Setting up a RADIUS Server
Goal: To set up a LANforge wireless access point with a local RADIUS server.
- The LANforge auto-install --do_radius option sets up FreeRADIUS on the LANforge system with two example EAP methods, EAP-TLS and EAP-TTLS.
- The config files for FreeRADIUS are located in /etc/raddb
- /etc/raddb/certs contains the files necessary for EAP-TLS
- The LANforge auto-install copies the necessary files into /home/lanforge for use by LANforge wireless clients.
- For EAP-TLS, use client.p12 as the client's Private Key and ca.pem as the client's CA Cert File. The Private Key password is lanforge
- /etc/raddb/users contains the user and password for EAP-TTLS
- The example EAP-TTLS user is testuser with password testpasswd. Additional entries can be added to the users file. After editing it, restart FreeRADIUS with systemctl restart radiusd.service
- An alternative to FreeRADIUS is to use the hostapd RADIUS server.
- Stop the FreeRADIUS service with systemctl stop radiusd.service
- Modify the interface to use for the hostapd process and select the RADIUS checkbox.
- Create a hostapd_<port-name>.conf file in the /home/lanforge/wifi directory with the following info.
- Set up the desired EAP methods and passwords in the /etc/hostapd.eap_users file.
- If using EAP-SIM or EAP-AKA, verify entries in the /etc/hlr_auc_gw.milenage_db file, then start the HLR tool.
- Verify the hostapd process is running for the interface selected for the RADIUS server. In this example it is eth1.
- Whether you use FreeRADIUS or hostapd RADIUS, set up your AP with the RADIUS server's IP address and port.
- If using a LANforge AP on the same system as the RADIUS server, then the AP will address the RADIUS server at localhost or 127.0.0.1 with port 1812.
- If using an external AP or WLAN Controller, then configure the device to address the RADIUS server on the network connected to a LANforge interface configured for RADIUS.
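
The FreeRADIUS steps above add EAP-TTLS users by editing /etc/raddb/users. The shell helpers below are an added example, not part of the LANforge documentation: they append an entry with input checks and report whether the example testuser/testpasswd entry is still active. The function names and the Cleartext-Password entry layout are assumptions.

```shell
#!/bin/sh
# Added example: helpers for the FreeRADIUS users file described on this page.
# Function names are hypothetical. Assumes entries use the FreeRADIUS form:
#   name<TAB>Cleartext-Password := "password"
USERS_FILE="${USERS_FILE:-/etc/raddb/users}"   # path named on this page

# Succeeds if FILE ($1) has an active (uncommented) entry for USER ($2).
# (u "") forces a string comparison so "007" and "7" stay distinct.
has_user() {
    awk -v u="$2" '$1 == (u "") && $2 == "Cleartext-Password" { found = 1 }
                   END { exit !found }' "$1"
}

# Succeeds if the page's example testuser/testpasswd entry is still active.
has_example_entry() {
    awk '$1 == "testuser" && $2 == "Cleartext-Password" &&
         $4 == "\"testpasswd\"" { found = 1 }
         END { exit !found }' "$1"
}

# Append an EAP-TTLS user to FILE. Returns 1 on duplicate, 2 on bad input.
add_ttls_user() {
    file=$1 user=$2 pass=$3
    nl='
'
    case $user in
        ''|*[!A-Za-z0-9._@-]*)
            echo "invalid user name" >&2; return 2 ;;
    esac
    # Reject characters that would break out of the quoted value or the line.
    case $pass in
        ''|*\"*|*\\*|*"$nl"*)
            echo "invalid password" >&2; return 2 ;;
    esac
    if has_user "$file" "$user"; then
        echo "entry for $user already exists" >&2; return 1
    fi
    printf '%s\tCleartext-Password := "%s"\n' "$user" "$pass" >> "$file"
}

# Usage (as root): add_ttls_user "$USERS_FILE" alice 'a-long-passphrase'
#                  has_example_entry "$USERS_FILE" && echo "example user active"
```

After a successful add, restart FreeRADIUS with systemctl restart radiusd.service as described above. FreeRADIUS evaluates the users file from top to bottom, so an entry appended after a matching DEFAULT entry may not be reached.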