Wireless How To

Introduction

Update 11/19/2007: Updated with the X509v3 extensions for Windows.

Wireless Defense - Image by Ryan Dallas

In Part 1, we set up the concepts behind how industrial strength WPA2-Enterprise security works and why it's important for the security of your wireless network. In this article we'll show you how to implement WPA2-Enterprise with FreeRADIUS.

Equipment and Software Setup

Before we get into the nitty gritty of getting your own CA, public and private keys set up, here's the run down on the equipment and software I'll be using and the typeface conventions I'll be following for the code listings.

When we're talking about setting up an industrial strength security implementation, Linux is the natural choice. I've tried to make this How To as general as I can, but you'll have to be aware of the little distro-to-distro differences, so I've included my setup in Table 1.

Table 1: My Setup

  Distribution         Slackware 10.2
  Kernel               2.6.21 series (custom compiled)
  OpenSSL version      0.9.8g
  FreeRADIUS version   1.1.7
  Wireless router/AP   D-Link DGL-4300

I'm going to compile everything from source, which will work on every distro. But I recommend you use your distro's package management software (such as APT or Portage) if you are familiar with it; it will make the installation that much easier.

It is very important that you use at least version 0.9.8g of OpenSSL, which was released just a few weeks before this How To was published. You'll need this version or higher because some of the options we need to use didn't appear until the 0.9.8g release.
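Because 0.9.x releases of OpenSSL differ by a trailing patch letter (0.9.8e is older than 0.9.8g), a plain string comparison of the `openssl version` banner is not a reliable check. The following POSIX sh script is an added example, not part of the original article, that splits a version into numeric fields plus the letter and compares it against the 0.9.8g minimum; the sample banner strings in it are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the installed
# OpenSSL is at least the 0.9.8g release this How To requires.

# Split "0.9.8g" (or "1.0.2k-fips", or "3.0.2") into "major minor patch letter".
# The patch letter is converted to its ASCII code so that e < g sorts correctly;
# a version with no letter gets 0. Returns 1 if the string is not a version.
version_fields() {
    _ver=$1
    _num=$(printf '%s\n' "$_ver" |
        sed 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)\([a-z]*\).*/\1 \2 \3 \4/')
    set -- $_num
    [ $# -ge 3 ] || return 1
    case $1 in *[!0-9]*) return 1 ;; esac
    if [ -n "$4" ]; then
        _code=$(printf '%d' "'$4")   # POSIX printf: leading quote gives the char code
    else
        _code=0
    fi
    printf '%s %s %s %s\n' "$1" "$2" "$3" "$_code"
}

# Return 0 if version $1 >= version $2, 1 if it is older, 2 on a parse error.
version_ge() {
    a=$(version_fields "$1") || return 2
    b=$(version_fields "$2") || return 2
    set -- $a $b            # $1..$4 = candidate, $5..$8 = minimum
    for pair in "$1 $5" "$2 $6" "$3 $7" "$4 $8"; do
        set -- $pair
        [ "$1" -gt "$2" ] && return 0
        [ "$1" -lt "$2" ] && return 1
    done
    return 0                # all fields equal
}

# Pull the version token out of a banner like "OpenSSL 0.9.8e 23 Feb 2007".
version_from_banner() {
    set -- $1
    printf '%s\n' "$2"
}

# Exit 0 when the banner's version meets minimum $2, non-zero otherwise.
check_openssl_banner() {
    version_ge "$(version_from_banner "$1")" "$2"
}

MINIMUM=0.9.8g

# Constructed sample banners (not real captured output).
for banner in "OpenSSL 0.9.8e 23 Feb 2007" \
              "OpenSSL 0.9.8g 19 Oct 2007" \
              "OpenSSL 1.0.2k-fips 26 Jan 2017"; do
    if check_openssl_banner "$banner" "$MINIMUM"; then
        echo "OK      : $banner"
    else
        echo "TOO OLD : $banner (need $MINIMUM or newer)"
    fi
done

# Check the real binary too, if one is on the PATH.
if command -v openssl >/dev/null 2>&1; then
    if check_openssl_banner "$(openssl version)" "$MINIMUM"; then
        echo "Installed OpenSSL is new enough"
    else
        echo "Installed OpenSSL is too old for this How To"
    fi
fi
```

Run it before building FreeRADIUS; the first sample banner is the 0.9.8e output shown later on this page, which the script correctly reports as too old.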

Typeface Conventions

To make it easier to follow and copy/paste, I am going to provide copies of the actual shell commands that I used and their output. They'll appear in blocks like this:

Code Goes in Here...

Everything you enter will appear in boldface. The output from the command will be in normal formatting.

~ $ openssl version
OpenSSL 0.9.8e 23 Feb 2007

Any parameters (such as filenames, passwords, etc.) that you'll need to adjust for your setup will be in bold-italic.

~ $ openssl sha1 myfile.txt
SHA1(myfile.txt)= da39a3ee5e6b4b0d3255bfef95601890afd80709

Occasionally, I'll break long commands onto multiple lines by "escaping" the newline at the end of the line: type a backslash (\), hit return and continue the command on the next line.

~ $ somecommand -that -has -a -million \
-options -and -you -have -to \
-use -them -all -on myfile.txt

For my bash shell I've set PS1 like this:

bash-3.1$ export PS1="\w \$ "
~ $

If you don't know what that means, don't worry about it. Every time you see a $ prompt you're working as a regular user, and everything before the $ is the current working directory ("~" here is short for my home directory, /home/brandon).

Some commands will require super-user privileges, so elevate yourself to super-user status with:

~ $ su
Password: pA55w0Rd
/home/brandon #

Note: Ubuntu is slightly different here. You'll need to enter "sudo su" and then, when prompted, enter your own user password; you'll then have a root shell.

We're going to be digging into some pretty monstrous config files in a moment, so I'll print line numbers at the beginning of the line and highlight what I've changed/added in bold-italic.

2123  post-proxy {
2124
2125     #  If you want to have a log of replies from a home server,
2126     #  un-comment the following line, and the 'detail post_proxy_log'
2127     #  section, above.
2128  #       post_proxy_log
2129
2130  #       attr_rewrite
2131
2132      #  Uncomment the following line if you want to filter replies from  
2133      #  remote proxies based on the rules defined in the 'attrs' file.
2134
2135  #       attr_filter
2136
2137      #
2138      #  If you are proxying LEAP, you MUST configure the EAP
2139      #  module, and you MUST list it here, in the post-proxy
2140      #  stage.
2141      #
2142      #  You MUST also use the 'nostrip' option in the 'realm'
2143      #  configuration.  Otherwise, the User-Name attribute
2144      #  in the proxied request will not match the user name
2145      #  hidden inside of the EAP packet, and the end server will
2146      #  reject the EAP request.
2147      #
2148          eap
2149  }

And I'll occasionally abbreviate long uninteresting output with an ellipsis.

~ $ command
Uninteresting output that keeps going.
...

So, without further ado, let's lock down our wireless network.
