HOWTO PEAP + FreeRadius + XP Client

George KNIGHT georgeknight at gmail.com
Thu May 1 00:21:34 CEST 2008 

Allan,
I thank you for your advice and your time.

A person like you who is dealing with freeradius on a daily basis may have a
tendency of thinking that using/installing/troubleshooting freeradius is
very easy. But for a complete new beginner, like myself, things seem more
complicated. I'll give an example from my own experience; 3 years ago when I
started as a network admin in my company, it took me almost 10 days to
figure out how to properly instal apache/mysql/php on a linux box. Now, it
takes me under 15 minutes to install them all. I wrote a step-by-step
instruction for the process at the time and distributed to everyone on the
net. Based on the feedback I got from people, everyone seems to agree that
it provided them a simple and easy to follow steps for the installation. I
felt happy that I helped other people the way that I was helped at all the
time through different forums on the internet.

When I started implementing the FreeRadius, I thought I would find some
documentation  to start with. But unfortunately, after spending days, i
couldn't find such a document. The more I read, the more i surprised that I
couldn't figure this out. I know that it shouldn't be much difficult but
here I am still struggling to make this work.

I don't want to take your and other people's valuable time any more, so here
is where I am now;

I installed the FreeRadous 2.0.2 with Yast tool with SuSE SLES. It installed
it OK. And then i made changes to eap.conf and radiusd.conf files to start
my test. I run radiusd -X and here is what I got;


# radiusd -X
FreeRADIUS Version 2.0.2, for host i686-suse-linux-gnu, built on Feb 14 2008
at 15:34:49
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including dictionary file /etc/raddb/dictionary
main {
        prefix = "/usr"
        localstatedir = "/var"
        logdir = "/var/log/radius"
        libdir = "/usr/lib/freeradius"
        radacctdir = "/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = "/var/run/radiusd/radiusd.pid"
        user = "radiusd"
        group = "radiusd"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
 }
 client 10.10.30.3 {
        require_message_authenticator = no
        secret = "testing123"
        shortname = "10.10.30.3"
        nastype = "cisco"
 }
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        zombie_period = 40
        status_check = "status-server"
        ping_check = "none"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 }
 realm example.com {
        auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
        wait = yes
        input_pairs = "request"
        shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
        reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
        reply-message = "You are calling outside your allowed timespan  "
        minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
        encryption_scheme = "auto"
        auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
        radwtmp = "/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
        default_eap_type = "peap"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/etc/raddb/certs/server.pem"
        certificate_file = "/etc/raddb/certs/server.pem"
        CA_file = "/etc/raddb/certs/ca.pem"
        private_key_password = "whatever"
        dh_file = "/etc/raddb/certs/dh"
        random_file = "/etc/raddb/certs/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
        make_cert_command = "/etc/raddb/certs/bootstrap"
   }
rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
rlm_eap_tls: Error reading certificate file /etc/raddb/certs/server.pem
rlm_eap: Failed to initialize type tls
/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/etc/raddb/sites-enabled/default[252]: Failed to find module "eap".
/etc/raddb/sites-enabled/default[199]: Errors parsing authenticate section.
 }
}
Errors initializing modules
comp-010:/home/srn #


This is one.
And other thing is that the command bootstrap couldn't finish creating
certificates. How may I solve this problem. And if finish creating
certs successfully, which certificates should I install to the XP SP2 client
and where? You suggested to read the file at
http://freeradius.org/doc/EAPTLS.pdf but believe me it didn't help me. And
it also gives information for TLS implementation. NOthing for PEAP.

I hope I am not asking silly questions that would make you feel like you are
wasting your time.

Thank you.

George Knight



On Tue, Apr 29, 2008 at 3:03 PM, Alan DeKok <aland at deployingradius.com>
wrote:

> George KNIGHT wrote:
> > Before I write my question here, I just want to let all of you know that
> > I did lots of searching in both google and this email list. But couldn't
> > find anything to get the answer.
> >
> > My question is I have been looking for a HOWTO paper for a beginner to
> > set freeradius as an AAA server in a wireless environment to Windows XP
> > SP2 clients. I will use Windows' own PEAP client. Is there such a paper
> > someone can give me the link?
>
> $ ./configure
> $ make
> $ make install
> $ radiusd -X
>
> - Un-check "verify server certificate" in Windows (ONLY for testing).
>
> - Add a user to the database (username/password, example in the FAQ)
>
>  That's it.
>
> > I'm very frustrated to find out that there is no information available
> > for a setup from the scratch.
>
>   Part of the problem is that in 2.0, there is so little to do...
>
> > I wrote papers like that before for
> > various topics such as subversion implementation for a multiple OS
> > environment, VoIP implementation with a Linux based open sources S/W
> > etc. I have intention to write such a paper for how to set up PEAP
> > implementation with freeradius as well. But for that, I'm hoping someone
> > can give me a good start.
>
>   The EAP-TLS "howtos" contain additional documentation:
>
> http://freeradius.org/doc/
>
> > Clients are going to be computers with WinCE as their OS and they will
> > contact to the LAN wirelessly. What I want to achieve is authenticating
> > this clients with server-AAA using PEAP before letting them use the
> > other network resources.
>
>   Install 2.0, start the server.
>
>  See also raddb/certs/README.  You can create "real" certificates, and
> import them into WinCE.
>
>  There is very, very, little to change in order to get PEAP to work.
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080430/0dfcb405/attachment.html>

More information about the Freeradius-Users mailing list