Overview
Users will learn how to configure a minimal FreeRADIUS server and WPA2-PEAP (WPA-Enterprise) on airOS. There are several options for RADIUS servers, such as FreeRADIUS, Radiator and Microsoft NPS.
How to Install FreeRADIUS Server on Ubuntu 18.04
1. Install FreeRADIUS and Nano text editor with the following command:
sudo apt-get install freeradius nano
2. Edit the EAP configuration file and set the default EAP type to PEAP with:
sudo nano /etc/freeradius/eap.conf
default_eap_type = peap
Press CTRL-O to save or CTRL-X to exit.
3. Add the username and password to be used on the Station:
sudo nano /etc/freeradius/users
Add the following line at the bottom:
customer Cleartext-Password := "password"
Press CTRL-O to save or CTRL-X to exit.
4. Enable and configure the mschap-v2 protocol:
sudo nano /etc/freeradius/modules/mschap
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
Press CTRL-O to save or CTRL-X to exit.
5. Edit radiusd.conf to enable logging of authentication successes and failures. You can check /var/log/radius.log for successful and failed authentication attempts. This step is optional, but useful when troubleshooting.
Under the "log" section:
auth = yes
auth_badpass = yes
auth_goodpass = yes
Press CTRL-O to save or CTRL-X to exit.
6. Reload libraries:
ldconfig
7. Add a new RADIUS client (the Access Point):
sudo nano /etc/freeradius/clients.conf
Add the IP address and shared secret for the AP config:
client 192.168.1.41 {
    secret = testing123
    shortname = airMAX-AP-2
}
8. Restart the RADIUS service and test authentication:
sudo service freeradius restart
Usage:
radtest {username} {password} {hostname} 10 {radius_secret}
Example:
radtest customer password localhost 10 testing123
You should see an Access-Accept reply in the output.
Access Point Configuration
Make sure the AP is configured with the IP address used when configuring clients.conf in the section above.
1. Navigate to the Wireless tab and fill out the Wireless Security section as follows:
- Security: WPA2-AES
- WPA Authentication: EAP
- Auth Server IP/Port: IP.OF.RADIUS.SERVER (Default port is 1812)
- Auth Server Secret: The secret configured in clients.conf. (In this example "testing123").
2. Click Change > Apply
Station Configuration
1. Navigate to the Wireless tab. Configure the SSID either manually or via Site Survey. If you don’t see the AP, confirm that the channel width matches the AP. Edit as follows under the Wireless Security section:
- Security: WPA2-AES
- WPA Authentication: EAP EAP-PEAP MSCHAPV2
- WPA User Name: This should match the user added in /etc/freeradius/users. (In this example "customer").
- WPA User Password: This should match the password for the user "customer". (In this example "password").
2. Click Change > Apply
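The values used in this walkthrough (the shared secret "testing123", the password "password", and password logging in radius.log) are test values. The following check is an added example, not part of the original article or of FreeRADIUS; it reads the four files edited above and reports settings that should change before the server leaves the test bench. The deny-list, the 16-character minimum and the function names are assumptions.

```python
import re

WEAK = {"testing123", "password", "secret"}  # assumed deny-list of sample values
MIN_LEN = 16  # assumed local policy, not a FreeRADIUS requirement

def settings(text):
    """Collect 'key = value' lines, ignoring comments and block headers."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line and not line.endswith("{"):
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip().strip('"')
    return out

def weak(value):
    return value in WEAK or len(value) < MIN_LEN

def audit(clients, users, radiusd, mschap):
    """Return findings for the four files edited in the steps above."""
    findings = []
    for name, body in re.findall(r"client\s+(\S+)\s*\{([^}]*)\}", clients):
        if weak(settings(body).get("secret", "")):
            findings.append(f"client {name}: weak or sample shared secret")
    for user, pw in re.findall(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"', users, re.M):
        if weak(pw):
            findings.append(f"user {user}: weak or sample password")
    log = settings(radiusd)
    for key in ("auth_badpass", "auth_goodpass"):
        if log.get(key) == "yes":
            findings.append(f"{key} = yes: submitted passwords can appear in radius.log")
    ms = settings(mschap)
    for key in ("require_encryption", "require_strong"):
        if ms.get(key) != "yes":
            findings.append(f"mschap: {key} is not set to yes")
    return findings

# Constructed samples that repeat the values shown on this page.
CLIENTS = "client 192.168.1.41 {\nsecret = testing123\nshortname = airMAX-AP-2\n}\n"
USERS = 'customer Cleartext-Password := "password"\n'
RADIUSD = "log {\nauth = yes\nauth_badpass = yes\nauth_goodpass = yes\n}\n"
MSCHAP = "use_mppe = yes\nrequire_encryption = yes\nrequire_strong = yes\nwith_ntdomain_hack = yes\n"

if __name__ == "__main__":
    for finding in audit(CLIENTS, USERS, RADIUSD, MSCHAP):
        print(finding)
```

To check a live server, pass the contents of the real files to audit() in place of the constructed strings.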