Setting up FreeRADIUS and eDirectory for 802.1X Authentication

This document describes the configuration alterations neccesary to enable FreeRADIUS to handle encrypted authentication requests, such as 802.1x (EAP), and MS-CHAP-V2 protocols.

*** NOTE - This document assumes that FreeRADIUS has already been configured to authenticate against LDAP. If this is not the case, please consultTID 3003857on the steps to accomplish this task. ***

1. Ensure that Universal Password is installed - this can be identified by checking the schema in ConsoleOne (Schema Manager -> Attributes) or DSBROWSE (Schema Browse -> Attribute Definitions) for the existence of nspmPassword and nspmPasswordKey attributes, or by the existence of the "Password Policies" in the "Passwords" role for iManager
   
2. Using iManager, open the role for "Passwords"
   
3. Select the password policy used by the RADIUS users
   
4. Click "Edit"
5. On the Password Policy web page, there will be a drop down with"Summary" listed - change this to "ConfigurationOptions"
6. Under "Universal Password Retrieval", place a check mark in"Allow admin to retrieve passwords"
7. Click "Apply"
8. On the FreeRADIUS server, edit the /etc/raddb/clients.conf file, and add the 802.1X switch as a client
9. Create the necessary dictionary files the switch/access point will require in the /etc/raddb/dictionary file
10. Open the /etc/raddb/radiusd.conf file
11. Locate the LDAP configuration (just search for the "ldap {" section)
12. Set the server to an appropriate LDAP server for eDirectory (usually a master Directory Services server)
13. Set the identity to an administrative account (e.g. cn=admin,o=novell) - this is a requirement for retrieval of the Universal Password
14. Set the password for the above specified account
15. Set the Base DN to the container from which FreeRADIUS will start looking for users
16. Comment out the "start_tls = yes" and add a "tls_mode = yes"
17. Add a "port = 636" setting. (This and the previous options are designed to force the entire connection over SSL/TLS, another requirement for retrieving the nspmPassword* attributes)
18. Set the "password_attribute" option to "nspmPassword"
19. Set the "edir_account_policy_check" option to "yes"
20. Locate the "authorize {" section in the same file
21. Uncomment the "ldap" option in there
22. Locate the "authenticate {" section
23. Uncomment the "Auth-Type LDAP" section (3 lines)
24. Open the /etc/raddb/users file
25. Add any VLAN/Tunnelling/Default attributes you wish returned to the radius client (configured in step 9)
26. Restart radiusd (/etc/init.d/radiusd stop && /etc/init.d/radiusd start)
27. Test the authentication

In order to handle 802.1x authentication, FreeRADIUSmustbe able to obtain access to the plain-text password. This can only be done under the following circumstances :

• The "identity" must be an admin user account.
• The flag for allowing admin user accounts to retrieve the universal password must be set (in the password policy).
• The connectionMUSTstart on port 636 with SSL encrypted LDAP (also referred to as "ldaps"). Starting on the clear-text port and switching to TLS mode doesnotsatisfy eDirectories requiremends on obtaining the universal password.
  

If the above criteria is met, and authentication still fails during testing, examine the log files to determine why. These can be obtained using the documentTID 7014552 Debuggin Free Radius with radtest, which discusses the use of some debugging techniques. Additionally, it may be wise to use the Lightweight Directory Access Protocol debugging tools provided with eDirectory, such as DSTRACE, in the debugging process.

Wed Feb 12 13:55:50 MST 2014 - Rance Burker updated Link 7014552