ships with scripts which can create a CA, server certificates, and client
certificates.
-See xref:reference:raddb/certs/index.adoc[Certificates] in the Configuration Files section on how to generate certificates and the corresponding `raddb/certs/Makefile` for more details.
+See xref:reference:raddb/certs/index.adoc[Certificates] in the Configuration Files section on how to generate certificates and the corresponding `certs/Makefile` for more details.
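Review bot: the `+` line drops the `raddb/` prefix from `certs/Makefile` without saying what the path is now relative to, and the same trimming is applied to every path in this change (`certs/`, `mods-enabled/eap`, `clients.conf`, `policy.d/eap`, and so on). A reader who is not already in the configuration directory will read `certs/Makefile` as relative to the current working directory. Suggest stating once per page that paths are relative to the FreeRADIUS configuration directory (`raddb`), or keeping the prefix on the first mention in each page.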
== Loading certificates onto the RADIUS servers
Certificates to be loaded onto the RADIUS servers must be copied into
-`raddb/certs` directory. Use file names which help to identify
+`certs` directory. Use file names which help to identify
what the certificates are.
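Review bot: the `+` line reads "must be copied into `certs` directory"; since the line is being edited anyway, add the article: "must be copied into the `certs` directory".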
The freeradius certificates required at a minimum are:
-* ca.pem: `raddb/certs/ca.pem`
-* server.pem: `raddb/certs/server.pem`
-* server.key: `raddb/certs/server.key`
+* ca.pem: `certs/ca.pem`
+* server.pem: `certs/server.pem`
+* server.key: `certs/server.key`
If additional certificates are needed for different EAP methods (e.g. EAP-PEAP
using one server certificate and EAP-TLS using another) then generate and add the required certificates into this directory.
== Certificates in the FreeRADIUS EAP Configuration
Certificate settings for EAP are found in the eap module configuration
-located in the `raddb/mods-enabled/eap` directory.
+located in the `mods-enabled/eap` directory.
If a common set of certificates is used by all EAP methods then it will
be set in a `tls-config` section called `tls-common`. This section is referenced
.Troubleshooting Checklist
[%collapsible]
====
-1. Check that you added your NAS to `raddb/clients.conf` and selected the correct NAS type. Verify the the password.
+1. Check that you added your NAS to `clients.conf` and selected the correct NAS type. Verify the the password.
2. Run `radiusd -X` and see if it parses the Simultaneous-Use line.
3. Try to run `checkrad` manually; maybe you may have a wrong version of perl, don't have cmu-snmp installed etc.
4. Check the database. If it says no one is logged in, Simultaneous-Use *won't* work.
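Review bot: the `+` line for item 1 carries over the doubled word in "Verify the the password". The line is being rewritten, so fix it to "Verify the password" in the same change rather than leaving the typo for a follow-up.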
== Test ntlm_auth
-Add the following text for testing purposes only to the top of the users file. The "users" file is located at `raddb/mods-config/files/authorize`.
+Add the following text for testing purposes only to the top of the users file. The "users" file is located at `mods-config/files/authorize`.
```
DEFAULT Auth-Type = ntlm_auth
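Review bot: the `+` line keeps "for testing purposes only" but neither line tells the reader to take the entry out again. A `DEFAULT` entry at the top of the users file applies to every request, so the instruction should pair the caveat with an explicit "remove this line once testing is complete" sentence.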
time to ensure that it is not empty on the next round; we can use
Tmp-String-1 to note the type of log record.
-Make these changes in the default server (`raddb/sites-enabled/default`).
+Make these changes in the default server (`sites-enabled/default`).
authorize {
if (!session-state.) {
## Recording the inner User-Name
To log the inner User-Name, it needs to be copied from the
-inner-tunnel to the outer. In `raddb/sites-enabled/inner-tunnel`,
+inner-tunnel to the outer. In `sites-enabled/inner-tunnel`,
update `post-auth`:
server inner-tunnel {
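Review bot: the condition `if (!session-state.) {` in the `authorize` snippet is missing the attribute name after the dot, so the example as rendered does not parse; check whether the name was lost in the asciidoc conversion (the surrounding text refers to `Tmp-String-1`, but whichever attribute is intended should appear literally). Separately, the heading "## Recording the inner User-Name" uses markdown `##` while the rest of this change uses asciidoc `==` headings; convert it for consistency while these lines are being touched.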
You can now edit the configuration files for your local system. You will
usually want to start with `sites-enabled/default` for main
configurations. To set which NASes (clients) can communicate with this
-server, edit `raddb/clients.conf`. Please read the configuration files
+server, edit `clients.conf`. Please read the configuration files
carefully, as many configuration options are only documented in comments
in the file.
ldapsearch -LL -H ldap://localhost -x -D cn=freeradius,dc=example,dc=com -w mypassword -b dc=example,dc=com '(uid=john)'
----
** found `uid=john,ou=people,dc=example,dc=com`
- *** if for you no user is found, but you know the user is in your directory, recheck the `user { ... }` section in `raddb/mods-available/ldap` as you may have a filter or attribute configuration set incorrectly
+ *** if for you no user is found, but you know the user is in your directory, recheck the `user { ... }` section in `mods-available/ldap` as you may have a filter or attribute configuration set incorrectly
** found some useful attributes associated with that user
*** the password which it placed into `control.Password.With-Header`
*** as RADIUS attributes were changed, it returns `updated` as a result code to unlang
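Review bot: the `+` line reproduces the awkward word order "if for you no user is found, but you know the user is in your directory"; suggest "if no user is found for you, but you know the user is in your directory" since the line is being rewritten anyway.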
ldapsearch -LL -H ldap://localhost -x -D cn=freeradius,dc=example,dc=com -w mypassword -b dc=example,dc=com '(uid=john)'
----
** found `uid=john,ou=people,dc=example,dc=com`
- *** if for you no user is found, but you know the user is in your directory, recheck the `user { ... }` section in `raddb/mods-available/ldap` as you may have a filter or attribute configuration set incorrectly
+ *** if for you no user is found, but you know the user is in your directory, recheck the `user { ... }` section in `mods-available/ldap` as you may have a filter or attribute configuration set incorrectly
** found some useful attributes associated with that user
*** the password which it placed into `control.Password-With-Header`
*** as RADIUS attributes were changed, it returns `updated` as a result code to unlang
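Review bot: this copy of the ldapsearch walkthrough names the attribute `control.Password-With-Header`, while the copy above names it `control.Password.With-Header`. Both hunks are touched by this change, so pick the correct v4 spelling and use it in both places; otherwise a reader comparing the two pages will not know which name to search for in their own debug output.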
== Schema and usage
-The schemas are available in `raddb/sql/*`, where is the name of the
+The schemas are available in `sql/*`, where is the name of the
database (mysql, postgresql, etc.)
The SQL module employs two sets of check and reply item tables for
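Review bot: both the `-` and `+` lines read "`sql/*`, where is the name of the database", so the placeholder that "where ... is the name of the database" refers to has been lost (most likely an angle-bracket token swallowed by asciidoc). The sqlcounter hunk further down writes `mods-config/sql/counter/<dialect>/*.conf`, so `sql/<dialect>/*` with the placeholder escaped would be consistent with it; restore it in the `+` line.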
== Configuration
-A sample module configuration is provided in `raddb/mods-available/sqlcounter`.
+A sample module configuration is provided in `mods-available/sqlcounter`.
This includes configurations which cover daily and monthly periods, plus a
couple of examples where there are no reset dates on the periods being considered.
The SQL queries associated with these sample module configurations are found
-in `raddb/mods-config/sql/counter/<dialect>/*.conf` with each instances query
+in `mods-config/sql/counter/<dialect>/*.conf` with each instances query
in a different file.
As provided, the counters are all based on session time, using the `acctsessiontime`,
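Review bot: the `+` line keeps "with each instances query in a different file"; the possessive is missing. Suggest "with each instance's query in a different file" as part of this rewrite.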
[NOTE]
====
If you are not starting from the default configuration, check that
-`status_server` is still set to `yes` in `raddb/radiusd.conf` as
+`status_server` is still set to `yes` in `radiusd.conf` as
well.
====
prints attributes, it will always print the new v4 names.
These alias dictionaries can be enabled by editing the
-`raddb/dictionary` file. Please see that file for more information.
+`dictionary` file. Please see that file for more information.
== Tools to help
= Attributes
Much of the information in this section is also in the
-`raddb/dictionary` file
+`dictionary` file
All of the attributes have been renamed from v3. This change was
necessary in order to support new functionality in v4. The
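Review bot: after the prefix is dropped, the `+` line refers only to "the `dictionary` file", and the alias-dictionary hunk above does the same. With the bare name there is nothing to distinguish the site-local dictionary in the configuration directory from the dictionary files FreeRADIUS installs elsewhere, and the v4 attribute-renaming context here makes that distinction matter. Suggest keeping `raddb/dictionary` in these two places or adding "in the configuration directory" to the sentence.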
=== rlm_radius
The `radius` module has taken over much of the functionality of
-`proxy.conf`. See `raddb/mods-available/radius` for documentation
+`proxy.conf`. See `mods-available/radius` for documentation
and configuration examples.
The `radius` module connects to one home server, just like the
The in-memory SSL cache was removed. Changes in OpenSSL and FreeRADIUS
made it difficult to continue using the OpenSSL implementation of a
-cache. See `raddb/sites-available/tls-cache` for a better replacement.
+cache. See `sites-available/tls-cache` for a better replacement.
The OpenSSL cache can now be placed on disk, in memory, in memcache,
or in a redis cache. The result is both higher performance, and more
configurable.
The `use_tunneled_reply` and `copy_request_to_tunnel` configuration
items have been removed. Their functionality has been replaced with the
`use_tunneled_reply` and `copy_request_to_tunnel` policies. See
-`raddb/sites-available/inner-tunnel` and `raddb/policy.d/eap` for
+`sites-available/inner-tunnel` and `policy.d/eap` for
more information.
These configuration items were removed because they caused issues for a
=== rlm_expiration
The `expiration` module has been replaced with an `unlang` policy.
-The policy is located in `raddb/policy.d/time`. The `Expiration`
+The policy is located in `policy.d/time`. The `Expiration`
attribute should continue to work the same as with v3.
[#rlm_ldap]
== home_server
The `home_server` configuration has been replaced with the `radius`
-module. See `raddb/mods-available/radius` for examples and
+module. See `mods-available/radius` for examples and
documentation.
== home_server_pool
only the OLD style Ascend attributes, which may be problematic.
You can make FreeRADIUS send the OLD style attributes by prefixing the
-Ascend attributes with `X-` in the `raddb/mods-config/files/authorize` file,
+Ascend attributes with `X-` in the `mods-config/files/authorize` file,
`sql` table, `ldap` directory, `attr_filter` module, etc…
The original VSA Ascend attribute:
Testing authentication is simple. Edit the `users` file (in v3 this has
-been moved to `raddb/mods-config/files/authorize`), and add the
+been moved to `mods-config/files/authorize`), and add the
following line of text at the top of the file, before anything else:
testing Cleartext-Password := "password"
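Review bot: the `+` line describes adding a `testing` user with `Cleartext-Password := "password"` at the top of the authorize file, but unlike the ntlm_auth section above this one carries no "for testing purposes only" wording and no instruction to remove the entry afterwards. Mirror the ntlm_auth hunk's caveat here so the test credential does not stay in the file after the authentication check.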