New Thread: EAP for Cisco AP.

Thibault Le Meur Thibault.LeMeur at supelec.fr
Mon Jan 15 11:47:24 CET 2007


> But, I don't completely understand PEAP, and how it relates 
> to MS-CHAP v2.

PEAP first establishes a TLS tunnel (and thus uses the freeradius eap 'tls'
module).
Then a new request is sent protected by this TLS tunnel. This inner request
can be based on ms-chapv2 or another EAP method.

> I want to try to use PEAP to secure my network.
> 
> Here is my current eap.conf
> 
>     eap {
>         default_eap_type = peap
>         timer_expire     = 60
>         ignore_unknown_eap_types = no
>         cisco_accounting_username_bug = no
>         md5 {
>         }
>         leap {
>         }
>         gtc {
>             auth_type = PAP
>         }
>         tls {
>             private_key_password = whatever
>             private_key_file = ${raddbdir}/certs/cert-srv.pem
>             certificate_file = ${raddbdir}/certs/cert-srv.pem
>             CA_file = ${raddbdir}/certs/demoCA/cacert.pem
>             dh_file = ${raddbdir}/certs/dh
>             random_file = /dev/urandom
>         }

Take care to set up the freeradius certificate/private key because it will be
used to establish the first TLS tunnel.

Also take care to install the cacert in the client certificate store.


>         peap {
>         default_eap_type = mschapv2
>         }
>         mschapv2 {
>         }
>     }
> 
> I have eap in authenticate and authorize. What else do I need 
> to do, and are there more dictionaries.

Should be enough for the Freeradius part (I suppose you have defined your APs
in the clients.conf file).

Configure the RADIUS parameters in your AP and set up the PEAP client to
check the freeradius server's name and certificate to be protected from
man-in-the-middle attacks.

Thibault
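As an added example (not code from the thread or from the FreeRADIUS project), the Python below parses an eap.conf in the brace-delimited format quoted above and checks the points the reply makes: the tls section must carry the certificate, private key and CA file used for the outer tunnel, the key password should not be the sample-config default, and peap must hand off to an mschapv2 inner section. The sample config is constructed from the one quoted in the thread; the function names and finding messages are my own.

```python
"""Parse a FreeRADIUS-style eap.conf and check its PEAP/TLS settings.

Added example, not part of the mailing-list thread or FreeRADIUS itself.
"""
import re

# Constructed sample, modelled on the eap.conf quoted in the thread.
SAMPLE_EAP_CONF = """
eap {
    default_eap_type = peap
    timer_expire     = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = /dev/urandom
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
"""

SECTION_OPEN = re.compile(r"^(\S+)\s*\{$")
ASSIGNMENT = re.compile(r"^([A-Za-z_][\w.]*)\s*=\s*(.*)$")


def parse_conf(text):
    """Turn the brace-delimited config into nested dicts.

    Sections become dicts, 'key = value' lines become strings; '#' comments
    and blank lines are skipped. Unbalanced braces raise ValueError.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = SECTION_OPEN.match(line)
        if m:
            section = {}
            stack[-1][m.group(1)] = section
            stack.append(section)
            continue
        m = ASSIGNMENT.match(line)
        if m:
            stack[-1][m.group(1)] = m.group(2).strip()
            continue
        raise ValueError(f"unparseable line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return root


def check_peap(conf):
    """Return a list of findings about the outer TLS tunnel and inner method."""
    findings = []
    eap = conf.get("eap", {})
    tls = eap.get("tls")
    if tls is None:
        findings.append("tls: section missing; PEAP cannot build its outer TLS tunnel")
    else:
        # The server certificate and key are what the client verifies against
        # the CA it trusts, so all three must be present.
        for key in ("certificate_file", "private_key_file", "CA_file"):
            if key not in tls:
                findings.append(f"tls: {key} not set")
        if tls.get("private_key_password") == "whatever":
            findings.append("tls: private_key_password is the sample-config default 'whatever'")
    peap = eap.get("peap")
    if peap is None:
        findings.append("peap: section missing")
    elif peap.get("default_eap_type") != "mschapv2":
        findings.append("peap: default_eap_type is not mschapv2")
    if "mschapv2" not in eap:
        findings.append("mschapv2: section missing, so the inner method cannot run")
    return findings


if __name__ == "__main__":
    for finding in check_peap(parse_conf(SAMPLE_EAP_CONF)):
        print(finding)
```

Run against the sample, the only finding is the key password left at the sample-config default; the parser is deliberately strict and raises on a line it does not understand rather than silently dropping it, so a mangled section is caught instead of producing a misleading "all clear".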

More information about the Freeradius-Users mailing list