Setup FreeRADIUS on Kali Linux for 802.1X Authentication

Captions
Hello everyone, my name is Francois, and today in this video we are going to set up a FreeRADIUS server on Kali Linux. The objective is to use this server to perform 802.1X authentication on Wi-Fi networks. Actually, we're going to test it on two different Wi-Fi networks: on a Cisco network and on an Aruba network. Now, why do we want to use 802.1X authentication, and why would we use FreeRADIUS? So, to answer the first question, why do we want to use 802.1X: it's a very secure way to connect to the Wi-Fi network, but in order to have it working you need a RADIUS server, and the RADIUS server is going to act as an authentication server. Now, most of the time in the enterprise world you're going to have a RADIUS server that costs a lot of money, for instance Aruba ClearPass or Cisco ISE, and you don't necessarily have the money to buy this type of server. They're very advanced servers, right, but sometimes you don't have the need for such an advanced level, and sometimes you just want to have a quick RADIUS server in your lab so you can do some testing, or you just want to have the ability to install a very simple RADIUS server for a small business. So that's when FreeRADIUS comes in, because FreeRADIUS is free and you can install it on basically any Linux server, it's pretty easy to use, and you can use it with any kind of Wi-Fi equipment. It doesn't have to be enterprise level, it doesn't have to be Cisco, it doesn't have to be Aruba; you can use it with a Netgear or a D-Link router, and it's going to allow you to have a secure way to connect to your Wi-Fi network. So let's get into it. The lab setup: we have four devices, so we have an Aruba controller 650 with an Aruba AP 105, and we have a Cisco controller 2504 with the Cisco AP 1702. They're all connected on the LAN on VLAN 20, and then we have another VLAN for the servers, VLAN 100, on which we are going to install the FreeRADIUS service.
So I have a Kali Linux VM running, and that's what we're going to use to install the FreeRADIUS server on. Then we're going to configure our controllers so they can talk to this RADIUS server, and we're going to configure two new Wi-Fi networks: one on the Aruba controller that we're going to call Aruba SemFio Ent, and another one on the Cisco controller that we're going to call Cisco SemFio Ent. Both of these Wi-Fi networks are going to be using WPA2 Enterprise, which uses 802.1X authentication, and we're going to use the PEAP with EAP-MSCHAPv2 method to perform the authentication. So, the 802.1X setup: 802.1X is basically a framework that allows you to access the network in a secure way by blocking the access to the network until the client is fully authenticated. In this framework you have the supplicant, which is the client, and you have the authenticator. The authenticator is going to relay the authentication request to the authentication server, and the authentication server authenticates the supplicant. So in our case the supplicant is going to be our client, the authenticator is going to be the Aruba controller and the Cisco controller, and the authentication server is going to be our FreeRADIUS server. So how is the authentication process working in our case? In our case we're going to use 802.1X with PEAP and EAP-MSCHAPv2. The P in PEAP means it's protected, and it basically creates a tunnel, and within the tunnel you're going to have a second EAP method, and the second EAP method is EAP-MSCHAPv2. Now, how it works: it's basically a double-level authentication. The RADIUS server is going to authenticate itself to the client using a certificate, and then the client is going to authenticate itself to the RADIUS server using a username and a password. So basically that's the setup, and I think we have everything in place to get to work, so let's get started. We have three main
steps in this process. The first one is to install and set up FreeRADIUS on the Kali Linux, the second one is to configure the new 802.1X Wi-Fi networks on the controllers, and then we can finally test everything. So for the first step, we're going to start by validating the network interface on the Kali Linux. If we recall correctly, we have the Kali Linux server on VLAN 100, so we're going to make sure we have connectivity back to the router, and we're going to make sure we have connectivity back to both controllers, since they're going to be communicating together. After that we're going to download and install the FreeRADIUS server onto the Kali Linux. Once it's done, we're going to configure FreeRADIUS to use PEAP with MSCHAPv2 as the inner method. We're going to add the Wi-Fi controllers as RADIUS clients, and this is important so the RADIUS server knows who is sending the authentication request. If you don't do this step, the RADIUS server is just going to say, "I'm not going to process anything, because