WPA-EAP and FreeRADIUS, Linux vs. XP


I've been working on installing a FreeRADIUS server on my home network, to use WPA-EAP (TLS). Just for acronym explanation, that's Wi-Fi Protected Access, Extensible Authentication Protocol, Transport Layer Security. Many new consumer-level routers now offer this; it's closely related to the features required for WPA2 certification. Unfortunately, I don't believe these capabilities are documented as well as they should be.

There are a few individuals out there who seem to be going through the effort of documenting and simplifying a FreeRADIUS setup. Some of the documentation out there is dated (for example, referencing Wi-Fi security features available as of Windows XP SP1). I've been sifting through the documentation out there; so far I'm kind of fond of http://www.urbanwireless.co.nz/. The publisher of this blog has only one entry as of May 2006, and it seems to cover all the issues I've seen so far.

The FreeRADIUS website references a Linux Journal series of articles. I went through this, and had problems because of Fedora's implementation of creating a Certificate Authority. Creating a CA can be a daunting task if it's the first time you've done so.
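As an added example (not the author's setup, and not code from FreeRADIUS, the Linux Journal series or the site linked above), the shell script below walks through the CA, RADIUS server certificate and client certificate steps using only the openssl command line. The directory layout, common names, lifetimes and the PKCS#12 export passphrase are constructed placeholders. The small extension files mark the root as a CA and put the serverAuth and clientAuth extended key usages on the server and client certificates, which Windows EAP-TLS supplicants require; the verify function is the check to run before pointing a RADIUS server at the files.

```shell
#!/bin/sh
# Added lab example (not the author's setup, not FreeRADIUS's own scripts):
# build a minimal private CA, one RADIUS server certificate and one client
# certificate for EAP-TLS. Names, lifetimes and the export passphrase are
# constructed placeholders. Requires the openssl command-line tool.
set -eu

make_eap_tls_pki() {
  dir="$1"
  mkdir -p "$dir"
  (
    cd "$dir"

    # Extension files: the root must be marked as a CA; Windows EAP-TLS
    # supplicants expect serverAuth on the RADIUS certificate and
    # clientAuth on user certificates.
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' > server.ext
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n' > client.ext

    # 1. Root CA: key plus CSR, then self-signed with the CA extensions.
    openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
        -subj "/CN=Home Lab EAP-TLS CA" >/dev/null 2>&1
    openssl x509 -req -in ca.csr -signkey ca.key -days 3650 \
        -extfile ca.ext -out ca.pem >/dev/null 2>&1

    # 2. RADIUS server certificate signed by the CA.
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj "/CN=radius.lab.example" >/dev/null 2>&1
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 365 -extfile server.ext -out server.pem >/dev/null 2>&1

    # 3. One client (supplicant) certificate.
    openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
        -subj "/CN=laptop.lab.example" >/dev/null 2>&1
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 365 -extfile client.ext -out client.pem >/dev/null 2>&1

    # 4. PKCS#12 bundle (client cert + key + CA) for import on the client machine.
    #    "changeit" is a constructed placeholder passphrase.
    openssl pkcs12 -export -in client.pem -inkey client.key -certfile ca.pem \
        -name "lab client" -passout pass:changeit -out client.p12 >/dev/null 2>&1
  )
}

# Checks to run before configuring the RADIUS server with these files:
# both leaf certificates chain to the CA, and each carries the EKU that
# the supplicant side will look for. Returns 0 on success, 1 otherwise.
verify_eap_tls_pki() {
  dir="$1"
  openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$dir/ca.pem" "$dir/client.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/server.pem" -noout -text \
      | grep -q 'TLS Web Server Authentication' || return 1
  openssl x509 -in "$dir/client.pem" -noout -text \
      | grep -q 'TLS Web Client Authentication' || return 1
  return 0
}

# Usage: sh eap_tls_pki.sh /path/to/output/dir
if [ "$#" -gt 0 ]; then
  make_eap_tls_pki "$1"
  verify_eap_tls_pki "$1" && echo "PKI in $1 verified"
fi
```

The CA is self-signed through `openssl x509 -req -signkey` rather than `openssl req -x509` so that the CA extensions come from an explicit file instead of whatever the system openssl.cnf defaults to; that is the part that differs from one distribution to another and tends to cause the kind of trouble described above.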

After browsing a few separate sources, I finally got to a point where I can test my installation. I was able to fully authenticate and achieve a stable EAP/TLS/TKIP connection between my client, router, and RADIUS server using Linux machines. However, I was not able to get my Windows XP machine to authenticate. Reviewing my RADIUS logs, I have a good indication of the area of the certificate/key process I need to scrutinize further.

Hopefully, on the upcoming weekend, I'll be able to post Fedora-specific instructions on creating and implementing this process. During discussions with others, though, the opinion is that this is overkill for a home network. I'm sure that is, until someone clever figures out another attack on the original WPA-PSK (TKIP). (Right now, the only known vulnerability is a dictionary attack on weak passphrases.) Should a new vulnerability surface, having WPA-EAP/TLS in your back pocket may not be a bad idea.