HOWTO PEAP + FreeRadius + XP Client

Alan DeKok aland at deployingradius.com
Thu May 1 08:00:26 CEST 2008


George KNIGHT wrote:
> A person like you who is dealing with freeradius on a daily basis may
> have a tendency of thinking that using/installing/troubleshooting
> freeradius is very easy.

  The goal is to *make* it that easy.  A large number of problems on the
list are because people think it's complicated, and start changing large
amounts of the default config.

> Based on the feedback I
> got from people, everyone seems to agree that it provided them simple
> and easy-to-follow steps for the installation. I felt happy that I
> helped other people the way that I was helped all the time through
> different forums on the internet.

  Based on the feedback I've seen, I've edited/updated the software
itself to be easier to use.  I don't like reading "howto's", because
many are out of date, and many others are simply wrong.  I would
*prefer* that people shipped software that worked, and was easy to use.

> When I started implementing FreeRadius, I thought I would find some
> documentation to start with. But unfortunately, after spending days, I
> couldn't find such a document. The more I read, the more I was surprised
> that I couldn't figure this out. I know that it shouldn't be very
> difficult, but here I am, still struggling to make this work.

  The 5-6 line instructions I gave are all that's needed.

> I installed FreeRadius 2.0.2 with the Yast tool on SuSE SLES. It
> installed OK. And then I made changes to the eap.conf and radiusd.conf
> files to start my test. I ran radiusd -X and here is what I got:

  Why change eap.conf && radiusd.conf?

> # radiusd -X
...
> rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied

  That should be a pretty simple problem to fix.  It's file permissions...

  Are you starting the server as root?

> And other thing is that the command bootstrap couldn't finish creating
> certificates.

  Why not?  What's the error message?  Is it secret?

  Did you run the "bootstrap" script as root?

> How may I solve this problem? And if I finish creating
> certs successfully, which certificates should I install to the XP SP2
> client and where?

  To be honest, you *shouldn't* install the default certificates.
They're only for testing.

  For testing, un-check the "validate server certificate" in XP.

  For real certificates, edit the conf files as described in the
raddb/certs/ documentation, and re-build the certs.  Then, install the
CA cert, as described in the EAP-TLS howto... with pictures.

> You suggested reading the file
> at http://freeradius.org/doc/EAPTLS.pdf but believe me it didn't help
> me. And it also gives information for TLS implementation. Nothing for PEAP.

  PEAP *is* EAP-TLS.  It's a variation of EAP-TLS, and all of the
certificate requirements for EAP-TLS apply to PEAP, too.

  If you have any ideas for what documentation needs to be updated,
please submit suggested text.  We can include it in the next release.

  But my experience (unfortunately) is that the people who have the most
problems are reading third-party "howtos" that are *wrong*, and are
ignoring the server documentation that is *right*.  That's a problem I
can't fix.

  Alan DeKok.


