Allan, I thank you for your advice and your time. A person like you who is dealing with freeradius on a daily basis may have a tendency of thinking that using/installing/troubleshooting freeradius is very easy. But for a complete new beginner, like myself, things seem more complicated. I'll give an example from my own experience; 3 years ago when I started as a network admin in my company, it took me almost 10 days to figure out how to properly instal apache/mysql/php on a linux box. Now, it takes me under 15 minutes to install them all. I wrote a step-by-step instruction for the process at the time and distributed to everyone on the net. Based on the feedback I got from people, everyone seems to agree that it provided them a simple and easy to follow steps for the installation. I felt happy that I helped other people the way that I was helped at all the time through different forums on the internet. When I started implementing the FreeRadius, I thought I would find some documentation to start with. But unfortunately, after spending days, i couldn't find such a document. The more I read, the more i surprised that I couldn't figure this out. I know that it shouldn't be much difficult but here I am still struggling to make this work. I don't want to take your and other people's valuable time any more, so here is where I am now; I installed the FreeRadous 2.0.2 with Yast tool with SuSE SLES. It installed it OK. And then i made changes to eap.conf and radiusd.conf files to start my test. I run radiusd -X and here is what I got; # radiusd -X FreeRADIUS Version 2.0.2, for host i686-suse-linux-gnu, built on Feb 14 2008 at 15:34:49 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including configuration file /etc/raddb/snmp.conf including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/sql/mysql/dialup.conf including configuration file /etc/raddb/sql/mysql/counter.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" user = "radiusd" group = "radiusd" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.10.30.3 { require_message_authenticator = no secret = "testing123" shortname = "10.10.30.3" nastype = "cisco" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" } rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied rlm_eap_tls: Error reading certificate file /etc/raddb/certs/server.pem rlm_eap: Failed to initialize type tls /etc/raddb/eap.conf[17]: Instantiation failed for module "eap" /etc/raddb/sites-enabled/default[252]: Failed to find module "eap". /etc/raddb/sites-enabled/default[199]: Errors parsing authenticate section. } } Errors initializing modules comp-010:/home/srn # This is one. And other thing is that the command bootstrap couldn't finish creating certificates. How may I solve this problem. And if finish creating certs successfully, which certificates should I install to the XP SP2 client and where? You suggested to read the file at http://freeradius.org/doc/EAPTLS.pdf but believe me it didn't help me. And it also gives information for TLS implementation. NOthing for PEAP. I hope I am not asking silly questions that would make you feel like you are wasting your time. Thank you. George Knight On Tue, Apr 29, 2008 at 3:03 PM, Alan DeKok <aland@deployingradius.com> wrote:
George KNIGHT wrote:
Before I write my question here, I just want to let all of you know that I did lots of searching in both google and this email list. But couldn't find anything to get the answer.
My question is I have been looking for a HOWTO paper for a beginner to set freeradius as an AAA server in a wireless environment to Windows XP SP2 clients. I will use Windows' own PEAP client. Is there such a paper someone can give me the link?
$ ./configure $ make $ make install $ radiusd -X
- Un-check "verify server certificate" in Windows (ONLY for testing).
- Add a user to the database (username/password, example in the FAQ)
That's it.
I'm very frustrated to find out that there is no information available for a setup from the scratch.
Part of the problem is that in 2.0, there is so little to do...
I wrote papers like that before for various topics such as subversion implementation for a multiple OS environment, VoIP implementation with a Linux based open sources S/W etc. I have intention to write such a paper for how to set up PEAP implementation with freeradius as well. But for that, I'm hoping someone can give me a good start.
The EAP-TLS "howtos" contain additional documentation:
Clients are going to be computers with WinCE as their OS and they will contact to the LAN wirelessly. What I want to achieve is authenticating this clients with server-AAA using PEAP before letting them use the other network resources.
Install 2.0, start the server.
See also raddb/certs/README. You can create "real" certificates, and import them into WinCE.
There is very, very, little to change in order to get PEAP to work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html