
JIm
Resolved
0 votes
Hi,

Trying to get Radius working for our AP in house but getting this error:
Warning: [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
Dumb question but are the user accounts created under System/Accounts/Users valid for authentication with Radius for Login when using WPA2-Ent on the AP (Client)?
The AP does work fine with WPA2-Ent with DaloRADIUS, just testing this version.
Also I have 2 NICs set up on this Hyper-V VM Standalone ClearOS Community Edition 7.4-1 and the access on the AP is via the External interface's IP network. Can I change this somewhere to point to External (firewalled ports are opened as this is an internal network) or do I have to switch everything to the LAN NIC?
Also if I go to System / Account Manager / Account Manager there are no plugins or extensions where I would have thought the Radius users might be set up.
Any help would be appreciated.

Jim
Thursday, April 18 2019, 11:49 PM
Responses (4)
  • Accepted Answer

    Friday, April 19 2019, 02:18 PM - #Permalink
    Resolved
    0 votes
    Also check out this thread. It was still relevant when I last tried Radius.
  • Accepted Answer

    Friday, April 19 2019, 02:05 PM - #Permalink
    Resolved
    0 votes
    I'm afraid my notes were hurriedly copied and pasted from notes sent to the devs to fix the package, so some of them may not be applicable and I don't have much time today. You probably only need steps 8-10 but I'd have to dig out my troubleshooting notes from somewhere.

    There should also be a thread on the forum from last year, but I can't find it for the moment, and I have some other notes somewhere, but I am not going to get to them today.
  • Accepted Answer

    JIm
    Friday, April 19 2019, 12:32 PM - #Permalink
    Resolved
    0 votes
    Hi Nick,

    Thank you for your information.
    I must ask, in or where do I find the sections you mention -
    1. remove from deploy/install the "Create random file for certs" section
  • Accepted Answer

    Friday, April 19 2019, 09:26 AM - #Permalink
    Resolved
    0 votes
    I am deleting your other post. New posters have their first couple of posts moderated so they don't appear immediately.

    From the way it has been implemented, all regular users are automatically RADIUS users.

    As far as I am concerned the Radius package is somewhat broken as it was intended to work but can be made to work much closer to the original Freeradius package. My notes read:

    1. remove from deploy/install the "Create random file for certs" section
    2. In the "Use ClearOS configlets" section remove the first section referring to clearos-eap.conf (but leave the two sections referring to clearos-clients.conf and clearos-users).
    3. remove the "Update mschap configlet" section so we use the upstream file and make an adjustment to it in 11.
    4. remove the "Create inner tunnel link" section (currently it is not used as it is called by clearos-eap.conf which is un-referenced)
    5. remove the "Enable LDAP" section so we use the upstream file (the upstream file has a line "-ldap" compared to this which has "ldap" but both work. The upstream file has more options, mainly related to sql where I guess they have developed the app further since we baselined our version of the file)
    6. remove the Create Default Certificates section
    7. there is no need for the /etc/raddb/clearos-certs folder or clearos-inner-tunnel or clearos-eap.conf files
    8. We need to create a domain entry in /etc/raddb/proxy.conf or in a separate file, say /etc/raddb/clearos-proxy.conf. In it put:
            realm CLEARSYSTEM {
            }
    9. This section in 8. needs to be maintained by ClearOS and the word "CLEARSYSTEM" should be set to the "workgroup" in /etc/samba/smb.conf. If you choose to put it in a separate file such as /etc/raddb/clearos-proxy.conf, which is probably easier to maintain programmatically, then you will need to add a line "$INCLUDE clearos-proxy.conf" in /etc/raddb/radiusd.conf. This could go anywhere at top level in the file, so either at the end of it or next to the "$INCLUDE proxy.conf" line. It can be maintained by either some sort of event or just done as a prestart.sh in the systemd unit file.
    10. We then need to change the upstream files on installation:
    11. In /etc/raddb/sites-available/default and /etc/raddb/sites-available/inner-tunnel uncomment the line "ntdomain"
        In /etc/raddb/mods-available/mschap, uncomment the ntlm_auth line and change "/path/to/ntlm_auth" to "/usr/bin/ntlm_auth"



    I don't know if this helps. The other thing to do is run radius in debug mode:
    radiusd -X
    and note the output. This can also be dumped to file.

    There is also a recent HowTo to get guest users to use a different VLAN with Radius.

    [edit]
    Note that my notes may be specifically with reference to domain joined devices but I'm not sure. I have not tried Radius for a while.
    [/edit]
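
The realm, $INCLUDE, ntdomain and ntlm_auth edits from the notes above, as an added shell example that is not part of the original post and is not ClearOS or FreeRADIUS project code. The function names `apply_radius_notes` and `make_sample_tree` are hypothetical, the sample files are constructed stand-ins for the upstream ones, and GNU `sed -i` is assumed; the demo runs only against a temporary directory.

```shell
#!/bin/bash
# Added example (not ClearOS or FreeRADIUS project code): applies the realm,
# $INCLUDE, ntdomain and ntlm_auth edits from the notes to a raddb tree.

apply_radius_notes() {   # usage: apply_radius_notes RADDB_DIR SMB_CONF
    local raddb="$1" smbconf="$2" wg f
    # The realm name is the Samba "workgroup" value.
    wg=$(sed -n 's/^[[:space:]]*workgroup[[:space:]]*=[[:space:]]*//p' "$smbconf" | head -n 1)
    [ -n "$wg" ] || { echo "no workgroup in $smbconf" >&2; return 1; }

    # Realm entry in its own file, regenerated on every run.
    printf 'realm %s {\n}\n' "$wg" > "$raddb/clearos-proxy.conf"

    # Include it once, at top level (here: end of radiusd.conf).
    grep -qxF '$INCLUDE clearos-proxy.conf' "$raddb/radiusd.conf" ||
        echo '$INCLUDE clearos-proxy.conf' >> "$raddb/radiusd.conf"

    # Uncomment the bare "ntdomain" line in both virtual servers.
    for f in default inner-tunnel; do
        sed -i 's/^\([[:space:]]*\)#[[:space:]]*ntdomain[[:space:]]*$/\1ntdomain/' \
            "$raddb/sites-available/$f"
    done

    # Uncomment ntlm_auth and point it at the real binary.
    sed -i 's|^\([[:space:]]*\)#[[:space:]]*\(ntlm_auth[[:space:]]*=.*\)/path/to/ntlm_auth|\1\2/usr/bin/ntlm_auth|' \
        "$raddb/mods-available/mschap"
}

make_sample_tree() {     # constructed stand-ins for the upstream files
    local d="$1"
    mkdir -p "$d/raddb/sites-available" "$d/raddb/mods-available"
    printf '[global]\n   workgroup = CLEARSYSTEM\n' > "$d/smb.conf"
    printf '$INCLUDE proxy.conf\n' > "$d/raddb/radiusd.conf"
    printf '\tsuffix\n#\tntdomain\n' > "$d/raddb/sites-available/default"
    printf '\tsuffix\n#\tntdomain\n' > "$d/raddb/sites-available/inner-tunnel"
    printf '#\tntlm_auth = "/path/to/ntlm_auth --request-nt-key"\n' \
        > "$d/raddb/mods-available/mschap"
}

# Demo on a throwaway copy; nothing under /etc is touched.
tmp=$(mktemp -d)
make_sample_tree "$tmp"
apply_radius_notes "$tmp/raddb" "$tmp/smb.conf"
cat "$tmp/raddb/clearos-proxy.conf" "$tmp/raddb/mods-available/mschap"
rm -rf "$tmp"
```

The function is safe to run repeatedly, so it could serve as the prestart step mentioned in the notes; after applying it to a copy of /etc/raddb, `radiusd -X` shows whether the configuration parses.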