
Ubiquiti WiFi with WPA2 Enterprise

Due to some hardware problems with my switches (cheap Chinese ones) I recently decided to switch my core home network to Ubiquiti systems.

Only 3 weeks later I had to realize that my old FritzBox had lost its 2.4 GHz WiFi (seems to be quite common and may obviously go unnoticed for a long time – till you try to reach a system that only “speaks” 2.4 GHz).

So I decided to also switch (part of) my WiFi network to Ubiquiti hardware. This new hardware will hopefully allow some things that weren’t possible with my FritzBox Mesh network:

  • getting a guest WiFi (on a separate subnet)
  • using WPA2 Enterprise (login with username/password) for WiFi

While the order is still underway (hoping for delivery in the next 2-3 days) I decided to prepare things in advance.

Preparing radius on OPNsense firewall

So the first thing to prepare was the radius server (required for WPA2 Enterprise).

So I went looking for support in my OPNsense firewall (System->Firmware->Plugins) and searched for “radius”.

This gave me two possible packages:

  • os-freeradius: RADIUS Authentication, Authorization and Accounting Server
  • os-radsecproxy: RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport

While in the end I’m aiming for encrypted (RadSec) communication, I decided to keep things simple for the beginning and to use only os-freeradius for the first tests. Installing is as easy as clicking the “+” sign and waiting for things to finish.

After a quick refresh of the OPNsense web UI you can find the settings here: Services->FreeRADIUS.

Configuration steps

Configure LDAP

Go to Services->FreeRADIUS->LDAP: I guess if you’re running an LDAP environment, the options to enter here are well known.

Configure Radius Client

Go to Services->FreeRADIUS->Clients and enable advanced mode to see the last option:

Name: VLAN1 Test Client
Secret: shared_radius_client_secret
IP Address or Network with CIDR: 192.168.1.154/32
Require Message-Authenticator: YES

Allow access to port 1812/udp on OPNsense

I guess if you’re running OPNsense I don’t need to tell you how to do that, so I’ll skip it here.

Testing radius authentication

To test the radius configuration I used the tool radtest (from package freeradius-utils):

linux # sudo apt install freeradius-utils
linux # radtest marcel userpw_of_marcel opnsense.mydomain.de 1 shared_radius_client_secret
Sent Access-Request Id 117 from 0.0.0.0:48750 to 192.168.1.1:1812 length 76
	User-Name = "marcel"
	User-Password = "userpw_of_marcel"
	NAS-IP-Address = 192.168.1.154
	NAS-Port = 1
	Message-Authenticator = 0x00
	Cleartext-Password = "userpw_of_marcel"
Received Access-Accept Id 117 from 192.168.1.1:1812 to 192.168.1.154:48750 length 38
	Message-Authenticator = 0x50a607bc2a9399a1981f761eb36f6447
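
As an added illustration (not code from the original post, from FreeRADIUS or from radtest), the Python below rebuilds the exchange shown above on the wire: it constructs the same Access-Request radtest sent, with the RFC 2865 User-Password obfuscation and the RFC 2869 Message-Authenticator, plays the server side with a stand-in user table where FreeRADIUS would query LDAP, and shows what “Require Message-Authenticator: YES” buys. A request whose HMAC-MD5 does not verify under the shared secret is silently dropped, and the client likewise discards a reply whose Response Authenticator or Message-Authenticator does not check out, so a tampered or forged packet never turns into an Access-Accept. The secret, user name, NAS address and identifier are the values from the post; the user table and all helper names are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed example values: the secret mirrors the OPNsense client entry above,
# the USERS dict stands in for the LDAP backend FreeRADIUS would consult.
SECRET = b"shared_radius_client_secret"
USERS = {"marcel": "userpw_of_marcel"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP, NAS_PORT, MSG_AUTH = 1, 2, 4, 5, 80


def attr(atype, value):
    """One RADIUS TLV: type, total length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def xor_password(data, secret, request_auth, decrypt=False):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous cipher block)."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if decrypt else block
    return out


def msg_auth(code, ident, length, authenticator, attrs_zeroed, secret):
    """RFC 2869 5.14: HMAC-MD5 over the whole packet with Message-Authenticator zeroed."""
    hdr = struct.pack("!BBH", code, ident, length) + authenticator
    return hmac.new(secret, hdr + attrs_zeroed, hashlib.md5).digest()


def zero_msg_auth(attrs):
    return b"".join(attr(t, b"\x00" * 16 if t == MSG_AUTH else v) for t, v in parse_attrs(attrs))


def build_access_request(ident, username, password, nas_ip, nas_port, secret, request_auth=None):
    """Client (NAS) side: what radtest sends for a PAP login."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, xor_password(password.encode(), secret, request_auth))
             + attr(NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(MSG_AUTH, b"\x00" * 16))
    length = 20 + len(attrs)
    mac = msg_auth(ACCESS_REQUEST, ident, length, request_auth, attrs, secret)
    attrs = attrs[:-16] + mac  # Message-Authenticator is the last attribute
    return struct.pack("!BBH", ACCESS_REQUEST, ident, length) + request_auth + attrs, request_auth


def server_handle(request, secret, users):
    """Server side with Require Message-Authenticator: YES. Returns a reply, or None to drop."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return None
    request_auth, attrs = request[4:20], request[20:]
    fields = dict(parse_attrs(attrs))
    if MSG_AUTH not in fields:
        return None  # no Message-Authenticator: drop, do not fall back to the weak check
    expected = msg_auth(code, ident, length, request_auth, zero_msg_auth(attrs), secret)
    if not hmac.compare_digest(expected, fields[MSG_AUTH]):
        return None  # wrong shared secret or tampered packet: drop
    user = fields.get(USER_NAME, b"").decode()
    pw = xor_password(fields.get(USER_PASSWORD, b""), secret, request_auth, decrypt=True)
    reply_code = ACCESS_ACCEPT if users.get(user) == pw.rstrip(b"\x00").decode() else ACCESS_REJECT
    reply_len = 20 + 18  # header + Message-Authenticator only, as in the Access-Accept above
    # The reply's Message-Authenticator is keyed over the *Request* Authenticator.
    mac = msg_auth(reply_code, ident, reply_len, request_auth, attr(MSG_AUTH, b"\x00" * 16), secret)
    reply_attrs = attr(MSG_AUTH, mac)
    # RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    hdr = struct.pack("!BBH", reply_code, ident, reply_len)
    resp_auth = hashlib.md5(hdr + request_auth + reply_attrs + secret).digest()
    return hdr + resp_auth + reply_attrs


def verify_reply(reply, request_auth, secret):
    """Client side: return the reply code only if both authenticators verify, else None."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return None
    resp_auth, attrs = reply[4:20], reply[20:]
    expected = hashlib.md5(reply[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None
    fields = dict(parse_attrs(attrs))
    if MSG_AUTH not in fields:
        return None
    mac = msg_auth(code, ident, length, request_auth, zero_msg_auth(attrs), secret)
    return code if hmac.compare_digest(mac, fields[MSG_AUTH]) else None


if __name__ == "__main__":
    pkt, ra = build_access_request(117, "marcel", "userpw_of_marcel", "192.168.1.154", 1, SECRET)
    print("reply code:", verify_reply(server_handle(pkt, SECRET, USERS), ra, SECRET))
```

The Access-Accept produced here is 38 bytes long, which is the length radtest reported above: a 20-byte header plus the 18-byte Message-Authenticator. Note that the Response Authenticator alone is only an MD5 over the packet and the secret, while the Message-Authenticator is a keyed HMAC over the full packet, which is why requiring it on the server matters even on a trusted VLAN.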

That wasn’t as hard as I had expected … now let’s wait for the delivery … stay tuned for more …
