3.1 Prerequisites for Configuring the FreeRADIUS Server

Download and install the following:

Install FreeRADIUS on SLES 11. For installation instructions, refer to Section 2.0, Installing FreeRADIUS.
Install Novell eDirectory 8.8 or later: For installation instructions, refer to the NetIQ eDirectory 8.8 Installation Guide.

After installing eDirectory, you need to use iManager to configure it. Refer to Configuring eDirectory for more information.

You also need to extract the self-signed certificate of the certificate authority (CA). For more information, refer to Extracting the Self-Signed Certificate of the Certificate Authority.
Install Novell iManager 2.7.x or later: For installation instructions, refer to the iManager 2.7 Installation Guide.
Install the Radius iManager plug-in. You can download the plug-in from the NetIQ Download site.

Security considerations:

Ensure that you meet the security considerations as discussed in Section 8.0, Security Considerations.

The following prerequisite tasks explain how to configure eDirectory so that you can log in to the system as a system administrator.

3.1.1 Configuring eDirectory

You need to use iManager to perform the following configuration tasks for eDirectory:

Enabling Universal Password for eDirectory Users

Ensure that you enable Universal Password for the users in eDirectory. After enabling, you need to set the Universal Password either manually or by logging in.

For more information, refer to Deploying Universal Password in the Password Management 3.3.x Guide.

Creating the RADIUS Administrator Object

An Administrator object is a User object.

For information on creating a RADIUS Administrator object in eDirectory, refer to the Managing User Accounts section in the NetIQ eDirectory Administration Guide.

You need to provide the DN of the RADIUS Administrator object while modifying the attributes in the LDAP module.

Granting Administration Rights for the RADIUS Administrator

Grant the RADIUS administrator the write right for the ACL attribute of the user object whose Universal Password needs to be read. This gives the RADIUS administrator administrative rights to that user object.

The eDirectory administrator can also be the RADIUS administrator. For more information on eDirectory rights, refer to the NetIQ eDirectory Administration Guide.

Granting Rights to RADIUS Administrator to Retrieve Password

By default, the administrator does not have the right to read the Universal Password. The eDirectory administrator needs to modify the password policy to enable the RADIUS Administrator to read The Universal Password.

Use the following procedure to grant rights to the RADIUS administrator in order to retrieve the Universal Password:

In iManager, click the Roles and Tasks button .
Click Passwords > Password Policies and select the password policy being used.
Click Universal Password > Configuration Options.
Select Allow admin to retrieve passwords from the Universal Password Retrieval section.
Click Apply, then click OK.

3.1.2 Extracting the Self-Signed Certificate of the Certificate Authority

Extract the self-signed certificate of the certificate authority in Base 64 format. For information on extracting the certificate, refer to the NetIQ Certificate Server Administration Guide.

You need to provide the extracted path and the certificate filename while modifying the attributes in the LDAP module of the radiusd.conf configuration file.

Parameter	Description
cacertfile	Specifies the full path of a certificate file in the UNIX file system.

NOTE:The RADIUS server administrator must ensure that the (UNIX) user with RADIUS server rights also has rights to read the certificate files.