FreeRadius3 as a RADIUS server.wpad-openssl,wpad-openssl, run hostapd as a RADIUS server.wapd-openssl or hostapd-openssl,hostapd-radius as a RADIUS server.Detailed information can be found in the following post.
The RADIUS service is used for EAP authentication for WiFi.
Related topics: Using wpad as radius server
wpad-openssl or hostapd-openssl,wolfssl. Dealing with certificates containing non English characters, there are bugs that can cause hostapd authentication to fail or exit abnormally.## 18.06
package/network/services/hostapd/files/hostapd-full.config
## 19.07, 21.02, 22.03, 23.05, 24.10
feeds/base/package/network/services/hostapd/files/hostapd-full.config
CONFIG_DRIVER_NONE=y
CONFIG_RADIUS_SERVER=y
make package/hostapd/compile -j 2wpad-openssl in openwrt.mkdir -p /etc/hostapd/certs
touch /etc/hostapd/hostapd.{conf,eap_user,radius_clients}
## /etc/hostapd/hostapd.conf
# logger set -1 == all
# bit 0 (1) = IEEE 802.11
# bit 1 (2) = IEEE 802.1X
# bit 2 (4) = RADIUS
# bit 3 (8) = WPA
# bit 4 (16) = driver interface
# bit 5 (32) = IAPP
# bit 6 (64) = MLME
logger_syslog=0
logger_syslog_level=2
logger_stdout=0
#logger_stdout=-1
logger_stdout_level=2
driver=none
ieee8021x=1
eap_server=1
server_cert=/etc/hostapd/certs/eap.crt
private_key=/etc/hostapd/certs/eap.key
ca_cert=/etc/hostapd/certs/ca_chain.pem
# 0 = do not verify CRLs (default)
# 1 = check the CRL of the user certificate
# 2 = check all CRLs in the certificate path
check_crl=1
eap_user_file=/etc/hostapd/hostapd.eap_user
radius_server_clients=/etc/hostapd/hostapd.radius_clients
radius_server_auth_port=1812
/etc/hostapd/certs/ca_chain.pem ,/etc/hostapd/certs/eap.crt ,/etc/hostapd/certs/eap.key## /etc/hostapd/hostapd.eap_user
# Phase 1
* PEAP,TLS
# Phase 2 users
# MSCHAPV2 for PEAP
"user1" MSCHAPV2 "pass1" [2]
"user2" MSCHAPV2 "pass2" [2]
## /etc/hostapd/hostapd.radius_clients
127.0.0.1 key1234
192.168.0.0/16 key1234
/usr/sbin/hostapd -s -B -P /var/run/hostapd-radius.pid /etc/hostapd/hostapd.conf
/etc/rc.local.wpad-openssl or hostapd-opensslradius config file: /etc/config/radius/etc/radius//etc/radius/ca.pem ,/etc/radius/cert.pem ,/etc/radius/key.pem/etc/radius/client, After modifying this file, service radius restart is required to take effect. (Reload not working).192.168.0.0/16 key12345
# 0.0.0.0/0 key12345
/etc/radio/user (JSON format), takes effect immediately after modification, no need to restart or reload.{
"phase1": {
"users": { //optional, if not needed, delete "users" section
"gst3": { //username
//It seems invalid to specify vlan-id here
"methods":["TLS"]
}
},
"wildcard": [
{
"name": "*",
"methods": [ "PEAP","TLS" ]
}
]
},
"phase2": {
"users": {
"gst7": { //username1
"methods":["MSCHAPV2"],
//"radius":["test"], //unknown
//"vlan-id": 20, //Optional, effective, requires coordination with other network configurations
//"max-rate-up":1001, //Optional, effective, I don't know how to use it
//"max-rate-down":1002, //Optional, effective, I don't know how to use it
"password": "def123"
//Or use "hash" and "salt" as passwords, both containing hex strings (untested, not sure how to use)
},
"gst9": { //username2
... //"methods","password",configuration
}
}
}
}
option disabled '0' in file /etc/config/radius to enable the service,uci set radius.@radius[0].disabled='0'; uci commit radius; to enable the service.service radius restart starts the service. Or restart the entire OpenWRT system.eapol-test command, PEAP authentication test OK.eapol-test command, TLS authentication test OK.The RADIUS service is used for EAP authentication for WiFi.
This is kind of a complete instructions to do it? If yes,why do you not provide some details? On a first glance the instructions look good. Thanks for your effort but please add a little bit of context 
What details do you need? Please let me know.
I was using Freeradius3 previously.
Consider I just need simple enterprise wifi authentication,
it would be good just use hostapd/wpad without install a little bulky freeradius.
What is the difference between WPAD and HostAPD in this case ?
Actually after I have installed wpad or hostapd I found radius service also added.
So no need wpad-openssl ?
Is there any documentation about the config files ?
For EAP-PEAP, MS-CHAPv2, is there any additional packages is needed ?
hostapd-radius command & the RADIUS service.hostapd, hostapd-openssl, hostapd-mbedtls, hostapd-wolfssl, wpad, wpad-openssl, wpad-mbedtls, wpad-wolfsslhostapd-radius command & radius service.hostapd,hostapd-openssl,wpad,wpad-openssl, the RADIUS service works OK./etc/radius/users, I couldn't find the document either, it's all my guess and testing.{
"phase1": {
"wildcard": [
{
"name": "*",
"methods": [ "PEAP" ]
}
]
},
"phase2": {
"users": {
"u001": {
"method": ["MSCHAPV2"],
"password": "pass01"
},
"u002": {
"method": ["MSCHAPV2"],
"password": "pass02"
}
}
}
}
{
"phase1": {
"wildcard": [
{
"name": "*",
"methods": [ "TLS" ]
}
]
},
"phase2": {
"users": {
}
}
}
{
"phase1": {
"wildcard": [
{
"name": "*",
"methods": [ "PEAP","TLS" ]
}
]
},
"phase2": {
"users": {
"u001": {
"method": ["MSCHAPV2"],
"password": "pass01"
},
"u002": {
"method": ["MSCHAPV2"],
"password": "pass02"
}
}
}
}
opkg install openssl-util
mkdir -p /root/certs/
cd /root/certs/
## create CA certificate
openssl ecparam -name prime256v1 -out ec_param
openssl req -nodes -newkey ec:ec_param -days 3650 -x509 -sha256 -keyout ecca.key -out ecca.crt
## Create server certificate
openssl req -nodes -newkey rsa:2048 -days 3650 -sha256 -keyout server.key -out server.csr
mkdir ./demoCA/
mkdir ./demoCA/newcerts
touch ./demoCA/index.txt
echo 01 > ./demoCA/serial
openssl ca -extensions v3_ca -days 3650 -out server.crt -in server.csr -cert ecca.crt -keyfile ecca.key -policy policy_anything
ecca.crt, server.crt, server.keycd /root/certs/
openssl req -nodes -newkey ec:ec_param -days 3650 -sha256 -keyout userec.key -out userec.csr
openssl ca -extensions v3_ca -days 3650 -out userec.crt -in userec.csr -cert ecca.crt -keyfile ecca.key
userec.crt, userec.key