packages: shorewall
packages: freeradius
Modified /etc/freeradius/3.0/mods-available/eap:
commented the following:
....
# md5 {
# }
....
# leap {
# }
....
# gtc {
# # The default challenge, which many clients
# # ignore..
# #challenge = "Password: "
#
# # The plain-text response which comes back
# # is put into a User-Password attribute,
# # and passed to another module for
# # authentication. This allows the EAP-GTC
# # response to be checked against plain-text,
# # or crypt'd passwords.
# #
# # If you say "Local" instead of "PAP", then
# # the module will look for a User-Password
# # configured for the request, and do the
# # authentication itself.
# #
# auth_type = PAP
# }
....
# tls {
# # Point to the common TLS configuration
# tls = tls-common
#
# #
# # As part of checking a client certificate, the EAP-TLS
# # sets some attributes such as TLS-Client-Cert-CN. This
# # virtual server has access to these attributes, and can
# # be used to accept or reject the request.
# #
# # virtual_server = check-eap-tls
# }
.... |
modified the 'default_eap_type' directive under section 'eap' to be:
default_eap_type = peap |
and the 'default_eap_type' directive under section 'ttls' to be:
default_eap_type = mschapv2 |
cd /etc/freeradius/3.0/ ln -s mods-available/python mods-enabled/ |
Put the following in it:
#
# Make sure the PYTHONPATH environmental variable contains the
# directory(s) for the modules listed below.
#
# Uncomment any func_* which are included in your module. If
# rlm_python is called for a section which does not have
# a function defined, it will return NOOP.
#
python {
module = script_launcher # @#$dy
python_path = ${modconfdir}/${.:name}:/usr/lib/python2.7 # @#$dy
mod_post_auth = ${.module} # @#$dy
func_post_auth = post_auth # @#$dy
}
|
Modify /etc/freeradius/3.0/sites-enabled/inner-tunnel:
... # Add this line just after 'sql' in the 'post-auth' section python ... |
Modify /etc/freeradius/3.0/mods-available/eap, modified the 'copy_request_to_tunnel' directive under both sections 'peap' and 'ttls' to be:
copy_request_to_tunnel = yes |
Place the script_launcher.py script at /etc/freeradius/3.0/mods-config/python/script_launcher.py
packages: sudo
packages: arp-scan
apt-get install arp-scan # Install the scripts in /usr/local/sbin/, and configure settings in each of them chown root:freerad /usr/local/sbin/shwl_* chmod 750 /usr/local/sbin/shwl_* |
Add the following line to freerad's crontab
*/1 * * * * /usr/local/sbin/shwl_del.sh # @#$dy # @@@ figure out optimal interval |
Pre-requisites from above steps: sudo, shwl_add / shwl_del scripts MySQL config, FreeRADIUS MySQL config
apt-get install libpam-script sshpass mkdir /usr/share/libpam-script/pam-script.d/pam_to_mysql_update cd /usr/share/libpam-script/pam-script.d/pam_to_mysql_update # Put the script in here, and configure MySQL settings inside ln -s pam_to_mysql_update.sh pam_script_auth ln -s pam_to_mysql_update.sh pam_script_passwd |
Add the following line at the end of /etc/pam.d/common-auth or as may be appropriate to the PAM configuration of the system:
... auth required pam_script.so onerr=fail dir=/usr/share/libpam-script/pam-script.d/pam_to_mysql_update/ |
Add the following line at the end of /etc/pam.d/common-password or as may be appropriate to the PAM configuration of the system:
... password required pam_script.so onerr=fail dir=/usr/share/libpam-script/pam-script.d/pam_to_mysql_update/ |