Wifi Authentication/Accounting With FreeRadius On CentOS 5 - Page 3

Step 6 ******************** Configure end wifi clients ********************

Install certificates

Certification authority certificate CA.der (with the certificate method described above, it should be cacert.der).

Server certificate with keys server.p12 (with the certificate method described above, it should be server_keycert.p12).

Note: The following screenshots are from Windows 2003 server. But it shouldn't be very different for Windows XP.

Go to “start”, select “run” and type “mmc”.

Follow the same procedure to import the server.p12 certificate into the “trusted Root” section.

That is it for EAP/PEAP (TTLS), but for TLS you also need to import/install the client certificate. (You would also need to modify your eap.conf file for TLS.)


Configuring the wifi interface

Open “My network neighborhood” and choose your access point, in this case “AP3200” (not really: it's named mydlink here).

  • Press “ok”, “ok” and “ok”. You're done configuring the wifi.
  • Immediately “disable” the wifi interface: right-click and choose “disable”.
  • After a second or two, re-enable the wifi interface. You should be prompted for username/password/login domain.
  • Simply supply the username/password and press “ok”.
  • You should connect in less than a second.

Congratulations, you have configured a WPA1/2 enterprise wifi network.

Possible problems/Solutions:

  • FreeRADIUS not compiled with OpenSSL support. (Google.)
  • Certificates not installed correctly. (Use the demo certificates or an automating script.)
  • End client XP does not support the protocol. (Install the latest service pack.)
  • Client/AP not communicating. (Turn off the firewall or open the ports.)
  • AP not communicating. (Reset/restart or update the firmware.)
  • Client not getting authenticated. (Check the logs / run the FreeRADIUS server in debug mode, e.g. radiusd -X -z.)



Note: Many thanks to the freeradius.org developers, forum members and the people who wrote the articles/howtos mentioned below.


10 Comment(s)


From: T at: 2009-07-17 16:28:05

Just wanted to point out that for the openssl options:

-extensions xpclient_ext -extfile /etc/ssl/xpextensions

to work, you will need the xpextensions file itself, and cp it to /etc/ssl or change the path to where it is.

The file is included with freeradius in the $RADHOME/certs directory and can just be cp'd to /etc/ssl from there, or change the option to $RADHOME/certs/xpextensions (i.e. -extfile /usr/local/raddb/certs/xpextensions).

From: at: 2009-07-28 04:48:06

Yeah, I missed that one out. In case nobody has it in his folder/directories, here is the content of the file. Just create the file with the said name with the following entries.

In the tutorial's context, it ought to be at /etc/ssl.

[root@mycentos /etc/ssl]# cat xpextensions
[ xpclient_ext]
extendedKeyUsage =

[ xpserver_ext ]
extendedKeyUsage =
[root@mycentos /etc/ssl]#
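The two comments above refer to the xpextensions file that ships in the FreeRADIUS certs directory, but the listing as reproduced here has lost the values on the extendedKeyUsage lines. The following shell script is an added example, not the article's or the commenter's file: it writes a complete xpextensions carrying the standard RFC 5280 extended-key-usage OIDs (id-kp-clientAuth and id-kp-serverAuth, the two EKUs the FreeRADIUS file sets and that Windows supplicants check), reads the OID back per section, and, where openssl is available, issues a throw-away client certificate with the same -extensions/-extfile flags the comment mentions and prints the EKU it ended up with. The scratch directory and the demo subject names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or its comments): a complete
# xpextensions file plus a check that a certificate issued with it carries
# the intended extended key usage. The scratch directory is an assumption;
# the comment above puts the real file at /etc/ssl/xpextensions.

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumed scratch location
XPEXT="$WORKDIR/xpextensions"

# Write the file. The OIDs are the RFC 5280 id-kp-clientAuth and
# id-kp-serverAuth values; OpenSSL config files accept '#' comments.
write_xpextensions() {
    cat > "$XPEXT" <<'EOF'
[ xpclient_ext ]
# 1.3.6.1.5.5.7.3.2 = id-kp-clientAuth: Windows requires this EKU on
# EAP-TLS client certificates
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
# 1.3.6.1.5.5.7.3.1 = id-kp-serverAuth: Windows requires this EKU on the
# RADIUS server certificate before PEAP/TTLS will accept it
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
}

# Print the extendedKeyUsage value configured in one section of the file.
# usage: eku_for_section <section-name>
eku_for_section() {
    awk -v want="$1" '
        /^\[/ { cur = $0; gsub(/[^A-Za-z0-9_]/, "", cur); next }
        cur == want && /^extendedKeyUsage/ { sub(/.*= */, ""); print; exit }
    ' "$XPEXT"
}

# Issue a throw-away CA and client certificate using xpclient_ext, then show
# the EKU that was actually written into the certificate. Needs openssl;
# skipped (with a message) when it is not installed.
issue_and_check_client_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping"; return 0; }
    (
        cd "$WORKDIR" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
            -keyout ca.key -out ca.pem 2>/dev/null
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
            -keyout client.key -out client.csr 2>/dev/null
        # Same -extensions/-extfile flags the comments above refer to.
        openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
            -days 30 -extensions xpclient_ext -extfile "$XPEXT" -out client.pem 2>/dev/null
        # Expect "TLS Web Client Authentication" on the line after the header.
        openssl x509 -in client.pem -noout -text | grep -A1 'Extended Key Usage' \
            || echo "no Extended Key Usage found in client.pem"
    )
}

write_xpextensions
echo "client EKU OID: $(eku_for_section xpclient_ext)"
echo "server EKU OID: $(eku_for_section xpserver_ext)"
issue_and_check_client_cert
```

Once the real file is in place, the same `openssl x509 -noout -text | grep -A1 'Extended Key Usage'` check against the issued server and client certificates confirms that the `-extensions` section named on the command line was actually applied.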

From: Eric Geier at: 2009-11-16 17:10:07

If you don't want to setup your own server, consider an outsourced RADIUS/802.1X service like from NoWiresSecurity: http://www.nowiressecurity.com/

From: at: 2010-06-22 05:14:03

Even better, try CIITIX-WiFi, a turn-key secure wifi solution; you can set it up in under 5 minutes, even as an AAA newbie.

Check out this nifty howto

From: Anonymous at: 2011-10-27 14:50:01

Why is it showing this error?


TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
rlm_eap: SSL error error
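The handshake excerpt quoted in the comment above and the article's troubleshooting step (run the server in debug mode with radiusd -X) both come down to the same question: at which TLS step did the exchange stop? The shell/awk script below is an added example, not part of the article or the comment: it reads radiusd -X output, reports the last TLS_accept step that completed before the first error, and attaches a triage hint for the most common case. The sample log is constructed from the lines quoted above, and the hints are common causes from practice rather than anything the article states.

```shell
#!/bin/sh
# Added example (not from the article or its comments): find where an EAP TLS
# handshake died in "radiusd -X" output.

# Constructed sample of radiusd -X debug output, based on the lines quoted
# in the comment above.
SAMPLE_LOG='    TLS_accept: before/accept initialization
    TLS_accept: SSLv3 read client hello A
    TLS_accept: SSLv3 write server hello A
    TLS_accept: SSLv3 write certificate A
    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
rlm_eap: SSL error error'

# Read radiusd -X output on stdin and print "<last completed step>|<failed step>".
# Prints "<last completed step>|none" when the excerpt has no TLS_accept error.
tls_failure_point() {
    awk '
        /TLS_accept: *error/ {
            sub(/.*TLS_accept: *error in */, "")
            print last "|" $0; found = 1; exit
        }
        /TLS_accept:/ { sub(/.*TLS_accept: */, ""); last = $0 }
        END { if (!found) print last "|none" }
    '
}

# Triage hint for a "<last step>|<failed step>" pair. Common causes from
# practice, not something the article claims; confirm against the client's
# own logs before changing anything.
tls_hint() {
    case "$1" in
        *"|SSLv3 read client certificate A")
            echo "The client stopped responding right after the server sent its certificate." \
                 "Check that the CA certificate is installed in the client's Trusted Root store" \
                 "and that the EAP type (PEAP/TTLS/TLS) matches on both sides." ;;
        *"|none")
            echo "No TLS error in this excerpt." ;;
        *)
            echo "Handshake failed at '${1#*|}' after '${1%|*}':" \
                 "look at the TLS Alert lines just above the error in the radiusd -X output." ;;
    esac
}

result=$(printf '%s\n' "$SAMPLE_LOG" | tls_failure_point)
echo "failure point: $result"
tls_hint "$result"
```

To use it on a live server, pipe the debug output through it, for example `radiusd -X 2>&1 | tee radiusd-debug.log` and then `tls_failure_point < radiusd-debug.log`; the script only reads TLS_accept lines, so the rest of the debug output can stay as it is.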

From: Anonymous at: 2009-03-06 04:47:50

Just wanted to point out that using PEAP/MSCHAP with any RADIUS server requires that you store passwords in the clear or in NT-hash format. Since most back-end user databases do not support NT-hash, one is left with few alternatives: accepting the risk or having a Windows AD.


This is an article that clarifies this point :

Securing your wireless network with PEAP/MSCHAP requires Windows AD


From: at: 2008-07-23 09:16:01

Thanks for the tutorial!

A question: as far as you know, does this work with smartphones? I mean, do they accept the self-signed certificate?

I heard it is impossible to make smartphones connect to WPA enterprise class networks without a CA-signed certificate.

From: at: 2008-09-05 04:02:45

Hmm, sorry, never tried that. But theoretically it should work since, in this context, you are creating your own CA and signing and dishing out your own client certificates. Let me know if it worked for smartphones. I'm guessing it will work; otherwise it'll be hard to change their names (phones, i.e.).

From: hada at: 2008-10-16 23:17:25

Works on Nokia N95 and the latest firmware. OS: Symbian s60 v.3

From: bwiechman at: 2009-07-23 02:28:55

Freeradius v2.x rpms are now available for RHEL 5/CentOS 5 as well. See http://wiki.freeradius.org/Red_Hat_FAQ#Current_Pre-built_RPM.27s_for_RHEL_5_and_CentOS_5