
How To: Setting up FreeRADIUS for WPA & WPA2 Enterprise - Part 2

Page 1 of 9

Introduction

Update 11/19/2007: Updated with the X509v3 extensions for Windows.

Wireless Defense - Image by Ryan Dallas

In Part 1, we covered the concepts behind how industrial-strength WPA2-Enterprise security works and why it matters for the security of your wireless network. In this article we'll show you how to implement WPA2-Enterprise with FreeRADIUS.

Equipment and Software Setup

Before we get into the nitty gritty of setting up your own CA and your public and private keys, here's the rundown on the equipment and software I'll be using and the typeface conventions I'll be following for the code listings.

When we're talking about setting up an industrial-strength security implementation, Linux is the natural choice. I've tried to make this How To as general as I can, but you'll have to be aware of the little distro-to-distro differences. So I've included my setup in Table 1.

Table 1: My Setup

Component           Value
Distribution        Slackware 10.2
Kernel              2.6.21 Series (Custom Compiled)
OpenSSL Version     0.9.8g
FreeRADIUS Version  1.1.7
Wireless Router/AP  D-Link DGL-4300

I'm going to compile everything from source, which will work on every distro. But I recommend you use your distro's package management software, such as APT or Portage, if you are familiar with it (it will make the installation that much easier).

It is very important that you use at least version 0.9.8g of OpenSSL, which was released just a few weeks before this How To was published. You'll need this version or higher because some of the options we need to use didn't appear until the 0.9.8g release.
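Because 0.9.8g is a hard minimum, here is an added check (example script written for this edit, not part of the original How To) that parses the output of openssl version and fails when the installed release is older. The function names and the way the version string is broken into fields are my own; the only value taken from the article is the 0.9.8g minimum.

```shell
#!/bin/sh
# Added example (not part of the original How To): verify that the OpenSSL found
# in PATH is at least the 0.9.8g the article requires. The parsing approach and
# the function names are assumptions of this example, not settings from the page.

MIN_OPENSSL="0.9.8g"

# Pull the bare version out of a full `openssl version` line,
# e.g. "OpenSSL 0.9.8e 23 Feb 2007" -> "0.9.8e"
openssl_version_from_line() {
    set -- $1
    printf '%s' "$2"
}

# Turn a version such as "0.9.8g" into a fixed-width key that sorts correctly
# as a plain string: "000.009.008.007". The trailing letter becomes 1..26
# (a=1, b=2, ...); a version with no letter gets 0 in that position.
openssl_version_key() {
    nums=$(printf '%s' "$1" | sed 's/[a-z]*$//')
    letter=$(printf '%s' "$1" | sed 's/^[0-9.]*//')
    major=$(printf '%s' "$nums" | cut -d. -f1)
    minor=$(printf '%s' "$nums" | cut -s -d. -f2)
    patch=$(printf '%s' "$nums" | cut -s -d. -f3)
    if [ -z "$letter" ]; then
        suffix=0
    else
        # printf "'c" yields the character code of c; 'a' is 97, so a -> 1
        suffix=$(( $(printf '%d' "'$letter") - 96 ))
    fi
    printf '%03d.%03d.%03d.%03d' "${major:-0}" "${minor:-0}" "${patch:-0}" "$suffix"
}

# Succeed (exit 0) when version $1 is the same as or newer than version $2
openssl_version_ge() {
    have=$(openssl_version_key "$1")
    want=$(openssl_version_key "$2")
    [ "$have" = "$want" ] && return 0
    # The zero-padded keys compare correctly with a plain lexical sort, so
    # whichever key sorts first is the older version
    older=$(printf '%s\n%s\n' "$have" "$want" | sort | head -n 1)
    [ "$older" = "$want" ]
}

# Run the check against the openssl binary actually installed on this machine
check_installed_openssl() {
    line=$(openssl version 2>/dev/null) || {
        echo "openssl was not found in PATH" >&2
        return 2
    }
    ver=$(openssl_version_from_line "$line")
    if openssl_version_ge "$ver" "$MIN_OPENSSL"; then
        echo "OK: OpenSSL $ver meets the minimum $MIN_OPENSSL"
    else
        echo "Too old: OpenSSL $ver, need at least $MIN_OPENSSL" >&2
        return 1
    fi
}

# Usage: sh check_openssl.sh --check
if [ "${1:-}" = "--check" ]; then
    check_installed_openssl
fi
```

Run it as sh check_openssl.sh --check before building FreeRADIUS; it exits 1 when OpenSSL is too old and 2 when no openssl binary is in PATH, so the same function can gate a build script. The letter suffix is compared on purpose: 0.9.8e, the release shown in the output examples below, is rejected, while 0.9.8g and anything newer pass.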

Typeface Conventions

To make it easier to follow and copy/paste, I am going to provide copies of the actual shell commands that I used and their output. They'll appear in blocks like this:

Code Goes in Here...

Everything you enter will appear in boldface. The output from the command will be in normal formatting.

~ $ openssl version
OpenSSL 0.9.8e 23 Feb 2007

Any parameters (such as filenames, passwords, etc.) that you'll need to adjust for your setup will be in bold-italic.

~ $ openssl sha1 myfile.txt
SHA1(myfile.txt)= da39a3ee5e6b4b0d3255bfef95601890afd80709

Occasionally, I'll break up long commands onto multiple lines by "escaping" the newline at the end of the command. This is done by typing a backslash (\), hitting return and continuing the command on the next line.

~ $ somecommand -that -has -a -million \
-options -and -you -have -to \
-use -them -all -on myfile.txt

For my bash shell I've set PS1 like this:

bash-3.1$ export PS1="\w \$ "
~ $

If you don't know what that means, don't worry about it. Whenever you see a $ prompt, the command is being run as a regular user; everything before the $ is the current working directory ("~" in this case is short for my home directory, /home/brandon).

Some commands will require super-user privileges, so elevate yourself to super-user status by using:

~ $ su
Password: pA55w0Rd
/home/brandon #

Note: Ubuntu is slightly different here; you'll need to enter "sudo su" and then, when prompted, enter your own user password, and you'll have a root shell.

We're going to be digging into some pretty monstrous config files in a moment, so I'll print the file's line numbers at the beginning of each line and highlight what I've changed or added in bold-italic.

2123  post-proxy {
2124
2125     #  If you want to have a log of replies from a home server,
2126     #  un-comment the following line, and the 'detail post_proxy_log'
2127     #  section, above.
2128  #       post_proxy_log
2129
2130  #       attr_rewrite
2131
2132      #  Uncomment the following line if you want to filter replies from  
2133      #  remote proxies based on the rules defined in the 'attrs' file.
2134
2135  #       attr_filter
2136
2137      #
2138      #  If you are proxying LEAP, you MUST configure the EAP
2139      #  module, and you MUST list it here, in the post-proxy
2140      #  stage.
2141      #
2142      #  You MUST also use the 'nostrip' option in the 'realm'
2143      #  configuration.  Otherwise, the User-Name attribute
2144      #  in the proxied request will not match the user name
2145      #  hidden inside of the EAP packet, and the end server will
2146      #  reject the EAP request.
2147      #
2148          eap
2149  }

And I'll occasionally abbreviate long uninteresting output with an ellipsis.

~ $ command
Uninteresting output that keeps going.
...

So, without further ado, let's lock down our wireless network.
