This blog will take you through the basics of 802.1X authentication and the steps to configure FreeRADIUS on a Raspberry Pi. Quite recently, I got the opportunity to work on the FreeRADIUS server for a customer requirement to test their product (access points) against the 802.1X standard. To achieve this, I had to set up my own RADIUS server.
What is 802.1X and How Does it Work?
In a wireless network, an access point uses 802.1X to authenticate a client's request to connect to the Wi-Fi. Whenever a wireless client tries to connect to a WLAN, the client passes user information (username/password) to the access point, and the access point forwards this information to the designated RADIUS server. The RADIUS server receives the connection request, authenticates the user, and then returns the configuration information required for the client to connect to the Wi-Fi.
802.1X authentication comprises three main parts:
1) Supplicant: the client or end user who is waiting for authentication.
2) Authentication server (usually a RADIUS server): the server that decides whether to accept the end user's request for full network access.
3) Authenticator: an access point or a switch that sits between the supplicant and the authentication server. It acts as a proxy for the end user and restricts the end user's communication with the authentication server.
To implement 802.1X, we need an external server called a Remote Authentication Dial-In User Service (RADIUS) or Authentication, Authorization, and Accounting (AAA) server, which is used for a variety of network protocols and environments, including ISPs.
RADIUS is a client-server protocol that enables remote servers (Network Access Servers, NAS) to communicate with central servers (Active Directory) to authenticate and authorize dial-in users (Wi-Fi/wired clients) and give them access to the requested resources.
It provides security and gives companies a central location for managing client credentials, with easy-to-execute policies that can be applied to a vast range of users from a single administered network point.
It helps companies maintain the privacy and security of the system and of individual users. There are many RADIUS servers available for free which you can configure on your machine. One of them is FreeRADIUS, a daemon for Unix and Unix-like operating systems that lets you set up a RADIUS protocol server for authentication and accounting of various types of network access.
Installation and Configuration of FreeRADIUS Server Using the Terminal on a Raspberry Pi
Given below are the steps to install FreeRADIUS:
Open a terminal window. To switch to the root user, type the command given below:
sudo su -
You will now have a root shell.
To start the installation of FreeRADIUS:
apt-get install freeradius -y
The steps to configure FreeRADIUS:
To add users that need to be authenticated by the server, you need to edit the /etc/freeradius/3.0/users file.
The entry format is "user name" Cleartext-Password := "Password"
For example, "John Doe" Cleartext-Password := "hello"
To add clients (a client is the access point IP/subnet that needs to direct messages to the RADIUS server for authentication):
You need to edit /etc/freeradius/3.0/clients.conf.
In the example given below, I am allowing access points that have an IP in the subnet 192.168.0.0/16:
# Allow any address that starts with 192.168
client 192.168.0.0/16 {
    secret = helloworld
    shortname = office-network
}
Or, to allow any device with any IP:
client 0.0.0.0/0 {
    secret = helloworld
    shortname = office-network
}
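The client range and the shared secret are the two settings in clients.conf that decide who can talk to the server, so here is a check for both, as an added example that is not part of the original post or of FreeRADIUS itself. The function name, the constructed sample file and its third client block are assumptions; the 16-character minimum follows the preference stated in RFC 2865.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit clients.conf for
# over-broad client ranges and weak shared secrets.
# Assumes "key = value" lines with spaces around "=", as in the post.

audit_clients_conf() {   # $1 = path to clients.conf; one finding per line
  awk -v minlen=16 '
    function report() {
      if (addr == "0.0.0.0/0" || addr == "::/0")
        print addr ": accepts RADIUS packets from any source address"
      if (length(secret) < minlen)
        print addr ": shared secret shorter than " minlen " characters"
      if (secret == "testing123" || secret == "helloworld")
        print addr ": shared secret is a published example value"
    }
    /^[[:space:]]*#/             { next }            # comment line
    depth == 0 && $1 == "client" { addr = $2; secret = ""; depth = 1; next }
    depth == 0                   { next }            # outside client blocks
    $NF == "{"                   { depth++; next }   # nested section
    $1 == "}"                    { if (--depth == 0) report(); next }
    depth == 1 && $2 == "=" && ($1 == "ipaddr" || $1 == "ipv4addr") { addr = $3 }
    depth == 1 && $2 == "=" && $1 == "secret" { secret = $3; gsub(/"/, "", secret) }
  ' "$1"
}

# Constructed sample: the two blocks from the post plus a tighter one
# (single access point address, long random secret made up for this demo).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
client 192.168.0.0/16 {
    secret = helloworld
    shortname = office-network
}
client 0.0.0.0/0 {
    secret = helloworld
    shortname = office-network
}
client ap-floor1 {
    ipaddr = 192.168.10.5
    secret = "Zq7pR2mX9vLt4KdW8sHy"
    limit {
        max_connections = 16
    }
}
EOF
audit_clients_conf "$sample"
```

Point it at /etc/freeradius/3.0/clients.conf before restarting the service; no output means none of the three conditions matched.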
Quick Steps to Test FreeRADIUS
Now make sure that FreeRADIUS initializes successfully using the following commands. You should see “Info: Ready to process requests” at the end of the initialization process.
# service freeradius stop
# freeradius -XXX
If FreeRADIUS starts with no hassle, you can then type Ctrl-C to exit the program and restart it with:
# service freeradius start
There is a command-line tool called radtest that is used to exercise the RADIUS server. Type:
radtest "username" "password" localhost 1812 testing123
For example:
radtest "John Doe" hello localhost 1812 testing123
You should receive a response that says “Access-Accept”.
By using the steps mentioned above, you will be able to set up a FreeRADIUS server. We also learned how to add a subnet range that is allowed to send access requests to the server. Please note that if the AP subnet is not entered correctly, the server will surely be pingable, but access requests will never reach the server. In the current example, we added only one user to the users file; however, there is immense scope to add multiple users as per our needs.
Whenever a wireless client tries to connect to a WLAN, the client will pass user information (username/password) to access points. Then, the access points forward info to the FreeRADIUS server, which then authenticates the users and returns configuration information essential for the client to connect to WiFi. In cases wherein the credentials don’t match the database created on the server, the server sends across ‘Access-Reject’ to the access point and the client’s request is declined.
We can also configure MAC-based authentication on the server, where the server authenticates the user based on a configured list of allowed MAC addresses. If the MAC address matches, the server will send an ‘Access-Accept’ message. If a suspicious machine whose MAC is not configured tries to connect to the network, an ‘Access-Reject’ message is sent.
To configure MAC address authentication on FreeRADIUS, you need to edit the /etc/freeradius/3.0/users file.
To add users, use the entry format given below:
"user name" Cleartext-Password := "Password"
For MAC authentication, use the same format, but in place of both the user name and the password write the MAC address of the device you want the RADIUS server to authenticate, all in lowercase letters and without colons (:).
E.g. "453a345e56ed" Cleartext-Password := "453a345e56ed"
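Device inventories rarely list MAC addresses in the lowercase, separator-free form the users file needs, so here is an added example (not part of the original post) that converts a list of MACs into entries in that format and rejects anything that is not a 12-digit hex address. The function names are assumptions, and every sample address except the post's 453a345e56ed is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): turn a device inventory into
# MAC-authentication entries for the users file.

normalize_mac() {   # $1 = MAC in any common notation; prints 12 lowercase hex digits
  local mac
  mac=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':.-')
  case "$mac" in
    *[!0-9a-f]*) return 1 ;;               # non-hex character left over
  esac
  [ "${#mac}" -eq 12 ] || return 1          # must be exactly 48 bits
  printf '%s\n' "$mac"
}

mac_users_entries() {   # stdin: one MAC per line; stdout: users-file entries
  local line mac seen=" " rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                                   # drop trailing comments
    line=$(printf '%s' "$line" | tr -d '[:space:]')
    [ -n "$line" ] || continue
    if ! mac=$(normalize_mac "$line"); then
      echo "rejected: $line" >&2; rc=1; continue
    fi
    case "$seen" in *" $mac "*) continue ;; esac       # skip duplicates
    seen="$seen$mac "
    printf '"%s" Cleartext-Password := "%s"\n' "$mac" "$mac"
  done
  return $rc                                           # non-zero if any line was rejected
}

# Constructed inventory: the post's MAC in two notations, one dotted MAC,
# one truncated address and one non-hex address.
printf '%s\n' '45:3A:34:5E:56:ED' '45-3a-34-5e-56-ed' '0011.2233.4455' \
              '45:3a:34:5e:56' 'zz:zz:zz:zz:zz:zz' \
  | mac_users_entries || echo "some addresses were rejected" >&2
```

Entries go to standard output and rejections to standard error, so the output can be reviewed before it is appended to the users file.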
Summary
This can go a long way in helping companies implement security protocols and only allow verified devices to connect to the network. I hope this article helps you with the easy setup of FreeRADIUS Server Using Raspberry Pi3.