[How To] Freeradius 2.14 (PEAP – MSCHAP)

LEOSI radius at pronetis.fr
Tue Mar 10 13:57:24 CET 2009


For those who are interested in setting up PEAP/MSCHAP under Freeradius
2.1.3, I wrote a simple how-to.
I hope it can help someone. :)


INSTALLATION PROCESS: FREERADIUS 2.1.3 (PEAP – MSCHAP)

===
OS :
===
  - Ubuntu Server 8.10

======
SWITCH:
======
  - HP 2600

==========
Prerequisites:
==========
  - Samba with winbind installed (or sudo apt-get install samba winbind smbfs);
    ntlm_auth and winbindd, which the mschap module relies on, come from the
    winbind package
  - Kerberos client installed (or sudo apt-get install krb5-clients krb5-user)

==============
Table of contents:
==============
  *Setting up the HP ProCurve switch
  *Installation of OpenSSL 0.9.8j
  *Installation of Freeradius 2.1.3
  *Configuration of Freeradius
  *Integrate the radius server into the domain
  *Joining the AD domain
  *Authenticate with NTLM using EAP – PEAP
  *Configuring Freeradius to use NTLM authentication
  *Testing the authentication process
  *Starting freeradius in background mode


==========================
Setting up the HP ProCurve switch:
==========================
; J4900B Configuration Editor; Created on release #H.10.67
hostname "SWiTCH"
no web-management
web-management ssl
no telnet-server
ip ssh
interface 1 
   no lacp ; see [1] at the bottom of the page
exit
[...]
interface 26 
   no lacp
exit
vlan 1 
   name "XXXX" 
   untagged 1-26 
   exit 
vlan 2 
   name "YYYYY" 
   ip address 192.168.2.1 255.255.255.0 
   ip helper-address 192.168.0.2 
   exit 

aaa authentication port-access eap-radius
radius-server key testing123
radius-server timeout 1
radius-server dead-time 1 
radius-server host 172.28.32.16

aaa port-access authenticator 17-24
aaa port-access authenticator 17 auth-vid 2
aaa port-access authenticator 17 unauth-vid 3
[...]
aaa port-access authenticator 24 auth-vid 2
aaa port-access authenticator 24 unauth-vid 3
aaa port-access authenticator active
aaa port-access 17-24
ip routing
gvrp

Notes on the switch side: "radius-server host" is the address of the
FreeRADIUS server, and the matching clients.conf entry on that server must
name the address the switch sends its RADIUS requests from (here the two
addresses are on different subnets, so check which source address the switch
actually uses). Replace the shared secret testing123 (the FreeRADIUS example
value) with a long random one on both sides. "radius-server timeout 1" is
tight for PEAP, which needs several RADIUS round-trips plus an ntlm_auth call
to the domain controller per login; raise it if the debug output shows
retransmitted requests.


=======================
Installation of OpenSSL 0.9.8j:
=======================
$ wget http://www.openssl.org/source/openssl-0.9.8j.tar.gz
$ tar xzf openssl-0.9.8j.tar.gz
$ cd openssl-0.9.8j
$ ./config --prefix=/usr/local/openssl shared
$ make
$ sudo make install
This installs under /usr/local/openssl, outside the loader's default search
path, so add /usr/local/openssl/lib to the loader path (for example a file in
/etc/ld.so.conf.d/ followed by "sudo ldconfig"), otherwise radiusd will not
find libssl at start-up. Remember that a hand-built OpenSSL is not updated by
apt: you have to track OpenSSL security releases and rebuild it yourself.


======================
Installation of Freeradius 2.1.3:
======================
$ wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.3.tar.gz
$ tar xzf freeradius-server-2.1.3.tar.gz
$ cd freeradius-server-2.1.3
$ ./configure --with-openssl \
    --with-openssl-includes=/usr/local/openssl/include/ \
    --with-openssl-libraries=/usr/local/openssl/lib/
$ make
$ sudo make install
PS: If needed, run "sudo ldconfig"; if configure fails, consult the file
"config.log", which records why a check (usually the OpenSSL one) failed.


====================
Configuration of Freeradius:
====================
The main configuration files (under /usr/local/etc/raddb) are:
- clients.conf (declaration of the switches and their shared secrets)
- radiusd.conf (listening ports)
- users (local user database, or selection of the method used for
authentication/authorization)
- eap.conf (selection of the EAP method)

* File /usr/local/etc/raddb/clients.conf :
Declare your switch like this, using the address the switch sends its RADIUS
requests from (the one "radiusd -X" shows in "rad_recv: ... from host"):
client 192.168.1.1 {
               secret = testing123
}
The secret must match the switch's "radius-server key". testing123 is the
well-known FreeRADIUS example secret; use a long random one in production,
since it is all that protects the User-Password hiding and the
Message-Authenticator / Response Authenticator checks between switch and
server.

* File /usr/local/etc/raddb/users :
At the bottom of the file, for testing purposes only, add:

DEFAULT Auth-Type = MS-CHAP

Caveat: this forces every request through the mschap module, so a plain PAP
test (radtest without -t mschap) is rejected for lack of MS-CHAP attributes.
In normal operation leave Auth-Type unset: the mschap module sets
Auth-Type = MS-CHAP itself when it sees MS-CHAP-Challenge and
MS-CHAP-Response / MS-CHAP2-Response in a request, and the PEAP inner tunnel
already routes the EAP-MSCHAPv2 exchange through it.
* File /usr/local/etc/raddb/eap.conf (in 2.1.x the peap section is nested
inside the eap section):
eap {
	default_eap_type = peap
	…
	tls {
		# test certificates from raddb/certs/bootstrap: replace them
		# with a CA-signed server certificate before deployment
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		CA_file = ${cadir}/ca.pem
		…
	}
	peap {
		default_eap_type = mschapv2
		# the inner EAP-MSCHAPv2 exchange runs in this virtual server
		virtual_server = "inner-tunnel"
		…
	}
}

Caveat: PEAP only protects the inner MSCHAPv2 exchange if the supplicant
validates the server certificate (on Windows: "Validate server certificate"
with your CA selected). Without that check, anyone running a rogue switch or
access point with their own RADIUS server can collect MSCHAPv2
challenge/response pairs from your clients, so issue the server certificate
from a CA the clients trust before rolling this out.


================================
Integrate the radius server into the domain:
================================
* File /etc/samba/smb.conf :
   [global]
                # network name (NetBIOS domain name)
                workgroup  = DOMAINTEST

                # AD domain name (this line does not exist in the default
                # config file; you have to add it)
                realm = DOMAINTEST.LOCAL

                # server's name
                server string = Freeradius

                # security mode
                security = ADS

* File /etc/krb5.conf :
    [libdefaults]
                default_realm = DOMAINTEST.LOCAL

    [realms]
                DOMAINTEST.LOCAL = {
                               kdc = activedirectory.domaintest.local
                               admin_server = IP_of_AD_Server
                               default_domain = DOMAINTEST.LOCAL
                }

    [domain_realm]
                domaintest.local = DOMAINTEST.LOCAL
                # leading dot: hosts under the domain map to the realm too
                .domaintest.local = DOMAINTEST.LOCAL


* File /etc/resolv.conf :
nameserver IP_of_AD_Server
domain DOMAINTEST.LOCAL
search DOMAINTEST.LOCAL


* File /etc/nsswitch.conf :
passwd: files winbind
group: files winbind


======================
Joining the AD domain:
======================
$ sudo net ads join -U administrateur
(administrateur is the domain administrator account in this example; any
account allowed to join computers to the domain will do.)
If it worked, you get:
Joined 'FREERADIUS' to realm 'domaintest.local'
PS: If needed, synchronize the time between the server running Freeradius
and the AD server first; Kerberos rejects a clock skew of more than a few
minutes.
$ sudo ntpdate IP_of_AD_Server
Then start winbindd (sudo /etc/init.d/winbind start), because ntlm_auth
talks to it, and check that the machine trust is working:
$ sudo wbinfo -t
checking the trust secret via RPC calls succeeded


==================================
Authenticate with NTLM using EAP – PEAP:
==================================

=============
Testing ntlm_auth by hand:
=============
$ sudo ntlm_auth --request-nt-key --domain=DOMAINTEST.LOCAL --username=existing_user
password : ******
If all is well, the command returns:
NT_STATUS_OK: Success (0x0)
If radiusd will run as an unprivileged user rather than root, that user must
be allowed to open winbindd's privileged pipe (on Debian/Ubuntu: add it to
the winbindd_priv group), otherwise --request-nt-key fails from inside
FreeRADIUS although it works under sudo.


======================================
Configuring Freeradius to use NTLM authentication:
======================================
* File /usr/local/etc/raddb/modules/mschap :
Uncomment the ntlm_auth line and set it like this (it has to be one single
line in the file):
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-DOMAINTEST} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
The --domain fallback DOMAINTEST is the NetBIOS workgroup from smb.conf; it
is used when the client does not send a DOMAIN\user login.
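To make that configuration line concrete, here is an added example (mine, not part of the original how-to and not FreeRADIUS code) that reproduces in Python what the mschap module computes before it runs ntlm_auth: the MS-CHAPv2 challenge hash of RFC 2759 behind %{mschap:Challenge}, and the DOMAIN\user split behind %{mschap:NT-Domain} and %{mschap:User-Name}, with the same :-None and :-DOMAINTEST fallbacks. The challenge and response bytes are constructed; the with_ntdomain_hack flag is named after the mschap option of that name and assumed to behave like it (strip the DOMAIN\ prefix before hashing).

```python
"""Inputs the mschap module derives for ntlm_auth (added illustration, not FreeRADIUS code)."""
import hashlib

NTLM_AUTH = "/usr/bin/ntlm_auth"      # path from the modules/mschap line above
DEFAULT_DOMAIN = "DOMAINTEST"         # the :-DOMAINTEST fallback (NetBIOS workgroup)


def split_user_name(user_name):
    """What %{mschap:NT-Domain} and %{mschap:User-Name} expand to.

    Windows supplicants send 'DOMAIN\\user': the part before the backslash is
    the NT domain, the rest the user.  A bare 'user' has no NT-Domain, so the
    :-DOMAINTEST default of the config line applies.  None models a request
    without User-Name, where the :-None default applies.
    """
    if user_name is None:
        return None, None
    domain, sep, user = user_name.partition("\\")
    if not sep:
        return None, user_name
    return domain, user


def mschapv2_challenge(peer_challenge, authenticator_challenge, user_name):
    """RFC 2759 ChallengeHash: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].

    This 8-byte value, not the 16-byte MS-CHAP-Challenge attribute, is what
    %{mschap:Challenge} expands to for MS-CHAPv2 and what ntlm_auth expects.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 peer and authenticator challenges are 16 bytes each")
    data = peer_challenge + authenticator_challenge + user_name.encode("utf-8")
    return hashlib.sha1(data).digest()[:8]


def ntlm_auth_argv(user_name, peer_challenge, authenticator_challenge,
                   nt_response, with_ntdomain_hack=False):
    """argv the module execs, mirroring the config line and its :-None / :-DOMAINTEST fallbacks.

    with_ntdomain_hack models the mschap option of that name (assumption):
    when set, the 'DOMAIN\\' prefix is stripped before the challenge hash.
    """
    if len(nt_response) != 24:
        raise ValueError("the MS-CHAPv2 NT-Response is 24 bytes")
    domain, user = split_user_name(user_name)
    hash_name = user if (with_ntdomain_hack and user is not None) else (user_name or "")
    challenge = mschapv2_challenge(peer_challenge, authenticator_challenge, hash_name)
    return [
        NTLM_AUTH,
        "--request-nt-key",
        "--username=%s" % ("None" if user is None else user),
        "--domain=%s" % (DEFAULT_DOMAIN if domain is None else domain),
        "--challenge=%s" % challenge.hex(),
        "--nt-response=%s" % nt_response.hex(),
    ]


if __name__ == "__main__":
    # constructed sample values; a real exchange carries random challenges
    peer = bytes(range(16))
    auth = bytes(range(16, 32))
    resp = bytes(24)
    print(" ".join(ntlm_auth_argv("DOMAINTEST\\alice", peer, auth, resp)))
    print(" ".join(ntlm_auth_argv("bob", peer, auth, resp)))
```

The point to take away when debugging with ntlm_auth by hand: the --challenge argument is the 8-byte hash that also covers the user name, so a manual test built from the raw 16-byte MS-CHAP-Challenge will always fail even with the right password.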


=======================
Testing the authentication process:
=======================
In one terminal, run the server in debug mode (-X already turns on full
debugging, so no extra -x flags are needed):
$ sudo radiusd -X
And in another terminal:
$ sudo radtest user password localhost 0 testing123
You will receive (if everything goes well):
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, ...
Notes: radtest sends a PAP request (User-Password) by default, which does not
exercise ntlm_auth at all (and is rejected outright if you forced
DEFAULT Auth-Type = MS-CHAP in users); radtest in 2.1.x accepts
"-t mschap" (check radtest -h) to go through the mschap module instead.
Neither exercises the PEAP tunnel itself: for that use eapol_test from
wpa_supplicant, or a real 802.1X supplicant on one of the switch ports.
If radtest gets no reply and the debug output complains about an invalid
Message-Authenticator, the shared secret in clients.conf and on the client
differ.
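The exchange behind that radtest command, as an added example that is not part of the original post and not FreeRADIUS code: a Python implementation of the RFC 2865 Access-Request / Access-Accept round trip with RFC 2865 User-Password hiding, the RFC 3579 Message-Authenticator and the Response Authenticator that radtest checks before printing rad_recv. The user table, identifier and challenges are constructed; the "server" is a toy that PAP-checks a local password instead of calling ntlm_auth. It also shows what a shared-secret mismatch looks like from each side.

```python
"""RADIUS PAP exchange behind the radtest command above (added example, not FreeRADIUS code)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 5, 80


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; needs the same secret and Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")      # drops the padding (passwords do not end in NUL)


def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(packet):
    """Return (type, value, offset) for every attribute after the 20-byte header."""
    out, pos = [], 20
    while pos < len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        out.append((kind, packet[pos + 2:pos + length], pos))
        pos += length
    return out


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code|ID|Length|RequestAuth|Attributes|Secret), sent in every reply."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_request(ident, user, password, secret, nas_port=0, request_auth=None):
    """What radtest sends: User-Name, hidden User-Password, NAS-Port, Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + 18) + request_auth
    # RFC 3579: HMAC-MD5 over the whole packet with the Message-Authenticator zeroed
    mac = hmac.new(secret, header + attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16)), hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def server_reply(request, secret, users):
    """Toy server: verify Message-Authenticator, then PAP-check the password. None = dropped."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return None
    request_auth = request[4:20]
    attrs = parse_attrs(request)
    for kind, value, off in attrs:
        if kind == MESSAGE_AUTHENTICATOR:
            zeroed = request[:off + 2] + bytes(16) + request[off + 18:]
            if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value):
                return None   # FreeRADIUS logs an invalid Message-Authenticator and drops the packet
    by_type = {kind: value for kind, value, _ in attrs}
    password = reveal_password(by_type.get(USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if users.get(by_type.get(USER_NAME)) == password else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, b"", request_auth, secret)


def client_check(reply, request, secret):
    """What radtest verifies before printing rad_recv: identifier and Response Authenticator."""
    if reply is None:
        return "no reply (timeout)"
    code, ident, _ = struct.unpack("!BBH", reply[:4])
    if ident != request[1]:
        return "identifier mismatch"
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad Response Authenticator (shared secret mismatch?)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, "code %d" % code)


USERS = {b"user": b"password"}    # constructed local user table standing in for AD/ntlm_auth


def demo(client_secret=b"testing123", server_secret=b"testing123", password=b"password"):
    """Run one exchange and return the string radtest would print for it."""
    request = build_access_request(7, b"user", password, client_secret)
    return client_check(server_reply(request, server_secret, USERS), request, client_secret)


if __name__ == "__main__":
    print(demo())                            # Access-Accept
    print(demo(password=b"wrong"))           # Access-Reject
    print(demo(server_secret=b"s3cret"))     # no reply (timeout): request dropped by the server
```

The third call reproduces the classic wrong-secret symptom: the client times out while the server side (radiusd -X in the original) reports the invalid Message-Authenticator and never answers. A request without Message-Authenticator would instead decode to a garbage password and be rejected, and the client would still notice the mismatch through the Response Authenticator check.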


===============================
Starting freeradius in background mode:
===============================
Stop the debug instance (Ctrl-C), then put this line into the /etc/rc.local file:
/usr/local/sbin/rc.radiusd start


[1] Link Aggregation Control Protocol (LACP) is part of an IEEE
specification (802.3ad) that allows you to bundle several physical ports
together to form a single logical channel. LACP allows a switch to negotiate
an automatic bundle by sending LACP packets to the peer. 
-- 
View this message in context: http://www.nabble.com/-How-To--Freeradius-2.14-%28PEAP-%E2%80%93-MSCHAP%29-tp22433641p22433641.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.