1. Overview
By default, WSL 2 creates a lightweight VM and places your Linux environment behind a NAT. This allows you to access services via localhost on Windows, but it prevents external devices from reaching your WSL instance directly. To fix this, you must configure WSL to use a bridged network interface. That way, WSL shares a physical network interface with Windows and can obtain an IP address on the same LAN as your Cisco lab devices.
2. Create or Modify .wslconfig
- On your Windows system, create (or edit if it already exists) a file named .wslconfig in your user profile directory (usually C:\Users\<YourUserName>\.wslconfig).
- Add the following lines to configure WSL 2 to use a bridged networking mode:

    [wsl2]
    networkingMode=bridged
    vmSwitch=ExternalLANBridge

- Once finished, restart WSL (and possibly your computer) for changes to take effect.

- networkingMode: Set to bridged.
- vmSwitch: Specify the name of the virtual switch (e.g., ExternalLANBridge).
3. Create a Virtual Switch in Windows
If you do not already have an external virtual switch, you can create one using a PowerShell script. This switch will bridge your physical Ethernet adapter and allow the WSL VM to receive an IP address on the same LAN.
A sample PowerShell script might look like this:
    # Check if the ExternalLANBridge switch already exists
    if (!(Get-VMSwitch -Name "ExternalLANBridge" -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name "ExternalLANBridge" -NetAdapterName "<YourEthernetAdapterName>" -AllowManagementOS $true
    }
4. Configure a Static IP in WSL on Startup
When WSL starts, it will attach to the ExternalLANBridge you created. However, you will likely want a static IP so that your Cisco equipment can always reach the FreeRADIUS server at the same address.
- Create a script (e.g., script.sh) inside WSL that will set the static IP. For example:

    #!/usr/bin/env bash
    # Flush existing addresses
    ip addr flush dev eth0
    # Assign a static address (include the prefix length, e.g. /24;
    # without one, ip assigns a /32 and the LAN is not on-link)
    ip addr add <WSL-Static-IP> dev eth0

- Make the script executable:

    chmod +x /home/<user>/bin/script.sh

- Allow the script to run without asking for a password. Edit your sudoers file using visudo:

    <user> ALL=(ALL) NOPASSWD: /home/<user>/bin/script.sh

- Configure a startup process that runs this script each time WSL launches (e.g., by placing it in your profile, or using other mechanisms like systemd if you’ve enabled it in WSL).
5. Install FreeRADIUS
- Update your package

    sudo apt update

- Install FreeRADIUS and related

    sudo apt install freeradius freeradius-utils

- Check the status of FreeRADIUS:

    sudo systemctl status freeradius
6. Configure FreeRADIUS
6.1 Edit the Users File
- Open /etc/freeradius/3.0/users.
- Add your test user (or multiple users) with the appropriate credentials. For example:

    username Cleartext-Password := "password"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

  - username: the user login
  - Cleartext-Password: the user’s password
  - shell:priv-lvl=15: grants privileged (enable) mode on Cisco devices
6.2 Edit the Clients Configuration
- Open /etc/freeradius/3.0/clients.conf.
- Add an entry for your Cisco switch or router:

    client cisco-switch {
        ipaddr = <switch-ip>
        secret = <shared-secret>
        nas_type = cisco
    }

  - <switch-ip>: the IP address of your Cisco device
  - <shared-secret>: the secret key matching what you set on the Cisco side
7. Configure Cisco for RADIUS
On your Cisco device, run the following commands:
enable
configure terminal
aaa new-model
radius-server host <radius-server-ip> auth-port 1812 acct-port 1813 key <shared-secret>
aaa authentication login default group radius local
aaa authentication login CONSOLE group radius local
aaa authorization exec default group radius local
- <radius-server-ip>: Use the static IP you assigned to WSL.
- <shared-secret>: Must match the one in your clients.conf.
There is also the newer RADIUS configuration model, which is configured like this:
aaa new-model
radius server <Name_of_radius_server>
 address ipv4 <radius-server-ip> auth-port 1812 acct-port 1813
 key <shared-secret>
aaa group server radius <Name_of_group>
 server name <Name_of_radius_server>
aaa authentication login default group <Name_of_group> local
aaa authorization exec default group <Name_of_group> local
Make sure your keys are stored in plaintext.
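Why the <shared-secret> on the Cisco device has to match the one in clients.conf, as an added example (not part of the original post and not FreeRADIUS or Cisco code): it implements the RFC 2865 User-Password hiding and Response Authenticator check that both sides compute from the shared secret. The secrets and the Request Authenticator below are constructed sample values.

```python
import hashlib
import hmac
import struct

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: what the NAS (the Cisco device) puts in User-Password."""
    size = max(16, (len(password) + 15) // 16 * 16)  # pad to 16-byte blocks
    padded, out, prev = password.ljust(size, b"\x00"), b"", req_auth
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """What the RADIUS server recovers using the secret from clients.conf."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def cisco_avpair(text: bytes) -> bytes:
    """Vendor-Specific (26), vendor 9 (Cisco), sub-type 1 (Cisco-AVPair)."""
    value = struct.pack("!I", 9) + bytes([1, len(text) + 2]) + text
    return bytes([26, len(value) + 2]) + value

def build_reply(code: int, ident: int, req_auth: bytes, attrs: bytes,
                secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(header+ReqAuth+attrs+secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator with its own key."""
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)

# Constructed sample values (a real Request Authenticator is 16 random bytes).
REQ_AUTH = bytes(range(16))
SERVER_SECRET = b"lab-shared-secret"  # stands in for <shared-secret> in clients.conf
TYPO_SECRET = b"lab-shared-secreT"    # a mistyped key on the Cisco side

if __name__ == "__main__":
    hidden = hide_password(b"password", TYPO_SECRET, REQ_AUTH)
    print("server decodes:", unhide_password(hidden, SERVER_SECRET, REQ_AUTH))
    avp = cisco_avpair(b"shell:priv-lvl=15")
    accept = build_reply(2, 1, REQ_AUTH, avp, SERVER_SECRET)  # 2 = Access-Accept
    print("NAS accepts reply:", reply_is_authentic(accept, REQ_AUTH, TYPO_SECRET))
```

With mismatched secrets the server decodes a garbage password and rejects the login, and the device discards any reply whose authenticator it cannot reproduce.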
8. Optional: 802.1X, PEAP, and MSCHAP
If you wish to use more advanced security (e.g., 802.1X, PEAP, and MSCHAP) in your environment, you need to configure those protocols in both FreeRADIUS and on your Cisco devices. This involves:
- Installing any required EAP modules in FreeRADIUS (often installed by default).
- Configuring eap.conf in /etc/freeradius/3.0/mods-enabled/.
- Adjusting your Cisco switch or router to handle 802.1X on specific interfaces.
It has been quite a few months since this blog post was written, and Windows has made some updates involving the WSL networking modes that make this process simpler.
