Synology usage series 21 – Install FreeRadius Server and integrate with OpenLDAP Server


Setup FreeRadius on DS207+

This radius package contains quite a lots of bugs. Be sure follow every single steps here.

  1. Telnet/SSH to the DS as root
  2. Install freeradius and make

    # ipkg install freeradius
    # ipkg install make

  3. There is a missing line in the config file, add it back
                    # vi /opt/etc/raddb/radiusd.conf
    
                    Add the following line to the radiusd.conf
    
                   log_destination = files
                 
  4. The file ‘bootstrap’ will be used to generate default certificate for the radius server. For some reason, the script cannot find the make command. For such case, I edit the bootstrap file and give it the full path of the make command


    # vi /opt/etc/raddb/certs/bootstrap

    /opt/bin/make ca server dh random

  5. I got the same problem for Makefile. It cannot locate the openssl command. I’ve tried using the openssl provided by optware (/opt/bin/openssl) and it is working good.

    Update Nov 12 2011 WARNING: NEVER use the openssl provided by synology (/usr/syno/bin/openssl), it will failed the installation.

    So go ahead and edit the Makefile and edit the path of every openssl command


    # vi /opt/etc/raddb/certs/Makefile

    /opt/bin/openssl ......

    ** Make sure edit all openssl command in the Makefile!

  6. Update Nov 24 2011

    Just figured out that there is a bug here when generating CA certificate. The cert being generated is valid for one month only, no matter what value you specified in the ca.cnf file. To fix this, edit the /opt/etc/raddb/certs/Makefile again.

    Add the following line to the top of the file

    CA_DEF_DAYS = `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'`

    Then looks for the line begin with ca.key ca.pem, changes highlighted in red.

    
    ca.key ca.pem:
            /opt/bin/openssl req -new -x509 -keyout ca.key -out ca.pem -days $(CA_DEF_DAYS) -config ./ca.cnf
    
  7. Edit certificate_authority information


    # vi /opt/etc/raddb/certs/ca.cnf

    [ CA_default]
    default_days = 365

    [ req ]
    input_password = my input password
    output_password = my output password

    [certificate_authority]
    .
    .
    .

    By default, CA certificate is created and only valid for 365 days. If you don’t want to recreate all certs things every year, modify the value of default_days.

    For the [ req ] section, make sure to change the input_password and output_password and use some strong password instead of something like helloworld.

    Feel free to modify the [certificate_authority] section and input some information regarding your own radius CA.

  8. Edit server information


    # vi /opt/etc/raddb/certs/server.cnf

    [ CA_default ]
    default_days = 365

    [ req ]
    input_password = my input password
    output_password = my output password

    [server]
    .
    .
    .

    By default, server certificate is created and only valid for 365 days. If you don’t want to recreate all certs things every year, modify the value of default_days.

    Looks for the [ req ] section, make sure to change the input_password and output_password and use some strong password instead of something like helloworld.

    Feel free to modify the [server] section and input some information regarding your own radius server.

    * By default, the field countryName, organizationName and stateOrProvinceName must be same as CA.

  9. Edit client information
    
    # vi /opt/etc/raddb/certs/client.cnf
    
    [ CA_default ]
    default_days = 365
    
    [ req ]
    input_password = my input password
    output_password = my output password
    
    [client]
    .
    .
    .
    

    By default, client certificate is created and only valid for 365 days. If you don't want to recreate all certs things every year, modify the value of default_days.

    Looks for the [ req ] section, make sure to change the input_password and output_password and use some strong password instead of something like helloworld.

    Feel free to modify the [client] section and input some information regarding your radius client.

    * By default, the field countryName, organizationName and stateOrProvinceName must be same as CA.

  10. Now backup the certs directory so that we can repeat the certs things all over again in case something go wrong.

    # cd /opt/etc/raddb
    # cp -r certs certs.bak

  11. Edit eap.conf and specify private key password
    
    # vi /opt/etc/raddb/eap.conf
    
    tls {
         #
         #  These is used to simplify later configurations.
         #
         certdir = ${confdir}/certs
         cadir = ${confdir}/certs
    
         private_key_password = [server output_password]
         private_key_file = ${certdir}/server.pem
    
    

    Input server's output password as private key password above, save the file.

