airMAX - How to Set Up RADIUS Server Authentication on airOS Devices (FreeRadius)

Overview


Users will learn how to configure a minimal FreeRADIUS server and WPA2-PEAP (WPA-Enterprise) on airOS. There are several options for RADIUS servers, such as FreeRADIUS, Radiator and Microsoft NPS.

Table of Contents


  1. How to Install FreeRADIUS server on Ubuntu 16.04
    1. Install FreeRADIUS and Nano text editor
    2. Edit EAP Configuration
    3. Add Username and Password
    4. Enable and Configure
    5. Edit radiusd.conf
    6. Reload
    7. Add new RADIUS client
    8. Restart
  2. Access Point Configuration
  3. Station Configuration

How to Install FreeRADIUS server on Ubuntu 16.04



1. Install FreeRADIUS and Nano text editor

sudo apt-get install freeradius nano


2. Edit EAP configuration file and set default EAP type to PEAP

sudo nano /etc/freeradius/eap.conf
default_eap_type = peap

CTRL-O to Save

CTRL-X to Exit



3. Add Username and Password to be used on Station

sudo nano /etc/freeradius/users
<add the following line at the bottom>
customer Cleartext-Password := "password"

CTRL-O to Save

CTRL-X to Exit



4. Enable and Configure mschap-v2 protocol:

sudo nano /etc/freeradius/modules/mschap
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes

CTRL-O to Save

CTRL-X to Exit

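5. Edit radiusd.conf to enable logging of authentication successes and failures. You can check /var/log/radius.log for successful/failed authentication attempts. This step is optional, but useful when troubleshooting. Note that auth_badpass and auth_goodpass add the password to logged attempts that carry one (such as radtest requests), so turn them off again once troubleshooting is finished.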

Under "log" section:

auth = yes
auth_badpass = yes
auth_goodpass = yes

CTRL-O to Save

CTRL-X to exit

6. Reload libraries:

ldconfig

7. Add new RADIUS client <Access Point>

sudo nano /etc/freeradius/clients.conf

Add the IP address and shared secret for AP config

client 192.168.1.41 {
secret          = testing123
shortname       = airMAX-AP-2
}



8. Restart RADIUS service and test authentication

sudo service freeradius restart

Usage:

radtest {username} {password} {hostname} 10 {radius_secret}

Example:

radtest customer password localhost 10 testing123

You should see an Access-Accept reply from the server.

Access Point Configuration



Make sure the AP is configured with the IP address used when configuring clients.conf in the section above.  

1. Navigate to the Wireless tab and fill out the Wireless Security section as follows:

Security:  WPA2-AES

WPA Authentication: EAP

Auth Server IP/Port: IP.OF.RADIUS.SERVER  (Default port is 1812)

Auth Server Secret: secret configured in clients.conf. (For this example “testing123”)

2. Click Change > Apply



Station Configuration



1. Navigate to the Wireless tab.

Configure the SSID either manually or via Site Survey. If you don’t see the AP, confirm that the station's channel width matches the AP's.

Edit as follows under the Wireless Security section:

Security: WPA2-AES

WPA Authentication: EAP EAP-PEAP MSCHAPV2

WPA User Name: This should match the user added in /etc/freeradius/users. (In this example "customer").

WPA User Password: This should match the password for the user "customer". (In this example "password").

2. Click Change > Apply
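
Once the link authenticates, the placeholder values from steps 3, 5 and 7 of the server setup should not stay in place. The script below is an added example, not part of the original guide: it flags the sample shared secret, the sample customer account and password logging in a FreeRADIUS config directory. The function names, the finding labels and the 16-character threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original guide): flag the guide's placeholder
# values if they are still present in a FreeRADIUS config directory.

# Constructed sample: writes files holding the same values the guide uses.
make_sample() {
    mkdir -p "$1"
    printf 'client 192.168.1.41 {\n  secret = testing123\n  shortname = airMAX-AP-2\n}\n' > "$1/clients.conf"
    printf 'customer Cleartext-Password := "password"\n' > "$1/users"
    printf 'log {\n  auth = yes\n  auth_badpass = yes\n  auth_goodpass = yes\n}\n' > "$1/radiusd.conf"
}

# audit_freeradius DIR: prints one finding per line; always returns 0.
audit_freeradius() {
    dir=${1:-/etc/freeradius}
    min_len=16   # assumption: this example's own threshold, not a FreeRADIUS rule

    # clients.conf: extract each uncommented "secret = value" and test it.
    sed -n 's/^[[:space:]]*secret[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' \
        "$dir/clients.conf" 2>/dev/null |
    while IFS= read -r s; do
        if [ "$s" = "testing123" ]; then
            echo "SAMPLE_SECRET clients.conf: secret is the guide's example value"
        elif [ "${#s}" -lt "$min_len" ]; then
            echo "SHORT_SECRET clients.conf: secret shorter than $min_len characters"
        fi
    done

    # users: the guide's sample account and password left in place.
    if grep -Eq '^customer[[:space:]]+Cleartext-Password[[:space:]]*:=[[:space:]]*"password"' "$dir/users" 2>/dev/null; then
        echo "SAMPLE_USER users: account customer/password from the guide is active"
    fi

    # radiusd.conf: these two options put passwords into the auth log.
    for opt in auth_badpass auth_goodpass; do
        if grep -Eq "^[[:space:]]*${opt}[[:space:]]*=[[:space:]]*yes" "$dir/radiusd.conf" 2>/dev/null; then
            echo "PASSWORD_LOGGING radiusd.conf: ${opt} = yes"
        fi
    done
    return 0
}

# Demo on the constructed sample; on a real server run: audit_freeradius /etc/freeradius
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_freeradius "$demo_dir"
rm -rf "$demo_dir"
```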