4. WPA(2) Enterprise + FreeRadius

WPA(2) Enterprise + FreeRadius

  • P

    I would like to use WPA2 enterprise with FreeRadius.
    I followed this guide: http://hubpages.com/technology/How-to-Set-Up-a-Radius-Server-on-pfSense-Using-the-FreeRadius-Package

    All is working. I'm just wondering is it really this simple to setup?  ;D
    At the moment my iPhone 6S (iOS 9.0.2) is connected without any problems.

    0
  • LAYER 8 Global Moderator

    yeah its pretty simple, there are some gotchas if you want to use eap-tls with ios devices wanting password on the p12 that isn't done with cert manager.

    0
  • P

    Indeed it was easy. :D

    Hmmm serious?
    I have it running with TLS with my self-signed cert on my pfSense box and did not need to do anything on my iPhone.
    Only thing I got was a question to trust the certificate on iOS (probably due to being self-signed).

    
radiusd[48071]: Login OK: [Panja] (from client panja-radius port 0 via TLS tunnel)
    0
  • LAYER 8 Global Moderator

    That is not using eap-tls there difference

    0
  • P

    Ok, sorry my bad.

    EAP-TLS is more secure?
    I am using PEAP right?

    Btw pity I have a few devices that cannot be setup with WPA2 enterprise.
    I need to add a separate SSID with WPA2 personal for those devices.

    0
  • LAYER 8 Global Moderator

    yeah it is a pity devices that do not support wpa2 enterprise, means you still have to run a psk ssid for those - I have a nest thermostat and a harmony smart hub (remote control) for example that I have looked into if they would be adding.  And doesn't seem like any plans to do so..

    Yeah eap-tls is more secure, each device that connects needs cert installed from the CA, not just a username password and trusting the server cert.  The server also has to see and validate the cert issued to the device.  Its a bit more work setting it up to be sure because you have to create the certs for each device.  Best option for a laptop would be to store this cert on a smartcard for example.. But this is difficult on a ipad or smartphone, etc..

    Issue ran into is that cert manager in pfsense does not put a password on the .p12 - but in ios it will not allow you to import without.  So have to run it through openssl putting a psssword on it.

    0
  • P

    Thanks for the very clear answer!

    I'm probably going to run 2.4GHz with WPA2 AES Personal and 5GHz with WPA2 Enterprise.
    The devices I have that do not support WPA Enterprise are also devices that do not have 5GHz support (printer, Logitech Squeezebox).

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy