The following notes are a summary of HOWTO: Incremental Setup of FreeRADIUS Server for EAP Authentications

Prerequisites

  • Scientificlinux 5.x
  • A working LDAP directory - I'm pointing to an LDAP directory that I already have on our network.
  • FreeRADIUS - I just installed this from the SL5.x repositories

Testing

Step 1 - test on the localhost

Debugging the server

/usr/sbin/radiusd -X

Testing the setup, first add this to your /etc/raddb/users file

dummyuser User-Password := "dummypasswd"

Note that I am using version 1.1.x; in newer FreeRADIUS versions you will need to use Cleartext-Password instead.

Then do

radtest dummyuser dummypasswd 127.0.0.1 1812 testing123

The testing123 part is a default shared secret password. The above steps are just used to see if the basic setup works or not.
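What radtest actually puts on the wire, as an added example that is not part of the original notes: an Access-Request built by hand with the page's dummyuser/dummypasswd credentials and the testing123 secret. The User-Password attribute is only obfuscated by XOR with an MD5 chain keyed on the shared secret (RFC 2865 section 5.2), which is why the default secret should be replaced by a strong per-client one before any real credentials cross the network.

```python
import hashlib
import os
import socket
import struct

# Values from the walkthrough above (constructed test credentials and the default secret).
SECRET = b"testing123"
USERNAME = b"dummyuser"
PASSWORD = b"dummypasswd"

def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def decode_password(cipher, secret, authenticator):
    """Inverse of encode_password; the server strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username, password, secret, identifier=1, authenticator=None):
    """Code 1 (Access-Request) carrying User-Name (type 1) and User-Password (type 2)."""
    authenticator = authenticator or os.urandom(16)  # 16 random bytes, RFC 2865 section 3
    attrs = struct.pack("BB", 1, 2 + len(username)) + username
    enc = encode_password(password, secret, authenticator)
    attrs += struct.pack("BB", 2, 2 + len(enc)) + enc
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

if __name__ == "__main__":
    # Send one request to a radiusd on localhost, like "radtest ... 127.0.0.1 1812 testing123"
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(3)
    sock.sendto(build_access_request(USERNAME, PASSWORD, SECRET), ("127.0.0.1", 1812))
    code = sock.recv(4096)[0]
    print({2: "Access-Accept", 3: "Access-Reject"}.get(code, "code %d" % code))
```

Run it against the Step 1 setup and it should print Access-Accept; anyone holding the shared secret and a capture can run decode_password on the same bytes, which is the risk the secret choice controls.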

Step 2 - test from a remote host

Now edit /etc/raddb/clients.conf and add in your host

client 226.134.191.112 {
    secret = testing123
    shortname = 226.134.191.112
}

Restart the radiusd process then do this from 226.134.191.112

radtest dummyuser dummypasswd 226.134.191.113 1812 testing123

where 226.134.191.113 is the RADIUS server. It should complete successfully.

Step 3 - EAP (with TLS) and PEAP configuration

Prerequisites

  • SSL keys and certs for the radius server, see the eap.conf for comments.
  • Step 1 and Step 2 work.

At a minimum, you will want this type of configuration in your eap.conf file.

eap {
    default_eap_type = md5
    timer_expire     = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}

For testing only, you may want to comment out the group=radiusd and user=radiusd options in radiusd.conf.

Step 4 - test with WPA Supplicant or similar tool

I used the eapol_test program from wpa_supplicant with this configuration file

network={
    eap=PEAP
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="dummyuser"
    password="dummypasswd"
    #ca_cert="/home/jtang/ca.crt"
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous"
}

Run it like this

eapol_test -c radeap.conf  -a226.134.191.113 -p1812 -stesting123 -r1

eapol_test was built with

wget http://hostap.epitest.fi/releases/wpa_supplicant-0.5.10.tar.gz
tar xvf wpa_supplicant-0.5.10.tar.gz
cd wpa_supplicant-0.5.10/
cp defconfig .config
make eapol_test

Making FreeRADIUS look up LDAP

Add this to your /etc/raddb/dictionary file

VALUE           Auth-Type               Local                   0
VALUE           Auth-Type               System                  1
VALUE           Auth-Type               SecurID                 2
VALUE           Auth-Type               Crypt-Local             3
VALUE           Auth-Type               Reject                  4
VALUE           Auth-Type               LDAP                    5

In eap.conf in the PEAP section set

default_eap_type = peap

In radiusd.conf in the LDAP section set at least this

server = "ldap.tchpc.tcd.ie"
identity = "cn=admin,dc=tchpc,dc=tcd,dc=ie"
password = myadminpassword
basedn = "ou=people,dc=tchpc,dc=tcd,dc=ie"
#filter = "(posixAccount)(uid=%u))"
filter = "(uid=%u)"
# access_attr = "dialupAccess"
password_attribute = userPassword
set_auth_type = yes

Then, in the authorize section, uncomment the ldap option and comment out the files module.
