Providing 802.1X authentication with FreeRADIUS and PEAPv0/EAP-MSCHAPv2 support over a Raspberry Pi

This article covers a step by step how-to dealing with the right orchestration of some software components that can help to secure for example a guest network at your home. Because of the lightweight software usually an older Raspberry Pi model will be fine for the job. Most of the following steps will just be the same on other Debian based Linux distributions.

The goal

The goal is to provide

• RADIUS based AAA mechanisms in your local network with the help of FreeRADIUS over a secure tunnel (PEAP in conjunction with MS-CHAPv2, what in reality is PEAPv0/EAP-MSCHAPv2)
• an browser based administration interface in form of daloRADIUS
• MySQL support for the above points

Prerequisites

• Running Raspian
• The RasPi is listening on a static IP address in your local network

How-to

First of all install the mostly obvious parts and some further dependencies:

sudo apt-get install freeradius freeradius-mysql apache2 php5 libapache2-mod-php5 mysql-server mysql-client php5-mysql php-pear php5-gd php-db

During this installation you will be asked for a root password to access your MySQL system, so be careful for a moment.

FreeRADIUS

As the default mode FreeRADIUS looks up its users in a plain file. As a first test you may edit it and run FreeRADIUS in debug mode. But that’s not my scope here.

In order to instruct FreeRADIUS to administrate its users in a mysql database you have to change the config

sudo vi /etc/freeradius/radiusd.conf

where you uncomment two lines

# $INCLUDE sql.conf
# $INCLUDE sql/mysql/counter.conf

as well as you have to change

sudo vi /etc/freeradius/sql.conf

where you change those values to your needs:

server = "localhost"
#port = 3306
login = "radiususer"
password = "radius_password"
# Database table configuration for everything except Oracle
radius_db = "radiusdb"

Now enable SQL for authorization, accounting, sessions and post-authentication in FreeRADIUS. Therefore edit

sudo vi /etc/freeradius/sites-enabled/default

by uncommenting the sql keyword in these lines:

# See "Authorization Queries" in sql.conf
sql
# See "Accounting queries" in sql.conf
sql
# See "Simultaneous Use Checking Queries" in sql.conf
sql
# See "Authentication Logging Queries" in sql.conf
sql

To restrict access to the RADIUS instance edit

sudo vi /etc/freeradius/clients.conf

where you add rules like

client 192.168.2.0/29 {
 secret = somesecret
 shortname = radius_wlan_guest
}

to allow access only to hosts of the network 192.168.2.0/24.

Restart FreeRADIUS:

sudo /etc/init.d/freeradius restart

MySQL and daloRADIUS

Next step is to configure MySQL. Do it together with the setup of daloRADIUS so you don’t have to open a MySQL prompt multiple times.

Download daloRADIUS (a web based frontend for FreeRADIUS) and extract it to a location in your web-root:

cd ~/downloads
wget http://downloads.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
sudo tar zxvf daloradius-0.9-9.tar.gz -C /var/www/
sudo mv /var/www/daloradius-0.9-9/ /var/www/daloradius
cd /var/www/daloradius

Now open a mysql prompt, add a new user and execute a script provided by daloRADIUS:

mysql -uroot -p
mysql>create database radiusdb;
mysql>exit
mysql -u root -p radiusdb < /var/www/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
mysql -u root -p
mysql>CREATE USER 'radiususer'@'localhost';
mysql>SET PASSWORD FOR 'radiususer'@'localhost' = PASSWORD('radius_password');
mysql>GRANT ALL ON radiusdb.* to 'radiususer'@'localhost';
mysql>exit

Afterwards edit those two files:

sudo vi /var/www/daloradius/library/daloradius.conf.php
sudo vi /var/www/daloradius/daloradius-users/library/daloradius.conf.php

For some reasons daloRADIUS provides separated configurations for the system administration frontend and for the user frontend. You have to change the following:

$configValues['CONFIG_DB_ENGINE'] = 'mysql';
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'radiusuder';
$configValues['CONFIG_DB_PASS'] = 'radius_password';
$configValues['CONFIG_DB_NAME'] = 'radiusdb';

From now on daloRADIUS is accessible via:

• http://your_server/daloradius/
• http://your_server/daloradius/daloradius-users/

Log in to the system administration GUI with default credentials username = administrator, password = radius. Change the password for administrator under configuration -> operator.

Create an additional testuser and allow him to access the user frontend under edit user -> user info -> check: “Enable User Portal Login”, set a “User Portal Login Password”. Be careful with the passwords. Our combination PEAPv0/EAP-MSCHAPv2 only allows the usage of NT password hashes or cleartext passwords (info).

PEAPv0/EAP-MSCHAPv2

This combination is a wide spread one and will be usable nearly out of the box by most clients. With the default EAP type MD5 you will not get lucky if you try to authenticate a Microsoft Client. They stopped to support MD5. For this reason and because it is not very secure you may change it.

In

sudo vi /etc/freeradius/eap.conf

take a look at the section “eap” and change

default-eap-type = md5

to

default-eap-type = peap

Create certificates

The required files are under /usr/share/doc/freeradius/example/certs. Take them to another folder an start certificate creation:

cd /usr/share/doc/freeradius/examples/certs
sudo cp Makefile ca.cnf server.cnf xpextensions /etc/freeradius/certs
cd /etc/freeradius/certs

Edit ca.cnf and server.cnf the thame way as follows:

[ CA_default ]
default_days = 1826 # 5 years
[ req ]
input_password = your_inputoutput_password
output_password = your_inputoutput_password
[certificate_authority]
countryName = DE
stateOrProvinceName = somestate
localityName = yourtown
organizationName = yourorg
emailAddress = mail@yourdomain.com
commonName = "some cool short desription"

Make them:

sudo make all

Because the certificate you just generated is not signed by a trusted root ca, you have to provide it (the “ca.der”) at least to all the Windows clients (need to import it).

In the section “tls” of

sudo vi /etc/freeradius/eap.conf

change the private key password

private_key_password = your_inputoutput_password

Enable and configurate MSCHAPv2

In

sudo vi /etc/freeradius/modules/mschap

change

use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes

To tell FreeRADIUS that it has to use SQL in the inner CHAP tunnel edit

sudo vi /etc/freeradius/sites-enabled/inner-tunnel

where you uncomment “sql”:

# See "Authorization Queries" in sql.conf
sql
# See "Simultaneous Use Checking Queries" in sql.conf
sql
# See "Authentication Logging Queries" in sql.conf
sql

Then reload new libraries and restart service:

sudo ldconfig
sudo /etc/init.d/freeradius restart

To go beyond

Secure access to daloRADIUS

Without applying any changes daloRADIUS will be accessable via unsecure HTTP connection. A good idea would be to create a redirection to HTTPS channel.

FreeRadius logging behavior

You may want to change the logging behavior of FreeRADIUS. If so, change the values in

sudo vi /etc/freeradius/radiusd.conf

to fit your needs:

auth = yes
auth_badpass = yes
auth_goodpass = yes

If you recognize problems when daloRADIUS should show up several log file entries (e.g. it says “permission denied”) it is because the user www-data has no right to read the content. If you really wish to see the log content of for example syslog you have to make it readable for www-data.