
Setting up WPA2-Enterprise with RADIUS

Alastair Grant | Saturday 4 November 2017

The recent KRACK attack has once again got me thinking about wifi security, and with my recent change to a Ubiquiti UniFi access point, I thought I'd get round to implementing WPA2-Enterprise with RADIUS.

WPA2-Enterprise is just as vulnerable to the KRACK attack as WPA2-Personal, but there are other benefits to using Enterprise.  The main difference is that you don't have a single shared encryption key - each client can have its own username and password (or digital certificate) to authenticate.  This means that compromising the credentials of one device doesn't give you access to another.

In order to handle authentication you need to use a RADIUS server - RADIUS is a simple protocol for accepting some credentials and returning an authentication result.  FreeRADIUS is arguably the de facto implementation and is, unsurprisingly, free.  I have no idea why this isn't bundled with domestic access points given the advantages.

The big bonus for me in terms of RADIUS is the ability to distribute a VLAN to wireless clients.  This means I can segregate off my more sensitive equipment like my NAS and PC from untrustworthy things like my TV and set-top-box.

So on to it.  I, as usual, am using openSUSE, which reduces a lot of the donkey work.

Installing

zypper install freeradius-server

That was easy.

Configuring RADIUS

Edit /etc/raddb/mods-enabled/eap

EAP-PWD authenticates with a username and password; it's simple and secure.  Enable it by uncommenting the pwd section so that it looks something like this:

pwd {
  group = 19
  server_id = myserver@mydomain
  fragment_size = 1020
  virtual_server = "inner-tunnel"
}

Scroll down until you find the peap section and set use_tunneled_reply = yes.  Otherwise PEAP connections don't get their VLAN information and end up on your management VLAN!

You will also need to set up X.509/TLS certificates so that clients can authenticate your RADIUS server.  Follow the instructions in /etc/raddb/certs/README.  If you already have a CA and server certificate, just use those.

Allowing access to your Access Point

RADIUS views a client as the device doing the authentication work, and not the end-device.  So in this instance, it's the wireless access point.

In the /etc/raddb/clients.conf file, add an entry with relevant details, e.g.

client myaccesspoint {
   ipaddr = 192.168.0.55
   secret = secretforaccesspointonly
}

Defining Users

There are plenty of ways to store credentials, such as LDAP/AD or SQL databases.  Or you can just use a file: /etc/raddb/users.  The format is simple:

# first line: username and check items; indented lines: reply items sent back to the AP
# Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID = VLAN ID
bob   Cleartext-Password := "my-wifi-password"
        Reply-Message := "Hello, %{User-Name}",
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 100
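A user whose reply lacks the full Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple is not placed on a VLAN by the access point, so it is worth auditing the users file before pointing the AP at the server. The following is an added example, not part of the original post or of FreeRADIUS: a small parser for the users file format plus a VLAN audit, run over a constructed sample file.

```python
import re

# Constructed sample in the /etc/raddb/users format (not the page's file).
SAMPLE_USERS = """\
bob   Cleartext-Password := "my-wifi-password"
        Reply-Message := "Hello, %{User-Name}",
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 100
# alice has no VLAN attributes at all
alice Cleartext-Password := "another-password"
        Reply-Message := "Hi alice"
# tv has an incomplete triple: Tunnel-Type is missing
tv    Cleartext-Password := "tv-password"
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 200
"""

# attribute, operator, value; quoted values may contain commas and %{...}
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|\+=|!=|=~|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')
VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")

def parse_users(text: str) -> dict:
    """Parse entries into {user: {"check": {attr: value}, "reply": {attr: value}}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments (not inside quotes)
        if not line.strip():
            continue
        items = [(a, v.strip('"')) for a, _, v in ITEM_RE.findall(line)]
        if not raw[0].isspace():                       # column 0 starts a new entry
            current = entries.setdefault(line.split()[0], {"check": {}, "reply": {}})
            current["check"].update(items)             # check items (password etc.)
        elif current is not None:                      # indented lines are reply items
            current["reply"].update(items)
    return entries

def vlan_audit(entries: dict) -> list:
    """Return one finding per user whose reply would not place the client on a VLAN."""
    findings = []
    for user, entry in entries.items():
        reply = entry["reply"]
        missing = [a for a in VLAN_ATTRS if a not in reply]
        if len(missing) == len(VLAN_ATTRS):
            findings.append(f"{user}: no VLAN attributes, client lands on the AP default VLAN")
        elif missing:
            findings.append(f"{user}: incomplete VLAN triple, missing {', '.join(missing)}")
        elif reply["Tunnel-Type"] not in ("13", "VLAN") or reply["Tunnel-Medium-Type"] not in ("6", "IEEE-802"):
            findings.append(f"{user}: Tunnel-Type must be 13 (VLAN), Tunnel-Medium-Type 6 (IEEE-802)")
    return findings
```

Calling vlan_audit(parse_users(open("/etc/raddb/users").read())) on a real file reports every user that would fall through to the default VLAN; the parser ignores a '#' inside a quoted value, so keep comments on their own lines.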

The final step is to configure your wireless access point to use WPA2-Enterprise, and set the RADIUS server to the IP address of your newly configured server along with your new shared secret.

Breaking from the voyeuristic norms of the Internet, any comments can be made in private by contacting me.