<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML
><HEAD
><TITLE
>Authentication Server: Setting up FreeRADIUS</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="802.1X Port-Based Authentication HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Obtaining Certificates"
HREF="cert.html"><LINK
REL="NEXT"
TITLE="Supplicant: Setting up Xsupplicant"
HREF="xsupplicant.html"></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>802.1X Port-Based Authentication HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="cert.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="xsupplicant.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="FreeRADIUS"
></A
>3. Authentication Server: Setting up FreeRADIUS</H1
><P
> <SPAN
CLASS="application"
>FreeRADIUS</SPAN
> is a fully GPLed RADIUS server
implementation. It supports a wide range of authentication mechanisms,
but PEAP is used for the example in this document.
</P
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="instradius"
></A
>3.1. Installing FreeRADIUS</H2
><DIV
CLASS="procedure"
><P
><B
>Installing FreeRADIUS</B
></P
><OL
TYPE="1"
><LI
><P
> Head over to the <SPAN
CLASS="application"
>FreeRADIUS</SPAN
> site, <A
HREF="http://www.freeradius.org/"
TARGET="_top"
>http://www.freeradius.org/</A
>,
and download the latest release.
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
> <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>cd </B
>/usr/local/src</B
></TT
>
<TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>wget </B
>ftp://ftp.freeradius.org/pub/radius/freeradius-1.0.0.tar.gz</B
></TT
>
<TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>tar </B
>zxfv freeradius-1.0.0.tar.gz</B
></TT
>
<TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>cd </B
>freeradius-1.0.0</B
></TT
>
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
> Configure, make and install:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
> <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>./configure</B
></B
></TT
>
<TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>make</B
></B
></TT
>
<TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>make install</B
></B
></TT
>
</PRE
></FONT
></TD
></TR
></TABLE
><P
> <EM
>You can pass options to
<B
CLASS="command"
>configure</B
>. Use <B
CLASS="command"
>./configure
--help</B
> or read the README file, for more
information.</EM
>
</P
></LI
></OL
></DIV
><P
> The binaries are installed in <TT
CLASS="filename"
>/usr/local/bin</TT
> and
<TT
CLASS="filename"
>/usr/local/sbin</TT
>. The configuration files are found
under <TT
CLASS="filename"
>/usr/local/etc/raddb</TT
>.
</P
><P
> If something went wrong, check the <TT
CLASS="filename"
>INSTALL</TT
> and
<TT
CLASS="filename"
>README</TT
> included with the source. The <A
HREF="http://www.freeradius.org/faq/"
TARGET="_top"
>RADIUS FAQ</A
> also contains
valuable information.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="confradius"
></A
>3.2. Configuring FreeRADIUS</H2
><P
> <SPAN
CLASS="application"
>FreeRADIUS</SPAN
> has a big and mighty
configuration file. It's so big, it has been split into several
smaller files that are just <SPAN
CLASS="QUOTE"
>"included"</SPAN
> into the main
<TT
CLASS="filename"
>radius.conf</TT
> file.
</P
><P
> There is numerous ways of using and setting up FreeRADIUS to do
what you want: i.e., fetch user information from LDAP, SQL, PDC,
Kerberos, etc. In this document, user information from a plain text
file, <TT
CLASS="filename"
>users</TT
>, is used.
</P
><DIV
CLASS="tip"
><P
></P
><TABLE
CLASS="tip"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/tip.gif"
HSPACE="5"
ALT="Tip"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
> The configuration files are thoroughly commented, and, if that is not
enough, the <TT
CLASS="filename"
>doc/</TT
> folder that comes with the source
contains additional information.
</P
></TD
></TR
></TABLE
></DIV
><DIV
CLASS="procedure"
><P
><B
>Configuring FreeRADIUS</B
></P
><OL
TYPE="1"
><LI
><P
> The configuration files can be found under <TT
CLASS="filename"
>/usr/local/etc/raddb/</TT
>
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
> <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>cd </B
>/usr/local/etc/raddb/</B
></TT
>
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
> Open the main configuration file <TT
CLASS="filename"
>radiusd.conf</TT
>,
<EM
>and read the comments!</EM
> Inside the encrypted
PEAP tunnel, an MS-CHAPv2 authentication mechanism is used.
</P
><OL
CLASS="SUBSTEPS"
TYPE="a"
><LI
><P
> MPPE [<A
HREF="http://www.ietf.org/rfc/rfc3078.txt"
TARGET="_top"
>RFC3078</A
>] is
responsible for sending the PMK to the AP. Make sure the following
settings are set:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
> # under MODULES, make sure mschap is uncommented!
mschap {
# authtype value, if present, will be used
# to overwrite (or add) Auth-Type during
# authorization. Normally, should be MS-CHAP
authtype = MS-CHAP
# if use_mppe is not set to no, mschap will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
#
use_mppe = yes
# if mppe is enabled, require_encryption makes
# encryption moderate
#
require_encryption = yes
# require_strong always requires 128 bit key
# encryption
#
require_strong = yes
authtype = MS-CHAP
# The module can perform authentication itself, OR
# use a Windows Domain Controller. See the radius.conf file
# for how to do this.
}
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
> Also make sure the <SPAN
CLASS="QUOTE"
>"authorize"</SPAN
> and
<SPAN
CLASS="QUOTE"
>"authenticate"</SPAN
> contains:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
> authorize {
preprocess
mschap
suffix
eap
files
}
authenticate {
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
#
# Allow EAP authentication.
eap
}
</PRE
></FONT
></TD
></TR
></TABLE
></LI
></OL
></LI
><LI
><P
> Then, change the <TT
CLASS="filename"
>clients.conf</TT
> file to specify
what network it's serving:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
> # Here, we specify which network we're serving
client 192.168.0.0/16 {
# This is the shared secret between the Authenticator (the
# access point) and the Authentication Server (RADIUS).
secret = SharedSecret99
shortname = testnet
}
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
> The <TT
CLASS="filename"
>eap.conf</TT
> should also be pretty
straightforward.
</P
><OL
CLASS="SUBSTEPS"
TYPE="a"
><LI
><P
> Set <SPAN
CLASS="QUOTE"
>"default_eap_type"</SPAN
> to <SPAN
CLASS="QUOTE"
>"peap"</SPAN
>:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
> default_eap_type = peap
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
> Since PEAP is using TLS, the TLS section must contain:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
> tls {
# The private key password
private_key_password = SecretKeyPass77
# The private key
private_key_file = ${raddbdir}/certs/cert-srv.pem
# Trusted Root CA list
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = /dev/urandom
}
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
> Find the <SPAN
CLASS="QUOTE"
>"peap"</SPAN
> section, and make sure it contain
the following:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
> peap {
# The tunneled EAP session needs a default
# EAP type, which is separate from the one for
# the non-tunneled EAP module. Inside of the
# PEAP tunnel, we recommend using MS-CHAPv2,
# as that is the default type supported by
# Windows clients.
default_eap_type = mschapv2
}
</PRE
></FONT
></TD
></TR
></TABLE
></LI
></OL
></LI
><LI
><P
> The user information is stored in a plain text file
<TT
CLASS="filename"
>users</TT
>. A more sophisticated solution to store
user information may be preferred (SQL, LDAP, PDC, etc.).
</P
><P
> Make sure the <TT
CLASS="filename"
>users</TT
> file contains the
following entry:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
> "testuser" User-Password == "Secret149"
</PRE
></FONT
></TD
></TR
></TABLE
></LI
></OL
></DIV
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="cert.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="xsupplicant.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Obtaining Certificates</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
> </TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Supplicant: Setting up Xsupplicant</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
