
Installing and Configuring FreeRADIUS

Now it's time to install FreeRADIUS. Download FreeRADIUS and unpack.

~ $ tar xvzf freeradius-1.1.7.tar.gz 

Configure, build and install, then run ldconfig so the newly installed shared libraries are picked up by the dynamic linker. By default, FreeRADIUS installs in /usr/local and reads its configuration files from /usr/local/etc/raddb.

~ $ cd freeradius-1.1.7
~/freeradius-1.1.7 $ ./configure
~/freeradius-1.1.7 $ make
~/freeradius-1.1.7 $ su -c "make install"
Password: pA55w0rD
~/freeradius-1.1.7 $ su -c ldconfig
Password: pA55w0rD

FreeRADIUS comes packaged with a pretty monstrous, but well documented set of config files. Setting up WPA2 authentication really only scratches the surface of what FreeRADIUS is capable of. Since the default settings get us pretty close, we just need to make a few minor changes to some config files to get RADIUS authentication up and running.

Open up radiusd.conf with your favorite text editor and adjust the directory pointers (lines 23 through 40) to suit your system.

23  prefix = /usr/local
24  exec_prefix = ${prefix}
25  sysconfdir = ${prefix}/etc
26  localstatedir = ${prefix}/var
27  sbindir = ${exec_prefix}/sbin
28  logdir = ${localstatedir}/log/radius
29  raddbdir = ${sysconfdir}/raddb
30  radacctdir = ${logdir}/radacct
32  #  Location of config and logfiles.
33  confdir = ${raddbdir}
34  run_dir = ${localstatedir}/run/radiusd
36  #
37  #  The logging messages for the server are appended to the
38  #  tail of this file.
39  #
40  log_file = ${logdir}/radius.log

The location of the log file on line 40 is especially important. FreeRADIUS usually isn't very informative about runtime errors on the console, and instead writes everything to the log. So if you have any problems with FreeRADIUS, look at the log first.

The rest of this config file is huge—2149 lines huge. The good news is we don't need 90% of the options FreeRADIUS has for WPA2. So we can distill the whole config file down to around 200 lines.

You can safely comment out (or delete) just about anything that doesn't have to do with TLS or EAP (such as the module sections dealing with PEAP, CHAP, MSCHAP, etc.). Instead of walking you through every change, here is a copy of what I use (this is likely more than the absolute minimum even with all the comments removed).

One big change that needs to be made is changing to an unprivileged user and group on lines 109 and 110:

109  user = nobody
110  group = nobody

Next, open up clients.conf and add a section for your router. The router is the only true "client" to the RADIUS server; the computers that connect are called users. Use the IP address of your router and a strong secret (this is the "password" that the router will use to talk to the RADIUS server).

The "shortname" variable is used only for logging, so it can be whatever makes the most sense for you. Unless your NAS (Network Access Server) type is explicitly listed above in the clients.conf file, use "other" for the NAS type.

client 192.168.1.1 {                    # replace 192.168.1.1 with your router's IP address
        secret          =       smallnetbuilder
        shortname       =       wireless_ap
        nastype         =       other
}
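A quick sanity check for the client block above, written as an added example rather than anything from the article or the FreeRADIUS project. It lints a constructed clients.conf (192.168.1.1 is a placeholder address): the block must open with `client <ip-address> {`, be closed with `}`, declare secret, shortname and nastype, and the shared secret must meet a minimum length, which is assumed here to be 16 characters since the article only says "strong".

```shell
#!/bin/sh
# Added example (not from the SmallNetBuilder article): lint the "client"
# block in a FreeRADIUS clients.conf before pointing a router at the server.

MIN_SECRET_LEN=16   # assumption: RADIUS secrets shorter than this are flagged

# Constructed sample clients.conf, modelled on the article's block.
# 192.168.1.1 is a placeholder for the router's address.
SAMPLE_CLIENTS_CONF=$(mktemp)
cat >"$SAMPLE_CLIENTS_CONF" <<'EOF'
client 192.168.1.1 {
        secret          =       smallnetbuilder
        shortname       =       wireless_ap
        nastype         =       other
}
EOF

# get_client_value FILE KEY -> prints the value assigned to KEY ("key = value")
get_client_value() {
    awk -v key="$2" '$1 == key && $2 == "=" { print $3; exit }' "$1"
}

# check_client_block FILE -> 0 when the block is well formed, 1 otherwise;
# prints one line per finding so it can be used as a setup checklist.
check_client_block() {
    file=$1
    rc=0
    # the block must open with "client <ip-address> {" ...
    if ! grep -Eq '^client[[:space:]]+[0-9]+(\.[0-9]+){3}[[:space:]]*\{' "$file"; then
        echo "missing 'client <ip-address> {' line"; rc=1
    fi
    # ... and be closed with a lone "}"
    if ! grep -Eq '^[[:space:]]*\}[[:space:]]*$' "$file"; then
        echo "client block is not closed with '}'"; rc=1
    fi
    for key in secret shortname nastype; do
        if [ -z "$(get_client_value "$file" "$key")" ]; then
            echo "missing '$key' in client block"; rc=1
        fi
    done
    return $rc
}

# secret_is_strong FILE -> 0 when the shared secret is at least MIN_SECRET_LEN long
secret_is_strong() {
    secret=$(get_client_value "$1" secret)
    [ "${#secret}" -ge "$MIN_SECRET_LEN" ]
}

# Stand-alone run: lint the constructed sample
if check_client_block "$SAMPLE_CLIENTS_CONF"; then
    echo "client block: ok"
fi
if secret_is_strong "$SAMPLE_CLIENTS_CONF"; then
    echo "secret: ok"
else
    echo "secret: shorter than $MIN_SECRET_LEN characters, choose a longer one"
fi
```

Run it against your real clients.conf by replacing `SAMPLE_CLIENTS_CONF` with the path under raddb. The sample secret from the article is 15 characters long, so the length check reports it; the structural checks pass.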

Next, edit the users file. Add a line for each of the client keys we created, using the common name supplied for that key as the user name, followed by the DEFAULT line that rejects everything else. Have some fun with the default rejection message.

# users file for FreeRADIUS

winxp_laptop    Auth-type := EAP

linux_laptop    Auth-type := EAP

DEFAULT         Auth-type := Reject
                Reply-Message := "Your Computer Ain't Welcome Here!"

Now we'll need to edit eap.conf. Change default_eap_type to TLS on line 23:

default_eap_type = tls

Adjust the TLS configuration to suit your set up:

tls {
   private_key_password = pA55w0rD
   private_key_file = /etc/wireless/server_key.pem

   #  If Private key & Certificate are located in
   #  the same file, then private_key_file &
   #  certificate_file must contain the same file
   #  name.
   certificate_file = /etc/wireless/server_cert.pem

   #  Trusted Root CA list
   CA_file = /etc/wireless/cacert.pem

   #
   #  For DH cipher suites to work, you have to
   #  run OpenSSL to create the DH file first:
   #
   #       openssl dhparam -out certs/dh 1024
   #
   dh_file = /etc/wireless/dh
   random_file = /etc/wireless/random
}
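Before starting radiusd it is worth confirming that every file the tls section names actually exists and that the server's private key is not readable by group or others (radiusd drops to the unprivileged user set in radiusd.conf, so the key only needs to be readable by that user). The script below is an added example, not code from the article or from FreeRADIUS; it builds placeholder files in a temporary directory instead of /etc/wireless, leaves random_file missing on purpose to show a failing check, and reads the same keys the tls section above uses.

```shell
#!/bin/sh
# Added example (not from the SmallNetBuilder article): check the file
# references in the eap.conf "tls" section before starting radiusd.

WORK=$(mktemp -d)

# Constructed stand-ins for the files the article's tls section references.
printf 'placeholder key\n'  >"$WORK/server_key.pem"
printf 'placeholder cert\n' >"$WORK/server_cert.pem"
printf 'placeholder ca\n'   >"$WORK/cacert.pem"
printf 'placeholder dh\n'   >"$WORK/dh"
chmod 600 "$WORK/server_key.pem"                         # key: owner only
chmod 644 "$WORK/server_cert.pem" "$WORK/cacert.pem" "$WORK/dh"
# random_file is deliberately not created, so the first run reports it

# Constructed tls section using the same keys as the article's
SAMPLE_EAP_CONF="$WORK/eap.conf"
cat >"$SAMPLE_EAP_CONF" <<EOF
tls {
    private_key_file = $WORK/server_key.pem
    certificate_file = $WORK/server_cert.pem
    CA_file = $WORK/cacert.pem
    dh_file = $WORK/dh
    random_file = $WORK/random
}
EOF

# tls_value FILE KEY -> the path assigned to KEY inside the tls section
tls_value() {
    awk -v key="$2" '$1 == key && $2 == "=" { print $3; exit }' "$1"
}

# file_is_private FILE -> 0 when the mode has no group/other bits (-rw-------)
file_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# check_tls_files EAP_CONF -> 0 when every referenced file exists and the
# private key is private; prints one finding per problem.
check_tls_files() {
    conf=$1
    rc=0
    for key in private_key_file certificate_file CA_file dh_file random_file; do
        path=$(tls_value "$conf" "$key")
        if [ -z "$path" ]; then
            echo "$key: not set"; rc=1
        elif [ ! -r "$path" ]; then
            echo "$key: $path does not exist or is unreadable"; rc=1
        fi
    done
    keyfile=$(tls_value "$conf" private_key_file)
    if [ -n "$keyfile" ] && [ -r "$keyfile" ] && ! file_is_private "$keyfile"; then
        echo "private_key_file: $keyfile is readable by group or others"; rc=1
    fi
    return $rc
}

# Stand-alone run against the constructed section
if check_tls_files "$SAMPLE_EAP_CONF"; then
    echo "tls file references: ok"
else
    echo "tls file references: fix the findings above before starting radiusd"
fi
```

Point `SAMPLE_EAP_CONF` at your real eap.conf to use it on the live configuration; on the constructed sample the first run reports only the missing random_file.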
