Configuring the Router
I used a D-Link DGL-4300 [reviewed], so your setup pages may differ. Open up your wireless router or AP's wireless configuration section and find the Wireless Security settings. Change the security mode to WPA-Enterprise or WPA2-Enterprise mode, add the RADIUS server's IP address and the shared secret (Figures 1 and 2).
Figure 1: Selecting WPA-Enterprise mode
Figure 2: EAP Configuration
Configuring a Linux Client
Connecting a Linux client using WPA or WPA2 security requires wpa_supplicant. Configure wpa_supplicant with the following options set in the ".config" file, in addition to the drivers and interfaces you need for your setup:

    CONFIG_IEEE8021X_EAPOL=y
    CONFIG_EAP_TLS=y
    CONFIG_PKCS12=y
    # Make sure to include any other options you need as well

Re-compile and re-install wpa_supplicant. Now create a folder on the Linux client to house the client public and private keys (PKCS#12 file) and the CA certificate. In my case, I set it up in /etc/wireless.
Next, edit "wpa_supplicant.conf" and add a section similar to the following to point to your new WPA2-Enterprise setup.

    # WPA2-EAP/AES using EAP-TLS
    network={
        ssid="smallnetbuilder"
        key_mgmt=WPA-EAP
        eap=TLS
        identity="linux_laptop"
        ca_cert="/etc/wireless/cacert.pem"
        private_key="/etc/wireless/linux_laptop.p12"
        private_key_passwd="pA55w0rD"
    }

The "identity" field should match the common name on the client certificate and the user we set up in FreeRADIUS' users file. Restart wpa_supplicant and connect to the network.
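Because the network block above stores the private key passphrase in clear text and relies on ca_cert to authenticate the RADIUS server, it is worth checking the file before restarting wpa_supplicant. The following is an added example, not part of the original article or of wpa_supplicant: the function names and finding strings are made up for illustration, and the CN is assumed to be supplied by whoever read it from the client certificate.

```python
import os

# Constructed sample: the network block from the article above.
SAMPLE_CONF = """\
network={
    ssid="smallnetbuilder"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="linux_laptop"
    ca_cert="/etc/wireless/cacert.pem"
    private_key="/etc/wireless/linux_laptop.p12"
    private_key_passwd="pA55w0rD"
}
"""

def parse_networks(text):
    """Return one {key: value} dict per network={ ... } block."""
    networks, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks

def audit_network(net, conf_mode=None, cert_cn=None):
    """List findings for one block; cert_cn is the CN read from the client cert."""
    findings = []
    if net.get("key_mgmt") != "WPA-EAP" or net.get("eap") != "TLS":
        findings.append("not EAP-TLS")
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("server certificate not verified (no ca_cert)")
    if cert_cn is not None and net.get("identity") != cert_cn:
        findings.append("identity does not match certificate CN")
    if "private_key_passwd" in net and conf_mode is not None and conf_mode & 0o077:
        findings.append("key passphrase in group/world-accessible file")
    return findings

def audit_file(path, cert_cn=None):
    """Audit every network block in a wpa_supplicant.conf on disk."""
    mode = os.stat(path).st_mode & 0o777
    with open(path) as fh:
        return [audit_network(n, mode, cert_cn) for n in parse_networks(fh.read())]
```

Calling audit_file("/etc/wpa_supplicant.conf", cert_cn="linux_laptop") returns one list of findings per network block; an empty list means the block passed every check. The configuration file path in that call is an assumption, so use wherever your distribution keeps the file.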