WPA(2) Enterprise + FreeRadius
-
I would like to use WPA2 enterprise with FreeRadius.
I followed this guide: http://hubpages.com/technology/How-to-Set-Up-a-Radius-Server-on-pfSense-Using-the-FreeRadius-Package
All is working. I'm just wondering, is it really this simple to set up? ;D
At the moment my iPhone 6S (iOS 9.0.2) is connected without any problems.
-
Yeah, it's pretty simple; there are some gotchas if you want to use eap-tls with iOS devices wanting a password on the p12, which isn't done with cert manager.
-
Indeed it was easy. :D
Hmmm, seriously?
I have it running with TLS with my self-signed cert on my pfSense box and did not need to do anything on my iPhone.
Only thing I got was a question to trust the certificate on iOS (probably due to being self-signed).
radiusd[48071]: Login OK: [Panja] (from client panja-radius port 0 via TLS tunnel)
-
That is not using eap-tls, there's a difference.
-
Ok, sorry my bad.
EAP-TLS is more secure?
I am using PEAP, right?
Btw, pity I have a few devices that cannot be set up with WPA2 enterprise.
I need to add a separate SSID with WPA2 personal for those devices.
-
Yeah, it is a pity about devices that do not support WPA2 enterprise; it means you still have to run a PSK SSID for those. I have a Nest thermostat and a Harmony smart hub (remote control), for example, that I have looked into to see if they would be adding it. And there don't seem to be any plans to do so.
Yeah, eap-tls is more secure: each device that connects needs a cert installed from the CA, not just a username password and trusting the server cert. The server also has to see and validate the cert issued to the device. It's a bit more work setting it up, to be sure, because you have to create the certs for each device. Best option for a laptop would be to store this cert on a smartcard, for example. But this is difficult on an iPad or smartphone, etc.
The issue I ran into is that cert manager in pfSense does not put a password on the .p12, but iOS will not allow you to import without one. So you have to run it through openssl, putting a password on it.
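The openssl step described in the reply above, as an added example that is not part of the original thread: it re-wraps a .p12 exported with an empty password into one protected by an import password, then checks the result. The function names, file names and the `P12_PASS` variable are assumptions, and the demo certificate is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): put an import password on a PKCS#12
# bundle that was exported without one, using only the openssl CLI.
set -eu

# Exit 0 if FILE opens with an empty password (the state iOS refuses to import).
p12_is_passwordless() {
    openssl pkcs12 -in "$1" -passin pass: -noout 2>/dev/null
}

# add_p12_password IN OUT: re-wrap IN (empty password) into OUT, protected by
# the password in $P12_PASS. env: keeps the password out of the process list.
add_p12_password() (
    [ -n "${P12_PASS:-}" ] || { echo "set P12_PASS first" >&2; exit 2; }
    umask 077                      # the temp PEM holds the private key in clear
    pem=$(mktemp)
    trap 'rm -f "$pem"' EXIT       # remove the plaintext key on any exit
    openssl pkcs12 -in "$1" -passin pass: -nodes -out "$pem" 2>/dev/null &&
    openssl pkcs12 -export -in "$pem" -out "$2" -passout env:P12_PASS &&
    # Confirm the result: opens with the new password, not with an empty one.
    openssl pkcs12 -in "$2" -passin env:P12_PASS -noout 2>/dev/null &&
    ! p12_is_passwordless "$2"
)

# Constructed stand-in for the exported bundle: a throwaway self-signed client
# cert and key, packed with an empty password. Writes DIR/client.p12.
make_demo_p12() (
    cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-demo-client" \
        -keyout demo.key -out demo.crt 2>/dev/null &&
    openssl pkcs12 -export -inkey demo.key -in demo.crt \
        -out client.p12 -passout pass:
)

# Demo on constructed input: sh this-script.sh demo
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    export P12_PASS="constructed-demo-pass"
    make_demo_p12 "$dir"
    add_p12_password "$dir/client.p12" "$dir/client-ios.p12"
    echo "wrote $dir/client-ios.p12"
fi
```

The temporary PEM contains the unencrypted private key, which is why it is created under a restrictive umask and deleted on exit.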
-
Thanks for the very clear answer!
I'm probably going to run 2.4GHz with WPA2 AES Personal and 5GHz with WPA2 Enterprise.
The devices I have that do not support WPA Enterprise are also devices that do not have 5GHz support (printer, Logitech Squeezebox).