Distroname and release: Debian Squeeze
Freeradius with EAP-PEAP (TLS)
Note: this requires Debian Squeeze or newer, since the OpenSSL libraries were only included in the Debian freeradius package from version 2.1.8. More info here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=266229
If you are running Lenny, or a freeradius version on Debian older than 2.1.8, you must compile freeradius from source to include TLS support.
It is possible to use EAP-TLS instead of EAP-PEAP. This method requires that each client that needs to connect has a personal certificate installed, instead of using the username/password option. The howto will most likely be upgraded to support this at a later time, I hope. :)
Here it is "just" used for my wireless connections, so I can create a "guest" account for people when they need to join my network, since I would rather not give out my wireless password. It is also very useful if you want someone to have temporary access to a network.
Installation
Installing the freeradius package will pull in other packages as well, which come in handy, like freeradius-utils.
apt-get install freeradius
When the installation runs for the first time, you will notice that it creates a DH parameters file for use with freeradius. This can take a little while, so just be patient. It will also create certificates to use. If not, starting the server in debugging mode should create these if they do not exist.
freeradius -X
Create the certificates
It is possible to use the test/demo certificates to test the setup and quickly have a running RADIUS server. After you have tested that your freeradius setup is working, it is highly recommended to use your own CA on the freeradius server and create your own certificate(s). To get started quickly, we will use the demo certificates we got when we installed freeradius.
Using the Test / Demo CA
When installing freeradius, it automatically creates certificates to use with freeradius. We will use these in this setup. Now make sure that the password for the key file is the same in both the eap.conf file and the demo CA key file.
The default password is "whatever" in both eap.conf and the CA key file, but please check this.
For the certificate, check the ca.cnf file.
cat /usr/share/doc/freeradius/examples/certs/ca.cnf | grep pass
input_password = whatever
output_password = whatever
For the freeradius server, check the eap.conf file.
Note: if you use your own CA, which means you must use the CA's key file, remember to change the password in eap.conf.
cat /etc/freeradius/eap.conf | grep passw
#  the users password will go over the wire in plain-text,
#  or crypt'd passwords.
private_key_password = whatever
This looks OK, let us continue.
Using your own CA - Optional
After everything is working, you can come back to this step and see how to use your own CA together with freeradius. I assume you already have a working CA up and running.
First we need to create the DH parameters file.
openssl dhparam -out /etc/freeradius/certs/dh 1024
Copy the certificates and set permissions so that freeradius can read the files.
I assume a ca.key and ca.crt file were previously created; if not, you must create them prior to this step.
cd /etc/freeradius/certs
cat /root/ssl/ca.key /root/ssl/ca.crt > server.pem
cp /root/ssl/ca.key server.key
cp /root/ssl/ca.crt ca.pem
chown root:freerad *
chmod 640 *
Configuration
The main config files are eap.conf and radiusd.conf, but there is no need to make any changes in these files. The defaults work fine, but special setups and tweaks can be done here. For example, it is possible to change the default EAP type in eap.conf.
Find the eap section in the file and change the setting to:
eap {
        default_eap_type = peap
Configuring access for our RADIUS clients, for example an Access Point
Use a strong shared secret, since this is the key that secures the RADIUS traffic between your RADIUS client and the server, and therefore underpins your WPA/WPA2 setup. Let's add our AP to the clients.conf file.
/etc/freeradius/clients.conf
client 192.168.10.50 {
secret = my_Sup4r_SeCret_Pa$
shortname = Access-Point_Office
}
Remember to add the RADIUS server afterwards in the AP's configuration.
Create your users, as shown below, by adding them to the end of the users file. The password is in cleartext, but this is OK, since we are running an encrypted connection with WPA or WPA2. WPA2 is highly recommended.
Unless of course the server gets compromised.
So, as said earlier, use strong passwords for the RADIUS connection when storing them as clear-text passwords.
Add your users to the end of the users file as shown below; again, use strong passwords (not like these).
/etc/freeradius/users
testuser1 Cleartext-Password := "mysecretpassword"
"testuser 2" Cleartext-Password := "anothersecretpassword"
"test user3" Cleartext-Password := "logmein"
Example with an encrypted password; please see the list of compatible options here: http://deployingradius.com/documents/protocols/compatibility.html
Generating an encrypted password with SHA.
echo -n "test" | shasum
a94a8fe5ccb19ba61c4c0873d391e987982fbbd3  -
Generating an encrypted password with NT. We are going to use the "NT Hash" value only.
smbencrypt test
LM Hash                          NT Hash
-------------------------------- --------------------------------
01FC5A6BE7BC6929AAD3B435B51404EE 0CB6948805F797BF2A82807973B89537
/etc/freeradius/users
testuser4 NT-Password := "0CB6948805F797BF2A82807973B89537"
testuser5 SHA-Password := "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3"
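The hashed entries above can also be produced without shasum or smbencrypt. The following is an added example, not part of the original howto: it computes the NT hash (MD4 over the UTF-16LE encoded password, implemented inline because hashlib's md4 is often unavailable on newer OpenSSL builds) and the SHA1 hash, and emits the two users-file lines. The function names md4, nt_hash, sha_hash and users_entries are chosen here; the password "test" is the page's own sample value.

```python
import hashlib
import struct


def md4(data: bytes) -> bytes:
    """Plain MD4 (RFC 1320); hashlib's md4 is often missing on OpenSSL 3 builds."""
    mask = 0xFFFFFFFF
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rot = lambda x, s: ((x << s) | (x >> (32 - s))) & mask
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: F, message words in order
            a = rot((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G, words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = rot((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H, words 0,8,4,12,2,10,...
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rot((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = [(s + t) & mask for s, t in zip((a0, b0, c0, d0), (a, b, c, d))]
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT-Password value: MD4 over the UTF-16LE password, upper-case hex like smbencrypt."""
    return md4(password.encode("utf-16le")).hex().upper()


def sha_hash(password: str) -> str:
    """SHA-Password value: SHA1 over the raw password bytes, as shasum prints it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def users_entries(username: str, password: str) -> list:
    """Two lines ready to append to /etc/freeradius/users (names with spaces get quoted)."""
    name = f'"{username}"' if " " in username else username
    return [
        f'{name} NT-Password := "{nt_hash(password)}"',
        f'{name} SHA-Password := "{sha_hash(password)}"',
    ]
```

Running users_entries("testuser4", "test") reproduces the NT and SHA values shown above; pick one line per user depending on which EAP method you need (PEAP/MSCHAPv2 needs the NT-Password).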
Now we are ready to start/restart freeradius.
service freeradius restart
If something fails, I would recommend that you start freeradius in debugging mode, because it will show you a very detailed output of what is happening.
freeradius -X
Testing
Use radtest to test that everything is working. I found this very useful, since I had so much trouble getting the authentication to work the way I wanted.
Note the shared secret at the end (testing123); this can and should be changed in the clients.conf file. For now we will just leave it at the default while testing.
It should give an Access-Accept packet; if you get a reject, go through the configuration and make sure that the users are created correctly!
radtest testuser1 "mysecretpassword" localhost 1812 testing123
Sending Access-Request of id 83 to 127.0.0.1 port 1812
        User-Name = "testuser1"
        User-Password = "mysecretpassword"
        NAS-IP-Address = 192.168.1.2
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=83, length=20
Testing mschap.
If this fails, it will not be possible to connect WiFi users with PEAP. Note that ONLY clear-text and NT passwords are supported here.
For a list of compatible password, protocol and encryption options, see:
http://deployingradius.com/documents/protocols/compatibility.html
radtest -t mschap testuser1 mysecretpassword 127.0.0.1:18120 0 testing123
Sending Access-Request of id 153 to 127.0.0.1 port 18120
        User-Name = "testuser1"
        NAS-IP-Address = 192.168.1.2
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0xc2a8201acde6b00f
        MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000004cd7d72c9d83adc8dc0f772e0e59e5bfab11d412b7e88e7e
rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=153, length=84
        MS-CHAP-MPPE-Keys = 0x00000000000000002066656e05c22f3a995ad9ecfed913d60000000000000000
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
Now you are done with this VERY basic setup of FreeRADIUS, and you should be ready to connect clients with PEAP (TLS) to your WiFi network.
Connecting the clients
I did some tests with a Windows XP Pro client, and discovered that some default settings need changes before it can connect. First of all, make sure that the EAP type is Protected EAP (PEAP); next go to the properties, press the Configure button on the authentication method, and remove the checkmark for "Automatically use my Windows logon name and password". If this is checked, it will use the local user credentials logged on to the workstation, and most likely this is not what you want.
If the root CA certificate is not installed on the clients, you will get a certificate warning; you can accept this, or better, install the root CA certificate on the client.