Wireless networks for businesses, including smaller ones, should always be protected with the enterprise mode of Wi-Fi Protected Access (WPA or WPA2). It provides stronger encryption to protect against Wi-Fi hackers. Plus it hides the encryption keys from your users, so employees can’t find them stored on their computer and use them maliciously or give them out. The way the personal or pre-shared key (PSK) mode of WPA or WPA2 distributes the encryption keys makes it more vulnerable to cracking.
The enterprise version, however, requires the use of a RADIUS server. This server provides a way for the users to authenticate themselves, so they can access the network. So instead of having to input the encryption key, users log onto the network with a username and password. The actual keys are exchanged without the user even knowing. Plus each user’s key is different and regularly updated.
One authentication server you could use is called FreeRADIUS, an open source project, developed under the GNU General Public License Version 2 (GPLv2). It is actually the most widely used RADIUS server in the world. In addition to doing 802.1X/PEAP authentication, which is what we’re going to set up, it supports many other authentication types for a variety of network types. It also features fail-over and load balancing, and supports numerous backend databases.
First you need to install a Linux distribution. This tutorial is based on using CentOS, a free open source operating system. Mac OS X and Windows are also supported, as well as other Linux distributions.
Tip: If you didn’t do a default fresh install of CentOS 5.3, make sure the OpenSSL package is still installed before starting the server.
You should be able to install FreeRADIUS on any regular old PC. Just make sure the FreeRADIUS machine has a wired connection to the network. Also make sure it has a static IP address rather than a dynamic one. Assign one to the network adapter in CentOS or reserve one via your router’s DHCP settings.
Note: The installation instructions are based on the current CentOS version 5.3 and FreeRADIUS version 2.1.6. Right now the current FreeRADIUS packages aren’t available via the regular CentOS repositories; only the outdated version 1.x.x packages are. Therefore we will use a third-party location. However, in the future, you may be able to install a current (2.x.x) version of FreeRADIUS using the packages via the Package Manager or by running “yum install freeradius”.
Tip: If you get the “Package is not signed” error, type “gedit” and use the text editor to change “gpgcheck=1” to “gpgcheck=0” in the /etc/yum.conf file, and then save and close the editor. After the install is complete, reverse this setting. Now type the install line again in the existing terminal window.
Now you’ll probably want to install additional FreeRADIUS packages, such as for database backend support. For a listing of packages, type “yum info freeradius2*”. In this tutorial, we’ll cover MySQL, so we’ll install it: “yum install freeradius2-mysql”. Again, elect to install the dependencies by typing “y”.
If you haven’t worked with Unix/Linux servers or command-line driven applications before, FreeRADIUS may seem hard to understand at first. Though there are some GUI utilities available, it’s typically configured via only configuration text files.
However, as you’ll see, FreeRADIUS is fairly straightforward to set up. Understand that it “just works”, meaning the default configuration files are preconfigured to run most authentication protocols without many or any additional changes.
Don’t change or delete any settings without understanding what it is and what it will do. A simple mistake can break the configuration and it can take hours to troubleshoot. If you make any modifications outside of this tutorial, try to take it step-by-step. Change one setting or a section of settings, then test to see if it works and to make sure you haven’t broken the configuration.
Though the SSL certificates that are required for PEAP and TLS are now created automatically by FreeRADIUS, you must customize the password and identification attributes. Do this before running the server for the first time. Here’s how to make the changes:
In the existing root terminal, type “/usr/sbin/radiusd -X”. This will create your self-signed certificates and start the server in debugging mode so you can see what’s happening. If everything goes as planned you’ll see “Ready to process requests” at the end.
Though the server is now installed and able to run, the next sections will take you through configuring several more settings before it’s ready to authenticate your Wi-Fi users.
There are many types of EAP, so you must specify which one you want to use. We’re discussing the use of PEAP, which doesn’t require you to create security certificates for each user. They connect to the network using their username and password.
When you’re ready, make a simple modification to the EAP configuration file:
Next you need to create the usernames and passwords users will enter when connecting to the Wi-Fi network. First we’ll create at least one user account in the configuration file to test the server. Later we’ll discuss using a MySQL database to store the user information, which is great if you have a lot of users or need to regularly change the user credentials.
In the existing root text editor, open /etc/raddb/users. On a new line, type a username, press Tab, and type Cleartext-Password := "thepassword".
Here’s an example:
egeier Cleartext-Password := "pass123"
Save and close the file, but leave the text editor open.
Now you must enter the IP address and shared secret (password) of at least one wireless access point (AP), which is called a client by FreeRADIUS. Again, as we’ll discuss later, you can optionally store the client details in a database, such as MySQL. However, if you’re working on a small network, it’s probably easier to use the text file method.
In the existing root text editor, open /etc/raddb/clients.conf and enter the details for each AP, following this example:
client 192.168.0.1 {
	secret		= testing123
	shortname	= private-network-1
}
Modify the IP address as needed, enter a unique secret for each AP, and optionally enter a descriptive name. The secret and shortname are tabbed over one, and the values are also aligned with tabs. Don’t forget to save the file when you’re done.
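As an added example (not code from Eric Geier's article or from the FreeRADIUS project), the following Python script parses the two text files set up above, the users file entries and the clients.conf client blocks, and flags the mistakes that usually bite in a small deployment: the sample secret testing123 left in place, the same secret reused across several APs, short secrets or user passwords, a username entered twice, and a client address that is not a valid IP. It understands only the line formats shown in this article (Cleartext-Password check items and flat client blocks with secret and shortname, or an ipaddr line); the sample file contents, the length thresholds and the function names are constructed for the demonstration.

```python
"""Lint a FreeRADIUS 'users' file and 'clients.conf' for common setup mistakes.

Added example, not code from the original article or the FreeRADIUS project.
Recognised formats (anything else is ignored):
    users:        username<TAB>Cleartext-Password := "password"
    clients.conf: client <address> { secret = ...  shortname = ...  [ipaddr = ...] }
The sample contents, the length policy and the function names are constructed.
"""
import ipaddress
import re

# Secrets that ship in sample configs or get guessed first (assumed policy list).
DEFAULT_SECRETS = {"testing123", "secret", "password", "radius"}
MIN_SECRET_LEN = 16    # assumed policy: AP shared secret length
MIN_PASSWORD_LEN = 8   # assumed policy: user password length

USERS_RE = re.compile(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"\s*$')
CLIENT_RE = re.compile(r'client\s+(\S+)\s*\{([^}]*)\}', re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*(\S+)\s*$', re.M)


def parse_users(text):
    """Return [(username, password, line_no), ...] for Cleartext-Password entries."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USERS_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), line_no))
    return entries


def parse_clients(text):
    """Return one dict per 'client <name> { ... }' block with its key = value lines."""
    clients = []
    for m in CLIENT_RE.finditer(text):
        entry = {"name": m.group(1)}
        for key, value in KV_RE.findall(m.group(2)):
            entry[key] = value.strip('"')
        clients.append(entry)
    return clients


def lint_users(entries):
    """Flag usernames entered twice and passwords below the length policy."""
    findings, seen = [], set()
    for user, password, line_no in entries:
        if user in seen:
            findings.append(f"users:{line_no}: duplicate entry for user {user!r}")
        seen.add(user)
        if len(password) < MIN_PASSWORD_LEN:
            findings.append(f"users:{line_no}: password for {user!r} is shorter "
                            f"than {MIN_PASSWORD_LEN} characters")
    return findings


def lint_clients(clients):
    """Flag invalid addresses and default, short or reused shared secrets."""
    findings, secret_owner = [], {}
    for client in clients:
        name = client["name"]
        # FreeRADIUS 2.x takes the address from the block name or an 'ipaddr' line.
        addr = client.get("ipaddr", name)
        try:
            ipaddress.ip_network(addr, strict=False)
        except ValueError:
            findings.append(f"client {name}: {addr!r} is not a valid address or network")
        secret = client.get("secret")
        if secret is None:
            findings.append(f"client {name}: no shared secret configured")
            continue
        if secret.lower() in DEFAULT_SECRETS:
            findings.append(f"client {name}: well-known default secret {secret!r}")
        if len(secret) < MIN_SECRET_LEN:
            findings.append(f"client {name}: secret shorter than {MIN_SECRET_LEN} characters")
        if secret in secret_owner:
            findings.append(f"client {name}: secret reused from client {secret_owner[secret]}")
        else:
            secret_owner[secret] = name
    return findings


def lint_files(users_text, clients_text):
    """Run both linters and return the combined list of findings."""
    return lint_users(parse_users(users_text)) + lint_clients(parse_clients(clients_text))


# Constructed sample files: one user typed twice with a short password, two APs
# sharing the sample secret, and one AP with a typo in its address.
SAMPLE_USERS = """# constructed sample /etc/raddb/users
egeier\tCleartext-Password := "pass123"
jdoe\tCleartext-Password := "correct-horse-battery"
egeier\tCleartext-Password := "pass123"
"""

SAMPLE_CLIENTS = """# constructed sample /etc/raddb/clients.conf
client 192.168.0.1 {
\tsecret\t\t= testing123
\tshortname\t= private-network-1
}
client 192.168.0.2 {
\tsecret\t\t= testing123
\tshortname\t= private-network-2
}
client 192.168.0.300 {
\tsecret\t\t= 7d2f4a1c9b6e0f8a3c5d1e2f4a6b8c0d
\tshortname\t= typo-in-address
}
"""

if __name__ == "__main__":
    for finding in lint_files(SAMPLE_USERS, SAMPLE_CLIENTS):
        print(finding)
```

To run it against a real server, read /etc/raddb/users and /etc/raddb/clients.conf into the two text arguments of lint_files; an empty result is the state you want before opening the firewall to the APs.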
Stay tuned: in the next part, we’ll open the firewall, install the CA file on all the computers, and configure them with the encryption and authentication settings. Plus we’ll set up MySQL for the user and AP details.
Eric Geier is the author of many networking and computing books, including Home Networking All-in-One Desk Reference For Dummies (Wiley 2008) and 100 Things You Need to Know about Microsoft Windows Vista (Que 2007).
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved