Freeradius Eduroam

  • Topic: Authentication, AAA protocol, Extensible Authentication Protocol
  • Pages: 5 (1328 words)
  • Published : June 10, 2012
Configuring PEAP / LDAP based authentication using FreeRADIUS on Debian Sarge and Cisco AP1200, with WPA2 AES encryption

Ivan Klimek Computer Networks Laboratory Technical University Kosice, Slovakia http://www.cnl.tuke.sk

1. Introduction
This document describes the configuration steps needed to set up and use 802.1X Port-Based Network Access Control with PEAP (PEAP/MSCHAPv2) as the authentication method, FreeRADIUS as the back-end authentication server running on Debian Sarge, a Cisco AP1200 series access point as the authenticator, and the built-in Windows XP supplicant.

2. FreeRADIUS

2.1 Before the installation
    apt-get install libssl-dev
    apt-get build-dep freeradius

2.2 Working with the source
- getting the source code:
    apt-get source freeradius
- unpacking, compile, make, make install (the filename can be different):
    tar zxfv freeradius-1.0.4.tar.gz
    cd freeradius-1.0.4
    ./configure --disable-shared
    make
    make install

2.3 Configuring FreeRADIUS
- the binaries are installed in /usr/local/bin and /usr/local/sbin. The configuration files are found under /usr/local/etc/raddb.
    cd /usr/local/etc/raddb

- Open the main configuration file radiusd.conf. Inside the encrypted PEAP tunnel, an MS-CHAPv2 authentication mechanism is used.
- the mschap module section should look like this:

    mschap {
        #
        # As of 0.9, the mschap module does NOT support
        # reading from /etc/smbpasswd.
        #
        # If you are using /etc/smbpasswd, see the 'passwd'
        # module for an example of how to use /etc/smbpasswd
        #
        # authtype value, if present, will be used
        # to overwrite (or add) Auth-Type during
        # authorization. Normally should be MS-CHAP
        authtype = MS-CHAP

        # if use_mppe is not set to no mschap will
        # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
        # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
        #
        # use_mppe = yes

        # if mppe is enabled require_encryption makes
        # encryption moderate
        #
        # require_encryption = yes

        # require_strong always requires 128 bit key
        # encryption
        #
        # require_strong = yes

        # Windows sends us a username in the form of
        # DOMAIN\user, but sends the challenge response
        # based on only the user portion. This hack
        # corrects for that incorrect behavior.
        #
        #with_ntdomain_hack = no

        # The module can perform authentication itself, OR
        # use a Windows Domain Controller. This configuration
        # directive tells the module to call the ntlm_auth
        # program, which will do the authentication, and return
        # the NT-Key. Note that you MUST have "winbindd" and
        # "nmbd" running on the local machine for ntlm_auth
        # to work. See the ntlm_auth program documentation
        # for details.
        #
        # Be VERY careful when editing the following line!
        #
        #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }

- configuring LDAP support:
    # Lightweight Directory Access Protocol (LDAP)
    #
    # This module definition allows you to use LDAP for
    # authorization and authentication (Auth-Type := LDAP)
    #
    # See doc/rlm_ldap for description of configuration options
    # and sample authorize{} and authenticate{} blocks
    ldap {
        server = "10.0.0.4"
        identity = "cn=wifiadmin-ro,cn=ServiceAdmins,ou=LdapAdmins,dc=sk"
        password = "password"
        basedn = "dc=wifi.cnl.tuke.sk,ou=People,dc=sk"
        filter = "(eapLogin=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        tls_mode = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = eapUserPassword
        reply_attribute = eapUserPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

- Also make sure the "authorize" and "authenticate" sections contain:

    authorize {
        preprocess
        mschap
        suffix
        eap
        files
        ldap
    }

    authenticate {
        #
        # MSCHAP authentication.
        Auth-Type MS-CHAP {
            mschap
        }
        #
        # Allow EAP authentication.
        eap
    }

- open the file clients.conf, which specifies the APs the authentication server will be serving. A sample:

    client 10.0.0.1 {
        secret = secret
        shortname = test
    }

- this specifies the IP address of the AP. Secret stands for shared...
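As an added example (not part of the original document or of FreeRADIUS itself), the Python below parses flat top-level radiusd.conf / clients.conf blocks like the ones above and flags the settings a reviewer would question in this deployment: LDAP without TLS, a placeholder bind password, require_strong left unset, and a guessable RADIUS shared secret. It assumes the FreeRADIUS 1.x flat block syntax with the closing brace at column 0; nested sub-blocks such as Auth-Type MS-CHAP { ... } are not handled.

```python
import re

# Constructed sample built from the document's own blocks (abridged, flat).
SAMPLE_CONF = """\
mschap {
    authtype = MS-CHAP
    # require_strong = yes
}
ldap {
    server = "10.0.0.4"
    identity = "cn=wifiadmin-ro,cn=ServiceAdmins,ou=LdapAdmins,dc=sk"
    password = "password"
    start_tls = no
    tls_mode = no
    password_attribute = eapUserPassword
}
client 10.0.0.1 {
    secret = secret
    shortname = test
}
"""

# Top-level "name {" ... "}" block; the closing brace must sit at column 0.
BLOCK_RE = re.compile(r"^([^\s{#][^{\n]*?)\s*\{\s*\n(.*?)^\}", re.S | re.M)
# key = value, value optionally double-quoted, trailing whitespace ignored.
KV_RE = re.compile(r'^\s*([\w.-]+)\s*=\s*"?([^"\n#]*?)"?\s*$', re.M)

def parse_blocks(text):
    """Return {block_name: {key: value}}; commented-out lines are not settings."""
    blocks = {}
    for name, body in BLOCK_RE.findall(text):
        live = [l for l in body.splitlines() if not l.lstrip().startswith("#")]
        blocks[name] = dict(KV_RE.findall("\n".join(live)))
    return blocks

def audit(blocks):
    """Flag settings in these blocks that weaken the PEAP/LDAP deployment."""
    findings = []
    ldap = blocks.get("ldap", {})
    if ldap and ldap.get("start_tls", "no") == "no" and ldap.get("tls_mode", "no") == "no":
        findings.append("ldap: no TLS to the directory; the bind password and "
                        "eapUserPassword values cross the network in cleartext")
    if ldap and ldap.get("password", "") in ("", "password"):
        findings.append("ldap: bind password is empty or the placeholder 'password'")
    if blocks.get("mschap", {}).get("require_strong") != "yes":
        findings.append("mschap: require_strong is not 'yes'; 128-bit MPPE keys are not enforced")
    for name, kv in blocks.items():
        if name.startswith("client ") and kv.get("secret", "") in ("", "secret", "testing123"):
            findings.append(f"{name}: RADIUS shared secret is empty or a well-known default")
    return findings
```

Running audit(parse_blocks(SAMPLE_CONF)) on the sample reports all four findings; a cleaned-up configuration should return an empty list.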