26 février 2009

Freeradius avec EAP-TLS/TTLS/PEAP

Debian's FreeRadius package is built without support for EAP/TLS/TTLS/PEAP because of the licensing problems of the OpenSSL library. But, if you want to implement 802.1x network authentication with strong security, you'll need it. This is a short tutorial that explains how to build Debian (sid aka unstable) package linked to libssl and with EAP/TLS/TTLS/PEAP support compiled in.

I suppose you work with lenny (minimal installation + apt-get install x-window-system-core + apt-get install gnome-core synaptic)

First apt-get install dpkg-dev fakeroot

Download the newest source package (orig.tar.gz), Debian diffs (diff.gz) and description file (dsc) from the freeradius package page. The version I tested the procedure with is freeradius-2.0.4+dfsg$

Unpack the source and switch to the resulting directory like this:

% dpkg-source -x *.dsc
dpkg-source: extracting freeradius in freeradius-2.0.4+dfsg$
dpkg-source: unpacking freeradius_2.0.4+dfsg-6.diff.gz
dpkg-source: applying ./freeradius_2.0.4+dfsg-6.diff.gz
% cd freeradius-*

There are four changes that must be done in order to successfully build the package:

1. edit debian/rules, search for eap and change every mentioning of --without-rlm_eap-* to --with-rlm_eap-* excepted --without-rlm_eap_ikev2, --without-rlm_eap_tnc --without-rlm_sql_oracle --without-rlm_sql_unixodbc
2. few lines below, in the same file, replace --without-openssl with --with-openssl
3. still editing the same file, find the following chuck of code and comment it entirely:

for pkg in ${pkgs} ; do \
if dh_shlibdeps -p $$pkg -- -O 2>/dev/null | grep -q libssl; then \
echo "$$pkg links to openssl" ;\
exit 1 ;\
fi ;\
done

4. finally, edit debian/control and at the end of the line starting with Build-Depends: (second line in the file) add , libssl-dev

Finally, I needed to install piles of packages before running "dpkg-buildpackage -rfakeroot":

# apt-get install libssl-dev debhelper libgdbm-dev libiodbc2-dev libkrb5-dev libldap2-dev libltdl3-dev libmysqlclient15-dev libpam0g-dev libpcap-dev libperl-dev libpq-dev libsasl2-dev libsnmp-dev python-dev

That should do it, you can now build package like this:

% dpkg-buildpackage -rfakeroot

You're doing all the above steps as a normal user, and if everything goes well, you'll find 10 debian packages in the parent directory which you can now install. Don't forget to hold newly installed packages in your package manager so that you don't experience breakage when you pull upgrades next time, and new official versions (without EAP/TLS/TTLS/PEAP support) overwrite your custom built packages.
To hold the packages, as suggested after step 4, I used the command:
# aptitude hold freeradius-common freeradius freeradius-dbg freeradius-iodbc freeradius-krb5 freeradius-ldap freeradius-mysql freeradius-postgresql freeradius-utils libfreeradius-dev libfreeradius2

Then you can see that they are in the "hold" state when you use aptitude. Although for some reason they appear in the "install" state when you use:
# dpkg --get-selections freer*
Probably why they say you shouldn't mix and match dpkg and apt.

More info about package management here:
http://www.debian.org/doc/FAQ/ch-pkg_basics.en.html

Installation:
-------------

hp-debian-stable:/home/hanoteau# dpkg --install freeradius-common_2.0.4+dfsg-6_all.deb
Sélection du paquet freeradius-common précédemment désélectionné.
(Lecture de la base de données... 99926 fichiers et répertoires déjà installés.)
Dépaquetage de freeradius-common (à partir de freeradius-common_2.0.4+dfsg-6_all.deb) ...
Paramétrage de freeradius-common (2.0.4+dfsg-6) ...
Ajout de l'utilisateur freerad au groupe shadow
Traitement des actions différées (« triggers ») pour « man-db »...

hp-debian-stable:/home/hanoteau# dpkg --install libfreeradius2_2.0.4+dfsg-6_i386.deb
Sélection du paquet libfreeradius2 précédemment désélectionné.
(Lecture de la base de données... 100311 fichiers et répertoires déjà installés.)
Dépaquetage de libfreeradius2 (à partir de libfreeradius2_2.0.4+dfsg-6_i386.deb) ...
Paramétrage de libfreeradius2 (2.0.4+dfsg-6) ...

hp-debian-stable:/home/hanoteau# dpkg --install freeradius_2.0.4+dfsg-6_i386.deb
(Lecture de la base de données... 100317 fichiers et répertoires déjà installés.)
Préparation du remplacement de freeradius 2.0.4+dfsg-6 (en utilisant freeradius_2.0.4+dfsg-6_i386.deb) ...
Dépaquetage de la mise à jour de freeradius ...
Paramétrage de freeradius (2.0.4+dfsg-6) ...
suppression du / final
suppression du / final
suppression du / final
Starting FreeRADIUS daemon: freeradius.

1 commentaire:

Anonyme a dit…

Hi,

For the dependencies *-dev, you can do a
#aptitude build-dep freeradius
I like it :)
It just misses libssl-dev and fakeroot