Synology usage series 21 – Install FreeRadius Server and integrate with OpenLDAP Server


Update: 2015-01-08

To create more client certificate, for example, newclient

First make sure the cert directory is backuped.

# cd /opt/etc/raddb
# cp -r certs certs.bak

Then perform the procedures below to generate addition client certificate

  1. # cp client.cnf newclient.cnf
  2. edit newclient.cnf
    • change

      distinguished_name = newclient

    • change [client] to [newclient]
    • change

      commonName = newclient

    • Also need to change input_password and output_password as well.

      input_password = new input password
      output_password = new output password

    • Change other information if you see fit, such as organization name, email address, etc.
  3. Edit Makefile, add the following lines for newclient

    PASSWORD_NEWCLIENT= `grep output_password newclient.cnf | sed ‘s/.*=//;s/^ *//’`
    .PHONY: newclient
    newclient: newclient.pem

    ######################################################################
    #
    # Create a newclient certificate, signed by the the above server
    # certificate.
    #
    ######################################################################
    newclient.csr newclient.key: newclient.cnf
    /opt/bin/openssl req -new -out newclient.csr -keyout newclient.key -config ./newclient.cnf

    newclient.crt: newclient.csr server.crt server.key index.txt serial
    /opt/bin/openssl ca -batch -keyfile server.key -cert server.crt -in newclient.crt -extensions xpclient_ext -extfile xpextensions -config ./newclient.cnf

    newclient.p12: newclient.crt
    /opt/bin/openssl pkcs12 -export -in newclient.crt -inkey newclient.key -out newclient.p12 -passin pass:$(PASSWORD_NEWCLIENT) -passout pass:$(PASSWORD_CLIENT)

    newclient.pem: newclient.p12
    /opt/bin/openssl pkcs12 -in newclient.p12 -out newclient.pem -passin pass:$(PASSWORD_NEWCLIENT) -passout pass:$(PASSWORD_NEWCLIENT)

    .PHONY: server.vrfy
    newclient.vrfy: server.pem newclient.pem

    c_rehash .

    /opt/bin/openssl verify -CApath . newclient.pem

  4. Run the command below to generate newclient certificate

    # Make newclient.pem





16 thoughts


  1. I did as You described and the make process threw warning on missing openssl.cnf file and furthermore some errors. How can I “remake” the initial configuration in Your step no.7 in case sth failed? Is there anything special on Synology DSM3.0 compared to “standard” Linux as described on freeradius.org?

    • Please read the README in the certs directory. You can simply run the command below and do it all over again

      rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*

  2. Hi Ray.

    Awsome site 🙂

    I get this: when I run radiusd -X

    Makefile:69: *** missing separator. Stop.
    Exec-Program output:
    Exec-Program: returned: 2
    rlm_eap: Failed to initialize type tls
    /opt/etc/raddb/eap.conf[17]: Instantiation failed for module “eap”
    /opt/etc/raddb/radiusd.conf[1719]: Failed to find module “eap”.
    /opt/etc/raddb/radiusd.conf[1666]: Errors parsing authenticate section.
    }
    }
    Errors initializing modules

    Why is this ? I have double checked everything and I can´t seem to find any thing wrong.

    Please help 🙂

    BTW My DSM ver. is 3.2-1955

    Best regards Mads

    • radius failed to generate certificates for eap modules. Take a look to the /opt/etc/raddb/certs/Makefile line 69.

      In case you don’t need eap, or you don’t need certificates support at all, try comment all eap and $INCLUDE ${confdir}/eap.conf in the /opt/etc/raddb/radiusd.conf.

  3. Hi Ray.

    Thx for the fast respons 🙂

    I found some erros in the makefile that I some have had done wrong. I manage to lounch the RADIUS but i get erros in the radiuss.conf which said!

    sthlmdsx01> radiusd -X
    FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Nov 2 2010 at 00:15:35
    Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
    PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the
    GNU General Public License v2.
    Starting – reading configuration files …
    including configuration file /opt/etc/raddb/radiusd.conf
    including configuration file /opt/etc/raddb/proxy.conf
    including configuration file /opt/etc/raddb/clients.conf
    including configuration file /opt/etc/raddb/snmp.conf
    including configuration file /opt/etc/raddb/eap.conf
    including configuration file /opt/etc/raddb/sql.conf
    including configuration file /opt/etc/raddb/sql/mysql/dialup.conf
    /opt/etc/raddb/radiusd.conf[1721]: Too many closing braces
    Errors reading /opt/etc/raddb/radiusd.conf

    I look in the file att line 1721 and found that there was missing braces!!!? so I added the needed one, One brace, which is the one al the way in the end!

