Gentoo Wiki

Freeradius

FreeRADIUS is a RADIUS server implementation that supports a variety of authentication methods. It is useful for dial-up authentication, but it is also very useful if you want a flexible arrangement for network authentication and encryption. It is particularly useful in wireless networks.

The FreeRADIUS website has some very useful links for setting up the FreeRADIUS server. I personally use the TLS-EAP and TLS-PEAP setups.

The more secure of these is likely to be TLS-EAP (more commonly written EAP-TLS). It is built around client certificates that are signed by a certificate server implemented into your RADIUS daemon. Using this method, any client can authenticate (through asymmetric encryption) with the RADIUS server if it has a certificate that has been signed by the root certificate used by the RADIUS server.

Passwords (passphrases) can be added to client authentication by requiring a password for the private key on the client machine.

In addition to client authentication, the TLS system also requires that the server authenticate to the client. This is achieved by copying the server public certificate to the client. The client checks that the server has this root certificate before permitting authentication. This is useful because it prevents a cracker from spoofing a server and getting clients to authenticate to the spoofed server.

Another nice feature of EAP-TLS is that if a client certificate is stolen or compromised, it can be added to a revocation list on the server, which prevents that certificate from being used to authenticate against the server.
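
The certificate lifecycle described above (a root certificate signs the client certificate, and a revocation list later blocks it) can be reproduced with the openssl command line. This is an added example, not part of the original wiki page or of FreeRADIUS itself; the throwaway CA, the names "Demo RADIUS CA" and "demo-laptop" and all file names are assumptions, and the client key is left without a passphrase only so the script runs unattended.

```shell
#!/bin/sh
# Added example: throwaway CA in a temp directory; all names are constructed.
crl_demo() (
  set -e
  d=$(mktemp -d) && cd "$d" && trap 'cd /; rm -rf "$d"' EXIT
  mkdir newcerts && : > index.txt && echo 01 > serial && echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo
[ demo ]
database         = index.txt
new_certs_dir    = newcerts
serial           = serial
crlnumber        = crlnumber
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = any
[ any ]
commonName = supplied
EOF
  # Root CA: the certificate that the RADIUS server and every client trust.
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo RADIUS CA" -keyout ca.key -out ca.pem 2>/dev/null
  # Client key and signing request, then the CA signs the client certificate.
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=demo-laptop" -keyout client.key -out client.csr 2>/dev/null
  openssl ca -batch -config ca.cnf -notext -in client.csr -out client.pem 2>/dev/null
  check() {  # regenerate the CRL, then report how client.pem verifies against it
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
    if openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem client.pem 2>&1 |
       grep -q ': OK$'; then echo accepted; else echo rejected; fi
  }
  before=$(check)
  openssl ca -config ca.cnf -revoke client.pem 2>/dev/null  # certificate reported stolen
  after=$(check)
  echo "before-revocation=$before after-revocation=$after"
)
crl_demo
```

FreeRADIUS applies the same revocation check during the EAP-TLS handshake when check_crl = yes is set in the tls section of its EAP configuration, so the regenerated CRL has to be published where the server reads it.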

The other advantage of FreeRADIUS is that the authentication is supported by Linux clients (with wpa_supplicant) and MS Windows clients out of the box. Almost all wireless APs support 802.1x authentication using a RADIUS (FreeRADIUS) server. Therefore, if the server is configured correctly, very little needs to be done.

Links

Rather than rehashing the details of installation, here are the links I used to set up FreeRADIUS on the server and the clients (Linux and MS Windows):

Another good resource is Mick Bauer's article on linuxjournal.com: "Securing Your WLAN with WPA and FreeRADIUS". It consists of three parts:

Obviously, the server software can be installed using: emerge net-dialup/freeradius

Troubleshooting

I found that when I installed an MS Windows client with a client certificate, it would fail with "Windows was unable to find a certificate to log you on to the network". I pulled my hair out for some time before I realised that the P12 certificate was being placed into the computer store, which is not searched when a user connects to the network. The user certificate needs to be put into the user's personal certificate store. This is selected when adding the certificate snap-in in mmc. The root certificate can be added to the computer account, but the P12 user certificate must be added to "My user account" for it to be used correctly by Windows. I have not found any documents on the Internet that reference the solution to this problem, so I include it here (probably because no one else has been dunce enough to do what I did!)

Retrieved from "http://www.gentoo-wiki.info/Freeradius"

Last modified: Sun, 07 Sep 2008 23:44:00 +0000