How to: Use FreeRADIUS for Wi-Fi Authentication (Part 1)

By Eric Geier

August 14, 2009

Wireless networks for businesses, including smaller ones, should always be protected with the enterprise mode of Wi-Fi Protected Access (WPA or WPA2), but it requires a RADIUS server. Learn how to set one up.

Wireless networks for businesses, including smaller ones, should always be protected with the enterprise mode of Wi-Fi Protected Access (WPA or WPA2). It provides stronger encryption to protect against Wi-Fi hackers. It also hides the encryption keys from your users, so they are more difficult to compromise. This is unlike the personal or pre-shared key (PSK) mode of WPA or WPA2, which hands the same key to every user and is therefore more vulnerable to cracking: any user can simply reveal the key, either for malicious purposes or unwittingly.

The enterprise version, however, requires the use of a RADIUS server. This server provides a way for the users to authenticate themselves, so they can access the network. Instead of having to input the encryption key, users log onto the network with a username and password. The actual keys are exchanged without the user even knowing and each user's key is different and regularly updated.

One possible authentication server is FreeRADIUS, an open source project, developed under the GNU General Public License Version 2 (GPLv2). It is actually the most widely used RADIUS server in the world. In addition to doing 802.1X/PEAP authentication, which is what we're going to set up, it supports many other authentication types for a variety of network types. It also features fail-over and load balancing, and supports numerous backend databases.

First you need to install a Linux distribution. This tutorial is based on using CentOS, a free open source operating system. Mac OS X and Windows are also supported, as well as other Linux distributions.

Tip: If you didn't do a default fresh install of CentOS 5.3, you might want to make sure you still have the OpenSSL package installed before starting the server.

You should be able to install FreeRADIUS on any regular old PC. Just make sure the FreeRADIUS machine has a wired connection to the network. Also make sure it has a static IP address rather than a dynamic one. Assign one to the network adapter in CentOS or reserve one via your router's DHCP settings.

Note: The installation instructions are based upon the current CentOS version 5.3 and FreeRADIUS version 2.1.6. Right now the current FreeRADIUS packages aren't available via the regular CentOS repositories; only the outdated version 1.x.x packages are. Therefore we will use a third-party location. However, in the future, you may be able to install a current (2.x.x) version of FreeRADIUS using the packages via the Package Manager or by running "yum install freeradius".

  1. Using CentOS, download the freeradius2.repo file and save it to your desktop.
  2. Open a Terminal and type "su" and enter your root password. Then type "cp /home/yourusername/Desktop/freeradius2.repo /etc/yum.repos.d".
  3. Now type "yum install freeradius2", and when prompted, enter "y" to start the installation.
  4. If dependencies are required, choose to install them.

Tip: If you get the "Package is not signed" error, type "gedit" and use the text editor to change "gpgcheck=1" to "gpgcheck=0" in the /etc/yum.conf file, and then save and close the editor. After the install is complete, reverse this setting. Now type the install line again in the existing terminal window.

Now you'll probably want to install additional FreeRADIUS packages, such as for database backend support. For a listing of packages, type "yum info freeradius2*". In this tutorial, we'll cover MySQL, so we'll install it: "yum install freeradius2-mysql". Again, elect to install the dependencies by typing "y".

Warming up to file-based configuration

If you haven't worked with Unix/Linux servers or command-line driven applications before, FreeRADIUS may seem hard to understand at first. Though there are some GUI utilities available, it's typically configured via only configuration text files.

However, as you'll see, FreeRADIUS is fairly straightforward to set up. Understand that it "just works," meaning the default configuration files are preconfigured to run most authentication protocols without many or any additional changes.

Don't change or delete any setting without understanding what it is and what changing it will do. A simple mistake can break the configuration, and it can take hours to troubleshoot. If you make any modifications outside of this tutorial, take it step by step: change one setting or one section of settings, then test to see that it works and that you haven't broken the configuration.

Creating the self-signed certificates for PEAP

Though the SSL certificates that are required for PEAP and TLS are now created automatically by FreeRADIUS, you must customize the password and identification attributes. Do this before running the server for the first time. Here's how to make the changes:

  1. Open a terminal, type "su" for root mode, and run "gedit" to open the text editor. Then open the ca.cnf, client.cnf, and server.cnf files from /etc/raddb/certs. In each of the three files, edit the following:
    • Change "default_days" in the CA Default section to something longer than one year, so you don't have to create and update the certificate so soon.
    • Change the "input_password" and "output_password" in the Req section, so the certificates are protected by something other than the default password.
    • Change the six values for the last set of identification fields in the Certificate Authority, Client, and Server sections.
  2. Save the files, but do not close the text editor yet.
  3. Now you need to update the password in the /etc/raddb/eap.conf file by changing the "private_key_password" value in the TLS section to match the new output_password you chose.
  4. Save the file and close the Text Editor.

In the existing root terminal, type "/usr/sbin/radiusd -X". This will create your self-signed certificates and start the server in debugging mode so you can see what's happening. If everything goes as planned you'll see "Ready to process requests" at the end.

Though the server is now installed and able to run, the next sections will take you through configuring several more settings before it's ready to authenticate your Wi-Fi users.

Setting the EAP settings

There are many types of EAP, so you must specify which one you want to use. We're discussing the use of PEAP, which doesn't require you to create security certificates for each user. They connect to the network using their username and password.

When you're ready, make a simple modification to the EAP configuration file:

  1. Open a Terminal, type "su" for root mode, and run "gedit" to open the Text Editor. Then open /etc/raddb/eap.conf.
  2. In the first part of the EAP section, change the "default_eap_type" from "md5" to "peap".
  3. Save and close the file, but leave the Text Editor open.

Creating user accounts

Next you need to create the usernames and passwords users will enter when connecting to the Wi-Fi network. First we'll create at least one user account in the configuration file to test the server. Later we'll discuss using a MySQL database to store the user information, which is great if you have a lot of users or need to regularly change the user credentials.

In the existing root text editor, open /etc/raddb/users. Then, on a new line, type a username, press Tab, and type Cleartext-Password := "thepassword".

Here's an example:

egeier Cleartext-Password := "pass123"

Save and close the file, but leave the text editor open.

Inputting the AP (client) details

Now you must enter the IP address and shared secret (password) of at least one wireless access point (AP), which is called a client by FreeRADIUS. Again, as we'll discuss later, you can optionally store the client details in a database, such as MySQL. However, if you're working on a small network, it's probably easier to use the text file method.

In the existing root text editor, open /etc/raddb/clients.conf and enter the details for each AP somewhere in the file, following this example:

client 192.168.0.1 {
	secret		= testing123
	shortname	= private-network-1
}

Modify the IP address as needed, enter a unique secret for each AP, and optionally enter a descriptive name. The secret and shortname are tabbed over one, and the values are also aligned with tabs. Don't forget to save the file when you're done.
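Because every AP should get its own secret and the example value above is only a placeholder, here is a small check you can run over clients.conf before starting the server. This is an added example, not part of the original article or of FreeRADIUS; the client blocks it parses are constructed samples in the format shown above.

```python
import re

# Constructed sample in the clients.conf format the tutorial shows (tab-indented
# blocks): one AP keeps the tutorial's example secret, one reuses it, one is unique.
SAMPLE_CLIENTS_CONF = """\
client 192.168.0.1 {
\tsecret\t\t= testing123
\tshortname\t= private-network-1
}
client 192.168.0.2 {
\tsecret\t\t= testing123
\tshortname\t= private-network-2
}
client 192.168.0.3 {
\tsecret\t\t= q7Lm!vR2pX9sWk4e
\tshortname\t= private-network-3
}
"""

# The tutorial's example secret; it is also the value shipped for the localhost client.
EXAMPLE_SECRET = "testing123"

def parse_clients(text):
    """Return {client_name: {attribute: value}} for each client { ... } block."""
    clients = {}
    for m in re.finditer(r"client\s+(\S+)\s*\{(.*?)\}", text, re.S):
        attrs = {}
        for line in m.group(2).splitlines():
            if "=" in line:
                key, value = line.split("=", 1)
                attrs[key.strip()] = value.strip()
        clients[m.group(1)] = attrs
    return clients

def check_clients(clients):
    """Flag a missing secret, the example secret, or a secret shared by two APs."""
    problems, first_use = [], {}
    for name, attrs in clients.items():
        secret = attrs.get("secret")
        if not secret:
            problems.append((name, "missing secret"))
            continue
        if secret == EXAMPLE_SECRET:
            problems.append((name, "uses the well-known example secret"))
        if secret in first_use:
            problems.append((name, "reuses the secret of " + first_use[secret]))
        first_use.setdefault(secret, name)
    return problems
```

Run check_clients(parse_clients(open("/etc/raddb/clients.conf").read())) as root; an empty list means every AP has its own non-default secret.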

Read Part 2.

Eric Geier is the author of many networking and computing books, including Home Networking All-in-One Desk Reference For Dummies (Wiley 2008) and 100 Things You Need to Know about Microsoft Windows Vista (Que 2007). Article courtesy of EnterpriseNetworkingPlanet.com.
