
	#  allowed values: {no, yes} 
424.
425.
	auth_badpass = no 
426.
	auth_goodpass = no 
427.
428.
 
429.
#  The program to execute to do concurrency checks. 
430.
checkrad = ${sbindir}/checkrad 
431.
 
432.
# SECURITY CONFIGURATION 
433.
434.
#  There may be multiple methods of attacking on the server.  This 
435.
#  section holds the configuration items which minimize the impact 
436.
#  of those attacks 
437.
438.
security { 
439.
440.
	#  max_attributes: The maximum number of attributes 
441.
	#  permitted in a RADIUS packet.  Packets which have MORE 
442.
	#  than this number of attributes in them will be dropped. 
443.
444.
	#  If this number is set too low, then no RADIUS packets 
445.
	#  will be accepted. 
446.
447.
	#  If this number is set too high, then an attacker may be 
448.
	#  able to send a small number of packets which will cause 
449.
	#  the server to use all available memory on the machine. 
450.
451.
	#  Setting this number to 0 means "allow any number of attributes" 
452.
	max_attributes = 200 
453.
 
454.
455.
	#  reject_delay: When sending an Access-Reject, it can be 
456.
	#  delayed for a few seconds.  This may help slow down a DoS 
457.
	#  attack.  It also helps to slow down people trying to brute-force 
458.
	#  crack a users password. 
459.
460.
	#  Setting this number to 0 means "send rejects immediately" 
461.
462.
	#  If this number is set higher than 'cleanup_delay', then the 
463.
	#  rejects will be sent at 'cleanup_delay' time, when the request 
464.
	#  is deleted from the internal cache of requests. 
465.
466.
	#  Useful ranges: 1 to 5 
467.
	reject_delay = 1 
468.
 
469.
470.
	#  status_server: Whether or not the server will respond 
471.
	#  to Status-Server requests. 
472.
473.
	#  When sent a Status-Server message, the server responds with 
474.
	#  an Access-Accept or Accounting-Response packet. 
475.
476.
	#  This is mainly useful for administrators who want to "ping" 
477.
	#  the server, without adding test users, or creating fake 
478.
	#  accounting packets. 
479.
480.
	#  It's also useful when a NAS marks a RADIUS server "dead". 
481.
	#  The NAS can periodically "ping" the server with a Status-Server 
482.
	#  packet.  If the server responds, it must be alive, and the 
483.
	#  NAS can start using it for real requests. 
484.
485.
	status_server = yes 
486.
487.
 
488.
# PROXY CONFIGURATION 
489.
490.
#  proxy_requests: Turns proxying of RADIUS requests on or off. 
491.
492.
#  The server has proxying turned on by default.  If your system is NOT 
493.
#  set up to proxy requests to another server, then you can turn proxying 
494.
#  off here.  This will save a small amount of resources on the server. 
495.
496.
#  If you have proxying turned off, and your configuration files say 
497.
#  to proxy a request, then an error message will be logged. 
498.
499.
#  To disable proxying, change the "yes" to "no", and comment the 
500.
#  $INCLUDE line. 
501.
502.
#  allowed values: {no, yes} 
503.
504.
proxy_requests  = yes 
505.
$INCLUDE proxy.conf 
506.
 
507.
 
508.
# CLIENTS CONFIGURATION 
509.
510.
#  Client configuration is defined in "clients.conf".   
511.
512.
 
513.
#  The 'clients.conf' file contains all of the information from the old 
514.
#  'clients' and 'naslist' configuration files.  We recommend that you 
515.
#  do NOT use 'client's or 'naslist', although they are still 
516.
#  supported. 
517.
518.
#  Anything listed in 'clients.conf' will take precedence over the 
519.
#  information from the old-style configuration files. 
520.
521.
$INCLUDE clients.conf 
522.
 
523.
 
524.
# THREAD POOL CONFIGURATION 
525.
526.
#  The thread pool is a long-lived group of threads which 
527.
#  take turns (round-robin) handling any incoming requests. 
528.
529.
#  You probably want to have a few spare threads around, 
530.
#  so that high-load situations can be handled immediately.  If you 
531.
#  don't have any spare threads, then the request handling will 
532.
#  be delayed while a new thread is created, and added to the pool. 
533.
534.
#  You probably don't want too many spare threads around, 
535.
#  otherwise they'll be sitting there taking up resources, and 
536.
#  not doing anything productive. 
537.
538.
#  The numbers given below should be adequate for most situations. 
539.
540.
thread pool { 
541.
	#  Number of servers to start initially --- should be a reasonable 
542.
	#  ballpark figure. 
543.
	start_servers = 5 
544.
 
545.
	#  Limit on the total number of servers running. 
546.
547.
	#  If this limit is ever reached, clients will be LOCKED OUT, so it 
548.
	#  should NOT BE SET TOO LOW.  It is intended mainly as a brake to 
549.
	#  keep a runaway server from taking the system with it as it spirals 
550.
	#  down... 
551.
552.
	#  You may find that the server is regularly reaching the 
553.
	#  'max_servers' number of threads, and that increasing 
554.
	#  'max_servers' doesn't seem to make much difference. 
555.
556.
	#  If this is the case, then the problem is MOST LIKELY that 
557.
	#  your back-end databases are taking too long to respond, and 
558.
	#  are preventing the server from responding in a timely manner. 
559.
560.
	#  The solution is NOT do keep increasing the 'max_servers' 
561.
	#  value, but instead to fix the underlying cause of the 
562.
	#  problem: slow database, or 'hostname_lookups=yes'. 
563.
564.
	#  For more information, see 'max_request_time', above. 
565.
566.
	max_servers = 32 
567.
 
568.
	#  Server-pool size regulation.  Rather than making you guess 
569.
	#  how many servers you need, FreeRADIUS dynamically adapts to 
570.
	#  the load it sees, that is, it tries to maintain enough 
571.
	#  servers to handle the current load, plus a few spare 
572.
	#  servers to handle transient load spikes. 
573.
574.
	#  It does this by periodically checking how many servers are 
575.
	#  waiting for a request.  If there are fewer than 
576.
	#  min_spare_servers, it creates a new spare.  If there are 
577.
	#  more than max_spare_servers, some of the spares die off. 
578.
	#  The default values are probably OK for most sites. 
579.
580.
	min_spare_servers = 3 
581.
	max_spare_servers = 10 
582.
 
583.
	#  There may be memory leaks or resource allocation problems with 
584.
	#  the server.  If so, set this value to 300 or so, so that the 
585.
	#  resources will be cleaned up periodically. 
586.
587.
	#  This should only be necessary if there are serious bugs in the 
588.
	#  server which have not yet been fixed. 
589.
590.
	#  '0' is a special value meaning 'infinity', or 'the servers never 
591.
	#  exit' 
592.
	max_requests_per_server = 0 
593.
594.
 
595.
# MODULE CONFIGURATION 
596.
597.
#  The names and configuration of each module is located in this section. 
598.
599.
#  After the modules are defined here, they may be referred to by name, 
600.
#  in other sections of this configuration file. 
601.
602.
modules { 
603.
604.
	#  Each module has a configuration as follows: 
605.
606.
	#	name [ instance ] { 
607.
	#		config_item = value 
608.
	#		... 
609.
	#	} 
610.
611.
	#  The 'name' is used to load the 'rlm_name' library 
612.
	#  which implements the functionality of the module. 
613.
614.
	#  The 'instance' is optional.  To have two different instances 
615.
	#  of a module, it first must be referred to by 'name'. 
616.
	#  The different copies of the module are then created by 
617.
	#  inventing two 'instance' names, e.g. 'instance1' and 'instance2' 
618.
619.
	#  The instance names can then be used in later configuration 
620.
	#  INSTEAD of the original 'name'.  See the 'radutmp' configuration 
621.
	#  for an example. 
622.
623.
 
624.
625.
	#  As of 2.0.5, most of the module configurations are in a 
626.
	#  sub-directory.  Files matching the regex /[a-zA-Z0-9_.]+/ 
627.
	#  are loaded.  The modules are initialized ONLY if they are 
628.
	#  referenced in a processing section, such as authorize, 
629.
	#  authenticate, accounting, pre/post-proxy, etc. 
630.
631.
	$INCLUDE ${confdir}/modules/ 
632.
 
633.
	#  Extensible Authentication Protocol 
634.
635.
	#  For all EAP related authentications. 
636.
	#  Now in another file, because it is very large. 
637.
638.
	$INCLUDE eap.conf 
639.
 
640.
	#  Include another file that has the SQL-related configuration. 
641.
	#  This is another file only because it tends to be big. 
642.
643.
	#$INCLUDE sql.conf 
644.
 
645.
646.
	#  This module is an SQL enabled version of the counter module. 
647.
648.
	#  Rather than maintaining seperate (GDBM) databases of 
649.
	#  accounting info for each counter, this module uses the data 
650.
	#  stored in the raddacct table by the sql modules. This 
651.
	#  module NEVER does any database INSERTs or UPDATEs.  It is 
652.
	#  totally dependent on the SQL module to process Accounting 
653.
	#  packets. 
654.
655.
	#$INCLUDE sql/mysql/counter.conf 
656.
	#$INCLUDE sql/postgresql/counter.conf 
657.
 
658.
659.
	#  IP addresses managed in an SQL table. 
660.
661.
	#$INCLUDE sqlippool.conf 
662.
 
663.
	# OTP token support.  Not included by default. 
664.
	# $INCLUDE otp.conf 
665.
ldap ldap_1x { 
666.
                server = "srvgrp7" 
667.
                identity = "uid=admin,cn=admin,dc=grp7,dc=local" 
668.
                password = "1234qwer" 
669.
                basedn = "dc=grp7,dc=local" 
670.
 
671.
                base_filter = "(objectclass=)" 
672.
                start_tls = yes 
673.
                # This is your Certificate Authority (CA) certificate 
674.
                tls_cacertfile = /etc/ldap/certs/server.crt 
675.
                tls_require_cert = "demand" 
676.
                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" 
677.
                # profile_attribute = "radiusProfileDn" 
678.
                access_attr = "uid" 
679.
                dictionary_mapping = ${raddbdir}/ldap.attrmap 
680.
                authtype = ldap 
681.
 
682.
                ldap_connections_number = 5 
683.
                timeout = 4 
684.
                timelimit = 3 
685.
                net_timeout = 1 
686.
687.
 
688.
# under MODULES, make sure mschap is uncommented! 
689.
    mschap { 
690.
      # authtype value, if present, will be used 
691.
      # to overwrite (or add) Auth-Type during 
692.
      # authorization. Normally, should be MS-CHAP 
693.
      authtype = MS-CHAP 
694.
 
695.
      # if use_mppe is not set to no, mschap will 
696.
      # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and 
697.
      # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 
698.
699.
      use_mppe = yes 
700.
 
701.
      # if mppe is enabled, require_encryption makes 
702.
      # encryption moderate 
703.
704.
      require_encryption = yes 
705.
 
706.
      # require_strong always requires 128 bit key 
707.
      # encryption 
708.
709.
      require_strong = yes 
710.
 
711.
      authtype = MS-CHAP 
712.
      # The module can perform authentication itself, OR 
713.
      # use a Windows Domain Controller. See the radius.conf file 
714.
      # for how to do this. 
715.
716.
717.
 
718.
# Instantiation 
719.
720.
#  This section orders the loading of the modules.  Modules 
721.
#  listed here will get loaded BEFORE the later sections like 
722.
#  authorize, authenticate, etc. get examined. 
723.
724.
#  This section is not strictly needed.  When a section like 
725.
#  authorize refers to a module, it's automatically loaded and 
726.
#  initialized.  However, some modules may not be listed in any 
727.
#  of the following sections, so they can be listed here. 
728.
729.
#  Also, listing modules here ensures that you have control over 
730.
#  the order in which they are initalized.  If one module needs 
731.
#  something defined by another module, you can list them in order 
732.
#  here, and ensure that the configuration will be OK. 
733.
734.
instantiate { 
735.
736.
	#  Allows the execution of external scripts. 
737.
	#  The entire command line (and output) must fit into 253 bytes. 
738.
739.
	#  e.g. Framed-Pool = `%{exec:/bin/echo foo}` 
740.
	exec 
741.
 
742.
743.
	#  The expression module doesn't do authorization, 
744.
	#  authentication, or accounting.  It only does dynamic 
745.
	#  translation, of the form: 
746.
747.
	#	Session-Timeout = `%{expr:2 + 3}` 
748.
749.
	#  So the module needs to be instantiated, but CANNOT be 
750.
	#  listed in any other section.  See 'doc/rlm_expr' for 
751.
	#  more information. 
752.
753.
	expr 
754.
 
755.
756.
	# We add the counter module here so that it registers 
757.
	# the check-name attribute before any module which sets 
758.
	# it 
759.
#	daily 
760.
	expiration 
761.
	logintime 
762.
 
763.
	# subsections here can be thought of as "virtual" modules. 
764.
765.
	# e.g. If you have two redundant SQL servers, and you want to 
766.
	# use them in the authorize and accounting sections, you could 
767.
	# place a "redundant" block in each section, containing the 
768.
	# exact same text.  Or, you could uncomment the following 
769.
	# lines, and list "redundant_sql" in the authorize and 
770.
	# accounting sections. 
771.
772.
	#redundant redundant_sql { 
773.
	#	sql1 
774.
	#	sql2 
775.
	#} 
776.
authorize { 
777.
        preprocess 
778.
        mschap 
779.
	suffix 
780.
	eap 
781.
	files 
782.
	chap 
783.
	ldap_1x 
784.
	openssl 
785.
786.
     
787.
    authenticate { 
788.
          
789.
790.
         #  MSCHAP authentication.     
791.
         Auth-Type MS-CHAP { 
792.
               mschap 
793.
794.
	 
795.
796.
         #  Allow EAP authentication. 
797.
         eap 
798.
799.
 
800.
801.
 
802.
###################################################################### 
803.
804.
#	Policies that can be applied in multiple places are listed 
805.
#	globally.  That way, they can be defined once, and referred 
806.
#	to multiple times. 
807.
808.
###################################################################### 
809.
$INCLUDE policy.conf 
810.
 
811.
###################################################################### 
812.
813.
#	As of 2.0.0, the "authorize", "authenticate", etc. sections 
814.
#	are in separate configuration files, per virtual host. 
815.
816.
###################################################################### 
817.
 
818.
###################################################################### 
819.
820.
#	Include all enabled virtual hosts. 
821.
822.
#	The following directory is searched for files that match 
823.
#	the regex: 
824.
825.
#		/[a-zA-Z0-9_.]+/ 
826.
827.
#	The files are then included here, just as if they were cut 
828.
#	and pasted into this file. 
829.
830.
#	See "sites-enabled/default" for some additional documentation. 
831.
832.
$INCLUDE sites-enabled/
Und Hier die eap.conf

01.
# -*- text -*- 
02.
## 
03.
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) 
04.
## 
05.
##	$Id$ 
06.
 
07.
####################################################################### 
08.
09.
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server 
10.
#  is smart enough to figure this out on its own.  The most 
11.
#  common side effect of setting 'Auth-Type := EAP' is that the 
12.
#  users then cannot use ANY other authentication method. 
13.
14.
#  EAP types NOT listed here may be supported via the "eap2" module. 
15.
#  See experimental.conf for documentation. 
16.
17.
	eap { 
18.
		#  Invoke the default supported EAP type when 
19.
		#  EAP-Identity response is received. 
20.
21.
		#  The incoming EAP messages DO NOT specify which EAP 
22.
		#  type they will be using, so it MUST be set here. 
23.
24.
		#  For now, only one default EAP type may be used at a time. 
25.
26.
		#  If the EAP-Type attribute is set by another module, 
27.
		#  then that EAP type takes precedence over the 
28.
		#  default type configured here. 
29.
30.
		default_eap_type = md5 
31.
 
32.
		#  A list is maintained to correlate EAP-Response 
33.
		#  packets with EAP-Request packets.  After a 
34.
		#  configurable length of time, entries in the list 
35.
		#  expire, and are deleted. 
36.
37.
		timer_expire     = 60 
38.
 
39.
		#  There are many EAP types, but the server has support 
40.
		#  for only a limited subset.  If the server receives 
41.
		#  a request for an EAP type it does not support, then 
42.
		#  it normally rejects the request.  By setting this 
43.
		#  configuration to "yes", you can tell the server to 
44.
		#  instead keep processing the request.  Another module 
45.
		#  MUST then be configured to proxy the request to 
46.
		#  another RADIUS server which supports that EAP type. 
47.
48.
		#  If another module is NOT configured to handle the 
49.
		#  request, then the request will still end up being 
50.
		#  rejected. 
51.
		ignore_unknown_eap_types = no 
52.
 
53.
		# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given 
54.
		# a User-Name attribute in an Access-Accept, it copies one 
55.
		# more byte than it should. 
56.
57.
		# We can work around it by configurably adding an extra 
58.
		# zero byte. 
59.
		cisco_accounting_username_bug = no 
60.
 
