Raspberry Pi
For a while now I’ve been looking at the single board computers after I began looking into replacing my ageing servers, which aren’t exactly being used to their full capacity but they’re really loud and big which means that I can’t easily move them around if needed.
I also moved to a small one bedroom apartment which means that it’s somewhat more difficult to have the servers here, though I’m thinking about where to set them up. So looking into smaller hardware I stumbled upon the Raspberry Pi hardware back when the Model B was the latest but I just couldn’t justify owning one.
A couple of weeks back I heard about Ubiquiti, just around the time I was thinking that I needed to upgrade my hardware from the Linksys WRT54GH that I was using at the time. This small router just wasn’t cutting it anymore. Further looking into the Ubiquiti UniFi hardware it was aparent that I did need to have the UniFi Controller running all the time and also wanted to setup WPA2 Enterprise security for the WiFi, so now I did have the reason to own a Raspberry Pi and the model 3 had just been recently released.
Setting up the Raspberry Pi Model 3
There are several HowTo posts on installing the Raspian OS on this computer so I won’t go into detail, I went with the headless setup route as I don’t need a desktop running on this device.
Downloading the latest Raspian OS Lite from the Raspberry Pi site.
Then writing it to the Micro SD card via Win32 Disk Imager.
Everyone will recommend using a Class 10 or better Micro SD card but all I have right now is a 32GB Class 4, it’s a bit slow but not so slow that just kills the experience, but will be replacing it with a faster card at a later point.
Once the image is written to the memory card just insert it into the Raspberry Pi and connect it to the power supply and let it boot. The boot up time is rather quick so not much of a waiting period.
Assuming you have access to your router and DHCP setup then it shouldn’t be too difficult to obtain the IP address so that you can SSH into the device. The default setup has the username pi and the password is raspberry and then the first step is to finish configuring the base of the system by running the command sudo raspi-config.
The base configuration changes I did was to expand the file system so that the whole storage space of the Micro SD card. After that change the user by creating a new user and removing the user pi, to add the user you’ll need to go through the adduser command like any other system and then through the raspi-config utility you can remove the pi user.
Once this is done you can proceed with setting up the rest of the system.
Freeradius
For the WPA2 Enterprise, a RADIUS server is required so for this setup I went with the Freeradius server as it’s free and not too difficult to setup.
For starters run the apt-get update to update the repositories in the Raspberry Pi.
Installation of the server is also straight forward by running the apt-get install freeradius.
I’ll delve into the configuration specifics in another post.
MySQL
There are different options to store the user credentials that are used by the Freeradius server to authenticate the users. The simple one is to go with a plain text file, another option is to go with the MySQL database, and an even more advanced is to go with LDAP server.
In this instance I went with the MySQL database because of the simplicity of setting it up and just adding the users.
Because of the different methods that Freeradius allows for communicating between the device that requests the authentication and the the RADIUS server, not all of them allow for the passwords to be encrypted, which can be a huge issue depending on your paranoia and setup. You can store the passwords in plain text for more compatability between protocols or you can implement the encryption that MySQL has integrated to store the values and then change the commands used by Freeradius to make the queries.
I will also delve into this subject in a separate post as it makes it easier to dedicate a post to that setup. I’m looking into expanding the setup to include VPN so I might switch over to LDAP instead of MySQL.
Ubiquiti UniFi Controller
If you’re setting up the UniFi Access Point with just WPA2 Personal then you don’t need to have the UniFi Controller running all the time but having it available allows for several management features.
The installation is pretty simple as Ubiquiti has the deb packages in a repository that can be added to the aptitude configuration. They also offer the option to download the deb package directly from the site but that doesn’t give the option to easily update it through aptitude package manager.
Once installed and configured the rest of the seetup is done via the web browser from any other computer that has access to the Raspberry Pi.
SSL Certificates
I would recommend getting SSL certificates, either self signed or provided by a Certificate Authority, to replace those that come by default with Freeradius and UniFi Controller, not only to eliminate the certificate warning in the web browser but to also control the certificates.
I used the StartSSL, which they have free SSL certificates that can be easily generated and can be used for up to 5 hosts per certificate. Though at first I generated one certificate to use for all of the devices in my network, it would be best, and I’ll be changing that later on, practice to have a different certificate per device.
Just for the Raspberry Pi setup you’ll need two certificates, though you can easily get away with just one, so that you use one for the UniFi Controller web management page and one for the Freeradius authentication. If you’re going to be setting up a web server on this device then you would also want to get another SSL certificate for that role.
For the installation of the certificates, the most complex one will be the UniFi Controller as it uses a Keystore for the storage of the files and that needs to be created, I had to use a tool in Windows to create the Keystore. This same process is done for the EdgeRouter Lite.
For the creation of the keystore I used KeyStore Explorer and the password is aircontrolenterprise.
This setup is working for my small network and can be easily expanded to maintain more than one UniFi Access Point but if more resources are needed then you can either go with one or more UniFi Cloud Key or install the Unifi Controller software on a VPS.
