Anton Lindstrom (about, @twitter, @github)

Airport Express and FreeRadius

Published:

I have been experimenting some with FreeRadius recently. RADIUS is a protocol for AAA and can be used for authentication in, among others, Cisco and HP network equipment.

We recently bought an Apple Airport Express to be able to bridge the Internet connection from one part of our apartment to another. As they are rather cheap and work very well with other Apple products, it is a pretty good choice. To strengthen the security I am using MAC filtering with WPA2.

While it is simple to add more MAC addresses in the Airport, it is not as scalable and simple as using a script to update a row in a file, MySQL or LDAP. An issue related to the Airport is that it has to restart each time the configuration is updated. With these things in mind I decided to implement RADIUS and use it with the Airport Express. The free implementation FreeRadius, a big, modular, pretty recognizable RADIUS server which I have been researching for a few weeks, is the server I am going to use.

When searching for the MAC address access control for the Airport it was not very easy to find good material; at last I found this, which I am going to use. Using what the author did there worked well. I am pasting the steps in here as well. First, install FreeRadius:

apt-get install freeradius

Add (or replace existing examples with) this in /etc/freeradius/clients.conf:

client 10.10.10.1 {
    secret = yourShareds3cret
    shortname = airport
    nastype = other
}

After adding the client (the 10.10.10.1 in "client 10.10.10.1" is the IP of your access point), the next step is to add the MAC addresses in the users file. Add the following in /etc/freeradius/users and use the same secret as you did in the clients.conf file. The first part is the MAC address of your clients (laptops etc.).

00FF00-FF00FF  Cleartext-Password := "yourShareds3cret"

In the Airport, choose "Access Control" and then under MAC Address Access Control, use RADIUS. Supply the IP address of your FreeRadius server and under "Primary Shared Secret" add the same secret you added in clients.conf and users; in this example it would be "yourShareds3cret".

If you want to verify your configuration, use "freeradius -X" to go into debug mode. Then check for lines like: Calling-Station-Id = "00-FF-00-FF-00-FF". That should be the MAC address of the client you want to authenticate.
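
The scripted update of the users file mentioned earlier could look like the following. This is an added example, not code from the original post or from the post it links to; the function names are made up here, and the XXXXXX-XXXXXX key format is assumed from the sample users entry above.

```python
import re

# Assumption: keys in the users file are six hex digits, a hyphen and six hex
# digits, as in the sample entry on this page (00FF00-FF00FF).
_HEX12 = re.compile(r"[0-9A-F]{12}")


def airport_key(mac):
    """Normalize a MAC in any common notation to the XXXXXX-XXXXXX key form."""
    digits = re.sub(r"[:.\-\s]", "", mac).upper()
    # Rejecting anything that is not exactly 12 hex digits keeps stray text
    # (extra lines, attributes) out of the users file.
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[:6]}-{digits[6:]}"


def users_entry(mac, secret):
    """Build one users-file line in the form shown on this page."""
    if any(c in secret for c in '"\\\n'):
        raise ValueError("secret must not contain quotes, backslashes or newlines")
    return f'{airport_key(mac)}  Cleartext-Password := "{secret}"'


def merge_users(existing_text, macs, secret):
    """Return users-file text with one entry per MAC, skipping keys already present."""
    lines = existing_text.splitlines()
    # Entry keys start in column 0; indented lines are continuations, '#' is a comment.
    present = {ln.split()[0] for ln in lines
               if ln and not ln[0].isspace() and not ln.startswith("#")}
    for mac in macs:
        key = airport_key(mac)
        if key not in present:
            lines.append(users_entry(mac, secret))
            present.add(key)
    return "\n".join(lines) + "\n"


# Constructed sample input: the entry from this page plus made-up client MACs.
SAMPLE_USERS = '00FF00-FF00FF  Cleartext-Password := "yourShareds3cret"\n'
SAMPLE_MACS = ["00:ff:00:ff:00:ff", "a4-5e-60-c1-22-0b", "0011.2233.4455"]

if __name__ == "__main__":
    print(merge_users(SAMPLE_USERS, SAMPLE_MACS, "yourShareds3cret"), end="")
```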