By Glenn Weber
This setup is for home users or small organizations with limited funds. For a home network it is overkill, but for anyone interested in experimenting with FreeRADIUS on Ubuntu Server it is a good starting point. After many explorations, attempts and failures with FreeRADIUS, I have finally compiled enough information to help others who wish to experiment with wireless authentication. The motivation for putting this tutorial together was the lack of accurate information available on the topic. My intention is to give a detailed walk-through of the installation, both for system administrators and for anyone who wants to learn a more involved procedure.
This setup requires very little configuration by the administrator. It also covers how to create the self-signed certificates that carry the "XP extensions" (the extended key usage values) that Windows requires before it will trust a PEAP server certificate. Although this tutorial is based on installing Ubuntu in VirtualBox, the same steps work on a dedicated machine. The procedure works with all Windows versions that support 802.1X wireless authentication.
For many of you, this will cover some elementary subjects, but I wanted to include them so that less experienced users could also understand this tutorial.
Conventions used in this tutorial:
Commands that need to be entered at the command line will be bold and italicized.
Text that needs to be entered into files will be in red.
Clickable menu items will be highlighted.
File names will be in green.
VirtualBox Installation and Setup
If not already installed, download and install VirtualBox from
Download the newest version of Ubuntu Server and save it to your desktop. Be sure to download the 32-bit version.
Open Virtual-box and click new:
Name your new machine, for example Ubuntu.
OS Type should be set to Linux and the version should be Ubuntu then click next.
Set the amount of RAM you would like to allow the guest machine to use. Note that this will take from your available RAM on your host machine. The amount of RAM depends solely on your overall memory. For my setup I set it at 512MB. That should be adequate for most setups.
Click Next 3 times.
Set the amount of hard drive space you would like to give the Ubuntu server. For my setup I used 20GB, but again this depends on how much room you have available on your machine.
Click Next and then click create 2 times.
Make sure that the new machine is listed and highlighted.
Click the settings menu, and then click on storage.
You need to attach the installer ISO as a CD/DVD drive on the IDE controller: click the green plus sign next to the IDE controller at the top of the Storage tree window. You will be prompted to choose a disk. Click Choose disk and browse to the Ubuntu ISO that you saved on your desktop.
Next select Network and, for the network adapter, change the Attached To drop-down to Bridged Adapter. This gives the virtual machine its own address on your LAN, which the wireless router must be able to reach.
Click ok and you are ready to start the machine and begin the Ubuntu Server Installation.
Start the machine and you will begin Ubuntu server installation. I chose to install LAMP, Openssh server, and Samba server during the install to make things easier on me later.
The installation is self-explanatory, but if you have questions there are many sites that explain how to install Ubuntu Server. If you still have questions feel free to email me.
Once you have installed the server and it has restarted, log in. From here I usually like to start by setting up SSH so I can access the server from my laptop; this is probably for more experienced users, but it is simple to get working, so don't panic if it is your first time. Log in and type the following command (your regular user can only edit this file through sudo):
sudo nano /etc/ssh/sshd_config
There are only two things we will need to change in this file, they are as follows:
PermitRootLogin yes needs to be changed to PermitRootLogin no, so that the root account cannot be reached over SSH even after you give it a password later on.
And at the end of the file add a line that says:
AllowUsers username (Note: the username should be the same as your login. With this line present, SSH refuses every other account.) Then hit Ctrl+X, then Y, and then press Enter.
Restart ssh by typing the following command:
sudo /etc/init.d/ssh restart
Setting a Static IP
It is a good idea to give the server a static IP address. Both the router's RADIUS setting and the FreeRADIUS client definition refer to fixed addresses, so a server whose IP keeps changing would break authentication. You can do this by entering the following command:
sudo nano /etc/network/interfaces
Change the file to read as follows:
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.100 (or whatever IP address you want to set, within your network's IP range)
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.1
Hit Ctrl+x then y and then press enter.
Restart the server and log in.
Once logged in, enter the following command:
ifconfig (you should now see that the interface is using the assigned static IP address)
I also like to give the root account a password so I can log into it instead of having to type sudo in front of every command.
Create a root password by typing the command:
sudo passwd
Enter the new root password twice and you are good to go. Because PermitRootLogin was set to no above, this password only works at the console or after you are already logged in as your normal user; switch to the root account by typing the command:
su -
Enter the root password.
Using Putty for remote login
You can use PuTTY to access the SSH server from your laptop. You can get putty.exe from
Double click the Putty.exe icon to start Putty.
In the Host Name (or IP Address) block type the IP address for your Ubuntu server and then click open.
You will have to log in with your regular Ubuntu user and then switch to the root account as above.
You are now connected to the server and can administer it remotely. The only time you will have to manage the server at its own console is when you restart it or when a misconfiguration locks you out.
At this point I am assuming that you are logged onto the server using PuTTY on your laptop. The first thing you will need to do now is install FreeRADIUS. You can do this by entering the following command:
apt-get install freeradius -y
Testing FreeRadius with radtest
I would open a second PuTTY terminal and log in to the server for this step, as it makes things easier.
After opening the other PuTTY terminal, you will need to add a user to the users file.
Run the following command:
nano /etc/freeradius/users
At the end of the users file add the following line:
testuser Cleartext-Password := "whatever"
Save and close the file by hitting Ctrl+x, then y and then press enter.
In one of the PuTTY terminals, type the following command to start FreeRADIUS in debug mode:
freeradius -X
Go back to the other PuTTY terminal and type the following command:
radtest {username} {password} 127.0.0.1 1812 testing123 (Do not type the curly braces; enter the username and password that you put in the users file. 127.0.0.1 is the server, testing123 is the shared secret the default clients.conf assigns to localhost, and the fourth argument is the NAS-Port value placed in the request rather than the UDP port, so any number will do.)
If everything went well you should see Access-Accept. Access-Reject means there is a problem; check the other terminal and read the debug log. Note that radtest sends the password as PAP, protected only by the shared secret, which is fine against localhost but is not what the Windows clients will use: PEAP tunnels MSCHAPv2 inside TLS.
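To make the radtest step less of a black box, here is the exchange it performs, as an added example written for this page (it is not code from the tutorial, from radtest or from FreeRADIUS). It builds the RFC 2865 Access-Request with the PAP User-Password encrypted under the shared secret, plays the server side against an in-memory users table (a constructed stand-in for the users file entry above), and verifies the Response Authenticator on the reply. The function names, the toy server and the sample users are all assumptions made for this example; only send_udp talks to a real server.

```python
"""RADIUS PAP exchange (RFC 2865) as radtest performs it, end to end in memory.

Added example, not code from the tutorial or from FreeRADIUS. The `users`
dict is constructed sample data standing in for /etc/freeradius/users.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}


def attr(atype, value):
    """Encode one attribute: Type(1) Length(1, header included) Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    """Decode the attribute list into [(type, value), ...], rejecting bad lengths."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return out


def encrypt_user_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decrypt_user_password(cipher, secret, request_auth):
    """Inverse of encrypt_user_password; the NUL padding is stripped."""
    if not cipher or len(cipher) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, ident, request_auth=None):
    """Client side (what radtest does): fresh random Request Authenticator, PAP password."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, encrypt_user_password(password.encode(), secret, request_auth))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton("127.0.0.1")))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """Client side: trust a reply only if its authenticator binds it to our request and secret."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != request[1]:  # identifier must echo the request
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def toy_server(request, secret, users):
    """Stand-in for FreeRADIUS with a users file: decrypt the PAP password, look the user up."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    attrs = dict(parse_attrs(request[20:]))
    ok = False
    if ATTR_USER_PASSWORD in attrs:
        name = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
        given = decrypt_user_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
        ok = name in users and hmac.compare_digest(users[name].encode(), given)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def radtest_local(username, password, secret, users, ident=7):
    """Whole exchange in memory; returns the word radtest would print."""
    request = build_access_request(username, password, secret, ident)
    response = toy_server(request, secret, users)
    if not verify_response(response, request, secret):
        return "Bad Response Authenticator (shared secret mismatch?)"
    return CODE_NAMES.get(response[0], "code %d" % response[0])


def send_udp(request, secret, host="127.0.0.1", port=1812, timeout=3.0):
    """Send a request to a real server (e.g. freeradius -X on this box) and check the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        response, _ = sock.recvfrom(4096)
    if not verify_response(response, request, secret):
        raise ValueError("reply failed authenticator check: wrong shared secret or spoofed reply")
    return CODE_NAMES.get(response[0], "code %d" % response[0])


if __name__ == "__main__":
    users = {"testuser": "whatever"}  # constructed stand-in for the users file entry
    print(radtest_local("testuser", "whatever", b"testing123", users))
    print(radtest_local("testuser", "wrong", b"testing123", users))
```

Run it as-is to see Access-Accept followed by Access-Reject, or call send_udp(build_access_request("testuser", "whatever", b"testing123", 7), b"testing123") while freeradius -X is running to fire a real request at the server. The wrong-secret path is the instructive one: the server decrypts garbage and rejects, and the client cannot validate the reply either, which is exactly why a secret typo in clients.conf or the router shows up as a silent timeout or reject in the debug log.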
Creating the correct Certificates
When the installation completes, change to the directory that holds the files needed for certificate creation. Type the following command:
cd /usr/share/doc/freeradius/examples/certs
Next you need to open the README file by entering the following command:
cat README
The README walks you through the complete process of creating the required certificates; follow its instructions. There are, however, a few exceptions. The openssl ca command that signs the certificates expects two files in the working directory, serial and index.txt, so create them before building the certificates. Create the serial file by entering the following command:
nano serial
Inside the serial file enter 01, then hit Ctrl+X, then Y, then Enter.
Next create the index.txt file by entering the following command:
nano index.txt
index.txt must exist but stay empty. nano does not write a file you have not typed into, so press Ctrl+O and Enter to write it out before leaving with Ctrl+X. Also keep in mind that ca.key, created alongside ca.pem, is the private key of the CA you are about to install on every Windows client; anyone who obtains it can mint certificates those clients trust, so leave it readable only by root and never copy it to the Samba share.
After you have successfully created the certificates, you will need to copy three files to the /etc/freeradius/certs directory: ca.pem, server.key and server.pem.
You can copy them by entering the following command while still in /usr/share/doc/freeradius/examples/certs:
cp ca.pem server.key server.pem /etc/freeradius/certs
server.key is the RADIUS server's private key; it should stay readable only by root and by the freerad user that the Ubuntu service runs as.
Modifying the Freeradius Configuration
You will need to edit eap.conf. To do so enter the following command:
cd /etc/freeradius
nano eap.conf
Under the eap { } section you need to change default_eap_type = md5 to default_eap_type = peap.
Under the tls { } section you need to change private_key_password = whatever to
private_key_password = (whatever you set as the certificate key password when you created your certificates; this is the output_password from server.cnf). You don't need to put parentheses around your password. While you are in this section, check that private_key_file, certificate_file and CA_file point at the server.key, server.pem and ca.pem you copied into /etc/freeradius/certs.
After you have made those changes to eap.conf hit Ctrl+x then y then press enter.
Next you need to edit clients.conf by entering the following command:
nano clients.conf
Go to the end of the file and add the following lines:
client 192.168.1.1 { (this is the IP address of your router; list that single address, not a /16 range, because any host inside the range that knows the secret could send authentication requests and see the replies)
secret = AnyThingYouWant (no spaces or special characters; use a long random string, since this secret is all that protects the RADIUS traffic between router and server. You will have to enter the same value as the shared secret in your router a little further on.)
shortname = linksys (a label used for this client in the logs; it does not have to match the SSID)
}
Now you need to edit the users file by entering the following command:
nano users
Go to the end of the file and add a user as:
Joesmoe Cleartext-Password := "whatever" (Note the := operator, and be sure to enclose the password in double quotes. PEAP/MSCHAPv2 needs the clear-text password or an NT-Password hash; a crypt or SHA hash in this file will not work.)
Save and exit the users file the same way as before.
That is all the configuration changes needed for Freeradius.
Setting up Samba to Share files with Windows
The next step is setting up a Samba share so that you can easily transfer the ca.der file to your Windows machine.
Enter the following commands:
cd /etc/samba
nano smb.conf
Add the following lines to the end of the file.
[share]
comment = Share Directory
path = /home/someuser/share
browseable = yes
writeable = yes
Save and exit the smb.conf file the same way as you have saved the other files.
Next you need to edit the smbusers file by issuing the following command:
nano smbusers
Inside the smbusers file enter someuser = "someuser"
Save and exit the file the same way as before. If Windows later refuses the login to the share, the account also needs a Samba password, which is set separately from the Linux password with smbpasswd.
Now you need to create the share folder by entering the following command:
mkdir /home/someuser/share
You need to restart the samba server to activate the changes by issuing the following command:
/etc/init.d/smbd restart
Next you need to copy the ca.der file into the share folder so that you can transfer it to your Windows laptop and install it. Only the public CA certificate goes on the share, never ca.key or server.key.
cd /usr/share/doc/freeradius/examples/certs
Then enter the command:
cp ca.der /home/someuser/share
Installing the CA in Windows
At this point you can open Windows Explorer, then Network, and you should see the share folder you created. Double-click the folder and you should see the ca.der file.
Double-click the ca.der file and it will open a certificate window; click Install Certificate.
The Certificate Import Wizard will open. Click Next, then check Place all certificates in the following store.
Click Browse, select Trusted Root Certification Authorities, click OK, then Next and Finish. Windows warns that it cannot verify a new root certificate; confirm it, since this is the CA you just created yourself. From now on this machine trusts every certificate signed by that CA, which is another reason to keep ca.key on the server only.
Router Configuration
Next you need to configure your router to work with WPA2-Enterprise.
Open your browser and enter 192.168.1.1, or whatever the IP address of your router is. Log in and go to Wireless, then Wireless Security.
Change the security mode to WPA2-Enterprise. For the RADIUS server, enter the IP address of your Linux server, set the port to 1812, and set the shared secret to the secret you put in clients.conf. Save your settings. This completes the configuration of your router.
Choosing the correct Network Connection Setting
The final step is to configure your wireless connection to work with the radius server.
Click on your network connection applet on your taskbar and then right click the wireless connection for your network, select properties.
Make sure the security type is set to WPA2-Enterprise and the encryption type is AES.
Under Choose a network authentication method select Microsoft: Protected EAP (PEAP), then click Settings.
Place a check in Validate server certificate and a check in Connect to these servers. In that field enter the common name (CN) you gave the server certificate in server.cnf, not the server's IP address: Windows compares this field against the subject of the certificate the server presents, and a mismatch makes it refuse the connection. In Trusted Root Certification Authorities select the CA that you installed (mine is My_CA). Under Select Authentication Method make sure Secured password (EAP-MSCHAP v2) is selected, then click Configure.
Uncheck Automatically use my Windows logon name and password (and domain if any), then click OK.
Click OK again. On the wireless network properties screen click Advanced settings, put a check in Specify authentication mode, select User authentication in the drop-down menu, then click OK. Leaving Validate server certificate unchecked would make the connection work just as well, but the laptop would then hand its MSCHAPv2 credentials to any access point that announces your SSID, so keep it on.
Testing Freeradius
Now go back to PuTTY and run the following command (if the debug instance from the radtest step is still running, stop it with Ctrl+C first, since two instances cannot bind the same port):
freeradius -X
This starts your RADIUS server in debug mode. If there are any problems it will tell you what they are.
Hopefully, if you have followed the directions and I haven't left anything out, there shouldn't be any issues.
At this point you should be prompted for a username and password on your Windows laptop. Enter the username and password that you put in your users file. If everything is running correctly you will connect, and your debug screen should show an Access-Accept. Once it works, stop the debug instance with Ctrl+C and start the regular freeradius init script, as you did for ssh, so the server keeps running after you log out.
Good luck and hope you enjoyed this tutorial.
If I missed something or you come up with errors at the end let me know and I will do my best to help you resolve any issues you may have.
Be Sure to check back in. My next installment will cover integrating MySQL into this setup.
Sir
I have gone through your tutorial for FreeRADIUS configuration with Ubuntu Server, but I am getting an error while exchanging the certificates between client and server.
The error is as follows:
TLS error: bad certificate
When you created your certificates, did you create a client certificate and a server certificate? With TLS you have to use both client and server certificates.
Do you have a guide on setting up MySQL with FreeRADIUS on Ubuntu?
I'm new to FreeRADIUS. I cannot create server certificates when I issue this command on an Ubuntu 11.04 terminal: $sudo make server.pem. It cannot open/find 'index.txt'. I already changed the permissions of index.txt using the command $sudo chmod 777 index.txt but it still has no effect. I'm so confused with this, hope you can help me. Thanks in advance.
BTW the FreeRADIUS version is 2.1.10+dfsg-2ubuntu2 (freeradius-common)
Here's the error:
ubox@ubox-VirtualBox:/usr/share/doc/freeradius/examples/certs$ sudo make server.pem
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Using configuration from ./server.cnf
.//index.txt: No such file or directory
unable to open './/index.txt'
1730:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('.//index.txt','r')
1730:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
make: *** [server.crt] Error 1
Hi,
This is Sunoj and I am new to FreeRADIUS. I just followed your instructions and I got the result. I was just confused in the Samba section: the "someuser" did not work for me, so I created a user with "smbpasswd" and installed the certificate. Thanks...
Hey Glenn,
Great tutorial! I have been combing the web for days trying to find a walk-through that actually makes sense. I am going to go post this link on every other site that I have been looking at, hoping that some people's frustration will be alleviated by reading this.
Quick question though: what version of Windows was your client machine running? I am trying it on an XP SP3 laptop that was lying around and I was a little unsure when it came to setting up the Windows network settings. The final step in particular has me scratching my head wondering where the "Specify Authentication Mode" check box is.
Appreciate the work!
-Chris
Hey Glenn,
Thank you very much for this outstanding tutorial!
-Ben
hey Glenn
I would like to ask you why the client can't log in with another account on my RADIUS server.
I have 3 accounts and 3 clients to access the server, but when the first client accesses it with the first account it is successful, and when the second and third clients want to access the server they didn't log in, so they can access the server directly. Could you tell me why please??
-krisna
Thanks for the tutorial. I get an error when I go to install FreeRADIUS. I downloaded it as part of the setup as you mentioned. I get a couple of lines saying err and failed (a link is below). I configured it to install updates automatically during the setup. What could the problem be? What can I do to fix it?
http://goo.gl/yIuRw
Thanks for the help!
Amru
Hi
Thanks for the tutorial. There is something that I would like to ask. When I am creating the new certificates, after vi ca.cnf
I can't get out of there. I try to save the changes and type Ctrl+x but nothing happens. Is there a command to type to save that?
Thanks