If you wish to apply for a top-level delegation for your country, you must make sure that you sign up at least 5 hackerspaces in your country and establish a website where your local hackerspaces can apply for realms in your delegated space.
When doing PAP or MSCHAPv1 authentication, it is important to install the server.pem from the FreeRADIUS certs directory as a CA on the clients to prevent a man-in-the-middle attack.
# -*- text -*-
# EAP module configuration (eap.conf).  The outer method defaults to TTLS;
# both TTLS and PEAP hand the inner authentication to the "inner-tunnel"
# virtual server, so user credentials are only ever seen inside the TLS tunnel.
eap {
	default_eap_type = ttls
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 4096
	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs
		# Left empty -- presumably server.key is not passphrase-protected;
		# verify before deploying.
		private_key_password =
		private_key_file = ${certdir}/server.key
		# server.pem is the certificate clients must trust (see the note
		# above); without that trust the tunnel does not protect PAP/MSCHAP.
		certificate_file = ${certdir}/server.pem
		CA_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
		CA_path = ${cadir}
	}
	ttls {
		default_eap_type = mschapv2
		# Outer-request attributes are not copied into the tunnel, and
		# tunneled reply attributes are not copied back out.
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
	peap {
		default_eap_type = mschapv2
		# Same isolation between outer request and tunnel as for ttls.
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
	mschapv2 {
	}
}
# -*- text -*-
# Default (outer) virtual server.  Only EAP is handled here, and every
# request must carry a realm: realm-less requests are rejected with an
# explanatory Reply-Message instead of being silently dropped.
authorize {
	preprocess
	# suffix splits user@realm so the Realm attribute is set for the check below.
	suffix
	if (Realm == NULL) {
		update reply {
			Reply-Message := "Please specify a realm to authenticate with."
		}
		reject
	}
	eap
}
authenticate {
	eap
}
preacct {
	preprocess
	acct_unique
	suffix
}
accounting {
	detail
	radutmp
	exec
	attr_filter.accounting_response
}
session {
	radutmp
}
# -*- text -*-
# Inner virtual server, reached only through the TLS tunnel set up by
# TTLS/PEAP in eap.conf.  It listens on loopback so the tunneled
# request never leaves this host.
server inner-tunnel {
	listen {
		ipaddr = 127.0.0.1
		port = 18120
		type = auth
	}
	authorize {
		suffix
		# Only our own realm is authenticated here.  Foreign realms are
		# proxied by the outer server (proxy.conf); they must never reach
		# the local user database.
		if (Realm != "your-realm.tld") {
			reject
		}
		pap
		mschap
		eap
		# Directory lookup for the user (modules/ldap).  NOTE(review):
		# pap/mschap need a password attribute from this lookup; confirm
		# ldap.attrmap maps one.
		ldap
		expiration
		logintime
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type MS-CHAP {
			mschap
		}
		eap
		ldap
	}
	session {
		radutmp
	}
	post-auth {
		# Strip attributes that must not leak in an Access-Reject.
		Post-Auth-Type REJECT {
			attr_filter.access_reject
		}
	}
	pre-proxy {
	}
	post-proxy {
		eap
	}
}
# -*- text -*-
# Proxy configuration: our own realm (and LOCAL/NULL) stay local,
# everything else is forwarded to the root delegation pool.
proxy server {
	default_fallback = no
}
home_server nlnode1.spacefed.net {
	type = auth+acct
	ipaddr = 192.42.117.138
	port = 1812
	# Shared secret handed out with the delegation (placeholder).
	secret = YOUR_SUPPLIED_SECRET
	# Responses from this server must carry a valid Message-Authenticator.
	require_message_authenticator = yes
	response_window = 5
	zombie_period = 60
	revive_interval = 120
	# Liveness is probed with Status-Server packets.
	status_check = status-server
	check_interval = 30
	num_answers_to_alive = 3
	coa {
		# Initial retransmit interval: 1..5
		irt = 2
		# Maximum Retransmit Timeout: 1..30 (0 == no maximum)
		mrt = 16
		# Maximum Retransmit Count: 1..20 (0 == retransmit forever)
		mrc = 5
		# Maximum Retransmit Duration: 5..60
		mrd = 30
	}
}
home_server_pool root_pool {
	type = client-balance
	# The members of the root delegation pool
	home_server = nlnode1.spacefed.net
	# home_server = ...
}
# Your realm should be local
realm your-realm.tld {
}
# These realms should always be handled locally
realm LOCAL {
}
realm NULL {
}
# Anything not matched above: keep the full user@realm (nostrip) so the
# remote side can route it, and forward authentication to the root pool.
realm DEFAULT {
	nostrip
	auth_pool = root_pool
}
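# -*- text -*-
# RADIUS clients allowed to talk to this server.  CHOOSE_YOUR_OWN and
# YOUR_SUPPLIED_SECRET are placeholders; use a distinct secret per client.
client localhost {
	ipaddr = 127.0.0.1
	secret = CHOOSE_YOUR_OWN
	# Presumably relaxed for local test tools that omit the attribute.
	require_message_authenticator = no
	nastype = other
}
# The root delegation node.  The address is pinned to the same value as
# the home_server in proxy.conf so this entry does not depend on DNS, and
# a Message-Authenticator is required on its requests, mirroring what
# proxy.conf already requires on its responses.  If nlnode1 proxies
# non-EAP requests without the attribute, relax this to no.
client nlnode1.spacefed.net {
	ipaddr = 192.42.117.138
	secret = YOUR_SUPPLIED_SECRET
	shortname = nlnode1
	require_message_authenticator = yes
}
# Example access point (placeholder address); one entry per NAS.
client 1.2.3.4 {
	secret = CHOOSE_YOUR_OWN
	shortname = my_access_point
	# EAP/802.1X requests always carry a Message-Authenticator, so this
	# can be switched to yes once the NAS is confirmed to send it.
	# require_message_authenticator = yes
}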
# -*- text -*-
# LDAP lookup used by the inner tunnel.  Bind credentials and base DN are
# placeholders for your own directory.
ldap {
	# Local directory, so the non-TLS connection below never leaves the
	# host.  If this is pointed at a remote server, enable start_tls and
	# set cacertfile so the bind password and user attributes are not
	# sent in the clear.
	server = "127.0.0.1"
	# Bind account; read access is all it needs.
	identity = "cn=user_with_read_access,dc=your-realm,dc=tld"
	password = YOUR_SECRET
	basedn = "dc=your-realm,dc=tld"
	# Looks up the realm-stripped name, falling back to the full User-Name.
	# NOTE(review): the expansion is inserted into an LDAP filter; confirm
	# that this module version escapes filter metacharacters in it.
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	#base_filter = "(objectclass=radiusprofile)"
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	tls {
		start_tls = no
		# cacertfile = /path/to/cacert.pem
		# cacertdir = /path/to/ca/dir/
		# certfile = /path/to/radius.crt
		# keyfile = /path/to/radius.key
		# randfile = /dev/urandom
	}
	dictionary_mapping = ${confdir}/ldap.attrmap
	edir_account_policy_check = no
}
You can run eapol_test like this:
./eapol_test -c auth.conf -s CHOOSE_YOUR_OWN
The auth.conf should contain something like:
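# wpa_supplicant-style network block for eapol_test.  Credentials are
# placeholders; the password is only sent inside the PEAP TLS tunnel.
network={
	ssid="spacenet"
	key_mgmt=WPA-EAP
	eap=PEAP
	# Inner identity, carried only inside the tunnel.
	identity="username@your-realm.tld"
	# Outer identity: the real username is never sent in the clear, but
	# the realm must be present because the outer server rejects
	# realm-less requests.
	anonymous_identity="anonymous@your-realm.tld"
	password="MY_SUPER_SECRET_PASSWORD"
	phase2="auth=EAP-MSCHAPv2"
	# Without ca_cert the supplicant does not verify the server
	# certificate, and the tunnel no longer protects the MSCHAPv2
	# exchange from a rogue server.  Point this at the server.pem
	# installed as CA (placeholder path).
	ca_cert="/path/to/server.pem"
}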