WPA Enterprise WiFi testing with freeradius



Hi,

The following is a brain-dump of what I've been using to test all the
WPA Enterprise stuff using freeradius.

1) install freeradius 3.0 or higher

2) in /etc/raddb/certs there is a 'bootstrap' script.  You can use this
to generate testing certificates for the CA and the RADIUS server.  It
gives you ca.pem and server.pem.  The default files it writes out
should be automatically selected by the default configuration in
/etc/raddb/mods-enabled/eap.

3) in /etc/raddb/certs you can 'make client.pem' to get a client
certificate for TLS configuration on your test machine.  Copy it to
your test machine (along with ca.pem) and use it for TLS
authentication.

4) add an entry for your AP to the end of clients.conf, which will look
like this:

client 192.168.0.5 {
        secret = testing123
        shortname = my-ap
}

5) on your AP set the authentication to WPA Enterprise or whatever, and
then in the RADIUS configuration enter the "secret" from step #4 and
the RADIUS server's IP.  You shouldn't need to touch port settings,
they are almost always correct with the default of 1812.

6) add a user to users.conf, looking something like this:

"Bill Smith" Cleartext-Password := "<some password you make up>"

The password is the same one you'll enter in NetworkManager for any
of the PAP, CHAP, MSCHAP, PWD, GTC, etc. inner EAP methods that TTLS,
PEAP, and FAST use.

(side-note: if you happen to have a 3Com WXR-series you'll want to add
right below the user/password line:
        Egress-VLAN-Name:0 = "default",
        3Com-VLAN-Name:0 = "default"
or the client can't talk to anything else)

7) you might want to edit radiusd.conf and enable "auth", "auth_badpass", and
"auth_goodpass" in the "log" section for debugging.

8) make sure that 'default' and 'inner-tunnel' are symlinked from
/etc/raddb/sites-available into /etc/raddb/sites-enabled.  Make sure
'eap' is symlinked from mods-available/ into mods-enabled/.

9) copy /etc/raddb/certs/client.pem and /etc/raddb/certs/ca.pem to your
test client.  ca.pem will be used whenever a CA certificate is
required, and client.pem should be used with TLS or TTLS/TLS
authentication.

10) you may need to change /etc/raddb/mods-enabled/eap and set
"default_eap_type" to force a specific type of EAP while testing.
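To tie steps 3, 6, 9 and 10 together on the client side, here is an added wpa_supplicant.conf for the test machine (my example, not part of the original post). It assumes ca.pem and client.pem were copied to /etc/wpa_supplicant/certs/, that the test SSID is "radius-test", that the EAP-TLS identity matches the default subject in /etc/raddb/certs/client.cnf, and that client.pem's key uses the default output_password "whatever" from that file.

```conf
# Added example (not from the original post). Assumed paths, SSID and
# identity; adjust to match your test setup.
ctrl_interface=/var/run/wpa_supplicant

# EAP-TLS: authenticates with the client certificate from 'make client.pem'.
# ca_cert is what makes the supplicant verify server.pem against ca.pem;
# leave it out and the client will trust any RADIUS server that answers.
network={
    ssid="radius-test"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="client@example.org"
    ca_cert="/etc/wpa_supplicant/certs/ca.pem"
    client_cert="/etc/wpa_supplicant/certs/client.pem"
    private_key="/etc/wpa_supplicant/certs/client.pem"
    private_key_passwd="whatever"
    priority=2
}

# PEAP with MSCHAPv2 inner method: exercises the users entry from step 6.
# anonymous_identity is sent in the clear; the real username and password
# only travel inside the TLS tunnel, so phase 1 must still verify ca.pem.
network={
    ssid="radius-test"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous"
    identity="Bill Smith"
    password="<the password you put in users.conf>"
    ca_cert="/etc/wpa_supplicant/certs/ca.pem"
    phase2="auth=MSCHAPV2"
    priority=1
}
```

Point wpa_supplicant at this file with -c and the -dddt flags from the troubleshooting notes, and switch "default_eap_type" on the server to TLS or PEAP to force whichever block you want to exercise.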

======

When things go wrong...

* add "-x" to the freeradius command-line in the systemd or initd
service files for more logging

* look at /var/log/radius*

* run the client's wpa_supplicant in full debug mode (-dddt) so you can see the output; all the radius stuff 
happens after the ASSOCIATING state and before the 4-way handshake

* make sure you have built wpa_supplicant with all the authentication options!!  e.g., it's going to fail if you
try EAP-PWD but haven't built the supplicant with CONFIG_EAP_PWD

* double-check all your passwords
