As part of the process of configuring EAP for FreeRADIUS, you will need to test whether or not it works. If you prefer to use a command line tool rather than clicking through windows, this article walks through the steps for testing your EAP configuration.
While FreeRADIUS comes with a command-line tool called radeapclient, by far and away the best EAP testing tool is the eapol_test program from wpa_supplicant.
The default build of wpa_supplicant does not build the eapol_test program, so you will have to do that yourself.
Building eapol_test
Download the latest version of wpa_supplicant, and un-tar it, then follow these instructions to build it (update <version> as approprite):
$ cd wpa_supplicant-<version>/wpa_supplicant $ cp defconfig .config $ vi .config
Find the line containing
#CONFIG_EAPOL_TEST=y
and change it to
CONFIG_EAPOL_TEST=y
Then, type
$ make eapol_test
Once it is done, copy the file to some where in your PATH. e.g. /usr/local/bin, or ~/bin. The following tests assume that the eapol_test file has been installed, such as via the following command:
$ cp eapol_test /usr/local/bin/
Testing
Run the eapol_test program from the command-line, with one of the following configuration files.
$ eapol_test -c <file> -s testing123
Where <file> is one of the configuration files below. We are also assuming that the RADIUS server is on localhost, and that the shared secret is testing123.
- PEAPv0
- EAP-GTC
- EAP-MSCHAPv2
- EAP-TTLS
These configuration files assume that you are using the test user bob, with password hello, as given in the PAP howto.
If the production certificates have been created, then the ca_cert entry in each configuration file can be un-commented. The eapol_test program will then verify the server certificate.
Session Resumption, or Fast Reauthentiction
Use eapol_test -r 1 ... in order to test session resumption. See the eapol_test documentation for more information.
Need more help?
InkBridge Networks has been at the forefront of network security for over two decades, tackling complex challenges across various protocols and infrastructures. Our team of seasoned experts has encountered and solved nearly every conceivable network security issue. If you're looking for insights from the architects behind some of the internet's most foundational authentication systems, you can request a quote for network security solutions here.
Related Articles
Importing the root CA
The final step to configuring EAP for FreeRADIUS is to add the CA (Certificate Authority) to every client machine that performs EAP authentication.
The FreeRADIUS Auth-Type attribute
The FreeRADIUS Auth-Type attribute is often misunderstood and misused. There are actually very few situations where this attribute should be manipulated at all.