Ray: Experimental

Synology DS207+ usage series 21 - Install FreeRadius Server and integrate with OpenLDAP Server

Setup FreeRadius on DS207+

The optware freeradius package has quite a few packaging bugs. Be sure to follow every single step here, in order.

  1. Telnet/SSH to the DS as root
  2. Install freeradius and make

    # ipkg install freeradius
    # ipkg install make

  3. A line is missing from the config file; add it back
    # vi /opt/etc/raddb/radiusd.conf
    
    Add the following line to radiusd.conf:
    
    log_destination = files
    
  4. The 'bootstrap' script generates the default certificates for the radius server. For some reason the script cannot find the make command, so edit the bootstrap file and give it the full path of make:


    # vi /opt/etc/raddb/certs/bootstrap

    /opt/bin/make ca server dh random

  5. The Makefile has the same problem: it cannot locate the openssl command. The openssl provided by optware (/opt/bin/openssl) works fine.

    Update Nov 12 2011 WARNING: NEVER use the openssl provided by Synology (/usr/syno/bin/openssl); the installation will fail with it.

    So edit the Makefile and change the path of every openssl command:


    # vi /opt/etc/raddb/certs/Makefile

    /opt/bin/openssl ......

    ** Make sure you edit every openssl command in the Makefile, not just the first one!

  6. Update Nov 24 2011

    There is also a bug when generating the CA certificate: the cert that gets generated is valid for one month only, whatever value you put in ca.cnf (openssl req -x509 falls back to its 30-day default when no -days value reaches it). To fix this, edit /opt/etc/raddb/certs/Makefile again.

    Add the following line to the top of the file

    CA_DEF_DAYS = `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'`

    Then look for the rule beginning with ca.key ca.pem: and change its openssl command so that it passes -days $(CA_DEF_DAYS), as shown here:

    
    ca.key ca.pem:
            /opt/bin/openssl req -new -x509 -keyout ca.key -out ca.pem -days $(CA_DEF_DAYS) -config ./ca.cnf
    
    Two things to check after editing: the command line under ca.key ca.pem: must be indented with a tab, not spaces, or make aborts with 'missing separator'; and ca.cnf must actually contain a default_days line, otherwise CA_DEF_DAYS expands to nothing and openssl fails on '-days -config ./ca.cnf'.
    
  7. Edit the certificate authority information


    # vi /opt/etc/raddb/certs/ca.cnf

    [ CA_default ]
    default_days = 365

    [ req ]
    input_password = my input password
    output_password = my output password

    [certificate_authority]
    .
    .
    .

    By default the CA certificate is valid for 365 days. If you don't want to recreate all the certificates every year, raise default_days (the CA shown in step 17 was made with a ten-year value).

    In the [ req ] section, change input_password and output_password to strong passwords instead of something like helloworld. output_password is the passphrase that encrypts ca.key on disk, so it is what protects your CA if the certs directory ever leaks.

    Feel free to modify the [certificate_authority] section with information about your own radius CA.

  8. Edit the server information


    # vi /opt/etc/raddb/certs/server.cnf

    [ CA_default ]
    default_days = 365

    [ req ]
    input_password = my input password
    output_password = my output password

    [server]
    .
    .
    .

    By default the server certificate is valid for 365 days. If you don't want to recreate all the certificates every year, raise default_days.

    In the [ req ] section, change input_password and output_password to strong passwords instead of something like helloworld. Note the output_password you choose here: step 11 puts it into eap.conf so that radiusd can open the encrypted key inside server.pem.

    Feel free to modify the [server] section with information about your own radius server.

    * The countryName, organizationName and stateOrProvinceName fields must be the same as the CA's; the default signing policy in ca.cnf requires those three to match.

  9. Edit the client information
    
    # vi /opt/etc/raddb/certs/client.cnf
    
    [ CA_default ]
    default_days = 365
    
    [ req ]
    input_password = my input password
    output_password = my output password
    
    [client]
    .
    .
    .
    

    By default the client certificate is valid for 365 days. If you don't want to recreate all the certificates every year, raise default_days.

    In the [ req ] section, change input_password and output_password to strong passwords instead of something like helloworld.

    Feel free to modify the [client] section with information about your radius client.

    * The countryName, organizationName and stateOrProvinceName fields must be the same as the CA's; the default signing policy in ca.cnf requires those three to match.

  10. Now back up the certs directory so that you can repeat the certificate steps from scratch if something goes wrong.

    # cd /opt/etc/raddb
    # cp -r certs certs.bak

  11. Edit eap.conf and specify the private key password
    
    # vi /opt/etc/raddb/eap.conf
    
    tls {
         #
         #  These are used to simplify later configurations.
         #
         certdir = ${confdir}/certs
         cadir = ${confdir}/certs
    
         private_key_password = [server output_password]
         private_key_file = ${certdir}/server.pem
         .
         .
         .

    Enter the server's output_password (from server.cnf in step 8) as private_key_password above, then save the file. That password now sits in eap.conf in cleartext, so keep the file readable only by root and the user radiusd runs as.

  12. Next we need a test account 'dummy' with password 'password'. Edit the 'users' file (and remove this entry again once testing is done; it is a cleartext password sitting in a file):


    # vi /opt/etc/raddb/users

    dummy Cleartext-Password := "password"

  13. Run the radius server in debug mode, as root, so that it generates the default certificates (on first start radiusd runs the certs/bootstrap script, which needs to write into the certs directory).

    # radiusd -X

  14. If the configuration is correct, it will print 'Ready to process requests.'.
  15. Open another terminal (telnet or ssh) and test the server with the dummy account

    # radtest dummy password localhost 0 testing123

    testing123 is the shared secret the stock clients.conf gives the localhost client. It is fine for this local test, but change it (and set a real secret for every client you add) before any access point or NAS talks to this server: the secret is all that protects User-Password in the Access-Request.

  16. If it succeeds, it will return a message like the one below
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=152, length=20
  17. Also verify the expiry date of the CA cert:


    # cd /opt/etc/raddb/certs
    # openssl x509 -in ca.pem -noout -dates
    notBefore=Nov 24 10:27:49 2011 GMT
    notAfter=Nov 21 10:27:49 2021 GMT

Now I have FreeRadius running on my DS!
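A small post-install check script I would keep next to the steps above (an added example, not code from the original post or from the FreeRADIUS package). It reproduces the CA_DEF_DAYS extraction from step 6 so you can see the value that actually reaches `openssl req -days`, flags Makefile recipe lines indented with spaces instead of a tab (the cause of the 'missing separator' errors reported in the comments) and any `openssl` call in the Makefile that still lacks the /opt/bin prefix from step 5, verifies that server.pem chains to ca.pem, and strips the dummy account from the users file once the radtest in step 15 has passed. The paths are the optware ones used in the post; the function names and the fixture that `make_fixture` builds are my own, constructed so the checks can be tried offline.

```sh
#!/bin/sh
# Post-install checks for the certs directory built above. Added example, not
# part of the original post or of the FreeRADIUS package. It assumes the
# optware layout from the post (/opt/etc/raddb/certs holding Makefile, ca.cnf,
# ca.pem, server.pem) and the users file in /opt/etc/raddb. The text checks
# run on any POSIX sh; the openssl checks only run where /opt/bin/openssl (or
# an openssl on the PATH) exists.

# Same extraction the CA_DEF_DAYS line from step 6 performs, so you can see
# the value the Makefile will actually pass to "openssl req ... -days".
# An empty result means the rule will run "-days -config ./ca.cnf" and fail.
raddb_default_days() {
    grep default_days "$1" | sed 's/.*=//;s/^ *//' | head -n 1
}

# Count recipe lines indented with spaces instead of a tab. make needs a tab
# there; spaces give "Makefile:NN: *** missing separator. Stop.", which is
# what hand-editing the openssl lines in steps 5 and 6 tends to produce.
count_space_recipes() {
    awk '
        /^[^ \t#]/ { in_recipe = ($0 ~ /^[^=]*:([^=]|$)/); next }  # target or variable line
        /^$/       { next }
        in_recipe && /^ +[^ ]/ { n++ }                          # space-indented recipe
        END { print n + 0 }
    ' "$1"
}

# Count recipe lines that still call a bare "openssl" (step 5 wants every one
# of them pointed at /opt/bin/openssl).
count_bare_openssl() {
    grep -c '^[[:space:]]*openssl[[:space:]]' "$1" || true
}

# Step 12 adds a cleartext test account; remove it once radtest succeeds so a
# known password does not stay in the users file.
remove_test_user() {
    user=${2:-dummy}
    grep -v "^${user}[[:space:]]" "$1" > "$1.tmp" || true
    mv "$1.tmp" "$1"
}

# Where openssl is present: show the CA validity window (step 17) and confirm
# that server.pem actually chains to ca.pem, which the steps never check.
check_certs() {
    certdir=${1:-/opt/etc/raddb/certs}
    ssl=/opt/bin/openssl
    command -v "$ssl" >/dev/null 2>&1 || ssl=openssl
    command -v "$ssl" >/dev/null 2>&1 || { echo "openssl not found; skipping"; return 0; }
    "$ssl" x509 -in "$certdir/ca.pem" -noout -dates
    "$ssl" verify -CAfile "$certdir/ca.pem" "$certdir/server.pem"
}

# Constructed fixture for trying the checks offline (not a real DS): ca.cnf
# with a ten-year CA, a Makefile with one good recipe, one space-indented
# recipe and one bare openssl call, and a users file with the test account.
make_fixture() {
    fx=$(mktemp -d)
    printf '[ CA_default ]\ndefault_days = 3650\n' > "$fx/ca.cnf"
    {
        printf "CA_DEF_DAYS = \`grep default_days ca.cnf | sed 's/.*=//;s/^ *//'\`\n"
        printf 'ca.key ca.pem:\n'
        printf '\t/opt/bin/openssl req -new -x509 -keyout ca.key -out ca.pem -days $(CA_DEF_DAYS) -config ./ca.cnf\n'
        printf 'server.csr server.key:\n'
        printf '    /opt/bin/openssl req -new -out server.csr -keyout server.key -config ./server.cnf\n'
        printf 'dh:\n'
        printf '\topenssl dhparam -out dh 2048\n'
    } > "$fx/Makefile"
    printf '# local test accounts\ndummy Cleartext-Password := "password"\n' > "$fx/users"
    echo "$fx"
}

# Usage: sh raddb-check.sh /opt/etc/raddb/certs
raddb_check() {
    certdir=$1
    echo "default_days in ca.cnf:          $(raddb_default_days "$certdir/ca.cnf")"
    echo "space-indented Makefile recipes: $(count_space_recipes "$certdir/Makefile")"
    echo "bare openssl calls in Makefile:  $(count_bare_openssl "$certdir/Makefile")"
    check_certs "$certdir"
}

if [ -d "${1:-}" ]; then
    raddb_check "$1"
fi
```

Run it against the real directory after step 17; both counters should be 0 and `openssl verify` should answer `server.pem: OK`. Anything else means the Makefile edits from steps 5 and 6 are incomplete, and the next `radiusd -X` will fail inside the eap module exactly as the comments describe.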


14 comments to Synology usage series 21 – Install FreeRadius Server and integrate with OpenLDAP Server

  • paul

    Hi, I'm getting Makefile:46: *** missing separator. Stop. when I run radiusd -X.
    Any ideas?
    Thanks in advance.

  • mazpri

    I did as you described and the make process threw a warning about a missing openssl.cnf file and furthermore some errors. How can I "remake" the initial configuration in your step no. 7 in case something failed? Is there anything special on Synology DSM3.0 compared to "standard" Linux as described on freeradius.org?

    • ray

      Please read the README in the certs directory. You can simply run the command below and do it all over again

      rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*

  • Mads

    Hi Ray.

    Awesome site :)

    I get this when I run radiusd -X:

    Makefile:69: *** missing separator. Stop.
    Exec-Program output:
    Exec-Program: returned: 2
    rlm_eap: Failed to initialize type tls
    /opt/etc/raddb/eap.conf[17]: Instantiation failed for module “eap”
    /opt/etc/raddb/radiusd.conf[1719]: Failed to find module “eap”.
    /opt/etc/raddb/radiusd.conf[1666]: Errors parsing authenticate section.
    }
    }
    Errors initializing modules

    Why is this? I have double checked everything and I can't seem to find anything wrong.

    Please help :)

    BTW My DSM ver. is 3.2-1955

    Best regards Mads

    • ray

      radius failed to generate certificates for the eap module. Take a look at /opt/etc/raddb/certs/Makefile line 69.

      In case you don't need eap, or you don't need certificate support at all, try commenting out all eap entries and the $INCLUDE ${confdir}/eap.conf line in /opt/etc/raddb/radiusd.conf.

  • Mads

    Hi Ray.

    Thanks for the fast response :)

    I found some errors in the Makefile that I had made. I managed to launch RADIUS but I get errors in radiusd.conf which say:

    sthlmdsx01> radiusd -X
    FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Nov 2 2010 at 00:15:35
    Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
    PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the
    GNU General Public License v2.
    Starting – reading configuration files …
    including configuration file /opt/etc/raddb/radiusd.conf
    including configuration file /opt/etc/raddb/proxy.conf
    including configuration file /opt/etc/raddb/clients.conf
    including configuration file /opt/etc/raddb/snmp.conf
    including configuration file /opt/etc/raddb/eap.conf
    including configuration file /opt/etc/raddb/sql.conf
    including configuration file /opt/etc/raddb/sql/mysql/dialup.conf
    /opt/etc/raddb/radiusd.conf[1721]: Too many closing braces
    Errors reading /opt/etc/raddb/radiusd.conf

    I looked in the file at line 1721 and found that there were missing braces!!!? So I added the needed one, one brace, which is the one all the way at the end!

    FYI: The file look like this:

    # The common reasons to set the Auth-Type attribute by hand
    # is to either forcibly reject the user, or forcibly accept him.
    #
    authenticate {

    # PAP authentication, when a back-end database listed
    # in the ‘authorize’ section supplies a password. The
    # password can be clear-text, or encrypted.
    Auth-Type PAP {
    pap
    }

    #
    # Most people want CHAP authentication
    # A back-end database listed in the ‘authorize’ section
    # MUST supply a CLEAR TEXT password. Encrypted passwords
    # won’t work.
    Auth-Type CHAP {
    chap
    }

    #
    # MSCHAP authentication.
    Auth-Type MS-CHAP {
    mschap
    }

    #
    # If you have a Cisco SIP server authenticating against
    # FreeRADIUS, uncomment the following line, and the ‘digest’
    # line in the ‘authorize’ section.
    # digest

    #
    # Pluggable Authentication Modules.
    # pam

    #
    # See ‘man getpwent’ for information on how the ‘unix’
    # module checks the users password. Note that packets
    # containing CHAP-Password attributes CANNOT be authenticated
    # against /etc/passwd! See the FAQ for details.
    #
    unix

    # Uncomment it if you want to use ldap for authentication
    #
    # Note that this means “check plain-text password against
    # the ldap database”, which means that EAP won’t work,
    # as it does not supply a plain-text password.
    #Auth-Type LDAP {ldap}

    #
    #Allow eap authentication.
    Auth-Type eap {
    eap
    }
    }

    #
    # Pre-accounting. Decide which accounting type to use
    I have looked, and when I put in the number of braces that is needed it comes up with the error that it can't find the eap module … I just don't get it!

    This is what I get when I add the right number of braces to the file.

    make: *** [ca.pem] Error 1
    Exec-Program output: /opt/bin/openssl req -new -x509 -keyout ca.key -out ca.pem -days -config ./ca.cnf
    Exec-Program-Wait: plaintext: /opt/bin/openssl req -new -x509 -keyout ca.key -out ca.pem -days -config ./ca.cnf
    Exec-Program: returned: 2
    rlm_eap: Failed to initialize type tls
    /opt/etc/raddb/eap.conf[17]: Instantiation failed for module “eap”
    /opt/etc/raddb/radiusd.conf[1719]: Failed to find module “eap”.
    /opt/etc/raddb/radiusd.conf[1719]: Failed to parse “eap” entry.
    }
    }
    Errors initializing modules

    Any Ideas?

    • ray

      OK, I think I've guessed what your issue is now.

      From your first line:

      sthlmdsx01> radiusd -X

      It seems that you are running radiusd as sthlmdsx01. Please look at step 1 here and run radiusd as root.

      Please follow every single step; unless a step is marked optional, every step I mentioned is necessary to make things happen.

  • Mads Becker Joergensen

    Hi Ray.

    Thanks for the response. I SSH to the host as root, I know it is a bad habit but I do. I would be thrilled if you would look at my files. If I zip them, how can I send them to you? Via FTP or mail?
    Best regards,

    And thx for the help again :)

    • ray

      It is required to run radiusd as root the first time so that radius has enough permission to generate the certificates for the eap/tls module. Once setup is complete it is not a must to run radiusd as root.

      If you still encounter any issues, please zip the config/log somewhere and let me know the URL, either here or using the contact form above.

      Good luck!

  • Mads

    Hi Ray.

    I would definitely want to use EAP, so if you don't mind looking over my conf it would be awesome.
    I have zipped eap, radiusd and the Makefile; does that do it for you?
    Which log do you want and from which dir?

    Thanks Ray.

    Best regards

    Mads

  • Thomas

    Hey Ray,

    first of all, thanks for the great work!
    I followed your guide step by step on my 107+, but when I issue radiusd -X, I get the following errors:

    rlm_eap: SSL error error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
    rlm_eap_tls: Error reading private key file /opt/etc/raddb/certs/server.pem
    rlm_eap: Failed to initialize type tls
    /opt/etc/raddb/eap.conf[17]: Instantiation failed for module “eap”
    /opt/etc/raddb/radiusd.conf[1721]: Failed to find module “eap”.
    /opt/etc/raddb/radiusd.conf[1668]: Errors parsing authenticate section.
    }
    }
    Errors initializing modules

    Could you please help me out with this? It would be really nice to have a Radius running.

    Thanks in advance,

    Thomas
