I have been using my UniFi system for a few months and I’m very pleased. The WiFi is very fast, I can roam around the house, and the handoffs between APs are seamless. Now I want to move to the two final stages: advanced access control and then content control for the kids. For access control, I’m going to use RADIUS, specifically pfSense’s freeRADIUS package. I’ve read that it is a bit arcane, but my experimentation has shown that it’s actually pretty straightforward.
Prep
First things first, I needed two things: the freeRADIUS package on my router, and a RADIUS certificate. I used the package manager and the Let’s Encrypt system, respectively, for these.
freeRADIUS
The FreeRADIUS system makes sense when you think about it, and so does the UI in pfSense, but at first glance they are both a bit odd.
freeRADIUS doesn’t accept authentication requests from just anyone. Rather, you register the systems that will be using it to authenticate, so each switch, AP, and server that uses a given RADIUS server gets registered independently. Those registered devices then send authentication requests to the RADIUS server.
Also, the settings allow for many mind-bending configurations, since it’s built to be very pluggable.
RADIUS was built for metered dial-in, so it can do things like measure how much time a dial-up user spent online.
Also, RADIUS stores all its secrets in plain text, by design. I guess the message is to keep your RADIUS server safe, but I’m a bit leery of this. You can store user passwords as MD5 hashes, but not device secrets, which are just plain text in config files.
First Steps
The first step in configuring RADIUS is on the 4th tab (I told you the UI wasn’t intuitive). You need to add interfaces for authentication, accounting, and status.
You will need to create 3 ports per IP you want the server to listen on:
- Port 1812: authentication
- Port 1813: accounting
- Port 1816: status
I suspect you may only need an entry for 1812, but I added all 3. You also need to select the port type in the dropdown, even though 1812 and 1813 are registered ports.
Once that is done, you can explore the settings tab (tab 5), which I didn’t change. These seem exotic.
Clients
Then I headed to the NAS/Clients tab (Tab 3). Nowadays, NAS means ‘Network Attached Storage’, usually a box with hard drives inside and blinky lights outside that you can buy at Best Buy. Real players build their own.
However, back when RADIUS was developed, it meant ‘Network Access Server’, which is just what it sounds like – a server that makes access requests of the RADIUS server.
Each device that needs to talk to your RADIUS server needs an entry here: each AP, other servers, etc. Since UniFi uses one RADIUS profile, you’ll want to use the same secret for all UniFi devices. You’ll want to enter each of your APs here (which is why I used DHCP reservations, so the IPs wouldn’t drift). I just used Password Safe to generate a 16-character password to use as the secret.
EAP Setup
The EAP tab (Tab 6) took me the longest to figure out, and also causes me the most consternation. This is where the security of the call to the RADIUS server is set up. The two variables are how you want to store your passwords (MD5, clear text, or NTLM hash) and what protocol to use (there are a bunch). I’m not totally comfortable storing passwords in plain text, but MD5 isn’t super good either. Then there is the cryptic ‘Disables weak EAP types: MD5, GTC and LEAP’ checkbox, which apparently prevents the weak types but requires either cleartext or NTLM hashes. pfSense currently does not seem to have native support for NTLM hashes, so that checkbox feels somewhat ironic to me.
I get it that RADIUS is predicated on a very secure core server, but still.
Anyhow, I found that this matrix was very helpful in figuring this out, and the freeradius wiki has a very good explanation of the EAP modules. I ended up with the configuration below:
I’m a bit out of my depth here, since it seems that every manufacturer of hardware put their hat in the ring when this was designed.
So I chose TTLS (Tunneled TLS), which secures the connection using TLS, with GTC as the inner protocol, which also supports MD5 passwords.
Users
This part is easy. Go to the Users tab (Tab 1), add a user, assign a password, and choose MD5-Password as the encryption. There is a lot of other cool stuff you can do, like assigning VLANs to users and using one-time passwords, but they might be overkill (for now…).
Firewall
By default, I allow all traffic to the internal interfaces of my pfSense server, so nothing is needed here. But you might need to open the RADIUS ports.
Unifi Setup
UniFi setup is pretty easy. In the Profiles tab of the Settings section, add a RADIUS profile that connects to your new freeRADIUS server.
Once that is done, go to the wireless network you want to secure, and assign that profile to the network:
Once this is done, you ought to be able to log into your wireless network using a username and password, rather than a shared Wifi Password.
Troubleshooting
For testing, it’s possible to connect to your freeRADIUS server from another *nix host to check whether it’s working. The program itself is called radtest and it’s part of freeradius-utils. So:
# yum install freeradius-utils
# radtest username password <ip of freeRADIUS server> 0 sharedsecret
It will emit diagnostic information to help identify whether everything is working. Honestly, it wasn’t as bad as I expected. It’s not super intuitive, but it makes sense in its own way. You will need to add the server you’re testing from as a NAS client.
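To make the troubleshooting step concrete, here is an added example of my own (not code from this post, from pfSense, or from the FreeRADIUS project) that builds the same Access-Request radtest sends and then plays the server side against a constructed NAS table and an MD5-Password user table. It shows three things touched on above: the server needs the cleartext shared secret both to decrypt the PAP password and to sign its reply, which is why device secrets cannot be stored hashed; a request from an IP that is not a registered NAS client gets no reply at all, so radtest just times out; and the client should verify the Response Authenticator before believing an Accept or Reject. The addresses, secret and user are constructed, and the NAS-IP-Address attribute stands in for the UDP source address a real server keys on, an assumption made so the whole exchange runs offline.

```python
"""Toy RADIUS PAP exchange (RFC 2865), mirroring what radtest sends and what the server
does with it. Added example: the NAS table, user table and secrets are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5

# Constructed stand-ins for the NAS/Clients tab and the Users tab.
CLIENTS = {"192.168.1.10": b"testing123"}                    # NAS IP -> shared secret (cleartext on the server)
USERS = {"alice": hashlib.md5(b"correct-horse").hexdigest()}  # username -> MD5-Password (hex digest)


def _attr(attr_type, value):
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_pap_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def decrypt_pap_password(blob, secret, authenticator):
    """Inverse of the above. The server needs the cleartext secret to do this,
    which is why NAS secrets cannot be stored hashed. Trailing NULs are padding."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        out += _xor(blob[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def parse_packet(raw):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = raw[pos], raw[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = raw[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, raw[4:20], attrs


def build_access_request(ident, username, password, secret, nas_ip, nas_port=0):
    """The packet 'radtest user pass server 0 secret' sends: User-Name, User-Password,
    NAS-IP-Address and NAS-Port, with a fresh random Request Authenticator."""
    authenticator = os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encrypt_pap_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_handle(raw, clients, users):
    """Server side. Returns Access-Accept/Reject bytes, or None for an unregistered NAS
    (FreeRADIUS drops those silently, hence 'add the test host as a NAS client').
    Assumption: NAS-IP-Address stands in for the UDP source address a real server uses."""
    code, ident, authenticator, attrs = parse_packet(raw)
    nas_ip = ".".join(str(b) for b in attrs.get(NAS_IP_ADDRESS, b""))
    secret = clients.get(nas_ip)
    if code != ACCESS_REQUEST or secret is None:
        return None
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = decrypt_pap_password(attrs.get(USER_PASSWORD, b""), secret, authenticator)
    # MD5-Password check: hash the recovered cleartext and compare to the stored digest.
    ok = username in users and hmac.compare_digest(hashlib.md5(password).hexdigest(), users[username])
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + authenticator + secret).digest()


def client_check_response(response, request, secret):
    """Client side: trust a reply only if its identifier matches and its Response
    Authenticator verifies under our secret. Returns True for Access-Accept."""
    code, ident, resp_auth, _ = parse_packet(response)
    _, req_ident, req_auth, _ = parse_packet(request)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    if ident != req_ident or not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code == ACCESS_ACCEPT


def demo(username="alice", password="correct-horse", nas_ip="192.168.1.10", secret=b"testing123"):
    """One full exchange against the constructed tables: True/False, or None if dropped."""
    request = build_access_request(42, username, password, secret, nas_ip)
    response = server_handle(request, CLIENTS, USERS)
    return None if response is None else client_check_response(response, request, secret)


if __name__ == "__main__":
    print("good password:", demo())
    print("bad password:", demo(password="wrong"))
    print("unknown NAS:", demo(nas_ip="10.0.0.9"))
```

The three calls in the main block correspond to the three outcomes you will see with radtest: an Accept, a Reject, and a timeout from a host that was never added on the NAS/Clients tab. A request built with the wrong shared secret is a fourth case worth trying: the server still answers (with a Reject, since the decrypted password is garbage), but client_check_response refuses the reply because the Response Authenticator does not verify.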
One more resource I used:
https://wiki.freeradius.org/guide/Basic-configuration-HOWTO
What I’m listening to as I do this:
Iron Maiden’s Somewhere In Time. One of my favorite albums and the album that got me into Heavy Metal. As an impressionable teenager, I loved this album, between the artwork, the concept songs, and the moody theme. The track Alexander the Great is the reason I know all about Alexander the Great, which is very helpful.