I don't know who's sending me this authentication request." After that we're going to add new users in the RADIUS server database so we can use these users to connect to the Wi-Fi network; basically the users are the ones you see here, and are the ones used by the end user. After that we're going to create our own CA certificate and server certificate to use. We could use the basic certificate that comes with FreeRADIUS, but it's possible with OpenSSL to create your own CA certificate; it's not too long and it's pretty cool, so we're just going to do it, and then use our CA certificate on our clients. If I come back to the little drawing here, just here, the certificate on the clients: install it, so the clients know that the server certificate comes from a known authority, and then we will be ready to start the RADIUS server. So let's get to work. I have the Kali Linux right here, and I log in now in Kali Linux, so I have the version
4.0. We're going to start by checking the network configuration. My IP address is 192 168 111, so the server is in VLAN 100, that's perfect. So let's try to ping the gateway, 192 168 101. We can ping the gateway, good. Let's see if we can communicate with the controllers. The Cisco controller is at 192.168.20.2, so let's see if we can ping it. Here, it works, perfect. And now let's see if we can communicate with the Aruba controller, with the .3, and it works. So at this point we're good to go; we can install FreeRADIUS. In order to do so, it's pretty straightforward: sudo apt-get install freeradius*. It's going to take a little while, so I'll be back when it's done. All right, so the process is done. Let's check if FreeRADIUS is installed. Yeah, so we have FreeRADIUS version 2.2.5, so now we're ready to modify the configuration. We're going to move to the RADIUS directory, /etc/freeradius. Okay, so here we are, and the main configuration file is radiusd.conf. FreeRADIUS is designed to be working as is when you install it, so we're not going to make any changes in this configuration file. However, we're going to make changes in other configuration files that connect back to this one; this configuration file is the main configuration file. So let's start. If we go back to our to-do list, let's start by configuring FreeRADIUS to use PEAP and MSCHAPv2. In order to configure FreeRADIUS to use PEAP, it's going to happen in the eap.conf file, so we can go ahead and open this file. In order to use PEAP, you need to modify the default EAP type from md5 to peap, and then you save the file. So let's make sure everything is saved: peap. Here we see the default EAP method is PEAP, so we're good. So this is the first part, the PEAP, and then the inner method. To configure the inner method, this is going to happen in a file located in the modules directory, so we can go ahead and modify this file. This file is called mschap, and then so
you just have to enable the use of MPPE, you have to enable the encryption, you have to enable strong, and you have to enable this one as well, with NT domain hack. All right, so you just save everything and we're good: we finished the first step, which is to configure FreeRADIUS to use PEAP and MSCHAPv2. Now we can add the Wi-Fi controllers as RADIUS clients. If we go back to our directory, it's going to happen in the clients file, the clients.conf file, and what it does is that we're going to add the controllers, so when a controller sends the authentication request, FreeRADIUS knows it and processes the request. If we don't do so, the FreeRADIUS server is just going to ignore the request and it's not going to work; the authentication process is not going to work. So let's go ahead and modify this file and add the two controllers as clients. All right, so I'm going to add it right here, because I have the example right here. So client 192.168.20.2, which is the Cisco controller. The secret is going to be used to authenticate the controllers with the RADIUS server, so for this example I'm going to use a secret; actually I'm going to use freeradius secret 1 2 3. And then you can specify, sorry, a short name, so Cisco. This is just for debugging: if you are trying to debug something, it's going to show you the name so you can find information easily. I'm going to do the same thing with the Aruba controller. I'm going to use the same secret to make it easier; short name, Aruba controller. All right, so now we're good, we added the two controllers, so they're going to be able to relay the authentication request from the supplicant, so from the client. We can now save the changes and make sure that the changes have been applied. So I just go back and see if I have Cisco, let's say, as Cisco; actually I'm going to use the IP address, to double-check I haven't been making a mistake. So we have Cisco and Aruba, all right, so we're good. So we've configured the PEAP, we added the Wi-Fi controllers as clients, now we
