Thursday, October 27, 2011

Installing Freeradius on Ubuntu 11.10 server for 802.1x wireless authentication

A Practical Approach to Freeradius Installation.
By Glenn Weber

This setup is aimed at home users or small organizations with limited funds. For a home network it is overkill, but for anyone who wants to experiment with FreeRADIUS under Ubuntu Server it is a good place to start. After many explorations, attempts and failures with FreeRADIUS, I have finally compiled enough information to help others who want to experiment with wireless authentication. The motivation for putting this tutorial together was the lack of accurate information available on the topic. My intention is to describe the installation in enough detail for both system administrators and anyone who wants to learn a more involved procedure.

This setup requires very little configuration by the administrator. It also covers how to create the self-signed certificates carrying the extensions that Windows requires before it will trust a RADIUS server (the "XP extensions" of the FreeRADIUS certificate scripts; the server certificate must carry the Server Authentication extended key usage). Although this tutorial is based on installing Ubuntu in VirtualBox, the same steps work on a dedicated machine. The procedure works with all Windows versions that support 802.1X wireless authentication.

For many of you, this will cover some elementary subjects, but I wanted to include them so that less experienced users could also understand this tutorial.

Conventions used in this tutorial:

Commands that need to be entered at the command line will be bold and italicized.

Text that needs to be entered into files will be in red.

Clickable menu items will be highlighted.

File names will be in green.



Virtual-box Installation and setup

If it is not already installed, download and install VirtualBox from:


Download the newest version of Ubuntu server and save it to your desktop. Be sure to download the 32bit version.


Now that VirtualBox is installed you will need to create a new virtual machine to hold your Ubuntu server.

Open Virtual-box and click new:

Name your new machine, example Ubuntu.

OS Type should be set to Linux and the version should be Ubuntu then click next.

Set the amount of RAM you would like to allow the guest machine to use. Note that this will take from your available RAM on your host machine.  The amount of RAM depends solely on your overall memory. For my setup I set it at 512MB. That should be adequate for most setups.

Click Next 3 times.

Set the amount of hard drive space you would like to give the Ubuntu server. For my setup I used 20GB, but again this depends on how much room you have available on your machine.

Click Next and then click create 2 times.

Make sure that the new machine is listed and highlighted.

Click the settings menu, and then click on storage.

You need to attach the Ubuntu ISO to the IDE controller: click the green plus sign at the top of the Storage Tree window and you will be prompted to choose a disk. Click Choose disk and browse to the Ubuntu ISO that you saved on your desktop.

Next select Network and change the Attached to: drop-down for the network adapter to Bridged Adapter. Bridged mode puts the server on your LAN with its own address, which the router needs in order to reach the RADIUS port; with the default NAT mode the router could not reach it.

Click ok and you are ready to start the machine and begin the Ubuntu Server Installation.


Installing Ubuntu Server

Start the machine and you will begin Ubuntu server installation. I chose to install LAMP, Openssh server, and Samba server during the install to make things easier on me later.

The installation is self-explanatory, but if you have questions there are many sites that explain how to install Ubuntu Server. If you still have questions feel free to email me.


Openssh and Remote Login

Once you have installed the server and it has restarted, log in. From here I usually like to start by setting up SSH so I can access the server from my laptop; again, this is probably for more experienced users. It is simple to get working, so don't panic if it is your first time. Log in and then type the following command (you are still a regular user at this point, so editing the file needs sudo):

sudo nano /etc/ssh/sshd_config

There are only two things to change in this file:

PermitRootLogin yes needs to be changed to PermitRootLogin no

And at the end of the file add a line that says:

AllowUsers username (Note: the username must be the same as your login. Once this line is present, every account not listed is refused SSH access, so double-check the spelling before you restart.) Then hit Ctrl+X, then Y, then Enter.

Check the file for syntax errors, then restart SSH, by typing the following commands:

sudo sshd -t

sudo /etc/init.d/ssh restart


Setting a Static IP

It is a good idea to give the server a static IP address, so the address you enter in the router and in PuTTY does not change with every DHCP lease. Pick an address inside your LAN's range but outside the router's DHCP pool. You can do this by entering the following command:

sudo nano /etc/network/interfaces

Change the file to read as follows (192.168.1.x is my network; substitute your own range):

# The primary network interface
auto eth0
iface eth0 inet static
    address 192.168.1.100
    netmask 255.255.255.0
    broadcast 192.168.1.255
    gateway 192.168.1.1

Hit Ctrl+X, then Y, then Enter. Name resolution is configured separately on this release: check that /etc/resolv.conf contains a nameserver line (for example nameserver 192.168.1.1 if your router forwards DNS).

Restart the server and log in.

Once logged in, enter the following command:

ifconfig eth0 (you should now see that you are using the assigned static IP address)

I also like to set a root password so I can log into the root account instead of typing sudo in front of every command. If you would rather leave the root account locked, sudo -i gives you the same root shell without a root password; either way, the PermitRootLogin no setting above keeps root from logging in over SSH.

Set a root password by typing the command:

sudo passwd

Enter the new root password twice and you are good to go. Next log in to the root account by typing the command:

su -

Enter the root password.


Using Putty for remote login

You can use PuTTY to access the SSH server from your laptop. You can get putty.exe from:


 Download Putty.exe and save it on the Desktop of your laptop.

Double click the Putty.exe icon to start Putty.

In the Host Name (or IP Address) block type the IP address for your Ubuntu server and then click open.

You will have to log in with your regular Ubuntu user (root is not permitted over SSH) and then switch to the root account with su -.

You are now connected to the server and can administer it remotely. The only time you will have to manage the server at its own console is when you have to restart it or when a misconfiguration locks you out.



 Freeradius Installation and Configuration

At this point I am assuming that you are logged on to the server using PuTTY on your laptop. The first thing you need to do now is install FreeRADIUS. You can do this by entering the following command:

apt-get install freeradius -y



Testing FreeRadius with radtest

I open a second PuTTY terminal and log in to the server for this step, as it makes things easier: one terminal shows the debug output while the other sends test requests.

In the second terminal, add a test user to the users file. Run the following command:

nano /etc/freeradius/users

At the end of the users file add the following line:

testuser      Cleartext-Password := "whatever"

Save and close the file by hitting Ctrl+X, then Y, then Enter.

The package started the FreeRADIUS daemon as soon as it was installed, and that daemon holds UDP port 1812; a second copy cannot bind to the same port, so stop it first. Then start FreeRADIUS in debug mode in one of the terminals:

/etc/init.d/freeradius stop

freeradius -X

Go back to the other terminal and type the following command:

radtest {username} {password} 127.0.0.1 1812 testing123 (Do not type the curly braces; enter the username and password you put in the users file. testing123 is the shared secret that the stock clients.conf assigns to the localhost client. Note that radtest's fourth argument is the NAS-Port attribute value, not the server's UDP port; the server port defaults to 1812 and can be given as 127.0.0.1:1812 if you ever change it.)

If everything went well you should see Access-Accept. If it is Access-Reject there is a problem, and the debug output in the other terminal shows which module rejected the request. No reply at all usually means the debug instance is not running or the secret does not match.
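If you would rather script this check than juggle two terminals, the following added example (mine, not part of the original tutorial) does the same thing: it stops the packaged daemon, starts freeradius -X in the background, waits until the debug instance reports that it is listening, then sends one radtest request with the right password and one with a wrong password and classifies the replies. A server that also accepts the wrong password is as broken as one that rejects the right one, and the two-terminal check above does not catch that. The log path and the Debian/Ubuntu init-script location are assumptions; the user and password are whatever you put in the users file.

```bash
#!/bin/bash
# Added example, not part of the original tutorial: automate the two-terminal
# radtest check. Assumes the Debian/Ubuntu init script location and the
# stock localhost secret testing123; the log path is an arbitrary choice.
set -u

# Classify a radtest transcript as accept, reject or no-reply.
# Both the 2.x ("rad_recv: Access-Accept packet ...") and the 3.x
# ("Received Access-Accept ...") output formats name the packet type.
classify_radtest_output() {
    case $1 in
        *Access-Accept*) echo accept ;;
        *Access-Reject*) echo reject ;;
        *)               echo no-reply ;;
    esac
}

# radtest arguments: user password server[:port] nas-port-number secret.
# The 4th argument is the NAS-Port attribute in the request, not the UDP
# port, so 0 is fine. testing123 is the stock clients.conf localhost secret.
radius_probe() {
    local user=$1 pass=$2 server=${3:-127.0.0.1} secret=${4:-testing123}
    classify_radtest_output "$(radtest "$user" "$pass" "$server" 0 "$secret" 2>&1)"
}

# Full check. Returns 0 only if the right password is accepted AND a wrong
# one is rejected; a server that accepts everything is also misconfigured.
run_smoke_test() {
    local user=$1 pass=$2 log=${3:-/tmp/freeradius-debug.log}
    # The package starts the daemon at install time and it holds UDP 1812;
    # a second instance cannot bind, so stop it first.
    /etc/init.d/freeradius stop >/dev/null 2>&1 || true
    freeradius -X >"$log" 2>&1 &
    local pid=$! tries=0
    # freeradius -X prints this line once all its sockets are open.
    until grep -q 'Ready to process requests' "$log"; do
        sleep 1
        tries=$((tries + 1))
        if [ "$tries" -ge 15 ] || ! kill -0 "$pid" 2>/dev/null; then
            echo "freeradius -X did not start; read $log" >&2
            return 1
        fi
    done
    local good bad
    good=$(radius_probe "$user" "$pass")
    bad=$(radius_probe "$user" "wrong-$pass")
    kill "$pid"
    wait "$pid" 2>/dev/null
    echo "correct password -> $good, wrong password -> $bad (debug log: $log)"
    [ "$good" = accept ] && [ "$bad" = reject ]
}

# Usage (as root on the server): ./radius-smoke-test.sh testuser whatever
if [ "$#" -ge 2 ]; then
    run_smoke_test "$1" "$2"
fi
```

Run it as root on the server, for example ./radius-smoke-test.sh testuser whatever. The debug output stays in /tmp/freeradius-debug.log for reading afterwards, which is where you look when the result is anything other than accept followed by reject.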


Creating the correct Certificates

When the installation completes, switch to the directory that holds the files needed for certificate creation. Type the following command:

cd /usr/share/doc/freeradius/examples/certs

Next read the README file by entering the following command:

cat README

The README walks you through the complete process of creating the required certificates: you edit ca.cnf and server.cnf, then build the files with make. Before you build, set the commonName in server.cnf to a name you will recognise; Windows later compares this name against the "Connect to these servers" entry in the PEAP settings, so note what you choose. The default key password in server.cnf (output_password) is whatever, which matches the default private_key_password in eap.conf; if you change one, change the other. A plain Ubuntu Server does not ship make, so install it if the build fails with "make: command not found":

apt-get install make

There are a few other exceptions to the README. You need two files in the current working directory before you create the certificates: serial (holding the first serial number) and index.txt (empty). Create them with:

echo 01 > serial

touch index.txt

After you have successfully created the certificates, copy three files to the /etc/freeradius/certs directory: ca.pem, server.key and server.pem. While still in /usr/share/doc/freeradius/examples/certs, enter:

cp ca.pem server.key server.pem /etc/freeradius/certs

FreeRADIUS on Ubuntu runs as the freerad user, so let that user (and, besides root, only that user) read the private key:

chown root:freerad /etc/freeradius/certs/server.key /etc/freeradius/certs/server.pem

chmod 640 /etc/freeradius/certs/server.key /etc/freeradius/certs/server.pem

Leave ca.key where it is and keep it private. Once ca.der is installed on your Windows machines they will trust any certificate it signs, so anyone who obtains ca.key can impersonate your RADIUS server (or any HTTPS site) to them.
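To show what the README's make targets actually produce, here is an added example, written for this page rather than taken from the tutorial or the FreeRADIUS project, that builds the same files with plain openssl commands: a password-protected CA, a server certificate signed by it that carries the Server Authentication extended key usage (the xpserver_ext section of the xpextensions file, the "XP extension" Windows insists on), server.pem, server.key and ca.der. It also checks the two things Windows will check, and can deliberately leave the extension out so you can see what the failure looks like. The work directory, the key password whatever, the server name radius.home.lan and the CA name My_CA are assumptions; substitute whatever you use.

```bash
#!/bin/bash
# Added example for this page (not from the tutorial or the FreeRADIUS
# project): the work the certs Makefile does, as plain openssl commands.
# Assumptions: the work directory, key password and server name are whatever
# the caller passes; My_CA is the CA name used in the tutorial.
set -e

# Build a private CA plus a server certificate in the directory $1.
#   $2 key password (the value for private_key_password in eap.conf)
#   $3 server commonName (what Windows compares with "Connect to these servers")
#   $4 yes = add the Server Authentication EKU (default); no = leave it out
make_eap_certs() {
    local dir=$1 pass=$2 cn=$3 with_eku=${4:-yes}
    mkdir -p "$dir"
    # Self-contained openssl config so this does not depend on the system
    # openssl.cnf. v3_ca marks the root as a CA, as ca.cnf does.
    printf '%s\n' '[ req ]' 'distinguished_name = req_dn' '[ req_dn ]' \
        '[ v3_ca ]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier = hash' > "$dir/req.cnf"
    # The "XP extension": Windows PEAP supplicants reject a RADIUS server
    # certificate without the TLS Web Server Authentication EKU.
    # Same OID as the xpserver_ext section of FreeRADIUS's xpextensions.
    printf '%s\n' '[ xpserver_ext ]' 'extendedKeyUsage = 1.3.6.1.5.5.7.3.1' \
        > "$dir/xpextensions"
    # Serial counter, the role of the tutorial's "serial" file.
    echo 01 > "$dir/serial"

    # 1. CA key (encrypted with $pass) and self-signed CA certificate.
    openssl req -config "$dir/req.cnf" -x509 -extensions v3_ca -newkey rsa:2048 \
        -days 3650 -subj "/CN=My_CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -passout "pass:$pass" 2>/dev/null
    # 2. Server key (also encrypted with $pass) and certificate request.
    openssl req -config "$dir/req.cnf" -newkey rsa:2048 -subj "/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -passout "pass:$pass" 2>/dev/null
    # 3. Sign the request with the CA, with or without the EKU.
    if [ "$with_eku" = yes ]; then
        sign_server_csr "$dir" "$pass" -extfile "$dir/xpextensions" -extensions xpserver_ext
    else
        sign_server_csr "$dir" "$pass"
    fi
    # 4. Files FreeRADIUS and Windows want: server.pem (certificate followed
    #    by key, as the Makefile concatenates them), ca.pem, and DER ca.der.
    cat "$dir/server.crt" "$dir/server.key" > "$dir/server.pem"
    openssl x509 -in "$dir/ca.pem" -outform DER -out "$dir/ca.der"
}

# Issue server.crt from server.csr; extra arguments go to openssl x509.
sign_server_csr() {
    local dir=$1 pass=$2
    shift 2
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -passin "pass:$pass" -CAserial "$dir/serial" \
        -out "$dir/server.crt" "$@" 2>/dev/null
}

# What the Windows supplicant checks: the chain back to ca.pem and the EKU.
# Prints ok, chain-broken or missing-server-auth-eku.
check_server_cert() {
    local dir=$1
    if ! openssl verify -CAfile "$dir/ca.pem" "$dir/server.crt" >/dev/null 2>&1; then
        echo chain-broken
        return 1
    fi
    if ! openssl x509 -in "$dir/server.crt" -noout -text |
            grep -q 'TLS Web Server Authentication'; then
        echo missing-server-auth-eku
        return 1
    fi
    echo ok
}

# Usage: ./make-eap-certs.sh /root/certs whatever radius.home.lan
if [ "$#" -ge 3 ]; then
    make_eap_certs "$1" "$2" "$3" yes
    check_server_cert "$1"
fi
```

./make-eap-certs.sh /root/certs whatever radius.home.lan prints ok when the chain verifies and the extension is present. The password you pass is the one that belongs in private_key_password in eap.conf, and the CN you pass is what goes into Connect to these servers on the Windows side.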

 With all of that in place (hopefully you’re still with me). You only have a few more things to configure before you will have a working system.


Modifying the Freeradius Configuration

You will need to edit eap.conf. To do so enter the following command:

cd /etc/freeradius

nano eap.conf

Under the eap { } section change default_eap_type = md5 to default_eap_type = peap

Under the tls { } section change private_key_password = whatever to the password you set when you created your certificates (if you kept the default whatever in server.cnf, this line is already correct). Do not put quotes or parentheses around the password.

Under the peap { } section verify that it says default_eap_type = mschapv2

After you have made those changes to eap.conf hit Ctrl+x then y then press enter.

Next you need to edit clients.conf by entering the following command:

nano clients.conf

Go to the end of the file and add the following lines:

client 192.168.1.1 {
        secret    = AnyThingYouWant
        shortname = linksys
}

192.168.1.1 is the IP address of your wireless router, the device that will forward the authentication requests. Give its single address here; a wide range such as 192.168.1.1/16 would let any host on the network talk to the server if it knew the secret. The secret is the shared secret you will also enter in the router a little further ahead: make it long and random, with no spaces. shortname is only a label that appears in the logs; it does not have to be the SSID.

 Save the clients.conf file the same way as you have the others.

Now you need to edit the users file by entering the following command:

nano users

Go to the end of the file and add a user as:

Joesmoe       Cleartext-Password := "whatever" (Note that the operator is := with no space, and the password is enclosed in double quotes. These are the credentials Windows will prompt for, so use a real password rather than the example.)

Save and exit the users file the same way as before.

That is all the configuration changes needed for Freeradius.


Setting up Samba to Share files with Windows

The next step is setting up your samba share so that you can easily transfer the ca.der file to your Windows machine.

Enter the following commands:

cd /etc/samba

nano smb.conf

Add the following lines to the end of the file.

[share]

comment = Share Directory

path = /home/someuser/share

browseable = yes

writeable = yes

Save and exit the smb.conf file the same way as you have saved the other files.

Samba keeps its own password database, separate from the Linux logins, so give your user a Samba password (Windows will ask for it when you open the share) by issuing the following command and entering the password twice:

smbpasswd -a someuser

You do not need the smbusers mapping file unless you enable username map in smb.conf; a Samba password for the user is what matters.

Now create the share folder and hand it to your user. You are root, so without the chown the folder would belong to root and the share would not be writeable:

mkdir /home/someuser/share

chown someuser:someuser /home/someuser/share

You need to restart the samba server to activate the changes by issuing the following command:

/etc/init.d/smbd restart

Next copy the ca.der file into the share folder so that you can transfer it to your Windows laptop and install it. ca.der is produced by make ca.der in the certificate directory; it is the DER-encoded form of ca.pem, which is what the Windows certificate importer expects. Enter the following commands:

cd /usr/share/doc/freeradius/examples/certs

cp ca.der /home/someuser/share

A writeable share open to your LAN is more than this one-off copy needs. Once ca.der is on the laptop you can remove the [share] section from smb.conf again, or skip Samba altogether and copy the file with pscp, which ships with PuTTY.


Installing the CA in Windows

At this point you can open Windows Explorer and then network and you should see the share folder you created. Double click the folder and you should see the ca.der file.

Double click the ca.der file and it will open up a certificate window, click install certificate.

The certificate import wizard will open, click next then check place all certificates in the following store.

Click Browse, select Trusted Root Certification Authorities, click OK, and it will tell you that the certificate has been installed successfully. Bear in mind what you just did: Windows now trusts every certificate this CA signs, for HTTPS sites as much as for RADIUS servers, which is why ca.key on the server must stay private.


Router Configuration

Next you need to configure your router to work with wpa2-enterprise.

Open your browser and enter 192.168.1.1 or whatever the IP address is for your router. Log into it and go to wireless, then wireless security.

Change your security mode to wpa2-enterprise. In radius server input the IP address for your Linux server, the port is 1812, and shared secret is the secret that you input into your clients.conf file. Save your settings. This completes the configuration for your router.


Choosing the correct Network Connection Setting

The final step is to configure your wireless connection to work with the radius server.

Click on your network connection applet on your taskbar and then right click the wireless connection for your network, select properties.

Make sure security type is set to wpa2-enterprise, encryption type is AES.

Under choose a network authentication method select Microsoft: Protected EAP (PEAP), click settings

Place a check in Validate server certificate and a check in Connect to these servers. Enter the Common Name you gave the server certificate in server.cnf, not the server's IP address: Windows compares this entry against the subject of the certificate the RADIUS server presents, and an IP address here only matches if you set the CN to that address. In the Trusted Root Certification Authorities list select the CA that you installed (mine is My_CA). Under Select Authentication Method make sure Secured password (EAP-MSCHAP v2) is selected, then click Configure.

Uncheck Automatically use my Windows logon name and password (and domain if any) and then click ok.

Click ok again, on the wireless network properties screen click advanced settings, put a check in Specify authentication mode and in the drop down menu select user authentication then click ok.


Testing Freeradius

Now go back to PuTTY and run the following commands (the first stops the packaged daemon if it is running, as in the radtest step):

/etc/init.d/freeradius stop

freeradius -X

It will start your RADIUS server in debug mode. If there are any problems it will tell you what they are.

Hopefully if you have followed the directions and I haven't left anything out, there shouldn't be any issues.

At this point you should be prompted for a username and password on your Windows laptop. Enter the username and password that you put into your users file. If everything is running correctly you will connect and your debug screen should show an Access-Accept being sent back to the router. When you are satisfied, stop the debug instance with Ctrl+C and start the service normally, so that it keeps running after you close PuTTY:

/etc/init.d/freeradius start

Final Thoughts
These are the steps that I used to get this working on my system.  Most of the information regarding the installation and configuration of Freeradius is outdated or is not suited for Ubuntu. I know for some of you this may seem trivial. As an avid Linux user I wanted to provide and make available some useful information for aspiring network admins and Linux users.

Good luck and hope you enjoyed this tutorial.

If I missed something or you come up with errors at the end let me know and I will do my best to help you resolve any issues you may have.

Be Sure to check back in. My next installment will cover integrating MySQL into this setup. 

