FreeRadius - Wifi auth with PWD and TTLS



  • freeradius3 0.15.7_3
  • pfsense 2.4.4-RELEASE-p3 (amd64)

    Usecase: This is for my home and I have different vlans based on usage

    Vlan 10 - Direct Connection to the internet
    Vlan 11 - Internet via VPN
    Vlan 12 - IOT Devices
    Vlan 13 - My children

    All vlans are accessible via my unifi ap. I want to be able to switch vlans based on what I am doing (vlan 10 or 11) and I want to be able to restrict the time that my children (vlan 13) have access to the internet.

    On vlan 13 I'm using a time based firewall schedule so that there are only certain days and hours of the day that the kids can access the internet.

    The solution I came up with was using radius auth for the wifi network and associating a vlan with the user. I can change user accounts to hop on or off the VPN and I don't have to mess with MAC filtering or hooking up my children's friends' devices when they visit. (I have no doubt my kids would get around mac filters eventually). At first I struggled with getting simple username and password auth setup. Apparently the eap-pwd module in Freeradius is full of vulnerabilities. This is not an issue for me since I'm not worried about my kids cracking my passwords, I would be really proud if they did! My biggest concern was all of the extra parameters needed to connect via TTLS and MSChapv2, I wanted something simple that just asks for a username and password so I built a config that uses both TTLS with MSChapv2 and eap-pwd because I could.

    I spent many hours researching freeradius configurations and reading posts and other blogs on how to set this up but none offered a beginning to end tutorial, so here it is.

    A little EAP primer

    This setup is probably not recommended due to the changes required and eap-pwd is full of vulnerabilities so proceed at your own risk.

    The setup involves making a copy of a fresh and untouched freeradius config directory and then using the new copy as the new freeradius base dir for running the service. This is needed since pfsense will overwrite any changes made from the terminal.

    Here are my UI configs. The missing pages mean I didn't make any changes.

    From the ssh terminal on my pfsense box:

    mkdir /usr/local/etc/raddb-pwd
    cp -r /usr/local/etc/raddb/ /usr/local/etc/raddb-pwd/
    vi /usr/local/etc/raddb-pwd/mods-enabled/eap

    At the bottom of the eap file I added the following config. Beware of the very last curly brace (not in my block), make sure it's the last character of the file!

            # EAP-pwd -- secure password-based authentication
            # (this block sits inside the existing "eap { ... }" section,
            # before its closing brace)
            pwd {
                    group = 19

                    server_id = theserver@example.com

                    #  This has the same meaning as for TLS.
                    fragment_size = 1020

                    # The virtual server which determines the
                    # "known good" password for the user.
                    # Note that unlike TLS, only the "authorize"
                    # section is processed.  EAP-PWD requests can be
                    # distinguished by having a User-Name, but
                    # no User-Password, CHAP-Password, EAP-Message, etc.
                    virtual_server = "inner-tunnel-ttls"
            }

    vi /etc/rc.conf

    Enter the following in the file:

    radiusd_flags="-d /usr/local/etc/raddb-pwd"

    Once that's in place, reboot and verify that freeradius is using the new path:

    ps -aux | grep radius
    /usr/local/sbin/radiusd -d /usr/local/etc/raddb-pwd

    This has been tested on:

    • Windows 10 (which will default to TTLS)
    • Linux (which will use either TTLS or PWD - whatever you config)
    • Android (which will use either TTLS or PWD - whatever you config)
    • Mac OSX 14.x - Not sure what it's using, but it's connecting.

    I hope this post helps someone in the future and saves hours of digging through posts and docs.
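    The two places this setup breaks (a pwd block pasted after eap's closing brace, and radiusd not actually started from the copied directory) can be checked with a short script. This is an added example, not part of the post above; it uses the post's paths, and the eap and rc.conf files it writes are constructed samples for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): checks for the relocated
# FreeRADIUS config. Paths are the post's; sample files are constructed.

# check_pwd_inside_eap FILE: exit 0 when braces balance and "pwd {" opens at
# nesting depth 1 (inside "eap { ... }"); 1 if pwd landed after eap's closing
# brace (the mistake the post warns about) or the file is unbalanced.
check_pwd_inside_eap() {
    awk '
        /^[[:space:]]*#/ { next }                  # whole-line comment
        {
            line = $0; sub(/#.*/, "", line)        # strip trailing comment
            if (line ~ /^[[:space:]]*pwd[[:space:]]*[{]/) pwd_depth = depth
            depth += gsub(/[{]/, "{", line)
            depth -= gsub(/[}]/, "}", line)
            if (depth < 0) bad = 1
        }
        END { if (bad || depth != 0 || pwd_depth != 1) exit 1 }
    ' "$1"
}

# check_radiusd_flags RCFILE DIR: exit 0 when rc.conf pins radiusd to DIR.
check_radiusd_flags() {
    grep -q "^radiusd_flags=\"-d $2\"\$" "$1"
}

# radiusd_uses_dir DIR (ps output on stdin): exit 0 when a radiusd was
# started with "-d DIR". Usage: ps -axww -o command | radiusd_uses_dir DIR
radiusd_uses_dir() {
    grep -Eq "[r]adiusd .*-d $1( |\$)"     # [r] keeps grep from matching itself
}

# --- constructed demo input: the correct eap file and the broken one ---
tmp=$(mktemp -d)
GOOD_EAP="$tmp/eap-good"; BAD_EAP="$tmp/eap-bad"; RC="$tmp/rc.conf"
cat > "$GOOD_EAP" <<'EOF'
eap {
        ttls { virtual_server = "inner-tunnel-ttls" }
        pwd {
                group = 19
                server_id = theserver@example.com
                fragment_size = 1020
                virtual_server = "inner-tunnel-ttls"
        }
}
EOF
printf 'eap {\n\tttls { virtual_server = "inner-tunnel-ttls" }\n}\npwd {\n\tgroup = 19\n}\n' > "$BAD_EAP"
printf 'radiusd_enable="YES"\nradiusd_flags="-d /usr/local/etc/raddb-pwd"\n' > "$RC"
check_pwd_inside_eap "$GOOD_EAP" && echo "eap-good: pwd block is inside eap {}"
check_pwd_inside_eap "$BAD_EAP"  || echo "eap-bad: pwd block is outside eap {}"
```

    On the pfSense box itself, point check_pwd_inside_eap at /usr/local/etc/raddb-pwd/mods-enabled/eap and check_radiusd_flags at /etc/rc.conf instead of the sample files.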
