Monday, September 23, 2013

[Radius] Installation of FreeRADIUS



#############################################

Installation of FreeRADIUS



First download the latest OpenSSL source (0.9.7f was used for this HOWTO).



Extract the source files from the tarball:



tar -zxvf openssl-1.0.1e.tar.gz



Install OpenSSL into /usr/local/openssl/:



./config --prefix=/usr/local/openssl shared

make

make install



Download the latest version of FreeRADIUS (freeradius-server-2.2.2.tar.gz) from www.freeradius.org.

This document refers to version 3.0.0 of FreeRADIUS.

Install FreeRADIUS with the following options, pointing configure at the OpenSSL built above:



./configure --with-openssl-includes=/usr/local/openssl/include --with-openssl-libraries=/usr/local/openssl/lib

make

make install



In order to get FreeRADIUS working, the following files must be configured:



radiusd.conf

clients.conf

eap.conf

users



After installing FreeRADIUS,

go to /usr/local/sbin/

and run "radiusd -X" (debug mode, foreground) to check that the server starts.

#############################################

radiusd.conf

prefix = /usr/local

exec_prefix = ${prefix}

sysconfdir = ${prefix}/etc

localstatedir = ${prefix}/var

sbindir = ${exec_prefix}/sbin

logdir = ${localstatedir}/log/radius

raddbdir = ${sysconfdir}/raddb

radacctdir = ${logdir}/radacct

name = radiusd

confdir = ${raddbdir}

run_dir = ${localstatedir}/run/${name}

db_dir = ${raddbdir}

libdir = ${exec_prefix}/lib

pidfile = ${run_dir}/${name}.pid

max_request_time = 30

cleanup_delay = 5

max_requests = 1024

listen {

    type = auth

    ipaddr = *

    port = 0

}

listen {

    ipaddr = *

    port = 0

    type = acct

}

hostname_lookups = no

allow_core_dumps = no

regular_expressions    = yes

extended_expressions    = yes

log {

    destination = files

    file = ${logdir}/radius.log

    syslog_facility = daemon

    stripped_names = no

    auth = no

    auth_badpass = no

    auth_goodpass = no

}

checkrad = ${sbindir}/checkrad

security {

    max_attributes = 200

    reject_delay = 1

    status_server = yes

}

proxy_requests  = yes

$INCLUDE proxy.conf

$INCLUDE clients.conf

thread pool {

    start_servers = 5

    max_servers = 32

    min_spare_servers = 3

    max_spare_servers = 10

    max_requests_per_server = 0

}

modules {

    $INCLUDE ${confdir}/modules/

    $INCLUDE eap.conf

}

instantiate {

    exec

    expr

    expiration

    logintime

}

$INCLUDE policy.conf

$INCLUDE sites-enabled/



## Add the following ##

mschap {

        use_mppe = yes

        require_encryption = yes

        require_strong = yes

}





authorize {

        preprocess

    

        chap

        mschap

        suffix

        eap {

            ok = return

        }

        files

}





authenticate {

        Auth-Type PAP {

                pap

        }

        Auth-Type CHAP {

                chap

        }

        Auth-Type MS-CHAP {

                mschap

        }

        unix

        eap

}

#############################################

clients.conf



client localhost {

    ipaddr = 127.0.0.1

    secret        = testing123

    require_message_authenticator = no

}



## Add the networks (NAS clients) that are allowed to send authentication requests

client 192.168.0.0/24 {

        secret = secret

        shortname = authenticator

}



client 10.15.0.0/16 {

        secret = secret

        shortname = authenticator

}

#############################################



Before modifying this conf, go to /usr/local/etc/raddb/certs.

Edit ca.cnf, client.cnf and server.cnf.

Each file contains the string "whatever" as the key password:

input_password        = whatever

output_password        = whatever

Change "whatever" to a password of your own.



Then type make to create the keys.
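The clients.conf above ships with the stock secret testing123 on localhost, the secret "secret" on both networks, require_message_authenticator left at no, and the certs/*.cnf files carry the default key password "whatever" until it is changed. Anyone holding the shared secret can reverse User-Password hiding and forge Access-Requests, so these are the first things worth checking on a new install. The script below is an added example, not part of the original post or of FreeRADIUS: it parses a clients.conf and the cnf fragments and reports those weaknesses. The sample configs embedded in it are constructed to mirror the post (plus one hardened client block for contrast), the 16-character minimum and the list of well-known secrets are my own thresholds, and the parser handles only the flat "client NAME { key = value }" layout used here.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the clients.conf in the post (the weak version).
WEAK_CLIENTS_CONF = """
client localhost {
    ipaddr = 127.0.0.1
    secret        = testing123
    require_message_authenticator = no
}

## Add the networks that are allowed to send authentication requests
client 192.168.0.0/24 {
        secret = secret
        shortname = authenticator
}

client 10.15.0.0/16 {
        secret = secret
        shortname = authenticator
}
"""

# Constructed hardened counterpart: one long random per-client secret and the
# Message-Authenticator check enforced.
HARDENED_CLIENTS_CONF = """
client lab_ap {
    ipaddr = 10.15.0.0/16
    secret = k9Qv2LmXp7Rz4TbW8nYc3HdF
    require_message_authenticator = yes
    shortname = lab_ap
}
"""

# Constructed fragment of certs/ca.cnf before the "whatever" strings are changed.
DEFAULT_CA_CNF = """[ req ]
input_password = whatever
output_password = whatever
"""

# Secrets that appear in FreeRADIUS example configs and HOWTOs; my own list.
KNOWN_DEFAULT_SECRETS = {"testing123", "secret", "radius", "password"}
MIN_SECRET_LENGTH = 16          # my own threshold, not a FreeRADIUS setting

BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
KV_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(\S+)", re.MULTILINE)
PASSWORD_RE = re.compile(r"^\s*(input_password|output_password)\s*=\s*(\S+)", re.MULTILINE)


def parse_clients(text: str) -> Dict[str, Dict[str, str]]:
    """Map client name -> {key: value}. Handles only the flat
    'client NAME { key = value }' layout used here; '#' comment lines are dropped."""
    code = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    return {name: {k: v.strip('"') for k, v in KV_RE.findall(body)}
            for name, body in BLOCK_RE.findall(code)}


def audit_clients(text: str) -> List[str]:
    """Findings for weak shared secrets and a disabled Message-Authenticator check
    (FreeRADIUS treats an unset require_message_authenticator as 'no')."""
    findings = []
    for name, kv in parse_clients(text).items():
        secret = kv.get("secret")
        if secret is None:
            findings.append(f"{name}: no shared secret configured")
        elif secret in KNOWN_DEFAULT_SECRETS:
            findings.append(f"{name}: shared secret '{secret}' is a well-known default")
        elif len(secret) < MIN_SECRET_LENGTH:
            findings.append(f"{name}: shared secret shorter than {MIN_SECRET_LENGTH} characters")
        if kv.get("require_message_authenticator", "no").lower() != "yes":
            findings.append(f"{name}: require_message_authenticator is not 'yes'")
    return findings


def audit_cert_cnf(text: str, filename: str) -> List[str]:
    """Flag the stock 'whatever' key password in certs/*.cnf."""
    return [f"{filename}: {key} still set to the default 'whatever'"
            for key, value in PASSWORD_RE.findall(text) if value == "whatever"]


def audit_raddb(clients_conf: str, cnf_files: Dict[str, str]) -> List[str]:
    """Run both checks: a clients.conf text plus {filename: text} for the cnf files."""
    findings = audit_clients(clients_conf)
    for filename, text in cnf_files.items():
        findings.extend(audit_cert_cnf(text, filename))
    return findings


if __name__ == "__main__":
    for line in audit_raddb(WEAK_CLIENTS_CONF, {"ca.cnf": DEFAULT_CA_CNF}):
        print(line)
    print("hardened findings:", audit_raddb(HARDENED_CLIENTS_CONF, {}))
```

Run against the post's own configuration it reports eight findings (two per client block, two for ca.cnf) and none for the hardened block; to use it on a real install, read /usr/local/etc/raddb/clients.conf and the three cnf files into strings and pass them to audit_raddb.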

#############################################

eap.conf



eap {

        default_eap_type = peap

        timer_expire     = 60

        ignore_unknown_eap_types = no

        cisco_accounting_username_bug = no

        md5 {

        }

        leap {

        }

        gtc {

                auth_type = PAP

        }

        tls {

                private_key_file = ${raddbdir}/certs/server.key

                certificate_file = ${raddbdir}/certs/server.pem

                CA_file = ${raddbdir}/certs/ca.pem

                dh_file = ${raddbdir}/certs/dh

                random_file = ${raddbdir}/certs/random

        }

         peap {

                default_eap_type = mschapv2

        }

        mschapv2 {

        }

}



#############################################

users



user600 Cleartext-Password := user600

#############################################

Start the RADIUS server:

/usr/local/sbin/radiusd -X

#############################################

cd /usr/local/bin

radtest test test 127.0.0.1 1812 testing123



./radtest test test 127.0.0.1 1812 testing123

Sending Access-Request of id 2 to 127.0.0.1 port 1812

    User-Name = "test"

    User-Password = "test"

    NAS-IP-Address = 127.0.1.1

    NAS-Port = 1812

    Message-Authenticator = 0x00000000000000000000000000000000



rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=2, length=20
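The radtest output above shows the Access-Request as it is assembled: User-Password is already hidden with the shared secret, and Message-Authenticator is printed as sixteen zero bytes because the HMAC is filled in last. The following script, added here as an example and not taken from the post or from FreeRADIUS, builds the same kind of Access-Request for user test / password test with the localhost secret testing123, hides the password as RFC 2865 specifies, and computes and verifies the Message-Authenticator (RFC 2869: HMAC-MD5 keyed with the shared secret over the whole packet, with that attribute's value zeroed). The helper names are my own, and the stand-alone run picks a random Request Authenticator as a real client would.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Request Authenticator(16)


def _avp(atype: int, value: bytes) -> bytes:
    """Encode one attribute: Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16, then XOR each block
    with MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. This is obfuscation keyed by the shared secret, not encryption
    with integrity: anyone holding the secret reverses it."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         req_auth: bytes, nas_ip: bytes = b"\x7f\x00\x01\x01",
                         nas_port: int = 1812) -> bytes:
    """Build an Access-Request like the one radtest sends, ending with a valid
    Message-Authenticator computed over the packet with its value zeroed."""
    assert len(req_auth) == 16
    leading = (_avp(ATTR_USER_NAME, username.encode())
               + _avp(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
               + _avp(ATTR_NAS_IP_ADDRESS, nas_ip)
               + _avp(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    attrs = leading + _avp(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs)) + req_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    ma_value = HEADER_LEN + len(leading) + 2          # offset of the zeroed value
    return packet[:ma_value] + mac + packet[ma_value + 16:]


def get_attr(packet: bytes, atype: int) -> Optional[bytes]:
    """Return the value of the first attribute of the given type, or None."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return None                                 # malformed attribute list
        if t == atype:
            return packet[pos + 2:pos + length]
        pos += length
    return None


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """What a server with require_message_authenticator = yes does: find the
    attribute, recompute the HMAC over the packet with its value zeroed, and
    compare in constant time. Missing, malformed or wrong -> False."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False
        if t == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += length
    return False


if __name__ == "__main__":
    secret = b"testing123"                 # the localhost secret from clients.conf
    req_auth = os.urandom(16)              # a real client picks this at random
    pkt = build_access_request(2, "test", "test", secret, req_auth)
    print(pkt.hex())
    print("Message-Authenticator valid:", verify_message_authenticator(pkt, secret))
    print("User-Password recovered:", reveal_password(get_attr(pkt, ATTR_USER_PASSWORD), secret, req_auth))
```

With require_message_authenticator = no, as in the clients.conf above, the server never runs the equivalent of verify_message_authenticator, so a request with a forged or absent attribute is processed as long as the rest parses; with it set to yes, only a sender holding the shared secret can produce an accepted packet. Because reveal_password needs nothing but the secret and the Request Authenticator that travels in clear, the strength of that secret is the whole protection for PAP passwords on the wire.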

#############################################

Q:

./radiusd: error while loading shared libraries: libfreeradius-radius-020201.so: cannot open shared object file: No such file or directory



A:

Add the OpenSSL library directory to the dynamic linker's search path. Create the file with

vim /etc/ld.so.conf.d/openssl.conf

and put this line in it:

/usr/local/openssl/lib/



Save it, then refresh the linker cache:

sudo ldconfig



#############################################
Q:
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x6097435463935ad2 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


A:

Reset all of your connections.



#############################################

Client settings:



Wireless security : WPA & WPA2 Enterprise

Authentication : Protected EAP (PEAP)

Anonymous identity : (Empty)

CA certificate : (None)

PEAP version : Automatic

Inner authentication : MSCHAPv2

Username : (Depend)

Password : (Depend)



Press Connect --> Next --> choose Ignore





#############################################
