802.1X/EAP User Authentication

This blog post shows how to configure FreeRADIUS to authenticate wireless users via 802.1X/EAP. MySQL will be used as the user store.
The wireless AP will be a MikroTik (MT) router. The RADIUS server will be FreeRADIUS 2.2.5 running on Linux Mint Debian. This tutorial only gives instructions for setting up an 802.1X/EAP wireless network. It does not explain how an 802.1X/EAP wireless network works.

RADIUS Terminology:
Clients: A client refers to a NAS, like an access point (AP). In this tutorial, it is the MT router.
NAS: Network access server.

Change Ownership:
The default FreeRADIUS configuration files are in /etc/freeradius. To make working in this folder easier, change the folder ownership.
$ sudo chown -R jake:freerad /etc/freeradius
Configure NAS:
For clients to work properly, the NAS needs a static IP address. To enable dynamic clients with no static IP address, please see this post. This tutorial assumes all clients have a static IP address. Client configuration can be stored in a file or in MySQL. The steps below show how to configure the clients file.
$ cd /etc/freeradius
Open the client file with an editor.
$ sudo vi clients.conf
This file is well documented. Read through it for your own understanding. Add a new client by copying and pasting the following at the end of clients.conf. The client's IP address is the address that the RADIUS server has to communicate with. If the RADIUS server is on the same local network, the client's IP address is its local IP address. If the RADIUS server has to reach the client over the internet, the client's IP address is its public IP address.
client 127.313.28.15 {
 secret    = radius
 shortname = client_home
 nas_type  = mikrotik
 limit {
  max_connections = 0
  lifetime = 0
  idle_timeout = 30
 }
}
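A client block is only usable when its address parses, its braces close and its shared secret is hard to guess, since that secret is what authenticates traffic between the NAS and the RADIUS server. As an added example (not part of the original post), the Python check below flags those three problems in clients.conf text; the sample file, the function name lint_clients, the weak-secret list and the 16-character minimum are assumptions made for this illustration.

```python
import ipaddress
import re

MIN_SECRET_LEN = 16  # assumed policy threshold, not a FreeRADIUS setting
WEAK_SECRETS = {"radius", "testing123", "secret", "password"}  # assumed list

# Constructed sample: the first block uses the address and secret shown above
# with its closing braces left off; the second block is well-formed.
SAMPLE = """\
client 127.313.28.15{
 secret    = radius
 shortname = client_home
 nas_type  = mikrotik
 limit {
  max_connections = 0
  lifetime = 0
  idle_timeout = 30
client 192.0.2.10 {
 secret    = 9fQ2vX7mLw4TzK1pRb8N
 shortname = client_lab
}
"""

def lint_clients(text):
    """Return (client, problem) findings for the text of a clients.conf."""
    findings = []
    # Drop comments so braces inside them are not counted.
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    if body.count("{") != body.count("}"):
        findings.append(("<file>", "unbalanced braces"))
    # Split at each "client <name> {" header; the text after it is its block.
    parts = re.split(r"^\s*client\s+(\S+?)\s*\{", body, flags=re.M)
    for name, block in zip(parts[1::2], parts[2::2]):
        try:
            ipaddress.ip_network(name, strict=False)
        except ValueError:
            # Hostnames are also accepted by FreeRADIUS; flag for manual review.
            findings.append((name, "not a valid IP address or network"))
        m = re.search(r"^\s*secret\s*=\s*(\S+)", block, flags=re.M)
        secret = m.group(1).strip('"') if m else ""
        if not secret:
            findings.append((name, "no shared secret"))
        elif secret.lower() in WEAK_SECRETS or len(secret) < MIN_SECRET_LEN:
            findings.append((name, "weak shared secret"))
    return findings

if __name__ == "__main__":
    for client, problem in lint_clients(SAMPLE):
        print(f"{client}: {problem}")
```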
MySQL Configuration:
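Setting up the MySQL database: Username: radius. Password: radpass.
$ mysql -uroot -p
   -- the schema import below needs the radius database to exist
   CREATE DATABASE IF NOT EXISTS radius;
   GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";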
Create the tables.
$ sudo mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql
$ sudo mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql
Add the radius database information.
$ vi sql.conf
    driver = "rlm_sql_mysql"
    # Connection info:
    server = "localhost"
    port = 3306
    login = "radius"
    password = "radpass"
    read_groups = yes    
    read_clients = yes
Uncomment every sql line in sites-enabled/default and sites-enabled/inner-tunnel.
$ sudo sed -i 's/^#[[:space:]]*sql$/sql/' sites-enabled/default
$ sudo sed -i 's/^#[[:space:]]*sql$/sql/' /etc/freeradius/sites-enabled/inner-tunnel
Add $INCLUDE sql.conf below $INCLUDE sites-enabled/ in radiusd.conf.
Link sql.conf to modules.
$ cd modules
$ ln -s ../sql.conf sql
$ cd ..
Disable Proxy:
$ sudo vi radiusd.conf
proxy_requests  = no
Configure EAP:
$ cd /etc/freeradius
$ sed -i 's/use_tunneled_reply = no/use_tunneled_reply = yes/g' eap.conf
Disable PAP:
$ sed -i 's/pap$/#pap/g' sites-enabled/default
Run it:
$ sudo radiusd -X
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address port 18120 as server inner-tunnel
Ready to process requests.
Setup Test Environment:
Add the RADIUS client to the MT router:
Set up the MT router to authenticate the wireless network via EAP.
Add test username and password to MySQL. Try it.


This is a great inspiring article. I am pretty much pleased with your good work. You put really very helpful information.



Hey, nice site you have here! Keep up the excellent work!
