15
RADIUS Secured and Authenticated WiFi Robert Leahy Charles Bodman Brandon Ellis
RADIUS Secured andAuthenticated WiFi
Robert LeahyCharles Bodman
Brandon Ellis
Setup
• D-Link DIR-825 Wireless Access Point, Hardware Revision B1, Firmware Version 2.03NA
• Tablet running Windows 7 (WiFi client)• Server (VMWare Workstation) running CentOS
5.5 x64 and FreeRADIUS 2
Configuration
Your FreeRADIUS 2 installation must be configured to use EAP.You must generate certificates for the server (ideally these would be trusted and signed, but self-signed can be used if you either bypass server authentication (bad) or install the certificate for the server on all clients (inconvenient)).You must configure a secret for the access point, and setup a user account.
Configuration
User account is created in /etc/raddb/users
Configuration
Secret is setup in /etc/raddb/clients.conf
Configuration
AP must be set to use WPA-Enterprise, and secret/server IP must be entered:
Configuration
In order to set Windows up to use WPA-Enterprise – unless you’re logging on with domain credentials with a properly-signed certificate (we’re not) – you have to do some fiddling.To get to these options, you right-click your wireless network and go to Properties.
Configuration
This is your first stop. In here you setup your security type (discussed earlier) and encryption type (if your router is setup to use both, choose either). You need to select PEAP (if it’s not already), and then go into Settings…
Configuration
…in here you need to turn of validation of the server certificate (since it’s self-signed and we’re not installing it as trusted). You then need to hit Configure and turn off automatically using Windows credentials…
Configuration
…once this is done we can go back to the first menu and go into Advanced Settings…
Configuration
…here we need to Replace Credentials and enter our WiFi credentials, and then we can connect!
Connecting
With configuration done, we just click Connect on the network as per usual.
Connecting
We can monitor the RADIUS operation by running FreeRADIUS (radiusd) with the -X switch
Advantages of RADIUS
In a typical WiFi network – using a pre-shared key (PSK) – the network is secure against others, but each person on the network is not secure against the others due to the shared nature of the key.
RADIUS authentication obviates this issue, by providing per user authentication, and per user encryption.
