Category: LINUX
2013-02-21 17:22:42
This file is stored on my homepage:
Build a FreeRADIUS server on Ubuntu 10.04
Get the FreeRADIUS software
Solution 1: failed (build from source)
Download OpenSSL 1.0.2 from ftp://ftp.openssl.org/snapshot/
#./config shared --prefix=/usr/local/openssl
#make
#make install
Download the FreeRADIUS 2.1.12 source
#./configure --with-openssl-includes=/usr/local/openssl/include \
    --with-openssl-libraries=/usr/local/openssl/lib
(Check the continuation line: a # at the start of the second line turns the --with-openssl-libraries option into a shell comment, so configure never sees it. Fix that before concluding the build is broken.)
#make
#make install
Sync the shared library cache
#ldconfig
Change to the raddb/certs/ directory
#dd if=/dev/urandom of=random count=2
#openssl dhparam -out ./dh 1024 (this command comes from the comments in eap.conf; 1024-bit DH parameters are weak by current standards, so use 2048 where the supplicants allow it)
Solution 2: better
Install the freeradius package from the Ubuntu Software Center.
OS version: Ubuntu 10.04
Check by hand that the random and dh files exist in the certs directory! In general those files are created automatically the first time the server runs.
Add a client
Add the client to clients.conf and set nastype = cisco:
client 192.168.5.200/24 {
    secret = dongnianac
    shortname = dn5600
    nastype = cisco
}
Note that the /24 suffix makes this block cover the whole 192.168.5.0/24 network, so every host on that subnet can talk to the server with this secret. If only the AC at 192.168.5.200 should, drop the prefix (a bare address means that one host) and use a long random secret rather than a word.
Configure 802.1X authentication (EAP-PEAP-MSCHAPv2)
Via FreeRADIUS
STEP 1: add a user
Solution 1: use the local users file
"123456789" Cleartext-Password := "123456789"
Solution 2: use a MySQL DB
STEP 2: modify the sites-enabled/default file (optional)
authorize {
    preprocess
    # Offload (+ mschap): the AC terminates PEAP itself and forwards the
    # inner MS-CHAPv2 exchange, so the mschap module must run here.
    # Passthrough (- mschap): the whole EAP conversation reaches the server
    # and the inner MS-CHAPv2 is handled inside the EAP tunnel, so mschap
    # can be left out of this section.
    mschap
    eap {
        ok = return
    }
    files    # the users file that holds the username and password
}
HOW-TO: when the client attaches to the network it enters the username and password created above.
STEP 3: add the RADIUS server to the AC via the web UI
Offload & via InternalDB
STEP 1: add a user
Use the web UI to add a user to InternalDB
STEP 2: add the InternalDB server to the AC via the web UI
Configure MAC authentication via FreeRADIUS
RADIUS server MAC authentication reference
Configure 802.1X authentication (EAP-TLS)
authorize {
    preprocess
    mschap   # -/+: only matters for PEAP offload; EAP-TLS does not use it
    eap {
        ok = return
    }
    files    # the users file that holds the username and password
}
Passthrough & via RADIUS server
STEP 1: make the certificates
a. Get the FreeRADIUS source, extract it and change to freeradius-server-2.1.12/raddb/certs.
b. Edit ca.cnf, server.cnf and client.cnf (only the location/identity fields, not the policy settings etc.; see the README), then run make all and make client, and verify the certificates with make server.vrfy and make client.vrfy.
Useful certificates: ca.pem (for the server), ca.der (for the client), server.pem (for the server), client.p12 (for the XP client)
STEP 2: install the certificates on the XP client
Reference: doc/EAPTLS.pdf
Import ca.der into the Trusted Root Certification Authorities store, and import client.p12 with the default settings (password = the input_password field of client.cnf)
STEP 3: configure the RADIUS server and install the certificates on it
a. Copy the certificates into the RADIUS server's certs directory
b. Edit eap.conf. Make sure the certificate file names are correct!
eap {
    default_eap_type = tls
    tls {
        private_key_password = in_password   # the input_password value (= output_password) in server.cnf
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
    }
}
c. Add a user for each authentication mode
Add a user for passthrough mode. Format: username
Add a user for offload mode. Format: username Service-Type == Authorize-Only, Auth-Type := Accept
(== is the check operator; the comments in raddb/users document = as not allowed for a protocol attribute in a check item.)
Warning: the username is the commonName field of client.cnf
We customise the offload-with-EAP-TLS flow, borrowing the idea from the MAC authentication flow: after the AC has offloaded the authentication it sends a fresh message to the RADIUS server, and we decide that message by hand based on its type. Add entries of the following form to the users file:
username ("commonName" in client.cnf)
Service-Type == Authorize-Only (the Service-Type of the message the AC forwards; note the comma after it)
Auth-Type := Accept (the user is accepted directly, no further authentication is done)
For example:
Test    # for 802.1X passthrough with EAP-TLS
Test    Service-Type == Authorize-Only, Auth-Type := Accept    # for 802.1X offload with EAP-TLS
Two things to keep in mind. The files module stops at the first entry whose check items all match, so if both entries live in the same users file the offload entry with the Service-Type check must come before the bare one; otherwise offload requests match the bare entry, get no Auth-Type, and are rejected. And Auth-Type := Accept makes the server accept on the user name alone: the only things standing between an attacker and an Access-Accept are the AC having actually validated the client certificate and the clients.conf secret that limits who may send Authorize-Only requests, so protect that secret and do not widen the client block beyond the AC.
STEP 4: set the default server group to point at the RADIUS server (termination: eap-tls, eap-mschapv2)
Offload & via InternalDB/FreeRADIUS server
STEP 1: install the certificates on the AC (web UI: Configuration - Management - Certificates)
The certificates used are ca.pem (the root certificate) and server.p12 (the server certificate; it asks for the password = input_password in server.cnf). Alternatively the AC can generate a CSR itself after you enter the required server information.
STEP 2: add the username and password to InternalDB
The username is the commonName field of client.cnf, and the password is the input_password field of client.cnf
STEP 3: set the default server group to point at the InternalDB server (termination: eap-tls, eap-mschapv2)
Difference between passthrough and offload under EAP-PEAP
In passthrough the message type is EAP; in offload the message type is MS-CHAPv2.
Difference between passthrough and offload under EAP-TLS
In passthrough the message type is EAP; in offload the only distinguishing attribute is Service-Type = Authorize-Only, which is what the offload users entry matches on.
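The users-file entries from STEP 3c (the two Test examples) and this closing summary can be exercised offline with the following Python script. It is an added example, not code from the blog post or from FreeRADIUS: it re-implements just enough of the files module's lookup (the first entry whose check items all match wins, unless that entry replies Fall-Through = Yes) and tags a request as passthrough, PEAP offload or EAP-TLS offload by the attribute shapes the summary describes. The users text, the request dictionaries and the "<opaque>" EAP/MS-CHAP values are constructed sample data, and the attribute names are FreeRADIUS dictionary names used as plain strings.

```python
"""Simulate FreeRADIUS users-file lookup and the AC request shapes from the post.

Added example, not FreeRADIUS code. SAMPLE_USERS and the request dicts are
constructed; attribute names are used as plain strings.
"""
import re
from dataclasses import dataclass, field

# Constructed raddb/users sample. The files module tries entries top to bottom
# and uses the first one whose check items all match (unless that entry replies
# Fall-Through = Yes), so the entry with the Service-Type check must come before
# the bare "Test" entry or offload requests will land on the bare one.
SAMPLE_USERS = """\
# EAP-TLS offload: the AC re-sends an Authorize-Only request after the handshake
Test\tService-Type == Authorize-Only, Auth-Type := Accept
# EAP-TLS passthrough: the EAP conversation itself authenticates the user
Test
# EAP-PEAP/MSCHAPv2 user from the post; mschap/pap check the stored password
"123456789"\tCleartext-Password := "123456789"
"""

# attribute, operator, value.  == is a check item, := sets a control item,
# = is what reply items use (and is not allowed as a request check).
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)\s*')


@dataclass
class Entry:
    name: str
    checks: list = field(default_factory=list)   # (attr, value) the request must carry
    control: dict = field(default_factory=dict)  # set in the control list on match
    reply: dict = field(default_factory=dict)    # from indented continuation lines


def _unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def _items(text):
    """Split 'A == x, B := y' into (attr, op, value) triples (no commas inside values)."""
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        m = ITEM_RE.fullmatch(part)
        if not m:
            raise ValueError("unsupported item: %r" % part)
        yield m.group(1), m.group(2), _unquote(m.group(3))


def parse_users(text):
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":                 # reply items of the previous entry
            for attr, _op, val in _items(line):
                entries[-1].reply[attr] = val
            continue
        parts = line.split(None, 1)
        entry = Entry(_unquote(parts[0]))
        if len(parts) == 2:
            for attr, op, val in _items(parts[1]):
                if op == "==":
                    entry.checks.append((attr, val))
                elif op == ":=":
                    entry.control[attr] = val
                else:
                    raise ValueError("use == for checks or := for control items: %r" % line)
        entries.append(entry)
    return entries


def lookup(entries, request):
    """Control items of the first matching entry, {} if it set none, None if no match."""
    control, matched = {}, False
    for e in entries:
        if e.name != "DEFAULT" and e.name != request.get("User-Name"):
            continue
        if any(request.get(attr) != val for attr, val in e.checks):
            continue
        matched = True
        control.update(e.control)
        if e.reply.get("Fall-Through", "No").lower() != "yes":
            break
    return control if matched else None


def classify(request):
    """Name the request shape each AC mode produces, following the post's summary."""
    if "EAP-Message" in request:
        return "passthrough"        # EAP-PEAP or EAP-TLS carried end to end
    if "MS-CHAP2-Response" in request:
        return "peap-offload"       # AC terminated PEAP, forwards the inner MS-CHAPv2
    if request.get("Service-Type") == "Authorize-Only":
        return "eap-tls-offload"    # AC terminated EAP-TLS, only asks for authorization
    return "other"


ENTRIES = parse_users(SAMPLE_USERS)

# Constructed requests; "<opaque>" stands in for the real binary attribute values.
OFFLOAD_TLS = {"User-Name": "Test", "Service-Type": "Authorize-Only"}
PASSTHROUGH = {"User-Name": "Test", "EAP-Message": "<opaque>"}
PEAP_OFFLOAD = {"User-Name": "123456789", "MS-CHAP2-Response": "<opaque>"}

if __name__ == "__main__":
    for req in (OFFLOAD_TLS, PASSTHROUGH, PEAP_OFFLOAD):
        print(req["User-Name"], classify(req), lookup(ENTRIES, req))
    print("reversed order:", lookup(list(reversed(ENTRIES)), OFFLOAD_TLS))
```

Running it shows the offload request picking up Auth-Type Accept while the passthrough request matches the bare entry and gets nothing (the eap module supplies its Auth-Type). Reversing the entry order makes the offload request hit the bare entry too, which is the ordering mistake to avoid when both entries share one users file. Feeding the script the post's literal `Service-type = Authorize-Only` raises an error on purpose: that operator is for reply items, and the check has to be written with `==`.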