FreeRADIUS with only EAP-TLS enabled.
This may be useful if you want to use AES on your WiFi.
docker run -d -p 1812:1812/udp --restart=always -v pki:/etc/raddb/certs -e CLIENT_ADDRESS=... -e CLIENT_SECRET=... -e PRIVATE_KEY_PASSWORD=... evansgp/radius-eap-tls
Keys and certificates are read from /etc/raddb/certs which is exposed as a volume.
Radius is listening on port 1812 UDP.
The following environment variables are used:
- CLIENT_ADDRESS, where to accept connections from (i.e. your AP) (mandatory)
- CLIENT_SECRET, the password shared with your AP (mandatory)
- PRIVATE_KEY_PASSWORD, password for the private key (mandatory)
- PRIVATE_CERT, the filename of the private cert (default: issued/server.crt)
- PRIVATE_KEY, filename of the private key (default: private/server.key)
- CA_CERT, filename of the CA certificate (default: ca.crt)
- DH_FILE, filename of the DH parameters (default: dh.pem)
Running the following will create each file not already present in the volume, prompting for input where required and leaving things in the default locations:
- CA certificate and key
- DH parameters
- Server certificate and key
- Client certificate and key for an entity named
git clone firstname.lastname@example.org:evansgp/docker-radius-eap-tls.git cd docker-radius-eap-tls docker build easyrsa -t easyrsa docker run -it -v pki:/easyrsa/pki easyrsa build-client-full laptop
Repeat for as many clients as you need, supplying a unique name each time. Copy the
private/laptop.key to the client (for e.g.). Some devices require their keys in a different format, for example Android OS, which you can export using:
docker run -it -v pki:/easyrsa/pki easyrsa build-client-full android-phone docker run -it -v pki:/easyrsa/pki easyrsa export-p12 android-phone
private/android-phone.p12 to your device.
Now configure your AP with WPA2 Enterprise, AES, the server IP and client secret.
easy-rsa can quickly generate your certificates and keys.
WARNING WARNING WARNING
This probably isn't secure and will most likely rape your dogs and kill your women.
Look after your PKI.