Welcome to Linux Knowledge Base and Tutorial
"The place where you learn linux"
Traveller''s Lunchbox

 Create an AccountHome | Submit News | Your Account  

Tutorial Menu
Linux Tutorial Home
Table of Contents

· Introduction to Operating Systems
· Linux Basics
· Working with the System
· Shells and Utilities
· Editing Files
· Basic Administration
· The Operating System
· The X Windowing System
· The Computer Itself
· Networking
· System Monitoring
· Solving Problems
· Security
· Installing and Upgrading
· Linux and Windows

Glossary
MoreInfo
Man Pages
Linux Topics
Test Your Knowledge

Site Menu
Site Map
FAQ
Copyright Info
Terms of Use
Privacy Info
Disclaimer
WorkBoard
Thanks
Donations
Advertising
Masthead / Impressum
Your Account

Communication
Feedback
Forums
Private Messages
Surveys

Features
HOWTOs
News Archive
Submit News
Topics
User Articles
Web Links

Google
Google


The Web
linux-tutorial.info

Who's Online
There are currently, 216 guest(s) and 0 member(s) that are online.

You are an Anonymous user. You can register for free by clicking here

  

HOWTO Home

Current HOWTO: 8021X-HOWTO


Authentication Server: Setting up FreeRADIUS

3. Authentication Server: Setting up FreeRADIUS

FreeRADIUS is a fully GPLed RADIUS server implementation. It supports a wide range of authentication mechanisms, but PEAP is used for the example in this document.

3.1. Installing FreeRADIUS

Installing FreeRADIUS

  1. Head over to the FreeRADIUS site, http://www.freeradius.org/, and download the latest release.

    
   # cd /usr/local/src
       # wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.0.0.tar.gz
       # tar zxfv freeradius-1.0.0.tar.gz
       # cd freeradius-1.0.0
      
  2. Configure, make and install:

    
    # ./configure
        # make
        # make install
       

    You can pass options to configure. Use ./configure --help or read the README file, for more information.

The binaries are installed in /usr/local/bin and /usr/local/sbin. The configuration files are found under /usr/local/etc/raddb.

If something went wrong, check the INSTALL and README included with the source. The RADIUS FAQ also contains valuable information.

3.2. Configuring FreeRADIUS

FreeRADIUS has a big and mighty configuration file. It's so big, it has been split into several smaller files that are just "included" into the main radius.conf file.

There is numerous ways of using and setting up FreeRADIUS to do what you want: i.e., fetch user information from LDAP, SQL, PDC, Kerberos, etc. In this document, user information from a plain text file, users, is used.

Tip

The configuration files are thoroughly commented, and, if that is not enough, the doc/ folder that comes with the source contains additional information.

Configuring FreeRADIUS

  1. The configuration files can be found under /usr/local/etc/raddb/

    
    # cd /usr/local/etc/raddb/
       
  2. Open the main configuration file radiusd.conf, and read the comments! Inside the encrypted PEAP tunnel, an MS-CHAPv2 authentication mechanism is used.

    1. MPPE [RFC3078] is responsible for sending the PMK to the AP. Make sure the following settings are set:

      
    # under MODULES, make sure mschap is uncommented!
          mschap {
            # authtype value, if present, will be used
            # to overwrite (or add) Auth-Type during
            # authorization. Normally, should be MS-CHAP
            authtype = MS-CHAP
      
            # if use_mppe is not set to no, mschap will
            # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
            # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
            #
            use_mppe = yes
      
            # if mppe is enabled, require_encryption makes
            # encryption moderate
            #
            require_encryption = yes
      
            # require_strong always requires 128 bit key
            # encryption
            #
            require_strong = yes
      
            authtype = MS-CHAP
            # The module can perform authentication itself, OR
            # use a Windows Domain Controller. See the radius.conf file
            # for how to do this.
          }
          
