CTS 248: Deploy FreeRADIUS on your WLAN Pi
Clear To Send: Wireless Network Engineering - A podcast by Rowell Dionicio and François Vergès
Categorie:
This week, we are showcasing how you can deploy freeradius on your WLAN Pi. This is, yet, another way to take advantage of your WLAN Pi to do your work as a Wi-Fi Engineer. Why would you want to deploy freeradius on a WLAN Pi? Here are a few reasons why: * Start a quick radius server in your lab for 802.1X authentication* Can be used to study 802.1X authentication (CWSP – CWAP)* Can be used for PoC* Get familiar with RADIUS & Linux (in general) Configuration Steps Step 1: Connect the WLAN Pi to your network Power on the WLAN Pi and connect its ethernet interface to your local network. Step 2: SSH to your WLAN Pi From your computer, SSH into the WLAN Pi. The IP address should be displayed on the screen of the WLAN Pi. The credentials to SSH into the WLAN Pi are: wlanpi / wlanpi. ssh wlanpi@<wlanpi-ip-address> Step 3: Download freeradius From the WLAN Pi, enter the following command to download freeradius and radtest: sudo apt-get install freeradius freeradius-utils Step 4: Configure freeradius Configure your AP(s) or controller to be authorized to send RADIUS requests to the WLAN Pi. The configurations will be made in the /etc/freeradius/3.0/clients.conf file. Add the following configurations (replace the subnet by your own subnet): client 192.168.120.0/24 { secret = cleartosend123 } Then, we need to configure PEAP to be the EAP method we are using here. The configurations will be made in the /etc/freeradius/3.0/mods-enabled/eap file. Modify the following configurations: From this: eap { default_eap_type = md5 } To this: eap { default_eap_type = peap } Then we need to configure the inner-EAP method to be MsCHAPv2. The configurations will be made in the nano /etc/freeradius/3.0/mods-enabled/mschap file. Modify the following configurations: From this: mschap { # use_mppe = no # require_encryption = yes # require_strong = yes } To this: mschap { use_mppe = yes require_encryption = yes require_strong = yes } Then, we need to configure a couple of users that will be allowed to connect. These configurations will be added to the /etc/freeradius/3.0/users file: This is an example: francois Cleartext-Password := "francoiscts123" rowell Cleartext-Password := "rowellcts123" Step 5: Configure the firewall We now need to allow the RADIUS (UDP 1812) traffic to go through the WLAN Pi firewall: sudo ufw allow radius Step 6: Restart the freeradius server In order to take your configurations into account, you now need to restart the freeradius server. Enter the following command to do so: sudo service freeradius restart Additional Information If you want to start freeradius in a debug mode, enter the following command: sudo freeradius -X If you want to make sure that the RADIUS requests are arriving to the WLAN Pi, run the following command from the WLAN Pi: sudo tcpdump -i eth0 -n udp port 1812 If you want to test the freeradius server configurations,