HOWTO PEAP + FreeRadius + XP Client

George KNIGHT georgeknight at gmail.com
Thu May 1 17:45:01 CEST 2008


Hi Allan,

Sorry, it was a mistake to say that I made changes to the config files.
In fact I did not change anything in radiusd.conf, and the only change I
made to eap.conf is this line:

default_eap_type = peap

As it was md5 before.


Yes, I run all the commands as root.  Is this wrong?

When I run the bootstrap script, again as root, here is what I get:

comp-010:/etc/raddb/certs # ./bootsrap
bash: ./bootsrap: No such file or directory
comp-010:/etc/raddb/certs # ./bootstrap
make: Nothing to be done for `ca'.
make: Nothing to be done for `server'.
make: `dh' is up to date.
make: `random' is up to date.
comp-010:/etc/raddb/certs #

I will use the default certs just for testing purposes. Once I make this
work with the default ones, I will surely go ahead and create new certificates.
But at this moment, all I want is to see a working version of PEAP
authentication in my test environment.


Thank you

George Knight





On Thu, May 1, 2008 at 2:00 AM, Alan DeKok <aland at deployingradius.com>
wrote:

> George KNIGHT wrote:
> > A person like you who is dealing with freeradius on a daily basis may
> > have a tendency of thinking that using/installing/troubleshooting
> > freeradius is very easy.
>
>   The goal is to *make* it that easy.  A large number of problems on the
> list are because people think it's complicated, and start changing large
> amounts of the default config.
>
> > Based on the feedback I
> > got from people, everyone seems to agree that it provided them a simple
> > and easy to follow steps for the installation. I felt happy that I
> > helped other people the way that I was helped at all the time through
> > different forums on the internet.
>
>   Based on the feedback I've seen, I've edited/updated the software
> itself to be easier to use.  I don't like reading "howto's", because
> many are out of date, and many others are simply wrong.  I would
> *prefer* that people shipped software that worked, and was easy to use.
>
> > When I started implementing the FreeRadius, I thought I would find some
> > documentation to start with. But unfortunately, after spending days, I
> > couldn't find such a document. The more I read, the more I was surprised
> > that I couldn't figure this out. I know that it shouldn't be much
> > difficult but here I am still struggling to make this work.
>
>   The 5-6 line instructions I gave are all that's needed.
>
> > I installed the FreeRadius 2.0.2 with Yast tool with SuSE SLES. It
> > installed it OK. And then I made changes to eap.conf and radiusd.conf
> > files to start my test. I run radiusd -X and here is what I got;
>
>   Why change eap.conf && radiusd.conf?
>
> > # radiusd -X
> ...
> > rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
>
>   That should be a pretty simple problem to fix.  It's file permissions...
>
>  Are you starting the server as root?
>
> > And other thing is that the command bootstrap couldn't finish creating
> > certificates.
>
>   Why not?  What's the error message?  Is it secret?
>
>  Did you run the "bootstrap" script as root?
>
> > How may I solve this problem? And if I finish creating
> > certs successfully, which certificates should I install to the XP SP2
> > client and where?
>
>   To be honest, you *shouldn't* install the default certificates.
> They're only for testing.
>
>  For testing, un-check the "validate server certificate" in XP.
>
>  For real certificates, edit the conf files as described in the
> raddb/certs/ documentation, and re-build the certs.  Then, install the
> CA cert, as described in the EAP-TLS howto... with pictures.
>
> > You suggested to read the file
> > at http://freeradius.org/doc/EAPTLS.pdf but believe me it didn't help
> > me. And it also gives information for TLS implementation. Nothing for
> > PEAP.
>
>   PEAP *is* EAP-TLS.  It's a variation of EAP-TLS, and all of the
> certificate requirements for EAP-TLS apply to PEAP, too.
>
>  If you have any ideas for what documentation needs to be updated,
> please submit suggested text.  We can include it in the next release.
>
>  But my experience (unfortunately) is that the people who have the most
> problems are reading third-party "howtos" that are *wrong*, and are
> ignoring the server documentation that is *right*.  That's a problem I
> can't fix.
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
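
An added example (not written by either poster, and not FreeRADIUS code): a Python check for the "fopen:Permission denied" failure discussed in this thread, reporting which directory or file under a certs directory a given account cannot traverse or read. It judges classic mode bits only (no ACLs, SELinux or AppArmor), and the account name is whatever you pass on the command line, since the thread does not say which user radiusd runs as.

```python
import os
import pwd
import sys


def allowed(st, uid, gids, want):
    """True if uid/gids get mode bit `want` (4 = read, 1 = search) on st."""
    if uid == 0:                        # root bypasses read/search mode bits
        return True
    if st.st_uid == uid:                # owner class applies, and only it
        return bool(st.st_mode & (want << 6))
    if st.st_gid in gids:               # otherwise the group class
        return bool(st.st_mode & (want << 3))
    return bool(st.st_mode & want)      # otherwise "other"


def first_denied(path, uid, gids, base="/"):
    """Return (component, "search" | "read") for the first thing that makes
    fopen(path) fail with EACCES for uid/gids, or None if the modes allow it.
    Only `base` and the components below it are examined."""
    path, base = os.path.realpath(path), os.path.realpath(base)
    rel = os.path.relpath(path, base)
    if rel.split(os.sep)[0] == os.pardir:
        raise ValueError("path is not below base")
    comps = [base]
    for part in (p for p in rel.split(os.sep) if p != os.curdir):
        comps.append(os.path.join(comps[-1], part))
    for directory in comps[:-1]:        # every ancestor needs the search bit
        if not allowed(os.stat(directory), uid, gids, 1):
            return (directory, "search")
    if not allowed(os.stat(comps[-1]), uid, gids, 4):
        return (comps[-1], "read")
    return None


def audit(cert_dir, uid, gids, base="/"):
    """Map each regular file in cert_dir to its first denial (readable: omitted)."""
    found = {}
    for name in sorted(os.listdir(cert_dir)):
        full = os.path.join(cert_dir, name)
        hit = first_denied(full, uid, gids, base) if os.path.isfile(full) else None
        if hit:
            found[name] = hit
    return found


if __name__ == "__main__":              # usage: script.py CERT_DIR ACCOUNT
    account = pwd.getpwnam(sys.argv[2])
    groups = set(os.getgrouplist(account.pw_name, account.pw_gid))
    for name, (where, need) in audit(sys.argv[1], account.pw_uid, groups).items():
        print(f"{name}: {account.pw_name} lacks {need} permission on {where}")
```

Run it as root against /etc/raddb/certs with the daemon's account name; an empty result means the mode bits are not what is blocking the read.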