freeradius for authenticating over EAPOL

In this configuration i use a 2950 Catalyst switch and i’m setting up a Radius server for testing purposes. Just to find out how it works together. A quick google search showed, that i should work together.

802.1x Authentication

I’m using a SuSE 10.0 distribution. I know certainly there are probably many other distributions out there and many of them are better. For me and my purpous it’s good enough, of course i have some things, that cold do better, but i‘ using this distribution already since 1996 and i’m just to lazy to change to another one. So please don’t bother me, with this is better than that or that is better than this. In my opinion it does not matter that much which distribution you chooos. But to get further on i will keep up with the topics.

I installed the actual freeradiu package named: freeradius-1.0.4-4.

So now, i can start to configure the Radius server. Here is the setup, i added this to /etc/raddb/radiusd.conf

modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
eap {
default_eap_type = md5
timer_expire = 60

md5 {
}
leap {
}
}
mschap {
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
}

And in the authorize section you should add „eap“ as type in /etc/raddb/radiusd.conf:

authorize {
preprocess
chap
mschap
suffix
eap
files
}

That’s all for the first time. You can add a user now, who should authenticate himself.

A line in /etc/raddb/users:

peter User-Password == „passwd“

You can now try to authenticate your client. Just make sure you have set up your switch to proxy the clients request to the right server. Look here http://blog.sazza.de/?p=126 how to setup your switch to answer these requests.
Source:

http://security.fi.infn.it/TRIP/802.1x-wired/802.1x-wired.html

Leave a Reply