
4.8 Enterprise Authentication with a RADIUS Server - BrainDump

In this third part of a five-part series on building a Linux wireless access point, you'll learn several different ways to secure your servers, so you can choose the level of security that best suits your needs. This article is excerpted from chapter four of the Linux Networking Cookbook, written by Carla Schroder (O'Reilly; ISBN: 0596102488). Copyright © 2008 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

  1. Securing a Linux Wireless Access Point
  2. 4.8 Enterprise Authentication with a RADIUS Server
  3. 4.9 Configuring Your Wireless Access Point to Use FreeRADIUS
  4. 4.10 Authenticating Clients to FreeRADIUS
By: O'Reilly Media
February 04, 2010





The previous recipe is a slick hack for giving your wireless clients individual keys, but it's still not a proper Public Key Infrastructure (PKI), which is better for larger deployments, and better for security. You have decided it's worth running a standalone RADIUS server for your wireless authentication because it offers more security and more flexibility. You'll be able to use it for all network authentication if you want to, not just wireless, and you can scale up at your own pace. So, how do you use a RADIUS server for wireless authentication?


Use FreeRADIUS together with OpenSSL. There are four steps to this:

  1. Install and configure the FreeRADIUS server
  2. Create and distribute OpenSSL server and client certificates
  3. Configure your wireless access point
  4. Configure client supplicants

Your WAP becomes a Network Access Server (NAS) because it passes along the job of user authentication to the FreeRADIUS server.

To ensure the least hair loss and lowest blood pressure, use your distribution's package manager to install FreeRADIUS. If you prefer a source installation, refer to the INSTALL document in the source tarball.

This recipe requires a PKI using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication, which means the server and client must authenticate to each other with X.509 certificates. So, you'll need:

  1. Your own certificate authority
  2. Server private key and CA-signed certificate
  3. A unique private key and a CA-signed certificate for each client

This is the strongest authentication you can use. See Recipe 9.5 to learn how to do this the easy way, with OpenVPN's excellent helper scripts. If you don't have OpenVPN, you can get the scripts from OpenVPN.net (http://openvpn.net/).

There are two things you will do differently. First, protect each client's private key with a passphrase, so that a copied key file is useless without it:

  # ./build-key-pass [client hostname]

And, for Windows clients, you will have to create PKCS#12 (.p12) bundles, which carry the client's private key and certificate together in one file:

  # ./build-key-pkcs12 [client hostname]

In this recipe, the CA certificate, the server's private key, and the server's certificate are kept in /etc/raddb/keys. This directory should be mode 0750, and owned by root and the FreeRADIUS group created by your Linux distribution. On Debian, this is root:freerad. On Fedora, root:radiusd. You'll be editing these FreeRADIUS files:

  1. clients.conf
  2. users
  3. eap.conf
  4. radiusd.conf

Debian users, look in /etc/freeradius instead of /etc/raddb.

First, tell FreeRADIUS about your wireless access point or points in clients.conf, using one section per WAP, keyed by the WAP's IP address. You can start over with a clean new file instead of adding to the default file (if you do, keep a client entry for 127.0.0.1, or the radtest check later in this recipe will get no answer):

  client [WAP IP address] {
         secret = superstrongpassword
         shortname = wap1
         nastype = other
  }

The secret is the only thing protecting the RADIUS traffic between the WAP and the server, so make it long and random, and give each WAP its own.

Then, make a list of authorized users' login names in the users file, and a nice reject message for users who are not in this file. The usernames are the Common Names on their client certificates. Add them to the existing users file:

  "alrac sysadmin" Auth-Type := EAP
  "terry rockstar" Auth-Type := EAP
  "pinball wizard" Auth-Type := EAP

  DEFAULT Auth-Type := Reject
          Reply-Message = "I hear you knocking, but you can't come in"
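The entries above are matched top to bottom: the first entry whose name equals the User-Name the supplicant sends (DEFAULT matches anyone) wins, so anyone not listed lands on the Reject line. The following is an added example, not code from the book or from FreeRADIUS, that models that matching so you can check a users file before restarting the server. The users file text is a constructed copy of the entries above, the request dictionaries stand in for the attributes of an incoming Access-Request, and the final identity-equals-CN comparison models what the check_cert_cn setting in the tls section of eap.conf enforces (the reject message for a CN mismatch is the example's own):

```python
"""Model of how FreeRADIUS matches entries in the users file.

Added example, not from the book or from FreeRADIUS. ":=" check items set
control attributes such as Auth-Type and always pass; "==" items must equal
the request attribute. Indented lines are reply items. Names are compared
exactly and case-sensitively.
"""
import shlex

# Constructed copy of the users file entries in the recipe.
USERS_FILE = """\
"alrac sysadmin" Auth-Type := EAP
"terry rockstar" Auth-Type := EAP
"pinball wizard" Auth-Type := EAP

DEFAULT Auth-Type := Reject
        Reply-Message = "I hear you knocking, but you can't come in"
"""


def _items(tokens):
    """Group 'Attribute op value' triples; a value may carry a trailing comma."""
    if len(tokens) % 3:
        raise ValueError(f"malformed item list: {tokens!r}")
    return [(tokens[i], tokens[i + 1], tokens[i + 2].rstrip(","))
            for i in range(0, len(tokens), 3)]


def parse_users(text):
    """Parse the users file into [{'name', 'check', 'reply'}] in file order."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        tokens = shlex.split(raw)          # honours quoted names like "alrac sysadmin"
        if raw[0] in " \t":                # indented line: reply items of the current entry
            if not entries:
                raise ValueError("reply items before any entry")
            entries[-1]["reply"].extend(_items(tokens))
        else:
            entries.append({"name": tokens[0], "check": _items(tokens[1:]), "reply": []})
    return entries


def authorize(entries, request):
    """Return (control, reply) for the first matching entry, or None if none matches."""
    user_name = request.get("User-Name")
    for entry in entries:
        if entry["name"] != "DEFAULT" and entry["name"] != user_name:
            continue                       # exact, case-sensitive comparison
        control, matched = {}, True
        for attr, op, value in entry["check"]:
            if op == ":=":
                control[attr] = value
            elif op == "==":
                matched = request.get(attr) == value
                if not matched:
                    break
            else:
                raise ValueError(f"check operator {op} not modelled here")
        if matched:
            return control, {attr: value for attr, _, value in entry["reply"]}
    return None


def cn_from_subject(subject):
    """Pull the Common Name out of an OpenSSL-style '/C=US/CN=name' subject string."""
    for part in subject.strip("/").split("/"):
        key, _, value = part.partition("=")
        if key == "CN":
            return value
    return None


def decide(users_text, user_name, cert_subject):
    """Whole check: EAP identity must equal the certificate CN, and the users file must allow it."""
    if cn_from_subject(cert_subject) != user_name:
        # Hypothetical message; FreeRADIUS's own wording differs.
        return "Reject", {"Reply-Message": "identity does not match certificate CN"}
    result = authorize(parse_users(users_text), {"User-Name": user_name})
    if result is None:
        return "Reject", {}
    control, reply = result
    return control.get("Auth-Type", "Reject"), reply


if __name__ == "__main__":
    print(decide(USERS_FILE, "alrac sysadmin", "/C=US/CN=alrac sysadmin"))   # ('EAP', {})
    print(decide(USERS_FILE, "mallory", "/C=US/CN=mallory"))                 # Reject + message
```

Note that the DEFAULT entry only does its job because it comes last; an entry placed after it would never be reached.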

Now, create two files which EAP needs to do its job: Diffie-Hellman parameters and a seed of random data. These must be owned by root and the FreeRADIUS group, and readable only by the owner and that group. Use at least 2048-bit DH parameters; 512-bit parameters are far too weak to protect anything today:

  # openssl dhparam -check -text -5 2048 -out /etc/raddb/keys/dh2048.pem
  # dd if=/dev/random of=/etc/raddb/keys/random count=1 bs=128
  # chown root:radiusd /etc/raddb/keys/dh2048.pem /etc/raddb/keys/random
  # chmod 0640 /etc/raddb/keys/dh2048.pem /etc/raddb/keys/random

Make sure you use the correct RADIUS group for your distribution.

eap.conf is where you configure the EAP module. Find and edit these lines in your existing file, using your own filenames. private_key_file must point at the server's private key and certificate_file at its certificate; CA_file is what FreeRADIUS uses to verify the client certificates:

  eap {
      default_eap_type = tls
      tls {
          private_key_password = [your password]
          private_key_file = /etc/raddb/keys/xena.key
          certificate_file = /etc/raddb/keys/xena.crt
          CA_file = /etc/raddb/keys/ca.crt

          dh_file = /etc/raddb/keys/dh2048.pem
          random_file = /etc/raddb/keys/random
          fragment_size = 1024
          include_length = yes
      }
  }

radiusd.conf is huge and replete with helpful comments, so I will show just the bits you may need to change. In the authorize section, make sure the eap line is uncommented (the files line, which reads the users file, must stay in too; it is there by default):

  # Authorization. First preprocess (hints and huntgroups files),
  authorize {
      ...
      eap
      ...
  }

Then, in the authenticate section, make sure the eap line is uncommented:

  # Authentication.
  authenticate {
      ...
      eap
      ...
  }

Finally, make sure these lines are uncommented and the correct user and group are entered. These vary, so check your own distribution:

  user = radiusd
  group = radiusd

Shut down FreeRADIUS if it is running, then run these commands to test it. The daemon is called freeradius on Debian and radiusd on Fedora:

  # freeradius -X
  "Ready to process requests"
  # radtest test test localhost 0 testing123

The first command starts it in debugging mode, in the foreground. The second command sends it a fake authentication request, which should be answered with an Access-Reject. What you want to see is FreeRADIUS responding to the test at all: testing123 is the secret of the localhost client in the default clients.conf, and FreeRADIUS silently ignores requests from clients not listed in clients.conf, so if radtest reports no response, check that clients.conf has an entry for 127.0.0.1 with that secret. Debugging mode emits reams of useful output, so if there are any errors in your configurations, you'll be able to track them down.


The trickiest bit is getting your certificates right, but fortunately, the Easy-RSA scripts make the process easy. A good alternative is the excellent graphical PKI manager TinyCA (http://tinyca.sm-zone.net/).

A slick FreeRADIUS feature is that you don't need to use a Certificate Revocation List (CRL), though nothing's stopping you if you want to, because revoking a user is as simple as removing them from the users file: the DEFAULT entry then rejects them before EAP runs. This relies on the identity the supplicant sends matching the Common Name on its certificate, so if a client's private key is lost or stolen, also revoke the certificate at your CA and enable CRL checking (the check_crl option in the tls section of eap.conf) rather than relying on the users file alone.

The various Linux distributions handle the FreeRADIUS user and group in different ways. Some use nobody. Debian creates a freerad user and group. It's important to run FreeRADIUS as an unprivileged user, so make sure that the user and group lines in radiusd.conf are configured correctly.

If you have several WAPs, you may control access by subnet instead of individual WAP:

  client [WAP subnet in CIDR notation] {
     secret = superstrongpassword
     shortname  = wap_herd
     nastype  = other
  }

This is less secure because it uses the same secret for all access points: any one WAP, or anyone who extracts the secret from one, can forge and decode RADIUS traffic for every WAP in the subnet. But it's easier to manage.
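To make concrete what the shared secret in clients.conf does, and why one secret per subnet is weaker than one per WAP, here is an added example that is not code from the book or from FreeRADIUS. It resolves which client entry (and therefore which secret) covers a NAS address, taking the most specific entry as FreeRADIUS does, then builds an Access-Request carrying an EAP-Message together with the Message-Authenticator that RFC 3579 requires alongside it (an HMAC-MD5 over the packet, keyed with the shared secret) and verifies it the way the server would. The addresses, secrets and EAP identity are constructed for the example:

```python
"""What the clients.conf shared secret protects.

Added example, not from the book or from FreeRADIUS. Packet layout follows
RFC 2865 (20-byte header, then Type/Length/Value attributes); the
Message-Authenticator (attribute 80) follows RFC 3579: HMAC-MD5 over the
whole Access-Request with the attribute's own value zeroed.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed stand-in for clients.conf: one WAP with its own entry and a
# "herd" subnet entry that every other WAP on the LAN falls under.
CLIENTS = {
    "192.168.1.50": "superstrongpassword",   # client 192.168.1.50 { ... }
    "192.168.1.0/24": "herdsecret",          # client 192.168.1.0/24 { ... }
}


def lookup_secret(nas_address, clients=CLIENTS):
    """Secret of the most specific client entry covering nas_address."""
    addr = ipaddress.ip_address(nas_address)
    best = None
    for spec, secret in clients.items():
        net = ipaddress.ip_network(spec, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, secret)
    if best is None:
        # FreeRADIUS does not answer unknown clients at all; it logs and drops.
        raise KeyError(f"no client entry covers {nas_address}")
    return best[1]


def _attr(attr_type, value):
    """One RADIUS attribute: Type, Length (including these two bytes), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_response_identity(eap_id, identity):
    """EAP Response (code 2) of type Identity (1), the supplicant's first message."""
    body = identity.encode()
    return struct.pack("!BBH", 2, eap_id, 5 + len(body)) + b"\x01" + body


def build_access_request(identifier, user_name, eap_payload, secret, request_auth=None):
    """Access-Request with User-Name, EAP-Message and a valid Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)          # 16 random bytes (RFC 2865)
    attrs = _attr(ATTR_USER_NAME, user_name.encode()) + _attr(ATTR_EAP_MESSAGE, eap_payload)
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # zero while hashing
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret.encode(), header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac                      # placeholder is the last 16 bytes


def parse_attributes(packet):
    """Yield (type, offset, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        yield attr_type, pos, packet[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(packet, secret):
    """True if the packet carries exactly one Message-Authenticator valid under secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    found = [(pos, val) for t, pos, val in parse_attributes(packet)
             if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][1]) != 16:
        return False                 # required when EAP-Message is present (RFC 3579)
    pos, received = found[0]
    zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
    expected = hmac.new(secret.encode(), zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def check_request(packet, nas_address, clients=CLIENTS):
    """Server side: pick the secret for the sending NAS, then check the MAC."""
    return verify_message_authenticator(packet, lookup_secret(nas_address, clients))


if __name__ == "__main__":
    pkt = build_access_request(7, "alrac sysadmin",
                               eap_response_identity(1, "alrac sysadmin"),
                               "superstrongpassword")
    print("from 192.168.1.50:", check_request(pkt, "192.168.1.50"))   # True
    print("from 192.168.1.51:", check_request(pkt, "192.168.1.51"))   # False: herd secret differs
```

The herd entry shows the trade-off in code: every address in the subnet resolves to the same secret, so a secret recovered from one WAP verifies (and can forge) traffic for all of them, while the WAP with its own entry is unaffected.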

See Also

  1. man 1 openssl
  2. man dhparam
  3. The default eap.conf, radiusd.conf, clients.conf, and users files are excellent help references
  4. RADIUS, by Jonathan Hassell (O'Reilly) for a good in-depth tour of running a RADIUS server
  5. The FreeRADIUS Wiki: http://wiki.freeradius.org/
  6. TinyCA (http://tinyca.sm-zone.net/) is a nice graphical tool for creating and managing PKIs, and for importing and exporting certificates and keys
  7. Recipe 9.5