need to add the users to the FreeRADIUS server database, so the end users can be known by the FreeRADIUS server. This happens in the users file right here. I'm going to open the users file, the users right here. I could add only one user and use it for all my testing, but what we're going to do is add two users: one we're going to use for the test we're going to do on the Cisco network, and one we're going to use for the test we're going to do on the Aruba network. So the first user, I'm going to call it Cisco user, and I'm going to set a password as Cisco password 1 2 3. Same thing: create a second user, Aruba user, Cleartext-Password, and we go Aruba password 1 2 3. Okay, so we have two users and we have the passwords defined, so we're going to use this information in order to connect; to go back to our little drawing, to connect using the client to the Wi-Fi network. So here we have the Aruba user and we have the Cisco user. All right, so we're good. We're going to save the file and make sure that everything has been saved: Cisco user, made a mistake, Cisco user, yeah, we have it. All right, so that's it, we're good, we configured everything we needed on the RADIUS side. The only thing we have left to do is create the certificates, but before doing that I'm going to test that the RADIUS server is actually fully configured, because we could use it as is and it's going to use its internal certificate, so we can actually test it right now. In order to do so, I'm going to open a new terminal, make it a bit bigger, and I'm going to fire up the FreeRADIUS server. In order to start the service you can do freeradius -X, and here it starts the service and it tells me it's listening on port 1812, which is the UDP port used for RADIUS authentication, and then on port 1813, which is the RADIUS UDP port used for accounting. So now if I go back to this one, if I want to make sure that the RADIUS server is up and running,
listening on these ports, I can do a netstat, listening, and I'm going to have UDP radius and UDP radius accounting, so we're all good to go. There's a little program built into Kali Linux that's called radtest, and radtest allows you to test your RADIUS servers if you have a username and password defined, and luckily we have: we just defined two usernames and passwords. So we can do our little test and test if the RADIUS server is working properly. We can go ahead and test our Cisco user, for instance: so Cisco user, and then the password Cisco password 1 2 3, our server is localhost, and then the key that's used, the secret in the default configuration, is testing123. Okay, so here what we have is that it's sending an Access-Request, and then we have received an Access-Accept packet from the RADIUS server, which is good, which means that everything is working fine. So now I'll go back to the other window, on the RADIUS server where we can see the logs, and we can see that it's been accepting the user we have defined, the Cisco user, with this passkey. So everything works well for the Cisco user. We can do the same thing with the Aruba user: Aruba user, Aruba password 1 2 3, localhost, because the server is localhost, and then testing123, and we have the same answer, Access-Accept. So everything is working fine, and we could use this FreeRADIUS server as is. Okay, so I'm going to stop the process and we're going to go on with the configuration. Now what we want to do is create our own CA certificate and our own server certificate, and then afterwards we can export the CA certificate and install it on the client, on all the clients that are going to connect to the Wi-Fi network. This way we're going to have a secure way to connect, and the clients are going to know that the RADIUS server they're connecting to is the real RADIUS server and that they don't connect to some unknown RADIUS server. On Linux there is a tool
that's called OpenSSL, that's built into Kali Linux by default, and OpenSSL can be used to generate all the pieces needed for a certificate, a CA certificate and a server certificate. So we're going to go ahead and perform all the tasks needed to create those two certificates. After that we're going to have to modify the FreeRADIUS configuration a little bit so it can use these new certificates in the process. This is the longest step of the first chapter, so just bear with me. All right, so the first thing I'm going to do is back up the OpenSSL configuration file; you can find it in ssl, openssl.cnf. Okay, I'm going to back it up under another name, backup. All right, so if something goes wrong we can always revert back. And I'm going to modify the OpenSSL configuration file. Once we're in the file, we're going to start by changing the directory where everything is kept. We're going to use a new directory in our FreeRADIUS directory, so everything is at the same place and it's easy to use. I'm going to call the