Add RADIUS support to E220 router

...

RADIUS (Remote Authentication Dial-In User Service) is a service that authenticates users in a centralised manner. In our case, we will give each user a username and password so they can get access to the WiFi network.

Install Freeradius server

On the virtual machine, install freeradius:

    sudo apt-get install freeradius


Check the default configuration:

    sudo freeradius -CX


The last line should be Configuration appears to be OK. Add your router as a new client that is allowed to request user authentication:

    sudo vim /etc/freeradius/clients.conf


Search for the line client localhost { and add the following content just above it (then save and quit):

    client openwrt {
       ipaddr = 192.168.1.1
       secret = hackathon
    }


Edit the users file:

    sudo vim /etc/freeradius/users


and add a new user at the end of the file:

    maestro Cleartext-Password := "wireless"


Now it is time to test the server setup:

    # Stop the freeradius service
    sudo service freeradius stop

    # Open a terminal and start the server in debug mode
    sudo freeradius -X

    # Open a new terminal and try to authenticate your user
    radtest maestro wireless 127.0.0.1 0 testing123

    # If you receive this line, it means that your authentication has been accepted
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=11, length=20


Close both terminals and open a new one. Execute the following command to start the freeradius service:

    sudo service freeradius start
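
What the radtest exchange above puts on the wire, as an added example that is not part of the original page: the Access-Request hides the password with the shared secret, and the 20-byte Access-Accept (header only, hence length=20) is authenticated with the same secret. It assumes PAP, which is radtest's default; the function names are made up for this illustration, while maestro, wireless, testing123 and id 11 come from the test above.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2        # attribute types

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: null-pad to 16-byte blocks, XOR block i with
    MD5(secret + previous ciphertext block); block 0 uses the Request Authenticator."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):
    """What the server does, using the client's shared secret from clients.conf."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(kind, value):
    return bytes([kind, len(value) + 2]) + value

def access_request(ident, user, password, secret, request_auth=None):
    if request_auth is None:
        request_auth = os.urandom(16)  # must be unpredictable for every request
    hidden = hide_password(password, secret, request_auth)
    attrs = _attr(USER_NAME, user) + _attr(USER_PASSWORD, hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def access_accept(ident, request_auth, secret, attrs=b""):
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply, request_auth, secret):
    """Client-side check that the reply came from a holder of the shared secret."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

if __name__ == "__main__":
    req = access_request(11, b"maestro", b"wireless", b"testing123")
    reply = access_accept(11, req[4:20], b"testing123")
    print(len(reply), reply_is_authentic(reply, req[4:20], b"testing123"))
```

The shared secret is the only key material in this exchange: anyone who knows it can recover the hidden password from a captured request and produce replies that pass the authenticity check.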


Add support for 802.1x in the router

Once the RADIUS server is working and allows us to authenticate our users, it is time to configure our router to forward the authentication requests to the server when a new user tries to connect to the WiFi network. Get SSH access to your router and execute the following command:

    opkg remove wpad-mini


Go to the GUI and, under System > Software > Configuration, configure the default OpenWrt repositories. Click Submit at the bottom of the page.

Go back to the SSH console and execute the following commands:


    opkg update
    opkg install wpad


Create the WiFi network

Go to Network > Wifi and click on Add to create a new wireless SSID as Access Point:
  • Mode has to be Access Point
  • ESSID can be anything that identifies your AP
  • Tick lan on Network
  • All other fields may be left with the default values


Click on the Wireless Security tab and set the following settings:
  • Encryption has to be WPA2-EAP
  • Cipher can be auto
  • Radius-Authentication-Server is the IP of the virtual machine (192.168.1.125 in this case)
  • Radius-Authentication-Port is 1812 as we are using the default one
  • Radius-Authentication-Secret is hackathon as configured when adding the client openwrt to the configuration file
  • All other fields can be empty
  • Click Save & Apply at the bottom of the page

Test the RADIUS authentication

The configuration is all done and it is time to test that it works. From your smartphone, search for the wireless network Hackathon and connect to it:
  • EAP method is PEAP
  • CA certificate is set to Do not validate
  • Identity is maestro (the username added to the users file)
  • Anonymous identity is left blank
  • Password is wireless

After pressing Connect, the smartphone will send the authentication request to the router, which will forward it to the RADIUS server. If the username is authorised to have wireless connectivity, you will see that in the Status > Overview tab of your router there is a new DHCP lease:

...