How to Set Up WPA Enterprise (EAP-TTLS-PAP) authentication

In this tutorial, we will guide you through setting up WPA Enterprise (EAP-TTLS-PAP) authentication for WiFi networks using OpenWISP. The RADIUS capabilities of OpenWISP integrate with FreeRADIUS so that users can authenticate with their Django user accounts. Users can be created manually via the admin interface, generated, or imported from CSV.

Pre-requisites for following this tutorial

Enable OpenWISP RADIUS

Note

You don’t need to do anything if you are following this tutorial on the OpenWISP Demo System. OpenWISP RADIUS is already enabled on the OpenWISP Demo System.

Your OpenWISP installation should have the RADIUS module enabled. If not, you can follow the steps at Enabling the RADIUS module in the OpenWISP 22.05 ansible role documentation.

Firmware Requirements

In order to use WPA Enterprise authentication, your firmware needs to be equipped with a version of the wpad package which supports WPA Enterprise (802.1X/EAP) authentication: the full wpad package does, while the wpad-basic and wpad-mini variants shipped in many default images do not.

Please refer to the OpenWrt WPA encryption documentation for more information.

This tutorial uses OpenVPN for the VPN tunnel. Ensure that the openvpn package is installed on your OpenWrt device.

Note

The OpenWrt firmware image provided for the OpenWISP Demo System includes openvpn and the full wpad package by default.

One Radio Available

We require at least one radio named radio0 to be available and enabled in order to complete this tutorial.

For simplicity, we will focus on a single radio, but it’s important to note that the WPA Enterprise functionality can be extended to multiple radios if necessary.

Alternatively, you have the option of using WPA Enterprise encryption on one radio while the other radios use different encryption methods.

However, these additional scenarios are not explained in this tutorial and are left as an exercise for the reader.

VPN Tunnel

We recommend setting up a VPN tunnel to secure RADIUS communication between OpenWrt devices and the FreeRADIUS server. RADIUS itself only protects its traffic with an MD5-based scheme keyed by the shared secret, which is weak by today’s standards: user names and accounting records travel in clear text, passwords of non-EAP methods are merely obfuscated with that secret, and so are the session keys the server hands to the access point after a successful EAP exchange. You can use OpenWISP to automate provisioning of OpenVPN tunnels; just follow the steps in the OpenVPN tunnel Automation section.

Note

If you are following this tutorial on our Demo System, the Management VPN (OpenVPN) template will be applied on your device by default. If not, you need to enable that template on your device. Otherwise, your device won’t connect to the FreeRADIUS server.

../_images/enable-openvpn-template.png

Configuring FreeRADIUS for WPA Enterprise

Note

You don’t need to do anything if you are following this tutorial on our Demo System. The FreeRADIUS site is already configured on the OpenWISP Demo System.

Before we go ahead with making changes to the FreeRADIUS configuration, we need to gather the following information:

  • Organization’s UUID

  • Organization’s RADIUS token

From the OpenWISP navigation menu, go to Users & Organizations and then Organizations, from here click on the desired organization.

../_images/navigating-to-organization.png

From the organization’s page, we need to find the organization’s UUID and RADIUS token.

../_images/organization-uuid.png ../_images/organization-radius-token.png

This is a good point to decide whether to use self-signed certificates or public certificates issued by a trusted Certificate Authority (CA). Both options have their pros and cons, and the choice largely depends on your specific requirements and constraints.

Self-Signed Certificates

Pros:

  • Generated locally without involving a third-party CA.

  • Trust is anchored in a CA that you control: a client configured to trust only that CA will reject the certificate of a rogue access point, whichever public CA issued it.

Cons:

  • Requires distributing the CA certificate to all client devices and configuring the supplicant to trust it.

Public Certificates

Pros:

  • Issued by trusted CAs that are already in the trust store of most devices, so it works out of the box.

Cons:

  • Higher risk of compromise: any certificate issued by a public CA is trusted by such clients, so a rogue access point presenting a valid certificate for another name is only rejected if the client also verifies the server name (the Domain setting below); clients that skip that check can be lured into disclosing their credentials.

  • Cumbersome to set up: the certificate must be renewed periodically before it expires, and the server name must be provisioned on every client.

We recommend using the ansible-openwisp2 role, which simplifies configuring FreeRADIUS for WPA Enterprise. Please refer to the “Configuring FreeRADIUS for WPA Enterprise (EAP-TTLS-PAP)” section in the ansible-openwisp2 documentation for details.

If you still prefer to configure the FreeRADIUS site manually, you can refer to the “Freeradius Setup for WPA Enterprise (EAP-TTLS-PAP) authentication” section of the OpenWISP RADIUS documentation.

Creating the NAS

Note

You can skip this step if you are following this tutorial on our Demo System. The NAS has been already configured on the Demo System.

From the OpenWISP navigation menu, go to RADIUS and then NAS, from here click on Add NAS.

../_images/navigating-to-nas.png

Fill in the organization, short name and secret, and set the type to “Wireless - IEEE 802.11”. In the name field, enter the IP address of the NAS. Since every device acts as a NAS in our scenario, we specify the subnet of the VPN in CIDR notation (for example 10.8.0.0/24 when the VPN server is 10.8.0.1, as in the template below). This allows FreeRADIUS to accept RADIUS traffic from all the devices; it also means that every host on the VPN shares the same secret, so keep the VPN restricted to managed devices.

../_images/create-nas.png

Warning

Creating or modifying a NAS in OpenWISP requires a restart of the FreeRADIUS server. Otherwise, the changes won’t take effect.

We will need the NAS’s secret in the next step, while creating the template.

Creating the Template

Note

This template is also available in our Demo System as WPA Enterprise (EAP-TTLS), feel free to try it out!

From the OpenWISP navigation menu, go to Configurations and then Templates, from here click on Add template.

../_images/create-template.png

Fill in name, organization, leave type set to “Generic”, backend set to “OpenWrt”. Scroll down to the Configuration variables section, then click on “Toggle Raw JSON Editing”.

../_images/config-variables-raw-json.png

Paste the following JSON in the Raw JSON Editing field.

{
    "mac_address": "00:00:00:00:00:00"
}
../_images/config-variable-mac-json.png

You can refer to the Configuration Variables section of this documentation for more details.

Scroll down to the Configuration section, then click on “Advanced mode (raw JSON)”.

../_images/advanced-mode.png

Before copying the following NetJSON to the advanced mode editor, you will need to update these fields to reflect your configuration:

  • key - the RADIUS secret; it must match the secret set in the NAS (the value “testing123” below is the well-known FreeRADIUS example secret and must not be used in production)

  • server - RADIUS authentication server IP

  • port - RADIUS authentication server port

  • acct_server - RADIUS accounting server IP

  • acct_server_port - RADIUS accounting server port

{
    "interfaces": [{
        "name": "wlan_eap",
        "type": "wireless",
        "mac": "{{mac_address}}",
        "mtu": 1500,
        "disabled": false,
        "network": "",
        "autostart": true,
        "addresses": [],
        "wireless": {
            "network": [
                "lan"
            ],
            "mode": "access_point",
            "radio": "radio0",
            "ssid": "WPA Enterprise 2 (EAP-PAP-TTLS)",
            "ack_distance": 0,
            "rts_threshold": 0,
            "frag_threshold": 0,
            "hidden": false,
            "wds": false,
            "wmm": true,
            "isolate": false,
            "ieee80211r": false,
            "reassociation_deadline": 1000,
            "ft_psk_generate_local": false,
            "ft_over_ds": true,
            "rsn_preauth": false,
            "macfilter": "disable",
            "maclist": [],
            "encryption": {
                "protocol": "wpa2_enterprise",
                "key": "testing123",
                "disabled": false,
                "cipher": "auto",
                "ieee80211w": "0",
                "server": "10.8.0.1",
                "port": 1822,
                "acct_server": "10.8.0.1",
                "acct_server_port": 1823
            }
        }
    }],
    "files": [{
        "path": "/etc/openwisp/pre-reload-hook",
        "mode": "0700",
        "contents": "#!/bin/sh\n\n# Ensure radio0 is enabled \nuci set wireless.radio0.disabled='0'\nuci commit wireless"
    }]
}

Then click on “back to normal mode” to close the advanced mode editor.

../_images/back-to-normal-mode.png

Now you can save the new template.

../_images/save.png

At this point you’re ready to assign the template to your devices, but before doing so you may want to read on to understand the different components of this template:

  • The wlan_eap interface creates the wireless interface that supports WPA2 Enterprise encryption, bound to radio0. The interface is attached to the lan network, which provides internet access in the default OpenWrt configuration.

  • The encryption block selects WPA2 Enterprise and points the access point at the RADIUS authentication (server, port) and accounting (acct_server, acct_server_port) endpoints, using key as the shared secret. Note that ieee80211w is set to "0", which disables Protected Management Frames; "1" (optional) lets capable clients protect disassociation and deauthentication frames while keeping older clients working.

  • A pre-reload-hook script which is executed before OpenWrt reloads its services, to ensure that radio0 is enabled.

  • The mac_address configuration variable is added to the template as a placeholder. When the template is applied to a device, the device’s actual MAC address automatically overrides the placeholder, so the wireless interface is created with the correct MAC address. This makes it possible to trace which device a session went through in the RADIUS accounting data (hostapd reports the interface MAC address in the Called-Station-Id attribute).
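Before pushing the template to devices, it is worth checking the fields listed above once more, since a default RADIUS secret or a server address outside the VPN would silently undo the protection described in the VPN Tunnel section. The following script is an added example, not part of the OpenWISP project or of this tutorial: it lints a condensed copy of the template above (constructed sample), produces a hardened copy with a random secret and Protected Management Frames set to optional, and renders the OpenWrt wifi-iface section the template ends up as on the device. The UCI option names follow the OpenWrt wireless documentation; the rendering illustrates the mapping and is not netjsonconfig’s own renderer (assumption: exact ordering and section naming may differ). The VPN subnet 10.8.0.0/24 is assumed from the 10.8.0.1 server address.

```python
import copy
import ipaddress
import secrets

# Condensed copy of the tutorial's NetJSON template (constructed sample; only the fields the
# checks below look at are kept). The placeholder values are the ones the text says to replace.
TEMPLATE = {
    "interfaces": [{
        "name": "wlan_eap",
        "type": "wireless",
        "mac": "{{mac_address}}",
        "wireless": {
            "network": ["lan"],
            "mode": "access_point",
            "radio": "radio0",
            "ssid": "WPA Enterprise 2 (EAP-PAP-TTLS)",
            "encryption": {
                "protocol": "wpa2_enterprise",
                "key": "testing123",
                "cipher": "auto",
                "ieee80211w": "0",
                "server": "10.8.0.1",
                "port": 1822,
                "acct_server": "10.8.0.1",
                "acct_server_port": 1823,
            },
        },
    }]
}

# "testing123" is the example shared secret shipped in FreeRADIUS' stock clients.conf.
FREERADIUS_EXAMPLE_SECRET = "testing123"
MIN_SECRET_LEN = 16


def enterprise_interfaces(netjson):
    """Yield wireless interfaces whose encryption protocol is an 802.1X/EAP variant."""
    for iface in netjson.get("interfaces", []):
        enc = iface.get("wireless", {}).get("encryption", {})
        if iface.get("type") == "wireless" and "enterprise" in enc.get("protocol", ""):
            yield iface


def lint_enterprise(netjson, vpn_subnet):
    """Return a list of findings; an empty list means the template is safe to push.

    vpn_subnet is the tunnel network the RADIUS server lives in (assumed to be the OpenVPN
    subnet); RADIUS traffic to an address outside it would leave the tunnel unencrypted.
    """
    net = ipaddress.ip_network(vpn_subnet)
    findings = []
    for iface in enterprise_interfaces(netjson):
        enc = iface["wireless"]["encryption"]
        name = iface["name"]
        key = enc.get("key", "")
        if key == FREERADIUS_EXAMPLE_SECRET:
            findings.append(f"{name}: RADIUS secret is the FreeRADIUS example value")
        elif len(key) < MIN_SECRET_LEN:
            findings.append(f"{name}: RADIUS secret shorter than {MIN_SECRET_LEN} characters")
        for field in ("server", "acct_server"):
            addr = enc.get(field)
            if not addr:
                findings.append(f"{name}: {field} is not set")
            elif ipaddress.ip_address(addr) not in net:
                findings.append(f"{name}: {field} {addr} is outside the VPN subnet {net}")
        for field in ("port", "acct_server_port"):
            port = enc.get(field)
            if not isinstance(port, int) or not 1 <= port <= 65535:
                findings.append(f"{name}: {field} must be an integer between 1 and 65535")
        if str(enc.get("ieee80211w", "0")) == "0":
            findings.append(f"{name}: ieee80211w=0 disables Protected Management Frames")
    return findings


def harden(netjson, secret=None, pmf="1"):
    """Return a deep copy with a fresh random secret and PMF set to optional ("1")."""
    fixed = copy.deepcopy(netjson)
    secret = secret or secrets.token_urlsafe(24)  # 32 URL-safe characters
    for iface in enterprise_interfaces(fixed):
        enc = iface["wireless"]["encryption"]
        enc["key"] = secret
        enc["ieee80211w"] = pmf
    return fixed


def render_uci(iface):
    """Render the OpenWrt wifi-iface section for one NetJSON wireless interface.

    Illustrates the NetJSON -> UCI mapping with the option names from the OpenWrt wireless
    documentation; this is not netjsonconfig's renderer (assumption: ordering may differ).
    """
    w = iface["wireless"]
    enc = w["encryption"]
    proto = {"wpa_enterprise": "wpa", "wpa2_enterprise": "wpa2",
             "wpa2_enterprise_mixed": "wpa-mixed", "wpa3_enterprise": "wpa3"}[enc["protocol"]]
    cipher = "" if enc.get("cipher", "auto") == "auto" else "+" + enc["cipher"]
    options = [
        ("device", w["radio"]), ("ifname", iface["name"]), ("mode", "ap"),
        ("network", " ".join(w["network"])), ("ssid", w["ssid"]),
        ("encryption", proto + cipher), ("ieee80211w", str(enc.get("ieee80211w", "0"))),
        ("auth_server", enc["server"]), ("auth_port", str(enc["port"])),
        ("auth_secret", enc["key"]), ("acct_server", enc["acct_server"]),
        ("acct_port", str(enc["acct_server_port"])), ("acct_secret", enc["key"]),
    ]
    lines = [f"config wifi-iface 'wifi_{iface['name']}'"]
    lines += [f"\toption {k} '{v}'" for k, v in options]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in lint_enterprise(TEMPLATE, "10.8.0.0/24"):
        print("FINDING:", finding)
    print(render_uci(harden(TEMPLATE)["interfaces"][0]))
```

Run it against the JSON you are about to paste (load it with json.load instead of the inline TEMPLATE) and only proceed when lint_enterprise returns an empty list; the rendered UCI is handy for comparing against /etc/config/wireless on the device once the template has been applied.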

Enable the WPA Enterprise Template on the Devices

Now it is time to apply this template to the devices where you want to enable WPA Enterprise authentication on WiFi.

Click on Devices in the navigation menu, click on the device you want to assign the WPA Enterprise template to, then go to the Configuration tab, select the template just created, then click on save.

../_images/enable-wpa-enterprise-template.png

Connecting to the WiFi with WPA 2 Enterprise

For brevity, this section only includes an example for connecting a smartphone running Android 11 to the WiFi network. Similar steps can typically be followed on other devices. If unsure, consult your device’s manual for guidance.

Find the SSID set in the template (“OpenWISP” in this example) in the list of available WiFi networks on your mobile and tap it. Fill in the details as follows:

  • EAP method: Set this to TTLS

  • Phase 2 authentication: Set this to PAP

  • CA certificate: Select the option that matches your FreeRADIUS configuration (the system store for a public certificate, or the CA you installed on the device for a self-signed one). Never pick the option that skips validation: without it the phone hands its password to any access point that advertises the same SSID.

  • Domain: Enter the host name that appears in the server certificate used by FreeRADIUS; Android requires it when system certificates are used, and it is what ties the trusted CA to your specific server.

  • Identity and Password: Use the OpenWISP user’s username for Identity and password for Password.

Note

If you are trying this feature on our OpenWISP Demo System you can use the demo user to authenticate. You will need to update the following fields as mentioned:

  • CA certificate: Set this to Use system certificates

  • Domain: Set this to demo.openwisp.io

  • Identity and Password: Use the demo user credentials.

    Screenshot of authentication details filled in for WPA 2 Enterprise WiFi connection

You can leave the Advanced options unchanged and click on Connect after filling in the details.
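The same settings expressed for a Linux client, as an added example that is not part of this tutorial or of the OpenWISP project: each line corresponds to one of the Android fields above (eap to EAP method, phase2 to Phase 2 authentication, ca_cert to CA certificate, domain_match to Domain). The SSID is the one from the template above; the CA bundle path is the Debian/Ubuntu default and is an assumption, as are the identity and password placeholders.

```conf
# wpa_supplicant network block for the WPA2 Enterprise (EAP-TTLS/PAP) network above.
network={
    ssid="WPA Enterprise 2 (EAP-PAP-TTLS)"
    key_mgmt=WPA-EAP
    # Protected Management Frames: optional, matches an access point with ieee80211w=1
    ieee80211w=1
    eap=TTLS
    phase2="auth=PAP"
    # The OpenWISP user's credentials (placeholders, replace with real values)
    identity="<openwisp-username>"
    password="<openwisp-password>"
    # CA that must have issued the FreeRADIUS server certificate; for a self-signed setup
    # point this at the CA file you distributed instead of the system bundle (assumed path)
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    # Must match the host name in the server certificate; together with ca_cert this is
    # what stops a rogue access point with some other valid certificate
    domain_match="demo.openwisp.io"
    # Optional: send a placeholder outer identity so the real user name never leaves the TLS
    # tunnel. Only enable it if your FreeRADIUS site accepts an anonymous outer identity.
    # anonymous_identity="anonymous"
}
```

Leaving out ca_cert and domain_match is the Linux equivalent of choosing “Do not validate” on Android and should be treated as a misconfiguration, not a convenience.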

Verifying and Debugging

If everything worked as expected, your device should connect to the WiFi and allow you to browse the internet.

You can also verify the RADIUS session created on OpenWISP. From the OpenWISP navigation menu, go to RADIUS and then Accounting Sessions.

Navigating to RADIUS Accounting on OpenWISP

You should see a RADIUS accounting session for this device.

../_images/verify-openwisp-radius-accounting.png

If your smartphone does not connect to the internet, you can debug the FreeRADIUS configuration by following the steps in the “Debugging” section of the OpenWISP RADIUS documentation.
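A quick way to separate the pieces that can fail here (VPN reachability, the NAS entry, the shared secret, the user lookup) before looking at hostapd or the phone is to send one RADIUS request yourself from a host inside the VPN. The script below is an added example, not part of the OpenWISP project or of this tutorial: it builds a plain PAP Access-Request by hand (RFC 2865, including the User-Password hiding and the Response Authenticator check), sends it to the server and port from the template above, and explains the outcome in terms of the NAS configuration. It deliberately does not speak EAP-TTLS, so a successful Access-Accept proves the NAS entry, the secret and the user account but not the TLS tunnel; for that, run eapol_test from the wpa_supplicant sources with the same client settings. The NAS address 10.8.0.5 and the demo credentials are assumptions.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 2, 4, 61
NAS_PORT_TYPE_WIRELESS_80211 = 19  # same NAS type as chosen in the OpenWISP NAS form
REPLY_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2: pad to a multiple of 16 bytes and XOR
    each block with MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. This is obfuscation keyed by the shared secret, not real encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decode_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_password (what the server does); trailing NUL padding is removed."""
    if not encoded or len(encoded) % 16:
        raise ValueError("encoded password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], mask))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2 header bytes), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, nas_ip, identifier=1, authenticator=None):
    """Build a plain PAP Access-Request as a NAS inside the VPN would send it."""
    authenticator = authenticator or os.urandom(16)
    attrs = (
        attribute(USER_NAME, username.encode())
        + attribute(USER_PASSWORD, encode_password(password.encode(), secret, authenticator))
        + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
        + attribute(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def build_reply(code, identifier, request_authenticator, secret, attrs=b""):
    """Server-side construction of a reply (RFC 2865 section 3): Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret). Used here to mock a server."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def classify_reply(reply, request, secret):
    """Explain a reply (or its absence) in terms of the things this tutorial configures."""
    if reply is None:
        return ("no reply: server unreachable, or our source IP is not covered by the NAS "
                "entry (FreeRADIUS silently drops requests from unknown clients)")
    if len(reply) < 20 or reply[1] != request[1]:
        return "malformed reply or identifier mismatch"
    length = struct.unpack("!H", reply[2:4])[0]
    if length > len(reply):
        return "truncated reply"
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "Response Authenticator does not verify: shared secret differs from the NAS entry"
    return REPLY_NAMES.get(reply[0], f"unexpected code {reply[0]}")


def probe(server, port, secret, username, password, nas_ip, timeout=3.0):
    """Send one Access-Request over UDP and return a human-readable verdict."""
    request = build_access_request(username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify_reply(reply, request, secret)


if __name__ == "__main__":
    # Server, port and secret from the template above; nas_ip is an assumed VPN address of
    # the host running this probe, and the demo credentials are placeholders.
    print(probe("10.8.0.1", 1822, b"testing123", "demo", "demo", "10.8.0.5"))
```

Run the probe from a device on the VPN (or from the FreeRADIUS host itself, using an address covered by the NAS entry). A timeout usually means the NAS entry does not cover your source address or FreeRADIUS was not restarted after the NAS was created; a failed Response Authenticator check means the secret in the template and in the NAS differ; an Access-Reject with everything else fine points at the user account or the FreeRADIUS site configuration.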