PEAP (Protected Extensible Authentication Protocol) is an authentication method based on two simple steps:
- The client establishes a TLS session with the server.
- The server authenticates the client over that same certificate-protected session, using a RADIUS server.
This allows EAP to use insecure authentication protocols like MS-CHAP v2 (Microsoft's version of CHAP, used in this tutorial because it is the default type supported by Windows clients) inside a secure tunnel.
RADIUS (Remote Authentication Dial In User Service) is a network protocol that provides Authentication, Authorization and Accounting for connections to network services.
I’ll configure a simple scenario with an access point authenticating the wireless access with FreeRADIUS:
Configuring FreeRADIUS
1.- Install freeradius:
# apt-get install freeradius
2.- Edit EAP method:
# vi /etc/freeradius/eap.conf
default_eap_type = peap
3.- Adding new users:
# vi /etc/freeradius/users
tuxuser Cleartext-Password := "P@sswd4Tux"
tuxadmin Cleartext-Password := "P@sswrd4Admin"
4.- Enabling and configuring mschap-v2 protocol:
# vi /etc/freeradius/modules/mschap
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
5.- Reloading new libraries:
# ldconfig
6.- Add new radius clients (Access point):
# vi /etc/freeradius/clients.conf
client 192.168.1.2/24 {
    secret = 0peN2d0!
    shortname = Linksys WRT160NL
}
7.- Restarting service and testing radius authentication:
# service freeradius restart
# radtest tuxuser P@sswd4Tux 192.168.1.10 1812 0peN2d0!
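What the radtest check in step 7 puts on the wire, as an added example that is not part of the original tutorial or of FreeRADIUS: the shared secret from clients.conf hides User-Password (RFC 2865), keys Message-Authenticator (RFC 3579), and lets the client verify the server's reply. The request authenticator, packet id and NAS-IP-Address are constructed sample values; a real client uses a random authenticator per request.

```python
import hashlib, hmac, socket, struct

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):
    """Server side: recover the password with the secret from clients.conf."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(user, password, secret, ident, req_auth, nas_ip, nas_port):
    attrs = (attr(1, user)                                         # User-Name
             + attr(2, hide_password(password, secret, req_auth))  # User-Password
             + attr(4, socket.inet_aton(nas_ip))                   # NAS-IP-Address
             + attr(5, struct.pack("!I", nas_port))                # NAS-Port
             + attr(80, b"\x00" * 16))                             # Message-Authenticator
    pkt = struct.pack("!BBH16s", 1, ident, 20 + len(attrs), req_auth) + attrs
    # RFC 3579: HMAC-MD5 over the packet with the field zeroed, keyed by the secret
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def build_reply(code, ident, req_auth, secret, attrs=b""):
    """Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply, req_auth, secret):
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

SECRET, REQ_AUTH = b"0peN2d0!", bytes(range(16))  # constructed fixed authenticator
REQUEST = build_access_request(b"tuxuser", b"P@sswd4Tux", SECRET, 251, REQ_AUTH, "127.0.0.1", 1812)
ACCEPT = build_reply(2, 251, REQ_AUTH, SECRET)    # code 2 = Access-Accept

if __name__ == "__main__":
    print(REQUEST.hex())
    print("reply authentic:", reply_is_authentic(ACCEPT, REQ_AUTH, SECRET))
```

A reply that fails `reply_is_authentic` was not produced with the same shared secret, which is what a mismatch between the access point's secret and clients.conf looks like on the client side.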
Configuring the client (Android based phone):
Official page of FreeRADIUS project:
Doesn’t work for me for some reason (CentOS 6):
I do this:
[root@alex-test raddb]# radtest test test localhost 1812 lhmtnetwork
Sending Access-Request of id 251 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
And it doesn’t ever receive a reply back… Did everything just like written
I’m sorry my bad. Just did not specify the network mask in clients.conf. Thank you for this great material!
Hello!
I tried to install the freeradius server. After I set everything, I connected with my phone, I got an IP address, but after that I looked at the WLAN settings and the phone had deleted the mschapv2 options. Any idea?
Thanks.
Zolee
Perfect, good job, blesses