airMAX - How to Set Up RADIUS Server Authentication on airOS Devices (FreeRadius)


Overview


Users will learn how to configure a minimal FreeRadius server and WPA2-PEAP (WPA-Enterprise) on airOS. There are several options for RADIUS servers such as FreeRadius, Radiator and Microsoft NPS. 


Table of Contents


  1. How to Install FreeRADIUS Server on Ubuntu 16.04
  2. Access Point Configuration
  3. Station Configuration

How to Install FreeRADIUS Server on Ubuntu 16.04



1. Install FreeRADIUS and Nano text editor with the following command:

sudo apt-get install freeradius nano

2. Edit the EAP configuration file and set the default EAP type to PEAP:

sudo nano /etc/freeradius/eap.conf
default_eap_type = peap

Press CTRL-O to save or CTRL-X to exit.



3. Add the username and password to be used on the Station:

sudo nano /etc/freeradius/users
<add the following line at the bottom>
customer Cleartext-Password := "password"

Press CTRL-O to save or CTRL-X to exit.

4. Enable and configure the MS-CHAPv2 protocol:

sudo nano /etc/freeradius/modules/mschap
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes

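Press CTRL-O to save or CTRL-X to exit.

5. Edit radiusd.conf to enable logging of authentication successes and failures. You can check /var/log/radius.log for successful/failed authentication attempts. This step is optional, but useful when troubleshooting. Note that auth_badpass and auth_goodpass write the password to the log whenever the request carries one, so keep the log readable only by administrators and switch both off once troubleshooting is done.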

Under "log" section:

auth = yes
auth_badpass = yes
auth_goodpass = yes

Press CTRL-O to save or CTRL-X to exit.

6. Reload libraries:

sudo ldconfig

7. Add a new RADIUS client (the Access Point):

sudo nano /etc/freeradius/clients.conf

Add the IP address and shared secret for AP config:

client 192.168.1.41 {
secret          = testing123
shortname       = airMAX-AP-2
}

8. Restart RADIUS service and test authentication:

sudo service freeradius restart

Usage:

radtest {username} {password} {hostname} 10 {radius_secret}

Example:

radtest customer password localhost 10 testing123

You should see something like this:


Access Point Configuration



Make sure the AP is configured with the IP address used when configuring clients.conf in the section above.  

1. Navigate to the Wireless tab and fill out the Wireless Security section as follows:

  • Security: WPA2-AES
  • WPA Authentication: EAP
  • Auth Server IP/Port: IP.OF.RADIUS.SERVER  (Default port is 1812)
  • Auth Server Secret: secret configured in clients.conf. (For this example “testing123”)

2. Click Change > Apply
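
Added example, not part of the original article: the shared secret entered here and in clients.conf is what each side uses to trust the other's RADIUS packets. This Python code builds the kind of PAP Access-Request that the radtest check sends and verifies a signed reply, following RFC 2865; the function names are illustrative and the credentials are the sample values from this page.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2        # RADIUS attribute types

def _xor_chain(data, secret, authenticator, hiding):
    """XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], pad))
        prev = block if hiding else data[i:i + 16]   # always chain on ciphertext
        out += block
    return out

def hide_password(password, secret, authenticator):
    """Client side: NUL-pad to a multiple of 16 bytes (at most 128), then hide."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _xor_chain(padded, secret, authenticator, hiding=True)

def recover_password(hidden, secret, authenticator):
    """Server side: undo the hiding with the same shared secret."""
    return _xor_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def build_access_request(user, password, secret, ident, authenticator):
    """Access-Request with User-Name and a hidden User-Password attribute."""
    hidden = hide_password(password, secret, authenticator)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v
                     for t, v in ((USER_NAME, user), (USER_PASSWORD, hidden)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def sign_response(code, ident, attrs, request_auth, secret):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def response_is_authentic(response, request_auth, secret):
    """Client side: accept a reply only if it was signed with the shared secret."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

if __name__ == "__main__":   # sample values from this page, random authenticator
    req = build_access_request(b"customer", b"password", b"testing123", 10, os.urandom(16))
    print(req.hex())
```

Both the password hiding and the reply check depend only on the shared secret, so replace the sample value testing123 with a long random secret on anything beyond a lab setup.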


Station Configuration



1. Navigate to the Wireless tab. Configure the SSID either manually or via Site Survey. If you don’t see the AP, confirm that the channel width matches the AP's. Edit as follows under the Wireless Security section:

  • Security: WPA2-AES
  • WPA Authentication: EAP EAP-PEAP MSCHAPV2
  • WPA User Name: This should match the user added in /etc/freeradius/users. (In this example "customer").
  • WPA User Password: This should match the password for the user "customer". (In this example "password").

2. Click Change > Apply