Posted by mirrorshades , 18 April 2008 · 323 views
K.I.S.D... for "Keep It Simple, Dumbass"I don't know much about RADIUS as a protocol, and I don't know much about the FreeRADIUS app. I have used Microsoft's bizarro-RADIUS implementation called "Internet Authentication Service"... through which I managed to set up what I think is EAP-TLS on a domain, used for wireless and VPN authentication. I more or less clickey-clicked my way through, and couldn't re-explain to anyone else at this point how I managed to do it. (I hope it doesn't break!)Anyway, as with most things in the *nix world, FreeRADIUS uses various configuration files to keep track of the program options. I found a web-based GUI utility, called Dialup Admin, that is apparently the "official" GUI for FreeRADIUS (never mind that it hasn't been updated in the last few years). I thought it would help ease my transition into the wonderful world of AAA/RADIUS if I installed this utility. You know, just until I figured out the configuration files.So... I had to enable httpd on OpenBSD. This is basically a tweaked version of Apache that, among other things, runs in a chroot setting. The devs of Dialup Admin have the program configured in such a way that is designed to have its main directory "somewhere" in the filesystem, and use soft links to get between /var/www and wherever you put the rest. Works fine in theory, except that chroot breaks the hell out of that setup. Spent some time trying to move files back and forth and change the references... then just went ahead and dropped the whole thing into the /var/www directory (which, you know, includes the config files with passwords and stuff).After several hours of frustration, I finally just scrapped the whole Dialup Admin program. Time spent trying to get all the files to point to each other while not spitting config files out into the browser was time I *wasn't* learning about RADIUS.Tried to add complexity to the overall setup, cost me some time without getting me any closer to a working environment.Next on the list... FreeRADIUS has support for using MySQL to keep track of the data and configuration. Not being one to just use the default setup originally, I proceeded to install MySQL on the OpenBSD box, then set up the necessary configuration for FreeRADIUS. Now... MySQL runs from the command line by default, and it can be a bit goofy to use if you're like me and haven't done command line MySQL syntax for the last few years. I was able to add a new user and grant access to the database, but I hate having to type SQL queries out by hand to see what all is going on, or to have to insert new data (then I have to read through the shema and data dictionary, and wonder what each field means). phpMyAdmin is (yet again) a web-based GUI for MySQL that basically removes the command-line mystique and actually lets you get into your data.So... since I already had httpd running, I decided I'd set up phpMyAdmin and use that for MySQL administration. Initial setup seemed to go okay, right up until I got to the main login screen. I tried logging in as both root and the freeradius user, and in each case received an odd error about the socket not being configured correctly. Spent another couple hours clickey-clicking about Teh Interweb, looking for some possible solutions (again, OpenBSD's uber-secure setup causes some different stuff to happen in different places). Tried changing the phpMyAdmin configuration to hard-code the user/pass into the config file, but that didn't work out either. Decided to abandon phpMyAdmin, again having spent some time trying to solve problems not directly related to the task at hand.Now it turns out that the config files for FreeRADIUS aren't really that difficult to understand... if you go about them the right way. The default/sample files that come with the program are chock-full of all sorts of special conditions and various options that might make sense if I were rolling my own ISP or telco, but not so much for a basic setup like I'm trying. My firewall box (running pfSense) has a working FreeRADIUS implementation on it, which I use for VPN authentication into my home LAN. I took a quick look at the config files for that install, and they are much easier to understand.Thus, I was able to get the OpenBSD FreeRADIUS config files looking the way I needed them to.I was now at the point where I was ready to use the radtest app to verify that FreeRADIUS would return an approval if I provided a valid user/pass combo. Of course, everything I tried (even double and triple checking the spelling, IP addresses, shared secrets) was failing. So... spent some more time poking around for yet another answer.Turns out that if MySQL is configured, then FreeRADIUS pays no attention to the config files. I hadn't eliminated the database yet, and MySQL was still running on the server. Thus, it was looking at an empty database for config info, instead of my carefully crafted text files. Shut down MySQL, removed all references to it in FreeRADIUS, and BAM -- got the approval note straight away from radtest.So basically, I spent several hours fiddling with a modified web server, various GUIs that didn't work right, and some MySQL tomfoolery in order to try and make my life easier... instead of just spending a bit of time *looking* at what I needed which, as it turned out, wasn't as complex as I thought it was.That's what being lazy got me. Lots and lots of extra work with no additional payoff. :)Then I spent a while writing up this blog entry, instead of actually working on the setup some more. Hm... I'll have to blog about that, too.When I get the chance.