Prerequisite
- Modding series 9 – Setup an OpenLDAP Server
- Modding series 21 – Install FreeRadius Server and integrate with OpenLDAP Server
Set up FreeRadius to support EAP-PEAP-TLS
- SSH to DS as root
- Edit /opt/etc/raddb/radiusd.conf and add the following line, so that the virtual servers under sites-enabled (default and inner-tunnel, edited below) are loaded:
# vi /opt/etc/raddb/radiusd.conf
# add sites-enabled to the config
$INCLUDE ${confdir}/sites-enabled/
- Edit /opt/etc/raddb/radiusd.conf again, look for the authenticate section and add mschap within that section. PEAP carries an MSCHAPv2 exchange inside its TLS tunnel and the mschap module is what answers it. Note that MSCHAPv2 can only be verified when the server knows the user's cleartext password or NT hash: a bind-only LDAP check (Auth-Type LDAP) cannot replace it, so the ldap module's bind DN must be able to read the password attribute in a form mschap can use (a hashed userPassword such as {SSHA} is not usable for MSCHAPv2).
# vi /opt/etc/raddb/radiusd.conf
authenticate {
        . . .
        # add mschap
        mschap
}
- Look for the modules section and add three lines within it as below:
# vi /opt/etc/raddb/radiusd.conf
modules {
        # add expiration, logintime and attr_filter modules
        $INCLUDE ${confdir}/modules/expiration
        $INCLUDE ${confdir}/modules/logintime
        $INCLUDE ${confdir}/modules/attr_filter
}
- Edit /opt/etc/raddb/eap.conf and change default_eap_type to peap:
# vi /opt/etc/raddb/eap.conf
. .
default_eap_type = peap
. .
- Edit /opt/etc/raddb/sites-enabled/default, look for the authorize section and un-comment the ldap line:
# vi /opt/etc/raddb/sites-enabled/default
authorize {
        . .
        # un-comment the ldap
        ldap
        . .
}
Then look for the authenticate section and un-comment Auth-Type LDAP as well:
# vi /opt/etc/raddb/sites-enabled/default
authenticate {
        . .
        # un-comment the ldap
        Auth-Type LDAP {
                ldap
        }
        . .
}
- Edit /opt/etc/raddb/sites-enabled/inner-tunnel, look for the authorize section and un-comment the ldap line:
# vi /opt/etc/raddb/sites-enabled/inner-tunnel
authorize {
        . .
        # un-comment the ldap
        ldap
        . .
}
Then look for the authenticate section and un-comment Auth-Type LDAP as well:
# vi /opt/etc/raddb/sites-enabled/inner-tunnel
authenticate {
        . .
        # un-comment the ldap
        Auth-Type LDAP {
                ldap
        }
        . .
}
- Edit /opt/etc/raddb/clients.conf and add the Wi-Fi access point as a RADIUS client:
# vi /opt/etc/raddb/clients.conf
# add access point details here, 192.168.0.1 is the ip of the access point
client 192.168.0.1 {
        secret = [shared secret password of radius server]
        shortname = [SSID of the access point]
        nastype = other
}
The same secret is entered on the access point. It is the only thing that authenticates the access point to the server (and the server's replies to the access point), so use a long random value rather than a word, and list only the access point's address as a client.
- If the firewall is enabled on your DiskStation, add a rule that allows the Wi-Fi access point to reach UDP ports 1812, 1813 and 1814 (1812 is authentication and 1813 is accounting; those two are the ports the access point talks to).
At this point the RADIUS server can already authenticate WPA/WPA2-Enterprise clients with a username and password (PEAP).
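The exchange the access point and the server perform, as an added example that is not code from the original post or from FreeRADIUS: a minimal RADIUS client and server in Python that build and check the Access-Request and Access-Accept/Reject packets of RFC 2865 and the Message-Authenticator of RFC 2869, so that the role of the clients.conf shared secret is visible. It sends a plain username and password (PAP) instead of the PEAP tunnel so the password handling can be seen; the user table, secrets and request identifier are constructed values.

```python
# Simulated RADIUS Access-Request/Access-Accept exchange (RFC 2865, RFC 2869).
# Added example, not code from the original post or from FreeRADIUS. It shows what
# the clients.conf shared secret does on the wire: it hides the password, keys the
# Message-Authenticator that EAP exchanges require, and keys the Response
# Authenticator the access point checks. Secrets, names and the user table are
# constructed sample data.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80
HEADER = struct.Struct("!BBH")  # code, identifier, total length; 16-byte authenticator follows

def attr(kind, value):
    """Type-Length-Value encoding; the length counts the two header bytes."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def find_attr(packet, kind):
    """Walk the attribute list after the 20-byte header; return (offset, value) or None."""
    i = 20
    while i < len(packet):
        kind_here, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        if kind_here == kind:
            return i, packet[i + 2:i + length]
        i += length
    return None

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password; only a server holding the same secret recovers it."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def sign_message_authenticator(packet, secret):
    """RFC 2869 5.14: HMAC-MD5 keyed with the secret over the packet, MA value zeroed."""
    offset, _ = find_attr(packet, MESSAGE_AUTHENTICATOR)
    zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return packet[:offset + 2] + mac + packet[offset + 18:]

def check_message_authenticator(packet, secret):
    """True only if the sender used this secret and nothing in the packet was altered."""
    found = find_attr(packet, MESSAGE_AUTHENTICATOR)
    return found is not None and hmac.compare_digest(
        found[1], sign_message_authenticator(packet, secret)[found[0] + 2:found[0] + 18])

def build_access_request(identifier, secret, username, password, req_auth=None):
    """What the access point sends (PAP here so the password handling is visible)."""
    req_auth = req_auth or os.urandom(16)
    attrs = attr(USER_NAME, username)
    attrs += attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder, filled in below
    packet = HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth + attrs
    return sign_message_authenticator(packet, secret)

def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """What the access point checks before it trusts an Access-Accept."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(response[4:20], expected)

def serve_access_request(packet, secret, users):
    """Minimal server side. A bad Message-Authenticator means the client's secret differs
    from clients.conf; the packet is dropped with no reply, as FreeRADIUS does for EAP."""
    if packet[0] != ACCESS_REQUEST or not check_message_authenticator(packet, secret):
        return None
    name, hidden = find_attr(packet, USER_NAME), find_attr(packet, USER_PASSWORD)
    if name is None or hidden is None:
        return build_response(ACCESS_REJECT, packet, secret)
    password = unhide_password(hidden[1], secret, packet[4:20])
    ok = name[1] in users and hmac.compare_digest(users[name[1]], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, packet, secret)

def run_exchange(ap_secret, server_secret, username, password):
    """Drive one exchange end to end; returns 'accept', 'reject' or 'dropped'."""
    users = {b"alice": b"s3cret!"}  # constructed sample account
    request = build_access_request(7, ap_secret, username, password)
    response = serve_access_request(request, server_secret, users)
    if response is None or not verify_response(response, request, ap_secret):
        return "dropped"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"
```

With the same secret on both sides run_exchange returns accept or reject depending on the password; with a mismatched secret the server never answers, which is what FreeRADIUS does when the Message-Authenticator on an EAP request does not verify, and on the access point that shows up as a timeout rather than a rejection. Everything here is keyed with MD5 and the shared secret, which is why the secret should be long and random and why the RADIUS traffic should stay on the wired LAN between the access point and the DS.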
Generate client certificate
If you do not plan to authenticate Wi-Fi clients with client certificates, you can skip this part.
- SSH to DS as root
- Edit /opt/etc/raddb/certs/client.cnf; refer to modding series 21 for details about this client certificate config file.
** IMPORTANT The Country Name, State and Organization Name MUST match the values of the CA. The client certificate is signed with the policy_match policy from ca.cnf, which requires exactly these three fields to equal the CA's own, and openssl refuses to sign the request otherwise.
- Before generating the client certificate, we MUST back up the original certificates first:
# cd /opt/etc/raddb
# cp -r certs certs.b4genclient
- Generate a client certificate:
# cd /opt/etc/raddb/certs
# make client.pem
- To generate a client certificate for another Wi-Fi client, edit client.cnf (at least the commonName, so each client gets its own identity) and run make client.pem again. Because make only rebuilds targets whose files are missing, move the previous client.key, client.csr, client.crt and client.pem aside first. If make fails and says it couldn't load a certificate, copy server.crt back from the backup directory and try again:
# cp /opt/etc/raddb/certs.b4genclient/server.crt /opt/etc/raddb/certs
# make client.pem
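A pre-flight check for the rule above that Country Name, State and Organization Name must match the CA, as an added example that is not part of the original post or of FreeRADIUS: it parses the [req_distinguished_name] sections of ca.cnf and client.cnf and lists the fields that the CA's policy_match section marks as match but whose values differ, which is clearer than the error openssl prints when make client.pem fails for this reason. The cnf texts embedded in the block are constructed samples; the paths used when it is run as a script are the ones from this post.

```python
# Pre-flight check for the CA policy_match rule. Added example, not part of the
# original post or of FreeRADIUS. CA_CNF and the CLIENT_*_CNF texts below are
# constructed samples in the layout of the FreeRADIUS cnf files.

# FreeRADIUS's ca.cnf marks these three fields as "match"; used only if the CA
# config has no policy_match section to read the rule from.
DEFAULT_POLICY_MATCH = ("countryName", "stateOrProvinceName", "organizationName")


def parse_cnf_section(text, section):
    """Return key/value pairs of one [section] of an OpenSSL-style cnf file."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()  # "[ req_distinguished_name ]" -> name
        elif current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values


def required_fields(ca_cnf):
    """Fields the CA's policy_match section requires to equal the CA's subject."""
    policy = parse_cnf_section(ca_cnf, "policy_match")
    matched = [field for field, rule in policy.items() if rule == "match"]
    return matched or list(DEFAULT_POLICY_MATCH)


def policy_mismatches(ca_cnf, client_cnf):
    """Names of the required fields whose value in client.cnf differs from ca.cnf."""
    ca_dn = parse_cnf_section(ca_cnf, "req_distinguished_name")
    client_dn = parse_cnf_section(client_cnf, "req_distinguished_name")
    return [f for f in required_fields(ca_cnf) if ca_dn.get(f) != client_dn.get(f)]


CA_CNF = """\
[ ca ]
default_ca = CA_default

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied

[ req_distinguished_name ]
countryName         = SG
stateOrProvinceName = Singapore
organizationName    = Home Lab
commonName          = "Home Lab Certificate Authority"
"""

CLIENT_OK_CNF = """\
[ req_distinguished_name ]
countryName         = SG
stateOrProvinceName = Singapore   # same three values as the CA
organizationName    = Home Lab
commonName          = laptop-01
"""

# Same file with the state changed: openssl ca would refuse to sign this request.
CLIENT_BAD_CNF = CLIENT_OK_CNF.replace("Singapore", "SG-Central")

if __name__ == "__main__":
    # Paths from this post; run on the DS before "make client.pem".
    with open("/opt/etc/raddb/certs/ca.cnf") as ca, open("/opt/etc/raddb/certs/client.cnf") as cl:
        bad = policy_mismatches(ca.read(), cl.read())
    print("OK, the CA will sign client.cnf" if not bad else "fix before signing: " + ", ".join(bad))
```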