Browsed by
Category: Security

Configuring 802.1x with FreeRADIUS and Cisco WLC

Configuring 802.1x with FreeRADIUS and Cisco WLC

There have been many lengthy articles written about how to install and configure 802.1x and FreeRADIUS for access points.
This post is mainly for my own sake, but if anyone else finds this useful, great!
My setup contains of FreeBSD 9.3 with a FreeRADIUS3 installed, Cisco Virtual Wireless Controller running on VMware, a lightweight access point, and finally a Windows 7 laptop.

First of all, configuring FreeRADIUS3 is very simple, since it’s designed to be working right of the box, with little or no changes. 3 files need to be edited:

  • /usr/local/etc/raddb/users – credentials for end users
  • /usr/local/etc/raddb/clients.conf – devices (e.g. access points) specified
  • /usr/local/etc/raddb/mods-enabled/eap – configuration related to peap

In the users file, enter a username that logs on to the laptop and the password, such as
testuser ClearText-Password := “testpassword”

In the clients.conf file, enter an entry for the wireless lan controller,
client wlc {
   ipaddr =
   secret = thisisoursharedsecret

Finally, the eap file is lengthy with lots of comments, but only this needs to be changed:
eap {
 default_eap_type = peap
  private_key_password = whatever #if you change the password in certs/server.cnf, update this to reflict it!#
  ttls {
     use_tunneled_reply = yes
  peap {
     use_tunneled_reply = yes

The required selfsigned certificates are created and installed when FreeRadius3 is installed and are located in /usr/local/etc/raddb/certs. If you want to update them, remove the cerrts with
rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
then edit the *.cnf files and generate the certs again by typing gmake.
To start FreeRADIUS in debugging mode, type radiusd -X

Cisco WLC
With FreeRADIUS configured, it is time to head to WLC and configure it. Starting with adding the radius server under Security -> AAA -> Radius -> Authentication.


In the shared secret, make sure to enter the same as you did in the entry in the users file above.

Then it is time to create the WLAN (SSID) under WLANS. When the WLAN is created, verify that Layer 2 security is WPA+WPA2, WPA2 Policy-AES is checked, together with 802.1x under Authentication Key Management. Also under AAA Servers, add the Radius server under Authentication Servers.
Then add the WLAN to the AP group, and make sure it is enabled.

Client configuration
The only thing left is to copy the CA cert (ca.der) to the laptop and import the certificate as a trusted root cerificate (through certmgr.msc). To set up the wireless network to use 802.1x, go to the security tab of the network and make sure the network is using security type WPA2-Enterprise and encryption type is AES. Verify that PEAP is chosen in the drop down list and click Settings. Validate Server certificate should be checked, as well as the newly imported root CA. Click OK and choose Advanced settings. Check Specify Authentication mode and select User authentication.



Installing Snort on a flash based FreeBSD system

Installing Snort on a flash based FreeBSD system

For some years I have run Snort on my main server, along with Apache, bind etc and this solution has the obvious limit to only check traffic accessing the server. In a perfect world, it should be placed either before or behind the router/firewall so all traffic to the internal network is examined. This can be accomplished by various techniques, such as getting a passive network tap or using a hub. Since I already had an ITX system, Alix 2D3, which is a small flash based mobo with 3 NICs, 256 MB, 600 MHz, I decided to give it a try and use it. In theory it seems straight forward, bridge two NICs together, connect the cablemodem to one NIC and the router to the second and let Snort sniff the bridged interface. In practice, it was not much more difficult.


Being the FreeBSD guy I am, I decided to install it on the 4 GB flash card. A few things to keep in mind.. Since compact flash cards has a finit number of writes, it is important to try and minimize the write operations, which can be solved by mounting the filesystems with noatime which stops the system from writing when the files were last accessed, and by mounting /tmp and /var/log to RAM by using tmpfs. One caveat with the Alix mobo is that it has no VGA output and to install the operating system, I did an install using PXE and a serial cable. It’s pretty simple, a good guide can be found here and another one here. To be able to remotely manage the box without connecting a console cable to it, I used the first interface (vr0) as management and applied a local address to it.

When installation was complete, I SSH’d into the box and upgraded ports. Then installed some must have apps like vim, screen and bash before installing Snort and Oinkmaster (to keep the rules updated).  Since I am running BASE (a web GUI for querying and analyzing alerts) on my main server and it’s using Mysql as the backend, I compiled Snort with support for logging to mysql. Before starting Snort, I had to bridge two physical interfaces (vr1 & vr2) to create one logical interface (bridge0)  that Snort could listen on.  After a few modications to snort.conf (specifying logging, etc) I started it with snort -i bridge0 and lo and behold! It worked!

Alix2C2 as a firewall with M0n0wall

Alix2C2 as a firewall with M0n0wall

For some time I have been pondering the option of getting a stand-alone router/firewall, since the combined modem/router provided by my ISP has some drawbacks (very rudimentary logging, max 10 ports forwarded etc). A few years back, I used my main multi-homed server (running FreeBSD 4.5 at that time) as a gateway/firewall. What I did like about it was the configurability and the logging options, but when I retired that box and moved FreeBSD over to a virtual machine, I simply got myself a modem/router combo.

One of my criterias now when I had moved into a new apartment, was that the firewall should be small, quiet and energy efficient. PC Engines has become one of the better


known manufacturers of ITX boards, starting with the WRAP which has know been succeeded by its Alix series. These are fanless, compact, and sports a compact flash socket. I settled for an Alix2C2, which has 2 NICs, 256 MB DDR DRAM, USB and a 500 Mhz AMD Geode LX800. LinITX also sold suitable enclosements for the Alix boards, and I bought a black one.
The next option was to choose the software, which there are plenty to choose from, M0n0wall, PFSense, IPcop , Smoothwall, etc. They can all be run from a CF card and doesn’t require a hard disk. Since using a CF card, the write cycles  are limited and everything is kept in RAM to reduce number of writes on the card and increase overall speed. I chose to go with M0n0wall, since its known to run well on Alix2C2, but I guess is’s a matter of taste, personal preferences and what features you are interested in.

Alix2c2 enclosement
Alix2c2 enclosement

When all had been settled it was time to get the hands dirty. Several guides has been written about this, and I followed the one on M0n0walls site. After downloading the embedded image from their site, I had to transfer it to the CF, which I did by writing the image with the help of a card reader. Since I was sitting at my Windows machine when doing the install, I downloaded physwriteimage and wrote the embedded image. Tried to use the GUI but since my CF card was larger than 2 GB (a waste, I know) it wouldn’t work. But using the command prompt and adding the ‘u’ flag to the arguments, it wrote the image fine. Inserted the CF card in the slot on the Alix board, slid it into its enclosement, added the power adapter and it was booting. But since the default configuration has the management IP as and I wanted it to have I had to connect a null-modem cable to its serial port (it doesn’t have a VGA connector) and connect to it through HyperTerminal. After the settings were committed, the box was ready for some action. Connected it to a local switch and the rest of the configuration was easy done through the web interface.