    2. Also make sure the "authorize" and "authenticate" contains:

      
    authorize {
              preprocess
              mschap
      	suffix
      	eap
      	files
          }
          
          authenticate {
               
               #
               #  MSCHAP authentication.    
               Auth-Type MS-CHAP {
                     mschap
                }
      	
      	 #
               #  Allow EAP authentication.
               eap
           }
          
  3. Then, change the clients.conf file to specify what network it's serving:

    
   # Here, we specify which network we're serving
       client 192.168.0.0/16 { 
            # This is the shared secret between the Authenticator (the 
    	# access point) and the Authentication Server (RADIUS).
            secret          = SharedSecret99
            shortname       = testnet
        }
       
  4. The eap.conf should also be pretty straightforward.

    1. Set "default_eap_type" to "peap":

      
      default_eap_type = peap
           
    2. Since PEAP is using TLS, the TLS section must contain:

      
    tls { 
              # The private key password
              private_key_password = SecretKeyPass77
      	# The private key
              private_key_file = ${raddbdir}/certs/cert-srv.pem
              #  Trusted Root CA list
              CA_file = ${raddbdir}/certs/demoCA/cacert.pem
              dh_file = ${raddbdir}/certs/dh
              random_file = /dev/urandom
      	}
          
    3. Find the "peap" section, and make sure it contain the following:

      
      peap {
              #  The tunneled EAP session needs a default
              #  EAP type, which is separate from the one for
              #  the non-tunneled EAP module.  Inside of the
              #  PEAP tunnel, we recommend using MS-CHAPv2,
              #  as that is the default type supported by
              #  Windows clients.
              default_eap_type = mschapv2
            }
            
  5. The user information is stored in a plain text file users. A more sophisticated solution to store user information may be preferred (SQL, LDAP, PDC, etc.).

    Make sure the users file contains the following entry:

    
   "testuser"      User-Password == "Secret149"
       

The Linux Tutorial completely respects the rights of authors and artists to decide for themselves if and how their works can be used, independent of any existing licenses. This means if you are the author of any document presented on this site and do no wish it to be displayed as it is on this site or do not wish it to be displayed at all, please contact us and we will do our very best to accommodate you. If we are unable to accommodate you, we will, at your request, remove your document as quickly as possible.

If you are the author of any document presented on this site and would like a share of the advertising revenue, please contact us using the standard Feedback Form.


  
Show your Support for the Linux Tutorial

Purchase one of the products from our new online shop. For each product you purchase, the Linux Tutorial gets a portion of the proceeds to help keep us going.


Login
Nickname

Password

Security Code
Security Code
Type Security Code


Don't have an account yet? You can create one. As a registered user you have some advantages like theme manager, comments configuration and post comments with your name.

Help if you can!


Amazon Wish List

Did You Know?
The Linux Tutorial can use your help.


Friends



Tell a Friend About Us

Bookmark and Share



Web site powered by PHP-Nuke

Is this information useful? At the very least you can help by spreading the word to your favorite newsgroups, mailing lists and forums.
All logos and trademarks in this site are property of their respective owner. The comments are property of their posters. Articles are the property of their respective owners. Unless otherwise stated in the body of the article, article content (C) 1994-2013 by James Mohr. All rights reserved. The stylized page/paper, as well as the terms "The Linux Tutorial", "The Linux Server Tutorial", "The Linux Knowledge Base and Tutorial" and "The place where you learn Linux" are service marks of James Mohr. All rights reserved.
The Linux Knowledge Base and Tutorial may contain links to sites on the Internet, which are owned and operated by third parties. The Linux Tutorial is not responsible for the content of any such third-party site. By viewing/utilizing this web site, you have agreed to our disclaimer, terms of use and privacy policy. Use of automated download software ("harvesters") such as wget, httrack, etc. causes the site to quickly exceed its bandwidth limitation and are therefore expressly prohibited. For more details on this, take a look here

PHP-Nuke Copyright © 2004 by Francisco Burzi. This is free software, and you may redistribute it under the GPL. PHP-Nuke comes with absolutely no warranty, for details, see the license.
Page Generation: 0.13 Seconds