PEAP (Protected Extensible Authentication Protocol) is an authentication method based in two simple steps:

  1. The client establishes a TLS session with the server.
  2. The server authenticates the client over the same digital certified with a RADIUS server.

This allows EAP use insecure authentication protocols like MS-CHAP v2 (Microsoft version of CHAP used in this tutorial because is the default type supported by windows clients) with a secure tunnel.

RADIUS (Remote Authentication Dial In User Service) is a network protocol that provides Authentication, Authorization and Accounting to connect network services.

I’ll configure a simple scenario with an access point authenticating the wireless access with FreeRADIUS:

Image

 Configuring FreeRADIUS

1.- Install freeradius:

# apt-get install freeradius

2.- Edit EAP method:

# vi /etc/freeradius/eap.conf:
default_eap_type = peap

3.- Adding new users :

# vi /etc/freeradius/users

tuxuser Cleartext-Password := "[email protected]"
tuxadmin Cleartext-Password := "[email protected]"

4.- Enabling and configuring mschap-v2 protocol:

# vi /etc/freeradius/modules/mschap

use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes

5.- Reloading new libraries:

# ldconfig

6.- Add new radius clients (Access point):

# vi /etc/freeradius/clients.conf

client 192.168.1.2/24 {
secret = 0peN2d0!
shortname = Linksys WRT160NL
}

7.- Restarting service and testing radius authentication:

# service freeradius restart
# radtest tuxuser [email protected] 192.168.1.10 1812 0peN2d0!


Configuring Access Point:

Image

Configuring the client (Android based phone):

ImageImage

Official page of FreeRADIUS project:

http://freeradius.org/

Configuring PEAP authentication with FreeRADIUS
Tagged on:                     

4 thoughts on “Configuring PEAP authentication with FreeRADIUS

  • June 12, 2013 at 11:16
    Permalink

    Doesn’t work for me for some reason (CentOS 6):
    I do this:
    [[email protected] raddb]# radtest test test localhost 1812 lhmtnetwork
    Sending Access-Request of id 251 to 127.0.0.1 port 1812
    User-Name = “test”
    User-Password = “test”
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1812
    Message-Authenticator = 0x00000000000000000000000000000000
    And it doesn’t ever receive a reply back… Did everything just like written

    Reply
  • June 12, 2013 at 11:23
    Permalink

    I’m sorry my bad. Just did not specify the network mask in clients.conf. Thank you for this great material!

    Reply
  • September 15, 2013 at 21:58
    Permalink

    Hello!

    I tried to install the freeradius server. After I set everything, i connected with my phone, i got an ip address, but after that i look the wlan settings and the phone delete mschapv2 options. Any idea?

    Thanks.
    Zolee

    Reply
  • June 18, 2014 at 18:09
    Permalink

    Perfect, good job, blesses

    Reply

Leave a Reply

Follow

Get every new post delivered to your Inbox

Join other followers: