[How To] Freeradius 2.14 (PEAP – MSCHAP)
For thoses, who are interested by setting up PEAP/MSHCAP under Freeradius 2.14, I wrote a simple how-to. I hope it could help someone. :) INSTALLATION PROCESS: FREERADIUS 2.14 (PEAP – MSCHAP) === OS : === - Ubuntu Server 8.10 ====== SWITCH: ====== - HP 2600 ========== Pre-requires : ========== - Samba installed (or sudo apt-get install samba smbfs) - Kerberos installed (or sudo apt-get install krb5-clients krb5-user) ============== Table of contents : ============== *Setting Procurve HP Switch *Installation of OpenSSL 0.9.8j *Installation of Freeradius 2.14 *Integrate the radius server to the domain *Testing to join the AD domain *Authenticate with NTLM using EAP – PEAP *Configuring Freeradius *Testing authentication process *Starting freeradius into background mode ===================== Setting Procurve HP Switch: ===================== ; J4900B Configuration Editor; Created on release #H.10.67 hostname "SWiTCH" no web-management web-management ssl no telnet-server ip ssh interface 1 no lacp ; see [1] at the bottom of the page exit [...] interface 26 no lacp exit vlan 1 name "XXXX" untagged 1-26 exit vlan 2 name "YYYYY" ip address 192.168.2.1 255.255.255.0 ip helper-address 192.168.0.2 exit aaa authentication port-access eap-radius radius-server key testing123 radius-server timeout 1 radius-server dead-time 1 radius-server host 172.28.32.16 aaa port-access authenticator 17-24 aaa port-access authenticator 17 auth-vid 2 aaa port-access authenticator 17 unauth-vid 3 [...] aaa port-access authenticator 24 auth-vid 2 aaa port-access authenticator 24 unauth-vid 3 aaa port-access authenticator active aaa port-access 17-24 ip routing gvrp ======================= Installation of OpenSSL 0.9.8j: ======================= $ wget http://www.openssl.org/source/openssl-0.9.8j.tar.gz $ tar xzf openssl-0.9.8j.tar.gz $ cd openssl-0.9.8j $ ./config --prefix=/usr/local/openssl shared $ make $ sudo make install ====================== Installation of Freeradius 2.14: ====================== $ wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.3.tar.gz $ tar xzf freeradius-server-2.1.3.tar.gz $ cd freeradius-server-2.1.3 $ ./configure --with-openssl --with-openssl-includes=/usr/local/openssl/include/ --with-openssl-libraries=/usr/local/openssl/lib/ $ make $ sudo make install PS: If needed, do a “sudo ldconfig”, and in case of error consult the file “config.log”. ==================== Configuration of Freeradius: ==================== The main configurations files are : - clients.conf (declaration of switchs and shared secrets) - radiusd.conf (listening ports) - users (create a local base of users, or select the method used for authenticate/authorization) - eap.conf (select the encoding method) * File /usr/local/etc/raddb/clients.conf : Declare your switch like that: client 192.168.1.1 { secret = testing123 } * File /usr/local/etc/raddb/users : Into the bottom of the file, just add (for purpose only) : DEFAULT Auth-Type = MS-CHAP * File /usr/local/etc/raddb/eap.conf : eap { default_eap_type = peap … } peap { default_eap_type = mschapv2 … } =============================== Integrate the radius server to the domain: =============================== * File /etc/samba/smb.conf : [global] # network name workgroup = DOMAINTEST # AD domain name (you have to create that, doesn’t exist into the config file) realm = DOMAINTEST.LOCAL # server’s name server string = Freeradius # security mode security = ADS * File /etc/krb5.conf : [libdefaults] default_realm = DOMAINTEST.LOCAL [realms] DOMAINTEST.LOCAL = { kdc = activedirectory.domaintest.local admin_server = IP_of_AD_Server default_domain = DOMAINTEST.LOCAL } [domain_realm] domaintest.local = DOMAINTEST.LOCAL * File /etc/resolv.conf : nameserver IP_of_AD_Server domain DOMAINTEST.LOCAL search DOMAINTEST.LOCAL * File /etc/nsswitch.conf : passwd: files winbind group: files winbind ====================== Testing to join the