Re: HOWTO PEAP + FreeRadius + XP Client
Allan,
I thank you for your advice and your time.
A person like you who is dealing with freeradius on a daily basis may have a tendency of thinking that using/installing/troubleshooting freeradius is very easy. But for a complete new beginner, like myself, things seem more complicated. I'll give an example from my own experience; 3 years ago when I started as a network admin in my company, it took me almost 10 days to figure out how to properly install apache/mysql/php on a linux box. Now, it takes me under 15 minutes to install them all. I wrote a step-by-step instruction for the process at the time and distributed it to everyone on the net. Based on the feedback I got from people, everyone seems to agree that it provided them with simple and easy-to-follow steps for the installation. I felt happy that I helped other people the way that I was helped all the time through different forums on the internet.
When I started implementing FreeRadius, I thought I would find some documentation to start with. But unfortunately, after spending days, I couldn't find such a document. The more I read, the more surprised I was that I couldn't figure this out. I know that it shouldn't be very difficult but here I am still struggling to make this work.
I don't want to take your and other people's valuable time any more, so here is where I am now;
I installed FreeRADIUS 2.0.2 with the YaST tool on SuSE SLES. It installed OK. And then I made changes to the eap.conf and radiusd.conf files to start my test. I ran radiusd -X and here is what I got:
# radiusd -X
FreeRADIUS Version 2.0.2, for host i686-suse-linux-gnu, built on Feb 14 2008 at 15:34:49
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
user = "radiusd"
group = "radiusd"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
require_message_authenticator = no
secret = "testing123"
nastype = "cisco"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
}
rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
rlm_eap_tls: Error reading certificate file /etc/raddb/certs/server.pem
rlm_eap: Failed to initialize type tls
/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/etc/raddb/sites-enabled/default[252]: Failed to find module "eap".
/etc/raddb/sites-enabled/default[199]: Errors parsing authenticate section.
}
}
Errors initializing modules
comp-010:/home/srn #
This is one.
And the other thing is that the command bootstrap couldn't finish creating certificates. How may I solve this problem? And if I finish creating certs successfully, which certificates should I install to the XP SP2 client and where? You suggested to read the file at
http://freeradius.org/doc/EAPTLS.pdf but believe me it didn't help me. And it also gives information for TLS implementation. Nothing for PEAP.
I hope I am not asking silly questions that would make you feel like you are wasting your time.
Thank you.
George Knight
On Tue, Apr 29, 2008 at 3:03 PM, Alan DeKok <aland@deployingradius.com> wrote:
George KNIGHT wrote:
> Before I write my question here, I just want to let all of you know that
> I did lots of searching in both google and this email list. But couldn't
> find anything to get the answer.
>
> My question is I have been looking for a HOWTO paper for a beginner to
> set freeradius as an AAA server in a wireless environment to Windows XP
> SP2 clients. I will use Windows' own PEAP client. Is there such a paper
> someone can give me the link?
$ ./configure
$ make
$ make install
$ radiusd -X
- Un-check "verify server certificate" in Windows (ONLY for testing).
- Add a user to the database (username/password, example in the FAQ)
That's it.
> I'm very frustrated to find out that there is no information available
> for a setup from the scratch.
Part of the problem is that in 2.0, there is so little to do...
> I wrote papers like that before for
> various topics such as subversion implementation for a multiple OS
> environment, VoIP implementation with a Linux based open sources S/W
> etc. I have intention to write such a paper for how to set up PEAP
> implementation with freeradius as well. But for that, I'm hoping someone
> can give me a good start.
The EAP-TLS "howtos" contain additional documentation:
http://freeradius.org/doc/
> Clients are going to be computers with WinCE as their OS and they will
> connect to the LAN wirelessly. What I want to achieve is authenticating
> these clients with server-AAA using PEAP before letting them use the
> other network resources.
Install 2.0, start the server.
See also raddb/certs/README. You can create "real" certificates, and
import them into WinCE.
There is very, very, little to change in order to get PEAP to work.
Alan DeKok.
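The "fopen: Permission denied" line in the radiusd -X output above is raised while the server, already running as the unprivileged account named in the main {} block (user = "radiusd"), opens /etc/raddb/certs/server.pem. The script below is an added example and is not part of this thread or of FreeRADIUS's own tooling: it walks the mode bits an account would hit on every directory leading to each file from the tls {} block and on the file itself, so the obstacle can be found before restarting the server. It assumes the usual `ls -ld` column order (mode, links, owner, group, ...), that `id -Gn USER` lists USER's groups, and that the certificate files live at the paths the debug output shows; root bypasses mode bits, so it only models an unprivileged account.

```shell
#!/bin/sh
# Check whether the account FreeRADIUS runs as (user = "radiusd" in the
# debug output) could read the EAP-TLS files named in the tls {} block.
# Added example, not from the thread. Assumes `ls -ld` prints
# "mode links owner group ..." and that `id -Gn USER` lists USER's groups.
# Root bypasses mode bits, so the checks model an unprivileged account only.

# bit_allows USER PERM PATH -> 0 if the mode bits give USER PERM ('r' or 'x')
bit_allows() {
    ba_user=$1; ba_perm=$2; ba_path=$3
    ba_line=$(ls -ld "$ba_path" 2>/dev/null) || return 2
    set -- $ba_line
    ba_mode=$1; ba_owner=$3; ba_grp=$4
    # choose the owner, group or other triplet that applies to USER
    if [ "$ba_owner" = "$ba_user" ]; then
        ba_triplet=$(printf '%s' "$ba_mode" | cut -c2-4)
    else
        ba_in_group=1
        # an unknown account has no groups, so it only gets the "other" bits
        for ba_g in $(id -Gn "$ba_user" 2>/dev/null); do
            [ "$ba_g" = "$ba_grp" ] && ba_in_group=0
        done
        if [ "$ba_in_group" -eq 0 ]; then
            ba_triplet=$(printf '%s' "$ba_mode" | cut -c5-7)
        else
            ba_triplet=$(printf '%s' "$ba_mode" | cut -c8-10)
        fi
    fi
    case "$ba_perm" in
        r) case "$ba_triplet" in r??) return 0 ;; esac ;;
        x) case "$ba_triplet" in ??[xst]) return 0 ;; esac ;;   # s/t still imply x
    esac
    return 1
}

# readable_by USER PATH -> 0 if USER can traverse every parent directory and
# read PATH; prints the first obstacle otherwise. This is what the fopen()
# behind the "Permission denied" error needs to succeed.
readable_by() {
    rb_user=$1; rb_path=$2
    case "$rb_path" in /*) ;; *) rb_path=$(pwd)/$rb_path ;; esac
    rb_dir=$(dirname "$rb_path")
    while [ "$rb_dir" != "/" ]; do
        bit_allows "$rb_user" x "$rb_dir" || { echo "NOT OK: $rb_user cannot traverse $rb_dir"; return 1; }
        rb_dir=$(dirname "$rb_dir")
    done
    bit_allows "$rb_user" x / || { echo "NOT OK: $rb_user cannot traverse /"; return 1; }
    bit_allows "$rb_user" r "$rb_path" || { echo "NOT OK: $rb_user cannot read $rb_path"; return 1; }
    echo "OK: $rb_user can read $rb_path"
}

# check_radius_certs [USER]: check every file the tls {} block points at.
# The exit status is the number of files USER cannot reach (0 = all fine).
check_radius_certs() {
    cr_user=${1:-radiusd}; cr_bad=0
    for cr_f in /etc/raddb/certs/server.pem /etc/raddb/certs/ca.pem \
                /etc/raddb/certs/dh /etc/raddb/certs/random; do
        readable_by "$cr_user" "$cr_f" || cr_bad=$((cr_bad + 1))
    done
    return "$cr_bad"
}

# Usage on the FreeRADIUS host:  sh check_certs.sh radiusd
if [ "$#" -gt 0 ]; then
    check_radius_certs "$1"
fi
```

The script only reports; it deliberately changes nothing. Note that server.pem is both private_key_file and certificate_file in the tls {} block, so when fixing ownership the key should become readable by the radiusd account (for example group radiusd with mode 640) rather than world-readable.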