Don’t let Wi-Fi be the weakest link in security. Securing user credentials via Wi-Fi shouldn’t be taken lightly. In my Wi-Fi lab I use FreeRADIUS for authenticating Wi-Fi users with 802.1X.
FreeRADIUS is an open source RADIUS server used by many organizations. It performs AAA functions, supports many authentication protocols, and is widely popular because it is modular and scalable.
In 802.1X, and in my lab, FreeRADIUS will play the role of the authentication server. FreeRADIUS can be the proxy to another authentication server such as Active Directory.
Without going into too much detail, 802.1X has three components:
- Supplicant (mobile device)
- Authenticator (AP)
- Authentication Server (FreeRADIUS)
The supplicant requests to join an SSID; the authenticator asks the mobile device for its identity and forwards that identity to the authentication server, which replies with a success or a deny.
This guide will get you up and running quickly with FreeRADIUS on Ubuntu server using EAP-TTLS.
My FreeRADIUS deployment was done on Ubuntu 16.04.1 LTS which I have running as a VM on my Intel NUC.
1. Install FreeRADIUS
Installing FreeRADIUS is the easiest part of this guide. It can be done with apt-get. Installing FreeRADIUS will also install dependencies and additional packages required for operation.
$ sudo apt-get install freeradius
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
freeradius-common freeradius-utils libdbi-perl libfreeradius2 libltdl7 libpython2.7 libpython2.7-minimal libpython2.7-stdlib ssl-cert
Suggested packages:
freeradius-ldap freeradius-postgresql freeradius-mysql freeradius-krb5 libclone-perl libmldbm-perl libnet-daemon-perl libsql-statement-perl
openssl-blacklist
The following NEW packages will be installed:
freeradius freeradius-common freeradius-utils libdbi-perl libfreeradius2 libltdl7 libpython2.7 libpython2.7-minimal libpython2.7-stdlib ssl-cert
0 upgraded, 10 newly installed, 0 to remove and 5 not upgraded.
Need to get 4,966 kB of archives.
After this operation, 21.4 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
2. Verify FreeRADIUS version
Verify it was installed by checking the version.
$ freeradius -v
freeradius: FreeRADIUS Version 2.2.8, for host x86_64-pc-linux-gnu, built on Apr 5 2016 at 13:40:43
3. Run a quick config check
FreeRADIUS should be able to run successfully with all the defaults.
$ sudo freeradius -CX
Output at the bottom will display:
Configuration appears to be OK.
4. Review the Configuration Files
The FreeRADIUS configuration files are located under /etc/freeradius:
cd /etc/freeradius
sudo vi /etc/freeradius/radiusd.conf
Max number of requests:
Increase the default value of 1024 if you’re planning on having more than 4 clients authenticating at a time.
# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
#
max_requests = 1024
Here is where we tell FreeRADIUS to look for authorized clients (authenticators).
Configuration file for your clients (access points or controllers)
# CLIENTS CONFIGURATION
#
# Client configuration is defined in "clients.conf".
#
# The 'clients.conf' file contains all of the information from the old
# 'clients' and 'naslist' configuration files. We recommend that you
# do NOT use 'client's or 'naslist', although they are still
# supported.
#
# Anything listed in 'clients.conf' will take precedence over the
# information from the old-style configuration files.
#
$INCLUDE clients.conf
Further down in radiusd.conf is the include for the EAP methods, which are defined in a separate file, eap.conf.
EAP configuration file defining the EAP methods used:
# Extensible Authentication Protocol
#
# For all EAP related authentications.
# Now in another file, because it is very large.
#
$INCLUDE eap.conf
5. Add Clients
The word “clients” can be deceiving but in FreeRADIUS terms this means the authenticators such as the APs or WLAN controllers. We want to verify that only authorized authenticators are used on our network. The authenticators and the authentication server will use shared secrets to verify each other.
Open the clients.conf file to add your authenticator(s).
If your APs or controllers are on a specific network, you can define the whole network or you can specify a secret for individual clients.
Here’s where I add my access point, which is a Mojo Networks C-120.
client P6-MOJO-1 {
ipaddr = 192.168.130.20
secret = strong-passphrase-here
}
Then just save the file and exit.
6. Define EAP Methods
Now the fun part is knowing which EAP methods you want to use. I won’t do an in-depth EAP tutorial on this thread. Just know that in this lab I am using EAP-TTLS because it requires the use of a server-side certificate but client certificates are optional.
By default, FreeRADIUS uses EAP-MD5, which is not very strong.
eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received.
#
# The incoming EAP messages DO NOT specify which EAP
# type they will be using, so it MUST be set here.
#
# For now, only one default EAP type may be used at a time.
#
# If the EAP-Type attribute is set by another module,
# then that EAP type takes precedence over the
# default type configured here.
#
default_eap_type = md5
Comment out the default_eap_type = md5 line and add:
default_eap_type = ttls
FreeRADIUS comes with a server certificate by default, which we will use for initial testing.
Comment out the Supported EAP types of MD5, LEAP, GTC
Under ttls, change default_eap_type to mschapv2
ttls {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# TTLS tunnel, we recommend using EAP-MD5.
# If the request does not contain an EAP
# conversation, then this configuration entry
# is ignored.
default_eap_type = mschapv2
7. Add Users
Let’s add users which will authenticate to this RADIUS server. Edit the users file with this command:
sudo vi users
Add an account to the file:
rowell Cleartext-Password := "Password123"
rowell = my username.
Cleartext-Password = statement indicating we are going to assign a clear text password to this username. Notice that ":=" is used for assignment.
Password123 = my super strong password inside quotes.
In this scenario, users are defined in a file using clear text passwords. Not the smartest thing to do in production. If you do go this route, you must secure this server very well.
8. Test Authentication
Run a quick test to see if FreeRADIUS will accept the newly created username and password. Running this from the server means you will have to use the secret configured for the localhost which is defined in the clients.conf file:
$ radtest rowell Password123 127.0.0.1 0 testing123
Sending Access-Request of id 156 to 127.0.0.1 port 1812
	User-Name = "rowell"
	User-Password = "Password123"
	NAS-IP-Address = 192.168.x.x
	NAS-Port = 0
	Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=156, length=20
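To show what radtest is actually putting on the wire in the test above, here is an added Python example (not from the original post and not FreeRADIUS's own code) that builds the same Access-Request, including the User-Password obfuscation and Message-Authenticator from RFC 2865/2869, builds the bare Access-Accept the server answers with, and verifies the Response Authenticator on the client side. The secret "testing123", the user, password and id 156 are the values from the post; the NAS IP 127.0.0.1 is a placeholder for the redacted 192.168.x.x.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865 / RFC 2869.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value  # Type, Length (incl. header), Value

def user_password(secret, authenticator, data, decrypt=False):
    # RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous
    # ciphertext block), first block keyed with the Request Authenticator. Obfuscation, not encryption.
    if not decrypt:
        data = data.ljust(max(1, -(-len(data) // 16)) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out.rstrip(b"\x00") if decrypt else out

def build_access_request(secret, user, password, ident, nas_ip="127.0.0.1", authenticator=None):
    # The same attribute set radtest sends. Message-Authenticator is HMAC-MD5 over the
    # whole packet with its own value zeroed (RFC 2869 5.14), keyed with the shared secret.
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, user_password(secret, authenticator, password.encode()))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(NAS_PORT, struct.pack("!I", 0))
             + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def build_access_accept(secret, request_authenticator, ident):
    # Bare Access-Accept (length 20, as in the radtest output above). Response Authenticator =
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3.
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20)
    return header + hashlib.md5(header + request_authenticator + secret).digest()

def verify_response(secret, request_authenticator, reply):
    # Client-side check: a reply built with the wrong secret, or replayed against another request, fails.
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

Both integrity checks are keyed only with the shared secret and MD5, which is why the clients.conf secret needs to be long and random and why 802.1X traffic between AP and RADIUS server is best kept on a trusted management network.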
9. Start FreeRADIUS
service freeradius start
$ service freeradius status
● freeradius.service - LSB: Radius Daemon
   Loaded: loaded (/etc/init.d/freeradius; bad; vendor preset: enabled)
   Active: active (exited) since Thu 2016-12-01 09:49:53 PST; 59min ago
     Docs: man:systemd-sysv-generator(8)

Dec 01 09:49:53 auth-01 systemd[1]: Starting LSB: Radius Daemon...
Dec 01 09:49:53 auth-01 freeradius[30269]:  * Starting FreeRADIUS daemon freeradius
Dec 01 09:49:53 auth-01 freeradius[30269]:    ...done.
Dec 01 09:49:53 auth-01 systemd[1]: Started LSB: Radius Daemon.
Dec 01 10:48:24 auth-01 systemd[1]: Started LSB: Radius Daemon.
Now you have a FreeRADIUS server ready to authenticate users on your Wi-Fi network. The next step is to configure an access point or controller to point to your RADIUS server. Keep in mind that these authenticators are listed in the clients.conf file with their shared secrets; the same secret must be configured on the AP or controller.