WPA(2) Enterprise + FreeRadius

  • I would like to use WPA2 enterprise with FreeRadius.
    I followed this guide: http://hubpages.com/technology/How-to-Set-Up-a-Radius-Server-on-pfSense-Using-the-FreeRadius-Package

    All is working. I'm just wondering, is it really this simple to set up?  ;D
    At the moment my iPhone 6S (iOS 9.0.2) is connected without any problems.

  • LAYER 8 Global Moderator

    Yeah, it's pretty simple; there are some gotchas if you want to use EAP-TLS with iOS devices wanting a password on the .p12, which isn't done with the cert manager.

  • Indeed it was easy. :D

    Hmmm, serious?
    I have it running with TLS with my self-signed cert on my pfSense box and did not need to do anything on my iPhone.
    The only thing I got was a prompt to trust the certificate on iOS (probably due to it being self-signed).

    radiusd[48071]: Login OK: [Panja] (from client panja-radius port 0 via TLS tunnel)

  • LAYER 8 Global Moderator

    That is not using EAP-TLS; there is a difference.

    OK, sorry, my bad.

    Is EAP-TLS more secure?
    I am using PEAP, right?

    Btw, it's a pity I have a few devices that cannot be set up with WPA2 Enterprise.
    I need to add a separate SSID with WPA2 Personal for those devices.

  • LAYER 8 Global Moderator

    Yeah, it is a pity about devices that do not support WPA2 Enterprise; it means you still have to run a PSK SSID for those. I have a Nest thermostat and a Harmony Smart Hub (remote control), for example, that I have looked into to see if they would be adding it, and it doesn't seem like there are any plans to do so.

    Yeah, EAP-TLS is more secure: each device that connects needs a cert installed from the CA, not just a username/password and trusting the server cert. The server also has to see and validate the cert issued to the device. It's a bit more work setting it up, to be sure, because you have to create the certs for each device. The best option for a laptop would be to store this cert on a smartcard, for example, but this is difficult on an iPad or smartphone, etc.

    The issue I ran into is that the cert manager in pfSense does not put a password on the .p12, but iOS will not allow you to import it without one. So you have to run it through openssl, putting a password on it.
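
The openssl re-wrap step described above, as an added example that is not part of the original thread and not pfSense's or FreeRADIUS's own tooling. The file names, the password and the `panja-iphone` subject are assumptions. It unpacks the password-less PKCS#12 export to PEM, re-exports it with a password, and picks the SHA-1/3DES PBE algorithms that older iOS releases accept (OpenSSL 3's default AES/PBKDF2 encoding is an assumption-based caveat here, since iOS 9 predates it):

```shell
#!/bin/sh
# Added example (not from the thread): give a password to a .p12 that was
# exported without one, so iOS will import the EAP-TLS client identity.
# Paths, password and the helper names are assumptions for illustration.
set -eu

# repack_p12 IN.p12 OUT.p12 PASSWORD
# Reads an unprotected bundle and writes a password-protected copy.
repack_p12() {
    in="$1"; out="$2"; pw="$3"
    tmp=$(mktemp)
    # Unpack key + cert (+ any CA chain) to PEM; -nodes keeps the key
    # unencrypted in the temp file so no pass phrase prompt appears.
    openssl pkcs12 -in "$in" -passin pass: -nodes -out "$tmp"
    # Re-export with the password. SHA-1/3DES PBE and a SHA-1 MAC are the
    # legacy algorithms old iOS releases understand; newer defaults may not be.
    openssl pkcs12 -export -in "$tmp" -out "$out" -passout "pass:$pw" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
    rm -f "$tmp"
}

# verify_p12 FILE PASSWORD -> exit 0 only if the bundle opens with that password
verify_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Usage: sh repack_p12.sh client.p12 client-ios.p12 'SomePassword'
if [ $# -eq 3 ]; then
    repack_p12 "$1" "$2" "$3"
    verify_p12 "$2" "$3" && echo "ok: $2 opens with the supplied password"
fi
```

Copy the resulting .p12 to the device (AirDrop, e-mail, or a configuration profile) and iOS will prompt for the password you set. Delete the unprotected original and the PEM temp file afterwards; they hold the device's private key in the clear.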

  • Thanks for the very clear answer!

    I'm probably going to run 2.4 GHz with WPA2 AES Personal and 5 GHz with WPA2 Enterprise.
    The devices I have that do not support WPA2 Enterprise are also devices that do not have 5 GHz support (printer, Logitech Squeezebox).
