FreeRADIUS for WPA2 Enterprise

Hopefully in the coming week I will be publishing a blog post on impersonating a WPA2 Enterprise wireless access point with the WiFi Pineapple.  Hak5 has recently released v2.2.0 for the WiFi Pineapple, which adds support for PineAP to imitate enterprise access points and capture enterprise client credentials.  In order to test this I must first get an access point up and running with 802.1X support.  Thus, I thought I would put together a quick tutorial on setting up FreeRADIUS on an Ubuntu 16.04 machine and then tying it into my Ubiquiti AP.

FreeRADIUS is an open source RADIUS server used by many organizations. It performs AAA functions, supports many authentication protocols, and is widely popular because it is modular and scalable.

In 802.1X, and in my lab, FreeRADIUS will play the role of the authentication server. FreeRADIUS can be the proxy to another authentication server such as Active Directory.

The initial installation of FreeRADIUS can be achieved by simply running the sudo apt-get install freeradius command.  You can test to make sure the installation was completed successfully by running freeradius -v from the terminal.  

You can check the default configuration by typing sudo freeradius -CX.  In the second screenshot you will see that if all is well FreeRADIUS will report that the configuration appears to be OK.

There are many different options that can be fine-tuned for FreeRADIUS, but for now I am just attempting to get a small number of devices set up.  To begin with, we need FreeRADIUS to look for designated clients.  The word “clients” can be deceiving, but in FreeRADIUS terms it means the authenticators, such as the APs or WLAN controllers. We want to verify that only authorized authenticators are used on our network. The authenticators and the authentication server use shared secrets to verify each other.  In order to whitelist our Ubiquiti AP we will open the clients.conf file and add the client as shown in the screenshot below.

Once the AP has been whitelisted we need to add users allowed to authenticate.  To do this we will edit the users file in /etc/freeradius/.  The format should be username Cleartext-Password := "Password".  You can see from the screenshot below that I added a very insecure user for testing purposes.

FreeRADIUS has the functionality to test the newly created username and password by running the following command:  radtest user password localhost 0 testing123.  Because this runs locally, the server you have to provide the secret key for is the localhost.  You can verify the localhost secret in the /etc/freeradius/clients.conf file.  If all goes well you will see an Access-Accept.  In the screenshot below I have shown what the rejection message looks like.
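Before pointing a real AP at the server, it is worth checking the two files edited above for lab leftovers. The script below is an added example, not part of the original tutorial: it parses constructed clients.conf and users snippets and flags the default testing123 secret, short shared secrets, and cleartext user entries. The client names, addresses, secrets and the 16-character minimum are assumptions, and the parser only handles flat client blocks like the ones shown.

```python
import re

# Constructed sample files in the formats the tutorial describes; names,
# addresses and secrets are made-up values, not the author's configuration.
CLIENTS_CONF = '''
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client unifi-ap {
    ipaddr = 192.0.2.10
    secret = Xq7!vR2m#Lp9zKe4Tb8w
}
'''
USERS = '''
# username Cleartext-Password := "Password"
testuser Cleartext-Password := "password"
'''

DEFAULT_SECRET = "testing123"  # secret the tutorial passes to radtest
MIN_SECRET_LEN = 16            # assumed local policy, not a FreeRADIUS rule

def parse_clients(text):
    """Return {client_name: {option: value}} for each flat client block."""
    clients = {}
    for name, body in re.findall(r"client\s+(\S+)\s*\{([^}]*)\}", text):
        pairs = re.findall(r"^[ \t]*(\w+)[ \t]*=[ \t]*(\S+)", body, re.M)
        clients[name] = {key: value.strip('"') for key, value in pairs}
    return clients

def audit_clients(text):
    """Flag authenticators whose shared secret is the default or too short."""
    findings = []
    for name, opts in parse_clients(text).items():
        secret = opts.get("secret", "")
        if secret == DEFAULT_SECRET:
            findings.append((name, "default shared secret"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, "short shared secret"))
    return findings

def audit_users(text):
    """List users whose password sits in clear text in the users file."""
    pat = r'^[ \t]*([^#\s]\S*)[ \t]+Cleartext-Password[ \t]*:=[ \t]*"[^"]*"'
    return re.findall(pat, text, re.M)

if __name__ == "__main__":
    for name, issue in audit_clients(CLIENTS_CONF):
        print(f"clients.conf: {name}: {issue}")
    for user in audit_users(USERS):
        print(f"users: {user}: cleartext password on disk")
```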

Now that configuration is complete we can start the FreeRADIUS service with service freeradius start.  

In order to tie FreeRADIUS in to the Ubiquiti AP we will need to log in to our Unifi Controller.  I will not elaborate on how to do that because I assume that you will be familiar with those steps already.  Go to Settings --> Wireless Networks --> Add New WLAN Group.  You will get a configuration screen like the one shown below.

Choose Create New Radius Profile from the RADIUS Profile menu.  Once that menu is loaded you will enter the Profile Name, IP Address, Port 1812, and the Password/Shared Secret.

You can attempt to log in to your WPA2 Enterprise WLAN by selecting the SSID from any wireless device.  The wireless device should prompt you for both a username and password.  You can verify that the authentication is working by viewing the log file at /var/log/freeradius/radius.log.

This concludes the setup of a FreeRADIUS server.  I am actively working on a blog post to impersonate this WLAN using the WiFi Pineapple.  

Ryan Villarreal