Wifi Authentication/Accounting With FreeRadius On CentOS 5 - Page 3

Submitted by awan on Wed, 2008-07-09 15:53.

Step 6 ******************** Configure end wifi clients ********************

Install certificates

Certification authority certificate: CA.der (if you followed the certificate method above, it should be cacert.der).

Server certificate with keys: server.p12 (if you followed the certificate method above, it should be server_keycert.p12).

Note: The following screenshots are from Windows 2003 Server, but it shouldn't be very different for Windows XP.

Go to “Start”, select “Run” and type “mmc”.

Follow the same procedure to import the server.p12 certificate into the “Trusted Root” section.

That is it for EAP/PEAP (TTLS), but for TLS you also need to import/install the client certificate. (You would also need to modify your eap.conf file for TLS.)

 

Configuring the wifi interface

View “My network neighborhood” and choose your access point, in this case “AP3200” (it is actually named “mydlink” here).

  • Press “OK”, “OK”, and “OK”. You're done configuring the wifi.
  • Immediately disable the wifi interface: right-click it and choose “Disable”.
  • After a second or two, re-enable the wifi interface. You should be prompted for username/password/logon domain.
  • Simply supply the username/password and press “OK”.
  • You should connect in less than a second.

Congratulations, you have configured a WPA1/2 enterprise wifi network.

Possible problems/Solutions:

  • FreeRADIUS not compiled with OpenSSL support. (Google.)
  • Certificates not installed correctly. (Use the demo certificates or an automating script.)
  • The XP end client does not support the protocol. (Possibly install the latest service pack.)
  • Client/AP not communicating. (Turn off the firewall or open the ports.)
  • AP not communicating. (Reset/restart or update the firmware.)
  • Client not getting authenticated. (Check the logs, or run the FreeRADIUS server in debug mode, e.g. radiusd -X -z.)
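For the “Certificates not installed correctly” case, one way to confirm on the server that the CA file and the server bundle belong together before importing them on clients. This is an added example, not part of the original tutorial; it assumes the openssl command-line tool, and the function names, the demo password and the subject names are constructed for illustration.

```bash
# Added example (not from the tutorial). File names follow the tutorial;
# the password and subject names are constructed demo values.

# make_demo_certs DIR PASS: build a throwaway CA and server bundle (constructed input).
make_demo_certs() {
  local d="$1" pass="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo WiFi CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/srv.pem" 2>/dev/null &&
  openssl x509 -in "$d/ca.pem" -outform DER -out "$d/cacert.der" &&
  openssl pkcs12 -export -in "$d/srv.pem" -inkey "$d/srv.key" \
    -passout "pass:$pass" -out "$d/server_keycert.p12"
}

# check_wifi_certs CA_DER SERVER_P12 PASS: returns 0 only if the CA file parses,
# the PKCS#12 opens with PASS, and its certificate verifies against that CA.
check_wifi_certs() {
  local ca_der="$1" p12="$2" pass="$3" tmp rc=0
  tmp=$(mktemp -d) || return 1
  if ! openssl x509 -inform DER -in "$ca_der" -out "$tmp/ca.pem" 2>/dev/null; then
    echo "FAIL: $ca_der is not a DER certificate"; rc=1
  elif ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
         -out "$tmp/srv.pem" 2>/dev/null; then
    echo "FAIL: cannot open $p12 (wrong password or damaged file)"; rc=1
  elif ! openssl verify -CAfile "$tmp/ca.pem" "$tmp/srv.pem" 2>&1 | grep -q ': OK$'; then
    echo "FAIL: server certificate was not issued by $ca_der"; rc=1
  else
    # Show who the certificate is for and when it expires.
    openssl x509 -in "$tmp/srv.pem" -noout -subject -enddate
    echo "OK: server certificate chains to $ca_der"
  fi
  rm -rf "$tmp"
  return $rc
}

# Demo run on constructed certificates.
demo=$(mktemp -d)
make_demo_certs "$demo" demo-pass &&
  check_wifi_certs "$demo/cacert.der" "$demo/server_keycert.p12" demo-pass
rm -rf "$demo"
```

On a real server, call check_wifi_certs with your own cacert.der, server_keycert.p12 and the export password chosen when the bundle was created.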

 

Reference:

Note: Many thanks to the freeradius.org developers, forum members and the people who wrote some of the articles/howtos listed below.

http://support.microsoft.com/kb/814394/en-us

http://wiki.freeradius.org/Main_Page

http://www.linux.com/base/ldp/howto/8021X-HOWTO/freeradius.htmlt#confradius

http://www.freesoftwaremagazine.com/community_posts/howto_incremental_setup_freeradius_server_eap_authentications

http://www.linuxjournal.com/article/8151

http://www.linuxjournal.com/article/8095

http://davenjudy.org/wordpress/?p=22

http://wiki.freeradius.org/HOWTO

http://www.wi-fiplanet.com/tutorials/article.php/3557251

http://www.wi-fiplanet.com/tutorials/article.php/3555556

http://www.smallnetbuilder.com/content/view/30213/98/

http://sophie.zarb.org/srpm/Fedora,development,/freeradius


Submitted by bwiechman (not registered) on Thu, 2009-07-23 03:28.
Freeradius v2.x rpms are now available for RHEL 5/CentOS 5 as well. See http://wiki.freeradius.org/Red_Hat_FAQ#Current_Pre-built_RPM.27s_for_RHEL_5_and_CentOS_5
Submitted by korovamilk (registered user) on Wed, 2008-07-23 10:16.

Thanks for the tutorial!

A question: as far as you know, does this work with smartphones? I mean, do they accept the self-signed certificate?

I heard it is impossible to make smartphones connect to WPA enterprise class networks without a CA-signed certificate..

Submitted by hada (not registered) on Fri, 2008-10-17 00:17.
Works on Nokia N95 and the latest firmware. OS: Symbian s60 v.3
Submitted by awan (registered user) on Fri, 2008-09-05 05:02.

Hmm, sorry, never tried that. But theoretically it should work since, in this context, you are creating your own CA & signing & dishing out your own client certificates. Let me know if it worked for smartphones. I'm guessing it will work, otherwise it'll be hard to change their names (phones, i.e.).

--

Osman