61.
62.
		#  Help prevent DoS attacks by limiting the number of 
63.
		#  sessions that the server is tracking.  Most systems 
64.
		#  can handle ~30 EAP sessions/s, so the default limit 
65.
		#  of 2048 is more than enough. 
66.
		max_sessions = 2048 
67.
 
68.
		# Supported EAP-types 
69.
 
70.
71.
		#  We do NOT recommend using EAP-MD5 authentication 
72.
		#  for wireless connections.  It is insecure, and does 
73.
		#  not provide for dynamic WEP keys. 
74.
75.
		md5 { 
76.
77.
 
78.
		# Cisco LEAP 
79.
80.
		#  We do not recommend using LEAP in new deployments.  See: 
81.
		#  http://www.securiteam.com/tools/5TP012ACKE.html 
82.
83.
		#  Cisco LEAP uses the MS-CHAP algorithm (but not 
84.
		#  the MS-CHAP attributes) to perform it's authentication. 
85.
86.
		#  As a result, LEAP *requires* access to the plain-text 
87.
		#  User-Password, or the NT-Password attributes. 
88.
		#  'System' authentication is impossible with LEAP. 
89.
90.
		leap { 
91.
92.
 
93.
		#  Generic Token Card. 
94.
95.
		#  Currently, this is only permitted inside of EAP-TTLS, 
96.
		#  or EAP-PEAP.  The module "challenges" the user with 
97.
		#  text, and the response from the user is taken to be 
98.
		#  the User-Password. 
99.
100.
		#  Proxying the tunneled EAP-GTC session is a bad idea, 
101.
		#  the users password will go over the wire in plain-text, 
102.
		#  for anyone to see. 
103.
104.
		gtc { 
105.
			#  The default challenge, which many clients 
106.
			#  ignore.. 
107.
			#challenge = "Password: " 
108.
 
109.
			#  The plain-text response which comes back 
110.
			#  is put into a User-Password attribute, 
111.
			#  and passed to another module for 
112.
			#  authentication.  This allows the EAP-GTC 
113.
			#  response to be checked against plain-text, 
114.
			#  or crypt'd passwords. 
115.
116.
			#  If you say "Local" instead of "PAP", then 
117.
			#  the module will look for a User-Password 
118.
			#  configured for the request, and do the 
119.
			#  authentication itself. 
120.
121.
			auth_type = PAP 
122.
123.
 
124.
		## EAP-TLS 
125.
126.
		#  See raddb/certs/README for additional comments 
127.
		#  on certificates. 
128.
129.
		#  If OpenSSL was not found at the time the server was 
130.
		#  built, the "tls", "ttls", and "peap" sections will 
131.
		#  be ignored. 
132.
133.
		#  Otherwise, when the server first starts in debugging 
134.
		#  mode, test certificates will be created.  See the 
135.
		#  "make_cert_command" below for details, and the README 
136.
		#  file in raddb/certs 
137.
138.
		#  These test certificates SHOULD NOT be used in a normal 
139.
		#  deployment.  They are created only to make it easier 
140.
		#  to install the server, and to perform some simple 
141.
		#  tests with EAP-TLS, TTLS, or PEAP. 
142.
143.
		#  See also: 
144.
145.
		#  http://www.dslreports.com/forum/remark,9286052~mode=flat 
146.
147.
		tls { 
148.
149.
			#  These is used to simplify later configurations. 
150.
151.
			certdir = ${confdir}/certs 
152.
			cadir = ${confdir}/certs 
153.
 
154.
			private_key_password = whatever 
155.
			private_key_file = ${certdir}/server.pem 
156.
 
157.
			#  If Private key & Certificate are located in 
158.
			#  the same file, then private_key_file & 
159.
			#  certificate_file must contain the same file 
160.
			#  name. 
161.
162.
			#  If CA_file (below) is not used, then the 
163.
			#  certificate_file below MUST include not 
164.
			#  only the server certificate, but ALSO all 
165.
			#  of the CA certificates used to sign the 
166.
			#  server certificate. 
167.
			certificate_file = ${certdir}/server.pem 
168.
 