new directory, FreeRADIUS, let's not make a mistake here, I'm going to call the new directory eap and then eapCA. Okay, so /etc/freeradius/eap/eapCA. All right, and then we're going to change the default values of the certificates, so every time we generate a new certificate it's going to be using these default values. Country code: I'm in Canada, so I'm going to use CA. State or province: I'm going to use Ontario. As a city I'm going to use London. Organization: it's your company, so I'm going to put my company name, SemFio Networks Inc. Then organizational unit, so let's use IT. And common name: this is basically going to be the name of the certificate, so I can do SemFio CA. Email, if they want to contact the IT. All right, so that's pretty much it, so we can now save the configuration. Okay, so now we need to create the new directory, right, so we can go ahead and create the new directory right here. We are already in /etc/freeradius, so we can create it right
here: eap. So that is it, and now we can go into the directory. We have nothing, and we're going to use the OpenSSL script that's used to generate certificates. We're going to copy the script and paste it in this directory so we can use it locally in this directory. All right, so the script is located at /usr/lib/ssl/misc/CA.pl. All right, I'm going to copy it right here, dot, and then we should have it. Okay, so we have the script, and we will be able to use it later on to generate a certificate, but right before that we're going to modify this script so the script generates the certificates where we want them to be generated. So let's go ahead and modify this script. Okay, so we need to change one of the parameters. We need to change this parameter, CATOP; this is where it's going to be generating the certificate. We want it where FreeRADIUS is, so /etc/freeradius/eap/eapCA. All right, so we're good, we're going to save it, yes. All right, so we're good; we can validate that everything is in place and has been saved properly. If we look for eapCA, we have it: we now have the CATOP parameter set to the destination we want. All right, okay, so now we're going to use the script to generate our new CA certificate. We can use the script with the option -newca. Okay, so press Enter, and then you have to enter a password that you're going to use later on to generate a server certificate, so make sure you remember it. Okay, and then it's going to reuse the defaults that we entered in the configuration file earlier, so we can just press Enter and it's going to take the default configuration. For the name, I'm just going to name it CA address; I'm not going to use these ones, and then the passphrase. All right, so it has just created the CA certificate. We see now that we have an eapCA directory, so if we go into it we have a cacert.pem, so we have our CA certificate. That's perfect, we can go on, and now we're going to create a server certificate. So we're
going to run the script again with another option that's called -newreq, as in new request, -nodes. All right, so I'm going to use the same data. For the server, we can say FreeRADIUS, and the challenge password, put it and set it. Okay, so the request is done, so we have the new key. We now have a pair of keys ready to be sent to the CA in order to generate the server certificate. If we check the keys, we have the new key and the new request, so we're going to use these keys to generate the server certificate. In order to do so you have to use this script again, CA.pl, with the option -sign, and enter the passphrase, the password, that's the one you entered previously. Do you want to sign the certificate? Yes I do, yes, commit. All right, so the signed certificate is in newcert.pem, right, so newcert.pem is our server certificate for our FreeRADIUS server. So now, if we go back to our little drawing, we have our CA certificate and we have our server certificate, so now what we need to do is configure our FreeRADIUS server to use these two certificates. All right, so let's go back into the FreeRADIUS directory, and to do so we need to create two extra files named dh and random. In order to do so we can use OpenSSL: openssl dhparam, -check, -text, 512, -out dh, so we're creating the dh file; count equal 2; and then finish with chmod 640 random, newcert.pem, newkey.pem, newreq.pem, dh. All right, so now we have our dh file and our random file that we're going to use in the FreeRADIUS configuration. Okay, so if we go back into the FreeRADIUS directory we can go ahead and change the EAP configuration. All right, so nano eap.conf, and then we need to change the private key file. All right, here it is, private key file, so we need to change it with our server certificate, so it's /etc/freeradius/eap and it's newkey.pem, so that's the server certificate. Then we need to change the certificate file right here to /etc/freeradius/eap, newcert.pem.
