Mac OS X, Radius, 802.1x and Windows XP

Tuesday, January 6th, 2004

This is one of those things where I was way over my head. I’ve been
trying to set up an 802.1x-protected access point at home with support
for EAP, PEAP, and EAP-TTLS. Why? So I could connect to it from Mac OS
X and Windows XP and know what it feels like. (it’s one thing to write
“Windows XP supports 802.1x”, it’s another thing to know it).

Andreas Wolf’s FreeRADIUS packages worked great for me on Mac OS X. I
didn’t need MySQL, so I uncommented the sql entries in
/usr/local/freeradius/etc/raddb/radiusd.conf and added a user to
/usr/local/freeradius/etc/raddb/users:

"bjepson"       Auth-Type := Local, User-Password == "bjepson"
                Reply-Message = "Hello, %u"

Next, I connected my D-Link 900AP+ and my Mac to the same hub my
router’s plugged into. My network is 192.168.254.0, but I set up the Mac
and the 900AP+ as 192.168.0.1 and 192.168.0.50, respectively. I told
the 900AP+ that the RADIUS server was on 192.168.0.1, set the shared
secret to “testing123”, and added an entry for the 900AP+ in
/usr/local/freeradius/etc/raddb/clients.conf:

client 192.168.0.50 {
        secret          = testing123
        shortname       = wifi
        nastype         = other
}

Then, I started FreeRADIUS with sudo /usr/local/freeradius/sbin/radiusd -X
and tried to connect from a Mac using 802.1x. That worked OK, but it
wasn’t as easy from Windows XP. Windows XP wanted to use PEAP, and for
that, I had to set up a few certificates. I followed the FreeRADIUS
EAP/TLS – WinXP HOWTO, but didn’t bother with the CA.clt, since I wanted
to authenticate the client using a username and password. I goofed up at
first and got this error when I tried to launch FreeRADIUS:

908:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE
908:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:438:
908:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:421:
908:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:707:

It turns out that I had the wrong private key password in radiusd.conf;
I had second-guessed the instructions, and when the CA.svr script asked
me for a challenge password (A challenge password []:), I had made one
up and figured I was supposed to replace “whatever” with what I actually
used. So, the next time through, I didn’t supply a challenge password,
and set the private key password to exactly what it said in the HOWTO:

private_key_password = whatever
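As an added example, not part of the original post or the HOWTO: a small pre-flight script that reads private_key_password out of a radiusd.conf-style file and confirms with openssl that it really decrypts the server key, so the bad-decrypt failure above shows up before radiusd is launched. The key file location and the config layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the
# private_key_password configured for FreeRADIUS actually decrypts the
# server's PEM private key. A wrong password is what produces the
# "bad decrypt" / "Expecting: CERTIFICATE" errors shown above when
# radiusd starts, so it is worth checking before running radiusd -X.
# File locations below are assumptions based on the HOWTO's layout.

# Print the value of private_key_password from a radiusd.conf-style file
# (commented-out lines are ignored, trailing whitespace is stripped).
key_password() {
    sed -n 's/^[[:space:]]*private_key_password[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 when the password decrypts the PEM RSA key, non-zero otherwise.
# openssl rsa fails with "bad decrypt" on a wrong password, as radiusd does.
key_decrypts() {
    openssl rsa -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Pre-flight check: $1 = radiusd.conf, $2 = server private key file.
check_radius_key() {
    conf=$1
    key=$2
    pw=$(key_password "$conf")
    if [ -z "$pw" ]; then
        echo "no private_key_password set in $conf" >&2
        return 1
    fi
    if key_decrypts "$key" "$pw"; then
        return 0
    fi
    echo "private_key_password in $conf does not decrypt $key" >&2
    return 1
}

# Usage (paths assumed): sh checkkey.sh \
#   /usr/local/freeradius/etc/raddb/radiusd.conf \
#   /usr/local/freeradius/etc/raddb/certs/server.pem
if [ "$#" -eq 2 ]; then
    check_radius_key "$1" "$2" && echo "private key password OK"
fi
```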

Connecting

So, to connect from Windows XP, I right-clicked on the Wireless network
connection and selected View Available Wireless Networks. I clicked
Advanced, selected the network in the list, and then clicked Configure. Then
I selected the Authentication tab, made sure “Enable IEEE 802.1x
authentication” was selected, and chose PEAP from EAP type. I clicked
Properties and:

  1. Deselected “Validate server certificate,” since my certificate was
    self-signed.

  2. Clicked the Configure next to the authentication method
    (which was set to EAP-MSCHAP v2), and deselected “Automatically use my
    Windows logon name…”

Next, I clicked OK to dismiss the remaining windows, and a notification
bubble appeared telling me to “select a certificate or other credentials
for connection.” I clicked it, supplied the user name and password
(bjepson/bjepson) I had
specified in the /usr/local/freeradius/etc/raddb/users file, and
that got me in!