HOWTO PEAP + FreeRadius + XP Client

George KNIGHT georgeknight at
Thu May 1 00:21:34 CEST 2008

I thank you for your advice and your time.

A person like you who deals with freeradius on a daily basis may have a
tendency to think that using/installing/troubleshooting freeradius is
very easy. But for a complete beginner, like myself, things seem more
complicated. I'll give an example from my own experience: 3 years ago, when I
started as a network admin in my company, it took me almost 10 days to
figure out how to properly install apache/mysql/php on a Linux box. Now it
takes me under 15 minutes to install them all. I wrote step-by-step
instructions for the process at the time and distributed them to everyone on the
net. Based on the feedback I got from people, everyone seems to agree that
it provided them with simple and easy-to-follow steps for the installation. I
felt happy that I helped other people the way I was helped all the
time through different forums on the internet.

When I started implementing FreeRadius, I thought I would find some
documentation to start with. But unfortunately, after spending days, I
couldn't find such a document. The more I read, the more surprised I was that I
couldn't figure this out. I know that it shouldn't be that difficult, but
here I am, still struggling to make this work.

I don't want to take your and other people's valuable time any more, so here
is where I am now:

I installed FreeRadius 2.0.2 with the Yast tool on SuSE SLES. It installed
OK. Then I made changes to the eap.conf and radiusd.conf files to start
my test. I ran radiusd -X and here is what I got:

# radiusd -X
FreeRADIUS Version 2.0.2, for host i686-suse-linux-gnu, built on Feb 14 2008
at 15:34:49
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including dictionary file /etc/raddb/dictionary
main {
        prefix = "/usr"
        localstatedir = "/var"
        logdir = "/var/log/radius"
        libdir = "/usr/lib/freeradius"
        radacctdir = "/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = "/var/run/radiusd/"
        user = "radiusd"
        group = "radiusd"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 client localhost {
        ipaddr =
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
 client {
        require_message_authenticator = no
        secret = "testing123"
        shortname = ""
        nastype = "cisco"
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 home_server localhost {
        ipaddr =
        port = 1812
        type = "auth"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        zombie_period = 40
        status_check = "status-server"
        ping_check = "none"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 realm {
        auth_pool = my_auth_failover
 realm LOCAL {
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
        wait = yes
        input_pairs = "request"
        shell_escape = yes
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
        reply-message = "Password Has Expired  "
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
        reply-message = "You are calling outside your allowed timespan  "
        minimum-timeout = 60
radiusd: #### Loading Virtual Servers ####
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
        encryption_scheme = "auto"
        auto_header = no
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
        radwtmp = "/var/log/radius/radwtmp"
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
        default_eap_type = "peap"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/etc/raddb/certs/server.pem"
        certificate_file = "/etc/raddb/certs/server.pem"
        CA_file = "/etc/raddb/certs/ca.pem"
        private_key_password = "whatever"
        dh_file = "/etc/raddb/certs/dh"
        random_file = "/etc/raddb/certs/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
        make_cert_command = "/etc/raddb/certs/bootstrap"
rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
rlm_eap_tls: Error reading certificate file /etc/raddb/certs/server.pem
rlm_eap: Failed to initialize type tls
/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/etc/raddb/sites-enabled/default[252]: Failed to find module "eap".
/etc/raddb/sites-enabled/default[199]: Errors parsing authenticate section.
Errors initializing modules
comp-010:/home/srn #

This is one.
The other thing is that the bootstrap command couldn't finish creating the
certificates. How may I solve this problem? And if I finish creating the
certs successfully, which certificates should I install on the XP SP2 client,
and where? You suggested reading the file at but believe me, it didn't help me. It
also only gives information for a TLS implementation. Nothing for PEAP.

I hope I am not asking silly questions that would make you feel like you are
wasting your time.

Thank you.

George Knight

On Tue, Apr 29, 2008 at 3:03 PM, Alan DeKok <aland at> wrote:

> George KNIGHT wrote:
> > Before I write my question here, I just want to let all of you know that
> > I did lots of searching in both Google and this email list, but couldn't
> > find anything to get the answer.
> >
> > My question is: I have been looking for a HOWTO paper for a beginner to
> > set up freeradius as an AAA server in a wireless environment for Windows XP
> > SP2 clients. I will use Windows' own PEAP client. Is there such a paper
> > someone can give me the link to?
> $ ./configure
> $ make
> $ make install
> $ radiusd -X
> - Un-check "verify server certificate" in Windows (ONLY for testing).
> - Add a user to the database (username/password, example in the FAQ)
>  That's it.
> > I'm very frustrated to find out that there is no information available
> > for a setup from scratch.
>   Part of the problem is that in 2.0, there is so little to do...
> > I wrote papers like that before for
> > various topics such as subversion implementation for a multiple-OS
> > environment, VoIP implementation with Linux-based open-source S/W,
> > etc. I have the intention to write such a paper on how to set up a PEAP
> > implementation with freeradius as well. But for that, I'm hoping someone
> > can give me a good start.
>   The EAP-TLS "howtos" contain additional documentation:
> > Clients are going to be computers with WinCE as their OS and they will
> > connect to the LAN wirelessly. What I want to achieve is authenticating
> > these clients with the AAA server using PEAP before letting them use the
> > other network resources.
>   Install 2.0, start the server.
>  See also raddb/certs/README.  You can create "real" certificates, and
> import them into WinCE.
>  There is very, very little to change in order to get PEAP to work.
>  Alan DeKok.
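The `fopen: Permission denied` on /etc/raddb/certs/server.pem above appears while radiusd.conf has `user = "radiusd"`, so the files named under `tls { ... }` have to be readable by that account, not just by root. The following Python check is an added example, not code from the thread or from FreeRADIUS: it resolves the run-as user, applies the ordinary Unix owner/group/other read test to each file, and also flags a server.pem that is readable by everyone, because the quick `chmod 644` fix trades the error for a private key any local user can copy. It assumes a Linux host (pwd/grp modules) and the paths from the debug output; `resolve_user` and `check_files` are names chosen here.

```python
import grp, os, pwd, stat

# Files named under tls { ... } in the radiusd -X output above.
TLS_FILES = [
    "/etc/raddb/certs/server.pem",  # both private_key_file and certificate_file
    "/etc/raddb/certs/ca.pem",
    "/etc/raddb/certs/dh",
    "/etc/raddb/certs/random",
]

def mode_allows_read(st_mode, file_uid, file_gid, uid, gids):
    """Plain Unix DAC: may a process running as uid with group set gids read a
    file owned by file_uid:file_gid whose permission bits are st_mode?"""
    if uid == 0:                      # root bypasses mode bits
        return True
    if uid == file_uid:
        return bool(st_mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)

def resolve_user(name):
    """uid and full group set of the account radiusd.conf names in user = ..."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids

def check_files(paths, uid, gids):
    """Map each problematic path to a reason; empty dict means all files are OK.
    A key readable by 'other' is reported too: chown root:radiusd + chmod 640
    clears the fopen error without handing the private key to every local user."""
    problems = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems[path] = "missing (bootstrap did not finish?)"
            continue
        if not mode_allows_read(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            problems[path] = "unreadable by uid %d: mode %o, owner %d:%d" % (
                uid, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
        elif path.endswith("server.pem") and st.st_mode & stat.S_IROTH:
            problems[path] = "world-readable private key"
    return problems

if __name__ == "__main__":
    run_as_uid, run_as_gids = resolve_user("radiusd")
    for path, why in check_files(TLS_FILES, run_as_uid, run_as_gids).items():
        print("%s -> %s" % (path, why))
```

Run it as root on the SLES box after bootstrap has produced the files; an empty report means the eap module's TLS files are readable by radiusd and the key is not exposed to other accounts.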