Using freeRADIUS with cnPilot

freeRADIUS (http://freeradius.org/) is one of the most popular and widely deployed RADIUS servers. It is open source, feature rich, stable, and can be used with cnPilot access points for a variety of authentication and accounting needs.

Installation:

freeRADIUS sources and binaries for a number of platforms can be downloaded from:

http://freeradius.org/download.html

In addition, binaries for Windows (this is an older version with some differences in configuration file syntax and features, but functional for Username/Password as well as 802.1X authentication) can be downloaded from:

http://freeradius.net/Downloads.html

AP Configuration:

The first step is to set up a shared secret that will be used to authenticate packets between the RADIUS clients (cnPilot access points) and the RADIUS server. On the freeRADIUS install this will be in the etc/raddb/clients.conf file in the location where freeRADIUS is installed. Entries can be added for each AP, though it is simpler to add one for the whole subnet, like the example below:

client wifi-APs {
    ipaddr      = 192.168.0.0/16
    secret      = testing123
}

The same shared secret must be configured on the access point as well, when adding the IP address of the RADIUS server under Configuration -> WLAN.

User Configuration:

cnPilot APs can authenticate users on the RADIUS server for multiple security topologies, including MAC authentication, guest-access with username/password, as well as various EAP types for WPA2-Enterprise (802.1x).

No user entries are needed on the AP itself; all the configuration goes in the etc/raddb/users file on freeRADIUS.

The following are example entries for MAC authentication and for guest-access/EAP (username and password):

001a2b89de2d Cleartext-Password := "001a2b89de2d"

myusername Cleartext-Password := "SecretPassword"

The users file is also where specific per-user parameters (for rate limiting or VLAN assignment) can be defined. For instance, to make the user john use VLAN 10 (dynamic VLAN assignment through RADIUS), that user's entry would be as follows:

john Cleartext-Password := "sm!th"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 10

802.1x/EAP configuration:

freeRADIUS automatically enables support for common EAP types and includes a server certificate to get things started.

Customization of EAP settings can be done in etc/raddb/eap.conf or etc/raddb/policy.d/eap, depending on the version of the server, and raddb/certs/README has details on setting up your own certificates.

Troubleshooting:

The freeRADIUS log files contain detailed information on what is going on and will be helpful in debugging any failures. Logs go to the logdir directory as set in etc/raddb/radiusd.conf. The server can also be run in full debug mode in the foreground:

./sbin/radiusd -X
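Alongside running the server with -X, it helps to send a test request from somewhere other than an AP, so that a failure can be pinned on the users entry, the clients.conf secret, or the AP configuration. The script below is an added example (not part of this post, cnPilot, or freeRADIUS): it builds a PAP Access-Request as described in RFC 2865, hides the password with the shared secret, and only trusts a reply whose Response Authenticator was computed with that same secret. It assumes the server listens on UDP 1812 and uses the testing123 secret from the clients.conf example above.

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types

def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    plain = password + b"\x00" * ((-len(password)) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        hidden += prev
    return hidden

def build_access_request(username, password, secret, ident, authenticator):
    """Access-Request carrying User-Name and a hidden User-Password (PAP)."""
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(header, request_authenticator, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()

def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    """Reply as a server holding the same secret would build it (used for offline checks)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(header, request_authenticator, attrs, secret) + attrs

def response_is_authentic(reply, request_authenticator, secret):
    """Reject replies whose Response Authenticator was not computed with our shared secret."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    return reply[4:20] == response_authenticator(reply[:4], request_authenticator, reply[20:], secret)

def check_user(server, username, password, secret, timeout=3.0):
    # Send one PAP Access-Request to UDP 1812 (assumed server port) and classify the reply.
    request_authenticator, ident = os.urandom(16), os.urandom(1)[0]
    request = build_access_request(username.encode(), password.encode(), secret.encode(), ident, request_authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, 1812))
        reply, _ = sock.recvfrom(4096)
    if reply[1] != ident or not response_is_authentic(reply, request_authenticator, secret.encode()):
        return "unauthenticated"  # shared secret mismatch, or a reply not for this request
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"
```

Calling check_user("192.168.1.10", "myusername", "SecretPassword", "testing123") against the users entry above should return "accept"; an "unauthenticated" result points at a secret mismatch between clients.conf and the client rather than at the users file.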

On the AP side, logs can be viewed under Troubleshooting, with Events containing high-level logs (whether a connection has failed or succeeded) and Debug Logs containing additional debugging information.
