Overview
Users will learn how to configure a minimal FreeRadius server and WPA2-PEAP (WPA-Enterprise) on airOS. There are several options for RADIUS servers such as FreeRadius, Radiator and Microsoft NPS.
Table of Contents
- How to Install FreeRADIUS server on Ubuntu 16.04
- Install FreeRADIUS and Nano text editor
- Edit EAP Configuration
- Add Username and Password
- Enable and Configure
- Edit radiusd.conf
- Reload
- Add new RADIUS client
- Restart
- Access Point Configuration
- Station Configuration
How to Install FreeRADIUS server on Ubuntu 16.04
1. Install FreeRADIUS and Nano text editor
sudo apt-get install freeradius nano
2. Edit EAP configuration file and set default EAP type to PEAP
sudo nano /etc/freeradius/eap.conf default_eap_type = peap
CTRL-O to Save
CTRL-X to Exit
3. Add Username and Password to be used on Station
sudo nano /etc/freeradius/users <add the following line at the bottom> customer Cleartext-Password := "password"
CTRL-O to Save
CTRL-X to Exit
4. Enable and Configure mschap-v2 protocol:
sudo nano /etc/freeradius/modules/mschap use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes
CTRL-O to Save
CTRL-X to Exit
5. Edit radiusd.conf to enable logging of auth success/fails. You can check /var/log/radius.log for successful/failed authentication attempts. This step is optional, but useful when troubleshooting.
Under "log" section:
auth = yes auth_badpass = yes auth_goodpass = yes
CTRL-O to Save
CTRL-X to exit
6. Reload libraries:
ldconfig
7. Add new RADIUS client <Access Point>
sudo nano /etc/freeradius/clients.conf
Add the IP address and shared secret for AP config
client 192.168.1.41 {
secret = testing123
shortname = airMAX-AP-2
}
8. Restart RADIUS service and test authentication
sudo service freeradius restart
Usage:
radtest {username} {password} {hostname} 10 {radius_secret}
Example:
radtest customer password localhost 10 testing123
You should see something like this:
Access Point Configuration
Make sure the AP is configured with the IP address used when configuring clients.conf in the section above.
1. Navigate to the Wireless tab and fill out the Wireless Security section as follows:
Security: WPA2-AES
WPA Authentication: EAP
Auth Server IP/Port: IP.OF.RADIUS.SERVER (Default port is 1812)
Auth Server Secret: secret configured in clients.conf. (For this example “testing123”)
2. Click Change > Apply
Station Configuration
1. Navigate to the Wireless tab.
Configure the SSID either manually or via Site Survey. If you don’t see the AP, confirm the channel width matches AP.
Edit as follows under the Wireless Security section:
Security: WPA2-AES
WPA Authentication: EAP EAP-PEAP MSCHAPV2
WPA User Name: This should match the user added in /etc/freeradius/users. (In this example "customer").
WPA User Password: This should match the password for the user "customer". (In this example "password").
2. Click Change > Apply
source : ubnt
Blogger Comment
Facebook Comment