1. install freeradius
apt-get install freeradius
2. start freeradius in debug mode
freeradius -X
Lots of output will scroll by, and it will eventually say:
Ready to process requests.
If an error like "FreeRadius - Failed binding to authentication address" appears,
run 'service freeradius restart' and then 'service freeradius stop', then run 'freeradius -X' again; the binding error should no longer occur.
If that doesn't work, use /etc/init.d/freeradius stop instead.
3. define a user
Add this line at the bottom of the file /etc/freeradius/users:
testuser Cleartext-Password := "password"
4. simple test: Local authentication without EAP
$ radtest testuser password 127.0.0.1 1812 testing123
Note: first run freeradius -X, then open another terminal and run the command above.
You will see a message like:
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=108, length=20
5. Authenticate via a remote authenticator
Treat this VM as the client; its IP is, for example, 192.168.254.131.
Install freeradius on another VM as the server; its IP is, for example, 192.168.254.130.
On the server, add the test authenticator host (the client VM) at the end of /etc/freeradius/clients.conf and assign a shared secret:
client 192.168.254.131 {
    secret = testing123
    shortname = 192.168.254.131
}
Start freeradius on the server (130): freeradius -X
On the client VM (131) use this command: radtest testuser password 192.168.254.130 1812 testing123
Again, it succeeds only if an Access-Accept is received.
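What radtest and the server do with the shared secret in steps 4 and 5, as an added Python example (not part of the original notes and not FreeRADIUS code): the User-Password hiding and the Response Authenticator check from RFC 2865. The Request Authenticator bytes are constructed sample values; id 108 and the attribute-less 20-byte Access-Accept mirror the output shown in step 4.

```python
import hashlib, hmac, struct

SECRET = b"testing123"  # shared secret from clients.conf / radtest on this page

def _keystream(secret, prev):
    return hashlib.md5(secret + prev).digest()

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", req_auth
    for i in range(0, size, 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], _keystream(secret, prev)))
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):
    """Server side: reverse the hiding; a wrong secret yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, _keystream(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def build_reply(code, ident, attrs, req_auth, secret):
    """Reply = header + MD5(code, id, length, RequestAuth, attrs, secret) + attrs."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + auth + attrs

def verify_reply(packet, req_auth, secret):
    """Client side: recompute the Response Authenticator before trusting the reply."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = build_reply(code, ident, packet[20:], req_auth, secret)
    return hmac.compare_digest(expected, packet)

if __name__ == "__main__":
    req_auth = bytes(range(16))              # constructed sample Request Authenticator
    hidden = hide_password(b"password", SECRET, req_auth)
    print("hidden User-Password:", hidden.hex())
    print("server decodes:", unhide_password(hidden, SECRET, req_auth))
    accept = build_reply(2, 108, b"", req_auth, SECRET)   # code 2 = Access-Accept
    print("length:", len(accept), "verifies:", verify_reply(accept, req_auth, SECRET))
    print("wrong secret verifies:", verify_reply(accept, req_auth, b"not-the-secret"))
```

If the secret passed to radtest differs from the one in clients.conf, the server decodes a garbage password and the client cannot validate the reply, which is why both sides must carry the same value.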
6. Getting the simplest EAP method into the picture: EAP-MD5
Use this command:
( echo "User-Name = \"testuser\""; \
echo "Cleartext-Password = \"password\""; \
echo "EAP-Code = Response"; \
echo "EAP-Id = 210"; \
echo "EAP-Type-Identity = \"testuser\""; \
echo "Message-Authenticator = 0x00"; ) | \
radeapclient -x 127.0.0.1 auth testing123
radeapclient reads its input from standard input, which here is generated by a series of echo commands printing RADIUS attributes.
The command succeeds if you see an Access-Accept packet with EAP-Code = Success.
Then change the address 127.0.0.1 to 192.168.243.130 (the server).
Note: Remember to add the user to the users file on the server VM, i.e., add the line below to /etc/freeradius/users:
testuser Cleartext-Password := "password"
7. full swing with eap-ttls and peap
Use the default certificates in /etc/freeradius/certs, so the eap.conf file does not need to be changed.
Install wpa_supplicant and the eapol_test tool:
wget http://hostap.epitest.fi/releases/wpa_supplicant-0.5.10.tar.gz
tar xvf wpa_supplicant-0.5.10.tar.gz
cd wpa_supplicant-0.5.10/
cp defconfig .config
make eapol_test
If an error occurs, try: apt-get install libssl-dev
A binary eapol_test will be generated if the build was successful, and I'd copy it to /usr/local/bin:
ls eapol_test
cp eapol_test /usr/local/bin/
(1) PEAP testing:
$ cat eapol_test.conf.peap
network={
eap=PEAP
eapol_flags=0
key_mgmt=IEEE8021X
identity="testuser"
password="password"
# change ca_cert to server.pem when testing localhost
ca_cert="/etc/freeradius/certs/cacert.pem"
phase2="auth=MSCHAPV2"
anonymous_identity="anonymous"
}
Use this command:
eapol_test -c eapol_test.conf.peap -a127.0.0.1 -p1812 -stesting123 -r1
format:
eapol_test -c <eapol_test config file> -a127.0.0.1 -p1812 -stesting123 -r1
(2) EAP-TTLS testing
8. android-AP-vm
(1) The VM's eth0 should be bridged.
(2) Ping the AP from the VM: ping 192.168.3.111
(3) Open the AP configuration GUI and set the AP to use RADIUS:
Add a RADIUS profile under Authentication-Profiles, for example ubuntu_freeradius. The secret should be "testing123", the same as configured in the VM's freeradius.
Then in VSC, open "wimax" and check the Wireless protection option (WPA): the Mode is WPA2 (AES/CCMP), the Key source is RADIUS, and for the RADIUS profile choose your newly configured profile, ubuntu_freeradius.
(4) The VM is now the freeradius server, so remember to add the AP as a client in clients.conf. The IP is that of the AP; the name is 192.168.3.111.
(5) Connect to "wimax" on the Android device. For EAP, choose PEAP. The user name and password are those in freeradius's users file. If the device cannot connect to the network, try setting a static IP for the Android device.
9. bugs: errors were encountered while processing freeradius-mysql, sub-process /usr/bin/dpkg returned error code
There are some bugs in the default config and init.d service of freeradius3.
Change the field name=radiusd in /etc/freeradius/radius.conf to name=freeradius.
Then restart the service.
If the service cannot be started, check the log. The cause may be allow_vulnerable_openssl = no (with this setting the server refuses to start against an OpenSSL version it considers vulnerable); in that case change it to yes and run service freeradius restart.
If that works, run dpkg --configure -a