A few days ago, I came to the conclusion that having a single wifi password for a growing startup just isn't a viable solution. Shared passwords in general are not a very good idea, and the very large number of devices connected make changing the wireless password a cumbersome task. So, I decided to implement WPA2 Enterprise.

WPA2 Enterprise is a protocol for wireless authentication. It passes authentication requests to a radius server. Radius is a very large open ended protocol for authentication. The end goal from this is to have individual usernames and passwords for each user of the wifi network.

While there certainly are easier to configure commercial solutions, I wanted to go with Freeradius. The biggest challenge setting up Freeradius is getting a solid process for setting it up. There are guides out there, but a lot of them are outdated or don't deal with specific setups. After digging through numerous forum posts and mailing list archives, I got it working. Here's how I set it up.

Installation

To start you'll want an Ubuntu 14.04 server. This will probably work on other Ubuntu versions, but the some things may change.

Install Freeradius and easy-rsa. We'll borrow the Openvpn project's easy-rsa scripts to make the Openssl configuration easier.

apt-get install freeradius easy-rsa samba winbind

The server starts automatically, so we'll stop it for now.

service freeradius stop

The first thing we'll do is configure the server certificates. Copy the easy-rsa scripts into your certificate directory

cp -R /usr/share/easy-rsa /etc/freeradius/certs/

Now generate the certificate authority

cd /etc/freeradius/certs/easy-rsa

source vars

./clean-all

./build-ca

The build-ca command will ask you for some information. I highly recommend you enter a password for your CA. Make sure you keep this password as you will need it for creating certificates. Note: do not make the common name of the CA your server's fully qualified domain name or FQDN. Common names should be unique and you will use your server's FQDN for its certificate, which we will generate next.

./build-key-server server

You'll have to enter your information again. This time put the server's FQDN as the common name. I.E. freerad.practichem.com. Answer yes to sign the certificate with the CA.

Now we will copy the needed files for Freeradius.

cp keys/ca.crt /etc/freeradius/certs/

I will leave a copy of the CA in the easy-rsa directory so we can generate client keys with it later.

mv keys/radius\* /etc/freeradius/certs/

Now we need to change the owner of the server certificates to the freerad user

chown freerad /etc/freeradius/certs/server*

At this point you should have a working radius server setup. You can test it by adding this line to the users file. Just remember to remove it when you are finished testing.

testuser Cleartext-Password := "testpassword"

Now, start your radius server in debugging mode, and in another terminal run the radtest command.

freeradius -X

radtest testuser testpassword localhost 0 testing123

You should see an access accepted response. If you see access rejected, something on your server has been incorrectly setup. The output of the freeradius -X command should have more information.

Active Directory Integration

This active directory integration method uses MSCHAP and MSCHAPv2. The two main authentication methods that will work with this are PEAP with MSCHAP or TTLS with MSCHAP. Both are equally secure, but PEAP works on a wider range of devices, so I decided to have users use PEAP.

First you will want to edit your smb.conf

nano /etc/samba/smb.conf

Make sure the following parameters are set. Workgroup was the only one that was in my smb.conf by default.

workgroup = ADDomain  
security = ads  
password server = domain-controller.domain.tld  
realm = domain.tld  
1234

The realm will generally be just the domain. In my case it was practichem.com.

Now edit your kerberos configuration

nano /etc/krb5.conf

Under the [realms] heading add the following. Again, the default in active directory is to set the realm to the domain.

domain.tld = {

>kdc = **domain-controller.domain.tld**

>}
12345

Start samba

service samba start

Now join the active directory domain. You will need a domain admin's credentials to do this.

net join -u Administrator

Verify that the domain is connected. Note that you can add a space before a command to prevent it from being added to the history. This is useful when dealing with cleartext passwords.

ntlm_auth --request-nt-key --domain=ADDomain --username=user --password=password

You should see an NTSTATUSOK message.

Before Freeradius can connect to winbind, it will need access to it's socket. While the socket itself has 777 permissions, the surrounding directory is root:root 750. The freerad user needs read and execute access. There are a couple of ways to do this; I added the freerad user to the winbindd_priv group, and gave that group access to the socket directory.

usermod -a -G winbindd_priv freerad

chmod :winbindd_priv /var/lib/samba/winbindd_privileged/

Now we will configure Freeradius to use the ntlm_auth for MSCHAP. Edit /etc/freeradius/modules/ntlm_auth. Replace /path/to/ntlm_auth with /usr/bin/ntlm_auth. Replace MYDOMAIN as your active directory domain.

Open /etc/freeradius/modules/mschap. Replace /path/to/ntlm_auth with /usr/bin/ntlm_auth. Replace MYDOMAIN as your active directory domain.

Edit /etc/freeradius/sites-enabled/default and /etc/freeradius/sites-enabled/inner-tunnel. Under the authenticate section add ntlm_auth.

>authenticate {

>...

>ntlm_auth

>...

>}
123456789

Now you can test the MSCHAP authentication with radtest.

radtest -t mschap **aduser** **adpassword** localhost 0 testing123

If you see an access-accept message, active directory is integrating with Freeradius.

Configure Clients

Now we will configure FreeRadius to allow an AP to connect. Edit /etc/freeradius/clients.conf Add a client config.

>client **client IP** {
    >secret = **client-shared-secret**
    >shortname = wirelessAP
    >nastype = other
>}
12345

Finally start freeradius in service mode.

service freeradius start

You should now be able to connect your wireless access point to your Freeradius server. Clients will be able to authenticate with their AD credentials with PEAP MSCHAP or TTLS MSCHAP. This will get you support on pretty much every single platform. If you have clients that you want to just authenticate with certificates, you can use easy-rsa to generate client certificates. The Arch Linux wiki has a good guide on this. I also strongly recommend that you have the clients validate the server with the ca.crt file. For more information on why this is needed see this video.

For more information on Freeradius check out the wiki, and Alan DeKok’s site deployingradius.com.

Sources

deployingradius.com/documents/configuration/active_directory.html

wiki.archlinux.org/index.php/CreateaPublicKeyInfrastructureUsingtheeasy-rsaScripts