Blue Light
Space shortcuts
Child pages
  • 802.1X secured wifi installation

Versions Compared

Old Version 53

changes.mady.by.user Dyuman

Saved on

compared with

New Version 54

changes.mady.by.user Dyuman

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
....
wifi1:wifi ipv4 dynamic_shared

In /etc/shorewall/shorewall.conf set:

Code Block
SAVE_IPSETS=Yes

FreeRADIUS

Code Block
apt-get install freeradius

 

Modify Add to /etc/freeradius/3.0/mods-available/eap:

comment the following:

...

shorewall/rules (replace IP addresses with actual IP address of wifi routers):

Code Block
ACCEPT:INFO(uid)        wifi:192.168.9.2,192.168.9.3,192.168.9.4        md5$FW {
#       }
     udp    1812

 

FreeRADIUS

Code Block
apt-get install freeradius

 

Modify /etc/freeradius/3.0/mods-available/eap:

comment the following:

Code Block
....
#       md5 {
#       }
....
#       leap {
#       }
....
#       gtc {
#               #  The default challenge, which many clients
#               #  ignore..
#               #challenge = "Password: "
#
#               #  The plain-text response which comes back
#               #  is put into a User-Password attribute,
#               #  and passed to another module for
#       	#  authentication.  This allows the EAP-GTC
#               #  response to be checked against plain-text,
#               #  or crypt'd passwords.
#               #
#               #  If you say "Local" instead of "PAP", then
#       	#  the module will look for a User-Password
#               #  configured for the request, and do the
#               #  authentication itself.
#               #
#               auth_type = PAP
#       }
....
#       tls {
#               # Point to the common TLS configuration
#               tls = tls-common
#
#       	#
#               # As part of checking a client certificate, the EAP-TLS
#               # sets some attributes such as TLS-Client-Cert-CN. This
#               # virtual server has access to these attributes, and can
#               # be used to accept or reject the request.
#       	#
#       #       virtual_server = check-eap-tls
#       }
....

...

Modify /etc/freeradius/3.0/clients.conf, comment the 'client localhost' and 'client localhost_ipv6' section and add a few of these blocks at the end, one for each wifi router(replace with actual IP addresses of wifi routers):

Code Block
client test1 { # Replace test1 with a name for the routerwifi-ap1 {
       ipaddr = 192.168.9.2
       secret = password # Replace with an actual password
}
 
client wifi-ap2 {
       ipaddr = 192.168.9.3
       secret = password # Replace with an actual password
}

client wifi-ap3 {
       ipaddr = 192.168.9.2 # Replace with IP of the router4
       secret = password # Replace with an actual password
}

...

Code Block
apt-get install mysql-server freeradius-mysql
mysql -uroot
  CREATE DATABASE radius;
  exit
mysql -uroot radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql

...

Code Block
apt-get install libpam-script sshpass
mkdir /usr/share/libpam-script/pam-script.d/pam_to_mysql_update
cd /usr/share/libpam-script/pam-script.d/pam_to_mysql_update
# Install the pam_to_mysql_update.sh script from the shwl_add_shwl_del_sl_pmu archive in here
ln -s pam_to_mysql_update.sh pam_script_auth
ln -s pam_to_mysql_update.sh pam_script_passwd
 
mysql -uroot
	GRANT ALL on radius.radcheck TO 'freerad'@'localhost';
exit
pam-auth-update # And, uncheck the box for "Support for authentication by external scripts"

Add the following line at the end of /etc/pam.d/common-auth:

...