Sunday, October 2, 2016

Configure 802.1X (WPA2 Enterprise) authentication with hostapd on a wired network


*** on hostapd/radius
1- install packages
$ sudo apt-get install hostapd freeradius

2- create the hostapd configuration file /etc/hostapd/wired.conf with the following content
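# hostapd acting as a wired 802.1X authenticator (no Wi-Fi involved).
interface=ens38
driver=wired
# Address EAPOL frames to the PAE group MAC (01:80:c2:00:00:03).
use_pae_group_addr=1
# Run IEEE 802.1X and force a fresh EAP exchange every hour.
ieee8021x=1
eap_reauth_period=3600
# RADIUS client side: the FreeRADIUS server runs on this same host.
own_ip_addr=127.0.0.1
nas_identifier=ap.wired.com
auth_server_addr=127.0.0.1
auth_server_port=1812
# Must equal `secret` for this client in the server's clients.conf.
# "radius" is an example value: use a long, random secret in production.
auth_server_shared_secret=radius
acct_server_addr=127.0.0.1
acct_server_port=1813
acct_server_shared_secret=radius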


3- configure the RADIUS server by modifying the configuration files below
- /etc/freeradius/radiusd.conf
    # In the FreeRADIUS 2.x layout these two sections live in the default
    # virtual server (sites-enabled/default, pulled in by the
    # "$INCLUDE sites-enabled/" line at the end of radiusd.conf).
    authorize {
        preprocess
        # Order follows the stock default site; `files` reads
        # /etc/freeradius/users, where the accounts below are defined.
        mschap
        suffix
        eap
        files
    }
   
    authenticate {
        
         # Plain MS-CHAP requests; PEAP's inner MSCHAPv2 is handled by
         # the inner-tunnel virtual server named in eap.conf.
         Auth-Type MS-CHAP {
               mschap
          }
       
         eap
     }
   
# Trimmed radiusd.conf for the FreeRADIUS 2.x layout used in this guide.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
# Run as the unprivileged package user once the sockets are bound.
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
# ipaddr = * binds every interface. The only NAS in this setup is hostapd
# on 127.0.0.1 (own_ip_addr / auth_server_addr in wired.conf), so
# ipaddr = 127.0.0.1 would keep the RADIUS ports off the network entirely.
# port = 0 takes the port number from /etc/services.
listen {
        type = auth
        ipaddr = *
        port = 0
}
listen {
        ipaddr = *
        port = 0
        type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        # auth = no means accepts/rejects are not written to radius.log;
        # auth = yes gives an audit trail, and leaving auth_badpass and
        # auth_goodpass at no keeps passwords out of that log.
        auth = no
        auth_badpass = no
        auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        # One-second delay on Access-Reject to slow down password guessing.
        reject_delay = 1
        status_server = yes
        allow_vulnerable_openssl = no
}
# Proxying is enabled although nothing in this guide forwards to another
# realm; proxy_requests = no is the tighter choice unless proxy.conf is used.
proxy_requests  = yes
$INCLUDE proxy.conf
# clients.conf lists the NAS devices and their shared secrets (see below).
$INCLUDE clients.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
}
instantiate {
        exec
        expr
        expiration
        logintime
}
$INCLUDE policy.conf
# Loads the default and inner-tunnel virtual servers.
$INCLUDE sites-enabled/




- /etc/freeradius/eap.conf
        # EAP module; PEAP with MSCHAPv2 inside is what the client config uses.
        eap {
                default_eap_type = peap
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                max_sessions = ${max_requests}
                # md5 and leap are not needed for the PEAP setup; removing
                # unused EAP types means no client can end up on a weaker method.
                md5 {
                }
                leap {
                }
                gtc {
                        auth_type = PAP
                }
                # TLS material shared by PEAP/TTLS; the files come from step 4.
                tls {
                        certdir = ${confdir}/certs
                        cadir = ${confdir}/certs
                        # Stock placeholder passphrase for server.key. The
                        # certs/server.cnf used by make in step 4 defaults to
                        # the same value; change both together if you set one.
                        private_key_password = whatever
                        private_key_file = ${certdir}/server.key
                        certificate_file = ${certdir}/server.pem
                        CA_file = ${cadir}/ca.pem
                        dh_file = ${certdir}/dh
                        random_file = /dev/urandom
                        CA_path = ${cadir}
                        cipher_list = "DEFAULT"
                        make_cert_command = "${certdir}/bootstrap"
                        ecdh_curve = "prime256v1"
                        # Session cache off: every reauth (eap_reauth_period
                        # in wired.conf) performs a full TLS handshake.
                        cache {
                              enable = no
                              max_entries = 255
                        }
                        verify {
                        }
                        # Client-certificate revocation checks are disabled;
                        # irrelevant here because PEAP clients present none.
                        ocsp {
                              enable = no
                              override_cert_url = yes
                              url = "http://127.0.0.1/ocsp/"
                        }
                }
                ttls {
                        # Inner method for EAP-TTLS; not used by the PEAP client.
                        default_eap_type = md5
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                        virtual_server = "inner-tunnel"
                }
                peap {
                        # Inner MSCHAPv2 runs in the inner-tunnel virtual server,
                        # which needs a Cleartext-Password (or NT-Password)
                        # for the user, as set in the users file.
                        default_eap_type = mschapv2
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                        virtual_server = "inner-tunnel"
                }
                mschapv2 {
                }
        }



- /etc/freeradius/users
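# Check items (==, :=) go on the entry's first line; reply items follow indented.
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP
# Legacy form: comparing User-Password is deprecated in FreeRADIUS 2.x and
# cannot serve MSCHAPv2; prefer Cleartext-Password := as on the next line.
"testuser"      User-Password == "Secret149"
# PEAP/MSCHAPv2 requires the server to hold the cleartext (or NT hash)
# password, so keep this file readable only by the freerad user.
user1     Cleartext-Password := "password1"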


- /etc/freeradius/clients.conf
# NAS entry for hostapd on this host (auth_server_addr=127.0.0.1 in wired.conf).
client localhost {
        ipaddr = 127.0.0.1
        # Must equal auth_server_shared_secret / acct_server_shared_secret in
        # wired.conf; "radius" is an example value, use a long random secret.
        secret          = radius
        # With yes, requests lacking a valid Message-Authenticator are dropped,
        # which rejects forged packets from anything able to reach the port.
        # EAP requests are required to carry it, so hostapd should be unaffected.
        require_message_authenticator = no
}


4- regenerate the server certificate and CA certificate for FreeRADIUS
$ apt-get source freeradius 
$ cd freeradius*
$ cd raddb/certs

- edit the commonName line in ca.cnf and server.cnf and set it to your machine's hostname, for example:
commonName              = yakketyvm

- then run make to regenerate the certificates and copy them over the old ones
$ make
$ sudo cp ca* /etc/freeradius/certs/
$ sudo cp dh /etc/freeradius/certs/

$ sudo cp server* /etc/freeradius/certs/

5- finally, restart the RADIUS service and start hostapd
$ sudo /etc/init.d/freeradius restart
$ sudo hostapd /etc/hostapd/wired.conf


*** on client
1- install packages
$ sudo apt-get install wpasupplicant

2- copy ca.pem from the RADIUS server configured above to /certs/ca.pem on the client

3- create the wpa_supplicant configuration file /etc/eapol.conf with the following content
# wpa_supplicant network block for wired 802.1X (started with -D wired).
# ssid, pairwise and group are Wi-Fi settings; with the wired driver they
# are not expected to have any effect.
network={
    ssid="wssid"
    key_mgmt=WPA-EAP
    pairwise=TKIP
    group=TKIP
    eap=PEAP
    identity="user1"
    # Cleartext credential: keep /etc/eapol.conf root-owned with mode 0600.
    password="password1"
    # Pins the RADIUS server's CA (copied in step 2). Without ca_cert the
    # supplicant would trust any server certificate and the password
    # exchange could be captured by a rogue server. If your wpa_supplicant
    # supports it, add domain_suffix_match or subject_match tied to the
    # commonName set in step 4 to reject other certificates from this CA.
    ca_cert="/certs/ca.pem"
    phase1="peapver=0"
    phase2="MSCHAPV2"
}


4- connect using the following command
$ sudo wpa_supplicant -i ens38 -c /etc/eapol.conf  -D wired
- screenshot of a successful connection and authentication with the 802.1X protocol



*** tips
1- if hostapd fails to start with the following message
bind: Address already in use

find the DHCP service and stop it


2- when problems arise, the following commands run FreeRADIUS, hostapd and wpa_supplicant in debug mode
$ sudo freeradius -X
$ sudo wpa_supplicant -dd -i ens38 -c /etc/eapol.conf  -D wired
$ sudo hostapd /etc/hostapd/wired.conf -dd


