
Wireless How To


Update 11/19/2007: Updated with the X509v3 extensions for Windows.

Wireless Defense - Image by Ryan Dallas

In Part 1, we set up the concepts behind how industrial strength WPA2-Enterprise security works and why it's important for the security of your wireless network. In this article we'll show you how to implement WPA2-Enterprise with FreeRADIUS.

Equipment and Software Setup

Before we get into the nitty gritty of getting your own CA, public and private keys set up, here's the run down on the equipment and software I'll be using and the typeface conventions I'll be following for the code listings.

When we're talking about setting up an industrial strength security implementation, Linux is the natural choice. I've tried to make this How To as general as I can, but you'll have to be aware of the little distro-to-distro differences. So I've included my setup in Table 1.

Table 1: My Setup

Distribution          Slackware 10.2
Kernel                2.6.21 Series (Custom Compiled)
OpenSSL Version       0.9.8g
FreeRADIUS Version    1.1.7
Wireless Router/AP    D-Link DGL-4300

I'm going to compile everything from source, which will work on every distro. But I recommend you use your distro's package management software, such as APT or Portage, if you are familiar with it (it will make the installation that much easier).

It is very important that you use at least version 0.9.8g of OpenSSL, which was released just a few weeks before this How To was published. You'll need this version or higher because some of the options we need to use didn't appear until the 0.9.8g release.
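Because the How To depends on options that only exist from 0.9.8g onward, it is worth checking the installed version before starting rather than discovering the problem halfway through the CA setup. The script below is an added example, not part of the original article; it parses the output of `openssl version` and compares it against a minimum. The one wrinkle it handles is that pre-1.0 OpenSSL releases carry a trailing patch letter (0.9.8e is older than 0.9.8g), so a plain string or numeric comparison is not enough. The function names (`version_key`, `openssl_at_least`) and the sample version strings are my own; the script assumes the usual "OpenSSL x.y.z<letter> <date>" output format.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the installed
# OpenSSL is at least the 0.9.8g release the How To requires.

# version_key: turn a version such as "0.9.8g" or "1.0.0" into a fixed-width,
# sortable key such as "000.009.008.g" or "001.000.000.0".
# Pre-1.0 OpenSSL releases use a trailing letter for patch releases, so the
# letter is placed last in the key and compared after the numeric parts.
version_key() {
    num=${1%%[a-z]*}            # numeric part, e.g. "0.9.8"
    letter=${1#"$num"}          # patch letter, e.g. "g" (empty for 1.0.0 and later)
    set -- $(printf '%s\n' "$num" | tr '.' ' ')
    # A missing letter becomes "0", which sorts before any real letter.
    printf '%03d.%03d.%03d.%s' "${1:-0}" "${2:-0}" "${3:-0}" "${letter:-0}"
}

# openssl_at_least "<output of openssl version>" "<minimum version>"
# Returns 0 (true) when the reported version is >= the minimum, 1 otherwise.
openssl_at_least() {
    minimum=$2
    reported=${1#OpenSSL }      # "OpenSSL 0.9.8e 23 Feb 2007" -> "0.9.8e 23 Feb 2007"
    set -- $reported            # first remaining word is the version itself
    have=$(version_key "$1")
    want=$(version_key "$minimum")
    # Sort the two keys; we are fine as long as the minimum is not strictly higher.
    lowest=$(printf '%s\n%s\n' "$have" "$want" | LC_ALL=C sort | head -n 1)
    [ "$lowest" = "$want" ]
}

# When run on a real machine, test the OpenSSL actually installed there.
if command -v openssl >/dev/null 2>&1; then
    if openssl_at_least "$(openssl version)" "0.9.8g"; then
        echo "OK: $(openssl version) meets the 0.9.8g minimum"
    else
        echo "Too old: $(openssl version); upgrade OpenSSL before continuing" >&2
    fi
fi
```

Save it as a file and run it with `sh` on the box that will host FreeRADIUS; the functions are POSIX sh so they work under bash, dash or the BusyBox shell. If you are on a 1.x or 3.x OpenSSL today the check passes trivially, but the letter-aware comparison still matters for anyone following this on an older distro where 0.9.8e or 0.9.8f is what the package manager ships.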

Typeface Conventions

To make it easier to follow and copy/paste, I am going to provide copies of the actual shell commands that I used and their output. They'll appear in blocks like this:

Code Goes in Here...

Everything you enter will appear in boldface. The output from the command will be in normal formatting.

~ $ openssl version
OpenSSL 0.9.8e 23 Feb 2007

Any parameters (such as filenames, passwords, etc.) that you'll need to adjust for your setup will be in bold-italic.

~ $ openssl sha1 myfile.txt
SHA1(myfile.txt)= da39a3ee5e6b4b0d3255bfef95601890afd80709

Occasionally, I'll break up long commands onto multiple lines by "escaping" the newline at the end of the command. This is done by typing a backslash (\), hitting return and continuing the command on the next line.

~ $ somecommand -that -has -a -million \
-options -and -you -have -to \
-use -them -all -on myfile.txt

For my bash shell I've set PS1 like this:

bash-3.1$ export PS1="\w \$ "
~ $

If you don't know what that means, don't worry about it. Every time you see a $, the shell is running as a regular user; everything before it is the current working directory ("~" in this case is short for my home directory, /home/brandon).

Some commands will require super-user privileges, so elevate yourself to super-user status by using:

~ $ su
Password: pA55w0Rd
/home/brandon #

Note: Ubuntu is slightly different here. You'll need to enter "sudo su" and then, when prompted, enter your own user password; you'll then have a root shell.

We're going to be digging into some pretty monstrous config files in a moment, so I'll print line numbers at the beginning of the line and highlight what I've changed/added in bold-italic.

2123  post-proxy {
2125     #  If you want to have a log of replies from a home server,
2126     #  un-comment the following line, and the 'detail post_proxy_log'
2127     #  section, above.
2128  #       post_proxy_log
2130  #       attr_rewrite
2132      #  Uncomment the following line if you want to filter replies from  
2133      #  remote proxies based on the rules defined in the 'attrs' file.
2135  #       attr_filter
2137      #
2138      #  If you are proxying LEAP, you MUST configure the EAP
2139      #  module, and you MUST list it here, in the post-proxy
2140      #  stage.
2141      #
2142      #  You MUST also use the 'nostrip' option in the 'realm'
2143      #  configuration.  Otherwise, the User-Name attribute
2144      #  in the proxied request will not match the user name
2145      #  hidden inside of the EAP packet, and the end server will
2146      #  reject the EAP request.
2147      #
2148          eap
2149  }

And I'll occasionally abbreviate long uninteresting output with an ellipsis.

~ $ command
Uninteresting output that keeps going.
...

So, without further ado, let's lock down our wireless network.
