Implementing 802.1x with EAP/TLS using FreeRadius

One common application of client side PKI certificates is 802.1x network authentication using EAP/TLS to present the client's identity to the server. Unlike many other EAP types, EAP/TLS does not transmit a password from the supplicant to the server, which is better network security.

This page explains how to build the FreeRadius server (v1.0.4 was current at the time) and configure it to be used for 802.1x network authentication and EAP/TLS.


This procedure should work for servers running most Linux distributions. The machine we used for testing had RedHat version 9 installed. 802.1x authentication worked using clients on Windows XP, Mac OS X and Linux.

Cisco and Aruba wireless access points were used in the network.

Note that FreeRadius requires OpenSSL 0.9.7 or later. If the base system needs to be upgraded, It's easiest do that first. The FreeRadius documentation suggests that it is possible to build another copy of OpenSSL for FreeRadius when a system upgrade isn't possible. We did not use that technique.

The rlm_eap_tls module was improved after version 0.9.2 which had not worked with the supplicant in Windows XP. Versions starting with 1.0.2 of FreeRadius did work successfully.

Build FreeRadius

Get the "freeradius-1.0.4.tar" file from:
Expand the tar file in /usr/local/src/freeradius (you'll need root privileges to work there).

Build freeradius as follows:

cd /usr/local/src/freeradius/
./configure --with-rlm-eap-tls-include-dir=/usr/kerberos/include/
make install

[Note:the configure switch is needed because of the unusual location of the kerberos include files on Red Hat Linux. Kerberos is referenced by openssl, which is referenced by rlm_eap_tls. If configure doesn't find kerberos (which includes openssl/ssl.h) it skips building rlm_eap_tls. This switch should not be necessary if kerberos is in the usual location]

The binaries and libraries are installed in /usr/local by default.

To build FreeRadius in another directory eg. "usrrad/local/", set the prefix option when running "configure":

./configure --prefix=/usrrad/local --with-rlm-eap-tls-include-dir=/usr/kerberos/include
make install

Configure FreeRadius

The configuration files are by default at: /usr/local/etc/raddb/
The main config file is radiusd.conf. No modifications to it are needed.

To configure the RADIUS server to use EAP-TLS authentication, modify "eap.conf" as follows:

Sample diff output:
<                       default_eap_type = md5
>                       default_eap_type = eap
<		#tls {
<               #       private_key_password = password
<               #       private_key_file = /path/filename
>		tls {
>                       private_key_password = my-password
>                       private_key_file = /usr/local/radius/certs/my-radius-cert.pem

<               #       certificate_file = /path/filename
>                       certificate_file = /usr/local/radius/certs/my-radius-cert.pem

<               #       CA_file = /path/filename
>                       CA_file = /usr/local/radius/certs/DartCA1.crt

<               #       dh_file = /path/filename
<               #       random_file = /path/filename
<		#}
>                       dh_file = /dev/null
>                       random_file = /dev/urandom
>               #               fragment_size = 1024
                #               include_length = yes

>                               fragment_size = 1024
                                include_length = yes
>		}

The "clients.conf" file tells the RADIUS server what NAS are allowed to contact the RADIUS server. There are default entries commented out to use as a guide. For example you could set it to expect connections from NAS in the local IP range x.y.0.0/16. You need to provide a secret that the RADIUS server and the NAS share. You need to set up the access point to use this secret.

#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.

client x.y.0.0/16 {
        secret          = your-secret-here
        shortname       = Your-University

The "users" file includes the user accounts. Since with EAP-TLS, we don't need to know the name of the supplicant, a DEFAULT entry that catches everyone is added:

DEFAULT Auth-Type := EAP
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 1
#DEFAULT        Auth-Type = System
#       Fall-Through = 1

This example entry expects users to use EAP, and sets the tunneling RADIUS attributes that puts the user onto VLAN 1. The values for Tunnel-Type and Tunnel-Medium-Type mean that we are using VLANs, where the Tunnel-Private-Group-Id is the VLAN ID #.

Create the /usr/local/radius/certs directory and copy the root cert and the server cert requested for the radius server there.

Back to PKI Lab Home

Dartmouth College PKI Lab
Written by: Robert Brentrup
Last update: 23 August 2005