Compiling in WPA2 Enterprise Support in FreeRADIUS version 2.x for Ubuntu Linux
A search through this site will discover a couple of articles on WPA2 Enterprise including some links to how-to's on how to configure the network equipment and RADIUS server to support it. The information needs a bit of freshening up since FreeRADIUS is now into version 2.x (current version 2.1.9) and it still doesn't support EAP/TLS out of the box because of some licensing SNAFU with Ubuntu/Debian Linux. Despite the lack of support in the Debian packages and Ubuntu repositories, it doesn't mean that you can't support WPA2 Enterprise with your favourite flavour of Linux...Ubuntu of course! What you need to do is download the latest version of the FreeRADIUS source code binaries from www.freeradius.org (where else?!) and then compile it for yourself with support for EAP/TLS. This will culminate in the very happy situation of a FreeRADIUS server which can authenticate users both using username/password (standard MS CHAP v2 challenge) or better yet the much more scalable (and thus enterprise-class) solution of using certificates that have been issued by a Certificate Authority in the context of a PKI (Public Key Infrastructure).
The certificates that need to be installed on the client (for example your Windows PC) and the server (ie: the FreeRADIUS server) require Extended Key Usage certificates per this posting here: http://www.breezy.ca/?q=node/221. This will not be discussed here.
The procedure that I followed was from this link here: http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-.... The only part of the instructions that I followed to the letter were the instructions that involved the editing of the ./debian/rules file, which is found in path of where the tarball extracts. I didn't do any of the other changes but I did install the packages that were referred to a bit later in someone's comments to the original poster.
Anyway, it's working fine. I have a Linksys WAP610N wireless access point which I've configured as my NAS and it's connected into my internal VLAN. I installed an identity certificate on the Windows 7 Ultimate 64-bit client per my posting in the first paragraph. The radius server has a server certificate per that same posting.
Breezy! Site's logo obtained from http://exemplars.ysimste.ca/images/windy.gif
definition of the word "breezy" courtesy of dictionary.com http://dictionary.reference.com/browse/Breezy
The Breezy! Site is not affiliated in any way with my clients, associates or business partners thus the views expressed by the webmaster (me!) and others as may from time to time be posted on this site do not necessarily reflect those of my clients, business partners or work associates. Practice Safe Net!
Syndicate
New forum topics
- Upgrade from 8.10 to 9.04 Server, Removed Autodiscovery / PnP IP Address Packages
- Compiling in WPA2 Enterprise Support in FreeRADIUS version 2.x for Ubuntu Linux
- BESx: Troubleshooting inter-DC Secure Channel Issue in AD
- Modifying SquidGuard to Support Whitelisting of Certain Sites
- My Snort 2.8.6 config file
Active forum topics
- Ironport C10 in, then out! Now MailScanner Anti-spam/virus Mail Gateway is getting a trial
- Compiling in WPA2 Enterprise Support in FreeRADIUS version 2.x for Ubuntu Linux
- Upgrade from 8.10 to 9.04 Server, Removed Autodiscovery / PnP IP Address Packages
- Squid Proxy Server / WCCP Revisited
- BESx: Troubleshooting inter-DC Secure Channel Issue in AD
Who's online
Recent comments
- Setup MailScanner as Gateway to an Exchange (etc) Server
6 hours 8 min ago - MailScanner / Postfix Configuration Wiki
7 hours 13 min ago - Enhanced Key Usage Certificates required for TS over TLS
2 weeks 4 days ago - Had to add the modprobe
4 weeks 3 days ago - Upgrade to Ubuntu 9.04 Broke Squid
4 weeks 5 days ago - Link for Later versions of MS Windows Server
7 weeks 2 days ago - Oh,and I modified the
9 weeks 3 days ago - Well that site didn't last
17 weeks 2 days ago - Now have 5 total static IP addresses for $5/month extra!
25 weeks 6 days ago - Squid's WCCP2 Days are Over if you don't read this!
28 weeks 1 day ago
Linux Journal (offsite)
Broadband Reports (offsite)
- Friday Evening Links -
- Labor Day Weekend Open Thread - Have something to say?
- FCC To Vote On White Space Broadband - Will vote on rules governing unlicensed wireless devices in vacated TV spectrum
- Wi-Fi War Driving Drone Flying? - The WASP (Wi-Fi Aerial Surveillance Platform)
- Ripe FCC Data: Our Broadband Is Still Pretty Slow - Only 44% of subscribers meet FCC's new 4/1 Mbps benchmark
Recent blog posts
- Site OS Upgraded to 10.04 LTS Server
- Son of Best Friend Dies in Car Crash
- Impending Blackmarket for IPv4 Addresses
- RIP -- Sergeant Major Tripp, RMC
- Breezy! Site Users can Tweet!
- 2 New Static IP addresses. Now, what do do with them?!
- Breezy! Site is out of vacation mode...
- Chevy -- Built Like a Rock
- Another Review for CCNA Security Exam Cram!
- OutlookPower.com's Evaluation of the CCNA Security Exam Cram!
Enhanced Key Usage Certificates required for TS over TLS
I found that I needed to create Enhanced Key Usage certificates in order to configure certificates that could be used for Terminal Services (ie: RDP) over SSL. My guess is that when you use the Microsoft Certification Authority (CA) server that *it* automatically adds this attribute to server-side certificates whereas my TinyCA2 CA on my Ubuntu Linux box does not.
/Eric
____________________________________________
webmaster, enthusiast and site administrator
Ottawa, Canada