Install FreeRadius2 on an OpenWRT router for EAP authentication

Posted: January 8th, 2015 | Filed under: freeRADIUS, OpenWRT

This tutorial requires an OpenWRT-based router (obviously). It is based on my experience installing FreeRadius2 on a Netgear WNDR3800. At the end of it you have a router with a built-in FreeRADIUS server, PEAP-protected WiFi and local user storage. I have had good experience with routers based on the Atheros AR7161 chipset: they are plenty quick, have plenty of RAM (usually at least 64MB – 128MB) and have 8 – 16MB of flash memory.
Prerequisites:
I recommend you do a few things first before you install FreeRADIUS2 and start configuring:

  • Log in to the web interface of OpenWRT, go under System -> Startup and disable telnet. It is just good practice.
  • Unless you like editing files with the vi that ships with OpenWRT, install a text editor.
  • Install openssh-sftp-server, so you can transfer the certificates and related files easily via sftp.
  • ssh into your router and install the OpenSSL utility by issuing:
    > opkg install openssl-util
  • Stay in the shell and create the CA and server certificates you are going to use with freeRADIUS. Skip this step if you already have a certificate issued by a CA; just upload it to a directory on the router you will remember.
  • Create the OpenSSL ca.cert and server.pem certificates:
    1. Create the directory structure (if you store it under your /etc directory, it will get backed up by the stock backup utility):

      > mkdir ~/CA && chmod 700 ~/CA && cd ~/CA
      > mkdir certs
      > mkdir newcerts
      > mkdir private
      > mkdir crl
      > touch index.txt
      > echo "01" > serial
      > echo "00" > crlnumber
    2. Copy /etc/ssl/openssl.cnf into the ~/CA directory created above and edit it to your satisfaction (note the directory name: the directory variables in it must match the layout above).
    3. Create a file called xpextensions with the following content and leave it in the same directory as openssl.cnf.

      [xpclient_ext]
      extendedKeyUsage = 1.3.6.1.5.5.7.3.2   # id-kp-clientAuth
      [xpserver_ext]
      extendedKeyUsage = 1.3.6.1.5.5.7.3.1   # id-kp-serverAuth
    4. Create the CA key and certificate, and symlink the key into the private directory:

      > openssl req -new -x509 -days 7300 -keyout cakey.pem -out cacert.pem -config openssl.cnf
      > ln -s ~/CA/cakey.pem ~/CA/private/cakey.pem
    5. Create the server certificate (make sure you keep track of all the passwords, especially the in/out passwords at the last step; you need that one for freeRADIUS’s config):

      > openssl req -config openssl.cnf -newkey rsa:4096 -keyout serverkey.pem -out servercert.req
      > openssl ca -config openssl.cnf -out servercert.pem -extensions xpserver_ext -extfile xpextensions -keyfile cakey.pem -infiles servercert.req
      > openssl pkcs12 -export -in servercert.pem -inkey serverkey.pem -out server.p12 -clcerts
      > openssl pkcs12 -in server.p12 -out server.pem
    6. Create the Certificate Revocation List, the DH parameters and the random file:

      > openssl ca -config openssl.cnf -gencrl -out crl.pem
      > openssl dhparam -text -5 1024 -out dh
      > dd if=/dev/random of=random bs=1M count=2
  • The default wpa driver (wpad-mini) doesn’t support WPA2-Enterprise (802.1X) authentication, so we need to install the full version of wpad.
    The step below is specific to routers based on the Atheros chipset, so consult the OpenWRT hardware list to make sure.
    Uninstall wpad-mini and install the full wpad. Some older instructions say to install hostapd, but that has been deprecated since OpenWRT 7.0.3 (see here).

    > opkg remove wpad-mini
    > opkg install wpad
  • Optionally install SQLite3, in case you have quite a few users and want to do accounting, etc.

    > opkg install sqlite3-cli libsqlite3
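
Before eap.conf is pointed at the certificates created in the CA steps above, it is worth checking that the server certificate chains to the CA, carries the serverAuth EKU that xpextensions adds (PEAP supplicants reject server certificates without it) and matches its private key. This is an added example, not part of the original post: check_server_cert assumes the step-5 file names and the openssl CLI from openssl-util, and make_test_pki builds a constructed throwaway PKI so the check can be tried before it is run against the real files.

```shell
# Return 0 when server cert $2 chains to CA cert $1, carries the serverAuth
# EKU that the xpextensions file adds (PEAP supplicants reject server certs
# without it), and matches private key $3 ($4 is the key passphrase, if any).
check_server_cert() {
    ca=$1; cert=$2; key=$3; pass=${4:-}
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "chain: does not verify against CA"; return 1; }
    openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Server Authentication' \
        || { echo "EKU: serverAuth missing"; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "key: does not match certificate"; return 1; }
    echo "OK"
}

# Constructed throwaway PKI in directory $1 for trying the check out: a
# self-signed CA, a server cert signed with xpserver_ext, and one signed
# without the EKU so the check has something to reject.  Names are assumed.
make_test_pki() {
    d=$1; mkdir -p "$d"
    cat > "$d/test.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    openssl req -x509 -config "$d/test.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj '/CN=Test CA' -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
    openssl req -new -config "$d/test.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=radius.lan' -keyout "$d/serverkey.pem" -out "$d/servercert.req" 2>/dev/null
    openssl x509 -req -in "$d/servercert.req" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -days 30 -extfile "$d/test.cnf" -extensions xpserver_ext \
        -out "$d/servercert.pem" 2>/dev/null
    openssl x509 -req -in "$d/servercert.req" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -days 30 -out "$d/noeku.pem" 2>/dev/null
}

# Usage on the router, with the files from the steps above:
#   check_server_cert ~/CA/cacert.pem ~/CA/servercert.pem ~/CA/serverkey.pem 'key passphrase'
```

The server.pem produced at the end of step 5 holds both the certificate and the key, so it can be given as both the cert and the key argument together with the "out" password.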

Installation:
Copy and paste the following into the ssh shell.

> opkg install freeradius2 freeradius2-common freeradius2-mod-chap freeradius2-mod-detail freeradius2-mod-eap freeradius2-mod-eap-md5 freeradius2-mod-eap-mschapv2 freeradius2-mod-eap-peap freeradius2-mod-eap-tls freeradius2-mod-eap-ttls freeradius2-mod-exec freeradius2-mod-files freeradius2-mod-logintime freeradius2-mod-mschap freeradius2-mod-pap freeradius2-mod-passwd freeradius2-mod-preprocess freeradius2-mod-radutmp freeradius2-utils

Also the following if you want to use SQLite (I recommend this for test purposes for now).

> opkg install freeradius2-mod-sql freeradius2-mod-sql-sqlite freeradius2-mod-sqlcounter freeradius2-mod-sqllog

Small steps before configuration

  1. In LuCI, go under System -> Startup and click the Enabled button next to radiusd to disable it; if radiusd is running, click Stop.
  2. ssh in and edit /etc/init.d/radiusd: replace (or comment out) the line radiusd -i $IPADDR -p 1812,1813 $OPTIONS and put radiusd $OPTIONS in its place.

The reason for step 1 is that you will want to run radiusd -XX (debug mode) while you are configuring and testing. Step 2 is needed because radiusd must also listen on localhost; we want to stop the init script from binding radiusd only to our network IP address.

Configuration:
Unlike in the FreeRADIUS documentation, our configuration files are stored in the /etc/freeradius2 directory instead of /etc/raddb or /etc/freeradius/.

Here is the list of files you will need to modify:

  1. radiusd.conf
    In this section you configure the listening address, port and interface:

    listen {
            type = auth
            ipaddr = 127.0.0.1
            port = 0
            interface = br-lan
    }

    In the example above, type is required; ipaddr and interface are recommended. If they are absent, radiusd will make its best guess.

    • type can be auth or acct, for authentication and accounting.
    • ipaddr is the IP address to bind to; since we are running the server locally, localhost is a must.
    • port is the port to listen on; 0 tells radiusd to use the system default.
    • interface is the network interface radiusd should listen on; on OpenWRT, br-lan is the bridged LAN virtual interface.

    If you want other APs on your network to authenticate against this server, add another listen instance bound to this server’s network address.

  2. eap.conf
    Since we are going to use PEAP, you just have to go to the tls {} section and fill in the relevant information, i.e.:

    • certdir: the directory where the server certificate lives (see above)
    • cadir: the directory where the CA certificate lives
    • private_key_password: the “out” password used in the last step of the server.pem generation
    • private_key_file: the location of server.pem

    Make sure the files referenced in the lines after these make sense.

  3. clients.conf
    This file stores the information about other APs or devices that may use this server for authentication. For our purposes, we need localhost.

    client localhost {
            secret          = SomeSecretPhrase
            require_message_authenticator = no
            nastype     = other
    }

    You will need to enter the secret in the WiFi Security setup page.

    You can add other APs by their particular IP addresses.

  4. users
    This is the text file which stores users’ names and passwords in cleartext.

    "User name in quotes"       Cleartext-Password := "Password in quotes"
                     Reply-Message = "Hello, %{User-Name}",
                     Fall-Through = Yes

    Enable the Fall-Through option if you have other users after this one.

  5. sql.conf

    The setup is quite simple:

    sql {
      database = 'sqlite'
    }

    The default database always resides in /etc/freeradius2 and is called sqlite_radius_client_database.

    I don’t think SQLite is production ready yet in version 2 of freeRADIUS. You can grab the schema and SQL files from the 3.0.x source tree, particularly under the freeradius-server/raddb/mods-config/sql directory.

    Put the SQL files in a directory you can access on OpenWRT and use the sqlite3 .read command to read and execute them.

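
Once the 3.0.x schema has been loaded with .read, users are added through the radcheck and radreply tables rather than the users file. This added example (not from the original post) shows the SQL equivalent of the users-file entry above, assuming the sqlite3 CLI and the radcheck/radreply column layout (username, attribute, op, value) from that schema; the database path is whatever sql.conf points at. make_test_db is a constructed stand-in for the two tables so the functions can be tried off the router.

```shell
# Quote a value for use inside a single-quoted SQL literal (doubles any ').
sql_quote() { printf '%s' "$1" | sed "s/'/''/g"; }

# add_radius_user DB USER PASSWORD: the SQL equivalent of the users-file entry
#   "user"  Cleartext-Password := "pass"
#           Reply-Message = "Hello, %{User-Name}"
# Check items go to radcheck with the := operator, reply items to radreply.
add_radius_user() {
    db=$1; u=$(sql_quote "$2"); p=$(sql_quote "$3")
    sqlite3 "$db" "INSERT INTO radcheck (username, attribute, op, value)
                     VALUES ('$u', 'Cleartext-Password', ':=', '$p');
                   INSERT INTO radreply (username, attribute, op, value)
                     VALUES ('$u', 'Reply-Message', '=', 'Hello, %{User-Name}');"
}

# get_radius_password DB USER: print the stored Cleartext-Password (empty if none).
get_radius_password() {
    sqlite3 "$1" "SELECT value FROM radcheck
                  WHERE username = '$(sql_quote "$2")' AND attribute = 'Cleartext-Password';"
}

# Constructed stand-in for the two tables as laid out in the 3.0.x sqlite
# schema.sql; on the router you would .read the real schema instead.
make_test_db() {
    sqlite3 "$1" "CREATE TABLE radcheck (id INTEGER PRIMARY KEY AUTOINCREMENT,
        username varchar(64) NOT NULL DEFAULT '', attribute varchar(64) NOT NULL DEFAULT '',
        op char(2) NOT NULL DEFAULT '==', value varchar(253) NOT NULL DEFAULT '');
      CREATE TABLE radreply (id INTEGER PRIMARY KEY AUTOINCREMENT,
        username varchar(64) NOT NULL DEFAULT '', attribute varchar(64) NOT NULL DEFAULT '',
        op char(2) NOT NULL DEFAULT '=', value varchar(253) NOT NULL DEFAULT '');"
}
```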

Configuring the Wifi interface:

Go under Network -> Wifi in LuCI.

  1. Select the Wireless Security tab under Interface Configuration
  2. Select WPA2-EAP
  3. Enter the radiusd’s ip address in the Radius-Authentication-Server field
  4. Enter the secret (as you typed in clients.conf) in the Radius-Authentication-Secret field
  5. Click on Save and Apply

Test and Debug:
Open an ssh shell and run radiusd -XX. If the configuration is correct, a whole bunch of text will fly by and it ends by saying radiusd is listening; now you can try to get some of your wireless devices to connect, using the new WPA2-EAP or WPA2-Enterprise settings.

When you are happy with the settings, go back to System -> Startup and enable radiusd.

Backup:
A note about the Backup function under System -> Backup/Flash: it only backs up the /etc directory. Keep that in mind and back up your certificate directory separately.
