Everything in the server is fully documented, and there are many
`how-to` guides available.
+include::ROOT:partial$externaldoc.adoc[]
+
The documentation is split into sections by subject area, oganized by
desired outcome. At a high level, the subject areas describe:
* xref:concepts:index.adoc[Concepts] and introduction for newcomers.
-* xref:installation:index.adoc[Installing] and xref:installation:upgrade.adoc[upgrading] FreeRADIUS.
+* xref:installation:index.adoc[Install] and xref:installation:upgrade.adoc[Upgrade] FreeRADIUS.
* The syntax of the xref:unlang:index.adoc[unlang] processing language.
-* The xref:raddb:index.adoc[configuration files] located in `/etc/raddb/`, or `/etc/freeradius/`
-* Various xref:howto:index.adoc[how-to] guides.
-* xref:developers:index.adoc[Developer documentation].
+* The https://github.com/FreeRADIUS/freeradius-server/tree/v3.2.x/raddb[configuration files][Configuration] files located in `/etc/raddb/`, or `/etc/freeradius/`
+* Various xref:howto:index.adoc[Howto] guides.
+* xref:developers:index.adoc[Developers] documentation.
This organization means that for example, the `ldap` module will have
documention located in multiple places. We feel that organizing the
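Review bot: The added configuration-files bullet carries two bracketed labels after the URL, `[configuration files][Configuration] files`, so it will render as "configuration files[Configuration] files located in ...". Keep a single label, for example `.../tree/v3.2.x/raddb[configuration files] located in`, and settle on one capitalisation for link labels across the list ("Install", "Howto", "Developers" versus lower-case "unlang" and "configuration files").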
== Getting Started with FreeRADIUS
FreeRADIUS can be installed using the pre-built packages available
-from http://packages.networkradius.com[Network RADIUS,
-window="_blank"]. That page contains packages for all common OS
-distributions. New packages are available as soon as a new version
-has been released. Packages for older releases are also available for
-historical purposes.
+from https://packages.inkbridgenetworks.com/[InkBridge Networks]. That page contains packages for all common OS distributions. New packages are available as soon as a new version has been released. Packages for older releases are also available for historical purposes.
FreeRADIUS can also be installed from the source code. Please see the
-xref:installation:index.adoc[installation guide] for instructions.
+xref:installation:index.adoc[Installation Guide] for instructions.
-WARNING: Many Operating System distributions ship versions of FreeRADIUS
+[WARNING]
+====
+Many Operating System distributions ship versions of FreeRADIUS
which are years out of date. Those versions may contain bugs which have
been fixed in newer releases. We recommend using the
-http://packages.networkradius.com[Network RADIUS, window="_blank"] packages where
-possible.
+https://packages.inkbridgenetworks.com/[InkBridge Networks] packages where possible.
+====
Administrators who are new to FreeRADIUS should read the
-xref:concepts:index.adoc[concepts section] as it describes the concepts behind
+xref:concepts:index.adoc[Concepts section] as it describes the concepts behind
FreeRADIUS. It is vital for newcomers to understand these concepts, as the rest
of the documentation assumes familiarity with them.
This section describes the syntax and functionality of the keywords,
data types, etc. used in the `unlang` processing language.
-All of the xref:raddb:index.adoc[configuration files] are available in
-hypertext format. In can often be easier to read the configuration files
-in a nicely formatted version, instead of as a fixed-width font in a
-text editor.
+All of the https://github.com/FreeRADIUS/freeradius-server/tree/v3.2.x/raddb[configuration files] are available in GitHub.
-For specific problem solving, we recommend the xref:howto:index.adoc[how-to]
-guides. These guides give instructions for reaching high-level goals, or
-for configuring and testing individual xref:howto:modules/index.adoc[modules].
+For specific problem solving, we recommend the xref:howto:index.adoc[Howto] and https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/sites-available/tls[TLS Config] and https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/sites-available/README[Virtual Server] guides. These guides give instructions for reaching high-level goals, or for configuring and testing individual https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/README.rst[modules].
-There is also xref:developers:index.adoc[developer documentation]. This section
+There is also xref:developers:index.adoc[Developers]documentation. This section
documents the APIs for developers. Most people can ignore it.
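Review bot: The developer line is missing a space between the link and the following word, `xref:developers:index.adoc[Developers]documentation`, which renders as "Developersdocumentation". Insert the space. In the same hunk, the problem-solving paragraph now chains three links with "and ... and ..." on one long line; a comma-separated list wrapped at the surrounding line width would read better and keep later diffs small.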
== Debugging
going wrong, and how to fix it.
For further details, about the debug output see the
-http://wiki.freeradius.org/radiusd-X[radiusd-X, window="_blank"] page on the
-http://wiki.freeradius.org[wiki, window="_blank"].
+refer to the https://www.freeradius.org/documentation/freeradius-server/3.2.8/radiusd_x.html[debug output] page on the
+http://www.freeradius.org[freeradius org] website.
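Review bot: The replacement line starts with "refer to the" but the unchanged line above it still ends with "see the", so the sentence becomes "For further details, about the debug output see the refer to the ... page". Drop "refer to the" from the added line or reword the context line as part of this change. The site link on the last added line also uses `http://` while the other links added in this patch use `https://`.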
== Getting Help
posted there will not be answered.
Before posting to the list, please read the
-http://wiki.freeradius.org/list-help[list help, window="_blank"] page. That page explains
+https://www.freeradius.org/documentation/freeradius-server/3.2.8/radiusd_x.html[debugging] page. That page explains
how to run the server in debugging mode; how to understand the debug
output; and what information to post to the list.
Commercial support for FreeRADIUS is available from
-https://networkradius.com/freeradius-support/[Network RADIUS, window="_blank"].
+https://packages.inkbridgenetworks.com/[InkBridge Networks].
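Review bot: The commercial support sentence now links to `https://packages.inkbridgenetworks.com/`, the same package download URL used elsewhere in this patch, where the removed line pointed at a dedicated `/freeradius-support/` page. If a support page exists on the new site, link it here. Also note that the "list help" link is replaced by the `radiusd_x.html` debug-output page while the following sentence still promises it explains "what information to post to the list"; confirm that page covers this or adjust the sentence.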
information to authenticate the user. It is almost always wrong to
use the LDAP "bind as user" method for authenticating users.
+include::ROOT:partial$externaldoc.adoc[]
+
The only caveat to the above recommendation is Active Directory. For
"security" reasons, Active Directory will not return the "known good"
password to FreeRADIUS over a standard LDAP query. Therefore when
PAP::
Use "bind as user"
-MS-CHAP::
-Use xref:raddb:mods-available/ntlm_auth.adoc[`ntlm`] or xref:raddb:mods-available/winbind.adoc[`winbind`].
+https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/mschap[MS-CHAP::]
+Use https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/ntlm_auth[`ntlm`] and https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/mschap[`winbind`] configuration.
Due to the limitations of Active Directory, There are unfortunately no
other possible choices.
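Review bot: In the added "Use ..." line the `winbind` label links to `mods-available/mschap`, the same target as the MS-CHAP term above it, and "or" has become "and", which changes the instruction from a choice between two methods to requiring both. Keep "or" unless both are really needed, and either point the label at a winbind-specific file or relabel the link so text and target agree. The `[MS-CHAP::]` term also moves the `::` delimiter inside the link label, so the line no longer ends in `::` and will not be parsed as a description-list term like `PAP::` above it.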
connect to your LDAP server(s) should be secure. We make the
following recommendations for LDAP "best practices" security.
-* Create a dedicated account for use by FreeRADIUS
+* Create a dedicated account for use by FreeRADIUS.
-* Ensure that this account does not have administrator access
+* Ensure that this account does not have administrator access.
-* Ensure that this account is read-only, and has no write permissions
+* Ensure that this account is read-only, and has no write permissions.
* Start by using 'simple authentication' instead of
https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer[SASL].
authentication' has been verified to work.
* Use TLS for connecting between FreeRADIUS and the LDAP server. See
- the `tls` sub-section of the default `ldap` module for instructions
+ the `tls` sub-section of the default `ldap` module for instructions.
* When storing RADIUS user profiles (quotas, `Simultaneous-Use` flags,
access time restrictions, etc) in LDAP, the LDAP schema
servers are databases, and do not support authentication protocols
such as CHAP, MS-CHAP, or EAP.
-PAP::
+https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/pap[PAP::]
The user supplies a `User-Password` (plaintext or EAP-TTLS/PAP)
+
FreeRADIUS reads the "known good" password from LDAP, and compares
supplied `User-Name` and `User-Password. If the bind is successfull,
the user is authenticated. Otherwise, authentication fails.
-CHAP::
+https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/chap[CHAP::]
The user supplies a `CHAP` password attribute.
+
FreeRADIUS reads the "known good" password from LDAP in cleartext, and
compares that to what the user entered.
-MS-CHAP::
+https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/mschap[MS-CHAP::]
The user supplies a `MS-CHAP` password attribute. Either as
MS-CHAPv2, or as PEAP/MSCHAPv2, or as EAP-TTLS/MS-CHAPv2.
+
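Review bot: The three rewritten terms, `[PAP::]`, `[CHAP::]` and `[MS-CHAP::]`, place the `::` delimiter inside the link label, so none of these lines ends in `::` any more. AsciiDoc will treat each as an ordinary paragraph containing a link whose text is "PAP::", and the description list structure is lost. Put the delimiter outside the macro, as in `https://.../mods-available/pap[PAP]::`, and check the rendered output for all three entries.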
`userPassword` field.
Again, the best method is to test authentication is with the
-xref:howto:modules/ldap/ldapsearch/index.adoc[ldapsearch] tool.
+https://www.freeradius.org/documentation/freeradius-server/4.0.0/howto/modules/ldap/ldapsearch/index.html[ldapsearch] tool.
These tests *must* be run prior to configuring FreeRADIUS. We strongly
recommend having the LDAP database return the `userPassword` field to
FreeRADIUS, so that FreeRADIUS can authenticate the user.
If the `userPassword` field is returned from LDAP to FreeRADIUS, that
information can be stored in a number of different formats:
-* the value can be cleartext
-* the value can be prepended with a string enclosed by braces, such as with `{crypt}` or `{ssha3}`.
-* the value can be have a suffix of `::`, in which case the password is generally a https://en.wikipedia.org/wiki/Base64[base64] encoded version of the real password
+* The value can be cleartext.
+* The value can be prepended with a string enclosed by braces, such as with `{crypt}` or `{ssha3}`.
+* The value can be have a suffix of `::`, in which case the password is generally a https://en.wikipedia.org/wiki/Base64[base64] encoded version of the real password.
TIP: Base64 values can be decoded via the command: `printf "%s"
"VALUE" | base64 -d`
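Review bot: The ldapsearch link now points at the `4.0.0` documentation tree, while every other link added in this patch targets `v3.2.x` or `3.2.8`. Point it at the matching version, or keep the xref if the page exists in this branch, so readers are not sent to instructions for a different major release. Since the third list item is being touched anyway, "The value can be have a suffix" should lose the stray "be".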
determine what format it is in (base64, binary, or text), and what
password "encryption" mechanism has been used (crypt, MD5, SHA, SSHA2,
SHA3, etc). All that is necessary is that the
-xref:raddb:mods-available/ldap.adoc[ldap module] be configured to map
+https://github.com/FreeRADIUS/freeradius-server/tree/v3.2.x/raddb/mods-available/ldap[ldap module] be configured to map
the `userPassword` LDAP field to the `&control.Password.With-Header`
attribute in FreeRADIUS. FreeRADIUS will then "do the right thing" to
authenticate the user.
This mapping is done in the default module configuration. There are
no additional changes required for FreeRADIUS to correctly read and
decode the `userPassword` field from LDAP. Please see the
-xref:raddb:mods-available/pap.adoc[pap module] for a full list of
+https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/pap[pap module] for a full list of
supported password "encryption" formats.
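Review bot: The ldap module link uses `tree/v3.2.x/raddb/mods-available/ldap` while the pap link in the same hunk, and the other module links in this patch, use `blob/v3.2.x/...`. Use `blob/` for file targets consistently so the links do not depend on a redirect.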
== Additional Considerations
integrating with RADIUS. Also, you can make use of the intruder lockout
facility of eDirectory by logging the failed logins into eDirectory.
-For configuration information please refer to the Novell documentation
-https://www.netiq.com/documentation/edir_radius/
+For configuration information please refer to the https://www.netiq.com/documentation/edir_radius/[Novell documentation].