WPA2-EAP and 802.11r with openWRT and FreeRadius

Linux Networking

When it comes to Enterprise WiFi, the simple "plug in, set your password and enjoy" approach doesn't work as expected, especially if you have multiple APs around and need to implement fast transitioning between them. Also, how do you authorize the WPA2-EAP clients in your network? You need some server with credentials and stuff!

Simple two nodes network

Let's start small with two OpenWRT devices: one serves as the master router, the second is a dumb AP. We'll start with a simple WiFi network with a shared passphrase and a central DHCP server. So, on the router:

  • Create a new WiFi network
    • Set security to a WPA2-PSK
    • Set WiFi password
    • Check Isolate clients under the advanced tab
  • Create a new interface WLAN
    • Set static IP like 192.168.2.1/24
    • Set the physical settings to bridge and assign an unused LAN port and the WiFi network to it
    • Enable DHCP for this interface
  • Create a new firewall zone WLAN, assign it to the WLAN interface and set forwarding to wan zone

Now you should be able to connect to this WiFi, get an IP from the 192.168.2.0/24 range and access the internet. The same access should be available over the LAN port you specified. So let's move to the dumb AP device:

  • Create a WiFi network with same settings as on the router
  • Create a new interface WLAN, set it to unmanaged and assign the WiFi network and some LAN port to it
  • Connect AP over the selected LAN port to the router's LAN port in the WLAN network

So, make sure you can connect to both devices (e.g. place them far apart and stand with your phone near each of them while connecting); everything should work. If not, check your networking and LAN port settings; maybe try to set a static IP from the same network on the AP's WLAN interface and try to ping it from the router, ... If you see a bunch of DHCP errors in the AP log, just exclude br-WLAN from the DHCP settings (can be done in LuCI, there's a DHCP and DNS tab).

802.11r Fast Transition

You may have noticed that your WiFi device might get disconnected briefly when going from one AP to another; this is unpleasant during online calls if you are used to walking while talking, or maybe you are just in the middle between the APs and your phone keeps jumping from one to the other. Here's 802.11r to save you!

When using a preshared key network, the setup is pretty straightforward: just open your WiFi settings on both devices and check the 802.11r Fast Transition field. Nothing else is needed, as the encryption keys, mobility domain, etc. get derived from the network SSID and password, at least on a recent OpenWRT version. Give it a try!

VLANs

Let's talk about basic security. Assume you have a company network with several servers, multiple services, WiFi networks for employees and guests, and you don't want your employees to access everything. It makes sense to separate all the traffic into several networks, but who would wire multiple Ethernet cables to a single device? VLANs to the rescue!

VLANs allow passing Ethernet frames of a separate network over a single wire. Basically, the specification only defines an additional tag (encapsulation) on the frame, and the switch or other networking device on the route decides how to handle the frame (pass it unchanged, strip the header so the network is non-VLAN from this point on, drop it if the given VLAN is not allowed on the corresponding port, ...).

So, let's modify our network setup a little bit. Remember the LAN ports you used for communication between router and AP? Let's start on router:

  • Add a new network, let's say management
    • Set a static IP, e.g. 192.168.3.1
    • Add VLAN 10 to it. Depending on your device, VLANs might be created under the switch tab (mark the port as tagged), or you simply add a custom network device manually, like eth0.10, where eth0 is the LAN port and 10 the VLAN number.
  • Add a firewall zone management and allow forwarding from this zone to all other zones (WLAN, ...)
  • Modify your WLAN network so that VLAN 11 on the same LAN port as before is used

Do the same on the AP, only change the static IP on the management interface to e.g. 192.168.3.2. The WiFi network should work the same as before, but you shouldn't be able to ping the 192.168.3.0/24 addresses; these should be pingable only from inside the OpenWRT devices or from any device in VLAN 10, if you connected anything else there. If you have any switches between the AP and the router, make sure you added VLANs 10 and 11 to the corresponding ports, it won't work otherwise. Hooray, now you have your management and WLAN traffic separated from each other!

Throwing WPA2-EAP into the setup

That was the easy part. Now we need to break the setup and rework the authorization. You have a RADIUS server in your network, right? RADIUS provides the authorization backend for Enterprise WiFi: usually you set up an LDAP server with your user accounts and passwords, connect it to the RADIUS server as the authorization backend, and RADIUS handles all the auth requests from the network devices. There's plenty of how-tos online, just google some setup guide...

First, make sure you have NT-hashed passwords in your LDAP (the ntPassword attribute is set and valid), as EAP uses the NT hashes by default; the usual Linux password in the userPassword attribute won't work here! It's nice to launch the RADIUS server in debug mode so you can see what's going on while debugging the setup (launch with freeradius -X). Also don't forget to add the router and AP IPs to the RADIUS clients so they can access the server!

On both AP and Router:

  • Remove wpad-basic package (opkg remove wpad-basic)
  • Install a full blown wpad with EAP support (opkg install wpad)
  • Switch WiFi network from WPA2-PSK to WPA2-EAP
  • Set up your RADIUS server there: the address of the server and the secret for RADIUS authentication is all that's needed.

Now you can try connecting; it should work out of the box, especially on Windows, just enter your username and password. You should see the authorization request in the RADIUS log (if not, check your RADIUS config) with successful access to the LDAP and authorization of the WiFi connection request.

Updates to 802.11r setup

As WPA2-EAP doesn't have any common passphrase that could be used for generating the encryption keys, you have to do a lot of stuff manually. The most complicated part is the R0 and R1 keys; basically these keys are used when passing a client between devices, and all devices must know each other's keys. The R0 key has the format MAC-address,NAS-Identifier,128-bit key as hex string and the R1 key has the format MAC-address,R1KH-ID as 6 octets with colons,128-bit key as hex string. The 128-bit key can be different for each entry, but it's more convenient to keep it identical; you can generate any value you want, e.g. 7978490411BA8EE4C42858FB9BF0B402. So, let's assume you have a device with a BSSID of 60:A4:B7:1B:B2:FE and the R1KH-ID and NAS-ID are derived from the BSSID. What will the keys be?

  • R0 Key - 60:A4:B7:1B:B2:FE,60A4B71BB2FE,7978490411BA8EE4C42858FB9BF0B402
  • R1 key - 60:A4:B7:1B:B2:FE,60:A4:B7:1B:B2:FE,7978490411BA8EE4C42858FB9BF0B402

You have to create both keys for each device (and for each WiFi network, as the BSSID differs e.g. between the 5 and 2.4 GHz networks) and distribute all these keys between your devices. So on each device, under the WiFi network setup:

  • NAS ID - set it to BSSID of your interface without colons, e.g. 60A4B71BB2FE
  • Mobility domain - choose some 4 digit hex number and set it to all devices, e.g. 12AB
  • R1 Key Holder - Same as NAS ID
  • Add all your R0 and R1 keys
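As an added example (not from the original post), a small shell script that builds the r0kh/r1kh entries in the format above for any list of BSSIDs and prints the uci commands to apply them to one OpenWRT wifi-iface section. The uci option names (ieee80211r, mobility_domain, nasid, r1_key_holder, r0kh, r1kh) are OpenWRT's and are not spelled out in the post; the second BSSID is made up.

```shell
#!/bin/sh
# Added example, not from the post: build the 802.11r r0kh/r1kh entries the
# post describes for every AP BSSID and print the matching uci commands.
# Assumes one shared 128-bit key for all entries; the uci option names are
# those of OpenWRT's /etc/config/wireless, which the post does not spell out.

# NAS-ID and R1KH-ID are the BSSID without colons. Uppercase consistently:
# hostapd matches the R0KH-ID string byte for byte against its peers' nasid.
ft_nasid() { printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F'; }

# A key must be exactly 32 hex digits (128 bits); anything else is a typo.
ft_check_key() {
    case "$1" in
        "" | *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# R0 entry: MAC-address,NAS-Identifier,128-bit key as hex string
ft_r0kh() { printf '%s,%s,%s' "$1" "$(ft_nasid "$1")" "$2"; }

# R1 entry: MAC-address,R1KH-ID as 6 octets with colons,128-bit key as hex
ft_r1kh() { printf '%s,%s,%s' "$1" "$1" "$2"; }

# Print the uci commands for one wifi-iface section: its own BSSID gives the
# nasid and r1_key_holder, then one r0kh and one r1kh entry per AP in the
# mobility domain (the device's own BSSID included).
ft_uci_commands() {
    iface=$1; own=$2; md=$3; key=$4; shift 4
    ft_check_key "$key" || { echo "bad 128-bit key: $key" >&2; return 1; }
    echo "uci set wireless.$iface.ieee80211r='1'"
    echo "uci set wireless.$iface.mobility_domain='$md'"
    echo "uci set wireless.$iface.nasid='$(ft_nasid "$own")'"
    echo "uci set wireless.$iface.r1_key_holder='$(ft_nasid "$own")'"
    echo "uci -q delete wireless.$iface.r0kh"
    echo "uci -q delete wireless.$iface.r1kh"
    for bssid in "$@"; do
        echo "uci add_list wireless.$iface.r0kh='$(ft_r0kh "$bssid" "$key")'"
        echo "uci add_list wireless.$iface.r1kh='$(ft_r1kh "$bssid" "$key")'"
    done
    echo "uci commit wireless"
}

# Constructed sample: the post's BSSID plus a made-up second AP, key from the post.
KEY=7978490411BA8EE4C42858FB9BF0B402
ft_uci_commands default_radio0 60:A4:B7:1B:B2:FE 12AB "$KEY" \
    60:A4:B7:1B:B2:FE 00:11:22:33:44:55
```

Run it once per device and radio, passing that radio's own BSSID as the second argument and the full BSSID list at the end, then review the printed commands before pasting them into the device.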

After applying this setup, you should be good to go, everything should work as it used to with WPA2-PSK, but now with per-user authorization!

Note on certificates

Windows systems tend to be picky about certificates. As WPA2-EAP uses the PEAP method on the RADIUS server and RADIUS uses self-generated certificates by default, it should just work, but if you are using a custom wildcard certificate for the RADIUS server, you might get strange warnings with access denied, expired certificate, etc. Windows just refuses to connect when RADIUS is using a wildcard cert!

I tend to use Let's Encrypt everywhere, but this is not applicable to the eap-tls method on the RADIUS servers, so to use Let's Encrypt (make sure it's not a wildcard certificate!) on FreeRADIUS, you have to modify the config a bit. I'd suggest creating a custom tls-config section for the peap method (used by WPA2-EAP) under /etc/freeradius/3.0/mods-enabled/eap:

    tls-config tls-peap {
        private_key_file = /path/to/privkey.pem
        certificate_file = /path/to/cert.pem
        ca_file = /path/to/fullchain.pem
        dh_file = ${certdir}/dh
        cipher_list = "DEFAULT"
        ecdh_curve = "prime256v1"
        cache {
            enable = yes
            lifetime = 24 # hours
        }

        verify {
        }

        ocsp {
            enable = no
            override_cert_url = yes
            url = "http://127.0.0.1/ocsp/"
        }
    }

In the same file, change tls-default to tls-peap under the peap section, restart the RADIUS server and you are good to go.

Note on android

Android phones (especially after version 11) tend to require a bunch of data beyond the username and password to connect to a WPA2-EAP network:

  • Method: PEAP
  • Phase 2: MSCHAPv2
  • CA Certificates: Use system certificates
  • Domain: your certificate domain
  • Identity: your username
  • Anonymous identity: leave empty
  • Password: your password
