<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML ><HEAD ><TITLE >Authentication Server: Setting up FreeRADIUS</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK REL="HOME" TITLE="802.1X Port-Based Authentication HOWTO" HREF="index.html"><LINK REL="PREVIOUS" TITLE="Obtaining Certificates" HREF="cert.html"><LINK REL="NEXT" TITLE="Supplicant: Setting up Xsupplicant" HREF="xsupplicant.html"></HEAD ><BODY CLASS="sect1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >802.1X Port-Based Authentication HOWTO</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="cert.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" ></TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="xsupplicant.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="sect1" ><H1 CLASS="sect1" ><A NAME="FreeRADIUS" ></A >3. Authentication Server: Setting up FreeRADIUS</H1 ><P > <SPAN CLASS="application" >FreeRADIUS</SPAN > is a fully GPLed RADIUS server implementation. It supports a wide range of authentication mechanisms, but PEAP is used for the example in this document. </P ><DIV CLASS="sect2" ><H2 CLASS="sect2" ><A NAME="instradius" ></A >3.1. Installing FreeRADIUS</H2 ><DIV CLASS="procedure" ><P ><B >Installing FreeRADIUS</B ></P ><OL TYPE="1" ><LI ><P > Head over to the <SPAN CLASS="application" >FreeRADIUS</SPAN > site, <A HREF="http://www.freeradius.org/" TARGET="_top" >http://www.freeradius.org/</A >, and download the latest release. </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" > <TT CLASS="prompt" ># </TT ><TT CLASS="userinput" ><B ><B CLASS="command" >cd </B >/usr/local/src</B ></TT > <TT CLASS="prompt" ># </TT ><TT CLASS="userinput" ><B ><B CLASS="command" >wget </B >ftp://ftp.freeradius.org/pub/radius/freeradius-1.0.0.tar.gz</B ></TT > <TT CLASS="prompt" ># </TT ><TT CLASS="userinput" ><B ><B CLASS="command" >tar </B >zxfv freeradius-1.0.0.tar.gz</B ></TT > <TT CLASS="prompt" ># </TT ><TT CLASS="userinput" ><B ><B CLASS="command" >cd </B >freeradius-1.0.0</B ></TT > </PRE ></FONT ></TD ></TR ></TABLE ></LI ><LI ><P > Configure, make and install: </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" > <TT CLASS="prompt" ># </TT ><TT CLASS="userinput" ><B ><B CLASS="command" >./configure</B ></B ></TT > <TT CLASS="prompt" ># </TT ><TT CLASS="userinput" ><B ><B CLASS="command" >make</B ></B ></TT > <TT CLASS="prompt" ># </TT ><TT CLASS="userinput" ><B ><B CLASS="command" >make install</B ></B ></TT > </PRE ></FONT ></TD ></TR ></TABLE ><P > <EM >You can pass options to <B CLASS="command" >configure</B >. Use <B CLASS="command" >./configure --help</B > or read the README file, for more information.</EM > </P ></LI ></OL ></DIV ><P > The binaries are installed in <TT CLASS="filename" >/usr/local/bin</TT > and <TT CLASS="filename" >/usr/local/sbin</TT >. The configuration files are found under <TT CLASS="filename" >/usr/local/etc/raddb</TT >. </P ><P > If something went wrong, check the <TT CLASS="filename" >INSTALL</TT > and <TT CLASS="filename" >README</TT > included with the source. The <A HREF="http://www.freeradius.org/faq/" TARGET="_top" >RADIUS FAQ</A > also contains valuable information. </P ></DIV ><DIV CLASS="sect2" ><H2 CLASS="sect2" ><A NAME="confradius" ></A >3.2. Configuring FreeRADIUS</H2 ><P > <SPAN CLASS="application" >FreeRADIUS</SPAN > has a big and mighty configuration file. It's so big, it has been split into several smaller files that are just <SPAN CLASS="QUOTE" >"included"</SPAN > into the main <TT CLASS="filename" >radius.conf</TT > file. </P ><P > There is numerous ways of using and setting up FreeRADIUS to do what you want: i.e., fetch user information from LDAP, SQL, PDC, Kerberos, etc. In this document, user information from a plain text file, <TT CLASS="filename" >users</TT >, is used. </P ><DIV CLASS="tip" ><P ></P ><TABLE CLASS="tip" WIDTH="100%" BORDER="0" ><TR ><TD WIDTH="25" ALIGN="CENTER" VALIGN="TOP" ><IMG SRC="../images/tip.gif" HSPACE="5" ALT="Tip"></TD ><TD ALIGN="LEFT" VALIGN="TOP" ><P > The configuration files are thoroughly commented, and, if that is not enough, the <TT CLASS="filename" >doc/</TT > folder that comes with the source contains additional information. </P ></TD ></TR ></TABLE ></DIV ><DIV CLASS="procedure" ><P ><B >Configuring FreeRADIUS</B ></P ><OL TYPE="1" ><LI ><P > The configuration files can be found under <TT CLASS="filename" >/usr/local/etc/raddb/</TT > </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" > <TT CLASS="prompt" ># </TT ><TT CLASS="userinput" ><B ><B CLASS="command" >cd </B >/usr/local/etc/raddb/</B ></TT > </PRE ></FONT ></TD ></TR ></TABLE ></LI ><LI ><P > Open the main configuration file <TT CLASS="filename" >radiusd.conf</TT >, <EM >and read the comments!</EM > Inside the encrypted PEAP tunnel, an MS-CHAPv2 authentication mechanism is used. </P ><OL CLASS="SUBSTEPS" TYPE="a" ><LI ><P > MPPE [<A HREF="http://www.ietf.org/rfc/rfc3078.txt" TARGET="_top" >RFC3078</A >] is responsible for sending the PMK to the AP. Make sure the following settings are set: </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > # under MODULES, make sure mschap is uncommented! mschap { # authtype value, if present, will be used # to overwrite (or add) Auth-Type during # authorization. Normally, should be MS-CHAP authtype = MS-CHAP # if use_mppe is not set to no, mschap will # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 # use_mppe = yes # if mppe is enabled, require_encryption makes # encryption moderate # require_encryption = yes # require_strong always requires 128 bit key # encryption # require_strong = yes authtype = MS-CHAP # The module can perform authentication itself, OR # use a Windows Domain Controller. See the radius.conf file # for how to do this. } </PRE ></FONT ></TD ></TR ></TABLE ></LI ><LI ><P > Also make sure the <SPAN CLASS="QUOTE" >"authorize"</SPAN > and <SPAN CLASS="QUOTE" >"authenticate"</SPAN > contains: </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > authorize { preprocess mschap suffix eap files } authenticate { # # MSCHAP authentication. Auth-Type MS-CHAP { mschap } # # Allow EAP authentication. eap } </PRE ></FONT ></TD ></TR ></TABLE ></LI ></OL ></LI ><LI ><P > Then, change the <TT CLASS="filename" >clients.conf</TT > file to specify what network it's serving: </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > # Here, we specify which network we're serving client 192.168.0.0/16 { # This is the shared secret between the Authenticator (the # access point) and the Authentication Server (RADIUS). secret = SharedSecret99 shortname = testnet } </PRE ></FONT ></TD ></TR ></TABLE ></LI ><LI ><P > The <TT CLASS="filename" >eap.conf</TT > should also be pretty straightforward. </P ><OL CLASS="SUBSTEPS" TYPE="a" ><LI ><P > Set <SPAN CLASS="QUOTE" >"default_eap_type"</SPAN > to <SPAN CLASS="QUOTE" >"peap"</SPAN >: </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > default_eap_type = peap </PRE ></FONT ></TD ></TR ></TABLE ></LI ><LI ><P > Since PEAP is using TLS, the TLS section must contain: </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > tls { # The private key password private_key_password = SecretKeyPass77 # The private key private_key_file = ${raddbdir}/certs/cert-srv.pem # Trusted Root CA list CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom } </PRE ></FONT ></TD ></TR ></TABLE ></LI ><LI ><P > Find the <SPAN CLASS="QUOTE" >"peap"</SPAN > section, and make sure it contain the following: </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > peap { # The tunneled EAP session needs a default # EAP type, which is separate from the one for # the non-tunneled EAP module. Inside of the # PEAP tunnel, we recommend using MS-CHAPv2, # as that is the default type supported by # Windows clients. default_eap_type = mschapv2 } </PRE ></FONT ></TD ></TR ></TABLE ></LI ></OL ></LI ><LI ><P > The user information is stored in a plain text file <TT CLASS="filename" >users</TT >. A more sophisticated solution to store user information may be preferred (SQL, LDAP, PDC, etc.). </P ><P > Make sure the <TT CLASS="filename" >users</TT > file contains the following entry: </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" > "testuser" User-Password == "Secret149" </PRE ></FONT ></TD ></TR ></TABLE ></LI ></OL ></DIV ></DIV ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="cert.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" ACCESSKEY="H" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="xsupplicant.html" ACCESSKEY="N" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >Obtaining Certificates</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" > </TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >Supplicant: Setting up Xsupplicant</TD ></TR ></TABLE ></DIV ></BODY ></HTML >