I recently implemented FreeRADIUS on Fedora Core 7 to provide authentication for our Cisco wireless network. I then had to extend it to provide PAM authentication against our RSA Authentication Manager for our remote office VPN, because their router didn’t support direct RSA authentication. While that sounded simple, it was actually quite painful at first.
For some reason, probably configuration errors on my part, I could not get the remote Cisco 2801 router to authenticate successfully against the RSA device through PAM on the FreeRADIUS server. It always returned an error stating “No Auth-Type set.” After trying several modifications I found that I could get PAM authentication working by adding:
update control {
    Auth-Type := PAM
}
into the authorize {} section. However, this forced ALL authentication to be PAM, and that broke wireless authentication. After more fiddling I added a second IP address to the RADIUS server and configured FreeRADIUS to use virtual servers listening on two separate IP addresses. The first virtual server handles normal EAP-PEAP authentication and the second virtual server handles PAM authentication.
Here are the important parts of my config:
The listen section:
listen {
    type = auth
    ipaddr = 1.2.3.1
    port = 1642
    virtual_server = one
}
listen {
    ipaddr = 1.2.3.1
    port = 1652
    type = acct
    virtual_server = one
}
listen {
    type = auth
    ipaddr = 1.2.3.2
    port = 1642
    virtual_server = two
}
listen {
    ipaddr = 1.2.3.2
    port = 1652
    type = acct
    virtual_server = two
}
The virtual server section:
server one {
    authenticate {
        eap
        pam
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
    }
    authorize {
        mschap
        eap
    }
}
server two {
    authenticate {
        eap
        pam
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
    }
    authorize {
        mschap
        eap
        update control {
            Auth-Type := PAM
        }
    }
}
There are probably some things I can remove from the second virtual server since I am forcing it to use PAM, but it works, so I’ll leave it alone for now.
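A quick way to confirm that the Auth-Type override is scoped to the PAM socket only, and that every listen block points at a virtual server that actually exists, is to walk the config and report which Auth-Type each auth socket ends up forcing. The script below is an added example, not part of the original post or of FreeRADIUS itself; it uses a deliberately minimal brace-block parser and a constructed, trimmed copy of the config above as input.

```python
import re
# Constructed sample, trimmed from the post: two auth sockets, each bound to its own virtual server.
SAMPLE_CONFIG = """
listen {
    ipaddr = 1.2.3.1
    port = 1642
    virtual_server = one
}
listen {
    ipaddr = 1.2.3.2
    port = 1642
    virtual_server = two
}
server one {
    authorize {
        eap
    }
}
server two {
    authorize {
        update control {
            Auth-Type := PAM
        }
    }
}
"""
def parse(text):
    """Minimal brace-block parser: 'name {', '}', 'key = v' / 'Attr := v', or a bare module per line."""
    stack = [{"name": "", "attrs": {}, "children": []}]
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith("{"):
            stack[-1]["children"].append({"name": line[:-1].strip(), "attrs": {}, "children": []})
            stack.append(stack[-1]["children"][-1])
        elif line == "}":
            stack.pop()
        elif (m := re.match(r"^([\w-]+)\s*:?=\s*(.+)$", line)):
            stack[-1]["attrs"][m.group(1)] = m.group(2).strip()
    return stack[0]

def audit(text):
    """Map each listen socket to (virtual server, Auth-Types forced by 'update control' in its authorize)."""
    root = parse(text)
    servers = {b["name"][7:]: b for b in root["children"] if b["name"].startswith("server ")}
    report = {}
    for a in (b["attrs"] for b in root["children"] if b["name"] == "listen"):
        srv = servers[a["virtual_server"]]  # KeyError here means the socket points at an undefined server
        forced = [u["attrs"]["Auth-Type"] for s in srv["children"] if s["name"] == "authorize"
                  for u in s["children"] if u["name"] == "update control" and "Auth-Type" in u["attrs"]]
        report[f"{a['ipaddr']}:{a['port']}"] = (a["virtual_server"], forced)
    return report
```

Running audit(SAMPLE_CONFIG) shows 1.2.3.1:1642 bound to server one with nothing forced and 1.2.3.2:1642 bound to server two forcing PAM, which is the split the post relies on; a PAM entry showing up on the first socket would mean the override has leaked back into the shared authorize section.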
Later,
Gary