EE Turunen

Setting up RADIUS on a Raspberry Pi

WPA2 Personal with a strong passphrase is sufficiently secure for most home networks where all devices and users can be trusted, but using 802.1X with WPA2 Enterprise makes a wireless network practically impenetrable. You also don’t have to worry about a single shared passphrase ending up in the wrong hands. With RADIUS you get centralized access management for your home network, and when RADIUS authenticates Wi-Fi users, each user gets their own encrypted tunnel between their device and the access point.

This guide shows you the process I went through to set up a RADIUS server on a Raspberry Pi to use with my UniFi AP. While this guide has been tested on Raspbian, it should work on basically any Debian system.

Install FreeRADIUS 3.0

Installing FreeRADIUS using the package manager is as easy as it gets.

$ sudo apt update
$ sudo apt install freeradius

Generate DH Parameters

$ sudo openssl dhparam -out /etc/freeradius/3.0/certs/dh 2048

This will take some time. You may want to do this on a desktop computer and then copy the result over to the Pi.

Generate Certificates

First modify the ca.cnf file. If you are missing any of the default config files, they can be copied from the FreeRADIUS GitHub.

$ sudo vim /etc/freeradius/3.0/certs/ca.cnf

Add two unique passphrases to the input_password and output_password fields and edit the certificate_authority section to have the correct values for your country, state, etc.

Generate the CA certificate:

$ sudo make -C /etc/freeradius/3.0/certs ca.pem

Then modify the server.cnf file:

$ sudo vim /etc/freeradius/3.0/certs/server.cnf

Add two unique passphrases to the input_password and output_password fields and edit the certificate_authority section to have the correct values for your country, state, etc.

Generate the server certificate:

$ sudo make -C /etc/freeradius/3.0/certs server.pem

Modify the EAP Configuration

Open up the config:

$ sudo vim /etc/freeradius/3.0/mods-enabled/eap

In the “eap” section, change the “default_eap_type” from md5 to tls.

default_eap_type = tls

Then scroll down and set the private_key_password in the tls-config section to the output_password you set in the server.cnf file. The following should be set in the file:

tls-config tls-common {
    private_key_password    = your_server_output_password   # the output_password from server.cnf
    private_key_file        = ${certdir}/server.key
    certificate_file        = ${certdir}/server.crt
    ca_file                 = ${certdir}/ca.pem
    dh_file                 = ${certdir}/dh
    ecdh_curve              = "secp384r1"
}

Add a Client

The clients can be found in the following file:

$ sudo vim /etc/freeradius/3.0/clients.conf

Feel free to remove the localhost entry after our first test at the end of this guide.

Add your client to the file. This example is for a Wi-Fi AP:

client unifi {
    secret    = your_unique_client_secret
    ipaddr    = 10.10.10.2        # your client's IP address
    shortname = your_wifi_ssid    # any label, for example your Wi-Fi SSID
}

Add Users

Open up the users file:

$ sudo vim /etc/freeradius/3.0/users

Add your users to the file, e.g.:

john    Cleartext-Password := "johns_passphrase"

Start and Test the Server

Start the server:

$ sudo /etc/init.d/freeradius start

Test the connection:

$ radtest john johns_passphrase localhost 0 testing123

If this results in an error, modify the localhost section in the clients.conf file and add the correct IP address to “ipaddr”.
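
Once the test passes, it is worth checking clients.conf for leftovers such as the packaged testing123 secret on the localhost entry or the placeholder secret from the client example above. The script below is an added example, not part of the original guide or of FreeRADIUS; the sample config, the thresholds and the function names are assumptions, and it only handles flat client blocks like the ones shown here.

```python
import ipaddress
import re

# Constructed sample in the clients.conf layout shown in this guide (not a real config).
SAMPLE = '''
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client unifi {
    secret    = your_unique_client_secret
    ipaddr    = 10.10.10.2
}
client lab {
    ipaddr = 10.10.0.0/16
    secret = "kT9#vQ2m!xR7pLw4ZbN8sEyU"
}
'''
KNOWN_SECRETS = {"testing123", "your_unique_client_secret"}  # default + guide placeholder
MIN_SECRET_LEN = 16  # assumed local policy
MIN_PREFIX_LEN = 24  # assumed: IPv4 ranges wider than /24 are flagged

def parse_clients(text):
    """Map client name -> {key: value}; assumes flat blocks with no nested sections."""
    clients = {}
    for name, body in re.findall(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", text, re.M | re.S):
        pairs = re.findall(r'^\s*(\w+)\s*=\s*("[^"]*"|[^\s#]+)', body, re.M)
        clients[name] = {key: value.strip('"') for key, value in pairs}
    return clients

def audit(text):
    """Return sorted (client, finding) tuples for weak secrets and broad source ranges."""
    findings = []
    for name, cfg in parse_clients(text).items():
        secret = cfg.get("secret", "")
        if secret in KNOWN_SECRETS:
            findings.append((name, "default or placeholder secret"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, "secret shorter than %d characters" % MIN_SECRET_LEN))
        try:
            net = ipaddress.ip_network(cfg.get("ipaddr", ""), strict=False)
            if net.prefixlen < MIN_PREFIX_LEN:
                findings.append((name, "broad source range %s" % net))
        except ValueError:  # missing, "*", or a hostname
            findings.append((name, "ipaddr is not a literal address or network"))
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join("%s: %s" % finding for finding in audit(SAMPLE)))
```

To run it against the live file, pass the contents of /etc/freeradius/3.0/clients.conf to audit() instead of SAMPLE; reading that file needs root.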

Done

That’s it. You now have a working RADIUS server which you can use with any service. Securing your Wi-Fi with WPA2 Enterprise couldn’t be much easier.