FreeRadius3, 802.1x, security and installation guides

Hello guys.
Today I tried installing freeradius with tls but sadly I couldn't get it running. I don't need to have tls but it would have been nice. There were a lot of tutorials but i wasnt able to get it running with any of them. I find the documentation also a bit.. not helpful from freeradius themselves. so first question, has someone a good guide for that?
I wondered if I go back to user based authentification with freeradius without certificates using the pap module if it would have any benefit in comparison to wpa2+aes? Is it more secure or just a waste of time without certificates?
Thanks for all answers I will recieve.

For many people the compelling advantage of 802.1X is that you have by-user credentials, not just a single key.

What problem did you have? Were you able to create the required certificates and keys, or was it something else?

I was able to generate the certificates and keys. when running with debug mode it would only show me the configuration and tell me that debugger was not attached and stop somewhere in between my configuration files. it also didn't seem to run at all. i used the tutorial on the alpine linux wiki for the most part just fyi.

By "debug mode" do you mean that you ran 'radiusd -X' (and that this worked in non-TLS mode, but failed with TLS enabled)?

If so, post the output both with and without TLS configured somewhere.

(You may want to use a "test user" of some sort for this, so that you don't end up posting any actual passwords in the output.)


You do it like this:
#LD_LIBRARY_PATH=/usr/lib/freeradius3 radiusd -X
(this option is added to /etc/init.d/radiusd to make it work). Pretty standard linux hack for non-standard placed libraries.

Yes, you get guides at and at other places. Google for freeradius eap-tls. Here is one link. Actually, I'm using now freeradius3 on openwrt based AP. In addition to what the tutorial says about setting up eap-tls, the modules you need to install on openwrt are:
freeradius3-common, (freeradius3)-mod-always, -mod-attr-filter, -mod-detail, -mod-eap, -mod-eap-tls, -mod-exec, -mod-expiration, -mod-logintime, -mod-preprocess, -mod-radutmp
Created my own certificates on my computer (google for it), also used working configuration from my computer (based on an online guide) because config files installed from packages for some reason didn't work. Except that you will have radius-server right on your AP, (which is not VERY secure, because the certificates etc. must be on a remote and unreachable server) you'll have a working configuration and tightly secured WiFi network. Secure in that it can't be broken like they break WPA-PSK etc ciphers.