Synology usage series 32 – Setup Wifi WPA2 Enterprise with Freeradius+Openldap/Client Certificate


Make sure you really want to do this, because not all devices support 802.1X, for example:

  • PS Vita

Prerequisite

  1. Modding series 9 – Setup an OpenLDAP Server
  2. Modding series 21 – Install FreeRadius Server and integrate with OpenLDAP Server

Setup FreeRadius to support EAP-PEAP-TLS

  1. SSH to DS as root
  2. Edit /opt/etc/raddb/radiusd.conf and add the following line to the config file: $INCLUDE ${confdir}/sites-enabled/

    # vi /opt/etc/raddb/radiusd.conf

    # add sites-enabled to the config
    $INCLUDE ${confdir}/sites-enabled/


  3. Edit /opt/etc/raddb/radiusd.conf again, look for the authenticate section and add mschap within it.

    # vi /opt/etc/raddb/radiusd.conf

    authenticate {
     .
     .
     .
      # add mschap
      mschap
    }

    Then look for the modules section and add the following three lines within it:

    # vi /opt/etc/raddb/radiusd.conf

    modules {
     # add expiration, logintime and attr_filter modules
     $INCLUDE ${confdir}/modules/expiration
     $INCLUDE ${confdir}/modules/logintime
     $INCLUDE ${confdir}/modules/attr_filter

    }
    
  4. Edit /opt/etc/raddb/eap.conf, change default_eap_type to peap.
    
    # vi /opt/etc/raddb/eap.conf
    
    .
    .
    default_eap_type = peap
    .
    .
    
  5. Edit /opt/etc/raddb/sites-enabled/default, look for the authorize section and uncomment the ldap line.
    
    # vi /opt/etc/raddb/sites-enabled/default
    
    authorize {
    .
    .
    # un-comment the ldap 
     ldap
    .
    .
    }
    

    Then look for the authenticate section and uncomment the Auth-Type LDAP block as well.

    # vi /opt/etc/raddb/sites-enabled/default

    authenticate {
    .
    .
    # un-comment the ldap
     Auth-Type LDAP {
         ldap
     }
    .
    .
    }

  6. Edit /opt/etc/raddb/sites-enabled/inner-tunnel, look for the authorize section and uncomment the ldap line.
    
    # vi /opt/etc/raddb/sites-enabled/inner-tunnel
    
    authorize {
    .
    .
    # un-comment the ldap 
     ldap
    .
    .
    }
    

    Then look for the authenticate section and uncomment the Auth-Type LDAP block as well.

    # vi /opt/etc/raddb/sites-enabled/inner-tunnel

    authenticate {
    .
    .
    # un-comment the ldap
     Auth-Type LDAP {
         ldap
     }
    .
    .
    }

  7. Edit /opt/etc/raddb/clients.conf and add the Wi-Fi access point to the config file.

    # vi /opt/etc/raddb/clients.conf

    # add access point details here, 192.168.0.1 is the ip of the access point

    client 192.168.0.1 {
         secret = [shared secret password of radius server]
         shortname = [SSID of the access point]
         nastype = other
    }


  8. If you have the firewall activated on your DiskStation, make sure to add a firewall rule that allows the Wi-Fi access point to reach UDP ports 1812, 1813 and 1814.

At this point the RADIUS server is already able to perform authentication for WPA/WPA2 Enterprise!
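The shared secret in step 7 is what protects the access point's RADIUS traffic, and the stock clients.conf also ships a localhost stanza whose secret is testing123. The following Python script is an added example for this article, not code from the original post or from the FreeRADIUS project: it parses flat client stanzas out of a clients.conf and flags stanzas whose secret is still the template placeholder, the stock default, or shorter than a locally chosen minimum (the 16-character limit is an assumed policy). The sample clients.conf inside it is constructed.

```python
"""Audit a FreeRADIUS clients.conf for placeholder, default or weak shared secrets.

Added example for this article; not code from the original post or from the
FreeRADIUS project. The sample clients.conf below is constructed; the only real
value it reuses is the 'testing123' secret of the stock localhost stanza.
"""
import ipaddress
import re

# Constructed sample in the layout of step 7 above.
SAMPLE_CLIENTS_CONF = """\
# stock localhost entry shipped with FreeRADIUS
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    shortname = localhost
    nastype = other
}

# access point added in step 7, but the placeholders were never replaced
client 192.168.0.1 {
    secret = [shared secret password of radius server]
    shortname = [SSID of the access point]
    nastype = other
}

# second access point with a proper secret (constructed value)
client 192.168.0.2 {
    secret = q7Rk2vP9mW4zL8xN3bHj
    shortname = office-ap
    nastype = other
}
"""

MIN_SECRET_LEN = 16               # assumed local policy, not a FreeRADIUS requirement
KNOWN_DEFAULTS = {"testing123"}   # secret in the stock clients.conf localhost stanza

# Matches flat 'client <name> { ... }' stanzas (no nested sub-sections).
STANZA_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_clients(text):
    """Return {name: {attribute: value}} for every client stanza in the file.

    '#' comments are stripped first, so a commented-out stanza is ignored.
    """
    cleaned = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    clients = {}
    for match in STANZA_RE.finditer(cleaned):
        name, body = match.group(1), match.group(2)
        attrs = {}
        for line in body.splitlines():
            if "=" in line:
                key, value = line.split("=", 1)
                attrs[key.strip()] = value.strip()
        clients[name] = attrs
    return clients


def audit_client(name, attrs):
    """Return a list of findings for one stanza; an empty list means it passed."""
    findings = []
    # The stanza name is the address (as in step 7) unless ipaddr overrides it.
    addr = attrs.get("ipaddr", name)
    try:
        ipaddress.ip_network(addr, strict=False)
    except ValueError:
        findings.append(f"{name}: '{addr}' is not an IP address or CIDR range")
    secret = attrs.get("secret", "")
    if not secret:
        findings.append(f"{name}: no shared secret")
    elif secret.startswith("[") and secret.endswith("]"):
        findings.append(f"{name}: secret is still the [placeholder] from the article")
    elif secret in KNOWN_DEFAULTS:
        findings.append(f"{name}: secret is the stock default '{secret}'")
    elif len(secret) < MIN_SECRET_LEN:
        findings.append(f"{name}: secret is shorter than {MIN_SECRET_LEN} characters")
    shortname = attrs.get("shortname", "")
    if not shortname:
        findings.append(f"{name}: no shortname")
    elif shortname.startswith("["):
        findings.append(f"{name}: shortname is still the [placeholder] from the article")
    return findings


def audit(text):
    """Audit every stanza; returns {name: [findings]}."""
    return {name: audit_client(name, attrs) for name, attrs in parse_clients(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CLIENTS_CONF).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run it against a copy of /opt/etc/raddb/clients.conf (`audit(open(path).read())`) before restarting radiusd; the regex only understands flat stanzas, so a client block with nested sub-sections would need a fuller parser.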

Generate client certificate

If you do not plan to authenticate clients using client certificates, you can skip this part.

  1. SSH to DS as root
  2. Edit /opt/etc/raddb/certs/client.cnf (refer to Modding series 21 for details about this client certificate config file) and fill in the [Client] section with the client details. Make sure the common name is unique for every client. IMPORTANT: the Country Name, State and Organization Name MUST match the values of the CA.
  3. Before we generate the client certificate, we MUST back up the original certificates first.


    # cd /opt/etc/raddb
    # cp -r certs certs.b4genclient

  4. Generate a client certificate


    # cd /opt/etc/raddb/certs
    # chmod 660 index.txt
    # make client.pem

    This will generate a new set of certificate files and overwrite the existing client.* files. Make sure you back up the certs directory first, or simply copy the existing client.* files somewhere safe.

  5. If you want to generate another client certificate for another Wi-Fi client, edit client.cnf and run make client.pem again. If make fails saying it couldn't load a certificate, copy server.crt back from the backup directory and try again.


    # cp /opt/etc/raddb/certs.b4genclient/server.crt /opt/etc/raddb/certs
    # make client.pem
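Steps 2 and 5 above both depend on getting client.cnf right before make runs: the Country, State and Organization must match the CA, and the common name must not collide with a certificate the CA has already issued. The following Python script is an added example for this article, not code from the original post or from the FreeRADIUS project. It assumes the stock raddb/certs layout, where ca.cnf keeps the CA's DN in a [certificate_authority] section, client.cnf keeps the client's DN in a [client] section, and index.txt is OpenSSL's CA database; all the sample text embedded in it is constructed.

```python
"""Check a client.cnf before running 'make client.pem' (steps 2 and 5 above).

Added example for this article; not code from the original post or from the
FreeRADIUS project. It assumes the stock raddb/certs layout: ca.cnf keeps the
CA's DN in a [certificate_authority] section, client.cnf keeps the client's DN
in a [client] section, and index.txt is OpenSSL's CA database (tab-separated:
status, expiry, revocation date, serial, file, subject DN). All sample text
below is constructed.
"""

# Fields the article says MUST match the CA.
MUST_MATCH = ("countryName", "stateOrProvinceName", "organizationName")
CA_SECTION, CLIENT_SECTION = "certificate_authority", "client"  # assumed section names


def parse_cnf(text):
    """Minimal OpenSSL .cnf parser: {section: {key: value}} ('[ name ]', '#' comments, tabs)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def valid_common_names(index_txt):
    """commonNames of certificates still valid (status V) in the CA's index.txt."""
    names = set()
    for line in index_txt.splitlines():
        fields = line.split("\t")
        if len(fields) < 6 or fields[0] != "V":
            continue
        # subject DN looks like /C=FR/ST=Radius/O=Example Inc./CN=alice@example.org
        names.update(part[3:] for part in fields[5].split("/") if part.startswith("CN="))
    return names


def check_client(ca_cnf, client_cnf, index_txt):
    """Return a list of problems; an empty list means client.cnf is safe to build."""
    ca = parse_cnf(ca_cnf).get(CA_SECTION, {})
    client = parse_cnf(client_cnf).get(CLIENT_SECTION, {})
    problems = [f"{f}: client '{client.get(f)}' != CA '{ca.get(f)}'"
                for f in MUST_MATCH if client.get(f) != ca.get(f)]
    cn = client.get("commonName")
    if not cn:
        problems.append("commonName is missing")
    elif cn in valid_common_names(index_txt):
        problems.append(f"commonName '{cn}' already has a valid certificate in index.txt")
    return problems


# Constructed samples.
CA_CNF = """\
[certificate_authority]
countryName         = FR
stateOrProvinceName = Radius
localityName        = Somewhere
organizationName    = Example Inc.
emailAddress        = admin@example.org
commonName          = Example Certificate Authority
"""

CLIENT_CNF_OK = """\
[ req ]
prompt              = no
distinguished_name  = client

[client]
countryName         = FR
stateOrProvinceName = Radius
localityName        = Somewhere
organizationName    = Example Inc.
emailAddress        = carol@example.org
commonName          = carol@example.org
"""

# Wrong country, and a commonName that index.txt already lists as valid.
CLIENT_CNF_BAD = CLIENT_CNF_OK.replace("= FR", "= US").replace("carol@", "alice@")

INDEX_TXT = (
    "V\t261231235959Z\t\t02\tunknown\t/C=FR/ST=Radius/O=Example Inc."
    "/CN=alice@example.org/emailAddress=alice@example.org\n"
    "R\t261231235959Z\t250101000000Z\t03\tunknown\t/C=FR/ST=Radius/O=Example Inc."
    "/CN=bob@example.org/emailAddress=bob@example.org\n"
)

if __name__ == "__main__":
    for label, cnf in (("carol", CLIENT_CNF_OK), ("alice", CLIENT_CNF_BAD)):
        print(label, check_client(CA_CNF, cnf, INDEX_TXT) or "OK")
```

On the DiskStation, feed it the real files from /opt/etc/raddb/certs (ca.cnf, client.cnf and index.txt) and only run make client.pem when the list of problems comes back empty; a revoked entry (status R) in index.txt is deliberately not counted as a collision, since re-issuing for the same common name after revocation is normal.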
