...

  • SSID - SSID of choice
  • Channels - '@@@'
  • RADIUS server IP - 192.168.9.1
  • RADIUS server port - 1812
  • RADIUS server secret/password - Password chosen in clients.conf for this particular NAS
  • IP address - IP address needs to match IP mentioned in clients.conf
  • Disable DHCP
  • Some models: Reauthentication period - Specify to something equal to or greater than the Session-Timeout specified in /etc/freeradius/3.0/sites-available/default. Some NASes interpret 0 as disabling re-authentication, and might then also ignore any value mentioned by the FreeRADIUS Session-Timeout / Termination-Action attributes.
  • Secure password - Choose a secure password for accessing the NAS web (or other) interface. It is important as it controls access to the wireless security settings, and the web (or other) interface is reachable by supplicants connected to the network.
  • Some models: Operation mode - Some NASes have an Operation mode setting, which sets/locks some settings to defaults that are appropriate for different kinds of uses, e.g. "DSL Router", "Wireless Router", "Wireless Access Point". This varies by model, but something like "Wireless Access Point" is usually a good first choice if available, and "Wireless Router" otherwise.

TP-Link Archer C20 v4 00000004

In this model, the "Reauthentication period" setting is not available, but the router does honor the timeout specified by the RADIUS server. Operation mode can be set to "Wireless Access Point" '@@@'. All other settings should be set as mentioned above.

TP-Link TD-W8968 V4 0x00000001

In this model, the "Reauthentication period" setting is available as "Network Reauth Period" '@@@', and the router does honor the timeout specified by the RADIUS server, overriding the value specified here if it is lower '@@@'. Operation mode can be set to "Wireless Router" '@@@'. All other settings should be set as mentioned above. '@@@' some more settings

TP-Link TL-WR740N v4 00000000

In this model, the "Reauthentication period" setting is not available, and the router does not honor the timeout specified by the RADIUS server. Judging by the source code of the very old version of hostapd running on this router, it is believed (but not tested) that, once authenticated, the router might allow the supplicant to continue being part of the network for up to twelve hours without querying the RADIUS server again. No operation mode setting is available '@@@'. All other settings should be set as mentioned above.

Supplicant configuration

Linux

  1. Copy the .ca file generated during certificate generation onto the computer.
  2. Select the network's SSID from the list in Network Manager.
  3. When asked, enter the following information, then press connect:
     • CA certificate: browse and select the .ca file
     • Identity: the username
     • Password: the password
     • Leave all other fields as they are

Android

  1. Copy the .ca file generated during certificate generation onto the phone.
  2. Open the "Settings" app, go to "Wi-Fi" → "Advanced settings" → "Install certificates".
  3. Select the .ca file.
  4. Assign it a name of choice.
  5. Under "Certificate use" select "WiFi".
  6. Once again, open the "Settings" app, go to "Wi-Fi", and select the network's SSID from the list.
  7. When asked, enter the following information, then press connect:
     • CA certificate: select the name chosen earlier when installing the .ca file
     • Identity: the username
     • Password: the password
     • Leave all other fields as they are

Windows 10

  1. Select the network's SSID from the list of wireless networks
  2. Enter username and password
  3. When prompted whether to trust the server, confirm

Mac OS

  1. Select the network's SSID from the list of wireless networks
  2. Enter username and password
  3. When prompted whether to trust the server, confirm

iPhone

  1. Select the network's SSID from the list of wireless networks
  2. Enter username and password
  3. When prompted whether to trust the server, confirm

Security observations

On Linux and Android supplicants, the .ca file generated during certificate generation must be installed so that the supplicant can verify the RADIUS server's identity. If the identity presented by the RADIUS server changes at any point, the supplicant fails to connect and prompts the user again for network credentials. It is possible to connect without installing the .ca file by selecting "No CA certificate required" or "Do not validate", but then the supplicant will send credentials to any RADIUS server answering for that SSID without verifying its identity.
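
As an added example (not part of this page or its configuration), the wpa_supplicant equivalent of the Network Manager steps above, with the weak "Do not validate" form beside the hardened one. The EAP method (PEAP/MSCHAPv2), the path of the copied .ca file and the RADIUS server's certificate name are assumptions; adjust them to the actual setup.

```conf
# Added example, not from the original page. Assumptions: the RADIUS server
# uses PEAP/MSCHAPv2, the .ca file was copied to
# /etc/wpa_supplicant/radius-ca.pem, and the server certificate is issued
# for radius.example.net. SSID and credentials are placeholders.

# WEAK: no ca_cert, i.e. the "No CA certificate required" / "Do not
# validate" choice. The supplicant accepts any server certificate, so the
# credentials go to whoever answers for this SSID. Kept disabled here only
# to show the difference; do not use it.
network={
    ssid="MySSID"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="CHANGE-ME"
    phase2="auth=MSCHAPV2"
    disabled=1
}

# HARDENED: pin the CA from the .ca file and require the server
# certificate's name to match. If the RADIUS server's identity changes,
# authentication fails instead of leaking the credentials, which is the
# behaviour described in the Security observations.
network={
    ssid="MySSID"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="CHANGE-ME"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/radius-ca.pem"
    domain_suffix_match="radius.example.net"
}
```

If the .ca file is in DER rather than PEM form, convert it with openssl before pointing ca_cert at it; wpa_supplicant reads either, but the file must contain the CA certificate that signed the RADIUS server's certificate.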

...