Configuring 802.1x with FreeRADIUS and Cisco WLC


There have been many lengthy articles written about how to install and configure 802.1x and FreeRADIUS for access points.
This post is mainly for my own sake, but if anyone else finds it useful, great!
My setup consists of FreeBSD 9.3 with FreeRADIUS3 installed, a Cisco Virtual Wireless Controller running on VMware, a lightweight access point, and finally a Windows 7 laptop.

FreeRADIUS
First of all, configuring FreeRADIUS3 is very simple, since it is designed to work right out of the box with little or no change. Three files need to be edited:

  • /usr/local/etc/raddb/users – credentials for end users
  • /usr/local/etc/raddb/clients.conf – devices (e.g. the wireless LAN controller) allowed to talk to the server, with their shared secrets
  • /usr/local/etc/raddb/mods-enabled/eap – configuration related to PEAP

In the users file, enter the username that logs on to the laptop and its password, such as
testuser ClearText-Password := "testpassword"

In the clients.conf file, enter an entry for the wireless lan controller,
client wlc {
   ipaddr = 192.168.0.50
   secret = thisisoursharedsecret
}

Finally, the eap file is lengthy with lots of comments, but only this needs to be changed:
eap {
   default_eap_type = peap
   ….
   private_key_password = whatever   # if you change the password in certs/server.cnf, update this to reflect it
   ….
   ttls {
      use_tunneled_reply = yes
      ….
   peap {
      use_tunneled_reply = yes
      ….

The required self-signed certificates are created and installed when FreeRADIUS3 is installed and are located in /usr/local/etc/raddb/certs. If you want to regenerate them, remove the existing certs with
rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
then edit the *.cnf files and generate the certs again by typing gmake.
To start FreeRADIUS in debugging mode, type radiusd -X
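Before starting radiusd -X it is worth checking the three files for the mistakes that bite in practice: a short or stock shared secret, a client entry that accepts any source address, a private_key_password that no longer matches the password in certs/server.cnf (or is still the shipped "whatever"), use_tunneled_reply left off, and users stored as Cleartext-Password (PEAP-MSCHAPv2 needs it, so the users file should be readable only by the radius user). The script below is an added example, not part of this post or of FreeRADIUS; the sample texts are constructed from the snippets above, the FreeRADIUS 3 tls-config layout is assumed for the eap file (the search is recursive, so the flatter layout works too), and the 16-character minimum is my own threshold.

```python
import re

# Constructed sample inputs mirroring the snippets in this post (not real files).
SAMPLE_CLIENTS = """
client wlc {
   ipaddr = 192.168.0.50
   secret = thisisoursharedsecret
}
"""

SAMPLE_EAP = """
eap {
   default_eap_type = peap
   tls-config tls-common {
      private_key_password = whatever  # must match certs/server.cnf
   }
   ttls {
      use_tunneled_reply = yes
   }
   peap {
      use_tunneled_reply = yes
   }
}
"""

SAMPLE_SERVER_CNF = """
[ req ]
prompt = no
input_password = whatever
output_password = whatever
"""

SAMPLE_USERS = 'testuser Cleartext-Password := "testpassword"\n'

MIN_SECRET_LEN = 16                   # assumed threshold, not a FreeRADIUS setting
SHIPPED_KEY_PASSWORD = "whatever"     # value in the stock certs/*.cnf files
SHIPPED_CLIENT_SECRET = "testing123"  # value in the stock clients.conf


def _strip_comment(line):
    """Drop a trailing # comment, leaving # characters inside double quotes alone."""
    out, in_quotes = [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "#" and not in_quotes:
            break
        out.append(ch)
    return "".join(out).strip()


def parse_radius_conf(text):
    """Parse FreeRADIUS-style 'name { key = value ... }' text into nested dicts."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        section = re.match(r"^(\S+(?:\s+\S+)?)\s*\{$", line)
        if section:
            child = {}
            stack[-1][section.group(1)] = child
            stack.append(child)
            continue
        pair = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if pair:
            stack[-1][pair.group(1)] = pair.group(2).strip().strip('"')
    return root


def find_key(tree, key):
    """Depth-first search for a scalar key anywhere in a parsed config tree."""
    for name, value in tree.items():
        if isinstance(value, dict):
            found = find_key(value, key)
            if found is not None:
                return found
        elif name == key:
            return value
    return None


def parse_users(text):
    """Return (user, attribute, value) for each check line in a users file."""
    entries = []
    for raw in text.splitlines():
        m = re.match(r'^(\S+)\s+(\S+)\s*(?::=|==|=)\s*"?([^"]*)"?\s*$', _strip_comment(raw))
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def audit_config(clients_conf, eap_conf, server_cnf, users):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    for name, cfg in parse_radius_conf(clients_conf).items():
        if not (isinstance(cfg, dict) and name.startswith("client ")):
            continue
        secret, ipaddr = cfg.get("secret", ""), cfg.get("ipaddr", "")
        if len(secret) < MIN_SECRET_LEN:
            findings.append(f"{name}: shared secret shorter than {MIN_SECRET_LEN} characters")
        if secret == SHIPPED_CLIENT_SECRET:
            findings.append(f"{name}: stock secret '{SHIPPED_CLIENT_SECRET}' still in use")
        if ipaddr in ("", "*", "0.0.0.0", "0.0.0.0/0"):
            findings.append(f"{name}: ipaddr accepts any source; pin it to the WLC address")

    eap = parse_radius_conf(eap_conf).get("eap", {})
    if eap.get("default_eap_type") != "peap":
        findings.append("eap: default_eap_type is not peap")
    key_pw = find_key(eap, "private_key_password")
    cnf = re.search(r"^\s*output_password\s*=\s*(\S+)", server_cnf, re.M)
    if key_pw != (cnf.group(1) if cnf else None):
        findings.append("eap: private_key_password differs from output_password in certs/server.cnf")
    if key_pw == SHIPPED_KEY_PASSWORD:
        findings.append(f"eap: private_key_password is still the shipped default '{SHIPPED_KEY_PASSWORD}'")
    for section in ("ttls", "peap"):
        if eap.get(section, {}).get("use_tunneled_reply") != "yes":
            findings.append(f"eap/{section}: use_tunneled_reply is not set to yes")

    for user, attr, _ in parse_users(users):
        if attr.lower() == "cleartext-password":
            findings.append(f"users: {user} has a Cleartext-Password (needed for PEAP-MSCHAPv2; "
                            "keep the users file readable only by the radius user)")
    return findings


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CLIENTS, SAMPLE_EAP, SAMPLE_SERVER_CNF, SAMPLE_USERS):
        print("-", line)
```

Run it with the real file contents substituted for the samples; for the snippets in this post it reports only that the key password is still the shipped default and that testuser is stored in cleartext, which is exactly the state the post leaves the server in.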

Cisco WLC
With FreeRADIUS configured, it is time to head to the WLC and configure it. Start by adding the RADIUS server under Security -> AAA -> RADIUS -> Authentication.
[Screenshot: radius-server]

[Screenshot: radius-server-edit]

In the Shared Secret field, make sure to enter the same secret you gave the client wlc entry in clients.conf above.

Then it is time to create the WLAN (SSID) under WLANs. When the WLAN is created, verify that Layer 2 security is WPA+WPA2, that WPA2 Policy-AES is checked, and that 802.1x is selected under Authentication Key Management. Also, under AAA Servers, add the RADIUS server under Authentication Servers.
Then add the WLAN to the AP group, and make sure it is enabled.

Client configuration
The only thing left is to copy the CA cert (ca.der) to the laptop and import it as a trusted root certificate (through certmgr.msc). To set up the wireless network to use 802.1x, go to the Security tab of the network and make sure the security type is WPA2-Enterprise and the encryption type is AES. Verify that PEAP is chosen in the drop-down list and click Settings. Validate server certificate should be checked, as should the newly imported root CA in the list of trusted roots, so the laptop only authenticates to this RADIUS server and not to any other one presenting a certificate. Click OK and choose Advanced settings. Check Specify authentication mode and select User authentication.

Done.

References:
http://www.rrfx.net/2011/02/wpa2-enterprise-on-ubuntu-configuring.html
http://www.wi-fiplanet.com/tutorials/article.php/3834676
http://kirkkosinski.com/2012/10/securing-wi-fi-with-peap-and-freeradius-on-centos/
http://www.admin-magazine.com/Articles/FreeRADIUS-for-WiFi-Hotspots
