Logo Light

Network

Web Apps

System

Cloud

Cryptography

IoT

Exercise 40: Setting Up a RADIUS Server for Secure Authentication

by | Apr 10, 2025 | 0 comments

Objective

Configure and test a RADIUS server for centralized authentication using FreeRADIUS. Authenticate Wi-Fi users through RADIUS and explore the benefits of centralized user management and enhanced security.

Scenario

An organization wants to secure its wireless network using centralized authentication. In this exercise, you’ll set up a FreeRADIUS server on Linux, configure it to authenticate Wi-Fi users, and verify secure authentication from a client device. You’ll also explore how RADIUS enhances network security and user management.

⚠️ Important: Perform this exercise in a legal and controlled environment. Unauthorized use of authentication services is illegal and unethical.

Lab Instructions

Step 1: Install FreeRADIUS

a. Install FreeRADIUS Server

sudo apt update
sudo apt install freeradius freeradius-utils -y

b. Verify Installation

sudo systemctl status freeradius
  • Ensure the service is running.

Step 2: Configure FreeRADIUS for Authentication

a. Create a Test User

  • Edit the user authentication file:
sudo nano /etc/freeradius/3.0/users
  • Add a test user:
wifiuser Cleartext-Password := "securepassword"

b. Configure Clients (Wi-Fi Access Point)

  • Edit the client configuration file:
sudo nano /etc/freeradius/3.0/clients.conf
  • Add the Wi-Fi Access Point as a RADIUS client:
client wifi-router {
    ipaddr = 192.168.1.1
    secret = sharedsecret
}
  • Explanation:
    • ipaddr: The IP of the Wi-Fi router.
    • secret: The shared secret between the RADIUS server and the router.

c. Restart FreeRADIUS

sudo systemctl restart freeradius

Step 3: Configure the Wi-Fi Access Point

  1. Access the router’s admin panel.
  2. Navigate to Wireless SettingsSecurity Settings.
  3. Select WPA2-Enterprise or WPA3-Enterprise as the security mode.
  4. Enter the RADIUS server details:
    • RADIUS Server IP: 192.168.1.100
    • Port: 1812
    • Shared Secret: sharedsecret
  5. Save the configuration.

Step 4: Test RADIUS Authentication

a. Connect from a Client Device

  1. Connect to the Wi-Fi network using the SSID.
  2. Enter the credentials:
    • Username: wifiuser
    • Password: securepassword

b. Monitor Authentication Logs

  • On the RADIUS server, check logs:
sudo tail -f /var/log/freeradius/radius.log
  • Expected Result: Successful authentication entry for wifiuser.

Step 5: Discuss Advantages of RADIUS

  1. Centralized Authentication: Manage all user credentials from a single server.
  2. Scalability: Easily scale user management across multiple devices and locations.
  3. Enhanced Security: Uses EAP protocols for secure authentication.
  4. Access Control: Define specific access policies per user or device.
  5. Accountability: Logs all authentication attempts for auditing.

Solution & Explanation

What is RADIUS?

  • Remote Authentication Dial-In User Service (RADIUS) is a protocol for centralized user authentication, authorization, and accounting (AAA).

How RADIUS Enhances Security

  • Encrypted Communication: Uses shared secrets and secure protocols.
  • Centralized Control: Simplifies user management.
  • Access Policies: Custom access control rules for users/devices.

RADIUS Workflow

  1. User Authentication: A user attempts to connect to the network.
  2. Access Point Requests Authentication: Forwards credentials to the RADIUS server.
  3. RADIUS Validates Credentials: Grants or denies access based on the response.

Testing & Verification

  1. Successful Connection: Verify the client connects after correct credentials.
  2. Log Analysis: Confirm authentication logs reflect access attempts.
  3. Invalid Credentials: Attempt login with incorrect details and verify access is denied.

Verify RADIUS Status

sudo freeradius -X

Security Best Practices

  1. Strong Shared Secrets: Use complex shared secrets between the server and clients.
  2. Secure Protocols: Implement WPA2/WPA3-Enterprise with EAP-TLS for stronger encryption.
  3. Regular Log Monitoring: Continuously monitor logs for unauthorized access attempts.
  4. Firewall Rules: Restrict RADIUS communication to trusted devices only.
  5. Regular Updates: Keep FreeRADIUS and system packages updated.

Additional Script (Optional)

Automate FreeRADIUS setup:

#!/bin/bash
# FreeRADIUS Installation and Configuration Script
sudo apt update
sudo apt install freeradius freeradius-utils -y
sudo bash -c 'echo "wifiuser Cleartext-Password := \"securepassword\"" >> /etc/freeradius/3.0/users'
sudo bash -c 'echo "client wifi-router {\n    ipaddr = 192.168.1.1\n    secret = sharedsecret\n}" >> /etc/freeradius/3.0/clients.conf'
sudo systemctl restart freeradius

Run the script:

chmod +x setup_freeradius.sh
sudo ./setup_freeradius.sh

Conclusion

In this exercise, you successfully installed and configured FreeRADIUS to provide secure authentication for Wi-Fi users. By centralizing authentication, RADIUS enhances network security and simplifies user management. Understanding and implementing RADIUS is vital for protecting network access and maintaining control over user permissions.

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *