
Update 11/19/2007: Updated with the X509v3 extensions for Windows.

Wireless Defense - Image by Ryan Dallas

In Part 1, we set up the concepts behind how industrial strength WPA2-Enterprise security works and why it's important for the security of your wireless network. In this article we'll show you how to implement WPA2-Enterprise with FreeRADIUS.

Equipment and Software Setup

Before we get into the nitty-gritty of setting up your own CA, public and private keys, here's the rundown on the equipment and software I'll be using and the typeface conventions I'll be following for the code listings.

When we're talking about setting up an industrial strength security implementation, Linux is the natural choice. I've tried to make this How To as general as I can, but you'll have to be aware of the little distro-to-distro differences. So I've included my setup in Table 1.

Table 1: My Setup

Distribution          Slackware 10.2
Kernel                2.6.21 Series (Custom Compiled)
OpenSSL Version       0.9.8g
FreeRADIUS Version    1.1.7
Wireless Router/AP    D-Link DGL-4300

I'm going to compile everything from source, which will work on every distro. But I recommend you use your distro's package management software, such as APT or Portage, if you are familiar with using it (it will make the installation that much easier).

It is very important that you use at least version 0.9.8g of OpenSSL, which was released just a few weeks before this How To was published. You'll need this version or higher because some of the options we need to use didn't appear until the 0.9.8g release.
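Since the OpenSSL version requirement is a hard one, here is a small prerequisite check you can run before going further. It is an added example, not part of the original How To; it parses the output of openssl version and compares it against 0.9.8g, taking the letter suffix that 0.9.x releases used into account (0.9.8e sorts below 0.9.8g, which a naive numeric compare would get wrong).

```shell
#!/bin/sh
# Added example (not from the original article): verify the installed
# OpenSSL is at least 0.9.8g, the minimum this How To requires.

# Turn a version like "0.9.8g" into a comparable key "0.9.8.7"
# (letter suffix a=1 ... z=26, no letter = 0; "-fips" style tails are dropped).
ossl_key() {
    ver=$1
    num=${ver%%[a-z]*}           # numeric part, e.g. 0.9.8
    letter=${ver#"$num"}         # whatever follows it, e.g. g or k-fips
    letter=${letter%%[^a-z]*}    # keep only the letter itself
    if [ -z "$letter" ]; then
        n=0
    else
        n=$(printf '%d' "'$letter")   # ASCII code of the letter
        n=$((n - 96))                  # a=1 ... z=26
    fi
    printf '%s.%s\n' "$num" "$n"
}

# Return 0 if version $1 >= version $2, 1 otherwise (field-by-field compare).
ossl_at_least() {
    a=$(ossl_key "$1"); b=$(ossl_key "$2"); i=1
    while :; do
        fa=$(echo "$a" | cut -d. -f"$i"); fb=$(echo "$b" | cut -d. -f"$i")
        [ -z "$fa" ] && [ -z "$fb" ] && return 0   # all fields equal
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        i=$((i + 1))
    done
}

# Second word of "OpenSSL 0.9.8g 19 Oct 2007" is the version string.
installed_openssl_version() {
    openssl version 2>/dev/null | awk '{print $2}'
}

REQUIRED=0.9.8g
main() {
    have=$(installed_openssl_version)
    [ -n "$have" ] || { echo "openssl not found in PATH"; return 2; }
    if ossl_at_least "$have" "$REQUIRED"; then
        echo "OpenSSL $have is OK (need >= $REQUIRED)"
    else
        echo "OpenSSL $have is too old; this How To needs >= $REQUIRED"; return 1
    fi
}

# Run the live check only when invoked as: sh check-openssl.sh --check
case "${1:-}" in --check) main ;; esac
```

Save it as check-openssl.sh (a name I chose) and run it with --check; a non-zero exit status means you need to upgrade OpenSSL before continuing.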

Typeface Conventions

To make it easier to follow and copy/paste, I am going to provide copies of the actual shell commands that I used and their output. They'll appear in blocks like this:

Code Goes in Here...

Everything you enter will appear in boldface. The output from the command will be in normal formatting.

~ $ openssl version
OpenSSL 0.9.8e 23 Feb 2007

Any parameters (such as filenames, passwords, etc.) that you'll need to adjust for your setup will be in bold-italic.

~ $ openssl sha1 myfile.txt
SHA1(myfile.txt)= da39a3ee5e6b4b0d3255bfef95601890afd80709

Occasionally, I'll break up long commands onto multiple lines by "escaping" the newline at the end of the command. This is done by typing a backslash (\), hitting return and continuing the command on the next line.

~ $ somecommand -that -has -a -million \
-options -and -you -have -to \
-use -them -all -on myfile.txt

For my bash shell I've set PS1 like this:

bash-3.1$ export PS1="\w \$ "
~ $

If you don't know what that means, don't worry about it. Every time you see a $, you're just a regular user; everything before it is the current working directory ("~" in this case is short for my home directory, /home/brandon).

Some commands will require super-user privileges, so elevate yourself to super-user status by using:

~ $ su
Password: pA55w0Rd
/home/brandon #

Note: Ubuntu is slightly different here: you'll need to enter "sudo su", then, when prompted, enter your own user password, and you'll have a root shell.

We're going to be digging into some pretty monstrous config files in a moment, so I'll print line numbers at the beginning of each line and highlight what I've changed or added in bold-italic.

2123  post-proxy {
2125     #  If you want to have a log of replies from a home server,
2126     #  un-comment the following line, and the 'detail post_proxy_log'
2127     #  section, above.
2128  #       post_proxy_log
2130  #       attr_rewrite
2132      #  Uncomment the following line if you want to filter replies from  
2133      #  remote proxies based on the rules defined in the 'attrs' file.
2135  #       attr_filter
2137      #
2138      #  If you are proxying LEAP, you MUST configure the EAP
2139      #  module, and you MUST list it here, in the post-proxy
2140      #  stage.
2141      #
2142      #  You MUST also use the 'nostrip' option in the 'realm'
2143      #  configuration.  Otherwise, the User-Name attribute
2144      #  in the proxied request will not match the user name
2145      #  hidden inside of the EAP packet, and the end server will
2146      #  reject the EAP request.
2147      #
2148          eap
2149  }

And I'll occasionally abbreviate long uninteresting output with an ellipsis.

~ $ command
Uninteresting output that keeps going.

So, without further ado, let's lock down our wireless network.
