Use FreeRADIUS for Wi-Fi Authentication (Part 2)
In part one of this article, we installed FreeRADIUS to do 802.1 X/PEAP authentication, so we can run WPA or WPA2 enterprise encryption on our Wi-Fi network. We loaded our PC with CentOS 5.3 and installed FreeRADIUS version 2.1.6. Plus we created certificates for PEAP, configured the EAP settings, created user accounts, and inputted the AP details.
Now we'll open the CentOS firewall and configure our access points (APs). Then we'll distribute the CA file to all the computers and configure them with the encryption and authentication settings. Plus we'll set up SQL so you can store your user and AP information in a database rather than text files.
Opening the Firewall
CentOS comes with a firewall enabled by default. So in order for RADIUS traffic to reach FreeRADIUS, you must open up the ports it uses. Click System > Administration > Security Level and Firewall. Then click the arrow to expand the Other Ports section. Add UDP ports 1812 and 1813 and click Apply.
Restarting the Server to Load New Settings
If you had FreeRADIUS running while you made the configuration changes you'll have to restart the server for them to take effect. To stop the server, go to the terminal window and hit Ctrl + C. Then type '/usr/sbin/radiusd -X' again (or press the up arrow key) to start it. If you're opening a new terminal window, you'll have to type 'su' first to run as root.
Now the server is running and ready to accept authentication requests from Wi-Fi users.
Once your encrypted-network is operational, you can omit the 'X' to start FreeRADIUS without the debugging. The server will work in the background and you can refer to log files and accounting data.
Configuring Your APs
Now you can get your APs ready to go. After setting them to use WPA (TKIP) or WPA2 (AES) enterprise encryption, you have to input the RADIUS settings. This includes the IP address of the FreeRADIUS machine, the port (1812), and the shared secret you defined for that particular AP. Most APs also support accounting to store session details. If you need accounting, you need to input similar server details with port 1813.
Installing the CA File on All the Computers
Though the PEAP authentication protocol doesn't require client certificates, you must install a certificate for the Certificate Authority (CA) on each computer. This is because we're using a self-signed certificate for the server rather than purchasing one signed from a CA that Windows will recognize, such as VeriSign or GoDaddy.
You need to get the etc/raddb/certs/ca.der file copied onto all the computers. You can copy it on a USB flash drive and take it around to each PC. To copy, open a new terminal and type "su" to get into root mode, or use an existing one, and run a copy command, such as "cp /etc/raddb/certs/ca.der /newlocation/certs".
Tip: To figure out the path to a device, such as a USB drive, click Places > Computer, open the device, and then right-click any file on the device and select Properties. Then refer to the Location value. For example my Cruzer flash drive shows "/media/Cruzer_".
Now on each Windows computer, right-click on the certificate file and select Install Certificate. Then place it in the Trusted Root Certification Authorities store. On the confirmation dialog, select Yes to install.
Configuring the Computers With the Authentication and Encryption Settings
On WEP and WPA/WPA2-personal networks, you just select the network and you're prompted for the key. However, connecting to enterprise encrypted networks takes a bit more configuration. But once configured, you simply connect to the network by entering your username and password, which can even be cached so you don't have to enter it again.
If a profile doesn't already exist for the network, you need to create one. Then configure the settings. Remember, you are using WPA (TKIP) or WPA2 (AES) Enterprise encryption with PEAP authentication. On the PEAP properties dialog, make sure you select to validate the server certificate and select the certificate you imported. Plus you can enter the server's IP address to use when validating. Then ensure you use the Secured Password (EAP-MSCHAP v2) method. Plus click the Configure button to ensure the setting (Automatically use my Windows logon name and password) on the dialog box is not checked.
Keep in mind, the first time you connect to the network, the Validate Server Certificate dialog box should appear; sometimes it can hide behind other windows. Click OK to accept the certificate and continue connecting.
Setting Up SQL for User and AP Lookups
If you have a large amount of users and/or APs, or you change their details often, you might want to use a database to store the information rather than the text files. You can either install and configure your own server or use a hosted one, such as from a website provider. Either way, you must install the FreeRADIUS MySQL package (freeradius2-mysql).
Now you need to load the default database structure onto your database server. If running your own server in CentOS, run "mysql -uroot -prootpass radius < /etc/raddb/sql/mysql/schema.sql" from a Terminal. If using a remote or hosted server, run "gedit" with a root Terminal and use a Text Editor to open etc/raddb/sql/mysql/schema.sql. Then copy and paste the SQL commands into the server to run them, which will create the structure.
If you want to also use SQL for the AP details, load the etc/raddb/sql/mysql/nas.sql file into your database.
Now you need to edit the FreeRADIUS configuration files to tell the server to use SQL. From a root Text Editor, open etc/raddb/radiusd.conf and uncomment the "$INCLUDE sql.conf" line. Now open etc/raddb/sites-enabled/inner-tunnel and uncomment "sql" from the Authorize section. Now FreeRADIUS will use the files and SQL.
Now you need to give FreeRADIUS the database connection and login details. From a root text editor, open etc/raddb/sql.conf. Then make sure database = 'mysql'. If using a remote/hosted database, enter the server address. Make sure you input the Username and Password for your server. For the radius_db value, enter the database name. If using SQL for AP details, uncomment "readclients = yes".
Finally, insert rows into the radcheck table to define the user accounts. The format is similar to the users file:
username attribute op value
egeier Cleartext-Password := pass123
Here's an example of what you can insert into the nas table for the AP details if you enabled it:
nasname shortname type secret
192.168.0.1 private-network-1 other testing123
Troubleshooting and Getting Help
Now you should have an enterprise-encrypted wireless network with FreeRADIUS providing the authentication. Remember, while setting up the server or after making changes, use the debugging mode to see the server activity. If you have connection or logon issues, carefully examine the debug and analyze any recent changes.
You can also check out the Frequently Asked Questions and the Wiki. After you've scrutinized your configuration and settings, and searched for existing discussions on the same issue, you can ask questions on the mailing list.
When posting to the list, make sure you include the FreeRADIUS version (we used 2.1.6) post debugs and related configuration sections, while masking any private information. Plus send e-mails in plain-text format.
Eric Geier is the author of many networking and computing books, including Home Networking All-in-One Desk Reference For Dummies (Wiley 2008) and 100 Things You Need to Know about Microsoft Windows Vista (Que 2007).