How to configure WPA2 enterprise on linux LEDE

Introduction

In this tutorial we will configure a router using linux LEDE to add authentication to the network (802.1x). In particular we will use Free-RADIUS. We will use "WPA2 Enterprise" encryption on the router.

Step 1: Install required software

First we will update the package information. Since enterprise WPA is not supported by the wpad-mini package, we will remove it and install the full wpad. Hostapd will be used to provide our access point (it should already be installed).

opkg update
opkg remove wpad-mini
opkg install hostapd wpad

Step 2: Install and configure Free-Radius

With the following commands we will install FreeRADIUS 2 with SQL support. SQL will make it easy to manage users.

opkg install freeradius2 freeradius2-common freeradius2-mod-chap freeradius2-mod-detail freeradius2-mod-eap freeradius2-mod-eap-md5 freeradius2-mod-eap-mschapv2 freeradius2-mod-eap-peap freeradius2-mod-eap-tls freeradius2-mod-eap-ttls freeradius2-mod-exec freeradius2-mod-files freeradius2-mod-logintime freeradius2-mod-mschap freeradius2-mod-pap freeradius2-mod-passwd freeradius2-mod-preprocess freeradius2-mod-radutmp freeradius2-utils

For SQLite support install the following dependencies:

opkg install sqlite3-cli libsqlite3 freeradius2-mod-sql freeradius2-mod-sql-sqlite freeradius2-mod-sqlcounter freeradius2-mod-sqllog

Now we want to disable the radiusd service, because in the next step we will test the configuration by starting the daemon by hand:

  • In LuCI go to System -> Startup and click the Enabled button next to radiusd to disable it; if radiusd is running, click Stop.

Step 3: FreeRADIUS configuration on linux LEDE

Open the file /etc/freeradius2/radiusd.conf and add the following configuration:

listen {
        type = auth
        ipaddr = 127.0.0.1
        port = 0
        interface = br-lan
}

Remember to check for any other listen sections in the radiusd.conf file. We recommend commenting all of them out.

Details on the configuration below:

  • type: can be auth or acct, which stand for authentication and accounting.
  • ipaddr: the bind address.
  • port: the port number to listen on. 0 means the default will be used.
  • interface: br-lan is the bridged LAN virtual interface that radiusd listens on.

You can add multiple listen sections in the file.

Now we need to create certificates, since we will use PEAP. First we need to install the openssl-util package, which provides the openssl command used to create them:

opkg install openssl-util

Create the directory structure in your home directory; we will move it later.

mkdir ~/CA && chmod 700 ~/CA && cd ~/CA
mkdir certs
mkdir newcerts
mkdir private
mkdir crl
touch index.txt
echo "01" > serial
echo "00" > crlnumber
cp /etc/ssl/openssl.cnf ~/CA

Note that we will use this openssl.cnf with the openssl commands later, so check the file and adjust it to your desired configuration settings. In particular you probably need to change the dir setting like this:

dir             = ~/CA          # Where everything is kept

If you get an error like:

Enter pass phrase for cakey.pem:
Error opening CA certificate ./demoCA/cacert.pem
2011565240:error:02001002:lib(2):func(1):reason(2):NA:0:fopen('./demoCA/cacert.pem','r')
2011565240:error:20074002:lib(32):func(116):reason(2):NA:0:
unable to load certificate

make sure you changed all the dir paths in the openssl.cnf file.

Create a file xpextensions with the following content:

[xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

Create the CA key and certificate, and symlink the key into the private dir (the link target must be the full path, otherwise the link points at itself):

openssl req -new -x509 -days 7300 -keyout cakey.pem -out cacert.pem -config openssl.cnf
ln -s ~/CA/cakey.pem ~/CA/private/cakey.pem

The next step is to create the server certificate:

openssl req -config openssl.cnf -newkey rsa:4096 -keyout serverkey.pem -out servercert.req
openssl ca -config openssl.cnf -out servercert.pem -extensions xpserver_ext -extfile xpextensions -keyfile cakey.pem -infiles servercert.req
openssl pkcs12 -export -in servercert.pem -inkey serverkey.pem -out server.p12 -clcerts
openssl pkcs12 -in server.p12 -out server.pem

Create the Certificate Revocation List, the DH parameters and the random file:

openssl ca -config openssl.cnf -gencrl -out crl.pem
openssl dhparam -text -5 1024 -out dh
dd if=/dev/random of=random bs=1M count=2

Now we are ready to configure PEAP. Open the file /etc/freeradius2/eap.conf and edit the following settings (remember that you can now move the CA directory from your home to /etc/ssl):

  • certdir: directory where the server certificate lives.
  • cadir: directory where the ca certificate lives.
  • private_key_password: password used in the last step of the server.pem generation.
  • private_key_file: location of server.pem.

Since this tutorial uses SQLite for user management, we now need to open /etc/freeradius2/sql.conf and add the following:

sql {
  database = 'sqlite'
}

Open the file /etc/freeradius2/sqlite_radius_client_database with the sqlite3 command and paste in the FreeRADIUS schema.

Uncomment the following line in the radiusd.conf file:

$INCLUDE sql.conf

Also uncomment all "sql" lines in /etc/freeradius2/sites/default to enable SQL in FreeRADIUS.

Finally configure /etc/freeradius2/clients.conf to allow the AP to access it:

client localhost {
        ipaddr = 127.0.0.1
        secret          = SomeSecretPhrase
        require_message_authenticator = no
        nastype     = other
}

Test the configuration with the command: radiusd -XX

If everything goes well you should see the message:

Info: Ready to process requests.

Step 3: Configure the access point (/etc/config/wireless)

  • Go under Network -> Wireless in LuCi.
  • Select Wireless Network that you want to edit.
  • Click in Advanced Settings -> Wireless Security.
  • Select WPA2-EAP.
  • Enter 127.0.0.1 (or the corresponding address) in the Radius-Authentication-Server field.
  • Enter the secret (clients.conf step) in the Radius-Authentication-Secret.

Click on Save and Apply.

Step 4: Add users to free radius on linux LEDE

If you need more details check the FreeRADIUS SQL HOWTO. The following statements add a user:

insert into radcheck (username, attribute, op, value) values ('testuser', 'Cleartext-Password', ':=', 'SecurePassword');
insert into radreply (username, attribute, op, value) values ('testuser', 'Fall-Through', '=', 'Yes');

To test the RADIUS server use the following command (the last argument is the secret from clients.conf):

echo "User-Name = testuser, User-Password = SecurePassword" | radclient -x 192.168.1.1 auth client_key
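The radclient test above sends a PAP Access-Request whose only protection is the shared secret from clients.conf. As an added example that is not part of this tutorial, the Python script below builds the same kind of packet by hand: it hides User-Password the way RFC 2865 prescribes and includes the Message-Authenticator attribute that the `require_message_authenticator = no` setting above makes optional, then shows the server-side checks that recover the password and detect a wrong secret or a modified packet. The secret and credentials are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constructed for this example: the secret is what clients.conf and the AP share,
# the credentials are the kind of row that radcheck holds.
SECRET = b"SomeSecretPhrase"

def encrypt_user_password(password, authenticator, secret):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def decrypt_user_password(encrypted, authenticator, secret):
    # Inverse of the above; this is what radiusd does before comparing with radcheck
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encrypted[i:i + 16], key))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")

def avp(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(username, password, secret, identifier=1):
    # Code 1 = Access-Request; attributes User-Name(1), User-Password(2), Message-Authenticator(80)
    authenticator = os.urandom(16)
    attrs = avp(1, username) + avp(2, encrypt_user_password(password, authenticator, secret))
    attrs += avp(80, b"\x00" * 16)  # zeroed placeholder, replaced by the HMAC below
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()  # RFC 3579 3.2
    return header + attrs[:-16] + mac

def parse_attrs(packet):
    # {code: (offset of value, value)} for the attributes following the 20-byte header
    attrs, pos = {}, 20
    while pos < len(packet):
        code, length = packet[pos], packet[pos + 1]
        attrs[code] = (pos + 2, packet[pos + 2:pos + length])
        pos += length
    return attrs

def verify_message_authenticator(packet, secret):
    # Recompute the HMAC over the packet with the attribute zeroed; wrong secret or tampering fails
    attrs = parse_attrs(packet)
    if 80 not in attrs:
        return False
    off, mac = attrs[80]
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac)

def recover_password(packet, secret):
    # Request Authenticator is bytes 4..20 of the header
    return decrypt_user_password(parse_attrs(packet)[2][1], packet[4:20], secret)
```

With the default `require_message_authenticator = no`, a request without attribute 80 is still accepted on the strength of the User-Password hiding alone; setting it to yes makes the HMAC check mandatory for that client.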