Securing your wifi network using 802.1x, also known as WPA (or WPA2) Enterprise
I used to have a simple policy for my wifi network: it would be “open”, with no crypto whatsoever. I did this so that any visitor at home could surf without my having to share a secret with him. However, I soon realized that this was not good for the “privacy” of my data and turned to an OpenVPN-based solution to protect the traffic from my “known” hosts. With that in place, in the absence of visitors, I would simply stop routing wireless traffic that was not VPN traffic.
The advent of WPA and WPA-Enterprise made me believe that there was a simpler solution, one that would let me achieve the same thing while also giving my visitors some “privacy”. I still didn’t want to share a secret with them, nor did I want them to have to install anything on their machine.
Setting up WPA2 on my access point and coupling that with a Radius server was the solution I was looking for!
The WPA2 standard provides several ways to authenticate users. Backward compatibility motivated the WPA2-PSK (Pre-Shared Key) mode, where you share the secret with all the nodes on the network, but the standard also provides a new mode called WPA2-EAP (Extensible Authentication Protocol) where no key is pre-shared.
EAP is not WPA-specific in any way; it existed long before WPA became a standard. The protocol aims at providing generic primitives that allow the transport and realization of most of the authentication protocols available. EAP can be used in conjunction with a number of authentication methods such as PEAP, TLS, TTLS… Depending on which one you decide to use, your users will either be required to have a certificate to authenticate themselves (TLS) or can simply use a login/password combination (TTLS, PEAP).
Another thing to consider is that not all EAP clients support all the authentication methods. PEAP is supported natively by Windows XP, and many tools exist for Linux (xsupplicant, WPA supplicant…). However, TTLS is not natively supported by Windows XP’s EAP client; maybe your wireless card vendor has added support for it (Intel has), but it’s not a certainty (SecureW2 provides an implementation of TTLS for Windows XP). On MacOS X, both PEAP and TTLS are supported, so you’re good to go.
For WPA2-EAP authentication to work, you’ll need to set up a Radius server. I’ve chosen the FreeRadius implementation, which is an Open Source project. Depending on the method you want to enable, you’ll need to create a small PKI. On Unixes, a great graphical frontend to openssl exists that will make your life easier: it’s called Tiny CA, and it will help you create root certificates as well as client ones if you want to use TLS, and export them in the proper format, which is not always so straightforward.
For EAP/TTLS and EAP/PEAP, you can set your Radius server to use LDAP/pam/files for authentication, which makes it easy to deploy WPA2 in an enterprise using the existing infrastructure. The clients will only have to enter their usual username and password to connect to the wireless network.
So when I get a visitor, it’s easy for me to create a temporary account for him and provide him with a secure wireless channel, which is much more secure than any “captive portal” based solution: almost all of those can be defeated by IP-over-DNS (IPoDNS) or IP-over-ICMP (IPoICMP) tools out there, and they don’t provide any privacy.
I haven’t seen any commercial device that ships with an integrated Radius server, but the OpenWRT project provides a FreeRadius package that you can install in order to have the Radius server bundled in the AP.
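As an added example (not from the original post, and not FreeRadius' or hostapd's own code), here is a small provisioning script that writes the pieces described above: a hostapd configuration that points the AP at the Radius server over 802.1X, a FreeRADIUS `clients.conf` entry registering the AP, an `eap` stanza in the FreeRADIUS 1.x/2.x `eap.conf` layout enabling PEAP and TTLS behind the server certificate, and a `users` entry for a temporary visitor account that expires on its own. The SSID, addresses, secret, certificate paths and account names are constructed placeholders, and everything is written under a directory you pass in rather than under /etc.

```shell
# Added example: writes AP (hostapd) and FreeRADIUS configuration for WPA2-EAP
# into directory $1 instead of /etc. All names, addresses and secrets are placeholders.
set -eu
write_wpa2_eap_configs() {
    out="$1"; radius_ip="$2"; nas_secret="$3"
    mkdir -p "$out/raddb"
    # hostapd: WPA2 + 802.1X; the AP relays EAP to RADIUS. This shared secret
    # exists only between the AP and the Radius server; visitors never see it.
    cat > "$out/hostapd.conf" <<EOF
ssid=home-enterprise
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=$radius_ip
auth_server_port=1812
auth_server_shared_secret=$nas_secret
EOF
    # FreeRADIUS: register the AP as a NAS client using the same secret.
    cat > "$out/raddb/clients.conf" <<EOF
client home_ap {
    ipaddr = 192.0.2.10
    secret = $nas_secret
}
EOF
    # EAP module: PEAP (MSCHAPv2 inside) and TTLS both run inside a TLS tunnel
    # to the server certificate, so the password never crosses the air in clear.
    cat > "$out/raddb/eap.conf" <<EOF
eap {
    default_eap_type = peap
    tls {
        private_key_file = /etc/raddb/certs/server.key
        certificate_file = /etc/raddb/certs/server.pem
    }
    peap { default_eap_type = mschapv2 }
    ttls { default_eap_type = md5 }
}
EOF
}
# Temporary visitor account: MSCHAPv2 needs a Cleartext-Password (or NT hash),
# and the Expiration check item makes FreeRADIUS reject logins after that date.
add_guest_user() {
    out="$1"; user="$2"; expires="$3"
    pw=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16)
    printf '%s Cleartext-Password := "%s", Expiration := "%s"\n' \
        "$user" "$pw" "$expires" >> "$out/raddb/users"
    echo "$pw"
}
```

Review the generated files, then copy them into place (`/etc/hostapd/hostapd.conf` on the AP, `/etc/raddb/` on the Radius server) and restart both daemons.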