Wifi Authentication/Accounting With FreeRadius On CentOS 5 - Page 2

Step 4 (*********** Freeradius Setup ***********)

4.1 Fetch freeradius rpm

rpm -Uvh freeradius....

If it asks for dependencies do the following:

yum install net-snmp-utils perl-DBI libtool-ltdl -y

Note: The freeradius package in the CentOS 5.1 repos is freeradius-1.1.3..., which is built with OpenSSL support. That release is no longer supported by freeradius.org; support is only available for the 1.1.7.x versions. The latest version, 2.0.5, has newer features but has no RPM binaries for CentOS 5.x, although .src.rpms of 2.0.3 for Fedora 9 do exist. FR 2.x differs from 1.x under the hood (paths and files for the various protocols).


4.2 Remove the FreeRadius default certificate files etc:

rm -Rf /etc/raddb/demoCA

This is actually /etc/raddb/certs/demoCA; I backed up (mv'ed) the /etc/raddb/certs folder to /etc/raddb/bkup_certs.


4.3 Create the appropriate directories in /etc/raddb in which to keep the certificate information:

I backed up (mv'ed) the /etc/raddb/certs folder to /etc/raddb/bkup_certs and created a new one named /etc/raddb/certs.

mkdir /etc/raddb/certs


4.4 Move the server certificate and the root certificate to the FreeRadius folder:

cp /etc/ssl/cacert.pem /etc/raddb/certs/ -v
cp /etc/ssl/server_keycert.pem /etc/raddb/certs/ -v


4.5 Create the Diffie-Hellman parameters file for TLS:

openssl dhparam -check -text -5 512 -out dh

Output:

[root@ciitwifi ssl]# pwd
/etc/ssl
[root@ciitwifi ssl]# openssl dhparam -check -text -5 512 -out dh
Generating DH parameters, 512 bit long safe prime, generator 5
This is going to take a long time
.+.........................................................................+
................+......+.............................+...........+.........+.............
..........+..............................................................................
......+........................................+...........................+.............
.................+........................+..............................................
...+...........................+..........................+..........+.+.......+.........
....................................+...+...........................................+....
...............................+.....................+.........+.........................
.......+.......+.........+.....+......................+............................+.....
.........+.........+............................................................++*++*++*
++*++*++*
DH parameters appear to be ok.
[root@ciitwifi ssl]#
===========================================================================

Copy this "dh" file to the /etc/raddb/certs folder:

cp /etc/ssl/dh /etc/raddb/certs -v


4.6 Create the random bitstream file for TLS, and change the ownership of the certificate files so that freeradius is able to read them.

dd if=/dev/urandom of=random count=2

Output (run in the /etc/raddb/certs folder):

===========================================================================
[root@ciitwifi certs]# dd if=/dev/urandom of=random count=2
2+0 records in
2+0 records out
1024 bytes (1.0 kB) copied, 0.000545195 seconds, 1.9 MB/s
===========================================================================

Then change the ownership so that the radiusd user can read the files:

chown -R radiusd /etc/raddb/certs
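As an added example (not part of the original tutorial), the following POSIX shell script wraps steps 4.5 and 4.6 in functions and adds the check a practitioner wants afterwards: that nothing in the certs directory, the private key in particular, is readable by other users on the box. The DH size is a parameter because 512 bits, as used above, is far below what current guidance (2048 bits or more) recommends. The function names, the owner handling and the temporary-directory demo are assumptions of this example, not the tutorial's own commands.

```shell
#!/bin/sh
# Added example, not from the original tutorial: prepare the FreeRADIUS
# TLS material directory (random seed file, DH parameters) and make sure
# nothing in it is readable by "other". Paths, owner and DH size are
# parameters; the defaults in the tutorial are /etc/raddb/certs and the
# radiusd user.

# make_random FILE
# 1024 bytes from /dev/urandom, the same as the tutorial's dd step
make_random() {
    dd if=/dev/urandom of="$1" bs=512 count=2 2>/dev/null
}

# make_dh FILE BITS
# DH parameters; BITS is a parameter because the tutorial's 512 is far
# below current guidance (2048 or more). Generation can take minutes.
make_dh() {
    openssl dhparam -out "$1" "$2" 2>/dev/null
}

# world_readable DIR
# prints every entry under DIR that has the "other read" bit set
world_readable() {
    find "$1" -perm -004
}

# harden_certs_dir DIR OWNER
# directory 0750, files 0640, owned by OWNER (only if that user exists
# on this host, so the function also works on a build box); succeeds
# only if nothing under DIR is world-readable afterwards
harden_certs_dir() {
    dir=$1; owner=$2
    chmod 0750 "$dir" || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] && chmod 0640 "$f"
    done
    if id "$owner" >/dev/null 2>&1; then
        chown -R "$owner" "$dir" || return 1
    fi
    [ -z "$(world_readable "$dir")" ]
}

# Stand-alone demo in a temporary directory (constructed paths, not
# /etc/raddb). The key file is a placeholder created world-readable on
# purpose; make_dh is left out of the demo because of its run time.
demo_dir=$(mktemp -d)
make_random "$demo_dir/random"
printf 'constructed placeholder, not a real key\n' > "$demo_dir/server_keycert.pem"
chmod 0644 "$demo_dir/server_keycert.pem"
if harden_certs_dir "$demo_dir" radiusd; then
    echo "ok: nothing under $demo_dir is world-readable"
else
    echo "FAILED: world-readable entries remain under $demo_dir"
fi
rm -rf "$demo_dir"
```

On the real server, call `make_dh /etc/raddb/certs/dh 2048` and `harden_certs_dir /etc/raddb/certs radiusd` after the certificates have been copied in; the `random_file` and `dh_file` paths in eap.conf then match the tutorial's.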


4.7 Modify /etc/raddb/eap.conf (full listing):

(Note: "lettheserverin" is the private key password of the certificate.)

(Yes, it can be tuned further, e.g. by dropping or adding support for other protocols. That's up to you.)

eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        private_key_password = lettheserverin
        private_key_file = ${raddbdir}/certs/server_keycert.pem
        certificate_file = ${raddbdir}/certs/server_keycert.pem
        CA_file = ${raddbdir}/certs/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
    }
    ttls {
        default_eap_type = mschapv2
        use_tunneled_reply = yes
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
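Before starting radiusd it is worth checking that every file the tls section points to actually exists once ${raddbdir} is expanded, because a typo in one of those paths is otherwise only reported at start-up. The following script is an added example, not part of the original tutorial: it pulls the *_file settings out of an eap.conf, substitutes the raddbdir value you pass in, and reports anything missing or unreadable. The function names and the temporary-directory demo are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: pre-flight check that
# every "*_file = ..." path in an eap.conf exists and is readable after
# expanding ${raddbdir}. Assumes the tutorial's layout (raddbdir =
# /etc/raddb) unless a different directory is passed in.

# missing_eap_files EAP_CONF RADDBDIR
# prints one line per referenced file that is missing or unreadable
# (RADDBDIR must not contain '|' or '&', which sed would misread)
missing_eap_files() {
    conf=$1; raddbdir=$2
    grep -E '^[[:space:]]*[A-Za-z_]*_file[[:space:]]*=' "$conf" |
        sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e "s|\\\${raddbdir}|$raddbdir|g" |
        while read -r path; do
            [ -r "$path" ] || echo "$path"
        done
}

# check_eap_files EAP_CONF RADDBDIR
# returns 0 when every referenced file is present and readable
check_eap_files() {
    [ -z "$(missing_eap_files "$1" "$2")" ]
}

# Stand-alone demo against a constructed copy of the tutorial's tls {}
# block in a temporary directory (not /etc/raddb); the files are empty
# placeholders, the password is a placeholder too.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/certs"
for f in server_keycert.pem cacert.pem dh random; do
    : > "$demo_dir/certs/$f"
done
cat > "$demo_dir/eap.conf" <<'EOF'
tls {
    private_key_password = PLACEHOLDER
    private_key_file = ${raddbdir}/certs/server_keycert.pem
    certificate_file = ${raddbdir}/certs/server_keycert.pem
    CA_file = ${raddbdir}/certs/cacert.pem
    dh_file = ${raddbdir}/certs/dh
    random_file = ${raddbdir}/certs/random
}
EOF
if check_eap_files "$demo_dir/eap.conf" "$demo_dir"; then
    echo "ok: all files referenced by eap.conf are present"
fi
rm "$demo_dir/certs/dh"   # simulate a forgotten DH file
echo "missing now: $(missing_eap_files "$demo_dir/eap.conf" "$demo_dir")"
rm -rf "$demo_dir"
```

On the server itself the call is `check_eap_files /etc/raddb/eap.conf /etc/raddb`; run it as the radiusd user (for example via `su -s /bin/sh radiusd`) so the readability test reflects the permissions radiusd will actually have.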


4.8 Add a radius client for the wireless access point in /etc/raddb/clients.conf:

For the dlink AP3200:

client 192.168.0.53 {
    secret = <dlink secret phrase>
    shortname = AP3200
    nastype = other
}


4.9 Modify /etc/raddb/radiusd.conf:

I didn't modify radiusd.conf, but make sure the following are uncommented. (Yes, it can be tuned further, e.g. dropping or adding support for other protocols, unloading unused modules, increasing performance, etc. That's up to you.)

log_auth = yes

authorize {
    preprocess
    chap
    mschap
    suffix
    pap
    eap
    files
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    # unix
    eap
}


4.10 Modify /etc/raddb/users & start the server.

Create a user at the top of the file:

faheem Cleartext-Password := "khan"

Now start the radius server:

/etc/init.d/radiusd start


Step 5 ****************** Configuring the Access Point *********************

Now set the AP to use "WPA Enterprise auto" or "WPA2 Enterprise" and point it to the radius server's IP address and port. The secret field must be the same as the one in /etc/raddb/clients.conf (i.e. in our case the "dlinksecret" phrase).
