Skip to content

EAP-TLS RADIUS Server on Ubuntu

This project provides a guide to setting up an EAP-TLS authentication FreeRADIUS server on Ubuntu, including: - Installing FreeRADIUS - Generating EAP-TLS Certificates - Configuring RADIUS Server - Connecting Client Devices - Debugging and Troubleshooting

๐Ÿš€ Experiment Environment

  1. Ubuntu Virtual Machine (as the RADIUS server).
  2. Router (as the wireless access point).
  3. Redmi K50 Smartphone (as the wireless client).
  4. Wireless Network Adapter (for debugging or packet capture).

๐Ÿ“Œ 1. Installing FreeRADIUS

sudo apt update && sudo apt install freeradius freeradius-utils -y

Check if the RADIUS server is running:

sudo systemctl status freeradius

If not started:

sudo systemctl enable --now freeradius

๐Ÿ“Œ 2. Configuring FreeRADIUS

Modify clients.conf

sudo nano /etc/freeradius/3.0/clients.conf

Add the following entry (โš ๏ธ Replace 192.168.51.2 with your router's IP โš ๏ธ):

client your_router {
    ipaddr = 192.168.51.2  
    secret = testing123  
    shortname = router  
}

Enable EAP Module

sudo nano /etc/freeradius/3.0/mods-enabled/eap

Ensure the following configuration:

eap {
    default_eap_type = tls
}

tls-config tls-common {
    private_key_file = /etc/freeradius/3.0/certs/server.key
    certificate_file = /etc/freeradius/3.0/certs/server.crt
    CA_file = /etc/freeradius/3.0/certs/ca.crt
    dh_file = /etc/freeradius/3.0/certs/dh
    random_file = /dev/urandom
}

โš ๏ธ Since my certificates are stored here, you need to replace them with your own certificate paths!

๐Ÿ“Œ 3. Generating Certificates

Create the certificate directory (if it does not exist):

sudo mkdir -p /etc/freeradius/3.0/certs
cd /etc/freeradius/3.0/certs

Generate CA Certificate

sudo openssl genrsa -out ca.key 2048
sudo openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt -subj "/C=JP/ST=Miyagi/L=Sendai/O=Tohoku University/OU=Goto Lab/CN=CA"

Generate Server Certificate

sudo openssl genrsa -out server.key 2048
sudo openssl req -new -key server.key -out server.csr -subj "/C=JP/ST=Miyagi/L=Sendai/O=Tohoku University/OU=Goto Lab/CN=radius-server.local"
sudo openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256

Generate Client Certificate

sudo openssl genrsa -out client.key 2048
sudo openssl req -new -key client.key -out client.csr -subj "/C=JP/ST=Miyagi/L=Sendai/O=Tohoku University/OU=Goto Lab/CN=client"
sudo openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256

โš ๏ธ Note: The above commands include information such as "Tohoku University" and "Goto Lab," which are specific to my research lab. Please replace them with your own organization details!

Create PKCS#12 Client Certificate (For Mobile Import)

sudo openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt -out client.p12

๐Ÿ“Œ 4. Start FreeRADIUS and Test

sudo systemctl restart freeradius
sudo journalctl -u freeradius -f

Test authentication using radtest:

radtest user password 127.0.0.1 0 testing123

If successful, it should return Access-Accept.

๐Ÿ“Œ 5. Connect Wireless Clients

Prepare Client Certificates

  1. Copy client.p12 and ca.crt to your smartphone (e.g., using Google Drive).
  2. Import the certificates on Android/iPhone:
  3. Go to Wi-Fi Advanced Settings, select EAP-TLS authentication.
  4. Choose client.p12 as the client certificate.
  5. Choose ca.crt as the CA certificate.

๐Ÿ“Œ 6. Configure Router

  1. Open your router management interface.
  2. In Wireless Security or Advanced Settings, enable WPA2-Enterprise (EAP-TLS).
  3. Set up the RADIUS server address:
  4. RADIUS Server IP: Your RADIUS Server IP
  5. Port: 1812
  6. Secret: testing123 (This must match the secret value in clients.conf)

๐Ÿ“Œ Ensure the RADIUS shared key in clients.conf matches your router configuration

client your_router {
    ipaddr = 192.168.51.2  # Replace with your router IP
    secret = testing123    # RADIUS shared secret
    shortname = router     # Alias for easier identification
}

โš ๏ธ Note: If the secret in clients.conf does not match the router configuration, RADIUS authentication will fail!

๐Ÿ“œ License

This project is licensed under the MIT License. You are free to use and modify it. If you reference or further develop this project, please acknowledge the source.

๐Ÿ“š References

This project is based on the following resources: - FreeRADIUS Official Website: https://www.freeradius.org/ - NII Academic Authentication Promotion Office - Eduroam & RADIUS Documentation: NII MeatWiki

๐Ÿ“ฉ Contact

If you have any questions or suggestions, please submit an issue or visit my GitHub page:

๐Ÿ”— GitHub Profile

If you find this project useful, please consider giving it a Star โญ!