Setup FreeRADIUS 3 - Issues and some feedback

@ahmar16
Hi All, Just flashed the old router with the latest OpenWrt and all is well. Tried installing FreeRADIUS with the help of this document: https://openwrt.org/docs/guide-user/network/wifi/freeradius

Some feedback:

  1. Had to break up the following into two lots while installing: `opkg install freeradius3 freeradius3-common freeradius3-democerts freeradius3-mod-always freeradius3-mod-attr-filter freeradius3-mod-chap freeradius3-mod-detail freeradius3-mod-digest freeradius3-mod-eap freeradius3-mod-eap-gtc freeradius3-mod-eap-leap freeradius3-mod-eap-md5 freeradius3-mod-eap-mschapv2 freeradius3-mod-eap-peap freeradius3-mod-eap-tls freeradius3-mod-eap-ttls freeradius3-mod-exec freeradius3-mod-expiration freeradius3-mod-expr freeradius3-mod-files freeradius3-mod-ldap freeradius3-mod-logintime freeradius3-mod-mschap freeradius3-mod-pap freeradius3-mod-passwd freeradius3-mod-preprocess freeradius3-mod-radutmp freeradius3-mod-realm freeradius3-mod-unix freeradius3-utils`

  2. Found a RADIUS server testing tool that seems to work for me: https://ntradping.apponic.com/

  3. I went all the way through Step 5 without further issues, but can't get step 6 to work. Any elaboration would be much appreciated. Thanks

Hi,

I'm pretty new to freeradius too, but I'll try.
If you use LuCI it will probably be more clear to you. I'm also quite new with uci.

Can you tell us exactly what you did for step 6?

Also, you don't have to install all the modules you will not be using (might save some space).
BUT you have to disable them by commenting them out in the authorize/authentication section of your enabled site.
If you don't install all the modules, it might be annoying to find out what to disable,
but you can always run freeradius in debug mode 'radiusd -X' and it will usually tell you
if there is something wrong, and sometimes it can also be ignored.

On step 6, you set up your wifi the usual way, then use encryption.

    option auth_server '127.0.0.1'    #[1]
    option auth_secret '**********'   #[2]

[1] If your freeradius is installed on the router then you can keep it as is,
otherwise put the IP address of your radius server and you probably have to
specify the NAS id (Network Access Server NOT Network Attached Storage).
If your freeradius is installed on a separate server, you can add something like this
in your clients.conf:

    client GLiNET_ARM300 {
        ipaddr = 192.168.10.1       # Your NAS IP here (if you haven't done any fancy stuff yet with OpenWrt, it's the router's IP)
        secret = your_secret_here   # e.g. 'testing123'; it just has to be the same on your NAS
    }

[2] For testing you can put 'testing123' here, the important thing is, whatever
you put here must be the same as what is in your clients.conf.

There's a lot more to it and depends on the authentication type you choose and
if some form of database is used.
I'm sure some smarties will chime in for more info.
If nothing else you're going to have to learn google-fu :slight_smile:
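The point made in [2] above, that the `auth_secret` on the NAS must equal the `secret` of the matching `clients.conf` entry, can be checked mechanically. The script below is an added example, not part of any post in this thread: the file contents are constructed samples, the function names are hypothetical, and flagging `testing123` assumes it is meant only as a test value, as the post says.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the RADIUS shared secret
# configured on the NAS (OpenWrt /etc/config/wireless) matches the client
# entry FreeRADIUS will use for that NAS (clients.conf).

# Print each auth_secret in a UCI wireless file (assumes single-quoted values).
wireless_secrets() {
    sed -n "s/^[[:space:]]*option[[:space:]]\{1,\}auth_secret[[:space:]]\{1,\}'\([^']*\)'.*/\1/p" "$1"
}

# Print the secret of the clients.conf block whose ipaddr equals $2.
# Assumes one "key = value" per line and no '#' inside the secret.
client_secret() {
    awk -v ip="$2" '
        { sub(/#.*/, "") }                      # drop trailing comments
        /^[ \t]*client[ \t]/ { addr = ""; sec = "" }
        /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "ipaddr") addr = val
            if (key == "secret") sec = val
        }
        index($0, "}") { if (addr == ip) print sec }
    ' "$1"
}

# $1 = wireless file, $2 = clients.conf, $3 = NAS IP as seen by the server.
# Prints one verdict per auth_secret found on the NAS side.
check_secrets() {
    server=$(client_secret "$2" "$3")
    [ -n "$server" ] || { echo "NO_CLIENT_ENTRY"; return 0; }
    wireless_secrets "$1" | while IFS= read -r nas; do
        if [ "$nas" != "$server" ]; then echo "MISMATCH"
        elif [ "$nas" = "testing123" ]; then echo "MATCH_BUT_DEFAULT_SECRET"
        else echo "MATCH"; fi
    done
}

# Constructed sample files, modelled on the snippets in this thread.
demo=$(mktemp -d)
printf "config wifi-iface 'default_radio1'\n\toption encryption 'wpa2'\n\toption auth_server '127.0.0.1'\n\toption auth_secret 'testing123'\n" > "$demo/wireless"
printf 'client localhost {\n\tipaddr = 127.0.0.1\n\tsecret = testing123\n}\nclient GLiNET_ARM300 {\n\tipaddr = 192.168.10.1  # NAS IP\n\tsecret = your_secret_here\n}\n' > "$demo/clients.conf"

check_secrets "$demo/wireless" "$demo/clients.conf" 127.0.0.1
check_secrets "$demo/wireless" "$demo/clients.conf" 192.168.10.1
```

On a real router the first two arguments would be `/etc/config/wireless` and the server's `clients.conf`, and the third is the address the RADIUS server sees the NAS coming from.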

@syying
Hello, I have a Radius 3 Server running, but not on my router; it's running on a MacBookPro with Ubuntu on it with the Daloradius web interface. Looking at your config, the NAS IP is the address of the device that sends authentication requests to your FreeRadius3 server IP; in my case, it's my router's IP (the NAS client), that then sends the request to the IP that is "asking" the IP where the Radius server is running on. I use it for WLAN IEEE 802.1x Authentication .... with the Daloradius web interface for managing users!
Good Luck, took me also some days to figure it out and some reading, till everything worked fine... :joy::joy:

Hi everyone, I am not at home at the moment so I can't really provide any details on what to do but I'll be sure to provide you more info in a couple of days. Although I have tried to explain as much as I could in the documentation.

Thanks to everyone for helping out.

My router has two wifi radios (2.4/5GHz) and I added 2 lines under radio1 (5GHz) for testing (edited file: /etc/config/wireless):

    option auth_server '127.0.0.1'
    option auth_secret 'testing123'

I also added bob/hello test user/pwd. Rebooted router and saw /usr/sbin/radiusd -f running.

Current obstacles:

  1. Do not see Radius* choices in the LuCI Wireless Security screen.
  2. May I know if there is a suggested setting on the client-side? WPA2-Enterprise + MS PEAP does not seem to work.

With best regards

The full wpad package must be installed to support Enterprise as either an AP or a client.

In your wifi configuration, set `option encryption wpa2`.

To debug freeradius, disable it as a service, then run it in foreground debug mode in a separate terminal window: `radiusd -X`

The default configuration of freeradius is very bloated. A minimal configuration would include PEAP with inner MSCHAPV2. This is the only method supported by Windows clients.

It works now!

For those dummies unfamiliar with Windows client setup like me, pls also refer to - https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_WPA2-Enterprise_in_Windows_Vista_and_Windows_7

Thanks!
