This document describes how to set up a Wireless Local Area Network (WLAN) with 802.1x security and Protected Extensible Authentication Protocol (PEAP) as the Extensible Authentication Protocol (EAP) method. FreeRADIUS is used as the external Remote Authentication Dial-In User Service (RADIUS) server.
Cisco recommends that you have basic knowledge of these topics:
AireOS Wireless LAN Controllers (WLCs)
Note: This document is intended to give the readers an example on the configuration required on a freeRADIUS server for PEAP-MS-CHAPv2 authentication. The freeRADIUS server configuration presented in this document has been tested in the lab and found to work as expected. The Cisco Technical Assistance Center (TAC) does not support freeRADIUS server configuration.
The information in this document is based on these software and hardware versions:
CentOS7 or Red Hat Enterprise Linux 7 (RHEL7) (Recommended 1 GB RAM and at least 20 GB HDD)
WLC 5508 v8.3
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Install httpd Server and MariaDB
Step 1. Run these commands to install httpd server and MariaDB.
Step 3. Configure initial MariaDB settings to secure it.
Note: Run all parts of this script. It is recommended for all MariaDB servers in production use. Read each step carefully.
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] Y
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
Remove anonymous users? [Y/n] y
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
- Removing privileges on test database...
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
Step 4. Configure Database for freeRADIUS (use same password configured in Step 3).
[root@tac-mxwireless ~]# mysql -u root -p -e "CREATE DATABASE radius"
[root@tac-mxwireless ~]# mysql -u root -p -e "show databases"
[root@tac-mxwireless ~]# mysql -u root -p
MariaDB [(none)]> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radiuspassword";
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> \q
Bye
Install PHP 7 on CentOS 7
Step 1. Run these commands to install PHP 7 on CentOS7.
Step 3. Configure the SQL module /etc/raddb/mods-available/sql and change the database connection parameters to suit your environment.
[root@tac-mxwireless ~]# vim /etc/raddb/mods-available/sql
SQL section must look similar to this.
driver = "rlm_sql_mysql"
dialect = "mysql"
# Connection info:
server = "localhost"
port = 3306
login = "radius"
# Must match the password given in the GRANT statement of Step 4 in the MariaDB section.
password = "radiuspassword"
# Database table configuration for everything except Oracle
radius_db = "radius"
# Set to 'yes' to read radius clients from the database ('nas' table)
# Clients will ONLY be read on server startup.
read_clients = yes
# Table to keep radius client info
client_table = "nas"
Step 4. Change the group ownership of /etc/raddb/mods-enabled/sql to radiusd so that the radiusd process can read the module configuration.
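The following script is an added example and is not part of the Cisco document: it checks the rlm_sql settings from Step 3 and Step 4 before radiusd is started. It reads the parameter names and file paths the document uses, flags the typographic quotes that often survive copy and paste, and, when the mysql client is installed, logs in as the radius user with the module's own credentials.

```shell
#!/bin/sh
# Added example, not from the Cisco document: sanity-check the rlm_sql
# settings from Step 3 and Step 4 before starting radiusd. Paths and
# parameter names are the ones the document uses.

# Print the value of one parameter (quoted or bare) from an rlm_sql file.
sql_param() {  # $1 = config file, $2 = parameter name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#[:space:]]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# Fail if the file contains typographic quotes; FreeRADIUS only parses
# the ASCII " and ', and the curly ones often survive copy and paste.
check_ascii_quotes() {  # $1 = config file
    ! LC_ALL=C grep -q -e '“' -e '”' -e '‘' -e '’' "$1"
}

# Step 4 requires the enabled module file to belong to group radiusd.
check_group() {  # $1 = file, $2 = expected group name
    [ "$(ls -ld "$1" | awk '{print $4}')" = "$2" ]
}

# Log in as the radius user created in Step 4 of the MariaDB section, using
# the module's own credentials, without putting the password on the command
# line where other local users could read it from the process list.
try_db_login() {  # $1 = config file
    command -v mysql >/dev/null 2>&1 || { echo "mysql client not found, skipping login test"; return 0; }
    MYSQL_PWD="$(sql_param "$1" password)" mysql -h "$(sql_param "$1" server)" \
        -P "$(sql_param "$1" port)" -u "$(sql_param "$1" login)" \
        "$(sql_param "$1" radius_db)" -e 'SELECT 1' >/dev/null
}

main() {  # $1 = path of the sql module file
    f="$1"
    check_ascii_quotes "$f" || { echo "$f: typographic quotes found, replace them with ASCII quotes"; return 1; }
    check_group /etc/raddb/mods-enabled/sql radiusd || echo "warning: /etc/raddb/mods-enabled/sql is not group radiusd"
    echo "server=$(sql_param "$f" server) login=$(sql_param "$f" login) db=$(sql_param "$f" radius_db) read_clients=$(sql_param "$f" read_clients)"
    try_db_login "$f" && echo "database login OK" || echo "database login FAILED: compare the password with the GRANT from Step 4"
}

# Run only when a file is given, e.g. ./check_sql.sh /etc/raddb/mods-available/sql
if [ $# -gt 0 ]; then main "$1"; fi
```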
FreeRADIUS comes with a default Certificate Authority (CA) certificate and a device certificate, which are stored in /etc/raddb/certs. These certificates are named ca.pem and server.pem. server.pem is the certificate that clients receive while they go through the authentication process. If you need to assign a different certificate for EAP authentication, simply delete these files and save the new ones in the same path with the exact same names.
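The following script is an added example and is not part of the Cisco document: it inspects ca.pem and server.pem in the default path named above before the CA certificate is exported to the end devices. It assumes the openssl and GNU date tools are present; the EKU check reflects the Windows supplicant's requirement that a PEAP server certificate carry the Server Authentication (serverAuth) extended key usage when "Verify the server's identity" is enabled.

```shell
#!/bin/sh
# Added example, not from the Cisco document: inspect the certificates that
# FreeRADIUS presents during PEAP before exporting ca.pem to the clients.
# Default paths are the ones the document names; CERTDIR may be overridden.
CERTDIR="${CERTDIR:-/etc/raddb/certs}"

# 0 if the server certificate chains to the CA certificate.
chain_ok() {  # $1 = CA file, $2 = server certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the certificate carries the serverAuth extended key usage. The
# Windows supplicant rejects a PEAP server certificate without it when
# "Verify the server's identity" is enabled.
has_server_auth_eku() {  # $1 = certificate
    openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# Days until the certificate expires (negative if already expired); GNU date.
days_left() {  # $1 = certificate
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

main() {
    ca="$CERTDIR/ca.pem"
    srv="$CERTDIR/server.pem"
    openssl x509 -in "$srv" -noout -subject -issuer -dates
    if chain_ok "$ca" "$srv"; then echo "chain: server.pem verifies against ca.pem"
    else echo "chain: FAILED, clients that validate the server will not connect"; fi
    if has_server_auth_eku "$srv"; then echo "eku: serverAuth present"
    else echo "eku: serverAuth MISSING, Windows will reject this certificate"; fi
    echo "days until server.pem expires: $(days_left "$srv")"
    # This is the content to paste into the .crt file of the import steps.
    echo "--- ca.pem (import into Trusted Root Certification Authorities) ---"
    cat "$ca"
}

# Usage: ./check_certs.sh run
if [ "${1:-}" = run ]; then main; fi
```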
End Device Configuration
Configure a laptop Windows machine to connect to an SSID with 802.1x Authentication and PEAP/MS-CHAP (Microsoft version of the Challenge-Handshake Authentication Protocol) version 2.
In order to create the WLAN profile on the Windows machine, there are two options:
Install the self-signed certificate on the machine to validate and trust freeRADIUS server in order to complete the authentication
Bypass the validation of the RADIUS server and trust any RADIUS server used to perform the authentication (not recommended, as it can become a security issue). The configuration for these options is explained in End Device Configuration - Create WLAN Profile.
Import FreeRADIUS Certificate
If you use the default certificates installed on freeRADIUS, follow these steps in order to import the EAP certificate from the freeRADIUS server into the end device.
Step 2. Copy and paste the output of the previous step into a text file and change the extension to .crt.
Step 3. Double click the file and select Install Certificate... as shown in the image.
Step 4. Install the certificate into the Trusted Root Certification Authorities store as shown in the image.
Create WLAN Profile
Step 1. Right click on Start icon and select Control panel as shown in the image.
Step 2. Navigate to Network and Internet > Network and Sharing Center > click Set up a new connection or network as shown in the image.
Step 3. Select Manually connect to a wireless network and click Next as shown in the image.
Step 4. Enter the information with the name of the SSID and security type WPA2-Enterprise and click Next as shown in the image.
Step 5. Select Change connection settings in order to customize the configuration of the WLAN profile as shown in the image.
Step 6. Navigate to Security tab and click Settings as shown in the image.
Step 7. Choose whether the RADIUS server is validated or not.
If yes, enable Verify the server's identity by validating the certificate and from Trusted Root Certification Authorities: list select the self-signed certificate of freeRADIUS.
After that select Configure and disable Automatically use my Windows logon name and password..., then click OK as shown in the images.
Step 8. Configure the user credentials.
Once back on the Security tab, select Advanced settings, specify the authentication mode as User authentication and save the credentials that were configured on freeRADIUS in order to authenticate the user, as shown in the images.
Use this section in order to confirm that your configuration works properly.
Authentication Process on WLC
Run the next commands in order to monitor the authentication process for a specific user: