Thursday 25 July 2013

Freeradius configuration for PEAP/TLS and TTLS

FreeRADIUS can be downloaded from http://sourceforge.net/projects/freeradius/

Some common commands are:

1) To run the RADIUS service:

radiusd -X


2) To stop the RADIUS service, find its process ID and kill it:

ps -ax

kill -9 <pid>


3) Configure clients:

/usr/local/etc/raddb/clients.conf

client 10.0.0.1/16 {
    secret = test123
    shortname = private-network-2
}


4) Configure users:

/usr/local/etc/raddb/users

"user1" Cleartext-Password := "test1"

5) PEAP: To authenticate a client using PEAP, the following configuration is needed for the PEAP module in the eap.conf file

peap {
    default_eap_type = mschapv2
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
}


6) For the client to validate the server certificate, the "ca.der" certificate needs to be installed on the client

7) TLS: To authenticate a client using TLS, the following configuration is needed for the TLS module in the eap.conf file

tls {
    certdir = ${confdir}/certs
    cadir = ${confdir}/certs
    private_key_password = whatever
    private_key_file = ${certdir}/server.pem
    certificate_file = ${certdir}/server.pem
    CA_file = ${cadir}/ca.pem
    dh_file = ${certdir}/dh
    random_file = ${certdir}/random
    CA_path = ${cadir}
    cipher_list = "DEFAULT"
    make_cert_command = "${certdir}/bootstrap"
    cache {
        enable = no
        lifetime = 24 # hours
        max_entries = 255
    }
}


8) TTLS: To authenticate a client using TTLS, the following configuration is needed for the TTLS module in the eap.conf file

ttls {
    default_eap_type = md5
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
}


How to generate the certificates

1) To generate the CA and server certificates, run "./bootstrap" in the folder below

/usr/local/etc/raddb/certs

2) To generate the client certificate

Run "make client.pem", then copy the resulting "client.p12" to the client and install it

*** When installing client.p12 on a Windows client, enter the same password that was set for the certificate, i.e. "whatever" as configured in client.cnf


Radius VLAN assignment

"user1" Cleartext-Password := "test1"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"




Note: "use_tunneled_reply" must be enabled for this to work. To enable it, set "use_tunneled_reply = yes" in the eap.conf file.
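As an added example (not part of the original post or of FreeRADIUS itself), the script below parses the eap.conf-style section syntax used in steps 5 to 8 and flags the settings this post leaves at their bootstrap values, plus the use_tunneled_reply = no case that the note above says will break VLAN assignment. It assumes a missing cipher_list means "DEFAULT" and does not expand ${var} references; the sample config is constructed to mirror the tls and peap blocks above.

```python
# Added example (not FreeRADIUS code): a minimal parser for FreeRADIUS-style
# sections (`name { ... }`, `key = value`, `#` comments) plus a few audit checks.

def parse_conf(text):
    """Return nested dicts: a subsection is a dict, a setting is a string."""
    stack, cur = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):               # open a subsection
            sub = {}
            cur[line[:-1].strip()] = sub
            stack.append(cur)
            cur = sub
        elif line == "}":                    # close the current subsection
            cur = stack.pop()
        else:                                # key = value (${var} not expanded)
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip().strip('"')
    if stack:
        raise ValueError("unbalanced braces in config")
    return cur                               # back at the root when balanced

def audit_eap(conf, vlan_assignment=False):
    """Flag the bootstrap key password, a DEFAULT cipher list and use_tunneled_reply."""
    findings = []
    eap = conf.get("eap", conf)
    tls = eap.get("tls", {})
    if tls.get("private_key_password") == "whatever":
        findings.append("tls: private_key_password is the bootstrap default")
    if tls.get("cipher_list", "DEFAULT") == "DEFAULT":
        findings.append("tls: cipher_list = DEFAULT, pin to strong suites")
    for method in ("peap", "ttls"):
        tunnel = eap.get(method, {}).get("use_tunneled_reply", "no")
        if method in eap and vlan_assignment and tunnel == "no":
            findings.append(f"{method}: use_tunneled_reply = no drops the VLAN reply")
    return findings

# Constructed sample mirroring the page's tls and peap blocks (not a real deployment).
SAMPLE = """eap {
    tls {
        private_key_password = whatever
        cipher_list = "DEFAULT"   # a trailing comment is stripped
    }
    peap {
        default_eap_type = mschapv2
        use_tunneled_reply = no
    }
}"""
```

Run audit_eap(parse_conf(open("eap.conf").read()), vlan_assignment=True) against a real file to list the settings to change before assigning VLANs from the inner tunnel.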