All right, and then after that we need to change the CA file right here, which is the CA certificate file: freeradius, eap, eapCA, and it's called cacert.pem. Then we need to change the dh file that we've just created, /etc/freeradius/eap/dh, and finally the random file, so /etc/freeradius/eap/random. One last change: I'm going to uncomment this line, here we go, and then we can save the configuration. All right, let's make sure the configuration has been saved. All right, all of the changes that I've made appear here, so we're good to go. Now we can go ahead and start the RADIUS server again. All right, let's make sure that it's listening on the RADIUS ports, and it is: okay, so radius, which is UDP 1812, and RADIUS accounting, which is UDP 1813. So at this point we have finished the configuration on the FreeRADIUS server, so we're good to go and we're good to head over to the controllers to configure their Wi-Fi networks with 802.1X. So now that we have the FreeRADIUS server set up and running, it's time to configure the 802.1X Wi-Fi network on the controllers. On both the Cisco and the Aruba we're going to do the following: add the FreeRADIUS server as a RADIUS server on the controller; after that we're going to configure a new WLAN using WPA2 Enterprise with 802.1X authentication, and we're going to use the FreeRADIUS server that we added previously as the authentication server; after that we can go ahead and enable the WLAN and start our testing. So I'll start with the Cisco controller. All right, so I'm using a 2504 controller, and the version I have is 8.1.111.0. So the first step is to add the FreeRADIUS server as a RADIUS server. In order to do so on the Cisco box, you click on Security, and then you navigate to AAA, RADIUS, Authentication, and then at the top right click on New, so we're basically adding a new RADIUS server. We're going to enter the IP address of our FreeRADIUS server, so 192 168 111, and then they're asking for the shared secret, and the shared secret is
the secret we defined in the clients file on the FreeRADIUS server, so we used freeradius secret 1 2 3, freeradius secret 1 2 3. This shared secret is going to be used by the controller and by the RADIUS server so they authenticate each other and they know they can talk securely. So I applied the changes; that's basically all we have to do on the RADIUS server. We can also add an accounting server, so we're going to use the FreeRADIUS server for the accounting as well. It's the same settings since it's the same server: freeradius secret 1 2 3, freeradius secret 1 2 3. Okay, I didn't make any mistake. All right, at this point we're good to go; we can go ahead and configure a new WLAN. So we just navigate to the WLANs tab, and then here we can just click Go next to Create New. Create New, Go. Profile: if I go back to my little drawing, I chose Cisco SemFio Ent, like Enterprise. I like to use the same name for my profile name and my SSID, it makes it easier, so I'm going to use the same name, Cisco SemFio Ent, and apply. Okay, here as the interface I'm going to select WLAN, and WLAN refers to VLAN 88, because I want my client to connect onto VLAN 88, right, so the WLAN interface on my controller refers to VLAN 88. I'm going to enable the new network, and then I will go to Security to configure the RADIUS server. All right, so the default settings are already set up for WPA2 encryption using AES with 802.1X authentication, so we don't have to change anything here. And then on the AAA Servers tab, that's where we're going to specify what authentication server to use and what accounting server to use. In our case we only have the FreeRADIUS server, so we can use this one; you can select it here. If you don't define the server in your Security tab, you're not going to see anything when you try to select a server here, so you have to previously define the server if you want to use it here. Okay, so we have chosen the FreeRADIUS server for the authentication,
for the accounting. You can double-check at the bottom that RADIUS is selected in the authentication method, and that's basically it, that's all you have to do. You can just apply, and voilà, that's done: you have your Cisco SemFio Enterprise, it's been enabled, and it uses WPA2 with 802.1X authentication. All right, so we're done on the Cisco box. Just before trying to check if the SSID is broadcasting, I'm going to show you the WLAN interface I was talking to you about. If you go into Controller and Interfaces, you can see that the WLAN interface is right here and relates to VLAN 88. All right, so at this point we're good. I can see if the network is broadcasting here; I can see it's broadcasting, so we're good to go for the testing. We configured the Cisco controller; we can go and configure the Aruba controller. So I'm going to log in to the controller that I have in the lab, and it's basically almost the same steps. On the Aruba controller you have a little bit more bricks to build, and then it all comes together at the end, but it's basically the same process, it's pretty straightforward. So I'm going to head to the Configuration tab. The first thing I'm going to check is the VLAN, so I should have VLAN 88 right here. I use it on layer 2, so that's why I don't have any IP address here, and I already had VLAN 88 because that's the one I usually use for the Wi-Fi networks I test, so I already have it here, I don't have to create it again, and we're good to go on this end. So we can go ahead and start the configuration of the new Wi-Fi network. The first thing is to add the FreeRADIUS server to the list of RADIUS servers, so you can go to Security, Authentication, and then you can navigate to the Servers tab, and then under RADIUS Server you can click on RADIUS Server and we're going to add a new one, so FreeRADIUS, I'm going to call it FreeRADIUS SemFio, add, and then you click on it, right, click on this one, that's the one I
