Due to some hardware problems with my switches (cheap Chinese ones) I recently decided to switch my core home network to Ubiquiti systems.
Only 3 weeks later I had to realize that my old FritzBox had lost its 2.4 GHz WiFi (this seems to be quite common and can obviously go unnoticed for a long time, until you try to reach a device that only “speaks” 2.4 GHz).
So I decided to also switch (part of) my WiFi network to Ubiquiti hardware. This new hardware will hopefully allow some things that weren’t possible with my FritzBox Mesh network:
- getting a guest WiFi (on a separate subnet)
- using WPA2 Enterprise (login with username/password) for WiFi
While the order is still underway (hoping for delivery in the next 2-3 days) I decided to prepare things in advance.
Preparing RADIUS on the OPNsense firewall
So the first thing to prepare was the RADIUS server (required for WPA2 Enterprise).
So I went looking for support in my OPNsense firewall (System->Firmware->Plugins) and searched for “radius”.
This gave me two possible packages:
- os-freeradius: RADIUS Authentication, Authorization and Accounting Server
- os-radsecproxy: RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport
While in the end I’m aiming for encrypted communication, I decided to keep things simple for the beginning and to use only os-freeradius for the first tests. Installing is as easy as clicking the “+” sign and waiting for things to finish.
After a quick refresh of the OPNsense web UI you can find the settings here: Services->FreeRADIUS.
Configuration steps
Configure LDAP
Go to Services->FreeRADIUS->LDAP: I guess if you’re running an LDAP environment, the options to enter here are well known.
Configure RADIUS Client
Go to Services->FreeRADIUS->Clients, enable advanced mode to see the last option:
- Name: VLAN1 Test Client
- Secret: shared_radius_client_secret
- IP Address or Network with CIDR: 192.168.1.154/32
- Require Message-Authenticator: YES
Allow access to port 1812/udp on OPNsense
I guess if you’re running OPNsense I don’t need to tell you how to do that, so I’ll skip it here.
Testing RADIUS authentication
To test the RADIUS configuration I used the tool radtest (from the package freeradius-utils):
linux # sudo apt install freeradius-utils
linux # radtest marcel userpw_of_marcel opnsense.mydomain.de 1 shared_radius_client_secret
Sent Access-Request Id 117 from 0.0.0.0:48750 to 192.168.1.1:1812 length 76
User-Name = "marcel"
User-Password = "userpw_of_marcel"
NAS-IP-Address = 192.168.1.154
NAS-Port = 1
Message-Authenticator = 0x00
Cleartext-Password = "userpw_of_marcel"
Received Access-Accept Id 117 from 192.168.1.1:1812 to 192.168.1.154:48750 length 38
Message-Authenticator = 0x50a607bc2a9399a1981f761eb36f6447
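What the exchange above carries on the wire, as an added example that is not from the original post or from FreeRADIUS: the Access-Request built with the same attributes and shared secret radtest used, the RFC 2865 User-Password obfuscation, the HMAC-MD5 Message-Authenticator that the “Require Message-Authenticator: YES” client option makes the server check before it even looks at the password, and the Response Authenticator a client should verify on the Access-Accept. The 16-byte Request Authenticator is a fixed constructed value here; a real client draws it from os.urandom.

```python
import hashlib
import hmac
import struct
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MSG_AUTH = 1, 2, 4, 5, 80

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value  # TLV; Length counts the 2 header bytes

def encode_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def build_access_request(ident, req_auth, secret, user, password, nas_ip, nas_port):
    """Access-Request with the attributes radtest sends; Message-Authenticator goes last."""
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, encode_user_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(MSG_AUTH, b"\x00" * 16))  # zero placeholder, replaced below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    # RFC 2869 5.14: HMAC-MD5 keyed with the shared secret over the packet with the MA zeroed
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """What 'Require Message-Authenticator: YES' enforces: the MA is present and its HMAC holds."""
    i = 20
    while i + 2 <= len(pkt) and pkt[i + 1] >= 2:
        if pkt[i] == MSG_AUTH and pkt[i + 1] == 18:
            zeroed = pkt[:i + 2] + b"\x00" * 16 + pkt[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[i + 2:i + 18])
        i += pkt[i + 1]
    return False  # missing or malformed: the server silently drops the request

def build_access_accept(ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def verify_response_authenticator(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client-side check that the Accept/Reject was produced by a holder of the shared secret."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])
```

With the values from the radtest run (User-Name, NAS-IP-Address, NAS-Port and a 16-byte password) the request comes out at exactly the 76 bytes radtest reported, and changing any byte of it, or using a different shared secret, makes the Message-Authenticator check fail.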
That wasn’t as hard as I had expected … now let’s wait for the delivery … stay tuned for more …