  12. Next we need a testing account 'dummy' with password 'password'. Edit the 'users' file.


    # vi /opt/etc/raddb/users

    dummy Cleartext-Password := "password"

  13. If you are DS213+ owner and already installed gcc package, chance are that you already installed libnsl. The libnsl package is incompatible with the radiusd that we need to run in the next step. To proceed, you need to remove the libnsl.

    # ipkg -force-depends remove libnsl

  14. Execute the radius server in debug mode, in order to generates default certificate.

    # cd /opt/etc/raddb/certs
    # radiusd -X

  15. If configuration correct, it will display 'Ready to process requests.'.
  16. Open another terminal (telnet or ssh), testing the server using the dummy account

    # radtest dummy password localhost 0 testing123

  17. If success, it will return message like below
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=152, length=20
  18. Also verify the expiration date of CA cert:


    # cd /opt/etc/raddb/certs
    # openssl x509 -in ca.pem -noout -dates
    notBefore=Nov 24 10:27:49 2011 GMT
    notAfter=Nov 21 10:27:49 2021 GMT

Now I've the FreeRadius running on my DS!





16 thoughts


  1. I did as You described and the make process threw warning on missing openssl.cnf file and furthermore some errors. How can I “remake” the initial configuration in Your step no.7 in case sth failed? Is there anything special on Synology DSM3.0 compared to “standard” Linux as described on freeradius.org?

    • Please read the README in the certs directory. You can simply run the command below and do it all over again

      rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*

  2. Hi Ray.

    Awsome site 🙂

    I get this: when I run radiusd -X

    Makefile:69: *** missing separator. Stop.
    Exec-Program output:
    Exec-Program: returned: 2
    rlm_eap: Failed to initialize type tls
    /opt/etc/raddb/eap.conf[17]: Instantiation failed for module “eap”
    /opt/etc/raddb/radiusd.conf[1719]: Failed to find module “eap”.
    /opt/etc/raddb/radiusd.conf[1666]: Errors parsing authenticate section.
    }
    }
    Errors initializing modules

    Why is this ? I have double checked everything and I can´t seem to find any thing wrong.

    Please help 🙂

    BTW My DSM ver. is 3.2-1955

    Best regards Mads

    • radius failed to generate certificates for eap modules. Take a look to the /opt/etc/raddb/certs/Makefile line 69.

      In case you don’t need eap, or you don’t need certificates support at all, try comment all eap and $INCLUDE ${confdir}/eap.conf in the /opt/etc/raddb/radiusd.conf.

  3. Hi Ray.

    Thx for the fast respons 🙂

    I found some erros in the makefile that I some have had done wrong. I manage to lounch the RADIUS but i get erros in the radiuss.conf which said!

    sthlmdsx01> radiusd -X
    FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Nov 2 2010 at 00:15:35
    Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
    PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the
    GNU General Public License v2.
    Starting – reading configuration files …
    including configuration file /opt/etc/raddb/radiusd.conf
    including configuration file /opt/etc/raddb/proxy.conf
    including configuration file /opt/etc/raddb/clients.conf
    including configuration file /opt/etc/raddb/snmp.conf
    including configuration file /opt/etc/raddb/eap.conf
    including configuration file /opt/etc/raddb/sql.conf
    including configuration file /opt/etc/raddb/sql/mysql/dialup.conf
    /opt/etc/raddb/radiusd.conf[1721]: Too many closing braces
    Errors reading /opt/etc/raddb/radiusd.conf

    I look in the file att line 1721 and found that there was missing braces!!!? so I added the needed one, One brace, which is the one al the way in the end!