want to change. All right, and then here I can change settings. Host is the IP address of our RADIUS server, so 192 168 111. The key is the secret that we previously defined; just like on the Cisco box, we use the same one, so this is freeradius secret 1 2 3, freeradius secret 1 2 3. All right, and then it's going to use port 1812 for authentication and 1813 for accounting. This is perfect, we don't have to do anything else; we can just apply, and here we have our RADIUS server, so we're good. Now we can create a new server group in which we are going to include the FreeRADIUS server, so FreeRADIUS group, and you can go ahead and click on the group and add the FreeRADIUS server. All right, so we added the FreeRADIUS server in the Servers tab, it's right there, that's it, apply. All right, so we've just added our FreeRADIUS server with the secret so they can communicate; the controller will be able to forward authentication requests to the FreeRADIUS server, and we've just created a server group including this FreeRADIUS server that we can use later on in the authentication process. So the next thing to do is to create a AAA profile. We can navigate to the AAA Profiles tab right here, and the AAA profile is going to be used by our SSID to authenticate the users. So we can go ahead and create a new one; I'm going to call it AAA FreeRADIUS, and I'm going to click on it to modify it, and I'm going to change the role that will be assigned to the user that is fully authenticated using 802.1X. So this is the 802.1X authentication default role, and I'm going to use a role that I have previously defined that's called SemFio connected, and basically SemFio connected is a role that gives you access to the Internet. So once the user is fully authenticated, the user is going to have this role, SemFio connected, and is going to be able to go online. So I'm going to apply this here. All right, and now I'm going to configure the 802.1X authentication profile, so now we go to Layer
2 Authentication, you click on 802.1X Authentication, and you can create a new one, so I'm going to call it FreeRADIUS, add. We're going to click on the AAA profile we've created earlier, and if we click on the 802.1X Authentication Server Group, we're going to select our group here, and this refers to our FreeRADIUS server. All right, so basically what's going to happen is that we are going to use this AAA profile for our Wi-Fi network, and then the controller is going to send the authentication request to this RADIUS server using the configuration that we just gave, and then if the RADIUS server replies with an Access-Accept, the controller is going to put the user into the SemFio connected role and it's going to grant access to the network and access to the Internet. So now all we have to do is modify our AP configuration so the AP broadcasts this new Wi-Fi network compatible with WPA2 Enterprise and 802.1X authentication. In order to do so, you can navigate to Wireless, AP Configuration. I'm going to choose the AP group that I'm currently using, which is AP SemFio, AP group SemFio, and I'm going to navigate to Wireless LAN, Virtual AP, and here you can see that I'm already using two different SSIDs on my Aruba AP, so I have Aruba SemFio and I have Aruba SemFio Guest, and I'm going to add a new profile. I'm going to call it Aruba SemFio Ent, and add. All right, the AAA profile: we're going to use the one we've just configured, so we can see that we have the SemFio connected role. I can just apply, and then the SSID: we're going to create a new SSID and we're going to call it Aruba SemFio Ent, and this SSID is going to be WPA2 AES, perfect, apply. It says that it already exists, all right, so I guess we can select it. Okay, apply. All right, I can just apply the configuration. All right, the configuration updated successfully, and the only thing I'm missing here is the VLAN, right, so in order to change the VLAN we
can go and click on the Aruba SemFio Ent SSID, and here you can choose VLAN 88. You can double-check that we have the right information here: we have the AAA profile and then we have the SSID, Aruba SemFio Ent. All right, so I have left a lot of default configurations because I wanted to focus on how to configure the RADIUS side and how to configure the 802.1X AAA profile, but if you want to later on go back to your configuration and change some settings, radio settings and stuff like this, you can surely do so. All right, so I have applied my configuration, so everything should be up and running. If I check in my Wi-Fi status bar I should see Aruba SemFio Ent, so we're good, we're good to go. Now we have Aruba SemFio Ent and we have Cisco SemFio Ent, and so we are ready to test the FreeRADIUS server and make sure everything works and we can connect to the networks. Ready to test: we're going to test on two different clients, Mac OS 10.11.1 and Windows 8. For each client we're going to import the CA certificate so the client can recognize the FreeRADIUS server, we're going to connect to the new SSID, and we're going to use the users that we have previously defined in our FreeRADIUS server database. If you recall, we defined two different users, one called Cisco user and the other one called Aruba user. All right, so if we go back to the little drawing of the authentication process: on the FreeRADIUS server we have previously created two different certificates, the CA certificate and the server certificate. I have sent the CA certificate to my client, so I have it on my desktop right here, and I'm going to import it to the certificates on my Mac, and once I do this my Mac is going to recognize the certificate coming from the FreeRADIUS server. So when I connect to the Aruba SemFio Enterprise network I'm not going to have any pop-up asking me, "Do you recognize this certificate?" It's going to be
transparent for the end user, so that's exactly what we want.

