fipsinator
Goto Top

RadiusServer mit PEAP und OpenLDAP Problem

Hallo Liebe Admins und co.

Hier einmal die Informationen

Server: Ubuntu Desktop Version 8.10
Installierte Pakete:

-freeradius
-libfreeradius2
-freeradius-utils
-freeradius-ldap
-freeradius-common
-libssl0.9.8
-libssl0.9.8-dbg
-libssl-dev
-openssl
-openssl-blacklist
-ssl-cert
-openssl-doc
-ldap-utils
-libldap-2.4-2
-slapd
-slapd-dbg

Darunter sind die radiusd.conf und die eap.conf
Das ganze muss nächsten Freitag fertig sein und ich hänge hier...
Vlt hat ja jemand eine Idee dazu.

Ich habe hier ein Problem mit meinem Radius Server.
Im Debugg Modus (freeradius -x -h /etc/freeradius) bringt er mir immer folgende Meldung.

Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.

Ich habe schon diverse Foren durchforstet und sitze schon seit Tagen vor diesem Problem finde aber keine Lösung.

Die libssl-devel sind installiert.
FreeRadius Server habe ich schon einmal neu installiert und konfiguriert.

Hier die Ausgabe von dem Debugg Befehl:

FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Oct  9 2008 at 13:24:33
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius//radiusd.conf
including configuration file /etc/freeradius//proxy.conf
including configuration file /etc/freeradius//clients.conf
including files in directory /etc/freeradius//modules/
including configuration file /etc/freeradius//modules/etc_group
including configuration file /etc/freeradius//modules/wimax
including configuration file /etc/freeradius//modules/policy
including configuration file /etc/freeradius//modules/unix
including configuration file /etc/freeradius//modules/linelog
including configuration file /etc/freeradius//modules/exec
including configuration file /etc/freeradius//modules/sradutmp
including configuration file /etc/freeradius//modules/mac2vlan
including configuration file /etc/freeradius//modules/counter
including configuration file /etc/freeradius//modules/mschap
including configuration file /etc/freeradius//modules/digest
including configuration file /etc/freeradius//modules/ippool
including configuration file /etc/freeradius//modules/files
including configuration file /etc/freeradius//modules/attr_rewrite
including configuration file /etc/freeradius//modules/detail.example.com
including configuration file /etc/freeradius//modules/mac2ip
including configuration file /etc/freeradius//modules/pam
including configuration file /etc/freeradius//modules/realm
including configuration file /etc/freeradius//modules/inner-eap
including configuration file /etc/freeradius//modules/preprocess
including configuration file /etc/freeradius//modules/attr_filter
including configuration file /etc/freeradius//modules/radutmp
including configuration file /etc/freeradius//modules/passwd
including configuration file /etc/freeradius//modules/acct_unique
including configuration file /etc/freeradius//modules/chap
including configuration file /etc/freeradius//modules/ldap
including configuration file /etc/freeradius//modules/expr
including configuration file /etc/freeradius//modules/echo
including configuration file /etc/freeradius//modules/krb5
including configuration file /etc/freeradius//modules/detail.log
including configuration file /etc/freeradius//modules/pap
including configuration file /etc/freeradius//modules/expiration
including configuration file /etc/freeradius//modules/logintime
including configuration file /etc/freeradius//modules/detail
including configuration file /etc/freeradius//modules/sql_log
including configuration file /etc/freeradius//modules/smbpasswd
including configuration file /etc/freeradius//modules/checkval
including configuration file /etc/freeradius//modules/always
including configuration file /etc/freeradius//eap.conf
including configuration file /etc/freeradius//policy.conf
including files in directory /etc/freeradius//sites-enabled/
including configuration file /etc/freeradius//sites-enabled/inner-tunnel
including configuration file /etc/freeradius//sites-enabled/default
including dictionary file /etc/freeradius//dictionary
main {
	prefix = "/usr"  
	localstatedir = "/var"  
	logdir = "/var/log/freeradius"  
	libdir = "/usr/lib/freeradius"  
	radacctdir = "/var/log/freeradius/radacct"  
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = "/var/run/radiusd/radiusd.pid"  
	checkrad = "/usr/sbin/checkrad"  
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
 client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "testing123"  
	nastype = "other"  
 }
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
 }
 home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = "auth"  
	secret = "testing123"  
	response_window = 20
	max_outstanding = 65536
	zombie_period = 40
	status_check = "status-server"  
	ping_interval = 30
	check_interval = 30
	num_answers_to_alive = 3
	num_pings_to_alive = 3
	revive_interval = 120
	status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
 realm example.com {
	auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
	wait = no
	input_pairs = "request"  
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
	reply-message = "Password Has Expired  "  
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
	reply-message = "You are calling outside your allowed timespan  "  
	minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
	encryption_scheme = "auto"  
	auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
	use_mppe = yes
	require_encryption = no
	require_strong = no
	with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
	radwtmp = "/var/log/freeradius/radwtmp"  
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
	default_eap_type = "md5"  
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
	challenge = "Password: "  
	auth_type = "PAP"  
   }
Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
	with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
	format = "suffix"  
	delimiter = "@"  
	ignore_default = no
	ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
	usersfile = "/etc/freeradius//users"  
	acctusersfile = "/etc/freeradius//acct_users"  
	preproxy_usersfile = "/etc/freeradius//preproxy_users"  
	compat = "no"  
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
	filename = "/var/log/freeradius/radutmp"  
	username = "%{User-Name}"  
	case_sensitive = yes
	check_with_nas = yes
	perm = 384
	callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
	attrsfile = "/etc/freeradius//attrs.access_reject"  
	key = "%{User-Name}"  
  }
 }
}
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
	huntgroups = "/etc/freeradius//huntgroups"  
	hints = "/etc/freeradius//hints"  
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"  
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
	detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"  
	header = "%t"  
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
	attrsfile = "/etc/freeradius//attrs.accounting_response"  
	key = "%{User-Name}"  
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"  
	ipaddr = *
	port = 0
Failed binding to socket: Address already in use 
/etc/freeradius//radiusd.conf[236]: Error binding to port for 0.0.0.0 port 1812

Die Fehlermeldung am Schluss ist Nebensache, die habe ich erst seit heute und habe ich noch nicht Versucht zu lösen.

