Setting up WPA2-Enterprise with RADIUS
The recent KRACK attack has once again got me thinking about wifi security, and with my recent change to a Ubiquiti UniFi access point, I thought I'd get round to implementing WPA2-Enterprise with RADIUS.
WPA2-Enterprise is just as vulnerable to the KRACK attack as WPA2-Personal, but there are other benefits of using Enterprise. The main difference is that there is no single pre-shared key: each client authenticates with its own username and password (or digital certificate) and derives its own session keys from that authentication. This means that recovering the credentials of one device does not give an attacker access as any other device, and a single credential can be revoked without re-keying every device on the network.
In order to handle authentication you need a RADIUS server. RADIUS itself is a simple protocol: the access point forwards the client's credentials (for WPA2-Enterprise, wrapped in EAP) and the server answers with an accept or reject, optionally carrying extra attributes. FreeRADIUS is arguably the de facto implementation and is, unsurprisingly, free. I have no idea why this isn't bundled with domestic access points given the advantages.
The big bonus for me is dynamic VLAN assignment: the RADIUS reply can tell the access point which VLAN to put each wireless client on. This means I can segregate off my more sensitive equipment like my NAS and PC from untrustworthy things like my TV and set-top-box.
So on to it. I, as usual, am using openSUSE, which reduces a lot of the donkey work.
Installing
zypper install freeradius-server
That was easy.
Configuring RADIUS
Edit /etc/raddb/mods-enabled/eap
EAP-pwd authenticates with a username and password using a password-authenticated key exchange, so the password itself is never sent over the air. It's simple and secure, although it needs the password stored in cleartext on the server (hence the Cleartext-Password entries below) and not every client supports it; Windows, for example, needs PEAP instead. Enable it by uncommenting the pwd section to look something like this:
    pwd {
        group = 19
        server_id = myserver@mydomain
        fragment_size = 1020
        virtual_server = "inner-tunnel"
    }
Scroll down until you find the peap section and set use_tunneled_reply = yes (the ttls section has the same setting). Without it the reply attributes from the inner tunnel, including the VLAN, are not copied into the outer Access-Accept, so PEAP connections don't get their VLAN information and land up going onto your management VLAN!
You will also need to set up X.509/TLS certificates so that clients can authenticate your RADIUS server. Follow the instructions in /etc/raddb/certs/README. If you already have a CA and server certificate, just use those. Make sure the clients are configured to validate that certificate against the CA, otherwise a rogue access point with its own RADIUS server can harvest credentials.
Allowing access to your Access Point
RADIUS calls the device that talks to the RADIUS server the client (the NAS, or Network Access Server), not the end device. So in this instance, it's the wireless access point.
In the /etc/raddb/clients.conf file, add an entry with the relevant details. Use a long random secret (openssl rand -base64 24 will do): the shared secret is what authenticates the access point to the server and hides the User-Password attribute, so it deserves the same care as any other key. E.g.
    client myaccesspoint {
        ipaddr = 192.168.0.55
        secret = secretforaccesspointonly
    }
Defining Users
There are plenty of ways to store credentials, such as LDAP/AD or an SQL database, or you can just use a file: /etc/raddb/users. The format is simple: the first line names the user and its check items, and the indented lines that follow are reply attributes, separated by commas:
    bob    Cleartext-Password := "my-wifi-password"
           Reply-Message := "Hello, %{User-Name}",
           Tunnel-Type = 13,
           Tunnel-Medium-Type = 6,
           Tunnel-Private-Group-ID = 100
The three Tunnel attributes (RFC 2868) are what carries the VLAN: Tunnel-Type 13 means VLAN, Tunnel-Medium-Type 6 means IEEE-802, and Tunnel-Private-Group-ID is the VLAN ID itself. FreeRADIUS also accepts the names VLAN and IEEE-802 in place of the numbers.
Before touching the access point, run radiusd -X in the foreground so you can watch every request and reply as you test. radtest bob my-wifi-password 127.0.0.1 0 testing123 checks the users entry over PAP using the localhost client that ships in the default clients.conf, although it doesn't exercise EAP.
The final step is to configure your wireless access point to use WPA2-Enterprise, and set the RADIUS server to the IP address of your newly configured server (UDP port 1812) along with the shared secret you put in clients.conf.
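To show what actually crosses the wire between the access point and FreeRADIUS, here is an added example (my own code, not from the original post or the FreeRADIUS project) of one RADIUS round trip per RFC 2865 and RFC 2868. It builds the PAP Access-Request that a NAS or radtest would send for the user bob, decrypts the hidden password the way the server does, then parses a server reply that is constructed locally (there is no network I/O and no real server) carrying the same three VLAN attributes as the users entry above, checking its Response Authenticator against the shared secret from clients.conf before trusting the VLAN. The PAP path is what radtest uses; a wireless client would send EAP instead, but the packet framing, the secret-based authenticators and the tagged VLAN attributes are the same.

```python
# Added example (not from the original post): a RADIUS Access-Request /
# Access-Accept round trip per RFC 2865/2868, with no network I/O.  The
# "server" reply is constructed locally with the VLAN attributes from the
# post's users entry; the user, password, secret and VLAN are the post's.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_VLAN, MEDIUM_IEEE_802 = 13, 6   # the 13 and 6 in the users entry


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt (what the server does before checking the password)."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(pkt: bytes) -> dict:
    """Attributes start after the 20-byte header (code, id, length, authenticator)."""
    pos, out = 20, {}
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        out[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return out


def untag(value: bytes) -> bytes:
    """RFC 2868 tagged attributes: a leading byte 0x00..0x1F is the tag."""
    return value[1:] if value and value[0] <= 0x1F else value


def build_access_request(user: str, password: str, secret: bytes, ident: int = 1):
    """What a NAS (or radtest) sends for a PAP login. Returns (packet, authenticator)."""
    req_auth = os.urandom(16)   # must be unpredictable: it keys the password hiding
    attrs = attr(USER_NAME, user.encode()) + \
        attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, req_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def build_access_accept(req_auth: bytes, secret: bytes, vlan: int, ident: int = 1) -> bytes:
    """Constructed server reply carrying the three VLAN attributes with tag 0."""
    attrs = (attr(TUNNEL_TYPE, b"\x00" + TUNNEL_VLAN.to_bytes(3, "big"))
             + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + MEDIUM_IEEE_802.to_bytes(3, "big"))
             + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_and_extract_vlan(reply: bytes, req_auth: bytes, secret: bytes):
    """NAS side: reject replies that don't prove knowledge of the shared secret,
    then pull the VLAN id out of the tunnel attributes. None if not an Accept."""
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if reply[4:20] != expected:
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    if reply[0] != ACCESS_ACCEPT:
        return None
    a = parse_attrs(reply)
    ttype = int.from_bytes(untag(a[TUNNEL_TYPE]), "big")
    medium = int.from_bytes(untag(a[TUNNEL_MEDIUM_TYPE]), "big")
    if (ttype, medium) != (TUNNEL_VLAN, MEDIUM_IEEE_802):
        raise ValueError("tunnel attributes present but not a VLAN assignment")
    return int(untag(a[TUNNEL_PRIVATE_GROUP_ID]).decode())


def demo(user="bob", password="my-wifi-password",
         secret=b"secretforaccesspointonly", vlan=100):
    """Full exchange: NAS request -> server checks the password -> tagged VLAN reply."""
    request, req_auth = build_access_request(user, password, secret)
    if pap_decrypt(parse_attrs(request)[USER_PASSWORD], secret, req_auth) != password.encode():
        raise ValueError("server would reject: password mismatch")
    reply = build_access_accept(req_auth, secret, vlan)
    return verify_and_extract_vlan(reply, req_auth, secret)


if __name__ == "__main__":
    print("client bob would be placed on VLAN", demo())
```

Two things in this exchange are worth noticing. Only the User-Password attribute is hidden, and only with an MD5-based stream keyed by the shared secret, which is why the secret in clients.conf should be long and random. And the access point accepts the VLAN assignment purely on the strength of the Response Authenticator, so a wrong or weak secret is the difference between a trusted reply and a forged one; the verify step above rejects a reply built with any other secret.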