[GRLUG] WPA2-Enterprise, RADIUS and Linux

Adam Tauno Williams adamtaunowilliams at gmail.com
Mon May 12 09:10:41 EDT 2008


> <f5e00c450805110150p21b956eah65dc615d17685b25 at mail.gmail.com>,
> "Michael Mol"
> <mikemol at gmail.com> wrote:
> > My wireless network is almost completely set-up.  Since my access
> > point can serve as AP to two SSIDs at the same time, with different
> > wireless and LAN settings for both, I've got it partitioned out.
> > On one hand, I've got a weak-security WEP network for guests and
> > family members with mobile devices that don't support WPA2.  On the
> > other hand, I've got a strong-security WPA2-Personal with frequent
> > group-key changes.  And since the AP supports it, I've got the two
> > networks on mutually-exclusive subnets, with the AP/router providing
> > Internet service to both.
> > Since I can, I'd like to switch the stronger network to
> > WPA-Enterprise, and have it authenticate clients against my Linux
> > desktop's user accounts.  Which means I need to set up a RADIUS
> > server.
> > I haven't done that before...Any recommendations or caveats?
> I would recommend getting freeRADIUS running on your desktop machine -
> www.freeradius.org .  When I first set it up, I followed the excellent
> set of articles in Linux Journal to do so (linked below).  Basically,
> it requires installing and configuring the server, generating a server
> self-signed SSL certificate, and setting your AP to authenticate
> against it.  After that, launch the server in debug mode and try an
> authentication and work on it from there.  The Linux Journal articles
> describe setting up 802.1X with TLS and certificates, but it's fairly
> easy to default your authentication mode to do TLS and PEAP instead
> when you are setting freeRADIUS up (just make sure your password store
> is compatible with MS-CHAPv2).

My step-by-step process for setting up PEAP & RADIUS is here
<http://www.whitemiceconsulting.com/node/97>

> I can answer some basic questions if you have them - shoot me an email
> off-list.
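
An added example, not part of the original messages: the MS-CHAPv2 caveat quoted above matters when authenticating against Linux accounts, because the salted crypt(3) hashes in /etc/shadow cannot answer an MS-CHAPv2 challenge, while a cleartext password or NT hash can. This sketch reports which accounts hold a credential PEAP/MS-CHAPv2 can use; the sample entries are constructed, and the attribute names and `name Attr := "value"` layout follow FreeRADIUS's users-file convention.

```python
import re

# Inner methods each stored credential type can satisfy. MS-CHAPv2 (PEAP's
# inner method) needs the NT hash (MD4 of the UTF-16LE password) or the
# cleartext; a salted crypt(3) hash can only check a password sent via PAP.
COMPAT = {
    "Cleartext-Password": {"PAP", "CHAP", "MS-CHAPv2"},
    "NT-Password": {"PAP", "MS-CHAPv2"},
    "Crypt-Password": {"PAP"},
}
ENTRY_RE = re.compile(r'^(\S+)\s+([\w-]+)\s*:=\s*"(.*)"\s*$')
NT_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

def from_shadow(line):
    """Map a shadow line to (user, attr, value); None if empty or locked."""
    user, field = line.split(":")[:2]
    if not field or field[0] in "!*":
        return None
    return user, "Crypt-Password", field

def from_users_file(line):
    """Parse a users-file style entry: name Attr := "value"."""
    m = ENTRY_RE.match(line.strip())
    return m.groups() if m else None

def mschapv2_ready(record):
    """True if this credential can answer an MS-CHAPv2 challenge."""
    if record is None or (record[1] == "NT-Password"
                          and not NT_RE.match(record[2])):
        return False  # no password, or NT hash is not 32 hex digits
    return "MS-CHAPv2" in COMPAT.get(record[1], set())

def audit(shadow_lines, users_lines):
    """Return {user: bool} for every account found in either source."""
    result = {}
    for line in shadow_lines:
        result[line.split(":")[0]] = mschapv2_ready(from_shadow(line))
    for rec in map(from_users_file, users_lines):
        if rec:
            result[rec[0]] = result.get(rec[0], False) or mschapv2_ready(rec)
    return result

# Constructed sample data (not real accounts or hashes).
SHADOW = ["alice:$6$saltsalt$abcdefghijklmnop:19000:0:99999:7:::",
          "daemon:*:19000:0:99999:7:::"]
USERS = ['alice NT-Password := "0123456789abcdef0123456789ABCDEF"',
         'bob Cleartext-Password := "example-only"',
         'carol NT-Password := "tooshort"']

if __name__ == "__main__":
    print(audit(SHADOW, USERS))
```

An account that appears only in the shadow data comes back False, so it needs a separately stored NT hash or cleartext password before PEAP/MS-CHAPv2 will work for it.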