Ich muss gestehen ich arbeite sonst nie mit Linux, es ist nur für ein Abschlussprojekt.

Hier die radiusd.conf


# -*- text -*-
##
## radiusd.conf	-- FreeRADIUS server configuration file.
##
##	http://www.freeradius.org/
##	$Id$
##

######################################################################
#
#	Read "man radiusd" before editing this file.  See the section  
#	titled DEBUGGING.  It outlines a method where you can quickly
#	obtain the configuration you want, without running into
#	trouble.
#
#	Run the server in debugging mode, and READ the output.
#
#		$ radiusd -X
#
#	We cannot emphasize this point strongly enough.  The vast
#	majority of problems can be solved by carefully reading the
#	debugging output, which includes warnings about common issues,
#	and suggestions for how they may be fixed.
#
#	There may be a lot of output, but look carefully for words like:
#	"warning", "error", "reject", or "failure".  The messages there  
#	will usually be enough to guide you to a solution.
#
#	If you are going to ask a question on the mailing list, then
#	explain what you are trying to do, and include the output from
#	debugging mode (radiusd -X).  Failure to do so means that all
#	of the responses to your question will be people telling you
#	to "post the output of radiusd -X".  

######################################################################
#
#  	The location of other config files and logfiles are declared
#  	in this file.
#
#  	Also general configuration for modules can be done in this
#  	file, it is exported through the API to modules that ask for
#  	it.
#
#	See "man radiusd.conf" for documentation on the format of this  
#	file.  Note that the individual configuration items are NOT
#	documented in that "man" page.  They are only documented here,  
#	in the comments.
#
#	As of 2.0.0, FreeRADIUS supports a simple processing language
#	in the "authorize", "authenticate", "accounting", etc. sections.  
#	See "man unlang" for details.  
#

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}

#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir  
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',  
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   You can also try setting the LD_LIBRARY_PATH environment variable
#   in a script which starts the server.
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#	./configure --disable-shared
#	make
#	make install
#
libdir = /usr/lib/freeradius

#  pidfile: Where to place the PID of the RADIUS server.
#
#  The server may be signalled while it's running by using this  
#  file.
#
#  This file is written when ONLY running in daemon mode.
#
#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid

#  chroot: directory where the server does "chroot".  
#
#  The chroot is done very early in the process of starting the server.
#  After the chroot has been performed it switches to the "user" listed  
#  below (which MUST be specified).  If "group" is specified, it switchs  
#  to that group, too.  Any other groups listed for the specified "user"  
#  in "/etc/group" are also added as part of this process.  
#
#  The current working directory (chdir / cd) is left *outside* of the
#  chroot until all of the modules have been initialized.  This allows
#  the "raddb" directory to be left outside of the chroot.  Once the  
#  modules have been initialized, it does a "chdir" to ${logdir}.  This  
#  means that it should be impossible to break out of the chroot.
#
#  If you are worried about security issues related to this use of chdir,
#  then simply ensure that the "raddb" directory is inside of the chroot,  
#  end be sure to do "cd raddb" BEFORE starting the server.  
#
#  If the server is statically linked, then the only files that have
#  to exist in the chroot are ${run_dir} and ${logdir}.  If you do the
#  "cd raddb" as discussed above, then the "raddb" directory has to be  
#  inside of the chroot directory, too.
#
#chroot = /path/to/chroot/directory

# user/group: The name (or #number) of the user/group to run radiusd as.
#
#   If these are commented out, the server will run as the user/group
#   that started it.  In order to change to a different user/group, you
#   MUST be root ( or have root privleges ) to start the server.
#
#   We STRONGLY recommend that you run the server with as few permissions
#   as possible.  That is, if you're not using shadow passwords, the  
#   user and group items below should be set to radius'.  
#
#  NOTE that some kernels refuse to setgid(group) when the value of
#  (unsigned)group is above 60000; don't use group nobody on these systems!  
#
#  On systems with shadow passwords, you might have to set 'group = shadow'  
#  for the server to be able to read the shadow password file.  If you can
#  authenticate users while in debug mode, but not in daemon mode, it may be
#  that the debugging mode server is running as a user that can read the
#  shadow info, and the user listed below can not.
#
#  The server will also try to use "initgroups" to read /etc/groups.  
#  It will join all groups where "user" is a member.  This can allow  
#  for some finer-grained access controls.
#
#user = radius
#group = radius

#  max_request_time: The maximum time (in seconds) to handle a request.
#
#  Requests which take more time than this to process may be killed, and
#  a REJECT message is returned.
#
#  WARNING: If you notice that requests take a long time to be handled,
#  then this MAY INDICATE a bug in the server, in one of the modules
#  used to handle a request, OR in your local configuration.
#
#  This problem is most often seen when using an SQL database.  If it takes
#  more than a second or two to receive an answer from the SQL database,
#  then it probably means that you haven't indexed the database.  See your  
#  SQL server documentation for more information.
#
#  Useful range of values: 5 to 120
#
max_request_time = 30