Okay, so now how do we add the CA certificate to the Mac? So I have it here on my desktop, so I'm gonna close this one. You just have to double-click on it. All right, so I've double-clicked on it and it adds it to your keychain certificates. So here I have it, SemFio CA. It tells me this root certificate is not trusted, so I can double-click on it, Trust, and then click on Always Trust, all right, because I know it's mine, I have created it. You can double check the information: the country, the state, the organization, the common name, everything that we have defined previously is here, so we know it's our certificate, so we can trust it, no problem. So once I close this window, they're gonna ask me to put my root password for my Mac, just as a security measure, and here we have our CA certificate, SemFio CA, that we can now use on this computer.

So we can now go ahead and try to connect to the first network. So we're going to try to connect to the Aruba, to the Aruba Wi-Fi network, and we're going to use the user Aruba user. So I'm going to open Network Preferences to do it this way, and under the Wi-Fi network interface I'm going to select Aruba SemFio Ent. All right, and here it tells me, okay, how do you want to connect? You can select Automatic. As a user, we're going to use Aruba user, right, and then as a password, if I recall correctly, the password is Aruba password one two three. All right, Aruba password one two three, and then once I click Join, it's going to send the authentication request to the controller, and the controller is going to forward it to the FreeRADIUS server, and if everything goes right, we should connect to the network, because this user is defined on the FreeRADIUS server.

All right, as you saw, it took a little while to connect: we had the authentication step, like, process in the first step, and then after that it was seeking for an IP address. So now it looks like we are connected, and as you
can see here, we had EAP-PEAP and MSCHAPv2, and it's been connected for 28 seconds. All right, so now if we go back, and if I want to check my IP address, I can see it here: 192.168.88.14. But I also have this neat little tool that's called Wi-Fi Signal, and it's great, you can just have a whole bunch of information about the Wi-Fi network which you are connected to, and here you also have the IP address 192.168.88.14, so I know I'm in the VLAN 88 and I'm connected.

And if I want to double check on the RADIUS server, in the logs we should see the user Aruba user, and then MSCHAPv2 for our user, and then Access-Accept. All right, and then we see it's coming from the IP address 192 168 22 3, which is the Aruba controller. So everything worked, you know, perfectly, and we connected to the Wi-Fi network. And then if we want to check if we can go online, we can just check on Google, and here we go, we connected to Google, everything works fine. And if I want to double-check on the controller, I can navigate to the Monitoring tab, and under the Monitoring tab, or the Dashboard, I click on Clients and I should see Aruba user. Here we are. All right, so the Aruba test worked perfectly on the Mac OS.

