How to Configure FreeRADIUS with LDAP Authentication for WPA2-Enterprise on Ubuntu Server



When implementing enterprise WiFi authentication, the Ubuntu package repository's FreeRADIUS version (2.1.12) has a critical limitation - it's compiled without OpenSSL support. This breaks essential EAP methods:

Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.

The solution involves compiling FreeRADIUS from source with proper EAP support. Here's the streamlined process:

# Install build dependencies
sudo apt-get build-dep freeradius
sudo apt-get install libssl-dev libkrb5-dev libldap2-dev

# Get source
apt-get source freeradius
cd freeradius-2.1.12+dfsg

# Configure with EAP support
./configure --with-openssl --with-eap-tls --with-eap-ttls --with-eap-peap \
            --with-eap-md5 --with-eap-mschapv2 --with-eap-fast

After successful compilation, configure /etc/freeradius/modules/ldap:

ldap {
    server = "ldap.yourdomain.com"
    identity = "cn=admin,dc=yourdomain,dc=com"
    password = your_ldap_password
    basedn = "ou=users,dc=yourdomain,dc=com"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

    # For WPA2-Enterprise: the user entry must carry dialupAccess (any value other than FALSE)
    access_attr = "dialupAccess"
    dictionary_mapping = ${confdir}/ldap.attrmap

    # Samba password compatibility. rlm_ldap in 2.1.x has no update {} block and no
    # samba_* options; the LDAP-attribute to RADIUS-attribute mapping lives in
    # ldap.attrmap, which must contain these checkItem lines:
    #   checkItem  User-Password  userPassword
    #   checkItem  NT-Password    sambaNTPassword
    #   checkItem  LM-Password    sambaLMPassword
    password_attribute = userPassword
}
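
The filter line above is where the user's name meets the directory. FreeRADIUS expands it in two steps: Stripped-User-Name (set by the realm or ntdomain modules when the login looks like user@realm or DOMAIN\user) is preferred, User-Name is the fallback, and the value is escaped before it is spliced into the search filter. The following Python is an added example, not code from the original page or from FreeRADIUS; it approximates that expansion so the result can be checked offline, and the realm-stripping rules are a simplification of what the realm modules do.

```python
from typing import Optional

# RFC 4515 escaping for values embedded in an LDAP search filter. rlm_ldap
# applies the same kind of escaping when it expands %{User-Name} in `filter`,
# which is what keeps a crafted login name from changing the filter's meaning.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def strip_user_name(user_name: str) -> Optional[str]:
    """Simplified stand-in for what produces Stripped-User-Name:
    drop a 'DOMAIN\\' prefix (the case with_ntdomain_hack is for) or an
    '@realm' suffix. Returns None when nothing was stripped, mirroring an
    attribute that was never set."""
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    if "@" in user_name:
        return user_name.rsplit("@", 1)[0]
    return None


def build_filter(user_name: str) -> str:
    """Expand "(uid=%{%{Stripped-User-Name}:-%{User-Name}})": prefer
    Stripped-User-Name, fall back to User-Name, escape, then splice."""
    stripped = strip_user_name(user_name)
    value = stripped if stripped is not None else user_name
    return f"(uid={ldap_escape(value)})"


if __name__ == "__main__":
    for login in ("alice", "CORP\\bob", "carol@example.com", "a*b"):
        print(f"{login!r:22} -> {build_filter(login)}")
```

Running it shows that `CORP\bob` and `carol@example.com` both search for their bare uid, which is why the directory entries only need the short name, and that metacharacters in a login name end up as escaped sequences rather than filter syntax.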

Generate or obtain certificates for EAP-TLS/TTLS/PEAP:

# Create CA
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.pem

# Server certificate
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.crt -days 3650

When testing, watch for these key indicators in the radius debug logs:

rlm_ldap: sambaNTPassword -> NT-Password == 0x444134343138374543...
rlm_ldap: sambaLMPassword -> LM-Password == 0x43463344364638413932...
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding

Key troubleshooting commands:

# Test authentication
radtest testuser password localhost 0 testing123

# Continuous monitoring
tail -f /var/log/freeradius/radius.log

For HP enterprise APs, ensure these RADIUS settings (the shared secret must match the client entry for the AP in FreeRADIUS's clients.conf; testing123 is only the default for the localhost test client):

RADIUS Server IP: [your server IP]
RADIUS Shared Secret: testing123
RADIUS Auth Port: 1812
RADIUS Accounting Port: 1813
EAP Type: PEAPv0/MSCHAPv2

Setting up enterprise-grade WiFi authentication requires careful integration between RADIUS and directory services. The Ubuntu repository version of FreeRADIUS (2.x) presents a significant limitation - it lacks OpenSSL support out of the box, making secure EAP methods like PEAP and TTLS unavailable.

First, we need to compile FreeRADIUS with proper SSL support. Here's the modified build process based on Debian packaging:

sudo apt-get build-dep freeradius
apt-get source freeradius
cd freeradius-2.1.12+dfsg
./configure --with-openssl --with-openssl-lib-dir=/usr/lib/ssl
# dpkg-buildpackage re-runs ./configure through debian/rules, so the
# --with-openssl flag must also be added to the configure line there
dpkg-buildpackage -rfakeroot -uc -b
sudo dpkg -i ../freeradius_*.deb

The critical part is configuring FreeRADIUS to authenticate against LDAP while handling both modern and legacy password hashes. Here's a working /etc/freeradius/modules/ldap configuration:

ldap {
    server = "ldap://your.ldap.server"
    identity = "cn=admin,dc=domain,dc=com"
    password = your_ldap_password
    basedn = "ou=users,dc=domain,dc=com"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

    # Cleartext or {SSHA} hashes come from userPassword; the NT and LM hashes
    # are mapped through ldap.attrmap (checkItem NT-Password sambaNTPassword,
    # checkItem LM-Password sambaLMPassword), since 2.1.x has no samba_* options
    password_attribute = userPassword
    dictionary_mapping = ${confdir}/ldap.attrmap

    access_attr = "dialupAccess"
    set_auth_type = yes
}

For WPA2 Enterprise, we need proper EAP setup in /etc/freeradius/eap.conf:

eap {
    default_eap_type = peap
    timer_expire = 60

    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }

    tls {
        # ${certdir} must be defined before it is used below
        certdir = ${confdir}/certs
        private_key_password = your_password
        private_key_file = ${certdir}/server.key
        # the signed server certificate (server.crt from the openssl steps above, renamed)
        certificate_file = ${certdir}/server.pem
        # generate with: openssl dhparam -out dh 2048
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
    }

    mschapv2 {
        with_ntdomain_hack = yes
    }
}

When testing with radtest, you might encounter password mismatch issues. The usual cause is an LDAP entry that lacks the password attributes the chosen authentication method needs, so test and watch the log at the same time:

# To test authentication
radtest testuser password localhost 0 testing123

# For debugging
tail -f /var/log/freeradius/radius.log

Common issues include:

  • Mismatched password hashes between LDAP attributes
  • Incorrect certificate paths in EAP configuration
  • Missing LDAP schema attributes for Samba passwords
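
The debug lines earlier (sambaNTPassword -> NT-Password followed by "[pap] Normalizing NT-Password from hex encoding") and the first and third common issues above describe the same thing from two sides: PEAP/MSCHAPv2 can only succeed if the entry carries a 32-hex-digit NT hash that actually corresponds to the password the user types. The Python below is an added example, not code from the original page or from FreeRADIUS or Samba; it computes the sambaNTPassword value for a known test password and checks a directory entry for the attributes the ldap configuration above depends on. The sample entries are constructed, and the MD4 routine is included only because hashlib cannot always provide MD4 on systems with OpenSSL 3.

```python
import re
import struct
from typing import Dict, List

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), present because hashlib.new('md4') fails
    where OpenSSL 3 keeps MD4 in the legacy provider."""
    def rotl(x: int, s: int) -> int:
        return ((x << s) | (x >> (32 - s))) & MASK

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: words in order
            a = rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: words taken column-wise
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """The value Samba stores in sambaNTPassword: MD4 over the UTF-16LE password
    as 32 upper-case hex digits. MSCHAPv2 needs exactly this as NT-Password,
    which is what the "Normalizing NT-Password from hex encoding" line is about."""
    return md4(password.encode("utf-16-le")).hex().upper()


def check_entry(entry: Dict[str, str], test_password: str) -> List[str]:
    """Report everything that would stop this entry from authenticating."""
    problems: List[str] = []
    # access_attr = "dialupAccess": the attribute must exist and must not be FALSE
    if entry.get("dialupAccess", "FALSE").upper() == "FALSE":
        problems.append("dialupAccess missing or FALSE: access_attr check rejects the user")
    nt = entry.get("sambaNTPassword")
    if nt is None:
        problems.append("sambaNTPassword missing: PEAP/MSCHAPv2 has no NT-Password to verify")
    elif not re.fullmatch(r"[0-9A-Fa-f]{32}", nt):
        problems.append("sambaNTPassword is not 32 hex digits: it cannot be normalized from hex")
    elif nt.upper() != nt_hash(test_password):
        problems.append("sambaNTPassword does not match the test password: stale or mismatched hash")
    if "userPassword" not in entry:
        problems.append("userPassword missing: PAP (radtest, TTLS/PAP) has nothing to check against")
    return problems


# Constructed sample entries, not real directory data
GOOD_ENTRY = {
    "uid": "testuser",
    "dialupAccess": "TRUE",
    "userPassword": "{SSHA}placeholder-base64-hash",
    "sambaNTPassword": nt_hash("password"),
}
STALE_ENTRY = {  # password changed in userPassword only; the Samba hash was never updated
    "uid": "testuser",
    "userPassword": "{SSHA}placeholder-base64-hash",
    "sambaNTPassword": nt_hash("old-password"),
}

if __name__ == "__main__":
    for name, entry in (("good", GOOD_ENTRY), ("stale", STALE_ENTRY)):
        print(name, check_entry(entry, "password") or "ok")
```

The stale entry is the classic radtest failure: userPassword was changed through a tool that knows nothing about the Samba schema, so PAP (and radtest) accept the new password while PEAP/MSCHAPv2, which only ever sees the NT hash, keeps rejecting it. Running the check against the entry of the test user with the password you hand to radtest tells you which of the two is out of date before you start chasing certificate paths.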

For HP access points, the RADIUS configuration typically requires:

  • Primary RADIUS server IP and port (1812)
  • Shared secret matching your FreeRADIUS clients configuration
  • EAP method set to PEAP or TTLS
  • Optional secondary RADIUS server for redundancy