<yambe:breadcrumb self="Enabling PEAP">Freeradius configuration|Freeradius configuration</yambe:breadcrumb>

Enabling peap with freeRADIUS

Note that below steps just work upto enabling peap without causing any startup problems. The settings could not be tested with any NAS client as LinkSYS switch was not available.

1. Open '/etc/raddb/radiusd.conf file.
   1. In modules, go to mschap sub-section and do following changes:
      • Add 'use_mppe=yes'
      • Uncomment 'require_encryption=yes'
      • Uncomment 'require_strong=yes'
   2. Verify that 'authorize' section has line 'mschap'
   3. Verify that authenticate section has lines

      Auth_Type MS-CHAP {
          mschap
      }

2. Edit '/etc/raddb/eap.conf' file and do following modifications:
   1. Change 'default_eap_type' from 'md5' to 'peap'.
   2. Uncomment

      peap {
          default_eap_type=mschapv2
      }

3. Configure yum and install/update 'openssl'
4. Search for file with name 'ssl.conf' or 'openssl.conf' using locate command. Sometimes the file is named '/etc/ssl/ssl.conf'. In CentOS 5.4 the file is named '/etc/pki/tls/openssl.conf'
   1. Edit the file in following manner
      • In '[CA_default]' section change to

        dir = certificates      #Where everything is kept
        default_days = 3650

      • In 'req_distinguished_name' section

        countryName_default = IN
        stateOrProvinceName_default = AP
        localityName_default = Hyderabad
        0.organizationName_default = Rekall Software
        commonName=Common Name    (Uncomment this line)
        emailAddress_default = saurabh@example.com

5. Search for file with name 'CA' or 'CA.sh'. In Cent OS 5.4 the file is located in folder '/etc/pki/tls/misc'. Change value for 'CATOP' defined in this file to 'certificates'.
6. Go to folder '/etc/pki/tls' and run command './misc/CA -newca'. (Here it is important to come to folder '/etc/pki/tls' before we run the shell script as the name of folder 'certificates' that we entered during earlier modifications is relative and we want the folder certificates to be created in '/etc/pki/tls')
   1. Enter PEM passphrase as 'rekall123' during testing. Let other things have default value as we entered in SSL configuration file. For common name we can use something like 'ca.barjatiya.com'. Optional challenge password can also be 'rekall123' and company name 'Rekall Software'. Enter the first passphrase again and the certificate will get generated.
7. Use commands

   openssl req -new -nodes -keyout radiuskey.pem -out radiusreq.pem
   openssl ca -out radius_cert.pem -infiles ./radiusreq.pem

   Enter passphrase used while creating CA and we will get a files 'radius_cert.pem' and 'radiuskey.pem' to be used in freeRADIUS server.

8. Run following commands (most of them are self explanatory)

   cd /etc/pki/tls
   cp radius_cert.pem radiuskey.pem /etc/raddb
   cp certificates/cacert.pem /etc/raddb
   cd /etc/raddb
   openssl dhparam -check -text -5 512 -out dh
   dd if=/dev/random of=random count=2
   chown radiusd:radiusd dh random radiuskey.prem radius_cert.pem
   chmod 0400 dh random radiuskey.prem radius_cert.pem
   chown root:radiusd cacert.pem
   chmod 0444 cacert.pem

9. Edit file '/etc/raddb/eap.conf'. In section modules -> eap -> tls add/uncomment following entries

   private_key_file = ${raddbdir}/radiuskey.pem
   certificate_file = ${raddbdir}/radius_cert.pem
   CA_file = ${raddbdir}/cacert.pem
   dh_file = ${raddbdir}/dh
   random_file = ${raddbdir}/random

10. Start radiusd using '/usr/sbin/radiusd -X' and ensure that it is working. If it is not working check every ssmall detail from start to this sstep. In case you do not find the problem search for error message on web search engines and try to resolve the problem. Document steps and error message you receive here.

<yambe:breadcrumb self="Enabling PEAP">Freeradius configuration|Freeradius configuration</yambe:breadcrumb>