freeRADIUS and WPA-2 Enterprise

Alan DeKok aland at
Sat May 17 18:35:04 CEST 2008

William E. Russell wrote:
> We are trying to setup WPA2 Enterprise authentication to work with the
> FreeRadius server. We have configured EAP-PEAP authentication. We have
> installed all the certificates and corrected the EAP.conf certificate paths.
> We tried to connect from the supplicant from Windows XP. Windows asked for
> the login/password and this is the output of the radiusd -X. The user is
> configured in the users file. We couldn't see any error, however the
> authentication didn't succeed.

  This problem is because the certificates don't have the magic Windows
OID's, OR because the Windows client doesn't have the CA cert in it's list.

  1) install freeradius-2.0.4
  2) add a username/password 'bob/bob'.  See the FAQ.
  3) start it as root.  Watch it create temporary certificates
  4) Use radtest for 'bob/bob' to see if it works.
  5) Configure PEAP on the Windows client.
  6) un-check "validate server certificate" on the Windows client
  7) point Access point to FreeRADIUS
  8) Add access point IP/secret to the server (and re-start)
  9) validate that PEAP works, with 'bob/bob'

  That's most of it.  After that, you want *real* certificates.  Edit
the files in raddb/certs/*cnf, and re-make the certificates.  Copy
ca.der to your Windows desktop, and double-click on it.  This should
install the certificate into the root store.

  If you want to use your own certificates for RADIUS.  See
raddb/certs/README.  You MUST also include the magic Windows OID's.  If
you don't know what these are, see raddb/certs/*

  Alan DeKok.

More information about the Freeradius-Users mailing list