
INTERNAL: DRAFT: Configuring FreeRADIUS for WPA2-Enterprise

Example RADIUS Configuration (FreeRADIUS)

The following example configuration outlines how to set up FreeRADIUS:

  1. Download and install FreeRADIUS.
  2. Configure PEAP-MSCHAPv2.
  3. Add APs as RADIUS clients on the server.
  4. Add users to the FreeRADIUS user database.
  5. Create a certificate and configure FreeRADIUS to use it.
  6. Start the FreeRADIUS service.

Download and install FreeRADIUS

FreeRADIUS can be installed using apt-get on Debian-based Linux:

root@kali:~# apt-get install freeradius

Verify the version in use. This article uses FreeRADIUS version 3:

root@kali:~# freeradius -v
radiusd: FreeRADIUS Version 3.0.12, for host x86_64-pc-linux-gnu, built on May 30 2017 at 15:18:34
FreeRADIUS Version 3.0.12

Configure PEAP-MSCHAPv2

A RADIUS server must host a certificate that allows both network clients and Meraki APs to validate the server's identity. Start by selecting PEAP as the default EAP type:

root@kali:~# vim /etc/freeradius/3.0/mods-enabled/eap

Set default_eap_type to peap:

default_eap_type = peap

 

Tell FreeRADIUS to use MSCHAPv2:

root@kali:~# vim /etc/freeradius/3.0/mods-enabled/mschap

Uncomment the line 'use_mppe = no' and change it to 'use_mppe = yes'
Uncomment the line 'require_encryption = yes'
Uncomment the line 'require_strong = yes'


Add APs as RADIUS clients on the server

In this scenario, APs communicate with clients and receive their domain credentials, which the AP then forwards to FreeRADIUS. In order for an AP's RADIUS Access-Request message to be processed by FreeRADIUS, it must first be added as a RADIUS client/authenticator by its IP address. Since only gateway APs have an IP address on the LAN, all gateway APs in the network must be added to FreeRADIUS as RADIUS clients.

To quickly gather all gateway APs' LAN IP addresses, navigate to Wireless > Monitor > Access points in Dashboard, ensure that the "LAN IP" column has been added to the table, and take note of all LAN IPs listed. APs with a LAN IP of "N/A" are repeaters and do not need to be added as RADIUS clients.

Once a list of gateway APs' LAN IPs has been gathered, add each AP as a client in FreeRADIUS.

Note: To save time, an entire subnet can also be added to FreeRADIUS as a RADIUS client, and any requests coming from that subnet will be processed by FreeRADIUS. This is only recommended if all APs are on their own management VLAN and subnet, to reduce security risks. The shared secret must match the one configured for this RADIUS server in Dashboard.

root@kali:~# vim /etc/freeradius/3.0/clients.conf

Add lines for the AP management subnet and RADIUS shared secret:

client AP-management-subnet {
        ipaddr    = 172.16.0.0/24
        secret    = testing123
}
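The following script is an added example, not part of this article or of FreeRADIUS. It takes an AP list in the shape of the Dashboard "Access points" table (name, LAN IP), skips repeaters (LAN IP "N/A"), validates each address, and emits one clients.conf stanza per gateway AP with its own randomly generated shared secret. This goes beyond the single-subnet client shown above: a per-AP client limits what a leaked secret can be used for to that one AP. It also renders the article's subnet stanza, rejecting a CIDR with host bits set. The AP names and addresses are constructed sample data.

```python
"""Generate FreeRADIUS clients.conf stanzas for Meraki gateway APs.

Added example (not from the article or FreeRADIUS). AP names and IPs below
are constructed sample data in the shape of the Dashboard table.
"""
import ipaddress
import secrets

# Constructed sample of the Dashboard "Access points" table: (AP name, LAN IP).
SAMPLE_APS = [
    ("AP-Lobby", "172.16.0.11"),
    ("AP-Floor2", "172.16.0.12"),
    ("AP-Roof-Repeater", "N/A"),  # repeater: no LAN IP, so not a RADIUS client
]


def gateway_aps(aps):
    """Return only gateway APs (those with a LAN IP), validating each address."""
    result = []
    for name, lan_ip in aps:
        if lan_ip == "N/A":
            continue
        # ipaddress.ip_address raises ValueError for anything that is not a
        # valid IPv4/IPv6 address, so a typo in the table is caught here.
        result.append((name, str(ipaddress.ip_address(lan_ip))))
    return result


def client_stanza(name, ipaddr, secret):
    """Render one stanza in the same layout the article uses."""
    return "\n".join([
        f"client {name} {{",
        f"        ipaddr    = {ipaddr}",
        f"        secret    = {secret}",
        "}",
    ])


def build_clients_conf(aps, secret_bytes=24):
    """Build clients.conf text with a distinct random secret per gateway AP.

    Returns (text, secrets_by_ap); the secrets are what gets entered per AP
    (or per RADIUS server) in Dashboard.
    """
    stanzas = []
    secrets_by_ap = {}
    for name, ipaddr in gateway_aps(aps):
        # token_urlsafe only yields [A-Za-z0-9_-], safe as an unquoted value.
        secret = secrets.token_urlsafe(secret_bytes)
        secrets_by_ap[name] = secret
        stanzas.append(client_stanza(name, ipaddr, secret))
    return "\n\n".join(stanzas) + "\n", secrets_by_ap


def subnet_stanza(name, cidr, secret):
    """The article's alternative: one stanza covering a management subnet."""
    # strict=True rejects e.g. 172.16.0.5/24, which would silently cover
    # a different range than the author meant.
    network = ipaddress.ip_network(cidr, strict=True)
    return client_stanza(name, str(network), secret)


if __name__ == "__main__":
    text, per_ap = build_clients_conf(SAMPLE_APS)
    print(text)
    print(subnet_stanza("AP-management-subnet", "172.16.0.0/24", "testing123"))
```

Paste the printed stanzas into /etc/freeradius/3.0/clients.conf and keep the returned secrets dictionary somewhere safe; each secret has to be entered in Dashboard for the matching AP.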

Add users to the FreeRADIUS user database

FreeRADIUS can store users in its own users file. To add a user, edit that file:

root@kali:~# vim /etc/freeradius/3.0/users

Add a line for each user:

merakiuser    Cleartext-Password := "meraki1234"

 

You can then test that FreeRADIUS is working using radtest.

Start FreeRADIUS. The -X flag enables debugging output in the console:

root@kali:~# freeradius -X

In a separate terminal, use radtest to test that the user can be authenticated. The arguments are username, password, server, NAS port and shared secret; a request to localhost is matched by the default 'localhost' client entry in clients.conf, whose secret is testing123:

root@kali:~# radtest merakiuser meraki1234 localhost 0 testing123

You should get output indicating an Access-Accept was received:

Sent Access-Request Id 249 from 0.0.0.0:36003 to 127.0.0.1:1812 length 80
    User-Name = "merakiuser"
    User-Password = "meraki1234"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "meraki1234"
Received Access-Accept Id 249 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
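To show what the Access-Request above looks like on the wire, here is an added example that is not part of this article, FreeRADIUS or radtest. It implements the User-Password hiding from RFC 2865 section 5.2 and the Message-Authenticator from RFC 2869 section 5.14 with the article's shared secret testing123, assembles the same five attributes radtest printed, and decodes the password again as the server would. Decoding with the wrong secret fails, which is why a NAS whose secret does not match clients.conf gets no Access-Accept. The 16-byte request authenticator is a constructed constant (radtest generates a random one per request); the attribute types and NAS-IP-Address 127.0.1.1 are taken from the radtest output.

```python
"""RADIUS Access-Request as sent by radtest (added example, not radtest code).

Implements RFC 2865 User-Password hiding and the RFC 2869 Message-Authenticator
so the packet can be built and checked offline with the article's secret.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80

SECRET = b"testing123"                # the article's shared secret
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed; radtest uses random bytes


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte chunk of the NUL-padded password with
    MD5(secret + previous chunk), seeded with the request authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the chain and strip the NUL padding."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length (incl. header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, authenticator, identifier=249):
    """Assemble the Access-Request with the attributes radtest printed."""
    attrs = (
        attribute(USER_NAME, username.encode())
        + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
        + attribute(NAS_IP_ADDRESS, bytes([127, 0, 1, 1]))
        + attribute(NAS_PORT, struct.pack("!I", 0))
    )
    # Message-Authenticator is HMAC-MD5 over the whole packet with its own value
    # zeroed; radtest prints it as 0x00 because it is shown before signing.
    placeholder = attribute(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + attribute(MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the attribute zeroed, as the server does."""
    pos = 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if t == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + length:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + length])
        pos += length
    return False


if __name__ == "__main__":
    pkt = build_access_request("merakiuser", "meraki1234", SECRET, REQUEST_AUTHENTICATOR)
    print("length", len(pkt), "(matches radtest's 'length 80')")
    attrs = parse_attributes(pkt)
    print("server recovers:", reveal_password(attrs[USER_PASSWORD], SECRET, REQUEST_AUTHENTICATOR))
    print("wrong secret   :", reveal_password(attrs[USER_PASSWORD], b"wrong", REQUEST_AUTHENTICATOR))
```

The packet length comes out at 80 bytes, the same figure radtest reported above, which is a quick sanity check that the encoding matches. The hiding is MD5 keyed only by the shared secret and a public authenticator, which is why the secret should be long and random rather than the default testing123 once the server leaves the lab.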

 

Create a certificate and configure FreeRADIUS to use it

In order for FreeRADIUS to authenticate users using PEAP-MSCHAPv2, a certificate must be installed on the server. OpenSSL is available on Linux and can be used to create it.

root@kali:~# vim /etc/ssl/openssl.cnf

In the [ CA_default ] section, modify the line with the comment "# Where everything is kept" to point at the FreeRADIUS directory:

dir        = /etc/freeradius/3.0/eap/eapCA

 

Change the default certificate options in the [ req_distinguished_name ] section. Each *_default line is the value the prompts will pre-fill; the values shown are the ones used for this article:

# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName            = Country Name (2 letter code)
countryName_default        = AU
countryName_min            = 2
countryName_max            = 2
stateOrProvinceName        = State or Province Name (full name)
stateOrProvinceName_default    = NSW
localityName            = Locality Name (eg, city)
localityName_default        = Sydney
0.organizationName        = Organization Name (eg, company)
0.organizationName_default    = Meraki
organizationalUnitName        = Organizational Unit Name (eg, section)
organizationalUnitName_default    = Support
commonName            = Common Name (e.g. server FQDN or YOUR name)
commonName_max            = 64
commonName_default        = Cisco-Meraki-Support-CA
emailAddress            = Email Address
emailAddress_max        = 64
emailAddress_default        = geoff@meraki.com

 

Create a new directory for the certificates:

root@kali:~# mkdir /etc/freeradius/3.0/eap

Copy the OpenSSL CA script into the FreeRADIUS directory:

root@kali:~# cp /usr/lib/ssl/misc/CA.pl /etc/freeradius/3.0/eap/CA.pl

 

Modify the CA.pl script so that this line points to the FreeRADIUS directory:

my $CATOP = "/etc/freeradius/3.0/eap/eapCA";

Run the script to create the CA and choose a PEM passphrase. Press Enter through the prompts such as country and organization name so the defaults entered earlier are used. Leave the optional challenge password empty:

root@kali:/etc/freeradius/3.0/eap# ./CA.pl -newca

There should be an eapCA directory now. Run the script again to create the server's certificate request and an unencrypted server key. Give the server certificate its own Common Name (for example the RADIUS server's hostname) rather than accepting the CA default, and leave the optional challenge password empty:

root@kali:/etc/freeradius/3.0/eap# ./CA.pl -newreq-nodes

 

There should be newkey.pem and newreq.pem files. Run the script again to sign the certificate:

root@kali:/etc/freeradius/3.0/eap# ./CA.pl -sign

Enter the PEM passphrase, choose 'y' to sign and 'y' to commit. This should generate newcert.pem.

Next, generate the dh and random files. The dhparam command below is the one from the original draft; 512-bit DH parameters are far below current minimums and are rejected by current OpenSSL builds and client TLS stacks, so for any real deployment use 2048 in place of 512:

root@kali:/etc/freeradius/3.0/eap# openssl dhparam -check -text -5 512 > dh
root@kali:/etc/freeradius/3.0/eap# dd if=/dev/urandom of=random count=2
root@kali:/etc/freeradius/3.0/eap# chmod 640 random newcert.pem newkey.pem newreq.pem dh

 

The EAP file needs to be modified again:

root@kali:/etc/freeradius/3.0# vim mods-enabled/eap

Under the "tls-config tls-common" section, modify the parameters to point at the new certificate files:

private_key_file = /etc/freeradius/3.0/eap/newkey.pem
certificate_file = /etc/freeradius/3.0/eap/newcert.pem
ca_file = /etc/freeradius/3.0/eap/eapCA/cacert.pem
dh_file = /etc/freeradius/3.0/eap/dh
random_file = /etc/freeradius/3.0/eap/random

Also uncomment the line:

fragment_size = 1024

 

Start the FreeRADIUS service

Finally, when ready to start the FreeRADIUS server, run the command below (keep -X until PEAP authentication is confirmed working, as it prints the full TLS and MSCHAPv2 exchange):

root@kali:/etc/freeradius/3.0# freeradius -X

You're now ready to connect wireless clients and authenticate against the RADIUS server using the credentials created earlier (Username: merakiuser / Password: meraki1234).

Last modified
22:08, 31 Jul 2017


Article ID

ID: 6011
