[How To] Freeradius 2.14 (PEAP – MSCHAP)
LEOSI
radius at pronetis.fr
Tue Mar 10 13:57:24 CET 2009
For those who are interested in setting up PEAP/MSCHAP under Freeradius
2.14, I wrote a simple how-to.
I hope it helps someone. :)
INSTALLATION PROCESS: FREERADIUS 2.14 (PEAP – MSCHAP)
===
OS :
===
- Ubuntu Server 8.10
======
SWITCH:
======
- HP 2600
==========
Prerequisites:
==========
- Samba installed (or sudo apt-get install samba smbfs)
- Kerberos installed (or sudo apt-get install krb5-clients krb5-user)
==============
Table of contents :
==============
*Setting Procurve HP Switch
*Installation of OpenSSL 0.9.8j
*Installation of Freeradius 2.14
*Integrate the radius server to the domain
*Testing to join the AD domain
*Authenticate with NTLM using EAP – PEAP
*Configuring Freeradius
*Testing authentication process
*Starting freeradius into background mode
=====================
Setting Procurve HP Switch:
=====================
; J4900B Configuration Editor; Created on release #H.10.67
hostname "SWiTCH"
no web-management
web-management ssl
no telnet-server
ip ssh
interface 1
no lacp ; see [1] at the bottom of the page
exit
[...]
interface 26
no lacp
exit
vlan 1
name "XXXX"
untagged 1-26
exit
vlan 2
name "YYYYY"
ip address 192.168.2.1 255.255.255.0
ip helper-address 192.168.0.2
exit
aaa authentication port-access eap-radius
radius-server key testing123
radius-server timeout 1
radius-server dead-time 1
radius-server host 172.28.32.16
aaa port-access authenticator 17-24
aaa port-access authenticator 17 auth-vid 2
aaa port-access authenticator 17 unauth-vid 3
[...]
aaa port-access authenticator 24 auth-vid 2
aaa port-access authenticator 24 unauth-vid 3
aaa port-access authenticator active
aaa port-access 17-24
ip routing
gvrp
=======================
Installation of OpenSSL 0.9.8j:
=======================
$ wget http://www.openssl.org/source/openssl-0.9.8j.tar.gz
$ tar xzf openssl-0.9.8j.tar.gz
$ cd openssl-0.9.8j
$ ./config --prefix=/usr/local/openssl shared
$ make
$ sudo make install
======================
Installation of Freeradius 2.14:
======================
$ wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.3.tar.gz
$ tar xzf freeradius-server-2.1.3.tar.gz
$ cd freeradius-server-2.1.3
$ ./configure --with-openssl \
    --with-openssl-includes=/usr/local/openssl/include/ \
    --with-openssl-libraries=/usr/local/openssl/lib/
$ make
$ sudo make install
PS: If needed, run "sudo ldconfig" so the new OpenSSL libraries are found, and
in case of a configure error consult the file "config.log".
====================
Configuration of Freeradius:
====================
The main configuration files are:
- clients.conf (declares the switches, i.e. the NAS clients, and their shared secrets)
- radiusd.conf (listening ports)
- users (creates a local user base, or selects the method used for
authentication/authorization)
- eap.conf (selects the EAP method)
* File /usr/local/etc/raddb/clients.conf :
Declare your switch like this:
client 192.168.1.1 {
secret = testing123
}
* File /usr/local/etc/raddb/users :
At the bottom of the file, add (for testing purposes only):
DEFAULT Auth-Type = MS-CHAP
* File /usr/local/etc/raddb/eap.conf :
eap {
default_eap_type = peap
…
}
peap {
default_eap_type = mschapv2
…
}
===============================
Integrate the radius server to the domain:
===============================
* File /etc/samba/smb.conf :
[global]
# network name
workgroup = DOMAINTEST
# AD domain name (you have to add this line, it does not exist
# in the default config file)
realm = DOMAINTEST.LOCAL
# server's name
server string = Freeradius
# security mode
security = ADS
* File /etc/krb5.conf :
[libdefaults]
default_realm = DOMAINTEST.LOCAL
[realms]
DOMAINTEST.LOCAL = {
kdc = activedirectory.domaintest.local
admin_server = IP_of_AD_Server
default_domain = DOMAINTEST.LOCAL
}
[domain_realm]
domaintest.local = DOMAINTEST.LOCAL
* File /etc/resolv.conf :
nameserver IP_of_AD_Server
domain DOMAINTEST.LOCAL
search DOMAINTEST.LOCAL
* File /etc/nsswitch.conf :
passwd: files winbind
group: files winbind
======================
Testing to join the AD domain:
======================
$ sudo net ads join -U administrateur
If it succeeds, you will see:
Joined 'FREERADIUS' to realm 'test.fr'
PS: If needed, synchronize the time between the server running
Freeradius and the AD server (Kerberos rejects clients whose clock drifts too far):
$ sudo ntpdate IP_of_AD_Server
====================================
Authenticate with NTLM using EAP - PEAP:
====================================
=============
Testing purpose:
=============
$ sudo ntlm_auth --request-nt-key --domain=DOMAINTEST.LOCAL --username=existing_user
password: ******
If everything is fine, the command returns:
NT_STATUS_OK: Success (0x0)
======================================
Configuring Freeradius to use NTLM authentication:
======================================
* File /usr/local/etc/raddb/modules/mschap :
Uncomment the last line (the ntlm_auth setting) and modify it like this, on a single line:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-DOMAINTEST} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
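To see what that ntlm_auth line actually does at runtime, here is an added example (not from the original post or from FreeRADIUS itself) that models the mschap xlat expansion: it splits a DOMAIN\user login into its parts, falls back to the ":-default" values when a field is missing, derives the 8-byte MS-CHAPv2 challenge and the 24-byte NT-Response from the RADIUS attributes, and builds the argv that would be handed to ntlm_auth. The request dict and its byte values are constructed sample input; the xlat model is a simplification (MS-CHAPv2 only, no with_ntdomain_hack handling).

```python
import hashlib
import re

# The ntlm_auth line from the mschap module on this page, joined onto one line.
NTLM_AUTH_TEMPLATE = (
    "/usr/bin/ntlm_auth --request-nt-key"
    " --username=%{mschap:User-Name:-None}"
    " --domain=%{mschap:NT-Domain:-DOMAINTEST}"
    " --challenge=%{mschap:Challenge:-00}"
    " --nt-response=%{mschap:NT-Response:-00}"
)
XLAT_RE = re.compile(r"%\{mschap:([A-Za-z-]+)(?::-([^}]*))?\}")


def split_user(user_name):
    """'DOMAIN\\user' -> ('DOMAIN', 'user'); a bare login has no domain part."""
    if user_name and "\\" in user_name:
        return tuple(user_name.split("\\", 1))
    return None, user_name


def mschap_xlat(field, request):
    """Simplified model (assumption) of the rlm_mschap xlat for MS-CHAPv2.
    Returns None when a value cannot be derived, so the ':-default' applies."""
    domain, user = split_user(request.get("User-Name"))
    if field == "User-Name":
        return user
    if field == "NT-Domain":
        return domain
    auth_challenge = request.get("MS-CHAP-Challenge")   # 16 bytes from the NAS
    response = request.get("MS-CHAP2-Response")         # 50 bytes from the peer
    if not (user and auth_challenge and response and len(response) == 50):
        return None
    if field == "NT-Response":
        return response[26:50].hex()                    # 24-byte NT-Response
    if field == "Challenge":
        # MS-CHAPv2: challenge = SHA1(peer_challenge || auth_challenge || user)[:8]
        peer_challenge = response[2:18]
        digest = hashlib.sha1(peer_challenge + auth_challenge + user.encode()).digest()
        return digest[:8].hex()
    return None


def expand_ntlm_auth(request, template=NTLM_AUTH_TEMPLATE):
    """Expand the %{mschap:...:-default} references and return the argv list.
    FreeRADIUS execs the result directly (no shell), splitting on whitespace."""
    def sub(match):
        value = mschap_xlat(match.group(1), request)
        return value if value is not None else (match.group(2) or "")
    return XLAT_RE.sub(sub, template).split()
```

Note that only the challenge and the NT-Response reach ntlm_auth: the password itself never leaves the domain, which is why winbind must be joined to the domain before this works.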
=======================
Testing authentication process:
=======================
In one terminal, start the server in debug mode:
$ sudo radiusd -X -xx
And in another terminal:
$ sudo radtest user password localhost 0 testing123
You will receive (if everything goes well):
rad_recv: Access-Accept
===============================
Starting freeradius into background mode:
===============================
Just put this line into the /etc/rc.local file:
/usr/local/sbin/rc.radiusd start
[1] Link Aggregation Control Protocol (LACP) is part of an IEEE
specification (802.3ad) that allows you to bundle several physical ports
together to form a single logical channel. LACP allows a switch to negotiate
an automatic bundle by sending LACP packets to the peer.
--
View this message in context: http://www.nabble.com/-How-To--Freeradius-2.14-%28PEAP-%E2%80%93-MSCHAP%29-tp22433641p22433641.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.