[How To] Freeradius 2.14 (PEAP – MSCHAP)

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Tue Mar 10 15:35:00 CET 2009



Hi Leosi,

> For those who are interested in setting up PEAP/MSCHAP under Freeradius
> 2.14, I wrote a simple how-to.
> I hope it could help someone. :)
> 
> 
> INSTALLATION PROCESS: FREERADIUS 2.14 (PEAP – MSCHAP)
> 
> ===
> OS :
> ===
>   - Ubuntu Server 8.10
> 
> ======
> SWITCH:
> ======
>   - HP 2600
> 
> ==========
> Prerequisites:
> ==========
>   - Samba installed (or sudo apt-get install samba smbfs)
>   - Kerberos installed (or sudo apt-get install krb5-clients krb5-user)
> 
> ==============
> Table of contents :
> ==============
>   *Setting Procurve HP Switch
>   *Installation of OpenSSL 0.9.8j
>   *Installation of Freeradius 2.14
>   *Integrate the radius server to the domain
>   *Testing to join the AD domain
>   *Authenticate with NTLM using EAP – PEAP
>   *Configuring Freeradius
>   *Testing authentication process
>   *Starting freeradius into background mode
> 
> =====================
> Setting Procurve HP Switch:
> =====================
> ; J4900B Configuration Editor; Created on release #H.10.67
> hostname "SWiTCH"
> no web-management
> web-management ssl
> no telnet-server
> ip ssh
> interface 1 
>    no lacp ; see [1] at the bottom of the page

There's a bug in <= H.10.74 (fixed in H.10.76, not yet released) where
the port-access authenticator won't be initialised properly until the
interface is 'cycled' (disabled/enabled). This wasn't discovered before,
because when the port-access authenticator is enabled, the switch
automatically disables LACP (cycling the port in the process).

It's therefore a good idea to leave LACP enabled on ports before you
enable the port-access authenticator, and not to disable it explicitly,
but let the switch take care of disabling it for you.

> exit
> [...]
> interface 26 
>    no lacp
> exit
> vlan 1 
>    name "XXXX" 
>    untagged 1-26 
>    exit 
> vlan 2 
>    name "YYYYY" 
>    ip address 192.168.2.1 255.255.255.0 
>    ip helper-address 192.168.0.2 
>    exit 
> 
> aaa authentication port-access eap-radius
> radius-server key testing123
> radius-server timeout 1
> radius-server dead-time 1 
> radius-server host 172.28.32.16
> 
> aaa port-access authenticator 17-24

Use port ranges ....

aaa port-access authenticator 17-24 auth-vid 2
aaa port-access authenticator 17-24 unauth-vid 3

I'd recommend against using an auth-vid, it's not necessary in this
setup, and may add unnecessary delay between the client being
authenticated, and traffic passing from the client onto the correct
VLAN. I'd recommend you set a default PVID for the port instead ('vlan x
untagged 17-24').

> aaa port-access authenticator 17 auth-vid 2
> aaa port-access authenticator 17 unauth-vid 3
> [...]
> aaa port-access authenticator 24 auth-vid 2
> aaa port-access authenticator 24 unauth-vid 3
> aaa port-access authenticator active
> aaa port-access 17-24

> ip routing

Why turn this on? It's off by default and it's not required for 802.1X
authentication.

> gvrp

Think what would happen if a GVRP enabled client connected to an 802.1x
authenticated port... They could request *ANY* VLAN available on the
switch. The 'auth-vid' and 'unauth-vid' features only control the PVID,
they do not control statically or dynamically tagged VLANs configured
for the port.

If you want to explain how to use GVRP properly as part of dynamic VLAN
assignment, then add the following:

# Stops GVRP advertisements being forwarded to stations on the edge
# and blocks ingress GVRP advertisements.
int 17-24 unknown-vlan disable

# Allows the switch to use GVRP VLANs in dynamic VLAN assignment
aaa port-access gvrp-vlans


GVRP is an incredibly useful protocol, but you need to know what you're
doing, else it becomes a huge security hole.

Would you like this in the wiki somewhere? If so email me directly and
I'll create an account for you.

Thanks,
Arran

--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
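As an added example that is not part of the thread, the how-to, or the FreeRADIUS project: a small Python linter that reads an HP ProCurve running-config and reports the four points Arran raises above (GVRP enabled while authenticator ports lack `unknown-vlan disable`, `ip routing` turned on, explicit `no lacp` on authenticator ports, and auth-vid used where a static PVID would do). The two configs embedded in it are constructed for the example, one mirroring the weak settings of the quoted how-to and one following the reply's advice; the parser understands only the directives shown, and the finding names are my own.

```python
"""Added example (not from the thread): lint an HP ProCurve running-config for
the 802.1X pitfalls raised in the reply above. Both configs are constructed."""
import re

# Weak config in the shape of the quoted how-to: explicit 'no lacp', auth-vid,
# 'ip routing' and 'gvrp' on, GVRP filtered on only one authenticator port.
WEAK_CONFIG = """\
interface 20
   no lacp
   unknown-vlan disable
exit
aaa port-access authenticator 17-24
aaa port-access authenticator 17-24 auth-vid 2
aaa port-access authenticator 17-24 unauth-vid 3
aaa port-access authenticator active
ip routing
gvrp
"""

# Hardened config following the reply: LACP left to the switch, static PVID via
# 'vlan 2 untagged', GVRP blocked at the edge, gvrp-vlans for dynamic VLANs.
HARDENED_CONFIG = """\
interface 17-24
   unknown-vlan disable
exit
vlan 2
   untagged 17-24
   exit
aaa port-access authenticator 17-24
aaa port-access authenticator 17-24 unauth-vid 3
aaa port-access authenticator active
aaa port-access gvrp-vlans
gvrp
"""

PORT_RANGE = r"\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*"        # e.g. 1, 17-24, 1-4,7
GLOBAL_FLAGS = {"gvrp": "gvrp", "ip routing": "ip_routing",
                "aaa port-access gvrp-vlans": "gvrp_vlans"}
PORT_DIRECTIVES = ("no lacp", "unknown-vlan disable")

def expand_ports(spec):
    """Expand a ProCurve port list such as '17-24,26' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_config(text):
    """Extract only the settings the audit needs; unknown lines are ignored."""
    cfg = {"auth_ports": set(), "auth_vid": set(), "gvrp": False,
           "ip_routing": False, "gvrp_vlans": False}
    cfg.update({d: set() for d in PORT_DIRECTIVES})
    ctx = set()                      # ports of the interface block we are in
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # ';' starts a comment
            continue
        m = re.fullmatch(rf"(?:interface|int) ({PORT_RANGE})", line)
        if m:
            ctx = expand_ports(m.group(1))
            continue
        if line == "exit":
            ctx = set()
            continue
        if ctx:
            if line in PORT_DIRECTIVES:
                cfg[line] |= ctx
            continue
        m = re.fullmatch(rf"aaa port-access authenticator ({PORT_RANGE})(?: (\S+).*)?", line)
        if m:
            ports = expand_ports(m.group(1))
            cfg["auth_ports"] |= ports
            if m.group(2) == "auth-vid":
                cfg["auth_vid"] |= ports
        elif line in GLOBAL_FLAGS:
            cfg[GLOBAL_FLAGS[line]] = True
    return cfg

def audit(text):
    """Return {finding: sorted affected ports}; an empty dict is a clean config."""
    cfg = parse_config(text)
    findings = {}
    # auth-vid/unauth-vid only set the PVID; with GVRP on, a client on an edge
    # port can still request any VLAN unless ingress GVRP is blocked there.
    exposed = cfg["auth_ports"] - cfg["unknown-vlan disable"] if cfg["gvrp"] else set()
    if exposed:
        findings["gvrp-on-edge"] = sorted(exposed)
    if cfg["ip_routing"]:                       # off by default, not needed for 802.1X
        findings["ip-routing"] = []
    lacp = cfg["no lacp"] & cfg["auth_ports"]   # let the authenticator cycle the port
    if lacp:
        findings["explicit-no-lacp"] = sorted(lacp)
    if cfg["auth_vid"]:                         # a static PVID avoids the extra delay
        findings["auth-vid"] = sorted(cfg["auth_vid"])
    return findings
```

Calling `audit(WEAK_CONFIG)` reports all four findings, with the GVRP exposure listing every authenticator port except 20, the one port that has `unknown-vlan disable`; `audit(HARDENED_CONFIG)` returns an empty dict. To run it against a real switch, paste the output of `show running-config` into a file and pass its contents to `audit()`.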