#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
#
#  The RADIUS request is normally cached internally for a short period
#  of time, after the reply is sent to the NAS.  The reply packet may be
#  lost in the network, and the NAS will not see it.  The NAS will then
#  re-send the request, and the server will respond quickly with the
#  cached reply.
#
#  If this value is set too low, then duplicate requests from the NAS
#  MAY NOT be detected, and will instead be handled as seperate requests.
#
#  If this value is set too high, then the server will cache too many
#  requests, and some new requests may get blocked.  (See 'max_requests'.)  
#
#  Useful range of values: 2 to 10
#
cleanup_delay = 5

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
#
#  If this number is too low, then when the server becomes busy,
#  it will not respond to any new requests, until the 'cleanup_delay'  
#  time has passed, and it has removed the old requests.
#
#  If this number is set too high, then the server will use a bit more
#  memory for no real benefit.
#
#  If you aren't sure what it should be set to, it's better to set it  
#  too high than too low.  Setting it to 1000 per client is probably
#  the highest it should be.
#
#  Useful range of values: 256 to infinity
#
max_requests = 1024

#  listen: Make the server listen on a particular IP address, and send
#  replies out from that address. This directive is most useful for
#  hosts with multiple IP addresses on one interface.
#
#  If you want the server to listen on additional addresses, or on
#  additionnal ports, you can use multiple "listen" sections.  
#
#  Each section make the server listen for only one type of packet,
#  therefore authentication and accounting have to be configured in
#  different sections.
#
#  The server ignore all "listen" section if you are using '-i' and '-p'  
#  on the command line.
#
listen {
	#  Type of packets to listen for.
	#  Allowed values are:
	#	auth	listen for authentication packets
	#	acct	listen for accounting packets
	#	proxy   IP to use for sending proxied packets
	#	detail  Read from the detail file.  For examples, see
	#               raddb/sites-available/copy-acct-to-home-server
	#
	type = auth

	#  Note: "type = proxy" lets you control the source IP used for  
	#        proxying packets, with some limitations:
	#
	#    * Only ONE proxy listener can be defined.
	#    * A proxy listener CANNOT be used in a virtual server section.
	#    * You should probably set "port = 0".  
	#    * Any "clients" configuration will be ignored.  

	#  IP address on which to listen.
	#  Allowed values are:
	#	dotted quad (1.2.3.4)
	#       hostname    (radius.example.com)
	#       wildcard    (*)
	ipaddr = *

	#  OR, you can use an IPv6 address, but not both
	#  at the same time.
#	ipv6addr = ::	# any.  ::1 == localhost

	#  Port on which to listen.
	#  Allowed values are:
	#	integer port number (1812)
	#	0 means "use /etc/services for the proper port"  
	port = 0

	#  Some systems support binding to an interface, in addition
	#  to the IP address.  This feature isn't strictly necessary,  
	#  but for sites with many IP addresses on one interface,
	#  it's useful to say "listen on all addresses for eth0".  
	#
	#  If your system does not support this feature, you will
	#  get an error if you try to use it.
	#
#	interface = eth0

	#  Per-socket lists of clients.  This is a very useful feature.
	#
	#  The name here is a reference to a section elsewhere in
	#  radiusd.conf, or clients.conf.  Having the name as
	#  a reference allows multiple sockets to use the same
	#  set of clients.
	#
	#  If this configuration is used, then the global list of clients
	#  is IGNORED for this "listen" section.  Take care configuring  
	#  this feature, to ensure you don't accidentally disable a  
	#  client you need.
	#
	#  See clients.conf for the configuration of "per_socket_clients".  
	#
#	clients = per_socket_clients
}

#  This second "listen" section is for listening on the accounting  
#  port, too.
#
listen {
	ipaddr = *
#	ipv6addr = ::
	port = 0
	type = acct
#	interface = eth0
#	clients = per_socket_clients
}

#  hostname_lookups: Log the names of clients or just their IP addresses
#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
#  The default is 'off' because it would be overall better for the net  
#  if people had to knowingly turn this feature on, since enabling it
#  means that each client request will result in AT LEAST one lookup
#  request to the nameserver.   Enabling hostname_lookups will also
#  mean that your server may stop randomly for 30 seconds from time
#  to time, if the DNS requests take too long.
#
#  Turning hostname lookups off also means that the server won't block  
#  for 30 seconds, if it sees an IP address which has no name associated
#  with it.
#
#  allowed values: {no, yes}
#
hostname_lookups = no

#  Core dumps are a bad thing.  This should only be set to 'yes'  
#  if you're debugging a problem with the server.  
#
#  allowed values: {no, yes}
#
allow_core_dumps = no

#  Regular expressions
#
#  These items are set at configure time.  If they're set to "yes",  
#  then setting them to "no" turns off regular expression support.  
#
#  If they're set to "no" at configure time, then setting them to "yes"  
#  WILL NOT WORK.  It will give you an error.
#
regular_expressions	= yes
extended_expressions	= yes

#
#  Logging section.  The various "log_*" configuration items  
#  will eventually be moved here.
#
log {
	#
	#  Destination for log messages.  This can be one of:
	#
	#	files - log to "file", as defined below.  
	#	syslog - to syslog (see also the "syslog_facility", below.  
	#	stdout - standard output
	#	stderr - standard error.
	#
	#  The command-line option "-X" over-rides this option, and forces  
	#  logging to go to stdout.
	#
	destination = files

