Setting up WPA2 Enterprise with freeradius3 on OpenWrt 18.06
Authentication and authorization of WiFi and Samba users with PEAP/EAP-MSCHAPv2.
Freeradius3 is the RADIUS server used.
Install packages
opkg install freeradius3 freeradius3-common
Install Demo certificates
opkg install freeradius3-democerts
Install tunnels
opkg install freeradius3-mod-eap freeradius3-mod-eap-peap freeradius3-mod-eap-mschapv2 freeradius3-mod-eap-tls freeradius3-mod-pap
Install modules
opkg install freeradius3-mod-preprocess freeradius3-mod-files freeradius3-mod-radutmp
Install Samba passwd file support
opkg install freeradius3-mod-passwd
Replace wpad-mini with wpad (wpad-mini lacks the 802.1X/EAP support WPA2 Enterprise needs)
opkg remove wpad-mini; opkg install wpad
Configure FreeRadius
sites-enabled/lede
server lede {
    listen {
        type = auth
        ipaddr = *
        port = 1812
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    listen {
        type = auth
        ipv6addr = ::   # any. ::1 == localhost
        port = 0
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    authorize {
        preprocess
        mschap
        eap
        files
        smbpasswd
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
sites-enabled/lede-inner-tunnel
server inner-tunnel {
    listen {
        ipaddr = 127.0.0.1
        port = 18120
        type = auth
    }
    authorize {
        mschap
        eap
        files
        smbpasswd
        pap
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
    session {
        radutmp
    }
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
Debug configurations
Now you can debug your server configuration in verbose mode: radiusd -X
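As an added pre-check (not part of the original page), the following Python script lists the modules a sites-enabled virtual-server file calls and reports which of them the opkg commands above do not install. It assumes the LEDE package naming visible in the package list at the end of this page (freeradius3-mod-<module>, with smbpasswd provided by freeradius3-mod-passwd); the sample config and installed-package set are constructed from this page.

```python
import re

PROCESSING = {"authorize", "authenticate", "session", "post-auth"}  # bare words here call modules
def referenced_modules(site_text):
    """Module instances called from the processing sections of a virtual-server file."""
    toks = iter(re.findall(r"\{|\}|=|[^\s{}=]+", re.sub(r"#.*", "", site_text)))
    stack, words, mods = [], [], set()
    for t in toks:
        if t == "=":                                  # "key = value": drop key, skip value
            words.pop()
            next(toks, None)
        elif t in ("{", "}"):
            if t == "{":                              # "authorize {" or "Auth-Type MS-CHAP {"
                n = 2 if len(words) > 1 and words[-2].endswith("-Type") else 1
                words, name = words[:-n], words[-n]
            if any(s in PROCESSING for s in stack):
                mods.update(words)                    # leftover bare words are module calls
            words = []
            if t == "{":
                stack.append(name)
            else:
                stack.pop()
        else:
            words.append(t)
    return sorted(mods)

# opkg names follow freeradius3-mod-<module> (see the package list on this page);
# smbpasswd is an instance of rlm_passwd, so it maps to freeradius3-mod-passwd.
def package_for(instance):
    module = instance.split(".", 1)[0]                # attr_filter.access_reject -> attr_filter
    module = {"smbpasswd": "passwd"}.get(module, module)
    return "freeradius3-mod-" + module.replace("_", "-")

def missing_packages(site_text, installed):
    """{module instance: package} for every call whose package is not installed."""
    return {inst: pkg for inst in referenced_modules(site_text)
            if (pkg := package_for(inst)) not in installed}

# Constructed sample: this page's inner-tunnel virtual server, listen block omitted.
INNER_TUNNEL = """server inner-tunnel {
    authorize { mschap eap files smbpasswd pap }
    authenticate { Auth-Type MS-CHAP { mschap } eap }
    session { radutmp }
    post-auth { Post-Auth-Type REJECT { attr_filter.access_reject } }
}"""
# Module packages named by the opkg install commands on this page.
INSTALLED = {"freeradius3-mod-eap", "freeradius3-mod-eap-peap", "freeradius3-mod-eap-mschapv2",
             "freeradius3-mod-eap-tls", "freeradius3-mod-pap", "freeradius3-mod-preprocess",
             "freeradius3-mod-files", "freeradius3-mod-radutmp", "freeradius3-mod-passwd"}
```

Calling missing_packages(INNER_TUNNEL, INSTALLED) reports the modules whose package the install commands above do not name, so the gap shows up before radiusd -X fails on a module it cannot find.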
Fix service startup
However, /etc/init.d/radiusd is not configured correctly; the fix is simple.
Change
procd_set_param command $PROG -f
to
procd_set_param command $PROG -f -l var/log/radius.log
because the original command writes its log to /usr/var/log/radius.log, which does not exist on LEDE devices.
Copy certificates from a public-facing server for PEAP
rsync --rsync-path="sudo rsync" -e "ssh -i /etc/dropbear/dropbear_rsa_host_key" -a -L ${SRC_DIR} ${DST_DIR}
Parameter explanation
--rsync-path
specifies the rsync to run on the remote machine
-e "ssh -i /etc/dropbear/dropbear_rsa_host_key"
specifies the remote shell to use; the key is passed explicitly because the LEDE version of ssh does not read the local private key on its own
-a -L
archive mode, and transform symlinks into the referent file/dir
Modify the eap module to use the copied certificates
…
tls-config tls-peap {
    private_key_file = ${certdir}/letsencrypt/privkey.pem
    certificate_file = ${certdir}/letsencrypt/fullchain.pem
…
Available LEDE packages
freeradius3 - release_3_0_11-1 - A flexible RADIUS server (version 3)
freeradius3-common - release_3_0_11-1 - common files
freeradius3-democerts - release_3_0_11-1 - Demo certificates to test the server
freeradius3-mod-always - release_3_0_11-1 - Always module
freeradius3-mod-attr-filter - release_3_0_11-1 - ATTR filter module
freeradius3-mod-chap - release_3_0_11-1 - CHAP module
freeradius3-mod-detail - release_3_0_11-1 - Detailed accounting module
freeradius3-mod-digest - release_3_0_11-1 - HTTP Digest Authentication
freeradius3-mod-eap - release_3_0_11-1 - Base EAP module
freeradius3-mod-eap-gtc - release_3_0_11-1 - EAP/GTC module
freeradius3-mod-eap-leap - release_3_0_11-1 - EAP/LEAP module
freeradius3-mod-eap-md5 - release_3_0_11-1 - EAP/MD5 module
freeradius3-mod-eap-mschapv2 - release_3_0_11-1 - EAP/MS-CHAPv2 module
freeradius3-mod-eap-peap - release_3_0_11-1 - EAP/PEAP module
freeradius3-mod-eap-tls - release_3_0_11-1 - EAP/TLS module
freeradius3-mod-eap-ttls - release_3_0_11-1 - EAP/TTLS module
freeradius3-mod-exec - release_3_0_11-1 - EXEC module
freeradius3-mod-expiration - release_3_0_11-1 - Expiration module
freeradius3-mod-expr - release_3_0_11-1 - EXPR module
freeradius3-mod-files - release_3_0_11-1 - Module using local files for authorization
freeradius3-mod-logintime - release_3_0_11-1 - Logintime module
freeradius3-mod-mschap - release_3_0_11-1 - MS-CHAP and MS-CHAPv2 module
freeradius3-mod-pap - release_3_0_11-1 - PAP module
freeradius3-mod-passwd - release_3_0_11-1 - Rlm passwd module
freeradius3-mod-preprocess - release_3_0_11-1 - Request pre-processing module
freeradius3-mod-radutmp - release_3_0_11-1 - Radius UTMP module
freeradius3-mod-realm - release_3_0_11-1 - Realms handling module
freeradius3-mod-unix - release_3_0_11-1 - System Authentication
freeradius3-utils - release_3_0_11-1 - Misc. client utilities