Create a new folder to store configuration files. Note that these files will contain credentials in clear text, so this folder will have to be well protected. Protecting this data will be the subject of a future post.
$ mkdir ~/hapd_conf
$ cd ~/hapd_conf
$ nano hostapd_local.conf
Create the file hostapd_local.conf with the following:
driver=none
eap_server=1
radius_server_auth_port=1812
ctrl_interface=/var/run/hostapd
interface=eth0
radius_server_clients=/home/pi/hapd_conf/hostapd.radius_clients
eap_user_file=/home/pi/hapd_conf/hostapd.eap_user
server_cert=/home/pi/hapd_conf/cert.pem
private_key=/home/pi/hapd_conf/key.pem
private_key_passwd=abc123
Create hostapd.eap_user from the example below. All users and passwords should be listed there.
# Phase 1 users
"user_1" PEAP
# Phase 2 (tunneled within EAP-PEAP or EAP-TTLS) users
"user_1" MSCHAPV2 "some_strong_password" [2]
The file above configures PEAP-MSCHAPv2. For other methods, check the hostapd documentation.
Create the file hostapd.radius_clients. This file should reflect your Wi-Fi Access Point or Router. The shared secret “secret” must be the same on both. The IP address is the Access Point IP address as the Raspberry Pi sees it.
# RADIUS client configuration for the RADIUS server
# NOTE: This is your access point IP address (as the RADIUS server sees it)
# Can have more than one AP accessing the same RADIUS server
192.168.1.41 secret
Starting the server:
$ cd ~/hostapd-2.9/hostapd
$ sudo ./hostapd ../../hapd_conf/hostapd_local.conf
Alternatively, it can be started as a daemon. See the hostapd documentation.
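Since the files in ~/hapd_conf hold clear-text credentials, the script below (an added example, not from the original post) checks that the folder and its files grant nothing to group or other, and that short shared secrets and the sample values shown above (abc123, some_strong_password) are not left in place. It assumes GNU stat and the file names used in this post; audit_hapd_conf, flag and the 16-character MIN_SECRET_LEN threshold are hypothetical choices made for this example.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat (Raspberry Pi OS)
# and the file names used above; MIN_SECRET_LEN is an assumed threshold.
MIN_SECRET_LEN=16

flag() { echo "FINDING: $*"; findings=$((findings + 1)); }

# Prints one line per finding, leaves the count in $findings,
# and returns 0 only when the folder is clean.
audit_hapd_conf() {
    dir=$1
    findings=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Clear-text credentials: no permission bits for group or other.
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        case $mode in
            *00|0) ;;
            *) flag "$f has mode $mode, expected 700 (folder) or 600 (file)" ;;
        esac
    done

    # hostapd.radius_clients lines are "<AP address> <shared secret>".
    clients=$dir/hostapd.radius_clients
    if [ -f "$clients" ]; then
        short=$(awk -v min="$MIN_SECRET_LEN" \
            'NF >= 2 && $1 !~ /^#/ && length($2) < min { n++ } END { print n + 0 }' \
            "$clients")
        [ "$short" -eq 0 ] || flag "$short shared secret(s) under $MIN_SECRET_LEN characters"
    fi

    # Sample values copied from the post must not reach a live server.
    for sample in 'private_key_passwd=abc123' '"some_strong_password"'; do
        if grep -qsF -- "$sample" "$dir/hostapd_local.conf" "$dir/hostapd.eap_user"; then
            flag "sample value $sample is still in use"
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed demo: a scratch folder holding the post's sample values.
demo=$(mktemp -d)
printf '192.168.1.41 secret\n' > "$demo/hostapd.radius_clients"
printf 'private_key_passwd=abc123\n' > "$demo/hostapd_local.conf"
chmod 755 "$demo"; chmod 644 "$demo"/*
audit_hapd_conf "$demo" || echo "$findings finding(s)"
rm -rf "$demo"
```

On the Pi, drop the demo section and run audit_hapd_conf ~/hapd_conf before starting hostapd.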