For those who are interested in setting up PEAP/MSCHAP under Freeradius 2.14, I wrote a simple how-to. I hope it could help someone. :)
INSTALLATION PROCESS: FREERADIUS 2.14 (PEAP – MSCHAP)

===
OS:
===
- Ubuntu Server 8.10

======
SWITCH:
======
- HP 2600

==========
Pre-requisites:
==========
- Samba installed (or: sudo apt-get install samba smbfs)
- Kerberos installed (or: sudo apt-get install krb5-clients krb5-user)

==============
Table of contents:
==============
* Setting Procurve HP Switch
* Installation of OpenSSL 0.9.8j
* Installation of Freeradius 2.14
* Integrate the radius server to the domain
* Testing to join the AD domain
* Authenticate with NTLM using EAP – PEAP
* Configuring Freeradius
* Testing authentication process
* Starting freeradius into background mode

=====================
Setting Procurve HP Switch:
=====================

    ; J4900B Configuration Editor; Created on release #H.10.67
    hostname "SWiTCH"
    no web-management
    web-management ssl
    no telnet-server
    ip ssh
    interface 1
       no lacp          ; see [1] at the bottom of the page
       exit
    [...]
    interface 26
       no lacp
       exit
    vlan 1
       name "XXXX"
       untagged 1-26
       exit
    vlan 2
       name "YYYYY"
       ip address 192.168.2.1 255.255.255.0
       ip helper-address 192.168.0.2
       exit
    aaa authentication port-access eap-radius
    radius-server key testing123
    radius-server timeout 1
    radius-server dead-time 1
    radius-server host 172.28.32.16
    aaa port-access authenticator 17-24
    aaa port-access authenticator 17 auth-vid 2
    aaa port-access authenticator 17 unauth-vid 3
    [...]
    aaa port-access authenticator 24 auth-vid 2
    aaa port-access authenticator 24 unauth-vid 3
    aaa port-access authenticator active
    aaa port-access 17-24
    ip routing
    gvrp

=======================
Installation of OpenSSL 0.9.8j:
=======================

    $ wget http://www.openssl.org/source/openssl-0.9.8j.tar.gz
    $ tar xzf openssl-0.9.8j.tar.gz
    $ cd openssl-0.9.8j
    $ ./config --prefix=/usr/local/openssl shared
    $ make
    $ sudo make install

======================
Installation of Freeradius 2.14:
======================

    $ wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.3.tar.gz
    $ tar xzf freeradius-server-2.1.3.tar.gz
    $ cd freeradius-server-2.1.3
    $ ./configure --with-openssl --with-openssl-includes=/usr/local/openssl/include/ --with-openssl-libraries=/usr/local/openssl/lib/
    $ make
    $ sudo make install

PS: If needed, run "sudo ldconfig"; in case of an error, consult the file "config.log".

====================
Configuration of Freeradius:
====================
The main configuration files are:
- clients.conf (declaration of switches and their shared secrets)
- radiusd.conf (listening ports)
- users (create a local base of users, or select the method used for authentication/authorization)
- eap.conf (select the EAP method)

* File /usr/local/etc/raddb/clients.conf:
Declare your switch like this:

    client 192.168.1.1 {
            secret = testing123
    }

* File /usr/local/etc/raddb/users:
At the bottom of the file, just add (for testing purposes only):

    DEFAULT Auth-Type = MS-CHAP

* File /usr/local/etc/raddb/eap.conf (the peap sub-section sits inside the eap section):

    eap {
            default_eap_type = peap
            …
            peap {
                    default_eap_type = mschapv2
                    …
            }
    }

===============================
Integrate the radius server to the domain:
===============================

* File /etc/samba/smb.conf:

    [global]
    # network name
    workgroup = DOMAINTEST
    # AD domain name (you have to create this line, it doesn't exist in the config file)
    realm = DOMAINTEST.LOCAL
    # server's name
    server string = Freeradius
    # security mode
    security = ADS

* File /etc/krb5.conf:

    [libdefaults]
    default_realm = DOMAINTEST.LOCAL

    [realms]
    DOMAINTEST.LOCAL = {
            kdc = activedirectory.domaintest.local
            admin_server = IP_of_AD_Server
            default_domain = DOMAINTEST.LOCAL
    }

    [domain_realm]
    domaintest.local = DOMAINTEST.LOCAL

* File /etc/resolv.conf:

    nameserver IP_of_AD_Server
    domain DOMAINTEST.LOCAL
    search DOMAINTEST.LOCAL

* File /etc/nsswitch.conf:

    passwd: files winbind
    group:  files winbind

======================
Testing to join the AD domain:
======================

    $ sudo net ads join -U administrateur

If it works, you will get:

    Joined 'FREERADIUS' to realm 'test.fr'

PS: If needed, synchronize the time between the server running Freeradius and the AD server:

    $ sudo ntpdate IP_of_AD_Server

======================================
Authenticate with NTLM using EAP – PEAP:
======================================

=============
Testing purpose:
=============

    $ sudo ntlm_auth --request-nt-key --domain=DOMAINTEST.LOCAL --username=existing_user
    password: ******

If everything is fine, the command returns:

    NT_STATUS_OK: Success (0x0)

======================================
Configuring Freeradius to use NTLM authentication:
======================================

* File /usr/local/etc/raddb/modules/mschap:
Uncomment the last line and modify it like this:

    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-DOMAINTEST} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

=======================
Testing authentication process:
=======================

In a terminal, run:

    $ sudo radiusd -X -xx

And in another terminal:

    $ sudo radtest user password localhost 0 testing123

You will receive (if everything goes well):

    rad_recv: Access-Accept

===============================
Starting freeradius into background mode:
===============================

Just put this line into the /etc/rc.local file:

    /usr/local/sbin/rc.radiusd start

[1] Link Aggregation Control Protocol (LACP) is part of an IEEE specification (802.3ad) that allows you to bundle several physical ports together to form a single logical channel. LACP allows a switch to negotiate an automatic bundle by sending LACP packets to the peer.

--
View this message in context: http://www.nabble.com/-How-To--Freeradius-2.14-%28PEAP-%E2%80%93-MSCHAP%29-tp22433641p22433641.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
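The how-to declares the switch in clients.conf and sets the same shared secret on the ProCurve side; a mismatch makes every Access-Request fail, and the value used there (testing123) is the secret from the FreeRADIUS example files. The following script is an added example, not code from the post or from FreeRADIUS: it parses both snippets (constructed here from the post's text) and reports a missing client block, a secret that differs between switch and server, or a published example secret. The list of example secrets and the 16-character minimum are assumptions of this example.

```python
"""Added example (not from the how-to): cross-check the RADIUS shared secret between the
ProCurve switch config and FreeRADIUS clients.conf, and flag published example secrets."""
import re

# Assumption: secrets that appear in vendor docs and examples; never deploy them.
EXAMPLE_SECRETS = {"testing123", "secret", "radius", "password"}
MIN_SECRET_LEN = 16  # assumption: a reasonable floor for a RADIUS shared secret

# Constructed from the post's snippets; 192.168.1.1 is the switch IP declared in clients.conf.
SWITCH_CFG = """hostname "SWiTCH"
radius-server key testing123
radius-server host 172.28.32.16
"""
CLIENTS_CONF = """client 192.168.1.1 {
        secret = testing123
}
"""

def parse_clients_conf(text):
    """Return {client: {key: value}} for every 'client X { ... }' block."""
    clients = {}
    for m in re.finditer(r"client\s+(\S+)\s*\{(.*?)\}", text, re.S):
        body = {}
        for line in m.group(2).splitlines():
            line = line.split("#", 1)[0].strip()  # drop trailing comments
            if "=" in line:
                k, v = line.split("=", 1)
                body[k.strip()] = v.strip().strip('"')
        clients[m.group(1)] = body
    return clients

def switch_radius_key(text):
    """Return the 'radius-server key' value from a ProCurve config, or None."""
    m = re.search(r"^\s*radius-server key (\S+)", text, re.M)
    return m.group(1) if m else None

def audit(switch_cfg, clients_conf, switch_ip):
    """Return findings; an empty list means the pair is consistent and not a known default."""
    entry = parse_clients_conf(clients_conf).get(switch_ip)
    if entry is None:
        return [f"no client block for {switch_ip}: FreeRADIUS silently drops its requests"]
    secret = entry.get("secret", "")
    findings = []
    if secret != switch_radius_key(switch_cfg):
        findings.append("switch key and clients.conf secret differ: authentication will fail")
    if secret in EXAMPLE_SECRETS:
        findings.append(f"'{secret}' is a published example secret")
    elif len(secret) < MIN_SECRET_LEN:
        findings.append(f"secret shorter than {MIN_SECRET_LEN} characters")
    return findings
```

Running audit(SWITCH_CFG, CLIENTS_CONF, "192.168.1.1") on the post's values reports only the example-secret finding; replacing the secret on both sides with a long random value clears it.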

