WiFi Enterprise FreeRADIUS
Notes for FreeRADIUS running on pfSense and the WiFi Enterprise option on the ESP8266. This description is based on search results and observations.
Hardware:
- ASUS RT-N16 configuration highlights
  - Firmware Version: 3.0.0.4.380_7378
  - Administration - Operation Mode - selected Access Point(AP) mode
  - Wireless - General
    - Authentication Method: WPA2-Enterprise
    - WPA Encryption: AES
  - Wireless - RADIUS Setting
- FreeRADIUS for authentication
  - running on pfSense firewall 2.7.0-RELEASE (amd64)
  - with the package "freeradius3" v0.15.10 installed.
Update: It has been a while since I updated. (Going from memory - I believe) In all cases of success with the ESP8266, I was using the runtime patch version of the Espressif SDK v3.05 offered in the current Arduino ESP8266 git. The patch addresses some memory leak issues when using the WiFi Enterprise option.
From pfSense->Services->FreeRADIUS->Users
- Add user/password to be used by the ESP client.
From pfSense->Services->FreeRADIUS->Clients
- Specify the `Client IP Address` and `Client Shared Secret`. The WiFi AP is a client of the RADIUS server.
From pfSense->Services->FreeRADIUS->Interfaces
- `Interface IP Address`: (IP address of the listening interface.)
- `Port`: 1812
- `Interface Type`: Authentication
- `IP Version`: IPv4
From pfSense->Services->FreeRADIUS->EAP there are 7 config blocks.
EAP is effectively a framework used to transport the authentication protocol. It can be used for wireless or wired networks. While EAP is not an authentication method, it can encapsulate an authentication method like MD5, GTC, LEAP, TLS, TTLS, PEAP, and MSCHAPv2.
Selections:
- Default EAP Type: TTLS
- Minimum TLS version: 1.1
- The client must have a certificate.
- Deployment-wise, this may be the most popular
- The ESP8266 crashes on a connection with a double free of memory allocation.
- Memory leaks may also be present on reconnects.
- The leaked heap space contains the string for Identity.
- For "[email protected]", that is about 40 bytes for the debug build. (16 bytes overhead, 8 byte aligned)
- Resolved by merged PR, https://github.com/esp8266/Arduino/pull/8746#issue-1482451894, in a current Arduino ESP8266 core git.
Selections:
Default EAP Type: MD5
- Works with ESP8266
- Microsoft started EAP-TTLS support with Windows 8
- REF
Protected EAP
Selections:
Default EAP Type: MSCHAPv2
Second-most widely supported EAP standard. Works with Windows.
- Works with ESP8266
- Generally supported by Microsoft, Apple Computer, Cisco, wpa_supplicant
- To be secure a CA certificate is required on the client! REF, REF
MS Challenge Handshake Authentication Protocol version 2 (MSCHAPv2) is a username/password-based authentication method.
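
The CA-certificate requirement noted above, shown as client configuration for wpa_supplicant (one of the clients listed). This is an added example, not part of the original notes; the SSID, identity, password, certificate path and server name are constructed placeholders.

```conf
# wpa_supplicant.conf network blocks for PEAP with inner MSCHAPv2.
# Use one block or the other; every value below is a constructed placeholder.

# Weak: no ca_cert. The supplicant does not validate the RADIUS server
# certificate, so the MSCHAPv2 exchange runs inside a TLS tunnel to an
# unverified server.
network={
    ssid="example-enterprise"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="esp-client"
    password="placeholder-password"
}

# Corrected: the server certificate must chain to the pinned CA and carry
# the expected DNS name before the inner username/password exchange starts.
network={
    ssid="example-enterprise"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # Outer (cleartext) identity; the real user name stays inside the tunnel.
    anonymous_identity="anonymous"
    identity="esp-client"
    password="placeholder-password"
    # CA that issued the FreeRADIUS server certificate (placeholder path).
    ca_cert="/etc/wpa_supplicant/radius-ca.pem"
    # Name expected in the server certificate (placeholder name).
    domain_suffix_match="radius.example.net"
}
```

The identity and password correspond to the user added under FreeRADIUS->Users; the CA file is the one that signed the server certificate configured in the FreeRADIUS EAP settings.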