169.
			#  Trusted Root CA list 
170.
171.
			#  ALL of the CA's in this list will be trusted 
172.
			#  to issue client certificates for authentication. 
173.
174.
			#  In general, you should use self-signed 
175.
			#  certificates for 802.1x (EAP) authentication. 
176.
			#  In that case, this CA file should contain 
177.
			#  *one* CA certificate. 
178.
179.
			#  This parameter is used only for EAP-TLS, 
180.
			#  when you issue client certificates.  If you do 
181.
			#  not use client certificates, and you do not want 
182.
			#  to permit EAP-TLS authentication, then delete 
183.
			#  this configuration item. 
184.
			CA_file = ${cadir}/ca.pem 
185.
 
186.
187.
			#  For DH cipher suites to work, you have to 
188.
			#  run OpenSSL to create the DH file first: 
189.
190.
			#  	openssl dhparam -out certs/dh 1024 
191.
192.
			dh_file = ${certdir}/dh 
193.
			random_file = ${certdir}/random 
194.
 
195.
196.
			#  This can never exceed the size of a RADIUS 
197.
			#  packet (4096 bytes), and is preferably half 
198.
			#  that, to accomodate other attributes in 
199.
			#  RADIUS packet.  On most APs the MAX packet 
200.
			#  length is configured between 1500 - 1600 
201.
			#  In these cases, fragment size should be 
202.
			#  1024 or less. 
203.
204.
		#	fragment_size = 1024 
205.
 
206.
			#  include_length is a flag which is 
207.
			#  by default set to yes If set to 
208.
			#  yes, Total Length of the message is 
209.
			#  included in EVERY packet we send. 
210.
			#  If set to no, Total Length of the 
211.
			#  message is included ONLY in the 
212.
			#  First packet of a fragment series. 
213.
214.
		#	include_length = yes 
215.
 
216.
			#  Check the Certificate Revocation List 
217.
218.
			#  1) Copy CA certificates and CRLs to same directory. 
219.
			#  2) Execute 'c_rehash <CA certs&CRLs Directory>'. 
220.
			#    'c_rehash' is OpenSSL's command. 
221.
			#  3) uncomment the line below. 
222.
			#  5) Restart radiusd 
223.
		#	check_crl = yes 
224.
		#	CA_path = /path/to/directory/with/ca_certs/and/crls/ 
225.
 
226.
227.
		       #  If check_cert_issuer is set, the value will 
228.
		       #  be checked against the DN of the issuer in 
229.
		       #  the client certificate.  If the values do not 
230.
		       #  match, the cerficate verification will fail, 
231.
		       #  rejecting the user. 
232.
233.
		#       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" 
234.
 
235.
236.
		       #  If check_cert_cn is set, the value will 
237.
		       #  be xlat'ed and checked against the CN 
238.
		       #  in the client certificate.  If the values 
239.
		       #  do not match, the certificate verification 
240.
		       #  will fail rejecting the user. 
241.
242.
		       #  This check is done only if the previous 
243.
		       #  "check_cert_issuer" is not set, or if 
244.
		       #  the check succeeds. 
245.
246.
		#	check_cert_cn = %{User-Name} 
247.
248.
			# Set this option to specify the allowed 
249.
			# TLS cipher suites.  The format is listed 
250.
			# in "man 1 ciphers". 
251.
			cipher_list = "DEFAULT" 
252.
 
253.
254.
 
255.
			#  This configuration entry should be deleted 
256.
			#  once the server is running in a normal 
257.
			#  configuration.  It is here ONLY to make 
258.
			#  initial deployments easier. 
259.
260.
			make_cert_command = "${certdir}/bootstrap" 
261.
 
262.
263.
			#  Session resumption / fast reauthentication 
264.
			#  cache. 
265.
266.
			cache { 
267.
268.
			      #  Enable it.  The default is "no". 
269.
			      #  Deleting the entire "cache" subsection 
270.
			      #  Also disables caching. 
271.
272.
			      #  You can disallow resumption for a 
273.
			      #  particular user by adding the following 
274.
			      #  attribute to the control item list: 
275.
276.
			      #		Allow-Session-Resumption = No 
277.
278.
			      #  If "enable = no" below, you CANNOT 
279.
			      #  enable resumption for just one user 
280.
			      #  by setting the above attribute to "yes". 
281.
282.
			      enable = no 
283.
 
284.
285.
			      #  Lifetime of the cached entries, in hours. 
286.
			      #  The sessions will be deleted after this 
287.
			      #  time. 
288.
289.
			      lifetime = 24 # hours 
290.
 
