Enabling peap authentication with freeRADIUS server
From Notes_Wiki
Enabling peap with freeRADIUS
Note that the steps below only go as far as enabling PEAP without causing any startup problems. The settings could not be tested against any NAS client because a Linksys switch was not available.
- Open the '/etc/raddb/radiusd.conf' file.
- In 'modules', go to the 'mschap' sub-section and make the following changes:
- Add 'use_mppe = yes'
- Uncomment 'require_encryption = yes'
- Uncomment 'require_strong = yes'
- Verify that the 'authorize' section contains the line 'mschap'
- Verify that the 'authenticate' section contains the lines (note the hyphen in 'Auth-Type')
- Auth-Type MS-CHAP {
- mschap
- }
- Edit the '/etc/raddb/eap.conf' file and make the following changes:
- Change 'default_eap_type' from 'md5' to 'peap'.
- Uncomment
- peap {
- default_eap_type = mschapv2
- }
- Configure yum and install or update the 'openssl' package.
- Search for the OpenSSL configuration file with the locate command. Its name is 'openssl.cnf' (not 'ssl.conf' or 'openssl.conf'); on some distributions it is '/etc/ssl/openssl.cnf', on CentOS 5.4 it is '/etc/pki/tls/openssl.cnf'.
- Edit the file as follows
- In the '[CA_default]' section change
- dir = certificates # Where everything is kept (a relative path; see the note on the working directory below)
- default_days = 3650
- In the '[req_distinguished_name]' section
- countryName_default = IN
- stateOrProvinceName_default = AP
- localityName_default = Hyderabad
- 0.organizationName_default = IIIT Hyderabad
- commonName = Common Name (uncomment this line)
- emailAddress_default = saurabh.barjatiya@iiit.ac.in
- Search for a file named 'CA' or 'CA.sh'. On CentOS 5.4 it is in the folder '/etc/pki/tls/misc'. Change the value of 'CATOP' defined in this file to 'certificates'.
- Go to the folder '/etc/pki/tls' and run the command './misc/CA -newca'. (It is important to change to '/etc/pki/tls' before running the script: the folder name 'certificates' entered during the earlier modifications is relative, and we want the 'certificates' folder to be created under '/etc/pki/tls'.)
- Enter the PEM passphrase as 'iiit123' during testing (this is a throwaway test value; a CA that will sign real server certificates needs a strong passphrase, since anyone holding the CA key can mint certificates the clients will trust). Leave the other fields at the defaults we entered in the OpenSSL configuration file. For the common name use something like 'ca.barjatiya.com'. The optional challenge password can also be 'iiit123' and the company name 'IIIT Hyderabad'. Enter the first passphrase again and the CA certificate will be generated.
- Use the commands
- openssl req -new -nodes -keyout radiuskey.pem -out radiusreq.pem
- openssl ca -out radius_cert.pem -infiles ./radiusreq.pem
- Enter the passphrase used while creating the CA; this produces the files 'radius_cert.pem' and 'radiuskey.pem' to be used by the FreeRADIUS server. The common name of this request should be the RADIUS server's hostname, not the CA's.
- Run the following commands (most of them are self-explanatory)
- cd /etc/pki/tls
- cp radius_cert.pem radiuskey.pem /etc/raddb
- cp certificates/cacert.pem /etc/raddb
- cd /etc/raddb
- openssl dhparam -check -text -5 2048 -out dh (the original note used 512 bits; 512-bit DH parameters are far too weak for TLS and fall to the Logjam attack, so use at least 2048 bits, which takes noticeably longer to generate)
- dd if=/dev/random of=random count=2 (/dev/random can block for a long time on a headless server; /dev/urandom is fine for this seed file)
- chown radiusd:radiusd dh random radiuskey.pem radius_cert.pem
- chmod 0400 dh random radiuskey.pem radius_cert.pem
- chown root:radiusd cacert.pem
- chmod 0444 cacert.pem
- Edit the file '/etc/raddb/eap.conf'. In the section modules -> eap -> tls, add or uncomment the following entries
- private_key_file = ${raddbdir}/radiuskey.pem
- certificate_file = ${raddbdir}/radius_cert.pem
- CA_file = ${raddbdir}/cacert.pem
- dh_file = ${raddbdir}/dh
- random_file = ${raddbdir}/random
- Start radiusd in debug mode with '/usr/sbin/radiusd -X' and ensure that it starts cleanly. If it does not, check every small detail from the start to this step. If you cannot find the problem, search for the error message on web search engines and try to resolve it. Document the steps and error messages you receive here.
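The following script is an added example, not part of the original wiki page. It builds the same artefacts the page produces with the 'CA' script (a private CA, a server key and certificate signed by it, the dh and random files) using plain openssl commands, applies the page's file permissions, and then performs the checks a practitioner wants before pointing eap.conf at the files: that the server certificate chains to the CA and that the private key actually belongs to that certificate. Assumptions: openssl is installed; RADDB is a scratch directory (default: a temporary directory), not /etc/raddb, so the script can be run unprivileged; 'ca.example.test' and 'radius.example.test' are placeholder names.

```shell
#!/bin/sh
# Added example (not from the original page): private CA + RADIUS server cert
# with plain openssl, installed with the page's permissions, then verified.
# Assumed: openssl present; RADDB is a scratch dir; hostnames are placeholders.
set -eu

RADDB="${RADDB:-$(mktemp -d)}"
WORK="$RADDB/ca-work"
CA_CN="${CA_CN:-ca.example.test}"
SERVER_CN="${SERVER_CN:-radius.example.test}"

# Minimal openssl config: an empty DN section (subjects come from -subj) plus the
# extensions that distinguish a CA certificate from a TLS server certificate.
write_openssl_cnf() {
    mkdir -p "$WORK"
    cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Self-signed CA, valid 10 years (the page's default_days = 3650).
make_ca() {
    write_openssl_cnf
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/cakey.pem" -out "$RADDB/cacert.pem" \
        -subj "/C=IN/ST=AP/L=Hyderabad/O=IIIT Hyderabad/CN=$CA_CN" \
        -config "$WORK/openssl.cnf" -extensions v3_ca 2>/dev/null
}

# Server key + CSR, then sign the CSR with the CA (stands in for 'openssl ca').
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$RADDB/radiuskey.pem" \
        -out "$WORK/radiusreq.pem" -subj "/O=IIIT Hyderabad/CN=$SERVER_CN" \
        -config "$WORK/openssl.cnf" 2>/dev/null
    openssl x509 -req -days 3650 -in "$WORK/radiusreq.pem" \
        -CA "$RADDB/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions v3_server \
        -out "$RADDB/radius_cert.pem" 2>/dev/null
}

# DH parameters (2048 bits, not the page's 512, which is trivially breakable)
# and a seed file from the non-blocking /dev/urandom.
make_dh_and_random() {
    openssl dhparam -out "$RADDB/dh" "${DH_BITS:-2048}" 2>/dev/null
    dd if=/dev/urandom of="$RADDB/random" bs=512 count=2 2>/dev/null
}

# Page's permission scheme: private material 0400 for radiusd, CA cert 0444.
# chown needs root and a radiusd user, so it is applied only when both exist.
install_perms() {
    chmod 0400 "$RADDB/radiuskey.pem" "$RADDB/radius_cert.pem"
    chmod 0444 "$RADDB/cacert.pem"
    if [ "$(id -u)" -eq 0 ] && id radiusd >/dev/null 2>&1; then
        chown radiusd:radiusd "$RADDB/radiuskey.pem" "$RADDB/radius_cert.pem"
        chown root:radiusd "$RADDB/cacert.pem"
    fi
}

# Checks: the server cert chains to the CA, and the key matches the cert.
verify_chain() {
    openssl verify -CAfile "$RADDB/cacert.pem" "$RADDB/radius_cert.pem" >/dev/null 2>&1
}
key_matches_cert() {
    [ "$(openssl x509 -in "$RADDB/radius_cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$RADDB/radiuskey.pem" -pubout)" ]
}
perm_string() { ls -l "$1" | cut -c1-10; }   # e.g. -r--------

# The tls {} entries for eap.conf, pointing at RADDB.
print_eap_tls_fragment() {
    cat <<EOF
tls {
	private_key_file = $RADDB/radiuskey.pem
	certificate_file = $RADDB/radius_cert.pem
	CA_file = $RADDB/cacert.pem
	dh_file = $RADDB/dh
	random_file = $RADDB/random
}
EOF
}

if [ "${1:-}" = run ]; then
    make_ca; make_server_cert; make_dh_and_random; install_perms
    verify_chain && key_matches_cert && echo "certificates OK in $RADDB"
    print_eap_tls_fragment
fi
```

Run it as 'sh peap-certs.sh run' (name assumed) to get a populated scratch directory and the eap.conf fragment; set RADDB=/etc/raddb and run as root to install for real. Because the page could not test against a NAS, the gap can be closed on the server itself with eapol_test from the wpa_supplicant source tree: write a network block with 'eap=PEAP', 'phase2="auth=MSCHAPV2"', 'identity', 'password' and 'ca_cert' pointing at cacert.pem, add a matching test user to the FreeRADIUS users file (for FreeRADIUS 2.x: 'testuser Cleartext-Password := "testpass"'), start 'radiusd -X', and run 'eapol_test -c peap.conf -s <shared secret>'; a successful run ends with the server sending Access-Accept and the MPPE keys in the debug output.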