This document describes how to configure and use Remote Authentication Dial-In User Service (RADIUS) Authentication on the Wi-SUN Border Router. RADIUS allows centralized authentication of Wi-SUN nodes attempting to join a Field Area Network (FAN), enhancing security by integrating with existing authentication infrastructures.

Configure RADIUS on XBee Hive for Wi-SUN

RADIUS authentication can be configured via the web UI or the command line.

When the method of authentication for the XBee Hive for Wi-SUN is configured for RADIUS, other methods of authentication are disabled.

Configure via Web UI

  1. Go to Wi-SUN Border Router > Authorization > Method.

  2. Set the Method to RADIUS.

  3. Navigate to Wi-SUN Border Router > Authorization > RADIUS.

  4. Configure the following settings:

    • RADIUS Host: The hostname or IP address of the RADIUS server.

    • Secret: The shared secret used to authenticate XBee Hive for Wi-SUN with the RADIUS server.

  5. Click APPLY to save the settings.

Configure via command line

  1. At the command line prompt, enter config mode.

    > config
    (config)>

  2. Set auth method to RADIUS.

    (config)> wisun auth method radius

  3. Configure the hostname or IP address of the RADIUS server.

    (config)> wisun auth radius host 192.168.86.42

  4. Configure the shared secret used to authenticate XBee Hive for Wi-SUN with the RADIUS server.

    (config)> wisun auth radius secret mysecret

  5. Save settings.

    (config)> save
    Configuration saved.
    >

Set up a RADIUS server

Setting up a RADIUS server can be challenging. Below is an example of how to set up a RADIUS server using FreeRADIUS. This example was verified using FreeRADIUS Version 3.2.1.

Prerequisites

  • FreeRADIUS installed and running (e.g., via apt-get install freeradius).

  • Certificates and keys for the Wi-SUN Border Router and Certificate Authority (CA).

Install and place certificates and keys

Place the following files in /etc/freeradius/3.0/certs/ or a preferred secure directory.

  • RADIUS server private key: server_key.pem

  • RADIUS server certificate: server_cert.pem

  • CA certificate: ca_cert.pem

Configure RADIUS clients

Add the Wi-SUN Border Router as an authorized client in /etc/freeradius/3.0/clients.conf.

client border-router {
    # IP address range allowed to connect as a client (e.g., the Border Router)
    ipaddr = 192.168.0.0/16

    # Shared secret for mutual authentication between the Border Router and RADIUS server
    secret = wisunsecret
}

Adjust ipaddr to match your Border Router’s network/subnet and set a strong secret value. The secret must be the same value that is configured on the XBee Hive for Wi-SUN.

Configure EAP-TLS

Configure EAP-TLS parameters in /etc/freeradius/3.0/mods-enabled/eap to align with Wi-SUN security requirements.

eap {
    default_eap_type = tls

    # Wi-SUN networks may require longer time for EAP exchanges
    timer_expire = 3600

    tls-config tls-common {
        # Private key and certificate for RADIUS server
        private_key_file = /etc/freeradius/3.0/certs/server_key.pem
        certificate_file = /etc/freeradius/3.0/certs/server_cert.pem

        # Trusted Certificate Authority (CA) for validating clients
        ca_file = /etc/freeradius/3.0/certs/ca_cert.pem

        # Avoid automatic certificate chains to prevent client-side validation issues
        auto_chain = no

        # Fragment size to ensure RADIUS packets fit within IEEE 802.15.4 frames (Wi-SUN requirement)
        fragment_size = 1024

        # Cipher suites enforced by Wi-SUN specification
        cipher_list = "ECDHE-ECDSA-AES128-CCM8"
        ecdh_curve = "prime256v1"
    }

    tls {
        tls = tls-common
    }
}

Restart FreeRADIUS service

Apply the new configuration.

sudo systemctl reload freeradius

Notes and recommendations

  • The fragment_size setting is important to ensure that large EAP messages can be transmitted over the Wi-SUN network, which relies on IEEE 802.15.4 frame sizes.

  • The timer_expire value is set higher than default to accommodate longer handshake times in Wi-SUN mesh networks.

  • Ensure that cipher_list and ecdh_curve match what is supported by both the Border Router and Wi-SUN nodes, following Wi-SUN FAN security standards.

  • Protect sensitive files like clients.conf and certificate/key files with proper file permissions.
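
The advice above on a strong secret, a narrow ipaddr and file permissions can be checked before the server goes live. The following is an added example, not part of the original page or of FreeRADIUS: the function names, the two thresholds and the second client block are assumptions made for illustration, and the parser handles only flat client blocks with IPv4 addresses.

```python
import ipaddress
import os
import re
import stat

# Secrets printed on this page, plus FreeRADIUS's stock "testing123": all public.
KNOWN_SECRETS = {"wisunsecret", "mysecret", "testing123"}
MIN_SECRET_LEN = 16  # assumed policy threshold, not a FreeRADIUS or Wi-SUN rule
MIN_PREFIX_LEN = 24  # assumed: IPv4 ranges wider than a /24 are flagged

CLIENT_RE = re.compile(r"^[ \t]*client[ \t]+(\S+)[ \t]*\{(.*?)^[ \t]*\}", re.S | re.M)
KV_RE = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*(\S+)", re.M)

def audit_clients(conf_text):
    """Return (client, issue) pairs for flat 'client name { ... }' blocks."""
    findings = []
    for name, body in CLIENT_RE.findall(conf_text):
        opts = dict(KV_RE.findall(body))
        secret = opts.get("secret", "").strip('"')
        if secret in KNOWN_SECRETS:
            findings.append((name, "secret is a published example value"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, "secret is shorter than %d characters" % MIN_SECRET_LEN))
        # IPv4 literal or CIDR assumed; a missing ipaddr is treated as "any".
        net = ipaddress.ip_network(opts.get("ipaddr", "0.0.0.0/0"), strict=False)
        if net.prefixlen < MIN_PREFIX_LEN:
            findings.append((name, "ipaddr %s admits %d addresses" % (net, net.num_addresses)))
    return findings

def other_accessible(paths):
    """Return the existing paths whose mode grants any bit to 'other' users."""
    return [p for p in paths
            if os.path.exists(p) and stat.S_IMODE(os.stat(p).st_mode) & 0o007]

# Constructed sample: the page's client block beside a tightened, made-up one.
SAMPLE = """
client border-router {
    ipaddr = 192.168.0.0/16
    secret = wisunsecret
}
client border-router-single-host {
    ipaddr = 192.168.86.10/32
    secret = 8fQ2vLx0pZr7Jm4TnKc1Wd9YbHs6Ue3A
}
"""

if __name__ == "__main__":
    for client, issue in audit_clients(SAMPLE):
        print(client + ": " + issue)
    print(other_accessible(["/etc/freeradius/3.0/clients.conf",
                            "/etc/freeradius/3.0/certs/server_key.pem"]))
```

Run it as a user that can read the FreeRADIUS directory. An empty findings list and an empty path list mean neither check fired.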

Additional testing and verification

To verify that FreeRADIUS is running and listening on UDP port 1812 (the RADIUS default port), run:

sudo ss -unlp | grep freeradius

To run FreeRADIUS in debug mode (helpful for troubleshooting):

sudo systemctl stop freeradius
sudo freeradius -X

This displays detailed logs of the authentication process, which helps when diagnosing issues.