291.
292.
			      #  The maximum number of entries in the 
293.
			      #  cache.  Set to "0" for "infinite". 
294.
295.
			      #  This could be set to the number of users 
296.
			      #  who are logged in... which can be a LOT. 
297.
298.
			      max_entries = 255 
299.
300.
301.
 
302.
		#  The TTLS module implements the EAP-TTLS protocol, 
303.
		#  which can be described as EAP inside of Diameter, 
304.
		#  inside of TLS, inside of EAP, inside of RADIUS... 
305.
306.
		#  Surprisingly, it works quite well. 
307.
308.
		#  The TTLS module needs the TLS module to be installed 
309.
		#  and configured, in order to use the TLS tunnel 
310.
		#  inside of the EAP packet.  You will still need to 
311.
		#  configure the TLS module, even if you do not want 
312.
		#  to deploy EAP-TLS in your network.  Users will not 
313.
		#  be able to request EAP-TLS, as it requires them to 
314.
		#  have a client certificate.  EAP-TTLS does not 
315.
		#  require a client certificate. 
316.
317.
		#  You can make TTLS require a client cert by setting 
318.
319.
		#	EAP-TLS-Require-Client-Cert = Yes 
320.
321.
		#  in the control items for a request. 
322.
323.
		ttls { 
324.
			#  The tunneled EAP session needs a default 
325.
			#  EAP type which is separate from the one for 
326.
			#  the non-tunneled EAP module.  Inside of the 
327.
			#  TTLS tunnel, we recommend using EAP-MD5. 
328.
			#  If the request does not contain an EAP 
329.
			#  conversation, then this configuration entry 
330.
			#  is ignored. 
331.
			default_eap_type = md5 
332.
 
333.
			#  The tunneled authentication request does 
334.
			#  not usually contain useful attributes 
335.
			#  like 'Calling-Station-Id', etc.  These 
336.
			#  attributes are outside of the tunnel, 
337.
			#  and normally unavailable to the tunneled 
338.
			#  authentication request. 
339.
340.
			#  By setting this configuration entry to 
341.
			#  'yes', any attribute which NOT in the 
342.
			#  tunneled authentication request, but 
343.
			#  which IS available outside of the tunnel, 
344.
			#  is copied to the tunneled request. 
345.
346.
			# allowed values: {no, yes} 
347.
			copy_request_to_tunnel = no 
348.
 
349.
			#  The reply attributes sent to the NAS are 
350.
			#  usually based on the name of the user 
351.
			#  'outside' of the tunnel (usually 
352.
			#  'anonymous').  If you want to send the 
353.
			#  reply attributes based on the user name 
354.
			#  inside of the tunnel, then set this 
355.
			#  configuration entry to 'yes', and the reply 
356.
			#  to the NAS will be taken from the reply to 
357.
			#  the tunneled request. 
358.
359.
			# allowed values: {no, yes} 
360.
			use_tunneled_reply = no 
361.
 
362.
363.
			#  The inner tunneled request can be sent 
364.
			#  through a virtual server constructed 
365.
			#  specifically for this purpose. 
366.
367.
			#  If this entry is commented out, the inner 
368.
			#  tunneled request will be sent through 
369.
			#  the virtual server that processed the 
370.
			#  outer requests. 
371.
372.
			virtual_server = "inner-tunnel" 
373.
374.
 
375.
		################################################## 
376.
377.
		#  !!!!! WARNINGS for Windows compatibility  !!!!! 
378.
379.
		################################################## 
380.
381.
		#  If you see the server send an Access-Challenge, 
382.
		#  and the client never sends another Access-Request, 
383.
		#  then 
384.
385.
		#		STOP! 
386.
387.
		#  The server certificate has to have special OID's 
388.
		#  in it, or else the Microsoft clients will silently 
389.
		#  fail.  See the "scripts/xpextensions" file for 
390.
		#  details, and the following page: 
391.
392.
		#	http://support.microsoft.com/kb/814394/en-us 
393.
394.
		#  For additional Windows XP SP2 issues, see: 
395.
396.
		#	http://support.microsoft.com/kb/885453/en-us 
397.
398.
		#  Note that we do not necessarily agree with their 
399.
		#  explanation... but the fix does appear to work. 
400.
401.
		################################################## 
402.
 
