Recently I decided to upgrade my wireless network at home. My current setup is a pfSense firewall and an Airport Extreme access point.
For my new wireless LAN I decided to implement WPA2 Enterprise with EAP-TTLS and a RADIUS backend.
From the wiki entry of EAP-TTLS:
"EAP-TTLS offers very good security. The client does not need to be authenticated via a CA-signed PKI certificate to the server, but only the server to the client. This greatly simplifies the setup procedure as a certificate does not need to be installed on every client."
First I describe the installation of the FreeRADIUS server and the configuration of the Airport Extreme. Next comes the client configuration on Mac OS X Leopard, and finally the installation of an EAP client that supports TTLS on Windows XP/Vista.
pfSense | FreeRADIUS
The first step is to install FreeRADIUS on the pfSense box: in the System menu choose Packages and click install next to freeradius.
Next choose FreeRADIUS from the Services menu. Here we configure the basic setup of FreeRADIUS.

My access point is on the inside LAN, so select LAN from the interface list. Next make a note of the RADIUS listening port (1892 in this setup; the standard RADIUS authentication port is 1812, and whichever port you use has to match what you enter on the access point later). During setup I wanted all the logging I could get, so select yes for all the logging options.
Next make an entry for the access point in the Clients tab.

Enter the IP of the access point, choose a short name and make a secret passphrase (and make a note of it, you need it later on the access point). This shared secret is the only thing that authenticates the access point to the server and the server's replies to the access point, so use a long random string rather than a word. The description is an optional field.
Next is adding the users that may use the WLAN:

I only filled in the required fields: username, password and the maximum number of simultaneous connections.
So much for the GUI part of the configuration. Next we open an SSH session to the firewall and make a few changes to the eap.conf file:
ssh admin@firewall
(choose option 8, Shell, from the console menu)
cd /usr/local/etc/raddb/
vi eap.conf
I made the following changes to the default file:
default_eap_type = ttls
Next uncomment the gtc section and set PAP as its auth_type:
gtc {
auth_type = PAP
}
Next uncomment the TLS block; TTLS runs inside a TLS tunnel, so the TLS block has to be configured before TTLS can be used.
tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
cipher_list = "DEFAULT"
}
(Of course we need to use our own certificates; the demo certificates and the private_key_password shown here ship with FreeRADIUS and are the same on every installation, so anyone can set up a server that presents the same certificate. Generating your own CA and server certificate is the next step and maybe a new article.)
And finally uncomment the TTLS block (its default_eap_type only matters when the client tunnels an EAP method; the PAP inner authentication chosen on the clients below is not an EAP method):
ttls {
default_eap_type = md5
}
After saving this file you need to restart the RADIUS server; this can be done from the Status | Services menu in the pfSense interface.
Access point | Airport Extreme
Now that the RADIUS server is configured, next is the access point. Many access points can provide this functionality, but I'm using an Airport Extreme, so that is what I describe.
Start the AirPort Utility and choose manual configuration of the access point. In the Wireless tab choose WPA2 Enterprise:

Next configure the radius server:

Fill in the IP address of the FreeRADIUS server, the port and the same secret passphrase we chose in the FreeRADIUS config.
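What the shared secret entered on the client tab and on the access point actually does on the wire, as an added example that is not part of the original post: the access point wraps each EAP round in a RADIUS Access-Request carrying a Message-Authenticator (HMAC-MD5 keyed with the secret, RFC 3579), and the server's reply carries a Response Authenticator (MD5 over the reply, the Request Authenticator and the secret, RFC 2865). The packet contents, user name, NAS address and secrets below are constructed; the functions and names are mine, not pfSense's or FreeRADIUS's.

```python
"""Access point <-> RADIUS server exchange for an EAP client, with the two checks the
shared secret provides. Added example, not the post's code; all packet data is constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80


def _attr(atype, value):
    """RADIUS attribute: Type(1) Length(1) Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute too long; split EAP-Message over several attributes")
    return bytes([atype, len(value) + 2]) + value


def build_access_request(secret, ident, username, eap_payload, nas_ip, request_auth=None):
    """What the access point sends for one EAP round. Every packet carrying EAP-Message
    must carry a Message-Authenticator: HMAC-MD5 keyed with the shared secret over the
    whole packet with the Message-Authenticator value zeroed (RFC 3579 3.2)."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(ATTR_EAP_MESSAGE, eap_payload)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    mac = hmac.new(secret, head + request_auth + attrs, hashlib.md5).digest()
    return head + request_auth + attrs[:-16] + mac   # Message-Authenticator is last


def verify_message_authenticator(secret, packet):
    """Server-side check; an EAP request with no valid Message-Authenticator is dropped."""
    attrs, pos = packet[20:], 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            return False                      # malformed attribute, do not loop forever
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received = attrs[pos + 2:pos + 18]
            zeroed = packet[:20 + pos + 2] + bytes(16) + packet[20 + pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False


def build_response(secret, code, request_packet, attrs=b""):
    """Server reply. The Message-Authenticator is computed first (HMAC over the reply with
    the Request Authenticator in the authenticator field), then the Response Authenticator
    MD5(Code+ID+Length+RequestAuth+Attributes+Secret) binds the reply to this request."""
    ident, request_auth = request_packet[1], request_packet[4:20]
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    mac = hmac.new(secret, head + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(secret, request_packet, response_packet):
    """Access-point-side check: the reply answers the outstanding request (same ID)
    and was produced by a party that knows the shared secret."""
    if len(response_packet) < 20 or response_packet[1] != request_packet[1]:
        return False
    head, attrs = response_packet[:4], response_packet[20:]
    expected = hashlib.md5(head + request_packet[4:20] + attrs + secret).digest()
    return hmac.compare_digest(response_packet[4:20], expected)


def recover_secret(request_packet, response_packet, candidates):
    """Why the secret must be long and random: one captured request/reply pair on the
    LAN between access point and server lets an attacker test guesses offline."""
    for guess in candidates:
        if verify_response(guess, request_packet, response_packet):
            return guess
    return None


def demo_exchange(secret=b"correct horse battery staple"):
    """First round of an EAP-TTLS authentication: identity in, TTLS start back."""
    # Constructed EAP-Response/Identity: code 2, id 1, length 10, type 1 (Identity), "alice"
    eap_identity = struct.pack("!BBH", 2, 1, 10) + b"\x01alice"
    req = build_access_request(secret, 7, "alice", eap_identity, "192.168.1.2",
                               request_auth=bytes(range(16)))   # fixed, for reproducibility
    # Constructed EAP-Request/TTLS-Start: code 1, id 2, length 6, type 21 (TTLS), S flag set
    ttls_start = struct.pack("!BBH", 1, 2, 6) + bytes([21, 0x20])
    chal = build_response(secret, ACCESS_CHALLENGE, req, _attr(ATTR_EAP_MESSAGE, ttls_start))
    return req, chal


if __name__ == "__main__":
    secret = b"correct horse battery staple"
    req, chal = demo_exchange(secret)
    print("server accepts request :", verify_message_authenticator(secret, req))
    print("AP accepts challenge   :", verify_response(secret, req, chal))
    print("forged Accept accepted :", verify_response(secret, req, build_response(b"radius", ACCESS_ACCEPT, req)))
    print("secret found offline   :", recover_secret(req, chal, [b"radius", b"secret", secret]))
```

With EAP the user's password never reaches the access point (it stays inside the TLS tunnel between client and FreeRADIUS), so the shared secret is not protecting the password here; it is what stops a host on the LAN from injecting an Access-Accept for a user the server rejected, and what lets the server reject EAP requests from a box that is not the registered client. Both checks are MD5-based and keyed only by the secret, which is why a dictionary word as secret is recoverable from a single captured exchange.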
The server side is now configured; the next steps are the clients. I describe a Mac OS X Leopard configuration and a Windows XP/Vista configuration. A Linux (Ubuntu) description will follow.
Client 802.1X | Mac OS X
Mac OS X Leopard supports 802.1X and TTLS out of the box, so no additional software is needed.
Start System Preferences and select Network. Click on the AirPort icon and then on Advanced.... Now click the + below the preferred networks list to make a new entry:

Select WPA2 Enterprise from the list and fill in the username and password of a RADIUS user. Save this entry, then click on the 802.1X tab and make a new User profile:

Select only TTLS from the list, press Configure and choose PAP as the TTLS inner authentication. The first time you connect you get a warning about the server certificate. Before choosing to always trust it, compare its fingerprint with that of the certificate on the RADIUS server (on the firewall: openssl x509 -in /usr/local/etc/raddb/certs/cert-srv.pem -noout -fingerprint). With TTLS/PAP the password travels in clear text inside the TLS tunnel, so the server certificate is the only thing that stops a rogue access point with its own RADIUS server from collecting passwords; a client that trusts any certificate gives that protection away.
Client 802.1X | Windows XP/Vista
Windows XP and Vista don't support TTLS out of the box, so a helper program has to be installed. I'm using SecureW2 and it works very well. First download the software (SecureW2 EAPSuite 1.1.1).
After the installation, start the TTLS Manager from the Start menu.

arrgh, I see now that you say that you are using freeradius ON the firewall. BTW, I didn't get the MacPorts freeradius port to install "out of the box", but by changing to the proper "port" directory and doing "sudo ./configure --without-rlm_perl" and then "make install" (had to do that twice for it to work) freeradius 2.1.3 compiled and installed on Mac OS 10.5.6.
Posted by: Marshall Stacks | 07 January 2009 at 16:43
Very nice - just what I want to do. However, I don't understand why the firewall is involved. Do you have the firewall in front of the RADIUS server?
Also, I just tried to install freeradius (OS 10.5.6) using "port install freeradius", but the freeradius build chokes. Any suggestions? Thanks
Error: Target org.macports.build returned: shell command " cd "/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_sysutils_freeradius/work/freeradius-server-2.1.3" && make all " returned error 2
Posted by: Marshall Stacks | 07 January 2009 at 16:43
To get the macports freeradius 2.1.4 built on OS X 10.5.6, edit the Portfile for freeradius and add --without-rlm_perl to configure.args. Then run the normal port install command and it should compile ok.
Posted by: raoulw | 12 April 2009 at 01:00
Hi, I am trying to follow your tutorial here, but with no luck. I am running 1.2.3 of pfSense and 1.1.2 of FreeRADIUS. Whenever I change "default_eap_type = " to anything but MD5, FR will not restart.
Any ideas on what could be going wrong?
Posted by: lost | 23 August 2009 at 21:32