Setting up RADIUS on a Raspberry Pi
WPA2 Personal with a strong passphrase is secure enough for most home networks where every device and user can be trusted, but using 802.1X with WPA2 Enterprise makes a wireless network much harder to break into. You also no longer have to worry about a single shared passphrase ending up in the wrong hands. With RADIUS you get centralized access management for your home network, and when RADIUS authenticates Wi-Fi users, each user's session gets its own encryption keys between their device and the access point.
This guide shows the process I went through to set up a RADIUS server on a Raspberry Pi for use with my UniFi AP. While it has been tested on Raspbian, it should work on basically any Debian-based system.
Install FreeRADIUS 3.0
Installing FreeRADIUS using the package manager is as easy as it gets.
$ sudo apt update
$ sudo apt install freeradius
Generate DH Parameters
$ sudo openssl dhparam -out /etc/freeradius/3.0/certs/dh 2048
This will take some time. You may want to do this on a desktop computer and then copy the result over to the Pi.
Generate Certificates
First modify the ca.cnf file. If you are missing any of the default config files, they can be copied from the FreeRADIUS GitHub repository.
$ sudo vim /etc/freeradius/3.0/certs/ca.cnf
Add two unique passphrases to the input_password and output_password fields, and edit the certificate_authority section so it has the correct values for your country, state, etc.
Generate the CA certificate:
$ sudo /etc/freeradius/3.0/certs/make ca.pem
Then modify the server.cnf file:
$ sudo vim /etc/freeradius/3.0/certs/server.cnf
Add two unique passphrases to the input_password and output_password fields, and edit the server section so it has the correct values for your country, state, etc.
Generate the server certificate:
$ sudo /etc/freeradius/3.0/certs/make server.pem
Modify the EAP Configuration
Open up the config:
$ sudo vim /etc/freeradius/3.0/mods-enabled/eap
In the “eap” section, change the “default_eap_type” from md5 to tls.
default_eap_type = tls
Then scroll down to the tls-config section and set private_key_password to the output_password you chose in server.cnf. The section should contain the following:
tls-config tls-common {
    private_key_password = output_password_from_server.cnf   # the output_password you set in server.cnf
    private_key_file = ${certdir}/server.key
    certificate_file = ${certdir}/server.crt
    ca_file = ${certdir}/ca.pem
    dh_file = ${certdir}/dh
    ecdh_curve = "secp384r1"
}
Add a Client
The clients can be found in the following file:
$ sudo vim /etc/freeradius/3.0/clients.conf
Feel free to remove the localhost entry after the first test at the end of this guide.
Add your client to the file. This example is for a Wi-Fi AP:
client unifi {
    secret = your_unique_client_secret
    ipaddr = 10.10.10.2                # the IP address of your AP
    shortname = your_wifi_ssid         # any short label, e.g. your Wi-Fi SSID
}
Add Users
Open up the users file:
$ sudo vim /etc/freeradius/3.0/users
Add your users to the file, e.g.:
john Cleartext-Password := "johns_passphrase"
Start and Test the Server
Start the server:
$ sudo /etc/init.d/freeradius start
Test the connection:
$ radtest john johns_passphrase localhost 0 testing123
If this results in an error, check the localhost section in the clients.conf file and make sure ipaddr holds the correct IP address.
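To see what the radtest command above actually exchanges with the server, and what the client secret from clients.conf protects, here is an added example (not part of this guide or of FreeRADIUS) that builds the same PAP Access-Request in pure Python following RFC 2865 and verifies the server's reply. The user, password and secret (testing123, the default localhost secret) are the ones used in the test above; everything else is constructed here.

```python
# Added example, not part of the guide: a minimal RADIUS/PAP client (RFC 2865)
# doing what `radtest john johns_passphrase localhost 0 testing123` does.
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide: anyone holding the secret and the packet recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def attr(kind, value):  # one Type-Length-Value attribute
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(user, password, secret, ident=0, nas_port=0):
    """Access-Request with a fresh Request Authenticator and a hidden User-Password."""
    authenticator = os.urandom(16)
    attrs = (attr(USER_NAME, user.encode()) + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(USER_PASSWORD, pap_hide(password.encode(), secret, authenticator)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_reply(code, ident, secret, request_authenticator, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def response_is_authentic(reply, secret, request_authenticator):
    """Only a server holding the same shared secret can produce a valid Response Authenticator."""
    if len(reply) < 20:
        return False
    reply = reply[:struct.unpack("!H", reply[2:4])[0]]
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return reply[4:20] == expected
```

To run it against the server from this guide, send the bytes from build_access_request("john", "johns_passphrase", b"testing123") over UDP to 127.0.0.1:1812 and pass the reply to response_is_authentic with the same secret and authenticator; a first byte of 2 is an Access-Accept. Note that pap_reveal shows why the client secret must be strong and unique per client: whoever holds it and captures the packet gets the user's password back.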
Done
That’s it. You now have a working RADIUS server which you can use with any service. Securing your Wi-Fi with WPA2 Enterprise couldn’t be much easier.