    FYI: The file look like this:

    # The common reasons to set the Auth-Type attribute by hand
    # is to either forcibly reject the user, or forcibly accept him.
    #
    authenticate {

    # PAP authentication, when a back-end database listed
    # in the ‘authorize’ section supplies a password. The
    # password can be clear-text, or encrypted.
    Auth-Type PAP {
    pap
    }

    #
    # Most people want CHAP authentication
    # A back-end database listed in the ‘authorize’ section
    # MUST supply a CLEAR TEXT password. Encrypted passwords
    # won’t work.
    Auth-Type CHAP {
    chap
    }

    #
    # MSCHAP authentication.
    Auth-Type MS-CHAP {
    mschap
    }

    #
    # If you have a Cisco SIP server authenticating against
    # FreeRADIUS, uncomment the following line, and the ‘digest’
    # line in the ‘authorize’ section.
    # digest

    #
    # Pluggable Authentication Modules.
    # pam

    #
    # See ‘man getpwent’ for information on how the ‘unix’
    # module checks the users password. Note that packets
    # containing CHAP-Password attributes CANNOT be authenticated
    # against /etc/passwd! See the FAQ for details.
    #
    unix

    # Uncomment it if you want to use ldap for authentication
    #
    # Note that this means “check plain-text password against
    # the ldap database”, which means that EAP won’t work,
    # as it does not supply a plain-text password.
    #Auth-Type LDAP {ldap}

    #
    #Allow eap authentication.
    Auth-Type eap {
    eap
    }
    }

    #
    # Pre-accounting. Decide which accounting type to use
    I have looked and when i set in the amount of braces whiches is needed it comes with the error that it cant find the eap module … I just don´t get it!

    This is what i get when I add in the right amount of braces in the file.

    make: *** [ca.pem] Error 1
    Exec-Program output: /opt/bin/openssl req -new -x509 -keyout ca.key -out ca.pem -days -config ./ca.cnf
    Exec-Program-Wait: plaintext: /opt/bin/openssl req -new -x509 -keyout ca.key -out ca.pem -days -config ./ca.cnf
    Exec-Program: returned: 2
    rlm_eap: Failed to initialize type tls
    /opt/etc/raddb/eap.conf[17]: Instantiation failed for module “eap”
    /opt/etc/raddb/radiusd.conf[1719]: Failed to find module “eap”.
    /opt/etc/raddb/radiusd.conf[1719]: Failed to parse “eap” entry.
    }
    }
    Errors initializing modules

    Any Ideas?

    • Ok I think I guessed what’s your issue now.

      From your first line:

      sthlmdsx01> radiusd -X

      It seems like that you are running radiusd as sthlmdsx01. Please look at step 1 here and run radiusd as root.

      Please follow every single steps, unless it was marked optional, otherwise all steps I mentioned is necessary to make things happen.

  4. Hi Ray.

    Ryd for the respons. I ssh to the höst as root, i know it is à bad habit bit i do. I would be thrilled if you would look at my files. If I zip them how kan I send them to you? Via FTP or mail ?
    Best regards,

    And thx for the help again 🙂

    • It is required to run radiusd as root the first time so that radius got enough permission to generate certificates things for the eap/tls module. Once setup completed it is not a must to run radiusd as root.

      If you still encountered any issues pls zip the config/log to somewhere and lemme know the url either here or using the contact form above.

      Good luck!

  5. Hi Ray.

    I would def. want to use EAP, so if you don´t mind looking over my conf. it wold be awesome.
    I have zipped eap, radiusd and Makefile do it for you?
    Which log do you want and from which dir?

    Thanks Ray.

    Best regards

    Mads

  6. Hey Ray,

    first of all, thx for the great work!
    I followed your guide, step by step on my 107+, but when i issue the Radiud -X, i get the following errors:

    rlm_eap: SSL error error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
    rlm_eap_tls: Error reading private key file /opt/etc/raddb/certs/server.pem
    rlm_eap: Failed to initialize type tls
    /opt/etc/raddb/eap.conf[17]: Instantiation failed for module “eap”
    /opt/etc/raddb/radiusd.conf[1721]: Failed to find module “eap”.
    /opt/etc/raddb/radiusd.conf[1668]: Errors parsing authenticate section.
    }
    }
    Errors initializing modules

    Could you pls help me out on this. Would be too nice having a Radius running.

    Thx in advance,

    Thomas

Leave a Reply

Your email address will not be published. Required fields are marked *