@KanoczTomas
Forked from darconeous/dh.pem
Created March 22, 2019 20:16
Getting FreeRadius set up on EdgeRouter
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAq5/y4YW0hozeF0bQw86uDaDO0o+68DjAch61bc3nwyVC77e6JYUT
5F9x+mn9j25KhbcNGBcZvO/TFHsPf4bx4fojNKD2T5nZATJRtGuepnyjz5XEpPe2
ojAsjYpPg/0HZou/tyPM1OGTi5qlVUHa+GHrpX5419NDdOCU5IRr1kkIOMaT7+co
OFAlGCr8fiLTArGWbZDed3N0EvXE1JaIlOmQmVxLP8EycZsbjnCWB9b7DfQW2TeB
9Qp3PjfpAH/VPc3xrMqrXLlGR3h6PA5FfanN2e1XWISOYQe9N/K5uN6lze+HoAk6
Kusp+bLFxWX5EDxK1XXW+4L5JwNwUDMZCwIBAg==
-----END DH PARAMETERS-----

Getting FreeRadius set up on EdgeRouter

In some cases it is useful to have a RADIUS server running on the router itself, most often as the authentication back end for 802.1X (WPA-Enterprise) on the access points. This article does not set up anything fancy: just a flat file of username and password combinations. The same setup could be extended to use an LDAP back end, but that is out of scope here.

Note that I'm new to setting up FreeRadius, and I can make no claims about the security of setting up and using FreeRadius in the fashion described below. As I become aware of any security issues I'll update this file.

The first few steps are from the article "Add other Debian packages to EdgeOS".

Step 1: Add the Debian repo and the security repo

The repository names below match EdgeOS v1.x, which is built on Debian 7 (wheezy). Wheezy reached end of life in 2018, so these repositories no longer receive security updates, and security.debian.org no longer serves wheezy/updates (the packages have moved to archive.debian.org). Check which Debian release your firmware is based on (EdgeOS v2.x is built on stretch) and adjust the distribution names accordingly.

configure
set system package repository wheezy components 'main contrib non-free'
set system package repository wheezy distribution wheezy 
set system package repository wheezy url http://http.us.debian.org/debian
set system package repository wheezy-security components main
set system package repository wheezy-security distribution wheezy/updates
set system package repository wheezy-security url http://security.debian.org
commit
save
exit

Step 2: Update the local cache.

sudo apt-get update

Step 3: Install FreeRadius

sudo apt-get -y install freeradius

Step 4: Move /etc/freeradius/ to /config/freeradius

sudo mv /etc/freeradius /config/freeradius
sudo ln -s /config/freeradius /etc/freeradius

Step 5: Set up the certificates

You may want to use a different server certificate and key here. The flat-file user store itself does not need TLS, and neither does the PAP test in Step 11, but every EAP method that WPA-Enterprise clients actually use (PEAP, EAP-TTLS, EAP-TLS) runs inside a TLS tunnel, so the server certificate matters as soon as your WAPs start forwarding 802.1X authentications. The commands below reuse Debian's self-signed ssl-cert-snakeoil pair and install that same certificate as the CA. That works for testing, but it gives supplicants nothing to validate against other than that one self-signed certificate. For anything beyond testing, create your own CA, issue the server certificate from it, and distribute the CA certificate to the clients; a client configured to skip server validation will hand its credentials to any rogue access point with its own RADIUS server behind it. Whatever key you end up with, make sure it is owned by the freerad user and not readable by anyone else.

TODO: Check to make sure that doing the following yields a secure setup.

sudo cp /etc/ssl/private/ssl-cert-snakeoil.key /config/freeradius/certs/server.key
sudo cp /etc/ssl/certs/ssl-cert-snakeoil.pem /config/freeradius/certs/server.pem
sudo cp /etc/ssl/certs/ssl-cert-snakeoil.pem /config/freeradius/certs/ca.pem

Step 6: Set up the DH parameters

sudo openssl dhparam -out /config/freeradius/certs/dh 2048

This will take a very long time on the router's CPU. If you don't want to wait, generate the parameters on a faster local computer and copy the file over, or use the dh.pem file attached to this gist. DH parameters are public values, so sharing a file is not a secret leak, but verify any file you did not generate yourself with openssl dhparam -in dh -check -noout before using it.
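The following script is an added check for Steps 5 and 6, not part of the original gist: it verifies that the private key is not world-readable and is owned by the expected user, that ca.pem is not simply a copy of server.pem, and, when openssl is available, that the certificate is not about to expire and the DH group is at least 2048 bits. It assumes GNU coreutils (stat -c) and the FreeRADIUS certs directory layout used above; the owner name freerad is the Debian default.

```bash
#!/bin/bash
# Added example: sanity-check the TLS material FreeRADIUS will load.
# Not part of the original gist; assumes GNU coreutils (stat -c) and,
# for the optional certificate/DH checks, an openssl binary.

# Fail unless the private key is mode 0600 or 0640 and owned by the
# expected user (freerad on Debian). A world-readable key lets any local
# user impersonate the RADIUS server to every supplicant that trusts it.
check_key_perms() {
    local key="$1" owner="${2:-freerad}" mode user
    [ -f "$key" ] || { echo "missing key: $key" >&2; return 1; }
    mode=$(stat -c '%a' "$key")
    user=$(stat -c '%U' "$key")
    case "$mode" in
        600|640) ;;
        *) echo "$key has mode $mode, want 600 or 640" >&2; return 1 ;;
    esac
    [ "$user" = "$owner" ] || { echo "$key owned by $user, want $owner" >&2; return 1; }
}

# Fail if ca.pem is byte-identical to server.pem. Copying the snakeoil
# certificate to both (as in Step 5) means there is no CA at all:
# supplicants can only pin that one self-signed certificate, and every
# rotation of it forces a reconfiguration of every client.
check_ca_differs() {
    local server="$1" ca="$2"
    if cmp -s "$server" "$ca"; then
        echo "ca.pem is identical to server.pem: no real CA configured" >&2
        return 1
    fi
}

# Optional checks that need openssl: certificate still valid for 30 days,
# and DH group size of at least 2048 bits (what Step 6 generates).
check_cert_and_dh() {
    local cert="$1" dh="$2" bits
    command -v openssl >/dev/null || { echo "openssl not found, skipping" >&2; return 0; }
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
        || { echo "$cert expires within 30 days (or is unreadable)" >&2; return 1; }
    bits=$(openssl dhparam -in "$dh" -noout -text 2>/dev/null \
        | grep -o '[0-9]* bit' | head -n1 | cut -d' ' -f1)
    [ "${bits:-0}" -ge 2048 ] || { echo "$dh has ${bits:-unknown} bits, want >= 2048" >&2; return 1; }
}

# Run all checks against a FreeRADIUS certs directory; 0 only if all pass.
check_radius_tls_dir() {
    local dir="$1" owner="${2:-freerad}" rc=0
    check_key_perms "$dir/server.key" "$owner" || rc=1
    check_ca_differs "$dir/server.pem" "$dir/ca.pem" || rc=1
    check_cert_and_dh "$dir/server.pem" "$dir/dh" || rc=1
    return $rc
}

# Usage on the router: ./check_radius_tls.sh /config/freeradius/certs
if [ -n "${1:-}" ]; then
    check_radius_tls_dir "$1"
fi
```

Run it as root after Step 6 and again after any certificate change; a non-zero exit with a message on stderr tells you which of the three conditions failed.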

Step 7: Update /config/freeradius/radiusd.conf

This is optional, but you may want to change the address the server listens on: the ipaddr setting in the two listen sections (authentication and accounting), around lines 270 and 313 of the Debian default file. Binding to the router's LAN address keeps RADIUS (UDP 1812 and 1813) off the WAN side; check that your firewall rules do the same, because the shared secret is the only thing authenticating a client to this server.

Step 8: Update /config/freeradius/clients.conf

First, you will need to pick a new client secret. This should be a strong, randomly generated password, not something you made up. Don't skimp on this: anyone who captures a single request/response pair can test secret guesses offline, because the Response Authenticator is an MD5 over the packet and the secret, and the same secret is what protects User-Password on the wire. Use a password generator rather than a phrase.

You should then open up /config/freeradius/clients.conf in vi. Around line 98 is the client localhost section that sets the shared secret for clients connecting from 127.0.0.1; the default there is the well-known value testing123. Change it to the secret you generated above.

Then add something like this to the end of the file:

client 192.168.0.0/24 {
       secret          = JK9Y-KYNH-HCPX-4MWQ-QXQ7
       shortname       = local-private-network
}

Set the network to the addresses your WAPs actually connect from. A whole /24 lets any host on that subnet that learns the secret talk to the server, so prefer one client entry per access point, each with its own secret, where that is practical.

Step 9: Update /config/freeradius/users

This file is where you add individual users. Simply add lines like this to the file to add a new user:

bob     Cleartext-Password := "hello"

This adds a new user, bob, with the password hello. Note that Cleartext-Password stores the password as-is. FreeRADIUS also accepts hashed forms, but the most common 802.1X method (PEAP with MSCHAPv2) can only be verified against the cleartext password or its NT hash, so for Wi-Fi users this file effectively holds recoverable credentials. Give it the same permissions as the private key (owned by freerad, not world-readable), and don't let users reuse these passwords elsewhere.

Step 10: Start the server

sudo /etc/init.d/freeradius start

Step 11: Test the server

radtest bob hello localhost 0 JK9Y-KYNH-HCPX-4MWQ-QXQ7

This sends a PAP request over the loopback interface using the localhost secret from Step 8; you should get an Access-Accept back. If you get an Access-Reject or no reply, stop the service and run the server in the foreground with freeradius -X to see exactly how the request is processed.

Step 12: Make sure FreeRADIUS gets reinstalled after an update

This is all great, but an EdgeOS firmware upgrade replaces the root filesystem, so the freeradius package disappears and only /config survives. The following script re-establishes FreeRADIUS after an upgrade.

Create a file named /config/scripts/post-config.d/freeradius.sh (EdgeOS runs the scripts in that directory as root at boot, after the configuration has been loaded) and set the contents to the following:

#!/bin/bash
# Re-create the FreeRADIUS installation after a firmware upgrade.
# Runs as root from /config/scripts/post-config.d at boot; only /config
# survives an upgrade, so everything under /etc and /var may be gone.

die() {
	echo "freeradius.sh: $*" >&2
	exit 1
}

# /etc is replaced by the upgrade, so a missing /etc/freeradius means the
# package is gone and has to be reinstalled from the repositories set up
# in Step 1 (this needs working network access at boot time).
[ -e /etc/freeradius ] || {
	apt-get update || die "apt-get update failed"
	apt-get install -y freeradius || die "apt-get install freeradius failed"

	# Replace the freshly installed default config with the copy kept in /config.
	rm -r /etc/freeradius || die "could not remove /etc/freeradius"
	ln -s /config/freeradius /etc/freeradius || die "could not link /etc/freeradius"

	# The upgrade may have changed uid/gid mappings; make the config ours again.
	chown -R freerad:freerad /config/freeradius || die "chown /config/freeradius failed"

	/etc/init.d/freeradius start || die "freeradius failed to start"
}

# The log and run directories may not exist after a reboot; the daemon
# needs both, owned by its own user.
[ -d /var/log/freeradius ] || {
	mkdir -p /var/log/freeradius || die "mkdir /var/log/freeradius failed"
	chown -R freerad:freerad /var/log/freeradius || die "chown /var/log/freeradius failed"
}

[ -d /var/run/freeradius ] || {
	mkdir -p /var/run/freeradius || die "mkdir /var/run/freeradius failed"
	chown -R freerad:freerad /var/run/freeradius || die "chown /var/run/freeradius failed"
}

Don't forget to mark it as executable with chmod +x /config/scripts/post-config.d/freeradius.sh.

Additional Reading