AD domain: ====================== $ sudo net ads join –U administrateur If it’s good, you will have : Joigned ‘FREERADIUS’ to realm ‘test.fr’ PS : If needed, you may syncronize time between the server running Freeradius and AD server. $ sudo ntpdate IP_of_AD_Server Authenticate with NTLM using EAP – PEAP: ============= Testing purpose : ============= $ sudo ntlm_auth --request-nt-key --domain=DOMAINTEST.LOCAL --username=existing_user password : ****** If all things are good, you must have : The command line returns NT_STATUS_OK : Success (0x0) ====================================== Configuring Freeradius to use NTLM authentication: ====================================== * File /usr/local/etc/raddb/modules/mschap : Uncomment the last line, and modify it like that: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-DOMAINTEST} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" ======================= Testing authentication process: ======================= Into a terminal do a: $ sudo radiusd –X –xx And into an another terminal: $ sudo radtest user password localhost 0 testing123 You will receive (if everything goes well): rad_recv : Access-Accept =============================== Starting freeradius into background mode: =============================== Just put this line into the /etc/rc.local file : /usr/local/sbin/rc.radiusd start [1] Link Aggregation Control Protocol (LACP) is part of an IEEE specification (802.3ad) that allows you to bundle several physical ports together to form a single logical channel. LACP allows a switch to negotiate an automatic bundle by sending LACP packets to the peer. -- View this message in context: http://www.nabble.com/-How-To--Freeradius-2.14-%28PEAP-%E2%80%93-MSCHAP%29-t... Sent from the FreeRadius - User mailing list archive at Nabble.com.
hi, nice - a good compendium of other resources to make a complete task. one small quirk though, you say its for FR 2.14 - in fact, its for FR 2.1.3 - (2.1.4 isnt yet released) alan
A.L.M.Buxey wrote:
one small quirk though, you say its for FR 2.14 - in fact, its for FR 2.1.3 - (2.1.4 isnt yet released)
modified :) thx! -- View this message in context: http://www.nabble.com/-How-To--Freeradius-2.14-%28PEAP-%E2%80%93-MSCHAP%29-t... Sent from the FreeRadius - User mailing list archive at Nabble.com.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Leosi,
For thoses, who are interested by setting up PEAP/MSHCAP under Freeradius 2.14, I wrote a simple how-to. I hope it could help someone. :)
INSTALLATION PROCESS: FREERADIUS 2.14 (PEAP – MSCHAP)
=== OS : === - Ubuntu Server 8.10
====== SWITCH: ====== - HP 2600
========== Pre-requires : ========== - Samba installed (or sudo apt-get install samba smbfs) - Kerberos installed (or sudo apt-get install krb5-clients krb5-user)
============== Table of contents : ============== *Setting Procurve HP Switch *Installation of OpenSSL 0.9.8j *Installation of Freeradius 2.14 *Integrate the radius server to the domain *Testing to join the AD domain *Authenticate with NTLM using EAP – PEAP *Configuring Freeradius *Testing authentication process *Starting freeradius into background mode
===================== Setting Procurve HP Switch: ===================== ; J4900B Configuration Editor; Created on release #H.10.67 hostname "SWiTCH" no web-management web-management ssl no telnet-server ip ssh interface 1 no lacp ; see [1] at the bottom of the page
There's a bug in <= H.10.74 (fixed in H.10.76, not yet released) where the port-access authenticator won't be initialised properly until the interface is 'cycled' (disabled/enabled). This wasn't discovered before, because when the port-access authenticator is enabled, the switch automatically disables LACP (cycling the port in the process). It's therefore a good idea to leave LACP enabled on ports before you enable the port-access authenticator, and not to disable it explicitly, but let the switch take care of disabling it for you.
