|Version 3 (modified by anonymous, 4 years ago)|
Wifidog RADIUS config
Work in progress. More to come : !
This document was based on FC10, and free-radius. The encryption method used were CHAP_MD5, and the other methods were not tested, or verified, though they should work.
You've got your distro working properly You have configured the WiFiDog Auth server and Gateway properly.
They work right, at least for the default-network login for the admin user.
If the above isn't done yet, finish that first.
Figuring out why radius isn't working is hard enough. Don't try to troubleshoot the whole mess at the same time.
Get the Auth server and GW working using local auth first!!!
I used Fedora. I'm sure you could use CentOS or RHEL, but many of the pieces aren't available via yum or RPM's, and I really don't care for compiling stuff by hand. So, the suggestion is to use a current Fedora, or something else that has most everything needed so you don't have to compile. If compiling everything by hand is your thing, then by all means - enjoy yourself - start with RH6 or something...
Make sure you have freeradius installed and working - follow the docs for which modules you'll need. You'll need quite of bit of stuff to make it all work. (i.e. Radius support for PHP etc.)
Configure Free-Radius. This config had everything (Auth Server, Postgres and Free-Radius on the same box.) So, make sure you configure the clients.conf - either for 127.0.0.1 for a Free-Radius server that's local, or for the appropriate "client" network.
If you're doing something more elaborate for user management on Free-Radius, make sure that works properly. I simply used the users file in Free-Radius - so that's straightforward.
The docs in WifiDog are MISLEADING [wrong might be more accurate, but less charitable] for the config string in the AuthServer? Network config. DO NOT LEAVE SPACES BETWEEN THE ELEMENTS! I'm sure I could go figure out why, but I'm buried so many hours at this point, I'm not very eager to do so. The config string should look something like the first example and NOT like the second!:
'default-network', 'localhost', 1812, 1813, 'xxxxxx', 'CHAP_MD5'
If you leave spaces in-between the elements, it's going to barf on you.
I kept getting an "Invalid RADIUS encryption method." when I tried to login. The examples show spaces - save yourself some serious agony, and leave them out!
AGAIN - DON'T PUT SPACES BETWEEN THE ELEMENTS IN "AUTHENTICATOR PARAMETERS"
The available Radius encryption/communication methods are: 'CHAP_MD5' 'MSCHAPv1' 'MSCHAPv2'
While there's reference to PAP in the code, it doesn't appear to work.
--- Create a new network, which will use RadiusAuth?. (This should allow you to login to the auth-server using the default network should your radius config be wrong.
Run radius in the foreground in debug mode while you're testing. That will make things a lot easier. (i.e. radiusd -X in a terminal window) This will let you see Free-Radius do the lookups etc and test them.
Also, make sure the clients file is correct. My most recent config I screwed something up in the clients config of Free-Radius and while the auth-server would contact Free-Radius and the debug for Free-Radius would show a successful authentication, the auth-server wouldn't get a response. (or so it claimed.) [I think the shared password was wrong in this case. But it certainly was frustrating when Free-Radius appeared to be giving a successful login but the auth-server wasn't seeing it.]
More later should I have time and energy.