This directory contains the RADIUS configuration files for OpenWRT (and other) routers.
These configuration files should be saved in the RADIUS configuration root (/etc/freeradius3/ on OpenWRT).
The first thing you need to do is go to the OpenWRT website and download the firmware for your router. We strongly recommend checking the OpenWRT firmware selector to see if your router is supported, and selecting the right firmware for your device.
You have 2 options, depending on your router's state:
- If your router is already running OpenWRT, download the sysupgrade binary.
- If your router is running the stock firmware, you need to download the factory binary.
After downloading the firmware, verify the file's integrity against the SHA-256 checksum (sha256sum) provided on the website.
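The integrity check can be scripted so that a mismatched or missing checksum stops you before flashing. This is an added example, not part of the original README: it assumes the published checksum list was saved locally as a file in the `<digest> *<file name>` layout that sha256sum prints, and the function name `verify_firmware` and the sample file names are hypothetical.

```shell
#!/bin/sh
# verify_firmware IMAGE SUMS_FILE   (hypothetical helper, added example)
# Returns 0 only if IMAGE's SHA-256 matches the entry for its file name in
# SUMS_FILE. Assumes file names without spaces, as firmware images have.
verify_firmware() {
    image=$1
    sums=$2
    [ -f "$image" ] && [ -f "$sums" ] || { echo "missing file" >&2; return 2; }
    name=$(basename "$image")
    # Exact file-name match; strip the optional "*" binary-mode marker.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print tolower($1); exit } }' "$sums")
    # Fail closed: an image with no checksum entry is NOT treated as verified.
    [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 3; }
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Constructed demo data: a stand-in image and a checksum list built for it.
demo_dir=$(mktemp -d)
printf 'constructed firmware bytes\n' > "$demo_dir/sample-sysupgrade.bin"
digest=$(sha256sum < "$demo_dir/sample-sysupgrade.bin" | awk '{ print $1 }')
printf '%s *sample-sysupgrade.bin\n' "$digest" > "$demo_dir/sha256sums"

verify_firmware "$demo_dir/sample-sysupgrade.bin" "$demo_dir/sha256sums"

# Simulate a corrupted or truncated download: the same call must now fail.
printf 'x' >> "$demo_dir/sample-sysupgrade.bin"
verify_firmware "$demo_dir/sample-sysupgrade.bin" "$demo_dir/sha256sums" \
    || echo "rejected, do not flash"
rm -rf "$demo_dir"
```

A match only shows that the download is the file the checksum list describes, so fetch the checksum list from the OpenWRT website itself rather than from a mirror or forum post.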
If you are flashing from the stock firmware, consult your manufacturer's documentation to see how to flash the firmware. If you already have OpenWRT installed on your router, follow these steps to upgrade your firmware:
- Power off your router.
- Plug an Ethernet cable (not the power cable yet!) into the LAN port of your router.
- Hold down the reset button on your router.
- While holding the reset button, plug in the power cable.
- Wait for the indicator light(s) to blink.
- Release the reset button.
- Add a static IP address to the PC's Ethernet interface (e.g. 192.168.1.2):
  ip addr add 192.168.1.2/24 dev <interface>
- Connect to 192.168.1.1 with your browser.
- Go to the System tab, then Backup / Flash Firmware.
- Upload the file you downloaded and click on the flash image button.
- Wait for the router to reboot, reload the page and log in with root/root as credentials.
To install FreeRADIUS on OpenWRT, connect to your router over SSH and run the following commands (make sure you have an internet connection). Optionally, you can install the freeradius3-utils package for additional testing tools.
opkg update && opkg install freeradius3
opkg install freeradius3-utils # Optional
For eduroam to work, you need to install the wpad package, which is not installed by default. You may need to remove preinstalled WPA-related packages to avoid conflicts.
opkg install wpad
On the OpenWRT interface, go to the Network tab, then Wireless, and add a new wireless network with the following settings:
- General setup tab
  - Mode: Access Point
  - ESSID: eduroam
  - Network: lan
  - leave the rest as default
- Wireless Security tab
  - Encryption: WPA2-EAP
  - RADIUS Authentication Server: 127.0.0.1
  - RADIUS Authentication Port: 1812
  - RADIUS Authentication Secret: your_secret (the same as in the clients.conf file)
  - leave the rest as default
First, make sure you have an IP address assigned to your Ethernet interface. If that's not the case, you'll need to add one to communicate with the RADIUS server (we'll assume 192.168.2.1), like this:
ip addr add 192.168.2.1/24 dev <interface>
Edit the /etc/freeradius3/clients.conf file and add the following configuration:
client name {
    ipaddr = 192.168.2.1
    secret = your_secret # The same as in the wireless configuration
}
Note: this is the minimum configuration. You can add more options if needed; refer to the FreeRADIUS / eduroam documentation for more information.
To test the configuration, you can use the radclient command from the freeradius3-utils package.
First, you need to create a test user in the /etc/freeradius3/mods-config/files/authorize file; you can simply uncomment the bob user.
echo "User-Name=bob, User-Password=hello" | radclient -x 192.168.1.1 auth testing123
If the command returns Access-Accept, your configuration is correct; otherwise, check the logs in /var/log/radius/radius.log.
If you see the message below when starting FreeRADIUS in debug mode:
radiusd -X
[...]
(TLS) Failed loading legacy provide
You can refer to this issue on the OpenWRT GitHub repository and follow the workaround provided.
If you see the message below when trying to authenticate with the RADIUS server (in debug mode):
radiusd -X
[...]
Ignoring request to auth address * port 1812 bound to server default from unknown client <your_pc_address> port 46085 proto udp
Make sure you have the correct client configuration in the /etc/freeradius3/clients.conf file.