FreeRADIUS + WPA2 Enterprise + 802.1x = How?

  • OK…  I have an Airport Extreme that I would like to have do 802.1x authentication for WPA2 enterprise encryption.  I guess I don't know enough about FreeRADIUS to get a good enough start.

    I have installed FreeRADIUS, added the client and one user.  Except I keep getting 802.1x auth failures when trying to log in.  I did a tcpdump between the Extreme and the pfSense server but all I really see is rejects from the RADIUS server back.

    Does anybody have a quick and dirty on this?  I feel like I'm missing something.


  • I run into the same issues. And, honestly, I have no idea how to fix it. There were some forum quotes stating unsure support of the 802.1x protocol. Maybe someone knows more about this.

  • I've never used this but a quick search of the pfs mailing list yields this:

    If you are running from a hard drive install you would need to do the following:
    - Install the freeradius package
    - Edit the radius.conf and eap.conf to match your environment
    - Copy your certificates to the pfSense's file system
    - Start freeradius.

    I would also suggest having a read through this


  • Finally, I could make the Airport Extreme and Airport Express run in WPA2 Enterprise mode. Here is how it works:

    • go to the shell

    • type: vi /usr/local/etc/raddb/eap.conf

    • uncomment all command lines within the brackets of the following protocols: tls and ttls (DO NOT uncomment the commentaries)

    • save the file

    • restart FreeRADIUS in the Services menu of the browser.

    • Configure the Airports as clients on pfSense/FreeRADIUS and configure the wireless settings on the Airport as WPA2 Enterprise with the RADIUS settings you just configured (secret key, etc.)

    • Connect to the Airport via your Powerbook and choose "TTLS - PAP" in the 802.1X Configuration menu.

    Everything should work fine for now, except that you get a certification warning.

    Note that this is not the safest way to do it. At the least, you need to create new certificates later and place them in /usr/local/etc/raddb/certs
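
A way to confirm that the eap.conf edit described in the last post took effect, as an added example that is not part of the original thread or of FreeRADIUS: it reports which EAP methods are actually uncommented, flags prose comment lines that lost their `#`, and checks that an active `tls` section (which EAP-TTLS uses for its tunnel) names a key and certificate. The function name `audit_eap_conf`, the sample config and the `EXAMPLE.pem` file name are constructed for illustration, and the parser assumes the simple `name {` / `key = value` layout.

```python
import re

# Constructed sample: ttls was uncommented, tls was not, and one prose
# comment line lost its '#' (the mistake the post warns about).
SAMPLE = """\
eap {
    default_eap_type = md5
    #tls {
    #    private_key_file = /usr/local/etc/raddb/certs/EXAMPLE.pem
    #}
    ttls {
        The tunneled EAP session needs a default EAP type
        default_eap_type = md5
    }
}
"""

SECTION = re.compile(r"^([\w-]+)\s*\{$")
SETTING = re.compile(r"^([\w-]+)\s*=\s*(.*)$")

def audit_eap_conf(text):
    """Return (active_methods, problems) for the eap { } block in text."""
    methods, problems, stack = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        sec, kv = SECTION.match(line), SETTING.match(line)
        if sec:
            stack.append(sec.group(1))
            if len(stack) == 2 and stack[0] == "eap":
                methods[stack[1]] = {}           # an uncommented EAP method
        elif line == "}":
            if stack:
                stack.pop()
        elif kv:
            if len(stack) == 2 and stack[0] == "eap":
                methods[stack[1]][kv.group(1)] = kv.group(2).strip('"')
        else:
            problems.append(f"line {lineno}: not a setting, uncommented prose?")
    for name in ("tls", "ttls"):
        if name not in methods:
            problems.append(f"{name} section is commented out or missing")
    for key in ("private_key_file", "certificate_file"):
        if "tls" in methods and key not in methods["tls"]:
            problems.append(f"tls is active but {key} is not set")
    return methods, problems
```

Run it against a copy of the real file with `audit_eap_conf(open("/usr/local/etc/raddb/eap.conf").read())`; an empty problem list means both sections are active and `tls` points at a key and certificate.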
