Manual:Wireless PEAP client with FreeRADIUS

From MikroTik Wiki
Revision as of 11:18, 2 January 2019 by Normis (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Version.png

Applies to RouterOS: v6.40 +

Summary

The Enterprise variants of WPA and WPA2, also known as 802.1x uses a RADIUS server for authentication purposes. Authentication is achieved using variants of the EAP protocol.

PEAP protocol often is used for wireless EAP authentification. It is considered a secure way to establish EAP authentification.

This guide will show a basic setup to use PEAP on RouterOS wireless client. We will use FreeRADIUS Version 3 server on Debian with a default configuration, RouterOS access point, and RouterOS wireless client. To follow this manual you will need some basic knowledge of RADIUS server and RouterOS wireless configuration.

Configuration

To ensure that you can follow along easily and get started quickly, configuration this guide uses is as default as possible.

First, we will set up a RADIUS server, then access point and a wireless client. Finally, we will look into basic troubleshooting.

Setup

Alt text
Diagram describing the network setup used in this manual.

In this guide we will use the following setup:

  • 192.168.88.1 - RouterOS Access Point;
  • 192.168.88.2 - FreeRADIUS server;
  • 192.168.88.3 - RouterOS wireless client.

Please see the network diagram above.

FreeRADIUS

Assuming that you have already installed FreeRADIUS server, go to the FreeRADIUS configuration folder:

~# cd /usr/local/etc/raddb/
Icon-note.png

Note: Based on your operating system and FreeRADIUS version configuration folder can be located elsewhere.


In this folder, you should find files like clients.conf, users, radiusd.conf etc.

Add Client

Access points that use RADIUS to authenticate their wireless clients from RADIUS point of view are Radius Clients. To allow an access point to use RADIUS you have to edit file clients.conf. The file contains documentation on how to use it. Add the following lines:

client Access-point {
	ipaddr = 192.168.88.1
	secret = password1234
}
  • Access-point - can put any name here that describes the Radius client;
  • ipaddr - IP address of access point;
  • secret - secret password that will allow an access point to use RADIUS service.

Add User

To control (allow/limit) access to the wireless client (phone, laptop, another router etc.) you have to edit users file. It is useful to go through documentation of this file, to learn about the vast amount of setting that can be configured for each user. For now just simply add the following line:

testing Cleartext-Password := "password"
  • testing - username of the user, it will be necessary to provide this when connecting to access point;
  • password - password for the user.

By default, this entry will allow the user with username testing and password password to authenticate.

Run server

To run FreeRADIUS server use radiusd -X. if you want more debug output use radiusd -Xx. If you change any FreeRADIUS settings, you have to restart the server for changes to take effect.

Access Point

Assuming that you have already configured access points wireless and other settings, we will need to configure security profile and RADIUS client.

Security Profile

Security profile must be configured in such way that it will use EAP and passthrough authentication information to RADIUS server. Use the following command line interface command to create a security profile:

/interface wireless security-profiles add name=EAP_AP mode=dynamic-keys authentication-types=wpa2-eap eap-methods=passthrough
  • name - use any name here, you will reference security profile by it when assigning to wireless interface;
  • mode - set to use dynamic-keys to use encryption, otherwise use none to have open access point;
  • authentication-types - set security protocol, most devices support wpa2-eap which is considered more secure than wpa-eap;
  • eap-methods - by setting to passthrough EAP authentication packets from the wireless client are forwarded to the RADIUS server. passthrough is a default value for this property.

Other settings are can be left to default values. When a security profile is created, for it to take effect it should be set to the wireless interface:

/interface wireless set wlan1 security-profile=EAP_AP
  • wlan1 - a name of the wireless interface you are using as a client;
  • security-profile - set to the name of security profile just created for interface to use it.

Assuming that other properties of the wireless interface are already configured. Properties you might want to configure include mode, band, channel-width, country, frequency,scan-list, and others.

RADIUS

We must specify for the access point which RADIUS server to use for its wireless authentication. Set the following RADIUS setting:

/radius add address=192.168.88.2 secret=password1234 service=wireless
  • address - IP address of RADIUS server;
  • secret - password for RADIUS client to access RADIUS services, use the same which is set on RADIUS in clients.conf file;
  • service - set to service which to use particular RADIUS server for, the same server can be used for multiple services if needed.

Wireless Client

In this guide as a wireless client, we use MikroTik router. Assuming that wireless and other settings are already configured, we only need to configure security profile.

Security Profile

Security profile must be configured precisely - even slight changes or errors can result in unsuccessful authentication. Add a new security profile:

/interface wireless security-profiles add name=EAP_client \
    mode=dynamic-keys authentication-types=wpa2-eap eap-methods=peap \
    supplicant-identity=somestring mschapv2-username=testing \
    mschapv2-password=password tls-mode=dont-verify-certificate
  • name - use any name here, you will reference security profile by it when assigning to wireless interface;
  • mode - set to use dynamic-keys to use encryption, otherwise use none, if your access point is open i.e. has no security;
  • authentication-types - set security protocol, most devices support wpa2-eap which is considered more secure than wpa-eap. This setting must overlap with what is set on the access point;
  • eap-methods - set it to peap to use PEAP method
  • supplicant-identity - use some sting, can be the same as username, will be used in the first phase of PEAP authentication to establish a TLS-based tunnel with RADIUS server. Don't leave empty;
  • mschapv2-username - set as the username of RADIUS user, should match with the entry in RADIUS users file;
  • mschapv2-password - set as the password of RADIUS user, should match with the entry in RADIUS users file;
  • tls-mode - define how to manage TLS certificates, PEAP usually uses server-side certificates, so set to dont-verify-certificate.

Other settings should be left default.

Finally set a newly created security profile to the wireless interface:

/interface wireless set wlan1 security-profile=EAP_client
  • wlan1 - a name of the wireless interface you are using as an access point;
  • security-profile - set to the name of security profile just created for interface to use it.

Assuming that other wireless interface settings are configured in order to establish a link with the access point and all other settings are correct, the wireless client should authenticate successfully.

Conclusion

With this guide should be enough to configure the basic RouterOS wireless client with PEAP authentication. If done correctly, authentication should be successful and you will have a basic setup. However, in real life situations with this setup often is not enough. More advanced configuration should be done to achieve other goals like accounting, limits etc. For other RADIUS configurations you might need to configure access point and/or client differently, some RADIUS configurations might not work with RouterOS devices. RouterOS clients support only MSCHAPv2 as the inner method of PEAP.

Debug

Setuping RADIUS might be challenging and not always everything works as you intend. In these cases, you can use debug logs both on RADIUS server and RouterOS side.

To see debug information while running FreeRADIUS server start it with parameter -X like this:

$ radiusd -X

To get more debug information just add another "x" - radiusd -Xx.

To see debug logs in RouterOS, add logging rule to access point. Use this command to see all packets sent to RADIUS:

/system logging add topics=radius prefix=~~~ 
  • topics - set the topic you want to see in the log;
  • prefix - you can add a prefix to distinguish RADIUS related logs from other, this is optional;

Now information about communication with RADIUS server can be seen with /log print follow.

See also