802.1X Authentication Part 1
Shivam Thakur
| Embedded Software Wireless Engineer @ Plume Design Inc. | Passionate to Create Solutions that helps to innovate the Innovation |
Over time, WiFi has evolved and become more secure.
From open networks with no encryption to WPA3 Enterprise SHA256, WiFi has advanced not just in speed but also in security.
In this article, I will explain how you can use enterprise-level authentication and encryption for your secure WiFi network.
Many WiFi access point software stacks are evolving to accommodate a wide range of features.
In this article, I will cover the following points:
There are three main components required in 802.1X authentication: the supplicant (the client device), the authenticator (the access point) and the authentication server (the AAA / RADIUS server).
AAA stands for Authentication, Authorization and Accounting.
The access point must know the RADIUS server details: host/IP address, port and shared secret.
On the RADIUS server side, usernames, passwords and user policies are configured. So if a supplicant wants to connect to the network, it has to know a username and password that is configured on the RADIUS server.
For EAP-TTLS, a username and password are enough; for EAP-TLS, additional security is added, as the supplicant must also hold a certificate, which can be generated per user or per user group.
In a large-scale WiFi deployment, it is complex to reconfigure every access point when a password needs to change. Beyond user-level authentication, the RADIUS server can also apply per-user policies such as VLAN tagging, upload and download rate limits, and many more.
I will show how to configure the FreeRADIUS server on a Raspberry Pi, as described below:
Install the OS on the SD card
Download rpi-imager for Linux
(for Ubuntu)
sudo apt install rpi-imager
(or)
(for Fedora)
sudo dnf install rpi-imager
Open rpi-imager using the command below
rpi-imager
Install the OS on your SD card and do the initial setup.
Configure the static IP using the example commands below. (Please connect the RPi with Ethernet.)
Install NetworkManager using the command below
sudo apt-get install network-manager
Configure the static IP on the Ethernet port of your Raspberry Pi
sudo nmcli connection modify 'Wired connection 1' ipv4.addresses 192.168.52.90/24
sudo nmcli connection modify 'Wired connection 1' ipv4.gateway 192.168.52.1
sudo nmcli connection modify 'Wired connection 1' ipv4.dns 8.8.8.8
sudo nmcli connection modify 'Wired connection 1' ipv4.method manual
sudo nmcli connection down 'Wired connection 1'
sudo nmcli connection up 'Wired connection 1'
You can install the RADIUS server using the following commands:
sudo -s
apt-get install freeradius
In FreeRADIUS, you have to configure two files for a basic setup. The first is clients.conf, which lists the NAS devices (your access points) that are allowed to talk to the server, together with their shared secret:
vim /etc/freeradius/3.0/clients.conf
Make sure you enable the entire subnet in the ipaddr field of a client section, so that every access point on it is accepted. In my case, it is 192.168.52.1/24. The secret must match the shared secret entered on the access point; testing123 is the sample value shipped with FreeRADIUS, so replace it with your own. Setting require_message_authenticator = yes makes the server reject requests that do not carry a valid Message-Authenticator attribute.
client localhost {
ipaddr = 192.168.52.1/24
proto = *
secret = testing123
require_message_authenticator = no
shortname = localhost
nas_type = other # localhost isn't usually a NAS...
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Another important file is users (/etc/freeradius/3.0/users). Here you can specify user sections, where each user has its own username and password.
You can also add network policies in each user section.
Here is an example of adding a basic user (the reply item goes on an indented continuation line):
shivam Cleartext-Password := "password"
	Reply-Message := "Hello, %{User-Name}"
After making the above changes in the respective files, enable and start the RADIUS server using the commands below.
systemctl enable freeradius
systemctl start freeradius
As shown in the image above, you can create an SSID on your access point, add the RADIUS server details, and try to connect your laptop or mobile using the configured username and password.
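To show how the shared secret from clients.conf and the username and password from the users file are actually used on the wire between the access point and the RADIUS server, here is an added Python example (not from the original article) that builds a PAP Access-Request, performs the Message-Authenticator check that require_message_authenticator = yes enforces, and verifies the server's Access-Accept through its Response Authenticator. The username, password and secret are the sample values from this article; the packet layout follows RFC 2865 and RFC 2869, and the server reply is constructed locally rather than received from a real server.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 18, 80

def attr(atype, value):
    """One RADIUS attribute: Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def encrypt_pap_password(password, secret, authenticator):
    """User-Password hiding (RFC 2865 5.2): XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(ident, username, password, secret):
    """Access-Request as the access point sends it; Message-Authenticator (placed last) is
    the HMAC-MD5 of the whole packet computed with its own value set to 16 zero bytes."""
    authenticator = os.urandom(16)
    attrs = attr(USER_NAME, username)
    attrs += attr(USER_PASSWORD, encrypt_pap_password(password, secret, authenticator))
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(pkt, secret):
    """The server-side check that require_message_authenticator = yes enforces."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[pos + 2:pos + 18])
        pos += alen
    return False  # attribute absent: with the check required, the request is rejected

def build_access_accept(request, secret, attrs=b""):
    """Constructed server reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    hdr = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return hdr + hashlib.md5(hdr + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """Client-side check: only a server holding the same shared secret can produce this value."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Because both authenticators are keyed only by the shared secret, a secret that is weak or left at the sample value lets anyone on the subnet forge either side of this exchange, which is why the clients.conf secret matters as much as the user passwords.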
Thanks,
Shivam