Freeradius On Debian 7
Authentication test:
radtest testuser testpassword localhost 0 testing123
At the end of the preceding command there is a passphrase (“testing123”). This shared secret is
defined in /etc/freeradius/clients.conf. In this file you need to declare all the clients that are allowed to
send authentication requests, typically the access points. By default localhost is allowed with
“testing123” as passphrase.
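To make clear what that passphrase is actually used for, here is an added example (not code from the page or from FreeRADIUS) implementing the RFC 2865 mechanics: the secret never leaves the host, it keys the MD5 keystream that hides User-Password in the Access-Request and it signs the server's Access-Accept/Reject. The toy server and the user table are constructed for the example; a client whose secret does not match the entry in clients.conf gets a password mismatch and a reply it cannot verify, which is exactly what you see when a new access point is added with the wrong secret.

```python
"""Added example (not from the page): what FreeRADIUS and its client do with the
shared secret from clients.conf, following RFC 2865.  The secret itself never
crosses the network; it seeds the MD5 keystream that hides User-Password in an
Access-Request and it authenticates the server's reply."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block); the first block is keyed by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, run by a server holding the same secret.
    Trailing NULs are padding (passwords containing NUL are not supported here)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(payload: bytes) -> dict:
    """Decode type/length/value attributes, refusing truncated or zero-length ones."""
    attrs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute")
        attrs[payload[i]] = payload[i + 2:i + payload[i + 1]]
        i += payload[i + 1]
    return attrs


def build_access_request(ident, username, password, secret, request_auth):
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_check(request, secret, users):
    """Toy server: decode the request with the secret configured for this client
    and answer Accept or Reject, signing the reply with the same secret."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    expected = users.get(attrs[ATTR_USER_NAME])
    ok = expected is not None and hmac.compare_digest(expected, password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, request_auth, b"", secret)


def verify_reply(reply, request_auth, secret):
    """Client side: a reply whose authenticator does not verify was not signed
    with our secret and must be dropped, so a forged reply is never accepted."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request_auth, reply[20:length], secret)
    return hmac.compare_digest(reply[4:20], expected)


if __name__ == "__main__":
    users = {b"testuser": b"testpassword"}          # constructed user table
    ra = os.urandom(16)
    req = build_access_request(1, b"testuser", b"testpassword", b"testing123", ra)
    good = server_check(req, b"testing123", users)
    bad = server_check(req, b"wrongsecret", users)  # server configured with another secret
    print("matching secret :", good[0] == ACCESS_ACCEPT, verify_reply(good, ra, b"testing123"))
    print("mismatched secret:", bad[0] == ACCESS_REJECT, verify_reply(bad, ra, b"testing123"))
```

The take-away for clients.conf is that the secret is a symmetric key: MD5-based hiding with a per-client static secret is weak by modern standards, so keep the secret long and random, give each access point its own entry, and never reuse “testing123” beyond the localhost radtest check.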
EAP-TTLS
By default, EAP-TTLS is already configured correctly. In this part we will just check that authentication
works with the eapol_test tool.
eapol_test installation:
apt-get install build-essential libssl-dev
wget http://w1.fi/releases/wpa_supplicant-0.7.3.tar.gz
tar -xvf wpa_supplicant-0.7.3.tar.gz
cd wpa_supplicant-0.7.3/wpa_supplicant
cp defconfig .config
make eapol_test
cp eapol_test /usr/local/bin
If everything is fine, “SUCCESS” will appear at the end of the standard output. You can follow the
logs in the log file located in /var/log/freeradius/radius.log. If you have an error, you will see
something like this:
tail -f /var/log/freeradius/radius.log
Logs configuration
I wanted the logs to be more verbose and, in particular, to show user authentications. These changes
are made in the log section of /etc/freeradius/radiusd.conf.
vim /etc/freeradius/radiusd.conf
auth = yes #print authentication in logs
auth_badpass = yes #print bad passwords
auth_goodpass = yes #print good passwords
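With auth = yes every authentication attempt produces an “Auth:” line in radius.log, and auth_badpass / auth_goodpass add the cleartext password to it. The following added example (my code, not the page's) parses those lines to count failed logins per user and to list the lines that carry a password; the sample log text is constructed in the FreeRADIUS 2.x format and is not from a real server.

```python
"""Added example (not from the page): a small parser for the Auth lines that
auth = yes writes to /var/log/freeradius/radius.log.  The sample lines below
are constructed in the FreeRADIUS 2.x format; they are not from a real server."""
import re
from collections import Counter, namedtuple

AuthEvent = namedtuple("AuthEvent", "timestamp ok user password client port")

# "Login OK: [user]" or "Login incorrect: [user/password]"; the "/password"
# part is present only when auth_goodpass / auth_badpass are enabled.
AUTH_LINE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^\]/]*)(?:/(?P<password>[^\]]*))?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)[^)]*\)$"
)

SAMPLE_LOG = """\
Mon Jan 14 10:22:31 2013 : Info: Ready to process requests.
Mon Jan 14 10:22:35 2013 : Auth: Login OK: [testuser] (from client localhost port 0)
Mon Jan 14 10:22:40 2013 : Auth: Login incorrect: [testuser/wrongpass] (from client localhost port 0)
Mon Jan 14 10:22:41 2013 : Auth: Login incorrect: [testuser/wrongpass2] (from client localhost port 0)
Mon Jan 14 10:23:02 2013 : Auth: Login OK: [alice/alicepw] (from client ap-2 port 1 cli 00-11-22-33-44-55)
"""


def parse_log(text: str) -> list:
    """Return one AuthEvent per Auth line; Info/Error lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_LINE.match(line)
        if m:
            events.append(AuthEvent(m["ts"], m["result"] == "OK", m["user"],
                                    m["password"], m["client"], int(m["port"])))
    return events


def failures_per_user(events) -> Counter:
    """Failed logins per user: a quick signal for password guessing on the SSID."""
    return Counter(e.user for e in events if not e.ok)


def credential_leaks(events) -> list:
    """Events whose log line carries the cleartext password.  With auth_goodpass
    or auth_badpass enabled, radius.log becomes a credential store: restrict its
    permissions and retention accordingly."""
    return [e for e in events if e.password is not None]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("failures:", dict(failures_per_user(events)))
    for e in credential_leaks(events):
        print("password logged for", e.user, "from", e.client)
```

auth_badpass is the useful one for spotting typos and guessing attempts; auth_goodpass writes every valid password to disk, so if you enable it, make sure /var/log/freeradius is readable only by the freerad user and rotated quickly.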
LDAP association
Now the basic server works well. It’s time to connect the freeradius server to the central LDAP
server.
Basic installation
apt-get install freeradius-ldap
vim /etc/freeradius/modules/ldap
server = "192.168.10.1"
identity = "cn=admin,dc=mydomain,dc=com"
password = ldappassword
basedn = "dc=mydomain,dc=com"
vim /etc/freeradius/sites-available/inner-tunnel
Uncomment (or add) “ldap” in the authorize section:
ldap
and the LDAP block in the authenticate section:
Auth-Type LDAP {
ldap
}
Do the same test as before with a user from the LDAP database.
Group filter:
We want only the members of the “wifi” group to be able to connect to the wifi.
vim /etc/freeradius/modules/ldap
groupname_attribute = cn
groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{User-Name}))"
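The filter above is expanded per request: %{User-Name} is replaced by the name the client sent, and the result is searched under the basedn. The added example below (my code, not the page's or FreeRADIUS's) reproduces that expansion with RFC 4515 escaping and evaluates the resulting filter against a constructed set of posixGroup entries, so you can see which groups come back for a user and why escaping the substituted value matters. The tiny evaluator only understands the (&(attr=value)...) shape the page uses.

```python
"""Added example (not from the page): how the groupmembership_filter above is
expanded and what it matches.  Directory entries are constructed, and the filter
evaluator handles only the (&(attr=value)...) shape that the page's filter uses."""
import re

GROUP_FILTER = "(&(objectClass=posixGroup)(memberUid=%{User-Name}))"

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, request: dict) -> str:
    """Replace %{Attr} with the escaped request attribute.  FreeRADIUS's ldap
    module applies this escaping itself when it expands the filter."""
    return re.sub(r"%\{([A-Za-z0-9-]+)\}",
                  lambda m: escape_filter_value(request[m.group(1)]), template)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_and_filter(filter_str: str) -> list:
    """Parse (&(a=v)(b=w)...) into [(attr, value), ...].  A value of None means
    a presence test (the bare '*' wildcard).  Any other filter shape is rejected."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    pairs = re.findall(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)", m.group(1))
    if "".join(f"({a}={v})" for a, v in pairs) != m.group(1):
        raise ValueError("unsupported filter: " + filter_str)
    return [(a.lower(), None if v == "*" else _unescape(v)) for a, v in pairs]


def entry_matches(entry: dict, terms: list) -> bool:
    for attr, value in terms:
        values = entry.get(attr, [])
        if value is None:
            if not values:
                return False
        elif value not in values:
            return False
    return True


DIRECTORY = [  # constructed sample entries; attribute names lower-cased
    {"dn": "cn=wifi,ou=groups,dc=mydomain,dc=com", "objectclass": ["posixGroup"],
     "cn": ["wifi"], "memberuid": ["alice", "bob"]},
    {"dn": "cn=admins,ou=groups,dc=mydomain,dc=com", "objectclass": ["posixGroup"],
     "cn": ["admins"], "memberuid": ["alice"]},
    {"dn": "uid=carol,ou=people,dc=mydomain,dc=com", "objectclass": ["posixAccount"],
     "uid": ["carol"]},
]


def groups_for_user(username: str, directory=DIRECTORY, escape=True) -> list:
    """Group names the filter returns for a User-Name.  escape=False substitutes
    the raw name and exists only to show why the escaping is needed."""
    if escape:
        filt = expand_filter(GROUP_FILTER, {"User-Name": username})
    else:
        filt = GROUP_FILTER.replace("%{User-Name}", username)
    terms = parse_and_filter(filt)
    return [e["cn"][0] for e in directory if entry_matches(e, terms)]


def allowed_on_wifi(username: str) -> bool:
    return "wifi" in groups_for_user(username)


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, groups_for_user(name), "wifi:", allowed_on_wifi(name))
    print("escaped filter for '*':", expand_filter(GROUP_FILTER, {"User-Name": "*"}))
```

Two things the example makes visible: a bare “*” substituted without escaping turns memberUid into a presence test and matches every group, whereas the escaped form \2a only matches a literal asterisk; and the filter on its own just tells FreeRADIUS how to look groups up, so the actual rejection of users outside “wifi” still has to be expressed in the site configuration (an Ldap-Group check), which the page does not show.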
The last point is to configure your access points to communicate with your freeradius server. Each
access point needs its own client entry in /etc/freeradius/clients.conf, with the shared secret that is
configured on the access point, for example:
client 192.168.10.101 {
secret = sharedsecret
shortname = ap-2
}
Have Fun =)