Freeradius Eduroam
Configuring PEAP / LDAP based authentication using FreeRADIUS on Debian Sarge and Cisco AP1200, with WPA2 AES encryption
Ivan Klimek Computer Networks Laboratory Technical University Kosice, Slovakia http://www.cnl.tuke.sk
1. Introduction
This document describes the configuration steps needed to set up and use 802.1X: Port-Based Network Access Control using PEAP (PEAP/MSCHAPv2) as authentication method and FreeRADIUS as back-end authentication server running on Debian Sarge. Cisco AP1200 series as the authenticator. And Windows XP default build-in supplicant.
2. FreeRadius 2.1 Before the installation apt-get install libssl-dev apt-get build-dep freeradius
2.2 Working with the source
- getting the source code: apt-get source freeradius - unpacking, compile, make, make install (the filename can be different) tar zxfv freeradius-1.0.4.tar.gz cd freeradius-1.0.4 ./configure --disable-shared make make install
2.3 Configuring FreeRADIUS
- the binaries are installed in /usr/local/bin and /usr/local/sbin. The configuration files are found under /usr/local/etc/raddb. cd /usr/local/etc/raddb
- Open the main configuration file radiusd.conf. Inside the encrypted PEAP tunnel, an MS-CHAPv2 authentication mechanism is used. - it should look like this: mschap { # # # # # #
As of 0.9, the mschap module does NOT support reading from /etc/smbpasswd. If you are using /etc/smbpasswd, see the 'passwd' module for an example of how to use /etc/smbpasswd
# authtype value, if present, will be used # to overwrite (or add) Auth-Type during # authorization. Normally should be MS-CHAP authtype = MS-CHAP # if use_mppe is not set to no mschap will # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 # use_mppe = yes # if mppe is enabled require_encryption makes # encryption moderate # require_encryption = yes # require_strong always requires 128 bit key # encryption # require_strong = yes # Windows sends us a username in the form of # DOMAIN\user,
Ivan Klimek Computer Networks Laboratory Technical University Kosice, Slovakia http://www.cnl.tuke.sk
1. Introduction
This document describes the configuration steps needed to set up and use 802.1X: Port-Based Network Access Control using PEAP (PEAP/MSCHAPv2) as authentication method and FreeRADIUS as back-end authentication server running on Debian Sarge. Cisco AP1200 series as the authenticator. And Windows XP default build-in supplicant.
2. FreeRadius 2.1 Before the installation apt-get install libssl-dev apt-get build-dep freeradius
2.2 Working with the source
- getting the source code: apt-get source freeradius - unpacking, compile, make, make install (the filename can be different) tar zxfv freeradius-1.0.4.tar.gz cd freeradius-1.0.4 ./configure --disable-shared make make install
2.3 Configuring FreeRADIUS
- the binaries are installed in /usr/local/bin and /usr/local/sbin. The configuration files are found under /usr/local/etc/raddb. cd /usr/local/etc/raddb
- Open the main configuration file radiusd.conf. Inside the encrypted PEAP tunnel, an MS-CHAPv2 authentication mechanism is used. - it should look like this: mschap { # # # # # #
As of 0.9, the mschap module does NOT support reading from /etc/smbpasswd. If you are using /etc/smbpasswd, see the 'passwd' module for an example of how to use /etc/smbpasswd
# authtype value, if present, will be used # to overwrite (or add) Auth-Type during # authorization. Normally should be MS-CHAP authtype = MS-CHAP # if use_mppe is not set to no mschap will # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 # use_mppe = yes # if mppe is enabled require_encryption makes # encryption moderate # require_encryption = yes # require_strong always requires 128 bit key # encryption # require_strong = yes # Windows sends us a username in the form of # DOMAIN\user,