    FYI: The file look like this:

    # The common reasons to set the Auth-Type attribute by hand
    # is to either forcibly reject the user, or forcibly accept him.
    #
    authenticate {

    # PAP authentication, when a back-end database listed
    # in the ‘authorize’ section supplies a password. The
    # password can be clear-text, or encrypted.
    Auth-Type PAP {
    pap
    }

    #
    # Most people want CHAP authentication
    # A back-end database listed in the ‘authorize’ section
    # MUST supply a CLEAR TEXT password. Encrypted passwords
    # won’t work.
    Auth-Type CHAP {
    chap
    }

    #
    # MSCHAP authentication.
    Auth-Type MS-CHAP {
    mschap
    }

    #
    # If you have a Cisco SIP server authenticating against
    # FreeRADIUS, uncomment the following line, and the ‘digest’
    # line in the ‘authorize’ section.
    # digest

    #
    # Pluggable Authentication Modules.
    # pam

    #
    # See ‘man getpwent’ for information on how the ‘unix’
    # module checks the users password. Note that packets
    # containing CHAP-Password attributes CANNOT be authenticated
    # against /etc/passwd! See the FAQ for details.
    #
    unix

    # Uncomment it if you want to use ldap for authentication
    #
    # Note that this means “check plain-text password against
    # the ldap database”, which means that EAP won’t work,
    # as it does not supply a plain-text password.
    #Auth-Type LDAP {ldap}

    #
    #Allow eap authentication.
    Auth-Type eap {
    eap
    }
    }

    #
    # Pre-accounting. Decide which accounting type to use
    I have looked and when i set in the amount of braces whiches is needed it comes with the error that it cant find the eap module … I just don´t get it!

    This is what i get when I add in the right amount of braces in the file.

    make: *** [ca.pem] Error 1
    Exec-Program output: /opt/bin/openssl req -new -x509 -keyout ca.key -out ca.pem -days -config ./ca.cnf
    Exec-Program-Wait: plaintext: /opt/bin/openssl req -new -x509 -keyout ca.key -out ca.pem -days -config ./ca.cnf
    Exec-Program: returned: 2
    rlm_eap: Failed to initialize type tls
    /opt/etc/raddb/eap.conf[17]: Instantiation failed for module “eap”
    /opt/etc/raddb/radiusd.conf[1719]: Failed to find module “eap”.
    /opt/etc/raddb/radiusd.conf[1719]: Failed to parse “eap” entry.
    }
    }
    Errors initializing modules

    Any Ideas?

    • Ok I think I guessed what’s your issue now.

      From your first line:

      sthlmdsx01> radiusd -X

      It seems like that you are running radiusd as sthlmdsx01. Please look at step 1 here and run radiusd as root.

      Please follow every single steps, unless it was marked optional, otherwise all steps I mentioned is necessary to make things happen.

  4. Hi Ray.

    Ryd for the respons. I ssh to the höst as root, i know it is à bad habit bit i do. I would be thrilled if you would look at my files. If I zip them how kan I send them to you? Via FTP or mail ?
    Best regards,

    And thx for the help again 🙂

    • It is required to run radiusd as root the first time so that radius got enough permission to generate certificates things for the eap/tls module. Once setup completed it is not a must to run radiusd as root.

      If you still encountered any issues pls zip the config/log to somewhere and lemme know the url either here or using the contact form above.

      Good luck!

  5. Hi Ray.

    I would def. want to use EAP, so if you don´t mind looking over my conf. it wold be awesome.
    I have zipped eap, radiusd and Makefile do it for you?
    Which log do you want and from which dir?

    Thanks Ray.

    Best regards

    Mads

  6. Hey Ray,

    first of all, thx for the great work!
    I followed your guide, step by step on my 107+, but when i issue the Radiud -X, i get the following errors:

    rlm_eap: SSL error error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
    rlm_eap_tls: Error reading private key file /opt/etc/raddb/certs/server.pem
    rlm_eap: Failed to initialize type tls
    /opt/etc/raddb/eap.conf[17]: Instantiation failed for module “eap”
    /opt/etc/raddb/radiusd.conf[1721]: Failed to find module “eap”.
    /opt/etc/raddb/radiusd.conf[1668]: Errors parsing authenticate section.
    }
    }
    Errors initializing modules

    Could you pls help me out on this. Would be too nice having a Radius running.

    Thx in advance,

    Thomas

Leave a Reply

Your email address will not be published. Required fields are marked *