Wifi Authentication/Accounting With FreeRadius On CentOS 5 - Page 2

Submitted by awan on Wed, 2008-07-09 15:50.

Step 4 (*********** Freeradius Setup ***********)

4.1 Fetch freeradius rpm

rpm -Uvh freeradius....

If it asks for dependencies do the following:

yum install net-snmp-utils perl-DBI libtool-ltdl -y

Note: The freeradius package in the CentOS 5.1 repos is freeradius-1.1.3..., which comes with OpenSSL support but is no longer supported by freeradius.org; support is only available for the 1.1.7.x versions. The latest version, 2.0.5, has newer features but has no RPM binaries for CentOS 5.x, although .src.rpms of 2.0.3 for Fedora 9 do exist. FR 2.x differs from 1.x under the hood (paths/files for the various protocols).

 

4.2 Remove the FreeRadius default certificate files etc:

rm -Rf /etc/raddb/demoCA

This is actually /etc/raddb/certs/demoCA; I backed up (mv'ed) the /etc/raddb/certs folder to /etc/raddb/bkup_certs.

 

4.3 Create the appropriate directories in /etc/raddb in which to keep the certificate information:

I backed up (mv'ed) the /etc/raddb/certs folder to /etc/raddb/bkup_certs and created another one named /etc/raddb/certs.

mkdir /etc/raddb/certs

 

4.4 Move the server certificate and the root certificate to the FreeRadius folder:

cp /etc/ssl/cacert.pem /etc/raddb/certs/ -v

cp /etc/ssl/server_keycert.pem /etc/raddb/certs/ -v

 

4.5 Create the Diffie-Hellman parameters file for TLS:

openssl dhparam -check -text -5 512 -out dh

Output:

[root@ciitwifi ssl]# pwd

/etc/ssl

[root@ciitwifi ssl]# openssl dhparam -check -text -5 512 -out dh

Generating DH parameters, 512 bit long safe prime, generator 5

This is going to take a long time

.+.........................................................................+
................+......+.............................+...........+.........+.............
..........+..............................................................................
......+........................................+...........................+.............
.................+........................+..............................................
...+...........................+..........................+..........+.+.......+.........
....................................+...+...........................................+....
...............................+.....................+.........+.........................
.......+.......+.........+.....+......................+............................+.....
.........+.........+............................................................++*++*++*++*++*++*

DH parameters appear to be ok.

[root@ciitwifi ssl]#

===========================================================================

Copy this "dh" file to /etc/raddb/certs folder:

cp /etc/ssl/dh /etc/raddb/certs -v

 

4.6 Create the random bitstream file for TLS, and change the ownership of the certificates and related files so that freeradius can read them.

dd if=/dev/urandom of=random count=2

Output (run in the /etc/raddb/certs folder):

===========================================================================

[root@ciitwifi certs]# dd if=/dev/urandom of=random count=2

2+0 records in

2+0 records out

1024 bytes (1.0 kB) copied, 0.000545195 seconds, 1.9 MB/s

chown -R radiusd /etc/raddb/certs

 

4.7 Modify /etc/raddb/eap.conf (full listing):

(Note: "lettheserverin" is the private key password of the certificate.)

(Yes, it can be tuned further, i.e. dropping/adding support for some other protocols. That's up to you.)

eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        private_key_password = lettheserverin
        private_key_file = ${raddbdir}/certs/server_keycert.pem
        certificate_file = ${raddbdir}/certs/server_keycert.pem
        CA_file = ${raddbdir}/certs/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
    }
    ttls {
        default_eap_type = mschapv2
        use_tunneled_reply = yes
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
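As an added preflight check (my own example, not part of the original tutorial), the following Python parses an eap.conf in the brace format shown above, expands ${raddbdir}, and reports what would keep EAP from coming up before radiusd is started: a default_eap_type with no matching section, TLS files the server cannot read (the files copied in 4.4 to 4.6), or a private_key_password left empty or at the stock "whatever". The parse_conf and preflight names are mine, and EAP_CONF is a constructed copy of the listing trimmed to the settings that are checked.

```python
import os
import re

# Constructed sample: the eap.conf from section 4.7, trimmed to what the check reads.
EAP_CONF = """
eap {
    default_eap_type = ttls
    tls {
        private_key_password = lettheserverin
        private_key_file = ${raddbdir}/certs/server_keycert.pem
        certificate_file = ${raddbdir}/certs/server_keycert.pem
        CA_file = ${raddbdir}/certs/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
    }
    ttls {
        default_eap_type = mschapv2
    }
}
"""

def parse_conf(text, variables):
    """Parse FreeRADIUS brace-style config into nested dicts, expanding ${var} from `variables`."""
    root = cur = {}
    stack = []
    for line in (l.split('#', 1)[0].strip() for l in text.splitlines()):
        if line.endswith('{'):                    # open a sub-section
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == '}':                         # close the current section
            cur = stack.pop()
        elif line:                                # key = value (blank lines skipped)
            key, _, val = line.partition('=')
            val = re.sub(r'\$\{(\w+)\}', lambda m: variables[m.group(1)], val.strip())
            cur[key.strip()] = val
    return root

def preflight(raddbdir, text=EAP_CONF):
    """Problems that keep EAP from loading: unknown default type, unreadable TLS files, stock key password."""
    eap = parse_conf(text, {'raddbdir': raddbdir})['eap']
    tls, problems = eap.get('tls', {}), []
    default = eap.get('default_eap_type')
    if not isinstance(eap.get(default), dict):
        problems.append(f'default_eap_type {default!r} has no matching section')
    for key in ('private_key_file', 'certificate_file', 'CA_file', 'dh_file', 'random_file'):
        if not os.access(tls.get(key, ''), os.R_OK):
            problems.append(f'tls.{key} -> {tls.get(key)} is not set or not readable')
    if tls.get('private_key_password', '') in ('', 'whatever'):
        problems.append('tls.private_key_password is empty or the stock placeholder')
    return problems
```

Run it as the radiusd user so that the readability check reflects the chown from 4.6.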

 

4.8 Add a radius client for the wireless access point in /etc/raddb/clients.conf:

For the dlink AP3200:

client 192.168.0.53 {
    secret = <dlink secret phrase>
    shortname = AP3200
    nastype = other
}

 

4.9 Modify /etc/raddb/radiusd.conf:

I didn't modify radiusd.conf, but make sure the following are uncommented. (Yes, it can be tuned further, i.e. dropping/adding support for some other protocols, unloading useless modules, increasing performance, etc. That's up to you.)

log_auth = yes


authorize {
    preprocess
    chap
    mschap
    suffix
    pap
    eap
    files
}


authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    # unix
    eap
}

 

4.10 Modify /etc/raddb/users & start the server.

Create a user at the top of the file:

faheem Cleartext-Password := "khan"

Now start the radius server:

/etc/init.d/radiusd start

 

Step 5 ****************** Configuring the Access Point *********************

Now set the AP to use "WPA enterprise auto" or "WPA2 enterprise" and point it at the RADIUS server's IP address/port. The secret field must be the same as the one in /etc/raddb/clients.conf (i.e. in our case the "dlinksecret" phrase).


Submitted by Anonymous (not registered) on Fri, 2009-03-06 05:47.

Just wanted to point out that using PEAP/MSCHAP with any RADIUS server requires that you store passwords in clear or in NT-hash format. Since most back-end user databases do not support NT-hash, one is left with few alternatives: accepting the risk or having a Windows AD.

 

This is an article that clarifies this point:

Securing your wireless network with PEAP/MSCHAP requires Windows AD