Configuring EAP for FreeRADIUS

EAP Configuration: Article 1 of 5

Once FreeRADIUS has been configured to use PAP, it is straightforward to configure the server to use EAP for authentication. This article will walk through all the necessary steps.

Step 1: Install OpenSSL

In order to use EAP authentication with the server, you will need to install OpenSSL. This includes any development libraries and headers, such as libssl, and libssl-dev

If you do not have the required libraries and headers installed, then the server will still build, but many EAP types will not work.

If PEAP or TTLS do not work for you, then run the server in debugging mode with radiusd -X, and look for an error message such as:

Ignoring EAP-Type/PEAP because we do not have OpenSSL support.

If you see a similar error, then you will need to re-build the server with OpenSSL support.

If the above error does not appear in debug mode, then something else is wrong. The usual suspects are the server certificate (see the EAP problems page), or the user’s password is incorrect.

Step 2: Create dummy certificates

After installing OpenSSL, you need to create certificates. To get started with EAP configuration, we recommend creating dummy certificates for testing purposes. These certificates have the proper form, if not the proper content.

$ cd /etc/raddb/certs
$ make

These certificates can be used for testing authentication, but they cannot be used in a production environment. For the purpose of the simple tests in this document, they are good enough.

Step 3: Configure 802.1x authentication for this SSID

Next, configure 802.1X authentication for this SSID. On Windows, you will need to un-check the Validate Server Certificate option in the 802.1X supplicant (e.g. Windows laptop) strictly for testing. You will also need to specify the authentication mode to be User Authentication.

These options are a little bit buried in Windows 10 so we’ll walk you through how to get there.

1) On the supplicant desktop, click on the wireless icon at the bottom right corner. Select Open Network and Sharing Center.

menu showing open network and sharing center option

2) From the Network Settings screen, choose Network and Sharing Center.

Windows 10 Network Settings screen with Network and Sharing Center selected

3) From the Network Sharing Center, select Setup a new connection or network.

Network Sharing Center screen, with Setup new connection selected

4) Select Manually connect to a new network.

Network Sharing Center screen with Manually connect to a new network

5) Enter the information for the network you are trying to connect to.

  • Network ID: the SSID of the network you want to connect to
  • Security type: WPA2-Enterprise
  • Encryption type: AES (this will be automatically selected, as it is mandated by EAP standard)

Dialog window for Manually connect to a network

6) Select Change Connection Settings.

Change Connection Settings

7) Click on the Security tab at the top of the window.

Network Properties dialog

8) Change the Choose a network authentication method to be Microsoft: Protected EAP (PEAP) then click on Settings.

Network Properties dialog

9) Uncheck the Validate server certificate box. Then click Configure.

Protected EAP properties

10) Uncheck the Automatically user my Windows logon name and password and click OK.

EAP properties popup

11) Click OK again.

Protected EAP properties

12) Click the Advanced Settings button.

Protected EAP properties

13) On the 802.1x settings tab, check the Specify authentication mode box and set the mode to User authentication.

Protected EAP properties

Other supplicants (e.g. Mac OSX, or wpa_supplicant) use different methods for permitting the use of an unknown certificate. See their documentation for more information.

Step 4: Test it

Start the FreeRADIUS server using radiusd -X, and wait for the debugging text to stop scrolling by. The final line of text should be:

Ready to process requests.

Then, login using the user name and password from the PAP howto. (Which we assume you have already followed.) If all goes well, the server should send back an Access-Accept packet.

When the above method is used, the following authentication types should just work:

  • PEAPv0

    • EAP-GTC
    • EAP-MSCHAPv2

    • PAP
    • CHAP
    • MS-CHAP
    • EAP-MD5
    • EAP-MSCHAPv2

At this point, there are only a few things that can go wrong. See the EAP problems page for some common problems and solutions.

Step 5: Create production certificates

Once this step works, you can proceed to creating the production certificates.

Step 6: Import the root CA

The final step to configuring EAP for FreeRADIUS is to make sure the root CA (Certificate Authority) is added to every client performing EAP authentication in your system.

Need more help?

Network RADIUS has been helping clients around the world design and deploy their RADIUS infrastructure for 20 years. We specialize in complex systems and have seen pretty much every variation and problem out there. If you want help from the people who wrote FreeRADIUS, visit our quote page to contact us for a consultation.


EAP configuration articles

Getting started with FreeRADIUS

FreeRADIUS and Active Directory

Additional resources