This week, we are showcasing how you can deploy freeradius on your WLAN Pi. This is yet another way to take advantage of your WLAN Pi in your work as a Wi-Fi engineer.
Why would you want to deploy freeradius on a WLAN Pi? Here are a few reasons why:
- Start a quick RADIUS server in your lab for 802.1X authentication
- Can be used to study 802.1X authentication (CWSP – CWAP)
- Can be used for PoC
- Get familiar with RADIUS & Linux (in general)
Configuration Steps
Step 1: Connect the WLAN Pi to your network
Power on the WLAN Pi and connect its ethernet interface to your local network.
Step 2: SSH to your WLAN Pi
From your computer, SSH into the WLAN Pi. The IP address should be displayed on the screen of the WLAN Pi. The credentials to SSH into the WLAN Pi are: wlanpi / wlanpi.
ssh wlanpi@<wlanpi-ip-address>
Step 3: Download freeradius
From the WLAN Pi, enter the following command to download and install freeradius and radtest (radtest is part of the freeradius-utils package):
sudo apt-get install freeradius freeradius-utils
Step 4: Configure freeradius
Authorize your AP(s) or controller to send RADIUS requests to the WLAN Pi. The configurations will be made in the /etc/freeradius/3.0/clients.conf file. Add the following configuration (replace the subnet with your own subnet). The secret is the RADIUS shared secret and must match the one you configure on the AP or controller:
client 192.168.120.0/24 {
    secret = cleartosend123
}
Then, we need to configure PEAP to be the EAP method we are using here. The configurations will be made in the /etc/freeradius/3.0/mods-enabled/eap file. Modify the following configurations:
From this:
eap {
    default_eap_type = md5
}
To this:
eap {
    default_eap_type = peap
}
Then we need to configure the inner EAP method to be MSCHAPv2. The configurations will be made in the /etc/freeradius/3.0/mods-enabled/mschap file. Modify the following configurations:
From this:
mschap {
    # use_mppe = no
    # require_encryption = yes
    # require_strong = yes
}
To this:
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
}
Then, we need to configure a couple of users that will be allowed to connect. These configurations will be added to the /etc/freeradius/3.0/users file:
This is an example:
francois Cleartext-Password := "francoiscts123"
rowell Cleartext-Password := "rowellcts123"
Step 5: Configure the firewall
We now need to allow the RADIUS (UDP 1812) traffic to go through the WLAN Pi firewall:
sudo ufw allow radius
Step 6: Restart the freeradius server
In order to take your configurations into account, you now need to restart the freeradius server. Enter the following command to do so:
sudo service freeradius restart
Additional Information
If you want to start freeradius in a debug mode, enter the following command:
sudo freeradius -X
If you want to make sure that the RADIUS requests are arriving at the WLAN Pi, run the following command from the WLAN Pi:
sudo tcpdump -i eth0 -n udp port 1812
If you want to test the freeradius server configurations, you can use the radtest utility. Here is an example of how to use it:
radtest francois francoiscts123 localhost 0 testing123
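The Step 4 edits are easy to get half-right: a leftover `#` in the mschap file, or a change made to one of the nested default_eap_type lines (the stock eap file also sets that key inside sections such as ttls and peap, so a plain grep returns several hits). The shell check below is an added example, not part of the original post; its function names and the sample files it builds in a temporary directory are constructed for illustration, and it assumes the FreeRADIUS 3.0 paths used above.

```shell
# Added example (not from the original post); sample config is constructed.
# conf_get FILE SECTION KEY: value of KEY set directly in SECTION (e.g. "eap",
# "eap/peap"), skipping comments. Simplification: " #" always starts a comment.
conf_get() {
    awk -v want="$2" -v key="$3" '
        function cur(   i, p) {
            for (i = 1; i <= depth; i++) p = p (i > 1 ? "/" : "") path[i]
            return p
        }
        {
            sub(/^[ \t]*#.*/, ""); sub(/[ \t]+#.*/, "")
            gsub(/^[ \t]+|[ \t]+$/, "")
            if ($0 ~ /[{]$/) { path[++depth] = $1; next }
            if ($0 == "}")   { if (depth > 0) depth--; next }
            k = $0; sub(/[ \t]*=.*/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v)
            if (k == key && cur() == want) print v
        }' "$1"
}

# expect FILE SECTION KEY VALUE: report one setting, return 1 on mismatch.
expect() {
    got=$(conf_get "$1" "$2" "$3")
    [ "$got" = "$4" ] && { echo "ok   $2/$3 = $got"; return 0; }
    echo "FAIL $2/$3: want '$4', got '${got:-unset or commented out}'"; return 1
}

# check_step4 CONFDIR: the four settings Step 4 changes.
check_step4() {
    rc=0
    expect "$1/mods-enabled/eap"    eap    default_eap_type   peap || rc=1
    expect "$1/mods-enabled/mschap" mschap use_mppe           yes  || rc=1
    expect "$1/mods-enabled/mschap" mschap require_encryption yes  || rc=1
    expect "$1/mods-enabled/mschap" mschap require_strong     yes  || rc=1
    return $rc
}

# make_sample DIR: constructed stand-in for the two files after Step 4.
make_sample() {
    mkdir -p "$1/mods-enabled"
    printf '%s\n' 'eap {' '  default_eap_type = peap' '  ttls {' \
        '    default_eap_type = md5' '  }' '  peap {' \
        '    default_eap_type = mschapv2' '  }' '}' > "$1/mods-enabled/eap"
    printf '%s\n' 'mschap {' '  # use_mppe = no' '  use_mppe = yes' \
        '  require_encryption = yes' '  require_strong = yes' '}' \
        > "$1/mods-enabled/mschap"
}

demo=$(mktemp -d) && make_sample "$demo" && check_step4 "$demo"; rm -rf "$demo"
```

To check the live configuration instead of the sample, call check_step4 /etc/freeradius/3.0 as root before restarting the server in Step 6.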
Resources
- WLAN Pi home page: https://www.wlanpi.com
- Download image: https://github.com/WLAN-Pi/wlanpi/releases/
- WLAN Pi Documentation: docs.wlanpi.com
- WLAN Pi GitHub: github.com/WLAN-Pi
- Introduction to WLAN Pi: http://wifinigel.blogspot.com/2020/05/the-wlan-pi-how-do-i-get-in-to-this.html
- Coffee Hour – Remote Troubleshooting w/ WLAN Pi, Python Scripting – https://youtu.be/CM0e3Dfsc_k
- Customize your WLAN pi – https://www.youtube.com/watch?v=QWjtpBVtwOA&t=15s
Under step 4, the line:
client 192.168/120.0/24
is that a typo for the network? Or maybe the slash character between 192.168 and 120.0 gets expanded out further?
It was a typo
Great article. I plan to use this in my home lab.
I think there is a typo on the last section related to radtest.
The command is radtest (not fastest).
Thanks for catching that. Just made the change.