Use FreeRADIUS for Wi-Fi Authentication
It's Free Software, it runs on Linux, and it's the most widely used RADIUS server on the planet. Here's how to deploy FreeRADIUS for Wi-Fi authentication on your network using CentOS.
Wireless networks for businesses, including smaller ones, should always be protected with the enterprise mode of Wi-Fi Protected Access (WPA or WPA2). It provides stronger encryption to protect against Wi-Fi hackers. Plus it hides the encryption keys from your users, so employees can't find them stored on their computer and use them maliciously or give them out. The way the personal or pre-shared key (PSK) mode of WPA or WPA2 distributes the encryption keys makes it more vulnerable to cracking.
The enterprise version, however, requires the use of a RADIUS server. This server provides a way for the users to authenticate themselves, so they can access the network. So instead of having to input the encryption key, users log onto the network with a username and password. The actual keys are exchanged without the user even knowing. Plus each user's key is different and regularly updated.
One authentication server you could use is called FreeRADIUS, an open source project, developed under the GNU General Public License Version 2 (GPLv2). It is actually the most widely used RADIUS server in the world. In addition to doing 802.1X/PEAP authentication, which is what we're going to set up, it supports many other authentication types for a variety of network types. It also features fail-over and load balancing, and supports numerous backend databases.
Installing Linux (Centos) and FreeRADIUS
First you need to install a Linux distribution. This tutorial is based on using CentOS, a free open source operating system. Mac OS X and Windows are also supported, as well as other Linux distributions.
Tip:If you didn't do a default fresh install of CentOS 5.3, you might want to make sure you still have the OpenSSL package installed before starting the server.
You should be able to install FreeRADIUS on any regular old PC. Just make sure the FreeRADIUS machine has a wired connection to the network. Also make sure it has a static IP address rather than a dynamic one. Assign one to the network adapter in CentOS or reserve one via your router's DHCP settings.
Note: The installation instructions are based upon the current CentOS version 5.3 and FreeRADIUS version 2.1.6. Right now the current FreeRADIUS packages aren't available via the regular CentOS repositories; only the out-dated version 1.x.x packages are. Therefore we will use a third-party location. However, in the future, you may be able to install a current (2.x.x) version of FreeRADIUS using the packages via the Package Manager or by running "yum install freeradius".
- Using CentOS, download the freeradius2.repo file and save it to your desktop.
- Open a Terminal and type "su" and enter your root password. Then type "cp /home/yourusername/Desktop/freeradius2.repo /etc/yum.repos.d".
- Now type "yum install freeradius2", and when prompted, enter "y" to start the installation.
- If dependencies are required, choose to install them.
Tip: If you get the "Package is not signed" error, type "gedit" and use the text editor to change "gpgcheck=1" to "gpgcheck=0" in the /etc/yum.conf file, and then save and close the editor. After the install is complete, reverse this setting. Now type the install line again in the existing terminal window.
Now you'll probably want to install additional FreeRADIUS packages, such as for database backend support. For a listing of packages type "yum info freeradius2*" In this tutorial, we'll cover MySQL, so we'll install it: "yum install freeradius2-mysql". Again, elect to install the dependencies by typing "y".
Warming Up to File-based Configuration
If you haven't worked with Unix/Linux servers or command-line driven applications before, FreeRADIUS may seem hard to understand at first. Though there are some GUI utilities available, it's typically configured via only configuration text files.
However, as you'll see, FreeRADIUS is fairly straightforward to set up. Understand that it "just works", meaning the default configuration files are preconfigured to run most authentication protocols without many or any additional changes.
Don't change or delete any settings without understanding what it is and what it will do. A simple mistake can break the configuration and it can take hours to troubleshoot. If you make any modifications outside of this tutorial, try to take it step-by-step. Change one setting or a section of settings, then test to see if it works and to make sure you haven't broken the configuration.
Creating the Self-signed Certificates for PEAP
Though the SSL certificates that are required for PEAP and TLS are now created automatically by FreeRADIUS, you must customize the password and identification attributes. Do this before running the server for the first time. Here's how to make the changes:
- Open a terminal, type "su" for root mode, and run "gedit" to open the text editor. Then open the ca, client, and server cnf files from /etc/raddb/certs. In each conf file, edit the following:
- Change "default_days" in the CA Default section to something longer than one year, so you don't have to create and update the certificate so soon.
- Change the "input_password" and "output_password" in the Req section, so the certificates are protected by something other than the default password.
- Change the six values for the last set of identification fields in the Certificate Authority, Client, and Server sections.
- Save the files, but do not close the text editor yet.
- Now you need to update the password in the etc/raddb/eap.conf file by changing the "private_key_password" value in the TLS section.
- Save the file and close the Text Editor.
In the existing root terminal, type "/usr/sbin/radiusd -X". This will create your self-signed certificates and start the server in debugging mode so you can see what's happening. If everything goes as planned you'll see "Ready to process requests" at the end.
Though the server is now installed and able to run, the next sections will take you through configuring several more settings before it's ready to authenticate your Wi-Fi users.