Enabling peap authentication with freeRADIUS server

From Notes_Wiki
Revision as of 18:05, 17 August 2018 by Saurabh (talk | contribs)


Enabling peap with freeRADIUS

Note that the steps below only go as far as enabling PEAP without causing startup problems. The settings could not be tested against any NAS client, as a Linksys switch was not available.

  1. Open the '/etc/raddb/radiusd.conf' file.
    1. In modules, go to the mschap sub-section and make the following changes:
      • Add 'use_mppe=yes'
      • Uncomment 'require_encryption=yes'
      • Uncomment 'require_strong=yes'
    2. Verify that the 'authorize' section has the line 'mschap'
    3. Verify that the authenticate section has the lines
      Auth-Type MS-CHAP {
          mschap
      }
  2. Edit the '/etc/raddb/eap.conf' file and make the following modifications:
    1. Change 'default_eap_type' from 'md5' to 'peap'.
    2. Uncomment
      peap {
          default_eap_type=mschapv2
      }
  3. Configure yum and install/update 'openssl'
  4. Search for a file named 'ssl.conf' or 'openssl.conf' using the locate command. Sometimes the file is named '/etc/ssl/ssl.conf'. In CentOS 5.4 the file is named '/etc/pki/tls/openssl.conf'
    1. Edit the file in the following manner
      • In the '[CA_default]' section change to
        dir = certificates #Where everything is kept
        default_days = 3650
      • In the 'req_distinguished_name' section set
        countryName_default = IN
        stateOrProvinceName_default = AP
        localityName_default = Hyderabad
        0.organizationName_default = IIIT Hyderabad
        commonName=Common Name (Uncomment this line)
        emailAddress_default = saurabh.barjatiya@iiit.ac.in
  5. Search for a file named 'CA' or 'CA.sh'. In CentOS 5.4 the file is located in the folder '/etc/pki/tls/misc'. Change the value of 'CATOP' defined in this file to 'certificates'.
  6. Go to the folder '/etc/pki/tls' and run the command './misc/CA -newca'. (It is important to change to '/etc/pki/tls' before running the shell script: the folder name 'certificates' entered during the earlier modifications is relative, and we want the 'certificates' folder to be created in '/etc/pki/tls'.)
    1. Enter the PEM passphrase as 'iiit123' during testing. Leave the other fields at the defaults we entered in the SSL configuration file. For the common name we can use something like 'ca.barjatiya.com'. The optional challenge password can also be 'iiit123' and the company name 'IIIT Hyderabad'. Enter the first passphrase again and the certificate will be generated.
  7. Run the commands
    openssl req -new -nodes -keyout radiuskey.pem -out radiusreq.pem
    openssl ca -out radius_cert.pem -infiles ./radiusreq.pem
    Enter the passphrase used while creating the CA and we get the files 'radius_cert.pem' and 'radiuskey.pem' to be used in the freeRADIUS server.
  8. Run the following commands (most of them are self explanatory)
    cd /etc/pki/tls
    cp radius_cert.pem radiuskey.pem /etc/raddb
    cp certificates/cacert.pem /etc/raddb
    cd /etc/raddb
    openssl dhparam -check -text -5 512 -out dh
    dd if=/dev/random of=random count=2
    chown radiusd:radiusd dh random radiuskey.pem radius_cert.pem
    chmod 0400 dh random radiuskey.pem radius_cert.pem
    chown root:radiusd cacert.pem
    chmod 0444 cacert.pem
  9. Edit the file '/etc/raddb/eap.conf'. In the section modules -> eap -> tls add/uncomment the following entries
    private_key_file = ${raddbdir}/radiuskey.pem
    certificate_file = ${raddbdir}/radius_cert.pem
    CA_file = ${raddbdir}/cacert.pem
    dh_file = ${raddbdir}/dh
    random_file = ${raddbdir}/random
  10. Start radiusd using '/usr/sbin/radiusd -X' and ensure that it is working. If it is not working, check every small detail from the start to this step. In case you do not find the problem, search for the error message on web search engines and try to resolve it. Document the steps and the error messages you receive here.
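Before running 'radiusd -X', it helps to confirm that the files from steps 7 to 9 are what the eap.conf tls section expects. The script below is an added example, not part of the wiki page or of freeRADIUS; it assumes GNU stat (Linux), that the private files are owned by the user named in RADIUS_USER (radiusd by default), and that openssl is installed for the chain check.

```shell
#!/bin/sh
# Added example (not from the wiki page): sanity-check the files step 8 put in
# /etc/raddb before starting radiusd -X. Assumes GNU stat and that the private
# files are owned by RADIUS_USER (radiusd by default).
RADIUS_USER="${RADIUS_USER:-radiusd}"

# mode_of FILE -> octal permission bits (e.g. 400); owner_of FILE -> user name
mode_of() { stat -c '%a' "$1"; }
owner_of() { stat -c '%U' "$1"; }

# check_tls_perms RADDBDIR
# Returns 0 when radiuskey.pem, radius_cert.pem, dh and random are mode 0400
# and owned by RADIUS_USER, and cacert.pem is mode 0444; prints each problem.
check_tls_perms() {
    dir="$1"; rc=0
    for f in radiuskey.pem radius_cert.pem dh random; do
        p="$dir/$f"
        if [ ! -f "$p" ]; then echo "missing: $p"; rc=1; continue; fi
        [ "$(mode_of "$p")" = "400" ] || { echo "bad mode $(mode_of "$p") on $p (want 400)"; rc=1; }
        [ "$(owner_of "$p")" = "$RADIUS_USER" ] || { echo "bad owner $(owner_of "$p") on $p (want $RADIUS_USER)"; rc=1; }
    done
    p="$dir/cacert.pem"
    if [ ! -f "$p" ]; then echo "missing: $p"; rc=1
    elif [ "$(mode_of "$p")" != "444" ]; then echo "bad mode $(mode_of "$p") on $p (want 444)"; rc=1
    fi
    return $rc
}

# check_tls_chain RADDBDIR
# Confirms radius_cert.pem was issued by cacert.pem and that radiuskey.pem is
# the matching private key (the usual causes of a TLS error at startup).
check_tls_chain() {
    dir="$1"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/radius_cert.pem" >/dev/null || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/radius_cert.pem")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/radiuskey.pem")
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Usage: sh check_raddb.sh --run [/etc/raddb]
if [ "${1:-}" = "--run" ]; then
    check_tls_perms "${2:-/etc/raddb}" && check_tls_chain "${2:-/etc/raddb}" && echo "OK"
fi
```

Note that a 512-bit DH group as generated in step 8 is far too short for current TLS stacks; on a newer system regenerate 'dh' with a 2048-bit size before blaming the certificates for a startup failure.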

