WiFi Enterprise FreeRADIUS - mhightower83/Arduino-ESP8266-misc GitHub Wiki

FreeRADIUS

Notes for FreeRADIUS running on pfSense and the WiFi Enterprise option on the ESP8266. This description is based on search results and observations.

Hardware:

  • ASUS RT-N16 configuration highlights
    • Firmware Version: 3.0.0.4.380_7378
    • Administration - Operation Mode - selected Access Point (AP) mode
    • Wireless - General
      • Authentication Method: WPA2-Enterprise
      • WPA Encryption: AES
    • Wireless - RADIUS Setting
  • FreeRADIUS for authentication
    • running on pfSense firewall 2.7.0-RELEASE (amd64)
    • with the package "freeradius3" v0.15.10 installed.

Update: It has been a while since I updated. (Going from memory - I believe) In all cases of success with the ESP8266, I was using the runtime patch version of the Espressif SDK v3.05 offered in the current Arduino ESP8266 git. The patch addresses some memory leak issues when using the WiFi Enterprise option.

FreeRADIUS On pfSense

From pfSense->Services->FreeRADIUS->Users

  • Add user/password to be used by the ESP client.

From pfSense->Services->FreeRADIUS->Clients

  • Specify the Client IP Address and Client Shared Secret. The WiFi AP is a client of the RADIUS server.

From pfSense->Services->FreeRADIUS->Interfaces

  • Interface IP Address: (IP address of the listening interface.)
  • Port: 1812
  • Interface Type: Authentication
  • IP Version: IPv4

From pfSense->Services->FreeRADIUS->EAP there are 7 config blocks.

EAP

EAP is effectively a framework used to transport the authentication protocol. It can be used for wireless or wired networks. While EAP is not an authentication method, it can encapsulate an authentication method like MD5, GTC, LEAP, TLS, TTLS, PEAP, and MSCHAPv2.

Selections:

  • Default EAP Type: TTLS
  • Minimum TLS version: 1.1

EAP-TLS

  • The client must have a certificate.
  • Deployment-wise, this may be the most popular.
  • The ESP8266 crashes on connection with a double free of a memory allocation.

EAP-TTLS

Selections:

  • Default EAP Type: MD5

EAP-TTLS-MD5

  • Works with ESP8266
  • Microsoft started EAP-TTLS support with Windows 8
  • REF

EAP-PEAP

Protected EAP

Selections:

  • Default EAP Type: MSCHAPv2

EAP-PEAP-MSCHAPv2

Second-most widely supported EAP standard. Works with Windows.

  • Works with ESP8266
  • Generally supported by Microsoft, Apple Computer, Cisco, wpa_supplicant
  • To be secure a CA certificate is required on the client! REF, REF

MS Challenge Handshake Authentication Protocol version 2 (MSCHAPv2) is a username/password-based authentication method.
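
The CA-certificate requirement noted for EAP-PEAP-MSCHAPv2 can be checked mechanically on clients that use wpa_supplicant, one of the supplicants listed above. The following is an added example, not code from this wiki or the ESP8266 project: it parses a constructed `wpa_supplicant.conf` and flags PEAP/TTLS networks that have no `ca_cert` or `ca_path`. The additional server-name check and all SSIDs, identities and paths in the sample are assumptions made for illustration.

```python
import re

TUNNELED = {"PEAP", "TTLS"}   # methods that carry the password inside a TLS tunnel
NAME_CHECKS = {"domain_suffix_match", "domain_match", "altsubject_match", "subject_match"}
# Constructed sample in wpa_supplicant.conf syntax; every name and path is made up.
SAMPLE_CONF = '''
network={
    ssid="lab-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="esp-client"
    password="example-password"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="lab-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="esp-client"
    password="example-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/radius-ca.pem"
    domain_suffix_match="radius.example.test"
}
'''

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", text, flags=re.S):
        fields = {}
        for line in map(str.strip, body.splitlines()):
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        nets.append(fields)
    return nets

def audit(text):
    """Return (ssid, finding) for PEAP/TTLS networks that skip server validation."""
    findings = []
    for net in parse_networks(text):
        if not TUNNELED & set(net.get("eap", "").upper().split()):
            continue                      # PSK or non-tunneled EAP: out of scope here
        if not {"ca_cert", "ca_path"} & net.keys():
            findings.append((net.get("ssid"), "missing-ca"))
        elif not NAME_CHECKS & net.keys():
            findings.append((net.get("ssid"), "ca-without-name-check"))
    return findings
```

Call `audit()` with the text of a real configuration file to get the list of networks where the supplicant would hand the MSCHAPv2 exchange to a RADIUS server it has not validated.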