3. Authentication Server: Setting up FreeRADIUS

FreeRADIUS is a fully GPLed RADIUS server implementation. It supports a wide range of authentication mechanisms, but PEAP is used for the example in this document.

3.1. Installing FreeRADIUS

Installing FreeRADIUS

  1. Head over to the FreeRADIUS site, http://www.freeradius.org/, and download the latest release.

    
    # cd /usr/local/src
    # wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.0.0.tar.gz
    # tar zxfv freeradius-1.0.0.tar.gz
    # cd freeradius-1.0.0
      
  2. Configure, make and install:

    
    # ./configure
    # make
    # make install
       

    You can pass options to configure. Use ./configure --help or read the README file, for more information.

The binaries are installed in /usr/local/bin and /usr/local/sbin. The configuration files are found under /usr/local/etc/raddb.

If something went wrong, check the INSTALL and README included with the source. The RADIUS FAQ also contains valuable information.

3.2. Configuring FreeRADIUS

FreeRADIUS has a big and mighty configuration file. It's so big, it has been split into several smaller files that are just "included" into the main radiusd.conf file.

There are numerous ways of using and setting up FreeRADIUS to do what you want: e.g., fetch user information from LDAP, SQL, PDC, Kerberos, etc. In this document, user information from a plain text file, users, is used.

Tip

The configuration files are thoroughly commented, and, if that is not enough, the doc/ folder that comes with the source contains additional information.

Configuring FreeRADIUS

  1. The configuration files can be found under /usr/local/etc/raddb/

    
    # cd /usr/local/etc/raddb/
       
  2. Open the main configuration file radiusd.conf, and read the comments! Inside the encrypted PEAP tunnel, an MS-CHAPv2 authentication mechanism is used.

    1. MPPE [RFC3078] is responsible for sending the PMK to the AP. Make sure the following settings are set:

      
      # under MODULES, make sure mschap is uncommented!
      mschap {
          # authtype value, if present, will be used
          # to overwrite (or add) Auth-Type during
          # authorization. Normally, should be MS-CHAP
          authtype = MS-CHAP

          # if use_mppe is not set to no, mschap will
          # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
          # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
          #
          use_mppe = yes

          # if mppe is enabled, require_encryption makes
          # encryption moderate
          #
          require_encryption = yes

          # require_strong always requires 128 bit key
          # encryption
          #
          require_strong = yes

          # The module can perform authentication itself, OR
          # use a Windows Domain Controller. See the radiusd.conf file
          # for how to do this.
      }
          
    2. Also make sure the "authorize" and "authenticate" sections contain:

      
      authorize {
          preprocess
          mschap
          suffix
          eap
          files
      }

      authenticate {
          #
          #  MSCHAP authentication.
          Auth-Type MS-CHAP {
              mschap
          }

          #
          #  Allow EAP authentication.
          eap
      }
          
  3. Then, change the clients.conf file to specify what network it's serving:

    
    # Here, we specify which network we're serving
    client 192.168.0.0/16 {
        # This is the shared secret between the Authenticator (the
        # access point) and the Authentication Server (RADIUS).
        secret          = SharedSecret99
        shortname       = testnet
    }
       
  4. The eap.conf should also be pretty straightforward.

    1. Set "default_eap_type" to "peap":

      
      default_eap_type = peap
           
    2. Since PEAP is using TLS, the TLS section must contain:

      
      tls {
          # The private key password
          private_key_password = SecretKeyPass77
          # The private key
          private_key_file = ${raddbdir}/certs/cert-srv.pem
          #  Trusted Root CA list
          CA_file = ${raddbdir}/certs/demoCA/cacert.pem
          dh_file = ${raddbdir}/certs/dh
          random_file = /dev/urandom
      }
          
    3. Find the "peap" section, and make sure it contains the following:

      
      peap {
              #  The tunneled EAP session needs a default
              #  EAP type, which is separate from the one for
              #  the non-tunneled EAP module.  Inside of the
              #  PEAP tunnel, we recommend using MS-CHAPv2,
              #  as that is the default type supported by
              #  Windows clients.
              default_eap_type = mschapv2
            }
            
  5. The user information is stored in a plain text file users. A more sophisticated solution to store user information may be preferred (SQL, LDAP, PDC, etc.).

    Make sure the users file contains the following entry:

    
   "testuser"      User-Password == "Secret149"
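
The settings from the steps above can be checked before radiusd is started. The following is an added example, not part of the original tutorial or of FreeRADIUS: it flags required values that are missing or weakened, secrets left at the values printed on this page, and a shared secret spread over a wide client network. The names `settings` and `audit`, the /24 threshold, and the sample text are assumptions of this example, and the parser covers only the `name { key = value }` syntax shown on this page.

```python
import ipaddress

TUTORIAL_SECRETS = {"SharedSecret99", "SecretKeyPass77", "Secret149"}  # printed above
REQUIRED = {("mschap", "use_mppe"): "yes", ("mschap", "require_encryption"): "yes",
            ("mschap", "require_strong"): "yes", ("eap", "default_eap_type"): "peap",
            ("peap", "default_eap_type"): "mschapv2"}  # (section, key) -> value from the steps

def settings(text):  # yields (innermost section header, key, value)
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}" and stack:
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            yield (stack[-1] if stack else "", key, value.strip('"'))

def audit(text, min_prefix=24):  # min_prefix is this example's threshold, an assumption
    seen = {(sec, key): val for sec, key, val in settings(text)}
    findings = [f"{sec}.{key} is {seen.get((sec, key))!r}, expected {want!r}"
                for (sec, key), want in REQUIRED.items() if seen.get((sec, key)) != want]
    for (sec, key), val in seen.items():
        if val in TUTORIAL_SECRETS:
            findings.append(f"{sec}.{key} still holds a secret published in the tutorial")
        if sec.startswith("client ") and key == "secret" and "/" in sec:
            if ipaddress.ip_network(sec.split()[1], strict=False).prefixlen < min_prefix:
                findings.append(f"{sec}: one shared secret covers more than a /{min_prefix}")
    return findings

# Constructed excerpt: the tutorial's settings with require_strong weakened.
SAMPLE = """mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = no
}
client 192.168.0.0/16 {
    secret = SharedSecret99
}
eap {
    default_eap_type = peap
    peap {
        default_eap_type = mschapv2
    }
}"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To audit a real installation, pass `audit` the concatenated text of radiusd.conf, eap.conf and clients.conf from /usr/local/etc/raddb/.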
       
Copyright © 2004. All rights reserved.