	#
	#  The logging messages for the server are appended to the
	#  tail of this file if destination == "files"  
	#
	#  If the server is running in debugging mode, this file is
	#  NOT used.
	#
	file = ${logdir}/radius.log

	#
	#  If this configuration parameter is set, then log messages for
	#  a *request* go to this file, rather than to radius.log.
	#
	#  i.e. This is a log file per request, once the server has accepted
	#  the request as being from a valid client.  Messages that are
	#  not associated with a request still go to radius.log.
	#
	#  Not all log messages in the server core have been updated to use
	#  this new internal API.  As a result, some messages will still
	#  go to radius.log.  Please submit patches to fix this behavior.
	#
	#  The file name is expanded dynamically.  You should ONLY user
	#  server-side attributes for the filename (e.g. things you control).
	#  Using this feature MAY also slow down the server substantially,
	#  especially if you do thinks like SQL calls as part of the
	#  expansion of the filename.
	#
	#  The name of the log file should use attributes that don't change  
	#  over the lifetime of a request, such as User-Name,
	#  Virtual-Server or Packet-Src-IP-Address.  Otherwise, the log
	#  messages will be distributed over multiple files.
	#
	#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log

	#
	#  Which syslog facility to use, if ${destination} == "syslog"  
	#
	#  The exact values permitted here are OS-dependent.  You probably
	#  don't want to change this.  
	#
	syslog_facility = daemon

	#  Log the full User-Name attribute, as it was found in the request.
	#
	# allowed values: {no, yes}
	#
	stripped_names = no

	#  Log authentication requests to the log file.
	#
	#  allowed values: {no, yes}
	#
	auth = no

	#  Log passwords with the authentication requests.
	#  auth_badpass  - logs password if it's rejected  
	#  auth_goodpass - logs password if it's correct  
	#
	#  allowed values: {no, yes}
	#
	auth_badpass = no
	auth_goodpass = no
}

#  The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

# SECURITY CONFIGURATION
#
#  There may be multiple methods of attacking on the server.  This
#  section holds the configuration items which minimize the impact
#  of those attacks
#
security {
	#
	#  max_attributes: The maximum number of attributes
	#  permitted in a RADIUS packet.  Packets which have MORE
	#  than this number of attributes in them will be dropped.
	#
	#  If this number is set too low, then no RADIUS packets
	#  will be accepted.
	#
	#  If this number is set too high, then an attacker may be
	#  able to send a small number of packets which will cause
	#  the server to use all available memory on the machine.
	#
	#  Setting this number to 0 means "allow any number of attributes"  
	max_attributes = 200

	#
	#  reject_delay: When sending an Access-Reject, it can be
	#  delayed for a few seconds.  This may help slow down a DoS
	#  attack.  It also helps to slow down people trying to brute-force
	#  crack a users password.
	#
	#  Setting this number to 0 means "send rejects immediately"  
	#
	#  If this number is set higher than 'cleanup_delay', then the  
	#  rejects will be sent at 'cleanup_delay' time, when the request  
	#  is deleted from the internal cache of requests.
	#
	#  Useful ranges: 1 to 5
	reject_delay = 1

	#
	#  status_server: Whether or not the server will respond
	#  to Status-Server requests.
	#
	#  When sent a Status-Server message, the server responds with
	#  an Access-Accept or Accounting-Response packet.
	#
	#  This is mainly useful for administrators who want to "ping"  
	#  the server, without adding test users, or creating fake
	#  accounting packets.
	#
	#  It's also useful when a NAS marks a RADIUS server "dead".  
	#  The NAS can periodically "ping" the server with a Status-Server  
	#  packet.  If the server responds, it must be alive, and the
	#  NAS can start using it for real requests.
	#
	status_server = yes
}

# PROXY CONFIGURATION
#
#  proxy_requests: Turns proxying of RADIUS requests on or off.
#
#  The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.
#
#  If you have proxying turned off, and your configuration files say
#  to proxy a request, then an error message will be logged.
#
#  To disable proxying, change the "yes" to "no", and comment the  
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#
proxy_requests  = yes
$INCLUDE proxy.conf


# CLIENTS CONFIGURATION
#
#  Client configuration is defined in "clients.conf".    
#

#  The 'clients.conf' file contains all of the information from the old  
#  'clients' and 'naslist' configuration files.  We recommend that you  
#  do NOT use 'client's or 'naslist', although they are still  
#  supported.
#
#  Anything listed in 'clients.conf' will take precedence over the  
#  information from the old-style configuration files.
#
$INCLUDE clients.conf


# THREAD POOL CONFIGURATION
#
#  The thread pool is a long-lived group of threads which
#  take turns (round-robin) handling any incoming requests.
#
#  You probably want to have a few spare threads around,
#  so that high-load situations can be handled immediately.  If you
#  don't have any spare threads, then the request handling will  
#  be delayed while a new thread is created, and added to the pool.
#
#  You probably don't want too many spare threads around,  
#  otherwise they'll be sitting there taking up resources, and  
#  not doing anything productive.
#
#  The numbers given below should be adequate for most situations.
#
thread pool {
	#  Number of servers to start initially --- should be a reasonable
	#  ballpark figure.
	start_servers = 5

	#  Limit on the total number of servers running.
	#
	#  If this limit is ever reached, clients will be LOCKED OUT, so it
	#  should NOT BE SET TOO LOW.  It is intended mainly as a brake to
	#  keep a runaway server from taking the system with it as it spirals
	#  down...
	#
	#  You may find that the server is regularly reaching the
	#  'max_servers' number of threads, and that increasing  
	#  'max_servers' doesn't seem to make much difference.  
	#
	#  If this is the case, then the problem is MOST LIKELY that
	#  your back-end databases are taking too long to respond, and
	#  are preventing the server from responding in a timely manner.
	#
	#  The solution is NOT do keep increasing the 'max_servers'  
	#  value, but instead to fix the underlying cause of the
	#  problem: slow database, or 'hostname_lookups=yes'.  
	#
	#  For more information, see 'max_request_time', above.  
	#
	max_servers = 32

