I have a recently purchased (and upgraded to dd-wrt v24) Netgear r6300 w/32Gb USB drive formatted as ext4 mounted on /opt. The router doesn't presently have its WAN port connected to the internet as I'm not confident I know what I'm doing with it yet - though if needed, I could attach it to the internet for updates etc. I've got LAN port 1 attached directly to an Ubuntu machine via the machine's Ethernet connection. I've got the router configured for SSH access and have defined keys to access the terminal. I am able to connect a terminal session successfully as root... but have no further idea what to do with this yet (still learning Linux).
I'm trying to configure FreeRadius [Is there a tutorial (written in plain English) that explains this process anywhere?]
Services/FreeRadius: I've created a passphrase and clicked the Generate Certificate button, which it says has completed. In the users section I've added 2 test credentials and applied. I've clicked the Generate Certificates buttons next to each of them, loading the little window with the 4 certificates listed... I don't know what to do with each of these certificates, or which cert applies to which machine.
Wireless/Basic Settings: I have my AP set up, with the same SSID defined for both the 2.4GHz and 5GHz bands. The AP shows up in the Wifi list on all my machines.
Wireless/Wireless Security: I have the Security mode set to WPA2 Enterprise and I've specified the internal LAN address (192.168.x.x) of the router as the Radius host. It also asks for the Radius Auth Shared Secret - which I've populated, though I'm not sure what this will be used for yet. Should this be the same as the passphrase I entered in the Server Certificate field of the Services/FreeRadius tab?
Is there anything else to do on the router?
On to my local machines...
I have an Ubuntu machine, a Windows 7 machine and an iPhone. When I attempt to connect any of them to the Wifi, it asks for a username and password as I would expect - I'm assuming this is the test credential I defined under the Services/FreeRadius/Users section. Entering the username and password on my Ubuntu machine doesn't connect the machine like I would expect it should - it asks for a certificate which I assume is one of the matching ones from the test credential I entered... providing the pem file which Ubuntu appears to be looking for fails.
I haven't even got to my Windows machines or iDevices. Which certificates apply to which? Is there anything else I need to know?
Why are you going through the hassle of setting up freeradius? Are you planning to implement a captive portal? If so, good luck; I have attempted it myself and was unable to get all the different services to work together. I did get close, but getting help on it is very difficult. As for the certs generated per credential, I'm assuming these are the certs you'll need to copy over to the end device trying to authenticate this way. Not sure though.
Even for initial SSH, defining keys is secure when accessing over the internet, but when directly connected without any other device to listen in on the packets, you can telnet without worry. Keep the ssh w/ key authentication for remote access.
Setting up the router with basic SSID and WPA2 encryption should suffice for most wireless devices/clients.
Might want to explain the goal here so others can help you more directly.
The goal is to have everyone authenticate on the wifi using a username/password and certificate instead of a shared key. The same as you would if you were using a commercial router in an enterprise with a full blown RADIUS server.
Joined: 13 Aug 2013 Posts: 6818 Location: Romerike, Norway
Posted: Wed Oct 02, 2013 19:01 Post subject:
Radius Auth Shared Secret - Is the password that the AP is using to authenticate with the Radius Server when checking the username and password.
I have only run it with Freeradius hosted on an Ubuntu Server. Enabled the debug screen and looked at the output when a client tried to connect.
Only a server-side certificate is needed, but some clients, especially Windows, will reject it if the certificate cannot be verified by any of the known CAs defined in Windows.
Created separate Vlans so guests wouldn't have access to my internal servers, only internet.
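The "Radius Auth Shared Secret" described in the post above is the one piece of the setup that never reaches the wireless clients: it is used only on the wired hop between the AP and the RADIUS server. The following is an added worked example, written for this thread and not code from DD-WRT or FreeRADIUS, showing the two things RFC 2865 does with that secret: hiding the User-Password attribute in the Access-Request, and signing the server's Access-Accept with a Response Authenticator that the AP recomputes before trusting it. All names and values in it (the secret, the username, the password) are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values for this example; not taken from the thread.
SHARED_SECRET = b"example-shared-secret"  # what DD-WRT calls "Radius Auth Shared Secret"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block is keyed by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:  # the RFC requires at least one 16-octet block
        padded = b"\x00" * 16
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as run on the RADIUS server."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    """Decode the attribute list that follows the 20-byte RADIUS header."""
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, password, secret, request_auth):
    """AP side: the password is hidden under the shared secret, never sent in clear."""
    attrs = attr(ATTR_USER_NAME, username) + attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_access_accept(ident, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(code+id+len+RequestAuth+attrs+secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(reply, request_auth, secret) -> bool:
    """AP side: a reply signed with a different secret (or forged) fails this check."""
    header, response_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def exchange(secret_on_ap=SHARED_SECRET, secret_on_server=SHARED_SECRET,
             request_auth=None) -> dict:
    """One Access-Request / Access-Accept round trip between AP and server."""
    request_auth = request_auth or os.urandom(16)  # fresh random value per request
    req = build_access_request(7, b"testuser", b"s3cret-pw", secret_on_ap, request_auth)
    # Server: parse the request and recover the password with *its* copy of the secret.
    attrs = parse_attrs(req[20:])
    seen = reveal_password(attrs[ATTR_USER_PASSWORD], secret_on_server, req[4:20])
    reply = build_access_accept(req[1], req[4:20], secret_on_server)
    # AP: only trust the Accept if it was signed with the secret the AP knows.
    return {"password_seen_by_server": seen,
            "ap_accepts_reply": verify_response(reply, request_auth, secret_on_ap)}


if __name__ == "__main__":
    print(exchange())                                   # both sides agree: works
    print(exchange(secret_on_server=b"different-secret"))  # mismatch: garbage + rejected
```

Running `exchange()` with the same secret on both sides recovers the password on the server and the AP accepts the reply; running it with a different secret on the server yields an unreadable password and a reply the AP rejects, which is exactly the symptom of a secret typed differently on the Wireless Security tab and in the RADIUS server's client list. The secret is independent of the certificate passphrase asked about in the first post, and since the protection is MD5-based it should be a long random string and the AP-to-server link kept on a trusted wired segment.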
Great plan, HUGE PITA to set up. I wasn't successful. But if you do manage to get it to work, PLEASE, for the love of open source, document the steps you took to complete it, 'cause I could not for the life of me get it to work, and it was not worth the hassle for the rare times I would have someone actually use it.
I give you the best of luck in accomplishing this task!
I actually PM'd Jon with some questions I had as his tutorial wasn't exactly clear. He did respond to my questions, I haven't had time to completely interpret his response and get a working solution... though I feel I'm getting closer.
As soon as I have a working solution, I will document everything and post it on my blog for the rest of the community.