FreeRADIUS
RADIUS is an Authentication and Authorization protocol and FreeRADIUS is the most widely deployed server. Others are quite good, but FreeRADIUS is, well, free.
Let’s install on Debian and test the EAP-PEAP protocol with MSCHAPv2 hashed passwords so we can integrate easily with Windows and macOS clients. We’ll also include the LDAP extension for later.
Install
# Start with a clean slate (quote the glob so the shell doesn't expand it against the current directory)
apt remove --purge 'freeradius*'
rm -rf /etc/freeradius/
apt install freeradius freeradius-ldap
Edit the Users File
The users file is simply a config file that FreeRADIUS processes when it starts up. You can add users directly to it and they’ll be processed accordingly.
vim /etc/freeradius/3.0/users
# Uncomment the line below
bob Cleartext-Password := "hello"
Start The Service and Test Locally
systemctl stop freeradius.service
/etc/init.d/freeradius debug
# In another terminal on the server, test that you can authenticate
radtest -t mschap bob hello localhost 0 testing123
You’re looking for the message Received Access-Accept. Take a look at the debug in the server console if you need to dig into errors.
Hashed Password Testing
We prefer not to store plain-text passwords, so let’s use the smbencrypt utility to generate an NT hash and store that instead. The RADIUS server will use that hash directly rather than hashing the plain-text password it has stored now.
smbencrypt hello
# a quick way to extract just the nt hash
smbencrypt hello 2> /dev/null | tail -1 | awk '{print $2}'
# Change the bob entry
vim /etc/freeradius/3.0/users
bob NT-Password := "066DDFD4EF0E9CD7C256FE77191EF43C"
# Test the same as above
radtest -t mschap bob hello localhost 0 testing123
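The NT hash that smbencrypt prints is simply MD4 over the password encoded as UTF-16LE, so you can generate users-file entries on any machine and check a stored hash yourself. The following is an added example, not code from the page or from FreeRADIUS; it implements MD4 in pure Python (per RFC 1320) because hashlib's "md4" is often unavailable under OpenSSL 3, and the `users_entry` and `check_password` helpers are this example's own names.

```python
"""Generate NT-Password entries for the FreeRADIUS users file without smbencrypt.

Added example, not code from the page or from FreeRADIUS. The NT hash is MD4
over the password encoded as UTF-16LE. MD4 is implemented here in pure Python
(per RFC 1320) because hashlib's "md4" is often unavailable under OpenSSL 3.
"""
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(value: int, bits: int) -> int:
    return ((value << bits) | (value >> (32 - bits))) & _MASK


def _md4_compress(state, block: bytes):
    """Process one 64-byte block: three rounds of sixteen steps each."""
    x = struct.unpack("<16I", block)
    a, b, c, d = state

    def f(p, q, r):
        return (p & q) | (~p & r)

    def g(p, q, r):
        return (p & q) | (p & r) | (q & r)

    def h(p, q, r):
        return p ^ q ^ r

    # (step function, additive constant, message-word order, per-step rotations)
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for func, const, order, shifts in rounds:
        for i, word in enumerate(order):
            # each step updates register a, then the registers rotate (a,b,c,d) -> (d,a',b,c)
            a, b, c, d = d, _rotl((a + func(b, c, d) + x[word] + const) & _MASK, shifts[i % 4]), b, c
    return tuple((s + v) & _MASK for s, v in zip(state, (a, b, c, d)))


def md4(data: bytes) -> bytes:
    """MD4 digest: pad with 0x80, zeros, and the little-endian 64-bit bit length."""
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    for offset in range(0, len(padded), 64):
        state = _md4_compress(state, padded[offset:offset + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash in the form FreeRADIUS expects: 32 upper-case hex digits."""
    return md4(password.encode("utf-16-le")).hex().upper()


def users_entry(username: str, password: str) -> str:
    """One users-file line storing the NT hash in place of Cleartext-Password."""
    if not username or any(ch.isspace() for ch in username):
        raise ValueError("username must be a single non-empty token")
    return f'{username} NT-Password := "{nt_hash(password)}"'


def check_password(stored_nt_hash: str, candidate: str) -> bool:
    """MS-CHAP processing on the server works from the NT hash alone, so the plaintext
    never has to be stored; this does the equivalent comparison for a direct check.
    The hash is unsalted, so the users file must be readable only by the server."""
    return hmac.compare_digest(stored_nt_hash.upper(), nt_hash(candidate))


if __name__ == "__main__":
    print(users_entry("bob", "hello"))
```

Running the block prints the same `bob NT-Password := "066DDFD4EF0E9CD7C256FE77191EF43C"` line as the smbencrypt pipeline above; because the NT hash is unsalted and password-equivalent for MS-CHAP, treat the users file with the same care as the plaintext it replaces.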
Client Testing
The above testing worked because localhost is allowed to connect by default. To use this with an actual access point and client (authenticator and supplicant), we’ll create a ‘site’: a file that declares the APs as a RADIUS client and defines the virtual server that will handle their requests.
Add a RADIUS Client
You need access points that understand 802.1X. In our example we have some Unifi Access Points on a 10.0.0.0/8 network that can reach the RADIUS server.
Create a new ‘site’ named ‘wifi’ that describes our network.
vim /etc/freeradius/3.0/sites-available/wifi
#
# /etc/freeradius/3.0/sites-available/wifi
#
client UniFi-APs {
    shortname = wifi
    virtual_server = wifi
    # shared secret; the APs must be configured with the same value
    secret = someBigLongRandomString
    # allow client connections from the 10.* range
    ipaddr = 10.0.0.0/8
}
server wifi {
    authorize {
        # cleans up attributes, required
        preprocess
        # sets Auth-Type = MS-CHAP when MS-CHAP attributes arrive outside EAP (the direct radtest below)
        mschap
        # we use eap authentication, required
        eap
        # reads the users file so this server can find bob's NT-Password
        files
    }
    authenticate {
        # mschap authentication
        Auth-Type MS-CHAP {
            mschap
        }
        # eap, this is required
        eap
    }
}
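The client block above is where the trust between the APs and the server is set: any host inside `ipaddr` that knows `secret` can send requests, and the secret also protects the RADIUS packet authenticators, so it should be long and random. The following added example (not code from the page or from FreeRADIUS) generates such a secret and renders the stanza, refusing a malformed network or a short secret; `MIN_SECRET_LEN` and `BROADEST_PREFIX` are this example's own constructed policy values, not FreeRADIUS defaults.

```python
"""Render a FreeRADIUS client stanza with a freshly generated shared secret.

Added example, not code from the page or from FreeRADIUS. MIN_SECRET_LEN and
BROADEST_PREFIX are constructed policy values for this example.
"""
import ipaddress
import secrets

MIN_SECRET_LEN = 32    # constructed policy: shortest secret we will emit
BROADEST_PREFIX = 16   # constructed policy: warn on any client range wider than a /16


def generate_secret(nbytes: int = 24) -> str:
    """URL-safe random secret; 24 random bytes encode to exactly 32 characters."""
    return secrets.token_urlsafe(nbytes)


def render_client(name: str, network: str, secret: str,
                  shortname: str = "wifi", virtual_server: str = "wifi"):
    """Return (stanza_text, warnings). Raises ValueError on a malformed network,
    a secret that is too short, or a secret that would not survive unquoted in the config."""
    # strict=True rejects host bits set in the prefix, e.g. 10.0.0.1/8
    net = ipaddress.ip_network(network, strict=True)
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError(f"shared secret shorter than {MIN_SECRET_LEN} characters")
    if any(ch.isspace() or ch == '"' for ch in secret):
        raise ValueError("secret must not contain whitespace or double quotes")
    warnings = []
    if net.prefixlen < BROADEST_PREFIX:
        warnings.append(f"ipaddr {net.with_prefixlen} is wider than /{BROADEST_PREFIX}: "
                        "every host in it that knows the secret may send requests")
    stanza = "\n".join([
        f"client {name} {{",
        f"    shortname = {shortname}",
        f"    virtual_server = {virtual_server}",
        f"    secret = {secret}",
        f"    ipaddr = {net.with_prefixlen}",
        "}",
    ])
    return stanza, warnings


if __name__ == "__main__":
    text, notes = render_client("UniFi-APs", "10.0.0.0/8", generate_secret())
    print(text)
    for note in notes:
        print("# note:", note)
```

With the page's `10.0.0.0/8` the function still renders the stanza but returns a note, since a /8 admits far more hosts than the APs themselves; narrowing `ipaddr` to the APs' actual subnet keeps the blast radius of a leaked secret small.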
Enable and Test
ln -s /etc/freeradius/3.0/sites-available/wifi /etc/freeradius/3.0/sites-enabled/wifi
systemctl stop freeradius.service
/etc/init.d/freeradius debug
# If you have a workstation in the 10. space you can test this before jumping to a WiFi supplicant
radtest -t mschap bob hello someServer 0 someBigLongRandomString
Support Realms
Sometimes, users will enter their email address as their login, e.g. [email protected]. This is pretty normal these days, but you’ll need to tell RADIUS about it. An empty realm block tells FreeRADIUS that the realm is handled locally rather than proxied, so the realm is stripped and the user is looked up as bob.
vi /etc/freeradius/3.0/proxy.conf
# at the bottom, add
realm example.org {
}
Next Steps
Configure your access point and you should be good, as long as you’re Bob and don’t mind editing text files. A better approach is a user database, like OpenLDAP.