	#  Server-pool size regulation.  Rather than making you guess
	#  how many servers you need, FreeRADIUS dynamically adapts to
	#  the load it sees, that is, it tries to maintain enough
	#  servers to handle the current load, plus a few spare
	#  servers to handle transient load spikes.
	#
	#  It does this by periodically checking how many servers are
	#  waiting for a request.  If there are fewer than
	#  min_spare_servers, it creates a new spare.  If there are
	#  more than max_spare_servers, some of the spares die off.
	#  The default values are probably OK for most sites.
	#
	min_spare_servers = 3
	max_spare_servers = 10

	#  There may be memory leaks or resource allocation problems with
	#  the server.  If so, set this value to 300 or so, so that the
	#  resources will be cleaned up periodically.
	#
	#  This should only be necessary if there are serious bugs in the
	#  server which have not yet been fixed.
	#
	#  '0' is a special value meaning 'infinity', or 'the servers never  
	#  exit'  
	max_requests_per_server = 0
}

# MODULE CONFIGURATION
#
#  The names and configuration of each module is located in this section.
#
#  After the modules are defined here, they may be referred to by name,
#  in other sections of this configuration file.
#
modules {
	#
	#  Each module has a configuration as follows:
	#
	#	name [ instance ] {
	#		config_item = value
	#		...
	#	}
	#
	#  The 'name' is used to load the 'rlm_name' library  
	#  which implements the functionality of the module.
	#
	#  The 'instance' is optional.  To have two different instances  
	#  of a module, it first must be referred to by 'name'.  
	#  The different copies of the module are then created by
	#  inventing two 'instance' names, e.g. 'instance1' and 'instance2'  
	#
	#  The instance names can then be used in later configuration
	#  INSTEAD of the original 'name'.  See the 'radutmp' configuration  
	#  for an example.
	#

	#
	#  As of 2.0.5, most of the module configurations are in a
	#  sub-directory.  Files matching the regex /[a-zA-Z0-9_.]+/
	#  are loaded.  The modules are initialized ONLY if they are
	#  referenced in a processing section, such as authorize,
	#  authenticate, accounting, pre/post-proxy, etc.
	#
	$INCLUDE ${confdir}/modules/

	#  Extensible Authentication Protocol
	#
	#  For all EAP related authentications.
	#  Now in another file, because it is very large.
	#
	$INCLUDE eap.conf

	#  Include another file that has the SQL-related configuration.
	#  This is another file only because it tends to be big.
	#
	#$INCLUDE sql.conf

	#
	#  This module is an SQL enabled version of the counter module.
	#
	#  Rather than maintaining seperate (GDBM) databases of
	#  accounting info for each counter, this module uses the data
	#  stored in the raddacct table by the sql modules. This
	#  module NEVER does any database INSERTs or UPDATEs.  It is
	#  totally dependent on the SQL module to process Accounting
	#  packets.
	#
	#$INCLUDE sql/mysql/counter.conf
	#$INCLUDE sql/postgresql/counter.conf

	#
	#  IP addresses managed in an SQL table.
	#
	#$INCLUDE sqlippool.conf

	# OTP token support.  Not included by default.
	# $INCLUDE otp.conf
ldap ldap_1x {
                server = "srvgrp7"  
                identity = "uid=admin,cn=admin,dc=grp7,dc=local"  
                password = "1234qwer"  
                basedn = "dc=grp7,dc=local"  

                base_filter = "(objectclass=)"  
                start_tls = yes
                # This is your Certificate Authority (CA) certificate
                tls_cacertfile = /etc/ldap/certs/server.crt
                tls_require_cert = "demand"  
                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"  
                # profile_attribute = "radiusProfileDn"  
                access_attr = "uid"  
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                authtype = ldap

                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
	}

# under MODULES, make sure mschap is uncommented!
    mschap {
      # authtype value, if present, will be used
      # to overwrite (or add) Auth-Type during
      # authorization. Normally, should be MS-CHAP
      authtype = MS-CHAP

      # if use_mppe is not set to no, mschap will
      # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
      # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
      #
      use_mppe = yes

      # if mppe is enabled, require_encryption makes
      # encryption moderate
      #
      require_encryption = yes

      # require_strong always requires 128 bit key
      # encryption
      #
      require_strong = yes

      authtype = MS-CHAP
      # The module can perform authentication itself, OR
      # use a Windows Domain Controller. See the radius.conf file
      # for how to do this.
    }
}

# Instantiation
#
#  This section orders the loading of the modules.  Modules
#  listed here will get loaded BEFORE the later sections like
#  authorize, authenticate, etc. get examined.
#
#  This section is not strictly needed.  When a section like
#  authorize refers to a module, it's automatically loaded and  
#  initialized.  However, some modules may not be listed in any
#  of the following sections, so they can be listed here.
#
#  Also, listing modules here ensures that you have control over
#  the order in which they are initalized.  If one module needs
#  something defined by another module, you can list them in order
#  here, and ensure that the configuration will be OK.
#
instantiate {
	#
	#  Allows the execution of external scripts.
	#  The entire command line (and output) must fit into 253 bytes.
	#
	#  e.g. Framed-Pool = `%{exec:/bin/echo foo}`
	exec

	#
	#  The expression module doesn't do authorization,  
	#  authentication, or accounting.  It only does dynamic
	#  translation, of the form:
	#
	#	Session-Timeout = `%{expr:2 + 3}`
	#
	#  So the module needs to be instantiated, but CANNOT be
	#  listed in any other section.  See 'doc/rlm_expr' for  
	#  more information.
	#
	expr

	#
	# We add the counter module here so that it registers
	# the check-name attribute before any module which sets
	# it
#	daily
	expiration
	logintime

	# subsections here can be thought of as "virtual" modules.  
	#
	# e.g. If you have two redundant SQL servers, and you want to
	# use them in the authorize and accounting sections, you could
	# place a "redundant" block in each section, containing the  
	# exact same text.  Or, you could uncomment the following
	# lines, and list "redundant_sql" in the authorize and  
	# accounting sections.
	#
	#redundant redundant_sql {
	#	sql1
	#	sql2
	#}
authorize {
        preprocess
        mschap
	suffix
	eap
	files
	chap
	ldap_1x
	openssl
    }
    
    authenticate {
         
         #
         #  MSCHAP authentication.    
         Auth-Type MS-CHAP {
               mschap
          }
	
	 #
         #  Allow EAP authentication.
         eap
     }

}

######################################################################
#
#	Policies that can be applied in multiple places are listed
#	globally.  That way, they can be defined once, and referred
#	to multiple times.
#
######################################################################
$INCLUDE policy.conf

######################################################################
#
#	As of 2.0.0, the "authorize", "authenticate", etc. sections  
#	are in separate configuration files, per virtual host.
#
######################################################################

######################################################################
#
#	Include all enabled virtual hosts.
#
#	The following directory is searched for files that match
#	the regex:
#
#		/[a-zA-Z0-9_.]+/
#
#	The files are then included here, just as if they were cut
#	and pasted into this file.
#
#	See "sites-enabled/default" for some additional documentation.  
#
$INCLUDE sites-enabled/

Und Hier die eap.conf

# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
##	$Id$

#######################################################################
#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server  
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the  
#  users then cannot use ANY other authentication method.
#
#  EAP types NOT listed here may be supported via the "eap2" module.  
#  See experimental.conf for documentation.
#
	eap {
		#  Invoke the default supported EAP type when
		#  EAP-Identity response is received.
		#
		#  The incoming EAP messages DO NOT specify which EAP
		#  type they will be using, so it MUST be set here.
		#
		#  For now, only one default EAP type may be used at a time.
		#
		#  If the EAP-Type attribute is set by another module,
		#  then that EAP type takes precedence over the
		#  default type configured here.
		#
		default_eap_type = md5

		#  A list is maintained to correlate EAP-Response
		#  packets with EAP-Request packets.  After a
		#  configurable length of time, entries in the list
		#  expire, and are deleted.
		#
		timer_expire     = 60

		#  There are many EAP types, but the server has support
		#  for only a limited subset.  If the server receives
		#  a request for an EAP type it does not support, then
		#  it normally rejects the request.  By setting this
		#  configuration to "yes", you can tell the server to  
		#  instead keep processing the request.  Another module
		#  MUST then be configured to proxy the request to
		#  another RADIUS server which supports that EAP type.
		#
		#  If another module is NOT configured to handle the
		#  request, then the request will still end up being
		#  rejected.
		ignore_unknown_eap_types = no

		# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
		# a User-Name attribute in an Access-Accept, it copies one
		# more byte than it should.
		#
		# We can work around it by configurably adding an extra
		# zero byte.
		cisco_accounting_username_bug = no

		#
		#  Help prevent DoS attacks by limiting the number of
		#  sessions that the server is tracking.  Most systems
		#  can handle ~30 EAP sessions/s, so the default limit
		#  of 2048 is more than enough.
		max_sessions = 2048

		# Supported EAP-types

		#
		#  We do NOT recommend using EAP-MD5 authentication
		#  for wireless connections.  It is insecure, and does
		#  not provide for dynamic WEP keys.
		#
		md5 {
		}

		# Cisco LEAP
		#
		#  We do not recommend using LEAP in new deployments.  See:
		#  http://www.securiteam.com/tools/5TP012ACKE.html
		#
		#  Cisco LEAP uses the MS-CHAP algorithm (but not
		#  the MS-CHAP attributes) to perform it's authentication.  
		#
		#  As a result, LEAP *requires* access to the plain-text
		#  User-Password, or the NT-Password attributes.
		#  'System' authentication is impossible with LEAP.  
		#
		leap {
		}

		#  Generic Token Card.
		#
		#  Currently, this is only permitted inside of EAP-TTLS,
		#  or EAP-PEAP.  The module "challenges" the user with  
		#  text, and the response from the user is taken to be
		#  the User-Password.
		#
		#  Proxying the tunneled EAP-GTC session is a bad idea,
		#  the users password will go over the wire in plain-text,
		#  for anyone to see.
		#
		gtc {
			#  The default challenge, which many clients
			#  ignore..
			#challenge = "Password: "  

			#  The plain-text response which comes back
			#  is put into a User-Password attribute,
			#  and passed to another module for
			#  authentication.  This allows the EAP-GTC
			#  response to be checked against plain-text,
			#  or crypt'd passwords.  
			#
			#  If you say "Local" instead of "PAP", then  
			#  the module will look for a User-Password
			#  configured for the request, and do the
			#  authentication itself.
			#
			auth_type = PAP
		}

