
Deploy FreeRADIUS on your WLAN Pi

This week, we are showcasing how you can deploy FreeRADIUS on your WLAN Pi. This is yet another way to take advantage of your WLAN Pi in your work as a Wi-Fi engineer.

Why would you want to deploy FreeRADIUS on a WLAN Pi? Here are a few reasons:

  • Start a quick RADIUS server in your lab for 802.1X authentication
  • Can be used to study 802.1X authentication (CWSP – CWAP)
  • Can be used for PoC
  • Get familiar with RADIUS & Linux (in general)

Configuration Steps

Step 1: Connect the WLAN Pi to your network

Power on the WLAN Pi and connect its Ethernet interface to your local network.

Step 2: SSH to your WLAN Pi

From your computer, SSH into the WLAN Pi. The IP address should be displayed on the screen of the WLAN Pi. The credentials to SSH into the WLAN Pi are: wlanpi / wlanpi.

ssh wlanpi@<wlanpi-ip-address>

Step 3: Download freeradius

From the WLAN Pi, enter the following command to install freeradius and the freeradius-utils package, which provides radtest:

sudo apt-get install freeradius freeradius-utils

Step 4: Configure freeradius

Authorize your AP(s) or controller to send RADIUS requests to the WLAN Pi. This is configured in the /etc/freeradius/3.0/clients.conf file. Add the following configuration (replace the subnet with your own subnet):

# wlan-lab is an arbitrary label for this client entry
client wlan-lab {
	ipaddr = 192.168.120.0/24
	secret = cleartosend123
}

Then, we need to set PEAP as the EAP method used here. This is configured in the /etc/freeradius/3.0/mods-enabled/eap file. Modify the following configuration:

From this:
eap {
	default_eap_type = md5
}	

To this:
eap {
	default_eap_type = peap
}

Then we need to set the inner EAP method to MSCHAPv2. This is configured in the /etc/freeradius/3.0/mods-enabled/mschap file. Modify the following configuration:

From this:
mschap {
#		use_mppe = no
#		require_encryption = yes
#		require_strong = yes
}

To this:
mschap {
		use_mppe = yes
		require_encryption = yes
		require_strong = yes
}

Then, we need to configure a couple of users that will be allowed to connect. These configurations will be added to the /etc/freeradius/3.0/users file:

This is an example:
francois	Cleartext-Password := "francoiscts123"
rowell	Cleartext-Password := "rowellcts123"

Step 5: Configure the firewall

We now need to allow RADIUS traffic (UDP 1812) through the WLAN Pi firewall:

sudo ufw allow radius

Step 6: Restart the freeradius server

For your configuration changes to take effect, you now need to restart the freeradius server. Enter the following command to do so:

sudo service freeradius restart

Additional Information

If you want to start freeradius in debug mode, enter the following command:

sudo freeradius -X

If you want to make sure that the RADIUS requests are arriving at the WLAN Pi, run the following command from the WLAN Pi:

sudo tcpdump -i eth0 -n udp port 1812

If you want to test the freeradius server configuration, you can use the radtest utility. Here is an example of how to use it:

radtest francois francoiscts123 localhost 0 testing123
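
A check to run over clients.conf before restarting the server, written as an added example rather than code from the original post: it flags a client whose network is not a valid address or prefix, a client that matches every source address, and a shared secret that is the sample value testing123 or shorter than the 16 octets RFC 2865 prefers. The function name, the simplified parsing, and the constructed sample entries are assumptions of this example.

```python
import ipaddress
import re

DEFAULT_SECRETS = {"testing123"}  # sample secret in the stock clients.conf
MIN_SECRET_LEN = 16               # RFC 2865 prefers at least 16 octets

# Simplified parsing (assumption): one "client NAME { ... }" block whose
# closing brace is on its own line, "#" always starts a comment, and
# values contain no spaces. Nested sub-sections are not handled.
CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.M | re.S)
PAIR_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)

# Constructed sample entries, not taken from a real deployment.
SAMPLE = """
client localhost {
	ipaddr = 127.0.0.1
	secret = testing123
}
client 192.168/120.0/24 {
	secret = cleartosend123
}
client wlan-lab {
	ipaddr = 192.168.120.0/24
	secret = "constructed-long-shared-secret"
}
"""

def lint_clients(text):
    """Return (client_name, problem) tuples for the text of a clients.conf."""
    findings = []
    for name, body in CLIENT_RE.findall(re.sub(r"#.*", "", text)):
        pairs = dict(PAIR_RE.findall(body))
        # Without an ipaddr entry, treat the section name as the address.
        addr = pairs.get("ipaddr") or pairs.get("ipv4addr") or name
        try:
            if ipaddress.ip_network(addr, strict=False).prefixlen == 0:
                findings.append((name, "matches every source address"))
        except ValueError:
            findings.append((name, "not a literal IP address or prefix"))
        secret = pairs.get("secret", "").strip('"')
        if secret in DEFAULT_SECRETS:
            findings.append((name, "default sample secret"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, "shared secret missing or too short"))
    return findings

if __name__ == "__main__":
    for name, problem in lint_clients(SAMPLE):
        print(f"{name}: {problem}")
```

To check the live file, pass the contents of /etc/freeradius/3.0/clients.conf to lint_clients; an empty list means none of these checks fired.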


Wireless Network Engineer and Owner at SemFio Networks. CWNE #180. Living in London ON Canada, born and raised in Dijon, France.


1 comment
  • Under step 4, the line:

    client 192.168/120.0/24

    is that a typo for the network? Or maybe the slash character between 192.168 and 120.0 gets expanded out further?
