Manage RADIUS for WPA-Enterprise with CIITIX and Linux
October 28, 2010
Based on Linux, CIITIX-Wi-Fi lets you implement Enterprise WPA or WPA2 encryption on your network with a minimum of fuss and a handy GUI.
CIITIX-Wi-Fi couples FreeRADIUS, daloRADIUS, and OpenSSL to give you a turn-key Wi-Fi authentication solution. It's an open source Debian-based Linux distribution, released under the GPLv2 license. It lets you quickly and easily implement the Enterprise mode of WPA or WPA2 encryption for your wireless network by providing the required 802.1X authentication. You can also use it to authenticate other network connections and components.
CIITIX-Wi-Fi is GUI-based so you don't have to be an IT or Linux expert. Plus it automatically generates the SSL certificate required for the RADIUS server. You can alternatively supply your own certificates.
CIITIX-Wi-Fi can even run in LiveCD mode, so you don't have to have a dedicated hard disk. However, we're going to permanently install it, which requires less than 400MB on your hard drive.
Installing to drive
If this is going to be a mission-critical solution supporting many users, you might want to use new hardware or set it up on an adequate virtual machine.
To get started, download the CD image (ISO) file and burn it to a disc. This tutorial is based on CIITIX-WiFi version 1.1.
Before continuing, make sure you have the computer plugged into your network via an Ethernet cable.
Now turn on the computer you want to install it on, insert the disc, and restart the computer. The computer should automatically boot from the disc, otherwise you need to enable booting from CD in the BIOS. Once you see the boot screen, select the GUI Install.
Go through the screens to set up the regional settings, partition the drive, and complete the installation. Make sure you assign a static IP to the machine during the network configuration.
Once it's done installing, you'll see a login screen. Enter the username and password you created during the installation.
Before doing anything else, you should change the default password for the Web-based GUI:
- Click JWM > Www Browser and login into the GUI front end with username "administrator" and password "radius".
- Click Config.
- Click List Operators.
- Select the administrator operator.
- Enter a new password and hit Apply.
Enable remote administration
If you want to remotely administrator the CIITIX-Wi-Fi machine from another PC on the local network, you need to enable remote access to the Web-based GUI. This takes a change in the Web server configuration file.
Start by logging out of the normal user account and logging in to the root account : click JWM > Exit. At the login screen, enter "root" for the username and the password you created during the installation.Now continue with these steps:
- Bring up the text editor: click JWM > Debian > Applications > Editors > GVIM.
- Open the file at /etc/apache2/apache2.conf.
- Hit Insert on your keyboard
- Scroll down to line 290, and change it to Allow from all.
- Save the file and exit GVIM.
Now you must restart the Web server: click JWM > Terminal. Type the following command and hit Enter:
Now you should be able to remotely login to the Web-based GUI. Open a browser on another PC, type the IP address of the CIITIX-Wi-Fi machine followed by a / and dalo, and hit Enter. For example, http://192.168.1.100/dalo. Use the default username "administrator" and password "radius", if you haven't already changed the password.
Create user accounts
Now you can create the accounts users will use when logging onto your Wi-Fi network:
- Click Management > Users.
- Click New User.
- Input a Username and Password.
- Select Cleartext-Password as the Password Type.
- Optionally, add/select a Group.
- Click Apply.
Input access points details
Now you can input the access point details:
- Click Management > NAS.
- Click New NAS.
- For the NAS IP Host, enter the IP address of the wireless router or AP.
- Create NAS Secret, which you'll input into the AP later.
- Create a descriptive NAS Shortname.
- Click Apply.
Now you need to restart FreeRADIUS on the CIITIX-Wi-Fi machine to apply the changes:
- Click JWM > Terminal.
- Type su and hit Enter.
- Type your password and hit Enter.
- Type the following command and hit Enter: /etc/init.d/freeradius restart
If you want to do this remotely, you can download a utility like WinSCP, login as root, and work use the Terminal.
Configure the access points
You must configure your wireless router and/or access points with the encryption and authentication settings. Login to the Web-based GUI of each and set encryption to WPA or WPA2 Enterprise. Then for the RADIUS server address, enter the IP of the CIITIX-Wi-Fi machine, and use the default port of 1812. Then enter the NAS Secret you created earlier for the particular AP as the Shared Secret.
Install the certificates onto the clients
Before users can connect, their computer must be loaded with the server's CA certificate and preconfigured with the proper authentication settings.
To get the certificates, you can remotely connect to the CIITIX-Wi-Fi machine from a Windows PC on the local network. Download WinSCP to a Windows computer, open the application, and then follow these steps:
- Connect with the following details:
- Host name = IP address of the CIITIX-Wi-Fi machine
- User name = root
- Password = what you created during installation.
- Double click the client-certificates directory on the right side.
- Drag the CA.der file onto your Windows desktop.
To install in Windows, double-click the certificate and select to install. Make sure you install them into the Trusted Root Certification Authorities store.
Configure the clients
In Windows, you can't just connect to the network. You must preconfigure the PEAP settings. Manually create a network profile in Windows. Make sure you enable server verification and select the CA certificate (CIITIX-WIFI Certificate Authority). In the Secured Password (EAP-MSCHAP v2) settings, deselect the automatic logon option.
Connect the clients
Finally, users can connect. They can bring up the list of available wireless networks and select the network. They'll be prompted for additional logon information, where they can enter a username and password you created with CIITIX-Wi-Fi.
Eric Geier is the founder and CEO of NoWiresSecurity, which helps businesses easily protect their Wi-Fi with enterprise-level encryption by offering an outsourced RADIUS/802.1X authentication service. He is also the author of many networking and computing books, for brands such as For Dummies and Cisco Press.