
Freeradius + WRT54GS = secure WLAN ^^

Posted on (2005-12-04)

So you have a Linksys WRT54GS like me, and you want WPA-radius EAP/TLS security? Well, this howto may be something to help you.

The basic idea is to install HyperWRT to the WRT54GS. I configured it as WPA-Radius to the server where I installed Freeradius.

To configure everything I just followed the instructions from the 802.1x HOWTO.

Anyway I made a small guide:

  • A. Install freeradius @ your linux server
  • B. Configure Freeradius to work with EAP/TLS
  • C. Generate certificates
  • D. Check if freeradius works properly
  • E. Configure the Linksys WRT54GS

A. Install freeradius @ your linux server

Well this step is easy :) I'm running freeradius on my Gentoo server so you just enter:
xerox@GateKeeper ~ $ emerge freeradius

B. Configure Freeradius to work with EAP/TLS

  • /etc/raddb/radiusd.conf: the general Radius configuration file, where we define the auth systems and other settings to use. There are a lot of parts I haven't used, so I left them as they came. Don't forget to edit the bind address to the IP of your server.
  • /etc/raddb/clients.conf: IPs and network systems that can be radius clients. This will be the WRT54GS.

C. Generate certificates

To generate certificates we need OpenSSL to do the job. If you still haven't got it, you know: emerge openssl.

As I was saying, we're going to use the freeradius and openssl scripts to generate certificates. First of all, let's go to the freeradius folder, where we can find a folder called "scripts" with: CA.certs, certs.sh and xpextensions. I recommend checking inside the scripts because I had problems with these. If you are too lazy to look at the files, you can check mine in this small package: certs.tar.gz.

These files are modified to work from the same folder we're working in. Once we have identified the files, we must have the script CA.pl in our PATH. It's a perl script; I copied it temporarily to /usr/bin and deleted it after generating the certificates. I also included the file in the package, if you are lazy...
Once we have everything in one folder, we can edit CA.certs and put our information into the variables at the beginning of the file. There is no need to change any other variables; that is done automatically. Don't forget the password, because we will need it when configuring the server and the clients.

To generate the certificates just:
xerox@GateKeeper ~ $ ./certs.sh
The output should be something like this:
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
........................+..................
+...........+..............................
+...+......................................
+............+..............+..............
..........................................+
...............................+..+.......+
..........+........+.....+................+
......+....................................
.................+.+.......................
...+.........................+............+
..............................+..+.........
.......................+...................
........................+...+.......++*++*+
   See the 'certs' directory for the certificates.
   The 'certs' directory should be copied to .../etc/raddb/
   All passwords have been set to 'whatever'
Now copy the content from ./certs to /etc/raddb/certs.

D. Check freeradius works properly

The most important thing now is checking the configuration files I gave you.

About the radiusd.conf: Check if the paths to the certificates are the correct ones. Also check the parameter "private_key_password = whatever". Change 'whatever' to your password, the one you have used for the variable PASSWORD inside the CA.certs file.

About the clients.conf: Edit this file like in the next example:

client 192.168.0.1 {
        secret        = SharedSecret99
        shortname     = localhost
}

Note that another password appears here: this 'pre-shared key' is used by the WPA-client (WRT54GS) and the radius server (freeRadius) to secure the communication between them. So you have to make sure the same key is entered in the AP configuration.

To start freeradius:
GateKeeper xerox # /etc/init.d/radiusd start
* Starting radiusd..           [ ok ]
GateKeeper xerox #
If you have problems you can look into the log-files. The start daemon logs are in /var/log/raddb/startup.log and the connection ones in /var/log/raddb/radius.log.
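
An added example, not from the original post or the FreeRADIUS project: a small Python audit of the two files edited in this step, flagging a short or repetitive shared secret in clients.conf and a private_key_password left at the certs.sh default. The 16-character minimum follows the preference stated in RFC 2865; the distinct-character threshold, the second and third client entries and the function names are assumptions made for the example.

```python
import re

MIN_SECRET_LEN = 16  # RFC 2865 section 3 prefers secrets of at least 16 octets
MIN_DISTINCT = 8     # assumption: fewer distinct characters is too guessable
DEFAULT_KEY_PASSWORD = "whatever"  # password certs.sh reports in its output

CLIENT_BLOCK = re.compile(r"^[ \t]*client\s+(\S+)\s*\{(.*?)^[ \t]*\}", re.M | re.S)
SETTING = re.compile(r"^[ \t]*([A-Za-z_]+)[ \t]*=[ \t]*(.*?)[ \t]*$", re.M)

# Constructed sample input: client 192.168.0.1 is this page's; the rest is made up.
SAMPLE_CLIENTS = """
client 192.168.0.1 {
        secret        = SharedSecret99
        shortname     = localhost
}
client 192.168.0.2 {
        secret        = k3Vq9ZtLw7RmX2bHc8NpY5sJd4GfA6uE   # constructed value
        shortname     = ap2
}
client 192.168.0.3 {
        secret        = aaaaaaaaaaaaaaaaaaaa
        shortname     = ap3
}
"""
SAMPLE_RADIUSD = "tls {\n        private_key_password = whatever\n}\n"

def settings(text):
    """Return key/value pairs, ignoring '#' comments and surrounding quotes."""
    text = re.sub(r"#.*", "", text)  # assumes no '#' inside a value
    return {k: v.strip("\"'") for k, v in SETTING.findall(text)}

def audit_clients(clients_conf):
    """List (client, problem) for every client block with a weak secret."""
    findings = []
    for name, body in CLIENT_BLOCK.findall(clients_conf):
        secret = settings(body).get("secret", "")
        if len(secret) < MIN_SECRET_LEN:
            findings.append((name, f"secret has {len(secret)} characters, fewer than {MIN_SECRET_LEN}"))
        elif len(set(secret)) < MIN_DISTINCT:
            findings.append((name, "secret is long enough but repetitive"))
    return findings

def key_password_is_default(radiusd_conf):
    """True if private_key_password is still the default set by certs.sh."""
    return settings(radiusd_conf).get("private_key_password") == DEFAULT_KEY_PASSWORD

if __name__ == "__main__":
    print(audit_clients(SAMPLE_CLIENTS))
    print("default key password:", key_password_is_default(SAMPLE_RADIUSD))
```

The 512-bit DH parameters in the certs.sh output above are too small by current standards and are worth regenerating at 2048 bits or more; this script does not inspect them.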

E. Configure the Linksys WRT54GS

WRT54GS
Posted by (frederic)

(IItjo) - 2007-06-09
Great howto tnx!

(Fares) - 2015-10-11
Setup L2TP/IPSec to Authenticate off FreeRADIUS on CentOS 5. In this tutorial we will setup L2TP over IPSec and configure it to authenticate off your FreeRADIUS database, we will make this tutorial as simple as possible and won't go into great detail to confuse novice users, we will supply the configuration templates that get you up and running. This tutorial assumes you have already setup FreeRADIUS – to setup FreeRADIUS follow this guide here.

(Lucimario) - 2015-10-11
Done everything as mentioned.. I have a vps therefore I had to install apache and php etc. but when I am going to the directory it lists all the files other than opening index.php file. Also when I tried to login to index.php it shows: Server error. HTTP Error 500 (Internal Server Error): An unexpected condition was encountered while the server was attempting to fulfill the request. Please help.

