How to FreeRadius
=================

1. Background

Radius implements AAA: authentication, authorization and accounting. It was developed by Livingston Enterprises (a maker of terminal servers) in 1991, see:

    https://en.wikipedia.org/wiki/RADIUS

Authentication and authorization are defined in RFC 2865, accounting in RFC 2866. Use cases include PPP over dial-up, DSL, or, as in our case, granting access to a wireless access point or router. Radius defines the communication between the access point (the NAS, network access server, in Radius terms) and the authentication server; it does not define how the WiFi client talks to the access point.

That part is covered by IEEE 802.1X, the IEEE standard for port-based network access control (PNAC), part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism for devices wishing to attach to a LAN or WLAN and defines the encapsulation of the Extensible Authentication Protocol (EAP) over wired IEEE 802 networks and over 802.11 wireless networks:

    https://en.wikipedia.org/wiki/IEEE_802.1X

In the setup below the client speaks EAP to the access point over 802.1X, and the access point relays the EAP messages to FreeRadius inside Radius packets (UDP port 1812 for authentication, 1813 for accounting).

2. Does the AP support Radius?

To determine whether your WiFi router (referred to in this document as the AP, access point) has Radius capability, find the selection of authentication mechanisms. Choices are typically something like "None" or "Open", "WEP", "WPA/WPA2/PSK", "WPA/WPA2/Radius" aka "WPA2/Enterprise", or maybe even "WPA3". We want something referring to Radius, Enterprise or 802.1x, so nothing mentioning PSK. Be wary of firmware updates: there is for instance one Tenda firmware which, while seriously improving the web interface, removed the WPA2-Radius functionality.

3. Setup

On your Linux system, run, as root:

    apt update
    apt upgrade -y
    apt install -y freeradius

Check that Radius is running:

    root@pi1b00:/home/pi# systemctl | grep freeradius
    freeradius.service    loaded active running   FreeRADIUS multi-protocol policy server
    root@pi1b00:/home/pi#

- The Linux server running FreeRadius needs a static IP address, so that the WiFi router can reach it: either configure the server with a static address, or have the router reserve an address for it (DHCP reservation).

4. Configuration

FreeRadius can use various back-ends for accounts and credentials. Using a database may be discussed at a later time. For now we use plain text files, which require a service restart (systemctl restart freeradius) to activate changes.

- The AP needs to authenticate itself to the Radius server with a shared secret. The AP's configuration screen asks for the Radius server's IP address or name (IP address preferred, because it avoids a DNS lookup), the port (1812 unless you changed it) and the shared secret. When choosing the secret, apply the same rules as for a password: long and random. The secret is all that protects the Radius traffic between AP and server, so it matters more than its name suggests. Add the AP's IP address and the secret to /etc/freeradius/3.0/clients.conf:

    client livingroom {
        ipaddr = 10.0.0.1
        secret = Bl4h!Bl4h!B1ah!O0ps.
        ...
    }

For many APs within the same network, one can specify a subnet with one and the same secret. Every host in that subnet can then talk to the server with that secret, so keep the subnet tight (the secrets below are placeholders, not suggestions):

    client private-network-1 {
        ipaddr = 192.0.1.0/24
        secret = testing123-1
    }
    client private-network-2 {
        ipaddr = 192.0.2.0/24
        secret = testing123-2
    }

The shipped clients.conf also contains a "localhost" client with the secret testing123; change that secret or remove the entry.

- Users and their passwords are configured in /etc/freeradius/3.0/users, which is a symlink to mods-config/files/authorize, i.e. /etc/freeradius/3.0/mods-config/files/authorize. At a minimum, one wants entries of the form:

    username	Cleartext-Password := "somepassword"

such as:

    pinebook	Cleartext-Password := "12341234"
    	Reply-Message := "Hello, %{User-Name}"

The first line of an entry starts in column one; continuation lines (the reply items) are indented. PEAP with MSCHAPv2, used by the clients later in this document, needs the cleartext password (or its NT hash) on the server side, which is why the entry is Cleartext-Password and not a salted hash. All these changes need to be done as root. Files containing credentials must not be readable by users other than root and the account the daemon runs as (freerad on Raspberry Pi OS and Debian); the package installs them group-readable by freerad and unreadable by others (mode 0640, as in the listing of the certs directory further down), so keep it that way when editing.
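The following is an added example, not part of the page or of the FreeRADIUS project: it generates the two fragments from this section (a clients.conf stanza and a users entry) with a random shared secret instead of a hand-typed one, refuses the shipped "testing123" style secrets, and checks that a credential file is not world-readable. The names livingroom, 10.0.0.1 and pinebook are the page's; the clients.conf option require_message_authenticator is a FreeRADIUS 3.x client setting. Nothing here writes under /etc/freeradius; redirect the output yourself once it looks right.

```shell
#!/bin/sh
# Added example, not part of the page or of FreeRADIUS: generate a clients.conf
# stanza and a users-file entry with a random shared secret, and check the
# permissions of a credential file. Prints to stdout; nothing is written
# under /etc/freeradius.

# 32 characters from /dev/urandom, base64 with /, + and = removed so the
# secret needs no quoting in clients.conf or in the AP's web form.
gen_secret() {
    head -c 48 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-32
}

# Print one clients.conf stanza. Refuse the shipped "testing123" secrets and
# anything shorter than 16 characters: FreeRADIUS itself accepts them silently.
client_stanza() {
    name=$1 ip=$2 secret=$3
    case "$secret" in
        testing123*) echo "client_stanza: refusing default secret" >&2; return 1 ;;
    esac
    if [ "${#secret}" -lt 16 ]; then
        echo "client_stanza: secret shorter than 16 characters" >&2; return 1
    fi
    printf 'client %s {\n' "$name"
    printf '\tipaddr = %s\n\tsecret = %s\n' "$ip" "$secret"
    # Require a Message-Authenticator on every request from this NAS, so a
    # forged Access-Request from a spoofed source address is dropped. EAP
    # requests always carry one (RFC 3579), so for 802.1X this costs nothing.
    printf '\trequire_message_authenticator = yes\n}\n'
}

# Print a users-file entry: the first line starts in column one, reply items
# are indented. PEAP/MSCHAPv2 needs the cleartext (or NT-hashed) password.
users_entry() {
    printf '%s\tCleartext-Password := "%s"\n' "$1" "$2"
    printf '\tReply-Message := "Hello, %%{User-Name}"\n'
}

# 0 if the file is readable only by owner and group (e.g. 0640 freerad:freerad),
# 1 if the "other" read bit is set. Uses GNU stat, i.e. Linux.
check_perms() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *[4567]) echo "$1: mode $mode is world-readable" >&2; return 1 ;;
    esac
    return 0
}

# Demo: fragments for the page's AP and test user, with a fresh secret.
secret=$(gen_secret)
client_stanza livingroom 10.0.0.1 "$secret"
users_entry pinebook 12341234
```

The same secret printed in the stanza has to go into the AP's Radius settings; copy it from the script output rather than retyping it. For a plain PAP test client that does not send a Message-Authenticator, set require_message_authenticator to no on that client's stanza only, never on the AP's.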
- Create a server-side certificate. The server certificate identifies the Radius server towards the client; since the client never authenticates the AP itself, the certificate check is what stops a rogue AP with its own Radius server from collecting credentials. Windows, at least, warns if the server's certificate has changed, asks whether one wants to connect anyway, and offers to display the certificate. Make sure the certificate is the one you expect to see (compare the fingerprint). Linux: TBD; macOS and iWatch: not checked here.

Chances are that the FreeRadius installation comes with a well-known standard certificate, including a very public private key (Debian's "snakeoil" certificate), so that needs replacing. To get started, take a look at /etc/freeradius/3.0/certs, where you'll find a couple of .cnf files:

    root@pi1b00:/etc/freeradius/3.0/certs# ls -ls *.cnf
    4 -rw-r----- 1 freerad freerad 1423 Jan 30 13:04 ca.cnf
    4 -rw-r----- 1 freerad freerad 1093 Jan 31 11:50 client.cnf
    4 -rw-r----- 1 freerad freerad 1122 Jan 31 11:52 inner-server.cnf
    4 -rw-r----- 1 freerad freerad 1618 Jan 31 11:51 server.cnf
    root@pi1b00:/etc/freeradius/3.0/certs#

The first one to tweak is ca.cnf, ca as in certificate authority. For Radius we run our own CA with a self-signed root certificate and sign the server certificate with it. Edit ca.cnf and modify the req and certificate_authority sections as needed:

    [ req ]
    prompt                  = no
    distinguished_name      = certificate_authority
    default_bits            = 2048
    input_password          = aReallySecretPassword
    output_password         = anotherVerySecretPassword
    x509_extensions         = v3_ca

    [certificate_authority]
    countryName             = US
    stateOrProvinceName     = Texas
    localityName            = your.domain.com
    organizationName        = your.domain.com
    emailAddress            = some.user@your.domain.com
    commonName              = "YourDomain Certificate Authority"

Apply the same change to server.cnf, client.cnf and inner-server.cnf, giving the server its own commonName (that is the name clients display). The simplest choice is to use the same value for input_password and output_password within one file. The passwords in ca.cnf protect the CA key; the output_password in server.cnf protects the server key and is the one FreeRadius will need later. client.cnf is for client certificates (EAP-TLS), which we ignore for now.

Next, actually create the certificates. The /certs/ directory contains both a Makefile and a bootstrap script. For the very first round, just run bootstrap: it invokes "make" against the Makefile and, should make be unavailable, executes the commands needed for a complete setup one by one. This will take quite some time.
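Once bootstrap has finished, the result is worth checking before pointing FreeRadius at it. The script below is an added example, not part of the page or of FreeRADIUS: it prints the SHA-256 fingerprint a Windows client will show in its "connect anyway?" prompt, verifies that server.pem chains to ca.pem, that server.key belongs to server.pem, and that the certificate carries the serverAuth extended key usage (Windows refuses a Radius server certificate without it; the shipped xpextensions file adds it). It assumes the openssl command line tool, version 1.1.1 or later. Run with no argument it builds a throwaway CA and server certificate in a temporary directory (shaped like the page's ca.cnf and server.cnf output, but with unencrypted keys) and audits those; run with a directory argument such as /etc/freeradius/3.0/certs it audits the real files, taking the server key password from the KEY_PASSWORD environment variable (an assumption of this script, not a FreeRADIUS setting).

```shell
#!/bin/sh
# Added example, not part of the page or of FreeRADIUS: audit the certificate
# material the EAP module will present to 802.1X clients. Needs openssl 1.1.1+.
set -u

# SHA-256 fingerprint of the first certificate in a PEM file, colon separated,
# the form Windows and NetworkManager display.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Does the server certificate chain to the CA file that will go into ca_file?
# Fails if ca_file points at the server certificate itself instead of ca.pem.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the private key belong to the certificate? Catches a server.key left
# over from an earlier bootstrap run. $3 is the key password, if encrypted.
key_matches_cert() {
    if [ -n "${3:-}" ]; then
        pub=$(openssl pkey -in "$1" -passin "pass:$3" -pubout 2>/dev/null)
    else
        pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    fi
    [ -n "$pub" ] && [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Windows rejects a RADIUS server certificate without the serverAuth EKU.
has_server_auth() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null |
        grep -q 'TLS Web Server Authentication'
}

# Build a CA and a CA-signed server certificate in $1 (demo only: keys are
# unencrypted, names are placeholders).
make_demo_certs() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = YourDomain Certificate Authority
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$dir/server.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = radius.your.domain.com
EOF
    printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:radius.your.domain.com\n' > "$dir/ext.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/server.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/ext.cnf" -out "$dir/server.pem" 2>/dev/null
}

# Report on a certs directory laid out like /etc/freeradius/3.0/certs.
audit() {
    dir=$1
    echo "server fingerprint (SHA-256): $(cert_fingerprint "$dir/server.pem")"
    if verify_chain "$dir/ca.pem" "$dir/server.pem"; then echo "chain: server.pem verifies against ca.pem"; else echo "chain: FAILED"; fi
    if key_matches_cert "$dir/server.key" "$dir/server.pem" "${KEY_PASSWORD:-}"; then echo "key: matches certificate"; else echo "key: MISMATCH (or wrong KEY_PASSWORD)"; fi
    if has_server_auth "$dir/server.pem"; then echo "eku: serverAuth present"; else echo "eku: serverAuth MISSING"; fi
}

if [ -n "${1:-}" ]; then
    audit "$1"
else
    tmp=$(mktemp -d)
    make_demo_certs "$tmp"
    audit "$tmp"
    rm -rf "$tmp"
fi
```

Write the fingerprint down; it is what you compare against when a client asks whether to trust the server. If the chain check fails on the real directory, FreeRadius will still start, but clients that verify the CA will refuse to connect, so fix it before touching the eap configuration.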
To delete all generated certificates and start over, invoke

    make destroycerts

and then run the bootstrap script again, which again takes time.

- Finally, tell FreeRadius where to find the certificates. By default it uses the well-known dummy. Certificate locations are set in /etc/freeradius/3.0/mods-enabled/eap, which is a symlink to /etc/freeradius/3.0/mods-available/eap. In there, find the string "whatever":

    tls-config tls-common {
        private_key_password = whatever

Replace that with the output_password you put into server.cnf (not the one from ca.cnf). Then look for the string "snakeoil":

    tls-config tls-common {
        private_key_password = whatever
        # private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
        private_key_file = /etc/freeradius/3.0/certs/server.key

Replace that snakeoil key with the full path to your server key file. Same for the certificate:

    # certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
    certificate_file = /etc/freeradius/3.0/certs/server.pem

Finally, tell Radius about your own certificate authority. This has to be the CA certificate that bootstrap generated, ca.pem, not the server certificate: server.crt is not a CA, and pointing ca_file at it leaves FreeRadius without the issuer of its own certificate.

    # ca_file = /etc/ssl/certs/ca-certificates.crt
    ca_file = /etc/freeradius/3.0/certs/ca.pem

Restart the service afterwards (systemctl restart freeradius), or run it in the foreground as described next.

5. Testing

Find out if FreeRadius is already running:

    ps -ef | grep freeradius

If so, stop it:

    systemctl stop freeradius.service

Invoke freeradius manually, in the foreground with full debugging output:

    /usr/sbin/freeradius -x -X

(-X alone is enough; -x on top of it is harmless.) The debug output shows each Access-Request as it arrives, which client stanza it matched, the EAP round trips, and finally the Access-Accept or Access-Reject. Now try to connect to the Radius-controlled AP. Under Windows, there should be a prompt for username and password, not just the AP's passphrase, plus a line offering to display the certificate. If the server logs nothing at all when you connect, the AP is talking to the wrong address or port, or it is blocked by a firewall. With the freeradius-utils package installed, radtest can exercise the users file with PAP from the server itself before the AP is involved; it does not test PEAP, which only a real client (or eapol_test from wpa_supplicant) does.
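The debug output is long, and the three problems that account for most first attempts each have a recognisable line. The script below is an added example, not part of the page or of FreeRADIUS: it reads a freeradius -X log on stdin and names the problem and the file to look at. The sample log is constructed to resemble FreeRADIUS 3.0 output (not captured from the page's setup); the three patterns it matches are an AP missing from clients.conf ("unknown client"), a wrong shared secret ("Shared secret is incorrect", which the server can only detect because EAP requests carry a Message-Authenticator), and a rejected login (Access-Reject, i.e. the users file or the client's password).

```shell
#!/bin/sh
# Added example, not part of the page or of FreeRADIUS: triage a
# "freeradius -X" debug log. SAMPLE_LOG is constructed, not captured.
SAMPLE_LOG='Ignoring request to auth address * port 1812 bound to server default from unknown client 10.0.0.5 port 49153 proto udp
(0) Received Access-Request Id 17 from 10.0.0.1:49152 to 10.0.0.2:1812 length 166
(0)   User-Name = "pinebook"
(0) Sent Access-Accept Id 17 from 10.0.0.2:1812 to 10.0.0.1:49152 length 0
(1) Received Access-Request Id 18 from 10.0.0.1:49152 to 10.0.0.2:1812 length 166
(1)   User-Name = "nobody"
(1) Sent Access-Reject Id 18 from 10.0.0.2:1812 to 10.0.0.1:49152 length 0
Dropping packet without response because of error: Received packet from 10.0.0.6 with invalid Message-Authenticator!  (Shared secret is incorrect.)'

# Reads a log on stdin, prints one line per problem with the likely cause and
# the file to check, then a summary line. Exit status 1 if any problem found.
triage() {
    awk '
      /from unknown client/ {
          n++; match($0, /unknown client [0-9.]+/)
          print "NAS " substr($0, RSTART + 15, RLENGTH - 15) " has no stanza in clients.conf"
      }
      /Shared secret is incorrect/ {
          n++; match($0, /from [0-9.]+/)
          print "shared secret mismatch with " substr($0, RSTART + 5, RLENGTH - 5) " (clients.conf vs AP settings)"
      }
      /User-Name = /        { user = $NF }
      /Sent Access-Reject/  { n++; print "credentials rejected for " user " (users file / client password)" }
      /Sent Access-Accept/  { ok++; print "accepted " user }
      END { printf "accepts=%d problems=%d\n", ok, n; exit (n > 0) }
    '
}

# Demo on the constructed sample.
if printf '%s\n' "$SAMPLE_LOG" | triage; then
    echo "no problems found"
else
    echo "problems found, see above"
fi
```

Feed it a real log with freeradius -X 2>&1 | tee radius.log and then triage < radius.log; the "accepted" lines double as a quick audit of which usernames actually got in.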
6. WiFi Client Setup, Raspberry Pi OS with NetworkManager (nmtui)

The nmtui "Edit Connection" dialog is summarised below as the fields to fill in.

- Set up a new connection and set profile name, device and SSID:

    Profile name            802.1x
    Device                  wlan0
    SSID                    802.1x
    Mode                    (default)
    Security                (see next step)
    BSSID                   (leave empty)
    Cloned MAC address      (leave empty)
    MTU                     (default)
    IPv4 CONFIGURATION      (leave as is)
    IPv6 CONFIGURATION      (leave as is)
    [X] Automatically connect

- From the Security list (None, WPA & WPA2 Personal, WPA3 Personal, WPA & WPA2 Enterprise, LEAP, Enhanced Open (OWE)), pick WPA & WPA2 Enterprise.

- From the Authentication list (PWD, TLS, TTLS, PEAP), pick PEAP. The dialog then shows these fields:

    Anonymous identity      ________
    Domain                  ________
    CA cert                 ________
    CA cert password        ________
    [ ] Show password
    PEAP version            Automatic
    Inner authentication    MSCHAPv2
    Username                ________
    Password                ________

- Leave PEAP version and inner authentication at Automatic and MSCHAPv2. Provide an anonymous outer identity, and the username and password from the users file:

    Anonymous identity      anonymous
    Username                blahblah
    Password                ********

  For CA cert, point at a copy of the server's ca.pem and set Domain to the name in the server certificate. With CA cert left empty, NetworkManager accepts whatever certificate the server presents, and PEAP then hides the MSCHAPv2 exchange from passive listeners only, not from a rogue AP with its own Radius server.

- That's it. OK out of this dialog, exit to nmtui's top level and activate the new connection.