FreeRADIUS PEAP Authentication + Cisco AP + Windows XP + Windows AD Authentication
I could not find a decent guide on how to set up a Cisco AP (1200 series, specifically) with PEAP authentication.
I would have liked to use IAS (we are a Microsoft company), but it didn't work out.
My next choice was Funk Steel-Belted Radius. The debugging was minimalistic at best (all I remember was I was sending EAP type 26 and it told me I needed 25... go figure!)
My last choice, which I knew would work if it could be done, was FreeRADIUS...
Boy... was I in for a surprise. Here's the drilldown...
FreeRADIUS Configuration
NOTE: This guide was quickly thrown together; I may be missing pieces.
Fetch FreeRADIUS from here. At the time of writing, I was using 2006.08.22, or 1.1.3
bunzip2 freeradius-1.1.3.tar.bz2
tar xvf freeradius-1.1.3.tar
cd freeradius-1.1.3
./configure
make install
You should now have FreeRADIUS installed. In my case, the programs are located in /usr/local/bin and /usr/local/sbin.
Configuration was located in /usr/local/etc/raddb
cd /usr/local/etc/raddb
cp radiusd.conf.sample radiusd.conf
nano radiusd.conf
(nano is my choice of editor; use any suitable editor here)
First make sure that prefix = /usr/local points to the correct place.
Leave all the variables alone.
If you wish, you can set a different user/group to run radiusd as by uncommenting user and group, but for testing it's easier to just run as the launching user.
Most of the rest of the file can be left alone for the time being.
Look for the line $INCLUDE ${confdir}/eap.conf. This MUST be present!!!
Please make sure, at a minimum, that these lines are present:
mschap {
authtype = MS-CHAP
use_mppe = yes
#require_encryption = yes
#require_strong = yes
#ntlm_auth = "/usr/local/samba/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
The require lines are commented out, as you can tell. We want to eliminate as many possibilities for "oops" as possible. Once you're all set up, uncomment those lines!!!
The ntlm_auth line points to Samba's ntlm_auth program (more on this in the Samba Configuration section), which will authenticate the user against Active Directory. It's commented out so that you can start the server and test it first.
Now scroll down and look for authorize {. Make sure that these lines are present:
authorize {
preprocess
mschap
ntdomain
eap
files
}
Right below that should be...
authenticate {
Auth-Type MS-CHAP {
mschap
}
eap
}
You're done! Well..at least with that file....
Generate the certificates.
Most people get tripped up by the certificates. Easiest way I can recommend is to use CA.pl, or to download OpenVPN and use their easy-rsa scripts. You only have to go as far as to generate the server cert.
Now you need to make the certs dir
mkdir certs
and copy the certs to the folder. Name them as follows:
Server Certificate - server.crt
Server Key - server.key
CA Certificate - ca.crt
Diffie-Hellman file - dh
For the random file, I chose to use /dev/urandom. If your OS has this, use it.
Now to configure EAP/PEAP:
touch eap.conf
nano eap.conf
Now create this file as follows:
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = yes
tls {
private_key_password = password
private_key_file = /usr/local/etc/raddb/certs/server.key
certificate_file = /usr/local/etc/raddb/certs/server.crt
CA_file = /usr/local/etc/raddb/certs/ca.crt
dh_file = /usr/local/etc/raddb/certs/dh
random_file = /dev/urandom
include_length = yes
fragment_size = 600
}
peap {
use_tunneled_reply = no
default_eap_type = mschapv2
copy_request_to_tunnel = no
}
mschapv2 {
}
}
IF YOU REMOVE THE mschapv2 {}, it WILL NOT WORK!
I tried everything for default_eap_type... nothing worked. mschapv2 would tell me "UNKNOWN". Once I added it here, it worked like a charm. Go figure...
Now come the random files... I'm SURE you could eliminate the need for these, but I wanted as bone-dry a config as I could get:
touch acct_users
touch clients.conf
cp naslist.sample naslist
cp naspasswd.sample naspasswd
touch preproxy_users
cp proxy.conf.sample proxy.conf
touch realms
touch users
Set up your client(s):
nano clients.conf
client 127.0.0.1 {
secret = password
shortname = anything
}
Add appropriate entries for your other devices.
nano users
DEFAULT Auth-Type = System
That's it for the users file.
Now try starting the server
/usr/local/sbin/radiusd -X -A
The -X specifies full debugging; the -A specifies Log Auth Detail.
If all went well, you should see a LOT of output. The last lines should say:
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
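To see what the server will actually check once the AP starts relaying PEAP, here is an added Python example (not from the original guide and not FreeRADIUS code) that builds the first Access-Request an AP would forward for a constructed user "jdoe" and verifies its Message-Authenticator the way the server does, using the secret "password" from the clients.conf entry above. An AP configured with the wrong radius-server key fails exactly this HMAC check, and the -X debug output will complain about the Message-Authenticator.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(attr_type, value):
    # RADIUS attribute TLV: type, length (value + 2 header bytes), value
    return struct.pack("BB", attr_type, len(value) + 2) + value


def eap_response_identity(eap_id, identity):
    # EAP Response (code 2) / Identity (type 1): the first thing the supplicant sends
    body = bytes([1]) + identity
    return struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body


def build_access_request(secret, identity, radius_id=1, eap_id=1):
    # Builds the Access-Request the AP relays, signed with the RADIUS shared secret
    authenticator = os.urandom(16)          # Request Authenticator: random per request
    attrs = attr(ATTR_USER_NAME, identity)
    attrs += attr(ATTR_EAP_MESSAGE, eap_response_identity(eap_id, identity))
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed while computing the HMAC
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs))
    pkt = header + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac                  # Message-Authenticator is the last attribute


def verify_message_authenticator(secret, pkt):
    # Server side: zero the MA value, recompute HMAC-MD5 with its own secret, compare
    i = 20
    while i + 2 <= len(pkt):
        attr_type, length = pkt[i], pkt[i + 1]
        if length < 2:
            return False                    # malformed attribute
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received = pkt[i + 2:i + 18]
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        i += length
    return False   # EAP-Message without a Message-Authenticator is rejected (RFC 3579)
```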
Samba Configuration
In order to authenticate against Active Directory, you will need Samba and the suite of programs it provides.
First, download Samba here. At the time of writing, it was 3.0.23c.
tar xzvf samba-3.0.23c.tar.gz
cd samba-3.0.23c/source
./configure --with-ads --with-krb5 --with-winbind --with-winbind-auth-challenge
make
make install
Hopefully all went well. In my case, all files were installed to /usr/local/samba. Adjust these values accordingly.
Edit your smb.conf. I put mine at /usr/local/etc/smb.conf and symlink wherever the program happens to be looking.
cp smb.conf.sample /usr/local/etc/smb.conf
nano /usr/local/etc/smb.conf
Change and/or add these values. Anything enclosed in %...%, change to your specific environment!
[global]
winbind separator = +
winbind cache time = 10
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
# workgroup is the short NetBIOS domain name; realm (below) is the DNS name
workgroup = %YOURDOMAIN%
server string = %This is the radius server%
encrypt passwords = yes
security = ADS
# alternatively, you can specify a domain controller in place of *
password server = *
realm = %YOURDOMAIN.ORG%
If you are also going to be using smbd, edit to your liking.
Now that Samba is configured, you should be able to start nmbd:
/usr/local/samba/sbin/nmbd
Check that it is running...
ps ax | grep nmbd
If it's running, you should see something like:
359 ?? Ss 0:00.20 /usr/local/samba/sbin/nmbd
Now we have to join the PC to the domain:
cd /usr/local/samba/bin
./net rpc join -S DOMAINCONTROLLER -UAdministrator
Replace DOMAINCONTROLLER with your DC, and Administrator with your logon. It will prompt you for your password.
NOTE: In the Samba HOW-TO (located HERE) it says "Where Active Directory is used... snip ... net ads join -UAdministrator". THIS WOULD NOT WORK FOR ME! I don't know why, but the NT one worked. Please refer to that documentation, as it's more knowledgeable than me!
Now that your PC is joined to the domain, we can run winbindd:
/usr/local/samba/sbin/winbindd
Check that it is running...
ps ax | grep winbindd
If it's running, you should see something like:
367 ?? Ss 0:00.20 /usr/local/samba/sbin/winbindd
Now we check that you can authenticate. There's more info in the Samba HOW-TO link above, but for our purpose we will try using ntlm_auth:
cd /usr/local/samba/bin
./ntlm_auth --domain=YOURDOMAIN.ORG --username=jdoe
It will prompt you for your password. Enter it. If all went well:
NT_STATUS_OK: Success (0x0)
Done with Samba!
Access Point Configuration
There are hundreds of ways to configure the AP. This is what worked for me.
This is just a quick and dirty login and show run, important parts in italic:
ap>en
ap#show run
Current configuration : 3531 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
clock timezone GMT -5
ip subnet-zero
ip domain name yourdomain.org
ip name-server 1.2.3.4
ip name-server 4.3.2.1
!
!
aaa new-model
!
!
aaa group server radius rad_eap
server 1.2.3.6 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_admin
!
aaa group server radius rad_acct
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid DATA
vlan 10
authentication open eap eap_methods
authentication key-management wpa optional
guest-mode
!
dot11 ssid VOICE
vlan 20
authentication open
authentication key-management wpa
wpa-psk ascii 7 11111111111111111111
!
!
!
username admin privilege 15 password 7 5646646464365325
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 10 mode ciphers aes-ccm tkip wep128
!
encryption vlan 20 mode ciphers tkip
!
ssid DATA
!
ssid VOICE
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
!
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
speed 100
full-duplex
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
!
interface FastEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled
!
interface FastEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
no bridge-group 10 source-learning
bridge-group 10 spanning-disabled
!
interface BVI1
ip address 2.3.4.5
no ip route-cache
!
ip default-gateway 2.3.4.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
access-list 111 permit tcp any any neq telnet
radius-server attribute 32 include-in-access-req format %h
radius-server host 1.2.3.6 auth-port 1812 acct-port 1813 key 7 11111111111111111
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
access-class 111 in
transport preferred all
transport output all
line vty 0 4
access-class 111 in
transport preferred all
transport input all
transport output all
line vty 5 15
access-class 111 in
transport preferred all
transport input all
transport output all
!
end
NOTE: PLEASE do not just paste this into your config. Configure the AP in full open mode, do a show run, and then see the lines in ITALIC as to what you need.
Now I'll be very honest... most of this config "just works", so it's what I use. Here's a quick rundown:
-Dual SSIDs and VLANs. A "voice" SSID, strictly for our VoIP subnet, and a "data" SSID, strictly for laptops/PDAs.
-sets the DATA SSID to broadcast (guest-mode)
-sets PEAP up ONLY on DATA. VOICE is set up for WPA-PSK (will be changed soon)
-uses the RADIUS server at 1.2.3.6
-puts the AP at 2.3.4.5, with a gateway of 2.3.4.1
-puts DATA on VLAN 10
-puts VOICE on VLAN 20
-uses DNS servers at 1.2.3.4 and 4.3.2.1
This is a direct copy from my AP, with the passwords edited.
Windows Configuration
Quick and easy... ready?
Select the wireless adapter, then Properties.
Select "Wireless Networks".
Select or add the SSID. Hit Advanced.
For Authentication choose "WPA".
For Encryption choose "TKIP".
Select the next tab over (name escapes me).
Enable the first checkbox (802.1X).
Select Protected EAP (PEAP) as the method.
Select "Advanced".
Uncheck "Validate Server Certificate".
At the bottom choose "MS-CHAP-v2" as the protocol.
OPTIONAL: Hit Advanced. If you want to manually enter username and password, uncheck "Authenticate as user when info is... etc."
NOTE: I have come across problems (well... it just didn't work) when using Broadcom's Network Management Suite. I simply use Windows XP SP2's Wireless Zero Config and I've been fine.
Final Notes
All I can say is that this worked for me. I could NOT find a decent guide, and knew I would forget how to do this.
I'm SURE that some parts are incomplete or wrong.
My HTML design sucks, so I made it simple.
Edit out the # in front of #ntlm_auth in radiusd.conf.
Once PEAP is working, go back and re-check "Validate Server Certificate" on the XP clients (with your CA cert in their trusted root store); with validation off, a client will happily run MS-CHAPv2 against any RADIUS server behind any AP that advertises your SSID.
Start radiusd with -X -A while debugging to print out full output.
If you are REALLY confused... radiusd -X -A > /radout, use a client to try and authenticate, and then Ctrl+C the program and read /radout... it provides a LOT of information, and most errors are Googleable.
I wanted to make sure that ONLY users who were in the group "WiFi Access" would have access. Append --require-membership-of='WiFi Access' to the ntlm_auth line, BUT using the group name would not work for me... I wound up having to use the group's SID... YMMV...
Any Questions/Comments/Problems? FCISLER  AT NOSPAMgmail.com .....remove NOSPAM
Good Luck!