Introduction
The Linux distribution chosen to set up the FreeRADIUS server was SuSE 9.3 Professional.
Several distributions were tried; the location of the files varies somewhat between distributions. You
can download the ISO for CD 1 and, if you have a fast network connection, point the
installation at SuSE's FTP server. In our case we downloaded all the ISO
images and performed a "regular" OS installation on a Pentium II machine with 512MB RAM.
Hardware needed:
• 1 PC with at least 256MB RAM; for the NIC use 3COM or Intel (suggested).
This PC will be used to install SuSE 9.3.
• 1 AP/Router configured to have Internet access on the WAN port.
A Linksys WRT54GL was used.
• 1 Windows client (XP in this guide) with (1) Ethernet port and (1) wireless port with WPA support.
Screenshot 1
1. Click on Installation, then I agree, then Accept, then Details
The YaST installer window displays
Screenshot 2
2. In the Installation Settings pane scroll down a bit and click on Software
Screenshot 3
3. The radio button for Standard system with KDE should be selected by default
4. Click the Detailed selection… button
The Installation Settings window displays
Screenshot 4
5. In the left Selection pane click on Network/Server (no need for a checkmark)
Screenshot 5
8. Click the Continue button
a. The Installation Settings window displays (Screenshot 4)
b. Click the Accept button.
9. On the license for the Flash Player screen, confirm all.
10. On the Confirm Install screen, choose Install.
11. Your hard disk will be partitioned, and the requested packages will be copied onto it
12. For the root user, the password is toor.
a. Confirm the password settings twice.
Note: toor is a throw-away lab password. Do not expose this machine to an untrusted network while it is set, and replace it before the server is used for anything real.
Screenshot 6
13. Click the Change… button
14. Choose Network interfaces
15. On the section of Already Configured Network devices, choose Change
• Your NIC should be listed there
Screenshot 7
16. Click the Edit button
The Network Address Setup window displays
Screenshot 8
17. Click the Advanced button.
Screenshot 9
18. Click the Hostname and Name Server button
19. In the domain section, add ".com" to site so that it displays site.com.
Note: linux.site.com is not a registered DNS name. It is only the local hostname of this box, and it is reused later as the Common Name of the server certificate, so keep it consistent.
20. Click the OK button.
21. Click the Advanced button, then choose Detailed Settings.
Screenshot 10
22. Change the Firewall Zone to Internal Zone (unprotected), then click OK, then click Next,
then click Finish, then click Next.
Note: "Internal Zone (unprotected)" switches the SuSE firewall off for this interface. That is acceptable for a lab on an isolated segment; on a real server keep the firewall on and open only the RADIUS ports (UDP 1812 for authentication, UDP 1813 if you use accounting).
23. Skip the Online Update, click Skip This Test, then click Next.
24. For the Authentication Method, use Local
25. On the Add New User screen enter the username "user" and assign the password "toor".
26. Click Next, then click Yes, then click Yes. Disable the Auto login option.
27. Click Next on the release notes
28. For the Hardware configuration click Next.
29. On the Installation Completed screen click Finish.
30. Allow the computer to reboot
• You will be greeted by a series of requests about updates, etc.
• Cancel them all; we will manually update specific areas after RADIUS works.
Screenshot 11
Notes:
• We are now ready to start. The general recommendation is to work as the
regular user "user", but for development purposes we will work as the super-user
"root".
• From here on, every step more or less constitutes a test; each item has been made as
granular as possible to allow for easy troubleshooting.
• In Linux, commands are case-sensitive.
Connectivity Testing
Before we configure anything, we must test for connectivity, internal and external.
The server reports everything it sees. At this point we only want to see activity; it does not matter whether
it rejects or accepts the requests in these tests.
Internal connectivity quick test (localhost):
9. Start the server in one shell window as shown in step 3 above.
10. In the second shell window, enter the command:
radtest test test localhost 0 testing123
• What matters is the last line, which displays rad_recv: Rejected.
- A reject is expected here: the request reaches the server (testing123 is the default shared secret for localhost in clients.conf), but there is no user named test to accept. The point is that the server answered at all, which proves it is sending and receiving. So far, so good.
11. Stop the server as shown in steps 7 and 9 above.
• Now try the same command and see the difference: with no server listening there is no reply. (The PID will be different each time; find out the new one, since running the kill command blindly can cause problems.)
External connectivity quick test:
12. Start the FreeRADIUS server.
13. Download the NTRadPing utility.
• Simply open Google, search for NTRadPing. The Novell site should be at the top.
14. Install it on the PC with the Ethernet and Wireless cards.
Screenshot 12
15. Once you have it running, enter 172.16.1.10:1812 in the RADIUS Server/port box (172.16.1.10 is the address of the SuSE box).
16. For the request type, choose Authentication Request.
17. Click the Send button.
18. On the server shell, you will see activity. The IP of the computer running NTRadPing must
show up somewhere in the debug info from the server. If so, move on to the next step.
• The PC is not yet listed in clients.conf, so the server ignores the request as coming from an unknown client, but the debug output still names the source address, which is all we need here.
19. At this point, we have now tested the connectivity of the server.
20. Shutdown FreeRADIUS
Testing the OpenSSL compilation and configuration
Notes:
• One time-consuming part of any Linux distro is finding where all the files are. The Linux file
system is a single tree, and everything starts at the root, / .
• On Wintel platforms, the root of a particular storage unit is located at \ prefixed by the drive
letter and a colon. In Linux, / serves the same purpose as \ on Wintel systems.
• In Linux, hardware devices are treated as folders, mounted somewhere in the file system.
Screenshot 13
22. Search for a file named eap.conf, starting the search at / as shown (on SuSE 9.3 it is /etc/raddb/eap.conf).
23. After a while, only one entry will show up.
24. Click on the name itself, and a text editor will automatically open the file.
Screenshot 14
25. Look for the entry that begins with #tls {.
26. Remove the # before it, and carefully find the closing } below it. It should be located
below the line #check_cert_cn. Also remove the preceding # from there.
• We have now enabled the EAP-TLS module. We will temporarily use the demo
certs to test it.
27. Below the line tls { you will see 6 # (pound symbols), down to the line #random_file.
• Remove them.
• Close the editor, click Yes to save.
• Screenshot 14 above shows the detail. Keep this in mind; we will be changing
those lines again later on.
28. Start the server. On SuSE 9.3 an error message will be displayed; that is no problem.
• The error relates to being unable to open the root CA: the server does not have the permissions to read the demo file. What matters is that somewhere in
the displayed lines it says that the module rlm_eap did initialize.
• Notice that the private key password (<whatever>) is shown in clear text in the listing. Debug output contains secrets; redact it before pasting it into mail or tickets.
We are done with the setup testing; now we move on to setting up RADIUS to work with our
system.
1. Edit the OpenSSL configuration. The CA directory set below is relative, so run every openssl command in this guide from /etc/ssl:
cd /etc/ssl
vi openssl.cnf
[i]
2. Change the CA root path in the CA_default section to reflect the CA we're about to create:
[ CA_default ]
dir = ./luisCA # Where everything is kept
The following lines are further down in openssl.cnf, in the [ req_distinguished_name ] section. Note that commonName without the _default suffix is only the prompt label; the default value belongs in commonName_default, and whatever you type at the prompt overrides it:
countryName_default = US
stateOrProvinceName_default = Texas
0.organizationName_default = Industrial Wiremonkeys of the World
commonName_default = linux.site.com
[ESC]
[Z][Z]
Note: the certificates in the debug listing at the end of this document carry O=Internet Widgits Pty Ltd, OpenSSL's stock default, so the organization entered at the prompt is what counts; the value has no effect on EAP-TLS. Those certificates are also MD5-signed (OpenSSL's default_md at the time), which current clients reject; set default_md = sha256 in the CA_default section before creating the CA.
3. Keep this in mind: as we go through this process, the default Common Name linux.site.com is overridden twice at the prompt, once for the CA (Suse93CA) and once for the client (LIFEBOOK). If this is not done, the setup will fail: openssl ca refuses to sign a request whose subject matches a certificate already in its database (the unique_subject setting).
4. The file xpextensions must be created in the same folder (/etc/ssl); use either vi
or the KWRITE application.
vi xpextensions
[i]
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
[ESC]
[Z][Z]
These are the X.509 extended key usage OIDs id-kp-clientAuth (...7.3.2) and id-kp-serverAuth (...7.3.1). The Windows XP supplicant rejects a server certificate that lacks serverAuth, and the client certificate must carry clientAuth, which is why the signing commands below use -extensions and -extfile pointing at this file.
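As an added check, not code from the original guide: the decoder below reads the extendedKeyUsage extension out of DER, so you can confirm that a certificate signed with one of the xpextensions sections really carries the intended OID. The byte strings are copied from the debug listing at the end of this document: the [3] EXPLICIT extensions block of the server and client certificates, and the basicConstraints extension of the CA certificate, which has no EKU. Only short-form DER lengths (under 128 bytes) are handled, which is all an EKU extension needs; nothing else is assumed.

```python
"""Decode extendedKeyUsage from DER fragments taken from the radiusd debug listing."""

OID_EXT_KEY_USAGE = bytes.fromhex("0603551d25")    # OBJECT IDENTIFIER 2.5.29.37
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}

# Copied from the listing: server certificate (Access-Challenge after request 1) ...
SERVER_EXTENSIONS = bytes.fromhex("a317301530130603551d25040c300a06082b06010505070301")
# ... client certificate (request 3) ...
CLIENT_EXTENSIONS = bytes.fromhex("a317301530130603551d25040c300a06082b06010505070302")
# ... and the CA certificate's basicConstraints (CA:TRUE); it carries no EKU.
CA_BASIC_CONSTRAINTS = bytes.fromhex("300c0603551d13040530030101ff")


def decode_oid(value):
    """DER OBJECT IDENTIFIER contents -> dotted string.  The first byte packs the
    first two arcs (40*a + b); later arcs are base-128 with a continuation bit."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for byte in value[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def extended_key_usages(der):
    """Return the dotted KeyPurposeId OIDs in the extKeyUsage extension, [] if absent."""
    start = der.find(OID_EXT_KEY_USAGE)
    if start < 0:
        return []
    p = start + len(OID_EXT_KEY_USAGE)
    if der[p] == 0x01:                 # optional BOOLEAN critical flag
        p += 3
    if der[p] != 0x04:                 # OCTET STRING holding extnValue
        raise ValueError("malformed extension: no OCTET STRING")
    end = p + 2 + der[p + 1]
    p += 2
    if der[p] != 0x30:                 # SEQUENCE OF KeyPurposeId
        raise ValueError("malformed ExtKeyUsageSyntax")
    p += 2
    oids = []
    while p < end:
        if der[p] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        n = der[p + 1]
        oids.append(decode_oid(der[p + 2:p + 2 + n]))
        p += 2 + n
    return oids


def describe(der):
    """Human-readable EKU names for the fragment."""
    return [EKU_NAMES.get(o, o) for o in extended_key_usages(der)]


if __name__ == "__main__":
    for label, blob in [("server", SERVER_EXTENSIONS), ("client", CLIENT_EXTENSIONS),
                        ("CA", CA_BASIC_CONSTRAINTS)]:
        print(label, describe(blob))
```

The same decode_oid applied to the signature algorithm in the listing (2a864886f70d010104, i.e. 1.2.840.113549.1.1.4) shows the certificates are md5WithRSAEncryption, which is the reason for the default_md note in step 2 above.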
5. We now create the CA, Suse93CA, by modifying the script that is responsible for
creating one. It will also create the luisCA folder for us.
6. Find the CA.sh file. It should be located in /usr/share/ssl/misc. Make the change shown below:
cd /usr/share/ssl/misc
vi CA.sh
[i]
CATOP=./luisCA
[ESC]
[Z][Z]
Note: CATOP is relative, like dir in openssl.cnf, so run CA.sh from /etc/ssl; the rest of this guide expects the CA in /etc/ssl/luisCA.
11. We now create a server certificate; the Common Name is linux.site.com.
• The -nodes option (unencrypted private key) is not recommended in a production environment, but for now we
will use it, since radiusd must read the key unattended at start-up. The server runs on our Linux box, so the Common Name is
linux.site.com.
13. Enter the command below. The CA is used to sign the server certificate request:
openssl ca -config ./openssl.cnf -policy policy_anything -out server_cert.pem \
-extensions xpserver_ext -extfile ./xpextensions -infiles ./server_req.pem
• vi server_cert.pem
• Delete lines by pressing d as needed until the line
-----BEGIN CERTIFICATE-----
is at the top (openssl ca prefixes the PEM block with a text dump of the certificate, which some parsers choke on).
• [Z][Z]
15. We now concatenate the two files:
cat server_key.pem server_cert.pem > server_keycert.pem
16. We now start the same process for the clients.
17. First we request a certificate for the client.
• In our case, the NetBIOS name of the client is LIFEBOOK, and that is its Common Name.
• In the shell, you can press the up arrow key to go back to the previous command and
make only the needed changes. The -nodes option is left out, so the client key is protected by a passphrase, and the signing step uses -extensions xpclient_ext.
• cp /etc/ssl/luisCA/cacert.pem /etc/raddb/certs
• chmod 0444 /etc/raddb/certs/cacert.pem
• cp /etc/ssl/server_keycert.pem /etc/raddb/certs
• chmod 0400 /etc/raddb/certs/server_keycert.pem
24. In SuSE 9.3 the user "user" was created during the setup process. Enter:
chown radiusd:users /etc/raddb/certs/server_keycert.pem
The file must be owned by the account radiusd runs as, since mode 0400 lets nobody else read it. If your system has no radiusd account (see step 30), this chown fails; leave the file owned by root and run the server as root for this lab.
25. If all is fine, no error messages will show for any of the commands above.
26. We now generate Diffie-Hellman parameters. They are used by the DHE cipher suites; the ServerKeyExchange message in the debug listing at the end of this document is where they travel on the wire. Enter:
• cd /etc/raddb/certs
• openssl dhparam -check -text -5 512 -out dh
Note: 512-bit DH parameters are far too small for anything but a lab, and current clients reject DH groups shorter than 1024 bits; use 2048 for real use (generation takes minutes). The -check and -text switches only validate and print the parameters.
27. At this point we are done with setting up the CA; we have partially configured RADIUS by
setting up the CA files and ownerships.
28. We now modify the eap.conf file again. Change to the values shown below:
vi eap.conf [i]
default_eap_type = tls
private_key_password = qwerty
private_key_file = ${raddbdir}/certs/server_keycert.pem
certificate_file = ${raddbdir}/certs/server_keycert.pem
CA_file = ${raddbdir}/certs/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
[ESC][Z][Z]
Notes:
• private_key_password is only used if the private key is encrypted; the server key was generated with -nodes, so this value is ignored. It is still printed in clear text in the debug output, as noted earlier when the demo certificates were tested.
• Nothing above creates ${raddbdir}/certs/random. The file must exist and be readable by the server, or rlm_eap_tls refuses to start with an SSL error; fill it with a few hundred bytes read from /dev/urandom.
29. Now tell the server which NAS may talk to it. The file is clients.conf (there is no client.conf):
vi clients.conf [i]
client 172.16.1.0/24 {
secret = qaz123
shortname = linksys
nastype = other
}
[ESC][Z][Z]
Note: the secret is what authenticates the access point to the server, and the server's replies to the access point. A /24 entry means any host on that subnet that learns qaz123 can act as a NAS; for anything beyond the lab, list the WRT54GL's own address (172.16.1.1 in the listing below) and use a long random secret.
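As an added example, not code from the original guide or from FreeRADIUS, the following shows what the shared secret in clients.conf actually does on the wire. A NAS proves it holds the secret by putting an HMAC-MD5 over the whole packet into the Message-Authenticator attribute (RFC 2869 section 5.14; RFC 3579 requires it in every packet that carries EAP-Message, which is why every request in the debug listing below has one), and the server proves the same in the Response Authenticator of its reply (RFC 2865 section 3). The packet is constructed for the example; only the secret qaz123, the NAS address 172.16.1.1, the user name LIFEBOOK and the EAP ACK bytes are taken from this document, and the fixed Request Authenticator stands in for the 16 random bytes a real NAS would use.

```python
"""Build and verify a RADIUS Access-Request's Message-Authenticator (HMAC-MD5)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

SECRET = b"qaz123"                      # the guide's clients.conf secret
# Constructed, fixed Request Authenticator; a real NAS sends 16 random bytes.
REQUEST_AUTHENTICATOR = bytes(range(16))


def attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", atype, 2 + len(value)) + value


def build_access_request(secret, ident, request_authenticator, attrs):
    """Assemble an Access-Request and fill in Message-Authenticator.
    The HMAC is computed over the packet with the MA value zeroed."""
    body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    unsigned = header + request_authenticator + body
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return unsigned[:-16] + mac


def verify_message_authenticator(secret, packet):
    """Server-side check: does the sender hold the secret configured for it?"""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False                          # malformed attribute
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False                                  # attribute absent


def response_authenticator(secret, code, ident, request_authenticator, attrs):
    """What the NAS recomputes on an Access-Accept/Reject/Challenge:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_authenticator + body + secret).digest()


def example_packet():
    """The EAP-TLS ACK from the debug listing, wrapped as the NAS would send it."""
    attrs = [
        attr(ATTR_USER_NAME, b"LIFEBOOK"),
        attr(ATTR_NAS_IP_ADDRESS, bytes([172, 16, 1, 1])),
        attr(ATTR_EAP_MESSAGE, bytes.fromhex("020300060d00")),
    ]
    return build_access_request(SECRET, 0, REQUEST_AUTHENTICATOR, attrs)


if __name__ == "__main__":
    pkt = example_packet()
    print("length", len(pkt),
          "valid with qaz123:", verify_message_authenticator(SECRET, pkt),
          "valid with wrong secret:", verify_message_authenticator(b"wrong", pkt))
```

The debug listing prints Message-Authenticator = 0x0000... on the packets the server sends because the attribute is filled in at transmit time, after the debug print; the zeros are not a sign of a missing secret.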
30. Another file that could be modified is radiusd.conf. Since SuSE does not create a user
for FreeRADIUS, for now it is best not to make any changes there.
31. Later on, the files must be secured, for example:
chown root:root eap.conf
chmod 0600 eap.conf
32. We are done with the Linux system; start the RADIUS server. Watch all the
messages carefully.
Quick reminder:
Wireless Security window
Screenshot 15
Configuring XP
1. To import the files manually, two files must be copied to the XP machine:
client_cert.p12 and cacert.pem. These files are imported using the
Certificates snap-in.
Screenshot 16
2. The .p12 file goes into Certificates - Current User/Personal/Certificates (the import asks for the export password given when the .p12 was created). cacert.pem goes into Trusted Root Certification Authorities; without it the supplicant cannot validate the server certificate.
Screenshot 16
4. The Wireless NIC has to be configured as follows:
5. Then:
Troubleshooting
1. If all goes well, you will see something similar to the following output once connected. The listing starts in the middle of the first EAP-TLS round trip. The line "TLS_accept:error in SSLv3 read client certificate A" in the middle is not a failure: OpenSSL is simply waiting for the client's next fragment, which arrives in request 4.
State = 0x98bb72e5259b893d9048b63f08918889
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0202006a0d8000000060160301005b01000057030144a0b189d7d493b3b398a78a05be64894
e89e0408557c428d930eefb2b1db10f00003000390038003500160013000a00330032002f0066
000500040065006400630062006000150012000900140011000800030100
Message-Authenticator = 0x1bd4f459c5c46dd9ef95192e791f7a0a
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "LIFEBOOK", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 2 length 106
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0529], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange
TLS_accept: SSLv3 write key exchange A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0066], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 0 to 172.16.1.1:2048
EAP-Message =
0x0103040a0dc0000006fa160301004a02000046030144a0b20210c68653fbb1925194ce4e811
644421c87a5e5cb88c1e1f57447a94820242eae1d7eab56ba07b3e1b021f9d774e0e8000a2921
305b23ee21098fcc1f8a00390016030105290b00052500052200023d30820239308201a2a0030
20102020101300d06092a864886f70d01010405003053310b3009060355040613025553310e30
0c0603550408130554657861733121301f060355040a1318496e7465726e65742057696467697
47320507479204c74643111300f060355040313085375736539334341301e170d303630363233
3030343330395a170d3037303632333030343330395a30
EAP-Message =
0x59310b3009060355040613025553310e300c0603550408130554657861733121301f0603550
40a1318496e7465726e6574205769646769747320507479204c7464311730150603550403130e
6c696e75782e736974652e636f6d30819f300d06092a864886f70d010101050003818d0030818
902818100b28d45af30e2dd0733a4c0b01bcbaf59e2d3dc72daa28becb2eaab87951f4bcef29e
389f42ca16b572ed75ea6a4858b1db6b5d69d0c0d76c776a1a0022c700bdc12e3331b83a740f7
d54354afcc95df484201db372b0814e904b5a40f8373f00e9864647ba3a8e465dfbd63468beed
15ac2dde3134c8336ad1086dd023dc40fd0203010001a3
EAP-Message =
0x17301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040
5000381810077bc1b07fd241b45066b3033a44ebe48cc4599008542a669f3a1f2e691fbf0e11c
d5696d9c18cf9580d6443b90ced2a66f24a81ef4751b0cd38d799c3820efd2a1bdb9e1b8ff083
8d7685532ccb441fe459d7f723ce83c2889406ccdaa34f8884a7b2e8435ec87a24a22379eeb5b
f60bbea51bb66a4d684d61f58b478b8ccdec0002df308202db30820244a003020102020900fad
f8685a1337da4300d06092a864886f70d01010405003053310b3009060355040613025553310e
300c0603550408130554657861733121301f060355040a
EAP-Message =
0x1318496e7465726e6574205769646769747320507479204c74643111300f060355040313085
375736539334341301e170d3036303632333030343134365a170d303730363233303034313436
5a3053310b3009060355040613025553310e300c0603550408130554657861733121301f06035
5040a1318496e7465726e6574205769646769747320507479204c74643111300f060355040313
08537573653933434130819f300d06092a864886f70d010101050003818d0030818902818100c
14faa1ea6e09568ec8ed722d4b10b2a61c3230190fb3c00467380a7adb3bb68c9e43cb8524673
31be7aebf0fd391113bab1b94d10f985a30d02c244cba5
EAP-Message = 0x3da49ba0cfb8c8d5d68f029ec94fc94c0aaf9e8ac6e9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd0fa6a5ad055c6ad336cb8af99beb64a
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.16.1.1:2048, id=0, length=140
User-Name = "LIFEBOOK"
NAS-IP-Address = 172.16.1.1
Called-Station-Id = "0014bf18fbd1"
Calling-Station-Id = "000e35e93319"
NAS-Identifier = "0014bf18fbd1"
NAS-Port = 3
Framed-MTU = 1400
State = 0xd0fa6a5ad055c6ad336cb8af99beb64a
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300060d00
Message-Authenticator = 0x5330a137852ce3a28af6629bd1067b6d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "LIFEBOOK", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched entry DEFAULT at line 152
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020405d80dc00000063916030105230b00051f00051c000237308202333082019ca00302010
2020102300d06092a864886f70d01010405003053310b3009060355040613025553310e300c06
03550408130554657861733121301f060355040a1318496e7465726e657420576964676974732
0507479204c74643111300f060355040313085375736539334341301e170d3036303632333030
343535385a170d3037303632333030343535385a3053310b3009060355040613025553310e300
c0603550408130554657861733121301f060355040a1318496e7465726e657420576964676974
7320507479204c74643111300f060355040313084c4946
EAP-Message =
0x45424f4f4b30819f300d06092a864886f70d010101050003818d0030818902818100e132acb
5baef33b65eb1531239067c7d63f022b4e178797f86ca37dc246f17dfede8c3ff70689c642492
3f771251bbc8e8ccfb2fa3fc1ca5fa0e093c9b37e2a95789c32ea49e84cc09d581645fe9a93de
027670cf8021c3a999d51d1f63f1377cc02748643bff9968df9cabbaff0b84f9af839132316dc
b24b529a5c1682771b0203010001a317301530130603551d25040c300a06082b0601050507030
2300d06092a864886f70d0101040500038181006e7fa09d749f54d9a210baf23e21a4be82dd19
b3e712f5d90ec6bf161ab903ce75823a75c06fe66b7065
EAP-Message =
0x61f8fc747f3de445e32e1fcc34bfda04c05defb8afe5624712a88de62cc37d7aa1cabb3108e
b8f5f5b42cabf8e197a8303d2cb83a64fbc6d4f30c9a4165a429941cb01d5a0584591e91d115a
93ec086c5c102a8559160002df308202db30820244a003020102020900fadf8685a1337da4300
d06092a864886f70d01010405003053310b3009060355040613025553310e300c060355040813
0554657861733121301f060355040a1318496e7465726e6574205769646769747320507479204
c74643111300f060355040313085375736539334341301e170d3036303632333030343134365a
170d3037303632333030343134365a3053310b30090603
EAP-Message =
0x55040613025553310e300c0603550408130554657861733121301f060355040a1318496e746
5726e6574205769646769747320507479204c74643111300f0603550403130853757365393343
4130819f300d06092a864886f70d010101050003818d0030818902818100c14faa1ea6e09568e
c8ed722d4b10b2a61c3230190fb3c00467380a7adb3bb68c9e43cb852467331be7aebf0fd3911
13bab1b94d10f985a30d02c244cba53da49ba0cfb8c8d5d68f029ec94fc94c0aaf9e8ac6e919b
cb492be041c164db2caf555e07364ffe37736e104d46dd3ffcaa435249a53648741f8e9bf2c2c
f81e17610203010001a381b63081b3301d0603551d0e04
EAP-Message =
0x160414dc0a7a63e7c2df866f01aff0b4609c1a32b966403081830603551d23047c307a8014d
c0a7a63e7c2df866f01aff0b4609c1a32b96640a157a4553053310b3009060355040613025553
310e300c0603550408130554657861733121301f060355040a1318496e7465726e65742057696
46769747320507479204c74643111300f060355040313085375736539334341820900fadf8685
a1337da4300c0603551d13040530030101ff300d06092a864886f70d0101040500038181007be
bc67e9bb290e997ac42b4be73fea306bc22d2b876ca78d8c53cf69807b81d871357512cb2e832
65cd73a7b329bc17f3269c6ed0b699002eaa3816cbf724
EAP-Message =
0xee6e79677a66fe13dad6e63aef3786054d7f4958543a95e060596eb32e0630d6e8b1fb92bee
54429d0f4eb1aace90ccde7baaecd3fec520f15c2952a6ce739d6f01603010046100000420040
68159e7556e242d4f9a923bb949cdbc6399cf3cef8fb5b15dac5a95dc858b28ab15a136ea0594
3ada87a37f1b22afc116c755e902ae76d04002dde24f949febe16030100860f00008200806797
ba15c43c566668c0691043147bedbf9cdecc530edd93691fdd5a437fbbddc5cf5cc051ae2af10
7a635bf1d9cb22414144effca8d50916e07fef23cad79f6f2824729719a6148593272c3d9dc3f
06
Message-Authenticator = 0x5deaef240bde7b5ddf0ec8f82cfb238c
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "LIFEBOOK", looking up realm NULL
rlm_realm: No such realm "NULL"
Calling-Station-Id = "000e35e93319"
NAS-Identifier = "0014bf18fbd1"
NAS-Port = 3
Framed-MTU = 1400
State = 0x686fc26dc863eae98add41589a941fde
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020600060d00
Message-Authenticator = 0x9b18f0f66649b6c99513a0a457d5ac3b
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "LIFEBOOK", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: EAP packet type response id 6 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 5
modcall: group authenticate returns ok for request 5
Login OK: [LIFEBOOK/<no User-Password attribute>] (from client linksys port 3
cli 000e35e93319)
Sending Access-Accept of id 0 to 172.16.1.1:2048
MS-MPPE-Recv-Key =
0xcf735d5779fd012c96f4245e2e55f39c14764742ef8d772e3b2688064bb8b63c
MS-MPPE-Send-Key =
0x2962bb710502043ca21d199bf97d3477042dc37f1529d9086c0b9603cd66b183
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "LIFEBOOK"
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.16.1.1:2048, id=0, length=247
User-Name = "LIFEBOOK"
NAS-IP-Address = 172.16.1.1
Called-Station-Id = "0014bf18fbd1"
Calling-Station-Id = "000e35e93319"
NAS-Identifier = "0014bf18fbd1"
NAS-Port = 3
Framed-MTU = 1400
State = 0xb3776a248e752a5b898b3a09d7f53563
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020500710d002607d5d30cd4bd2a712b22788615156a932768e07111935e7d1645e2b21eb2e
bd9f945a3453a87acb2b4d7aa9d3d77d214030100010116030100301e7de961308a03425adf52
86655c082dfdb3aac03f9d66c2f033144a64a0153c1f6b5677908e0270c442f6ccc0acf06f
Message-Authenticator = 0x1ed3f4beeeb8aa26b78949f1766b932a
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "LIFEBOOK", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: EAP packet type response id 5 length 113
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0523], Certificate
chain-depth=1,
error=0
--> User-Name = LIFEBOOK
--> BUF-Name = Suse93CA
--> subject = /C=US/ST=Texas/O=Internet Widgits Pty Ltd/CN=Suse93CA
--> issuer = /C=US/ST=Texas/O=Internet Widgits Pty Ltd/CN=Suse93CA
--> verify return:1
chain-depth=0,
error=0
--> User-Name = LIFEBOOK
--> BUF-Name = LIFEBOOK
--> subject = /C=US/ST=Texas/O=Internet Widgits Pty Ltd/CN=LIFEBOOK
--> issuer = /C=US/ST=Texas/O=Internet Widgits Pty Ltd/CN=Suse93CA
--> verify return:1
TLS_accept: SSLv3 read client certificate A
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
TLS_accept: SSLv3 read certificate verify A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
eaptls_process returned 3
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 5
modcall: group authenticate returns ok for request 5
Login OK: [LIFEBOOK/<no User-Password attribute>] (from client linksys port 3
cli 000e35e93319)
Sending Access-Accept of id 0 to 172.16.1.1:2048
MS-MPPE-Recv-Key =
0xcf735d5779fd012c96f4245e2e55f39c14764742ef8d772e3b2688064bb8b63c
MS-MPPE-Send-Key =
0x2962bb710502043ca21d199bf97d3477042dc37f1529d9086c0b9603cd66b183
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "LIFEBOOK"
Finished request 5
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 5 ID 0 with timestamp 44a0b203
Nothing to do. Sleeping until we see a request.
2. The listing below shows a problem. Do not be misled; it has nothing to do with the
MTU size. The Linux virtual NIC adapter had to be manually assigned to the physical
Ethernet port to correct it.
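The EAP-Message values in the listing above are raw EAP-TLS fragments, and reading them by hand is the quickest way to check that the rlm_eap / rlm_eap_tls lines next to them make sense. As an added example, not code from the original guide or from FreeRADIUS, the decoder below parses the layout from RFC 3748 and RFC 5216: EAP code(1) id(1) length(2) | type(1)=13 | flags(1) L M S | TLS length(4) if L is set | TLS record(s). The four sample messages are copied from the listing (the long values are the wrapped lines joined; the Access-Challenge sample is only its first 37 bytes); nothing else is assumed.

```python
"""Decode EAP-TLS fragments as printed in EAP-Message attributes by radiusd debug output."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
TLS_HANDSHAKE = 22
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 13: "CertificateRequest",
             14: "ServerHelloDone", 15: "CertificateVerify",
             16: "ClientKeyExchange", 20: "Finished"}

# From the listing: request 1, the client's first EAP-TLS response (EAP id 2).
CLIENT_HELLO = ("0x0202006a0d8000000060160301005b01000057030144a0b189d7d493b3b398a78a05be64894"
                "e89e0408557c428d930eefb2b1db10f00003000390038003500160013000a00330032002f0066"
                "000500040065006400630062006000150012000900140011000800030100")
# First 37 bytes of the Access-Challenge that answers it (EAP id 3).
SERVER_HELLO_HEAD = "0x0103040a0dc0000006fa160301004a02000046030144a0b20210c68653fbb1925194ce4e81"
# The client's bare ACK (request 2) and the EAP-Success inside the Access-Accept.
ACK = "0x020300060d00"
SUCCESS = "0x03060004"


def decode_eap_tls(hexstr):
    """Return a dict describing one EAP-Message value; tolerates truncated input."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("shorter than an EAP header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "truncated": len(data) < length}
    if code in (3, 4) or len(data) < 6:
        return out                      # Success/Failure carry no type or data
    out["type"] = data[4]
    if out["type"] != EAP_TYPE_TLS:
        return out
    flags = data[5]
    out["flags"] = {"L": bool(flags & 0x80),   # total TLS message length present
                    "M": bool(flags & 0x40),   # more fragments follow
                    "S": bool(flags & 0x20)}   # EAP-TLS Start (server's first request)
    pos = 6
    if out["flags"]["L"] and len(data) >= 10:
        out["tls_message_length"] = struct.unpack("!I", data[6:10])[0]
        pos = 10
    payload = data[pos:]
    out["ack"] = flags == 0 and not payload   # empty, flag-less response = ACK
    if len(payload) >= 5:
        ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", payload[:5])
        out["record"] = {"type": ctype, "version": (vmaj, vmin), "length": rlen}
        if ctype == TLS_HANDSHAKE and len(payload) >= 9:
            htype = payload[5]
            hlen = int.from_bytes(payload[6:9], "big")
            out["handshake"] = HANDSHAKE.get(htype, htype)
            out["handshake_length"] = hlen
            if htype == 1 and len(payload) >= 9 + hlen:
                out["cipher_suites"] = client_hello_cipher_suites(payload[9:9 + hlen])
    return out


def client_hello_cipher_suites(body):
    """ClientHello body: version(2) random(32) session_id<0..32> cipher_suites<2..2^16-1> ..."""
    sid_len = body[34]
    pos = 35 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


if __name__ == "__main__":
    for name, msg in [("ClientHello", CLIENT_HELLO), ("ServerHello head", SERVER_HELLO_HEAD),
                      ("ACK", ACK), ("Success", SUCCESS)]:
        print(name, decode_eap_tls(msg))
```

The numbers line up with the listing: the ClientHello fragment's EAP length 106 matches "EAP packet type response id 2 length 106", and its record length 0x5b matches "ClientHello [length 005b]". The Access-Challenge declares a TLS message of 1786 bytes, which is exactly the four records the server logs (ServerHello 0x4a, Certificate 0x529, ServerKeyExchange 0x10d, CertificateRequest 0x66) plus a 5-byte header each; its EAP length 1034 leaves 1024 bytes of TLS data, the default fragment_size, so the M flag is set and the remaining 762 bytes follow in the next Access-Challenge after the client's empty ACK (request 2).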
Student Activities
• The setup shows how to use EAP-TLS; the student should now configure MS-CHAPv2.
Questions:
1. Is it advisable to store passwords in a certificate?
2. What are the options that control this in OpenSSL?
RESOURCES:
• www.freeradius.org
Links to the software itself and to other articles.
• www.aspisos.org/wiki/index.php?n=Guides.EAP-TLS#toc1
Provides the information to set up EAP-TLS; the procedure is not centered on a particular
Linux distribution, and it shows how to create a script for setting up multiple users.
• www.urbanwireless.co.nz/?p=3
This document was based on the Urban Wireless information site.