Make sure your RADIUS library is configured to talk to the server of
your choice: see the example radsec.conf in this directory.
-On the RADIUS server side, you need to install dictionary.ukerna and
-include it from the main dictionary file.
+On the RADIUS server side, you need to install dictionary.ukerna to
+$prefix/etc/raddb and include it from the main dictionary file, by
+adding:
+
+ $INCLUDE dictionary.ukerna
+
+to $prefix/etc/raddb/dictionary. Make sure these files are world-
+readable; they weren't in my installation.
+
+Edit $prefix/etc/raddb/users to add your test user and password:
+
+ bob@PROJECT-MOONSHOT.ORG Cleartext-Password := secret
+
+Add an entry for your acceptor to $prefix/etc/raddb/clients.conf:
+
+ client somehost {
+ ipaddr = 127.0.0.1
+ secret = testing123
+ require_message_authenticator = yes
+ }
+
+Edit $prefix/etc/raddb/eap.conf and set:
+
+ eap {
+...
+ default_eap_type = ttls
+...
+ tls {
+ certdir = ...
+ cadir = ...
+ private_key_file = ...
+ certificate_file = ...
+ }
+ ttls {
+ default_eap_type = mschapv2
+ copy_request_to_tunnel = no
+ use_tunneled_reply = no
+ virtual_server = "inner-tunnel"
+ }
+...
+ }
+
+to enable EAP-TTLS.
If you want the acceptor be able to identify the user, the RADIUS
server needs to echo back the EAP username from the inner tunnel;
struct rs_error *err);
#define RS_CONFIG_FILE SYSCONFDIR "/radsec.conf"
-#define RS_DICT_FILE DATAROOTDIR "/freeradius/dictionary"
+#define RS_DICT_FILE SYSCONFDIR "/raddb/dictionary"
#define VENDORPEC_MS 311 /* RFC 2548 */
projects / mech_eap.orig / commitdiff