Allan,
I thank you for your advice and your time.
A person like you who is dealing with freeradius on a daily basis may have a tendency of thinking that using/installing/troubleshooting freeradius is very easy. But for a complete new beginner, like myself, things seem more complicated. I'll give an example from my own experience; 3 years ago when I started as a network admin in my company, it took me almost 10 days to figure out how to properly instal apache/mysql/php on a linux box. Now, it takes me under 15 minutes to install them all. I wrote a step-by-step instruction for the process at the time and distributed to everyone on the net. Based on the feedback I got from people, everyone seems to agree that it provided them a simple and easy to follow steps for the installation. I felt happy that I helped other people the way that I was helped at all the time through different forums on the internet.
When I started implementing the FreeRadius, I thought I would find some documentation to start with. But unfortunately, after spending days, i couldn't find such a document. The more I read, the more i surprised that I couldn't figure this out. I know that it shouldn't be much difficult but here I am still struggling to make this work.
I don't want to take your and other people's valuable time any more, so here is where I am now;
I installed the FreeRadous 2.0.2 with Yast tool with SuSE SLES. It installed it OK. And then i made changes to eap.conf and radiusd.conf files to start my test. I run radiusd -X and here is what I got;
# radiusd -X
FreeRADIUS Version 2.0.2, for host i686-suse-linux-gnu, built on Feb 14 2008 at 15:34:49
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
user = "radiusd"
group = "radiusd"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
require_message_authenticator = no
secret = "testing123"
nastype = "cisco"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
}
rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
rlm_eap_tls: Error reading certificate file /etc/raddb/certs/server.pem
rlm_eap: Failed to initialize type tls
/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/etc/raddb/sites-enabled/default[252]: Failed to find module "eap".
/etc/raddb/sites-enabled/default[199]: Errors parsing authenticate section.
}
}
Errors initializing modules
comp-010:/home/srn #
This is one.
And other thing is that the command bootstrap couldn't finish creating certificates. How may I solve this problem. And if finish creating certs successfully, which certificates should I install to the XP SP2 client and where? You suggested to read the file at
http://freeradius.org/doc/EAPTLS.pdf but believe me it didn't help me. And it also gives information for TLS implementation. NOthing for PEAP.
I hope I am not asking silly questions that would make you feel like you are wasting your time.
Thank you.
George Knight
On Tue, Apr 29, 2008 at 3:03 PM, Alan DeKok <
aland@deployingradius.com> wrote:
George KNIGHT wrote:
> Before I write my question here, I just want to let all of you know that
> I did lots of searching in both google and this email list. But couldn't
> find anything to get the answer.
>
> My question is I have been looking for a HOWTO paper for a beginner to
> set freeradius as an AAA server in a wireless environment to Windows XP
> SP2 clients. I will use Windows' own PEAP client. Is there such a paper
> someone can give me the link?
$ ./configure
$ make
$ make install
$ radiusd -X
- Un-check "verify server certificate" in Windows (ONLY for testing).
- Add a user to the database (username/password, example in the FAQ)
That's it.
> I'm very frustrated to find out that there is no information available
> for a setup from the scratch.
Part of the problem is that in 2.0, there is so little to do...
> I wrote papers like that before for
> various topics such as subversion implementation for a multiple OS
> environment, VoIP implementation with a Linux based open sources S/W
> etc. I have intention to write such a paper for how to set up PEAP
> implementation with freeradius as well. But for that, I'm hoping someone
> can give me a good start.
The EAP-TLS "howtos" contain additional documentation:
http://freeradius.org/doc/
> Clients are going to be computers with WinCE as their OS and they will
> contact to the LAN wirelessly. What I want to achieve is authenticating
> this clients with server-AAA using PEAP before letting them use the
> other network resources.
Install 2.0, start the server.
See also raddb/certs/README. You can create "real" certificates, and
import them into WinCE.
There is very, very, little to change in order to get PEAP to work.
Alan DeKok.