Now we can try to do the same thing on the Cisco network. So I'm going to select Cisco SemFio Enterprise. The username I'm going to use this time is the Cisco user, and the password is Cisco password one two three. Join. Right, so seeking for the IP address. All right, so everything worked perfectly as well. We didn't get any pop-up for any certificates because we previously installed the CA certificate on this client, so everything worked perfectly. So it's showing us that we connected with EAP-PEAP MSCHAPv2, and then we have this IP address on VLAN 88. So we can try to see if we can go online again. All right, it works. And then I can double check on the controller for the Cisco user, the client Cisco user. Here we are. All right, and then if we go back to the Free
RADIUS server, we should see... this is the accounting, but if we go back up a little bit, we should see an Access-Accept. Here it is, from 192 168 22, which is the Cisco controller, and for the Cisco user. So here it is.

So we have tested it on Mac OS; the next step is to test it on Windows 8. So I am now on Windows 8, and I have copied the certificate file on my desktop. So as you can see, the .pem extension is not recognized by Windows, so all I have to do is change the extension of the certificate file, changing from .pem to .crt. It's asking me if I really want to make the change, I say yes, and here we have a recognized certificate file. I'm going to now import it into the trusted CA certificates on Windows. So you can open the Control Panel, and in the search bar search for "certificate", and then click on Manage computer certificates, and then under Trusted Root Certification Authorities, Certificates, you can right-click, All Tasks, Import, and we are going to import our CA certificate. Finish. All right, so now our certificate is right here. I can double-click on it, make sure everything is good, and we are good to go.

We can now connect to our network, so let's start by connecting to the Aruba SemFio Ent, and connect. It's asking us for username and password, so I'm gonna use my user, password 1 2 3. So the first time we connect, it's gonna ask us about the certificate: are you sure you want to connect to this server? It's because we didn't link the profile to the CA certificate yet. So for the first time we're gonna say yes, connect, and we're now connected.

So if we go back to Control Panel, if we go back to the network connections, we can now see that we're connected to the Wi-Fi network Aruba SemFio Ent. So if we click on it, click on Wireless Properties, Security; next to Microsoft, you know, Protected EAP (PEAP), click on Settings, and here we have the check box that says verify the certificate server's identity by validating this
certificate, and here in the list of trusted root certificates you can choose SemFio CA, the one we just uploaded. So after we do this, and it does need a reboot for some reason on Windows, next time we connect to the Aruba SemFio Ent network, it shouldn't ask us, you know, to validate the certificate anymore. It should just connect and, you know, it's gonna do the validation process behind the user, and it's going to be transparent for the end user.

All right, so this worked. Let's try the Cisco SemFio Ent; it's the same process. Connect. Username: this time we're gonna use the Cisco user, with Cisco password one two three. Same thing here: it's asking us to validate, it's presenting the server certificate again, asking us if we really want to connect to the server. And so here once again, we have the Cisco SemFio Ent, so we can go ahead and change the same properties, so next time it just validates our server certificate according to the SemFio CA, you know, authority, so everything goes right. All right, it's the same thing here, it does require the reboot, so I'm going to stop the video, reboot the computer, and I'll start the video again and show you the seamless connection.

All right, I'm back on Windows after the reboot, so we're gonna try to connect to the 802.1X Wi-Fi network. So let's try with the Cisco SemFio Ent. So it just did the connection seamlessly. Let's try the Aruba SemFio Ent, and it just connects without, you know, asking us to validate the certificate anymore. And if we check the IP address, we have an IP address in the 88 VLAN, so, you know, everything looks good. All right, so that was the testing on Windows 8. So we've just done the testing on the Mac and Windows, and it worked great.

So now, to conclude this video, you can check out some useful debug commands you can use on the Aruba controller and on the Cisco controller. I'm gonna, you know, include this little document in the blog post so you guys
can check it out on your own time. So thank you for watching. You can go review; it's all on the blog, semfionetworks.com/blog, and so just don't hesitate to give me your feedback, and maybe I can, you know, make it a little bit better next time. Thank you very much for watching. Bye bye.
Info
Channel: SemFio Networks - Wireless Consulting Services Canada
Views: 39,179
Keywords: FreeRADIUS, Wi-Fi, 802.1X, Kali Linux, SemFio Networks, Cisco, Aruba
Id: AwkIUw8mS_c
Length: 66min 34sec (3994 seconds)
Published: Sat Dec 05 2015