		## EAP-TLS
		#
		#  See raddb/certs/README for additional comments
		#  on certificates.
		#
		#  If OpenSSL was not found at the time the server was
		#  built, the "tls", "ttls", and "peap" sections will  
		#  be ignored.
		#
		#  Otherwise, when the server first starts in debugging
		#  mode, test certificates will be created.  See the
		#  "make_cert_command" below for details, and the README  
		#  file in raddb/certs
		#
		#  These test certificates SHOULD NOT be used in a normal
		#  deployment.  They are created only to make it easier
		#  to install the server, and to perform some simple
		#  tests with EAP-TLS, TTLS, or PEAP.
		#
		#  See also:
		#
		#  http://www.dslreports.com/forum/remark,9286052~mode=flat
		#
		tls {
			#
			#  These is used to simplify later configurations.
			#
			certdir = ${confdir}/certs
			cadir = ${confdir}/certs

			private_key_password = whatever
			private_key_file = ${certdir}/server.pem

			#  If Private key & Certificate are located in
			#  the same file, then private_key_file &
			#  certificate_file must contain the same file
			#  name.
			#
			#  If CA_file (below) is not used, then the
			#  certificate_file below MUST include not
			#  only the server certificate, but ALSO all
			#  of the CA certificates used to sign the
			#  server certificate.
			certificate_file = ${certdir}/server.pem

			#  Trusted Root CA list
			#
			#  ALL of the CA's in this list will be trusted  
			#  to issue client certificates for authentication.
			#
			#  In general, you should use self-signed
			#  certificates for 802.1x (EAP) authentication.
			#  In that case, this CA file should contain
			#  *one* CA certificate.
			#
			#  This parameter is used only for EAP-TLS,
			#  when you issue client certificates.  If you do
			#  not use client certificates, and you do not want
			#  to permit EAP-TLS authentication, then delete
			#  this configuration item.
			CA_file = ${cadir}/ca.pem

			#
			#  For DH cipher suites to work, you have to
			#  run OpenSSL to create the DH file first:
			#
			#  	openssl dhparam -out certs/dh 1024
			#
			dh_file = ${certdir}/dh
			random_file = ${certdir}/random

			#
			#  This can never exceed the size of a RADIUS
			#  packet (4096 bytes), and is preferably half
			#  that, to accomodate other attributes in
			#  RADIUS packet.  On most APs the MAX packet
			#  length is configured between 1500 - 1600
			#  In these cases, fragment size should be
			#  1024 or less.
			#
		#	fragment_size = 1024

			#  include_length is a flag which is
			#  by default set to yes If set to
			#  yes, Total Length of the message is
			#  included in EVERY packet we send.
			#  If set to no, Total Length of the
			#  message is included ONLY in the
			#  First packet of a fragment series.
			#
		#	include_length = yes

			#  Check the Certificate Revocation List
			#
			#  1) Copy CA certificates and CRLs to same directory.
			#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.  
			#    'c_rehash' is OpenSSL's command.  
			#  3) uncomment the line below.
			#  5) Restart radiusd
		#	check_crl = yes
		#	CA_path = /path/to/directory/with/ca_certs/and/crls/

		       #
		       #  If check_cert_issuer is set, the value will
		       #  be checked against the DN of the issuer in
		       #  the client certificate.  If the values do not
		       #  match, the cerficate verification will fail,
		       #  rejecting the user.
		       #
		#       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"  

		       #
		       #  If check_cert_cn is set, the value will
		       #  be xlat'ed and checked against the CN  
		       #  in the client certificate.  If the values
		       #  do not match, the certificate verification
		       #  will fail rejecting the user.
		       #
		       #  This check is done only if the previous
		       #  "check_cert_issuer" is not set, or if  
		       #  the check succeeds.
		       #
		#	check_cert_cn = %{User-Name}
		#
			# Set this option to specify the allowed
			# TLS cipher suites.  The format is listed
			# in "man 1 ciphers".  
			cipher_list = "DEFAULT"  

			#

			#  This configuration entry should be deleted
			#  once the server is running in a normal
			#  configuration.  It is here ONLY to make
			#  initial deployments easier.
			#
			make_cert_command = "${certdir}/bootstrap"  

			#
			#  Session resumption / fast reauthentication
			#  cache.
			#
			cache {
			      #
			      #  Enable it.  The default is "no".  
			      #  Deleting the entire "cache" subsection  
			      #  Also disables caching.
			      #
			      #  You can disallow resumption for a
			      #  particular user by adding the following
			      #  attribute to the control item list:
			      #
			      #		Allow-Session-Resumption = No
			      #
			      #  If "enable = no" below, you CANNOT  
			      #  enable resumption for just one user
			      #  by setting the above attribute to "yes".  
			      #
			      enable = no

			      #
			      #  Lifetime of the cached entries, in hours.
			      #  The sessions will be deleted after this
			      #  time.
			      #
			      lifetime = 24 # hours

			      #
			      #  The maximum number of entries in the
			      #  cache.  Set to "0" for "infinite".  
			      #
			      #  This could be set to the number of users
			      #  who are logged in... which can be a LOT.
			      #
			      max_entries = 255
			}
		}

