PEAP (Protected Extensible Authentication Protocol) is an authentication method based in two simple steps:

  1. The client establishes a TLS session with the server.
  2. The server authenticates the client over the same digital certified with a RADIUS server.

This allows EAP use insecure authentication protocols like MS-CHAP v2 (Microsoft version of CHAP used in this tutorial because is the default type supported by windows clients) with a secure tunnel.

RADIUS (Remote Authentication Dial In User Service) is a network protocol that provides Authentication, Authorization and Accounting to connect network services.

I’ll configure a simple scenario with an access point authenticating the wireless access with FreeRADIUS:


 Configuring FreeRADIUS

1.- Install freeradius:

# apt-get install freeradius

2.- Edit EAP method:

# vi /etc/freeradius/eap.conf:
default_eap_type = peap

3.- Adding new users :

# vi /etc/freeradius/users

tuxuser Cleartext-Password := "P@sswd4Tux"
tuxadmin Cleartext-Password := "P@sswrd4Admin"

4.- Enabling and configuring mschap-v2 protocol:

# vi /etc/freeradius/modules/mschap

use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes

5.- Reloading new libraries:

# ldconfig

6.- Add new radius clients (Access point):

# vi /etc/freeradius/clients.conf

client {
secret = 0peN2d0!
shortname = Linksys WRT160NL

7.- Restarting service and testing radius authentication:

# service freeradius restart
# radtest tuxuser P@sswd4Tux 1812 0peN2d0!

Configuring Access Point:


Configuring the client (Android based phone):


Official page of FreeRADIUS project:

Configuring PEAP authentication with FreeRADIUS
Tagged on:                     

4 thoughts on “Configuring PEAP authentication with FreeRADIUS

  • June 12, 2013 at 11:16

    Doesn’t work for me for some reason (CentOS 6):
    I do this:
    [root@alex-test raddb]# radtest test test localhost 1812 lhmtnetwork
    Sending Access-Request of id 251 to port 1812
    User-Name = “test”
    User-Password = “test”
    NAS-IP-Address =
    NAS-Port = 1812
    Message-Authenticator = 0x00000000000000000000000000000000
    And it doesn’t ever receive a reply back… Did everything just like written

  • June 12, 2013 at 11:23

    I’m sorry my bad. Just did not specify the network mask in clients.conf. Thank you for this great material!

  • September 15, 2013 at 21:58


    I tried to install the freeradius server. After I set everything, i connected with my phone, i got an ip address, but after that i look the wlan settings and the phone delete mschapv2 options. Any idea?


  • June 18, 2014 at 18:09

    Perfect, good job, blesses


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.


Get every new post delivered to your Inbox

Join other followers: