Setting up a WPA2 Enterprise Test Environment with Raspberry Pi
Required Gear
- Raspberry Pi 2/3 for the RADIUS server
- Ethernet cable
- Wireless Access Point (WAP) that supports WPA2 Enterprise mode and can be pointed at an external RADIUS server for authentication
Setup
- Download RASPBIAN JESSIE WITH PIXEL
- Unzip it and write the image to an SD card with the appropriate tool (the ApplePi-Baker app on Mac)
- Boot up the Pi with the newly created SD card
- WAP should be in WPA2 Personal mode for initial configuration
The following steps need an HDMI display, keyboard and mouse connected to the RasPi:
- Connect to the WAP over Wi-Fi (optional)
- Change the resolution to 1280x720 (optional)
- Rename the host to radiusserver so it is easy to recognize in the Access Point's client list (optional)
- Change the keyboard layout to US (optional)
- Enable SSH (required)
Plug the RasPi into the WAP with an ethernet cable (required)
- Once the WAP is switched to WPA2 Enterprise, a Pi joined over Wi-Fi would have to authenticate against the RADIUS server it is itself hosting; the wired link removes that catch-22.
Plug your host computer into the WAP with an ethernet cable as well, so you don't lose your connection to it during configuration (required)
- Log into the WAP (typically 192.168.1.1 or 10.0.0.1)
- Find the list of clients and grab the IP address of the device "radiusserver", then:
    ssh pi@<ip_address>
- Set a password for root:
    sudo passwd root
- In /etc/ssh/sshd_config, change PermitRootLogin without-password to PermitRootLogin yes:
    sudo nano /etc/ssh/sshd_config
  (Password login for root over SSH is a lab convenience only; every command below also works from the pi account with sudo if you prefer to leave it off.)
- Reboot the Pi and log in as root, which makes the remaining commands easier:
    ssh root@<ip_address>
- If you have previously ssh'd into this address and get a host key error, you may need to remove the stale entry:
    ssh-keygen -R <ip_address>
- Install freeradius:
    apt-get install freeradius -y
- Edit the clients.conf file:
    nano /etc/freeradius/clients.conf
  Add the following at the bottom and save with Ctrl+X, then Y, then Enter:
    client 0.0.0.0/0 {
        secret = "particle"
        nastype = other
    }
  Note that 0.0.0.0/0 accepts RADIUS traffic from any address that knows the secret. That is acceptable for an isolated lab; anywhere else, replace it with the WAP's IP address and use a long random secret, since the shared secret is all that authenticates the Access Point to the server.
- Make a directory for the new certificate files on the RasPi:
    mkdir /etc/freeradius/certs2
- Edit the eap.conf file:
    nano /etc/freeradius/eap.conf
  Page down twice with Ctrl+V to reach the tls section. Add certdir2 and cadir2 next to the existing certdir and cadir lines, as shown:
    certdir = ${confdir}/certs
    certdir2 = ${confdir}/certs2
    cadir = ${confdir}/certs
    cadir2 = ${confdir}/certs2
  Then modify these variables as shown:
    private_key_file = ${certdir2}/server.key
    certificate_file = ${certdir2}/server.crt
    CA_file = ${cadir2}/ca.crt
  The same section also sets private_key_password. It is ignored for an unencrypted server.key, but if your key is encrypted the value must match, or freeradius -X will fail while loading the key at start-up.
- Copy certificate files
  - Download the files from this GitHub repo to your local machine: https://github.com/avtolstoy/particle-wpa-enterprise-docker
  - In a terminal, navigate to this directory:
    cd particle-wpa-enterprise-docker/files/etc/freeradius/certs/
  - Finally, copy the files:
    scp -rv * root@<ip_address>:/etc/freeradius/certs2
  These certificates and private keys are published in a public repository, so anyone can obtain them. They are fine for a throwaway lab, but for a network you care about generate your own CA and certificates and keep the keys private.
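The files above come ready-made from the repository. As an added example that is not part of the original tutorial or of that repository, the following POSIX shell script generates an equivalent private lab PKI with openssl (a CA named lab-ca, a server certificate for radiusserver and a client certificate client1; the names and lifetimes are assumptions) and then runs the checks worth applying to any set of files before they go into certs2, the downloaded ones included: chain validity against ca.crt, key/certificate match, expiry, and key file permissions.

```shell
#!/bin/sh
# Added example, not from the tutorial or the linked repo. Generates a lab PKI
# with openssl and checks it the way any EAP certificate set should be checked
# before being copied to /etc/freeradius/certs2. Names (lab-ca, radiusserver,
# client1) and lifetimes are assumptions for the lab.
set -u

# make_lab_pki DIR: creates ca.crt/ca.key, server.crt/server.key, client1.crt/client1.key
make_lab_pki() {
    dir="$1"
    mkdir -p "$dir" || return 1
    # Minimal openssl config so the CA is marked CA:TRUE whatever openssl.cnf is installed
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ca\n[dn]\n[ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > "$dir/ca.cnf"
    # Leaf extensions: serverAuth is what supplicants check on the RADIUS server cert,
    # clientAuth is what the server checks on an EAP-TLS client cert
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\n' > "$dir/server.ext"
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' > "$dir/client1.ext"
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj '/CN=lab-ca' -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    for name in server client1; do
        cn="$name"; [ "$name" = server ] && cn=radiusserver
        openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=$cn" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -sha256 -days 825 -extfile "$dir/$name.ext" \
            -out "$dir/$name.crt" 2>/dev/null || return 1
    done
    chmod 600 "$dir"/*.key || return 1
    rm -f "$dir"/*.csr "$dir"/*.ext "$dir"/*.cnf "$dir"/*.srl
}

# check_eap_certs DIR: the checks to run on any ca.crt/server.*/client1.* before use
check_eap_certs() {
    dir="$1"
    # 1. Both leaf certs chain to ca.crt, which is what the Photon validates
    for name in server client1; do
        openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
    done
    # 2. Each private key matches its certificate; a mismatch makes freeradius -X
    #    fail while loading the TLS configuration
    for name in server client1; do
        mod=$(openssl x509 -noout -modulus -in "$dir/$name.crt" 2>/dev/null) || return 1
        [ -n "$mod" ] && [ "$mod" = "$(openssl rsa -noout -modulus -in "$dir/$name.key" 2>/dev/null)" ] || return 1
    done
    # 3. Nothing expires within 30 days (2592000 s); the linked repo's files date from 2017
    for name in ca server client1; do
        openssl x509 -noout -checkend 2592000 -in "$dir/$name.crt" >/dev/null 2>&1 || return 1
    done
    # 4. Keys readable only by their owner: whoever holds client1.key can join as client1
    for name in ca server client1; do
        [ -e "$dir/$name.key" ] || continue
        mode=$(stat -c '%a' "$dir/$name.key" 2>/dev/null || stat -f '%Lp' "$dir/$name.key")
        [ "$mode" = 600 ] || return 1
    done
}

# Usage on the workstation, then copy as the tutorial does:
#   make_lab_pki ./lab-certs && check_eap_certs ./lab-certs && echo OK
#   scp -r ./lab-certs/* root@<ip_address>:/etc/freeradius/certs2
```

check_eap_certs works unchanged on the directory cloned from the repository, since it uses the same file names (ca.crt, server.crt, server.key, client1.crt, client1.key) that the later steps reference; the CA key check is skipped when ca.key is not present.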
- Edit the users file:
    nano /etc/freeradius/users
  Add the following at the bottom and save with Ctrl+X, then Y, then Enter:
    particle Cleartext-Password := "particle2017"
- Restart freeradius in debugging mode so we can see what's going on:
    service freeradius stop
    /usr/sbin/freeradius -X
  This runs the server in the foreground of this SSH session, so leave it open while you test. Once everything works, stop it with Ctrl+C and start it again as a service.
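Added example, not part of the tutorial: the three configuration edits above as a repeatable POSIX shell script, so they can be re-run on a fresh Pi and checked, plus a radtest smoke test to run before the WAP is switched over. It assumes the FreeRADIUS 2.x file layout that Raspbian Jessie installs (/etc/freeradius/clients.conf, eap.conf and users), writes the certs2 path directly rather than adding the certdir2/cadir2 variables the manual steps use, and narrows the client entry to the WAP's subnet (192.168.1.0/24 is an assumed value) instead of 0.0.0.0/0. The secret and credentials are the tutorial's lab values.

```shell
#!/bin/sh
# Added example, not from the tutorial: scripted, idempotent versions of the
# clients.conf, eap.conf and users edits, plus a radtest smoke test.
# Assumes the FreeRADIUS 2.x layout Raspbian Jessie ships; the subnet, secret
# and credentials used in the usage notes are lab placeholders.
set -u

CERTS2='${confdir}/certs2'   # a FreeRADIUS variable reference, kept literal for the shell

# add_radius_client CONF CIDR SECRET: append a client block once. The tutorial's
# 0.0.0.0/0 lets any host that can reach UDP/1812 try the secret; use the WAP's
# subnet (or its single address) instead.
add_radius_client() {
    conf="$1"; cidr="$2"; secret="$3"
    grep -qF "client $cidr {" "$conf" && return 0
    printf 'client %s {\n\tsecret = "%s"\n\tnastype = other\n}\n' "$cidr" "$secret" >> "$conf"
}

# point_eap_at_certs CONF DIR: rewrite the three uncommented tls paths in eap.conf
point_eap_at_certs() {
    conf="$1"; dir="$2"
    sed -e "s|^\([[:space:]]*\)private_key_file[[:space:]]*=.*|\1private_key_file = $dir/server.key|" \
        -e "s|^\([[:space:]]*\)certificate_file[[:space:]]*=.*|\1certificate_file = $dir/server.crt|" \
        -e "s|^\([[:space:]]*\)CA_file[[:space:]]*=.*|\1CA_file = $dir/ca.crt|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# eap_value CONF KEY: print the value of the first uncommented KEY line (for checking)
eap_value() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

# add_user CONF NAME PASSWORD: append a Cleartext-Password entry once
add_user() {
    conf="$1"; name="$2"; pass="$3"
    grep -qE "^$name[[:space:]]+Cleartext-Password" "$conf" && return 0
    printf '%s\tCleartext-Password := "%s"\n' "$name" "$pass" >> "$conf"
}

# radius_smoke_test SERVER SECRET NAME PASSWORD: a PAP Access-Request with radtest
# (package freeradius-utils), exercising the same secret and users entry the WAP will
# use. Run it from the host computer on the WAP's LAN so it matches the client block
# above rather than the default localhost client. Succeeds only on an Access-Accept.
radius_smoke_test() {
    radtest "$3" "$4" "$1" 0 "$2" | grep -q 'Access-Accept'
}

# Usage on the Pi as root, after the certificates are in /etc/freeradius/certs2:
#   add_radius_client /etc/freeradius/clients.conf 192.168.1.0/24 particle
#   point_eap_at_certs /etc/freeradius/eap.conf "$CERTS2"
#   add_user /etc/freeradius/users particle particle2017
#   service freeradius stop && /usr/sbin/freeradius -X
# Then, from the host computer (replace the address with the Pi's):
#   radius_smoke_test 192.168.1.50 particle particle particle2017 && echo OK
```

The smoke test only covers PAP against the users entry and the shared secret; the EAP and certificate side is exercised the first time the Photon connects, which is why freeradius -X is left running in the foreground.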
Now let's switch the WAP to use WPA2 Enterprise
- Switch the Wireless Authentication Type to WPA2 Enterprise (apply)
- Under the RADIUS Settings configuration:
  - Server IP Address: the IP address of radiusserver (our RasPi)
  - Server Port: 1812
  - Connection Secret: particle
Setup the Photon/P1
- Connect via USB cable
- Enter Listening Mode (hold the SETUP button until the LED blinks blue)
- Connect via serial (screen /dev/cu.usbmodemXXXX on Mac, or Tera Term VT on Windows)
- Press w to start Wi-Fi credential entry
Example PEAP/MSCHAPv2 LOGIN / PASSWORD based setup (NOT SECURE!)
Note: This is the easiest way to get a connection, but be warned that it is not secure. Without a Root CA the device has no way to verify which RADIUS server is terminating the PEAP tunnel, so a rogue access point advertising the same SSID can complete the tunnel itself, collect the MSCHAPv2 challenge/response and crack the password offline. Use certificates to ensure maximum security.
    SSID: <WAP_SSID> <ENTER>
    EAP Type 0=PEAP/MSCHAPv2, 1=EAP-TLS: 0 <ENTER>
    Username: particle <ENTER>
    Password: particle2017 <ENTER>
    Outer identity (optional): <ENTER>
    Root CA in PEM format (optional): <ENTER>
Example PEAP/MSCHAPv2 LOGIN / PASSWORD with Root CA based setup (SECURE!)
With ca.crt pasted in, the device only completes the PEAP tunnel with a server whose certificate was issued by that CA, so the password is only sent to your own RADIUS server (as long as the CA's private key stays private). The username and password are still a reusable secret, so keep them out of public repositories and distributed firmware.
    SSID: <WAP_SSID> <ENTER>
    EAP Type 0=PEAP/MSCHAPv2, 1=EAP-TLS: 0 <ENTER>
    Username: particle <ENTER>
    Password: particle2017 <ENTER>
    Outer identity (optional): <ENTER>
    Root CA in PEM format (optional): <copy/paste in file ca.crt> <ENTER>
    -----BEGIN CERTIFICATE-----
    MIIFlDCCA3ygAwIBAgIJAI01a4ML65mlMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
    ...
    -----END CERTIFICATE-----
Example EAP-TLS with Client Cert., Client Key and Root CA based setup (SECURE!!!)
Here the device authenticates with its own certificate and key, so there is no password to phish or crack. The private key is the credential: it should be unique per device rather than a shared client1.key, and it should never be a key published in a public repository.
    SSID: <WAP_SSID> <ENTER>
    EAP Type 0=PEAP/MSCHAPv2, 1=EAP-TLS: 1 <ENTER>
    Client certificate in PEM format: <copy/paste in file client1.crt>
    -----BEGIN CERTIFICATE-----
    MIIE3DCCAsSgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwVzELMAkGA1UEBhMCVVMx
    ...
    -----END CERTIFICATE-----
    Private key in PEM format: <copy/paste in file client1.key>
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEAy42H10w6nntp+Ti7Ts/czel8Gw4mz8Mh3N0R/sapRNLyznom
    ...
    -----END RSA PRIVATE KEY-----
    Outer identity (optional): <ENTER>
    Root CA in PEM format (optional): <copy/paste in file ca.crt>
    -----BEGIN CERTIFICATE-----
    MIIFlDCCA3ygAwIBAgIJAI01a4ML65mlMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
    ...
    -----END CERTIFICATE-----
OUTPUT in all cases
    Thanks! Wait while I save those credentials...
    Awesome. Now we'll connect!
    If you see a pulsing cyan light, your device has connected to the Cloud and is ready to go!
    If your LED flashes red or you encounter any other problems, visit https://www.particle.io/support to debug.
    Particle <3 you!
- If you are still SSH'd into your RasPi, you should see activity from the freeradius -X process (the EAP exchange ending in an Access-Accept), and your device should have an internet connection.
- If you don't see any activity, the request never reached the server: check the RADIUS server IP address and port configured in the WAP and that the Pi's address has not changed, then try rebooting your RasPi.