# FreeRADIUS

## r3pek

Anyone installed FreeRADIUS? I emerged it but I can't start it because I get this in the logs:

```
Error: radiusd.conf[541] Failed to link to module 'rlm_unix': file not found
```

the libdir in the config file is ok. anyone with this problem?

----------

## hifi

 *r3pek wrote:*   

> the libdir in the config file is ok. anyone with this problem?

Does "ok" mean that the correct dir is set, or does it mean that the rlm_unix.soXX exists?

----------

## r3pek

It means that the correct path is set. My rlm_unix.* files are in /usr/lib and that's my libdir value.

----------

## jmcboots

I get the same thing!

```
radiusd.conf[541] Failed to link to module 'rlm_unix': file not found
```

```
prefix = /usr
exec_prefix = ${prefix}
libdir = ${exec_prefix}/lib
```

```
ls -l /usr/lib/rlm_unix*
lrwxrwxrwx    1 root     root           11 Nov  7 10:00 /usr/lib/rlm_unix-0.9.0.la -> rlm_unix.la
-rwxr-xr-x    1 root     root        67271 Nov  7 10:00 /usr/lib/rlm_unix-0.9.0.so
-rw-r--r--    1 root     root        78578 Nov  7 10:00 /usr/lib/rlm_unix.a
-rwxr-xr-x    1 root     root          776 Nov  7 10:00 /usr/lib/rlm_unix.la
lrwxrwxrwx    1 root     root           17 Nov  7 10:00 /usr/lib/rlm_unix.so -> rlm_unix-0.9.0.so
```

help!

----------

## dma

Same here.  I'm thinking of just writing my own radius server using Net::RADIUS::Packet from CPAN.

I was going to use it for my WAP54G access point, but I can't get any radius traffic from the access point anyway... Not sure why.

----------

## sadistikal

I'd like to see a response from someone who has gotten around this problem. We have been migrating some of our production services over to gentoo, I'm about to implement a totally re-designed DNS system with 6 new servers running the latest gentoo, and we started to test a radius replacement on gentoo with freeradius and ran across the same problem. 

I'm not personally working on the project but a fellow sysadmin is and he is stumped. We moved over to sparc/solaris for testing until we can figure this one out but I'd much rather implement with gentoo on x86, I haven't tested other linux distros yet. 

Somebody...anybody? Got this working?

TIA

Gary

----------

## FlyingPenguin

I'm getting the same error. I had to disable unix.

The reason why I need freeradius is because of 802.1X EAP-TLS for my Access-Point.

But I don't get it running. I'm not sure if it's the AP or freeradius.

----------

## sadistikal

I have tested free radius on:

Solaris

Slackware Linux

Red Hat Linux

Gentoo Linux

and so far it works on all of them except gentoo. I looked at google and google groups...I looked at the free radius docs and have not found an answer to this problem. 

I've done the ebuild and compiled from source with the same results.

Sad

----------

## jcostom

I'm using freeradius here.  I just stopped using rlm_unix in my radiusd.conf.  I don't really see the point of using it, especially when there's PAM support built-in.

I just use PAM instead and all is well.

----------

## Grathol

I spent the majority of today working on getting FreeRadius to work with my Gentoo machine...  Here's the gist of what I did; it uses a text file with crypted passwords (no fancy database stuff here, which means you must restart the server every time you add a user):

Configuring the FreeRADIUS-0.9.3 Server for Gentoo Linux:

---------------------------------------------------

```
# create the group first so the service account can be placed in it
groupadd radiusd
useradd -g radiusd -s /bin/false radiusd
```

Edit /etc/passwd and point the login shell for radiusd to /bin/false

```
emerge freeradius
```

Edit /etc/raddb/radiusd.conf and do the following:

Comment the 'unix' module and all references to the 'unix' module to correct the rlm_unix not found error reported in this thread.

Next, find the following:

```
#user=nobody
#group=nobody
```

And change them to:

```
user=radiusd
group=radiusd
```

The following files are unused and deprecated, and will only give you warnings in your radiusd startup logs, so we delete them (as long as you aren't upgrading and have important information in them of course)

```
rm /etc/raddb/clients
rm /etc/raddb/naslist
rm /etc/raddb/realms
```

Edit /etc/raddb/clients.conf and do the following:

Comment the localhost client (unless you need it)

Add new clients for your network, example follows:

```
client 10.0.0.0/8 {
   secret = secret_key          # shared secret, must match the NAS
   shortname = logging-name     # label used for this client in the logs
}
```

The secret_key is never transmitted over the network but must match on both client and server.

The logging-name is what is seen in the logs (example.com, for instance)

Edit /etc/raddb/users and do the following:

Comment all DEFAULT logins that you do not approve of/understand

Add an "$INCLUDE myuserfile" to the end (sans quotes)

Create "myuserfile" and format it in the following manner:

```
username     Auth-Type := System, Crypt-Password == "md5crypt_of_password"
```

The auth-type can be System or Local, I have not found anything that indicates it makes a difference in the source code (the system auth does not even seem to be used, only #DEFINE'd)

Example entry (for user name of "bad"):

```
bad   Auth-Type := System, Crypt-Password == "$1$37l.BBR2$bcYRkPw.bkkTAz3gkjsZZ1"
```

(In case you were wondering, "$1$37l.BBR2$bcYRkPw.bkkTAz3gkjsZZ1" is the md5 crypt of "password")

It is fairly easy to use the source tarball's scripts/cryptpasswd utility to generate these md5 hashes (however, the Gentoo ebuild does not install this script - a quick code listing of the md5 portion of the script is at the end of this post).

Before starting the server (using /etc/init.d/radiusd start) make sure that /var/log/radius/ exists, /var/log/radius/radacct/ exists, and that the files in both are owned by 'radiusd' (except for .keep)

Here's the md5 portion of the cryptpasswd script written by the FreeRadius group (I take no credit for writing this, all I did was rip out the parts pertaining to md5 crypting):

```
#!/usr/bin/perl
# md5crypt portion of FreeRADIUS's scripts/cryptpasswd: build a random
# 8-character salt in "$1$<salt>$" form and hand it to crypt(3).
use strict;
use warnings;

die "usage: $0 <password>\n" unless @ARGV == 1;

my @saltc = ( '.', '/', '0'..'9', 'A'..'Z', 'a'..'z' );   # the 64 salt characters

my $salt = '$1$';                  # "$1$" selects MD5-based crypt
for ( my $i = 0; $i < 8; $i++ ) {
    $salt .= $saltc[ rand 64 ];
}
$salt .= '$';

print crypt( $ARGV[0], $salt ), "\n";
```

Please let me know if this was helpful or if I should clarify anything.
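Added example, not code from Grathol's post or from the FreeRADIUS project: an offline Python model of the PAP exchange that the clients.conf and users entries above set up, showing both sides of the RFC 2865 Access-Request/Access-Accept conversation. It illustrates the claim that the secret never crosses the wire: the NAS hides the User-Password with MD5(secret || Request Authenticator), the server recovers it and checks it, and the NAS only trusts a reply whose Response Authenticator verifies under the same secret. The secret `secret_key` and the user `bad` / `password` come from the post; the plaintext user table is a constructed stand-in for the Crypt-Password comparison, and all function names are my own.

```python
import hashlib
import hmac
import secrets
import struct

# Packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR the zero-padded password with a keystream of
    MD5(secret || previous block). Only the XORed blocks go on the wire."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of section 5.2, the inverse of hide_password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attribute = Type(1) Length(1) Value; Length includes the 2 header bytes."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):        # reject lengths that would run past the packet
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def parse_packet(pkt):
    """Header = Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length > 4096:
        raise ValueError("Length field does not match packet")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def build_access_request(ident, secret, username, password):
    """NAS side: fresh random Request Authenticator plus the hidden password."""
    req_auth = secrets.token_bytes(16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def server_handle(request, secret, users):
    """Server side: recover and check the password, then reply with a Response
    Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    got, ok = dict(attrs), False
    if USER_NAME in got and USER_PASSWORD in got:
        expected = users.get(got[USER_NAME])
        shown = reveal_password(got[USER_PASSWORD], secret, req_auth)
        ok = expected is not None and hmac.compare_digest(expected, shown)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()   # no reply attributes


def verify_response(response, request, secret):
    """NAS side: return the reply code only if the Identifier matches and the
    Response Authenticator verifies under the shared secret; otherwise None."""
    code, ident, resp_auth, _ = parse_packet(response)
    _, req_ident, req_auth, _ = parse_packet(request)
    if ident != req_ident:
        return None
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, resp_auth) else None


if __name__ == "__main__":
    users = {b"bad": b"password"}                 # constructed stand-in for the users file
    req = build_access_request(7, b"secret_key", b"bad", b"password")
    print(verify_response(server_handle(req, b"secret_key", users), req, b"secret_key"))
```

The mismatched-secret case is the one worth noticing when a NAS "gets no answer" or is rejected: a server configured with a different `secret` decodes the password to garbage and sends an Access-Reject, and even a forged Access-Accept fails the Response Authenticator check on the client side, so nothing useful can be learned from the exchange without the secret.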

----------

## TheJackal

This post by myself is pretty much out of context but I'm new to RADIUS and as part of a final year University project, I'm researching methods of possibly combining it with some other system (PAM possibly?) to provide a basis for a Single Sign-On mechanism (Kerberos style).

I was just wondering if anyone could give me any tips or point me in the right direction!

----------

## Grathol

A quick google search turned up this:

http://www.freeradius.org/pam_radius_auth/

So it looks like they have code to combine it with PAM.  Enabling options such as "try_first_pass " and authenticating against a common server might help you get a single sign on method down.  Kerberos is unique in that it gives each authenticated user tickets, though - I don't believe freeradius does that.  Not sure about PAM though.

----------

## TheJackal

Thanks, I came across the RADIUS PAM as well when I researched the FreeRADIUS server but as far as I can ascertain, it would only provide a "reduced single sign-on" mechanism in the sense that you would have a centrally managed NAS which other services can then authenticate against using PAM. 

Each service would still require a standard challenge to authenticate itself thus asking the user for their username/password each time. I was kind of looking for a way around this and pretty much everything has crossed my mind, from using a PKI style system (public key instead of a password in the RADIUS database) to using X.509 certificates but this would require extensive modification of FreeRADIUS (or developing a PAM) and is pretty much pushing the envelope for a 10 week project!

I'm not too sure about combining RADIUS and PAM (for a pseudo SSO) myself as I'm new to it but is there any way of, say for instance, a service (let's take for example Apache) requesting authentication/authorisation from RADIUS without the need for a username/password challenge? In other words, first check to see if the user has already been authenticated and if not ask the user for his credentials. Sort of like a pseudo SSO....

----------

## Grathol

Most browsers already do that, if I'm not mistaken...  I know that when I go to various web services that require a logon/password if I've already authenticated, it won't ask me unless I close my browser and re-open it.

----------

## taskara

oh my goodness.. what a nightmare.. don't use the ebuild!

module errors everywhere.. so much to edit..

----------

## mam82

Hi

I'm trying to install freeradius with gentoo. I followed Grathol's instructions very carefully but there's still an error with the unix module : in the file /var/log/radius/startup.log, Cannot find an entry for module "unix" is written after mschap has been instantiated.

Please could you tell me what I can do ?

----------

## quaiky

I set it up like in Grathol's post but I get the following error:

```
root@troll raddb # /etc/init.d/radiusd start
 * Config not ok! (try /usr/sbin/check-radiusd-config )
```

If I execute check-radiusd-config I get the following error after it completes lots of checks successfully:

```
auth bind: Address already in use
  There appears to be another RADIUS server already running on the authentication port UDP 32768.
```

Where does this come from? I left port set to 0 to get it running on the standard port.

@mam82 did you uncomment the lines where "unix" is included in authentication and accounting at the end of the file?

----------

## flickerfly

Excellent directions by Grathol. Thank you much. They allowed me to get in a few minutes where I would have been a few days figuring out. Unfortunately, I'm not quite off the ground yet. I'm also getting the error:

```
auth bind: Address already in use
  There appears to be another RADIUS server already running on the authentication port UDP 32768.
```

I have port = 0 set so it should be pulling the port from /etc/services which says:

```
datametrics     1645/tcp        old-radius      # datametrics / old radius entry
datametrics     1645/udp        old-radius      # datametrics / old radius entry
radius          1812/tcp                        # Radius
radius          1812/udp                        # Radius
```

So back to the main question, where is it getting port 32768 from? That number isn't in the /etc/services file at all. I searched radiusd.conf and all its included files and didn't find any other port designations that might be over-riding the main one.

Also, if I set a specific port, port = 1812 for example, it still tries to use 32768.

----------

## flickerfly

I'm back on this again, apparently if I start it with the command 'radiusd -p1812' it works nicely, but if I start it using the scripts provided I run into the error above. It must be something small in the startup script. I also tried adding -p1812 to the RADIUS_OPTS by placing it appropriately in /etc/conf.d/radius, but that didn't make any difference at all.

If I run '/usr/sbin/check-radiusd-config' the same error shows up. I'm thinking that if I comment out the /etc/init.d/radius line in the start function that calls the checkconfig function it also won't start but puts the error message: 

```
Aug 17 15:03:55 penguin rc-scripts: Config not ok! (try /usr/sbin/check-radiusd-config )
```

 in my logs.

From what I can tell, it's got to be something in the start-stop-daemon that is starting it. Is there a way to tell exactly what command it is using to start radiusd?

----------

## flickerfly

Talk about really bizarre, If I change the login script start function to this it works nicely.

```
start() {
        # Comment out the following line to get faster startups
        #checkconfig || return 1
        ebegin "Starting radiusd"
        echo `start-stop-daemon --start --quiet --exec /usr/sbin/radiusd -- ${RADIUSD_OPTS}` #>/dev/null
        eend $?
}
```

I can't just comment out the 'checkconfig' portion. I have to also surround the start command with backticks and prepend the echo command.

I reported a start-stop-daemon bug: Bug 60703

----------

## neonknight

 *jcostom wrote:*   

> I just use PAM instead and all is well.

Could you please post your /etc/pam.d/radiusd? I'm getting stuck there...

edit:

never mind, found out how to configure pam, but it needs root privileges... 

https://forums.gentoo.org/viewtopic-p-3036056.html#3036056

----------

## ramsypl

Hi,

I would like to integrate my AAC module of Citrix to authenticate with a radius server. I would like to use the Free radius server for this purpose. I have installed the free radius server and the server also starts up fine without any error.

But when I test for packet sending, the request is denied. Can anyone help me to configure Free radius server to authenticate a user name and password that I am going to send to it from a client?

Is there any way to test if the radius is accepting the request sent to it by a normal command line test on the linux server itself?

Please do let me know on it with a detailed instruction of the configuration of the Radius server for accepting my Radius authentication request from a client machine.

----------

