Use RADIUS and 802.1X to offer per-user authentication for your 802.11 networks.
One of the big downsides of using WPA-PSK or WEP (which you shouldn’t be using) to control access to a wireless network is that they require all valid users to know the key to the network. Not only does this make changing the key more difficult, but it also forces you to change it if you ever need to deny access to a single user. Enter 802.1X, a port-based authentication protocol originally developed for use on Ethernet LANs to control access to physical ports on a switch.
802.1X came into play with wireless LANs when work began on the 802.11i standard, which adds significant security features to 802.11-based networks. However, IEEE standards often take a long time to ratify (they’re designed by committee), so the WiFi Alliance, an industry trade group, adopted some portions of the standard under the WiFi Protected Access (WPA) moniker. Once 802.11i was ratified, the WPA2 designation came into use to denote full compliance with the standard. For this reason, you’ll often see the combined use of 802.1X and 802.11 referred to as WPA Enterprise or WPA2 Enterprise.
To do its job, 802.1X makes use of a Remote Access Dial-In User Service (RADIUS) server to provide authentication, authorization, and accounting. Other components in an 802.1X-controlled network include the authenticator and the supplicant. The authenticator is the device that provides access to the network’s resources (e.g., a switch or AP). When a device is connected to the network, the authenticator detects it and asks it to identify itself. The supplicant is a piece of software on the connecting device that responds. The authenticator then acts as an intermediary between the supplicant and the authentication server until access is granted. This process is governed by the Extensible Authentication Protocol (EAP), which, as the name suggests, allows 802.1X to support many different authentication mechanisms.
Of the many available authentication mechanisms, two are widely supported by Windows, Mac OS X, and Linux: EAP/TLS and Protected EAP (PEAP). EAP/TLS makes use of your PKI infrastructure and the TLS protocol to provide authentication. That is, you need to have a Certificate Authority set up and you must generate certificate/key pairs for your authentication server and all of your clients. Many network administrators might see this as a considerable amount of work. On the other hand, PEAP requires a certificate/key pair for the server only. This hack shows how to set up 802.1X to use PEAP for authentication.
The first thing to do is to set up a RADIUS server. One excellent (and free) server is FreeRADIUS (http://www.freeradius.org). Begin by downloading the FreeRADIUS tarball from the site’s download page (http://www.freeradius.org/getting.html); then unpack it and change into the directory that it creates. Build it by running ./configure && make. After it finishes, become root and run make install.
Now, you’ll need to create a user and group for it to run under (something like _radiusd). After you’ve done that, edit FreeRADIUS’s configuration file, radiusd.conf. If you didn’t specify an alternate installation prefix when running configure, it should be in /usr/local/etc/raddb.
You’ll need to tell it the user and group that you just created. Search for user = nobody to find a good location in the file to do this. Then, add a couple of lines similar to these:
user = _radiusd
group = _radiusd
Now, edit the eap.conf file in the same directory and locate the following line in the eap section:
default_eap_type = md5
Change it to read:
default_eap_type = peap
If you don’t already have a Certificate Authority, create one now [Hack #69] and generate a certificate/key pair for the authentication server. You should also distribute your CA’s certificate to your clients [Hack #70] so that they can verify that the authentication server is legitimate when they connect to your wireless network.
Once you’ve done this, uncomment the tls section and set all of the certificate variables to point to your server’s certificate, key, and CA certificate files.
Also uncomment the following lines:
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
Now, uncomment the peap section and then uncomment the following line:
# default_eap_type = mschapv2
You’re almost done configuring the RADIUS server. The only thing left is to allow the authenticator to access it. Do this by editing clients.conf and adding an entry similar to this:
client 192.168.0.5 {
    secret = authpass
    shortname = openwrt-ap
}
where secret is a password that the authenticator will use to access the server and shortname is a short descriptive name for the device. Of course, the password you use for secret should be a much longer, higher-quality one than the example shown here.
To add users to the RADIUS server, edit the users file and add entries like this:
andrew User-Password == "wlanpass"
After you’ve done that, you need to change the owner of radiusd’s log and run directories to the user that you created:
# chown _radiusd /usr/local/var/log/radius
# chown _radiusd /usr/local/var/run/radiusd
Then, you can start radiusd:
# /usr/local/sbin/radiusd
If your AP supports 802.1X, there should be a WPA Enterprise, WPA2 Enterprise, or 802.1X setting in the section of the device’s configuration interface where you tell it whether you want to use WEP, WPA-PSK, or no authentication at all. Once you change it to use 802.1X, you’ll need to tell your AP the IP address of your RADIUS server and the password to use when talking to it.
If you’re using OpenWRT [Hack #76], it’s a little more complicated and involves setting NVRAM variables. Still, it’s not very difficult.
First, log into your AP using SSH and enter commands similar to these:
# nvram set wl0_akm="wpa wpa2"
# nvram set wl0_crypto="aes+tkip"
# nvram set wl0_radius_key="authpass"
# nvram set wl0_radius_ipaddr=192.168.0.43
# nvram set wl0_radius_port=1812
# nvram commit
When running the preceding commands, be sure to substitute the IP address of your RADIUS server for the value of wl0_radius_ipaddr. Also, replace authpass with the password you set when configuring FreeRADIUS.
These commands allow your AP to support both WPA and WPA2. However, if you want to allow only WPA, you can substitute different values for wl0_akm and wl0_crypto:
# nvram set wl0_akm="wpa"
# nvram set wl0_crypto="tkip"
For WPA2, use these:
# nvram set wl0_akm="wpa2"
# nvram set wl0_crypto="aes"
If you don’t have the nas package installed, you should install it now:
# ipkg install nas
This is the piece of software that will talk to the supplicants and to your authentication server.
After you’ve ensured that the nas package is installed and have set the NVRAM variables, reboot your AP. You should now be able to access your wireless network by setting your client to use 802.1X with PEAP and then entering any of the usernames and passwords that you entered in the users file.
Now, you can have the benefits of a well-protected wireless network without the overhead of distributing keys to each of your users.
For deployments with a large number of users, the simple users text file might become unwieldy. Fortunately, FreeRADIUS is flexible in being able to interface with many different authentication mechanisms, from Unix accounts to SQL databases and LDAP servers. If you need to interface with any of those kinds of systems, be sure to check out FreeRADIUS’s documentation.