		#  The TTLS module implements the EAP-TTLS protocol,
		#  which can be described as EAP inside of Diameter,
		#  inside of TLS, inside of EAP, inside of RADIUS...
		#
		#  Surprisingly, it works quite well.
		#
		#  The TTLS module needs the TLS module to be installed
		#  and configured, in order to use the TLS tunnel
		#  inside of the EAP packet.  You will still need to
		#  configure the TLS module, even if you do not want
		#  to deploy EAP-TLS in your network.  Users will not
		#  be able to request EAP-TLS, as it requires them to
		#  have a client certificate.  EAP-TTLS does not
		#  require a client certificate.
		#
		#  You can make TTLS require a client cert by setting
		#
		#	EAP-TLS-Require-Client-Cert = Yes
		#
		#  in the control items for a request.
		#
		ttls {
			#  The tunneled EAP session needs a default
			#  EAP type which is separate from the one for
			#  the non-tunneled EAP module.  Inside of the
			#  TTLS tunnel, we recommend using EAP-MD5.
			#  If the request does not contain an EAP
			#  conversation, then this configuration entry
			#  is ignored.
			default_eap_type = md5

			#  The tunneled authentication request does
			#  not usually contain useful attributes
			#  like 'Calling-Station-Id', etc.  These  
			#  attributes are outside of the tunnel,
			#  and normally unavailable to the tunneled
			#  authentication request.
			#
			#  By setting this configuration entry to
			#  'yes', any attribute which NOT in the  
			#  tunneled authentication request, but
			#  which IS available outside of the tunnel,
			#  is copied to the tunneled request.
			#
			# allowed values: {no, yes}
			copy_request_to_tunnel = no

			#  The reply attributes sent to the NAS are
			#  usually based on the name of the user
			#  'outside' of the tunnel (usually  
			#  'anonymous').  If you want to send the  
			#  reply attributes based on the user name
			#  inside of the tunnel, then set this
			#  configuration entry to 'yes', and the reply  
			#  to the NAS will be taken from the reply to
			#  the tunneled request.
			#
			# allowed values: {no, yes}
			use_tunneled_reply = no

			#
			#  The inner tunneled request can be sent
			#  through a virtual server constructed
			#  specifically for this purpose.
			#
			#  If this entry is commented out, the inner
			#  tunneled request will be sent through
			#  the virtual server that processed the
			#  outer requests.
			#
			virtual_server = "inner-tunnel"  
		}

		##################################################
		#
		#  !!!!! WARNINGS for Windows compatibility  !!!!!
		#
		##################################################
		#
		#  If you see the server send an Access-Challenge,
		#  and the client never sends another Access-Request,
		#  then
		#
		#		STOP!
		#
		#  The server certificate has to have special OID's  
		#  in it, or else the Microsoft clients will silently
		#  fail.  See the "scripts/xpextensions" file for  
		#  details, and the following page:
		#
		#	http://support.microsoft.com/kb/814394/en-us
		#
		#  For additional Windows XP SP2 issues, see:
		#
		#	http://support.microsoft.com/kb/885453/en-us
		#
		#  Note that we do not necessarily agree with their
		#  explanation... but the fix does appear to work.
		#
		##################################################

		#
		#  The tunneled EAP session needs a default EAP type
		#  which is separate from the one for the non-tunneled
		#  EAP module.  Inside of the TLS/PEAP tunnel, we
		#  recommend using EAP-MS-CHAPv2.
		#
		#  The PEAP module needs the TLS module to be installed
		#  and configured, in order to use the TLS tunnel
		#  inside of the EAP packet.  You will still need to
		#  configure the TLS module, even if you do not want
		#  to deploy EAP-TLS in your network.  Users will not
		#  be able to request EAP-TLS, as it requires them to
		#  have a client certificate.  EAP-PEAP does not
		#  require a client certificate.
		#
		#
		#  You can make PEAP require a client cert by setting
		#
		#	EAP-TLS-Require-Client-Cert = Yes
		#
		#  in the control items for a request.
		#
		peap {
			#  The tunneled EAP session needs a default
			#  EAP type which is separate from the one for
			#  the non-tunneled EAP module.  Inside of the
			#  PEAP tunnel, we recommend using MS-CHAPv2,
			#  as that is the default type supported by
			#  Windows clients.
			default_eap_type = mschapv2

			#  the PEAP module also has these configuration
			#  items, which are the same as for TTLS.
			copy_request_to_tunnel = no
			use_tunneled_reply = no

			#  When the tunneled session is proxied, the
			#  home server may not understand EAP-MSCHAP-V2.
			#  Set this entry to "no" to proxy the tunneled  
			#  EAP-MSCHAP-V2 as normal MSCHAPv2.
		#	proxy_tunneled_request_as_eap = yes

			#
			#  The inner tunneled request can be sent
			#  through a virtual server constructed
			#  specifically for this purpose.
			#
			#  If this entry is commented out, the inner
			#  tunneled request will be sent through
			#  the virtual server that processed the
			#  outer requests.
			#
			virtual_server = "inner-tunnel"  
		}

		#
		#  This takes no configuration.
		#
		#  Note that it is the EAP MS-CHAPv2 sub-module, not
		#  the main 'mschap' module.  
		#
		#  Note also that in order for this sub-module to work,
		#  the main 'mschap' module MUST ALSO be configured.  
		#
		#  This module is the *Microsoft* implementation of MS-CHAPv2
		#  in EAP.  There is another (incompatible) implementation
		#  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
		#  currently support.
		#
		mschapv2 {
		}
	}

Lg
Philipp

Content-ID: 127219

Url: https://administrator.de/forum/radiusserver-mit-peap-und-openldap-problem-127219.html

Ausgedruckt am: 23.12.2024 um 23:12 Uhr

dog
dog 15.10.2009 um 19:03:06 Uhr
Goto Top
fipsinator
fipsinator 16.10.2009 um 07:23:36 Uhr
Goto Top
Danke werd ich mir mal anschaun.
Sollte ja nicht so schwer sei das auf ubuntu zu übertragen =)

Lg

EDIT: Danke hat Funktioniert!

Vielen Dank