403.
404.
		#  The tunneled EAP session needs a default EAP type 
405.
		#  which is separate from the one for the non-tunneled 
406.
		#  EAP module.  Inside of the TLS/PEAP tunnel, we 
407.
		#  recommend using EAP-MS-CHAPv2. 
408.
409.
		#  The PEAP module needs the TLS module to be installed 
410.
		#  and configured, in order to use the TLS tunnel 
411.
		#  inside of the EAP packet.  You will still need to 
412.
		#  configure the TLS module, even if you do not want 
413.
		#  to deploy EAP-TLS in your network.  Users will not 
414.
		#  be able to request EAP-TLS, as it requires them to 
415.
		#  have a client certificate.  EAP-PEAP does not 
416.
		#  require a client certificate. 
417.
418.
419.
		#  You can make PEAP require a client cert by setting 
420.
421.
		#	EAP-TLS-Require-Client-Cert = Yes 
422.
423.
		#  in the control items for a request. 
424.
425.
		peap { 
426.
			#  The tunneled EAP session needs a default 
427.
			#  EAP type which is separate from the one for 
428.
			#  the non-tunneled EAP module.  Inside of the 
429.
			#  PEAP tunnel, we recommend using MS-CHAPv2, 
430.
			#  as that is the default type supported by 
431.
			#  Windows clients. 
432.
			default_eap_type = mschapv2 
433.
 
434.
			#  the PEAP module also has these configuration 
435.
			#  items, which are the same as for TTLS. 
436.
			copy_request_to_tunnel = no 
437.
			use_tunneled_reply = no 
438.
 
439.
			#  When the tunneled session is proxied, the 
440.
			#  home server may not understand EAP-MSCHAP-V2. 
441.
			#  Set this entry to "no" to proxy the tunneled 
442.
			#  EAP-MSCHAP-V2 as normal MSCHAPv2. 
443.
		#	proxy_tunneled_request_as_eap = yes 
444.
 
445.
446.
			#  The inner tunneled request can be sent 
447.
			#  through a virtual server constructed 
448.
			#  specifically for this purpose. 
449.
450.
			#  If this entry is commented out, the inner 
451.
			#  tunneled request will be sent through 
452.
			#  the virtual server that processed the 
453.
			#  outer requests. 
454.
455.
			virtual_server = "inner-tunnel" 
456.
457.
 
458.
459.
		#  This takes no configuration. 
460.
461.
		#  Note that it is the EAP MS-CHAPv2 sub-module, not 
462.
		#  the main 'mschap' module. 
463.
464.
		#  Note also that in order for this sub-module to work, 
465.
		#  the main 'mschap' module MUST ALSO be configured. 
466.
467.
		#  This module is the *Microsoft* implementation of MS-CHAPv2 
468.
		#  in EAP.  There is another (incompatible) implementation 
469.
		#  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not 
470.
		#  currently support. 
471.
472.
		mschapv2 { 
473.
474.
	}
Lg
Philipp
Mitglied: pzenz16
16.10.2009 um 07:23 Uhr
Danke werd ich mir mal anschaun.
Sollte ja nicht so schwer sei das auf ubuntu zu übertragen =)

Lg

EDIT: Danke hat Funktioniert!

Vielen Dank
Bitte warten ..
Neuester Wissensbeitrag
Windows 10

Powershell 5 BSOD

(8)

Tipp von agowa338 zum Thema Windows 10 ...

Ähnliche Inhalte
DSL, VDSL
Problem mit variernder Internetgeschwindigkeit (12)

Frage von schaurian zum Thema DSL, VDSL ...

Windows Netzwerk
gelöst Problem mit PSexec64 von Sysinternals (8)

Frage von MaxMoritz6 zum Thema Windows Netzwerk ...

Windows Server
gelöst Problem nach DC-Installation unter Server 2012 R2 (9)

Frage von manuel1985 zum Thema Windows Server ...

Heiß diskutierte Inhalte
Microsoft
Ordner mit LW-Buchstaben versehen und benennen (20)

Frage von Xaero1982 zum Thema Microsoft ...

Outlook & Mail
gelöst Outlook 2010 findet ost datei nicht (19)

Frage von Floh21 zum Thema Outlook & Mail ...

Netzwerkmanagement
gelöst Anregungen, kleiner Betrieb, IT-Umgebung (18)

Frage von Unwichtig zum Thema Netzwerkmanagement ...

Festplatten, SSD, Raid
M.2 SSD wird nicht erkannt (14)

Frage von uridium69 zum Thema Festplatten, SSD, Raid ...