exit [...] interface 26 no lacp exit vlan 1 name "XXXX" untagged 1-26 exit vlan 2 name "YYYYY" ip address 192.168.2.1 255.255.255.0 ip helper-address 192.168.0.2 exit
aaa authentication port-access eap-radius radius-server key testing123 radius-server timeout 1 radius-server dead-time 1 radius-server host 172.28.32.16
aaa port-access authenticator 17-24
Use port ranges .... aaa port-access authenticator 17-24 auth-vid 2 aaa port-access authenticator 17-24 unauth-vid 3 I'd recommend against using an auth-vid, it's not necessary in this setup, and may add unnecessary delay between the client being authenticated, and traffic passing from the client onto the correct VLAN. I'd recommend you set a default PVID for the port instead 'VLAN x untagged 17-24'.
aaa port-access authenticator 17 auth-vid 2 aaa port-access authenticator 17 unauth-vid 3 [...] aaa port-access authenticator 24 auth-vid 2 aaa port-access authenticator 24 unauth-vid 3 aaa port-access authenticator active aaa port-access 17-24
ip routing
Why turn this on ? It's off by default and it's not required for 802.1x authentication.
gvrp
Think what would happen if a GVRP enabled client connected to an 802.1x authenticated port... They could request *ANY* VLAN available on the switch. The 'auth-vid' and 'unauth-vid' features only control the PVID, they do not control statically or dynamically tagged VLANs configured for the port. If you want to explain how to use GVRP properly as part of dynamic VLAN assignment, then add the following: # Stops GVRP advertisements being forwarded to stations on the edge # and blocks ingress GVRP advertisements. int 17-24 unknown-vlan disable # Allows the switch to use GVRP VLANs in dynamic VLAN assignment aaa port-access gvrp-vlans GVRP is an incredibly useful protocol, but you need to know what you're doing, else it becomes a huge security hole. Would you like this in the wiki somewhere? If so email me directly and i'll create an account for you.. Thanks, Arran - -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkm2epQACgkQcaklux5oVKJhUwCeNI68rdSw4x0zD/ARB2gxlNbS yNcAn3B3Y648NG/8Z+iE8f66yJ04JtuP =SwCe -----END PGP SIGNATURE-----
On Tue, Mar 10, 2009 at 7:57 PM, LEOSI <radius@pronetis.fr> wrote:
For thoses, who are interested by setting up PEAP/MSHCAP under Freeradius 2.14, I wrote a simple how-to. I hope it could help someone. :)
Thanks for the how-to. Sorry if this is such a basic question, but what are the advantages of using freeradius for this purpose (PEAP/MSCHAP) compared to using Microsoft's IAS/NPS? Regards, Fajar
Hi,
For thoses, who are interested by setting up PEAP/MSHCAP under Freeradius 2.14, I wrote a simple how-to. I hope it could help someone. :)
Thanks for the how-to.
Sorry if this is such a basic question, but what are the advantages of using freeradius for this purpose (PEAP/MSCHAP) compared to using Microsoft's IAS/NPS?
apart from flexibility, capabilities and logging (you can use FR for more than just PEAP and EAP-TLS, the server functionality is extensible with new features added very frequently, live debugging and tracing of packets, live low-level 'console' access) ? I'd add in much much better attribute handling/filtering, much more powerful and configurable proxying or both auth and accouting packets. also add in better statistics, better RFC obeyance. the only other product in the same sort of ball-park is RADIATOR if, however, you have no need to have visibility, dont need to proxy, have a system where PEAP (or EAP-TLS) is the only method of authentication, have your users in AD (rather than in flat file, SQL, unix, OTP, etc) and you want to spend money too - then IAS. alan
Fajar A. Nugraha wrote:
Sorry if this is such a basic question, but what are the advantages of using freeradius for this purpose (PEAP/MSCHAP) compared to using Microsoft's IAS/NPS?
Microsoft's IAS works well with Microsoft machines, and is well integrated with Active Directory. That's about the *only* reason to use it. It's intended to do one thing: get Microsoft machines on the net, by authenticating via AD. *Anything* else is not in its list of features. If you want a RADIUS server with "features", use FreeRADIUS. It is less tightly integrated with Active Directory (but Samba helps), and Microsoft occasionally breaks their clients so that they don't work with 3rd party RADIUS servers. If you compare performance, features, database integration, ease of management, debugging, etc. FreeRADIUS is better in every possible way. Alan DeKok.
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Fajar A. Nugraha -
LEOSI