802.1X/EAP User Authentication

This blog will how to configure FreeRADIUS to authenticate wireless users via 802.1X/EAP.  MySQL will be used an user store.

Wireless AP will be a MikroTik (MT) router. RADIUS server will be FreeRADIUS 2.2.5 running on Linux Mint Debian. This tutorial is only an instruction to setup a 802.1X/EAP wireless network. It will not explain how 802.1X/EAP wireless network works.

Radius Terminologies:
Clients: A client refers to a NAS, like an access point (AP). In this tutorial, it is the MT router.
NAS: Network access server.

Change Ownership:
Default FreeRADIUS configuration files are in /etc/freeradius. To work in this folder easier change the folder ownership.

?

1	$ sudo chown -R jake:freerad /etc/freeradius

Configure NAS:
For clients to work probably, NAS requires to have a static ip address. To enable dynamic clients with no static ip address, please see this post. This tutorial will assume all the clients have a static ip address. Client configuration can be stored in a file or MySQL. Below show how to configure the client file.

?

1	$ cd /etc/freeradius

Open the client file with an editor.

?

1	$ sudo vi clients.conf

This file is well documented. Read through it for your own understanding. Add a new client by copy and paste the following to the end of the clients.conf. Client's ip address is the ip that the RADIUS have to communicate with. If RADIUS is within the same local network, client's ip address is its local ip address. If RADIUS have to speak the client via the internet, client's ip address is the public ip address.

?

1 2 3 4 5 6 7 8 9 10

client 127.313.28.15{  secret    = radius  shortname = client_home  nas_type  = mikrotik  limit {   max_connections = 0   lifetime = 0   idle_timeout = 30  } }

MySQL Configuration:
Setting up the MySQL database: Username: radius. Password: radpass.

?

1 2 3 4

mysql -uroot -p   CREATE DATABASE radius;   GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";   exit

Create the tables.

?

1 2	$sudo  mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql $sudo mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql

Configuration:
Add the radius database information. 

?

1 2 3 4 5 6 7 8 9

$vi sql.conf     driver = "rlm_sql_mysql"     # Connection info:     server = "localhost"     port = 3306     login = "radius"     password = "radpass"     read_groups = yes         read_clients = yes

Uncomment all sql in  /sites-enabled/default and /sites-enabled/inner-tunnel.

?

1	$ sudo sed -i s/^#.*sql$/sql/g sites-enabled/default

?

1	$ sudo sed -i s/^#.*sql$/sql/g /etc/freeradius/sites-enabled/inner-tunnel

Add $INCLUDE sql.conf below $INCLUDE sites-enabled/ in /radiusd.conf.
Link sql.conf to modules.

?

1	$ cd modules

?

1	$ ln -s sql.conf modules/sql

Disable Proxy:

?

1 2	sudo vi radiusd.conf proxy_requests  = no

Configure EAP:

?

1 2	$ cd /etc/freeradius $ sed -i s/use_tunneled_reply\ =\ no/use_tunneled_reply\ =\ yes/g  eap.conf

Disable PAP:

?

1	$ sed -i s/pap$/#pap/g  sites-enabled/default

Run it:

?

1 2 3 4 5

$ sudo radiusd -X Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Ready to process requests.

Setup Test Environment:
Add Radius Client to Mk Router:
Setup MK Router to authenticate wireless network via EAP.
Add test username and password to MySQL. Try it.