WPA + FreeRadius + OSX

Apple

In a fit of masochism, I decided to secure my Airport Express WLAN via WPA and Radius authentication.

RADIUS authentication lets you manage access to your wireless LAN from a central RADIUS server, making it much more secure than storing authentication info on your wireless access points.

I picked up a pre-compiled OSX package of FreeRadius from <a href=http://carpestellarem.com/Products/StellarRADIUSLite.php">Carpe Stellarem.

There are a few other ways to get FreeRadius, including via Fink package, and by Andreas Wolf’s installer.

Carpe Stellarem also sells a shareware, GUI-based RADIUS configurator app for $19, and I recommend you pay for it. I didn’t, because I am a fool, and because I wanted to learn how to configure RADIUS by hand, and because I am a fool.

I found this page very useful, although it does not explain exactly what I wanted to do.

My installation steps are pretty much as follows:

  • Install FreeRadius.
    • Modify /etc/raddb/clients.conf to have the IP of your Access Point, and a “shared secret”.
      client 192.168.1.50 {
      secret = testing123
      shortname = wifi
      nastype = other
      }

      • Add a user to /etc/raddb/users. Username should be the WiFi NIC’s MAC address, and the password should be the same [this is the only way it’d work for me.]
        0001020a0b0c Auth-Type := Local, User-Password == “0001020a0b0c”
        Reply-Message = “Hello, %u”

        • Configure your WAP [in my case, the Airport Extreme] to talk to the RADIUS server, using the “shared secret” you listed above.
          • Start the RADIUS daemon in debug mode: /usr/local/sbin/radiusd -X

            • Try to connect, and cross your fingers. Pay very close attention to error messages; if you have problems, RADIUS will usually tell you exactly where you screwed up.

If you’ve done everything right, your client machine [laptop] will hop right onto your WLAN, with no fuss. The whole authentication mechanism takes place behind the scenes. If it does prompt you for a password, you’ve probably done something wrong in your users.conf file, so check it first.

Once you’ve proven that everything works, you’ll need to fiddle with making radiusd start on boot. For this to happen, it’ll have to be able to run “daemonized” — via /usr/local/sbin/radiusd .

I got stuck at this part; radiusd “reads configuration files”, then dies. The minimal [and rude] info I’ve found via searches indicates that /etc/raddb/radiusd.conf should have both ‘user=’ and ‘group=’ set to a user and group that have read/write permission to the RADIUS files and directories. However, even setting these to root/wheel didn’t fix the problem. If I find anything out, I’ll post the fix here. (I do wonder if it is a problem with the precompiled version of FreeRadius that I used.)