Set up Secure Wireless With Zeroshell Linux (part 2)
Setting up RADIUS Wireless Client Authentication
April 27, 2009
Last week we began playing around with ZeroShell, a multi-purpose LAN server that can run on an old PC. We gathered the hardware, downloaded the CD image, and burnt the Live CD. Then we booted up ZeroShell and configured the IP settings to use an existing router. Finally, we created a profile to store the settings, so they're saved and loaded after reboots or shutdowns.
Now we're going to play with some of ZeroShell's features. We'll configure the built-in RADIUS server to do 802.1X/PEAP authentication, so you can use the Enterprise mode of WPA/WPA2 encryption for your wireless network. Plus we'll set up the wireless access point (AP), in case you need to extend the coverage of your network.
Setting up the RADIUS server for WPA/WPA2-Enterprise
If you want the best Wi-Fi encryption possible and password-based authentication (so users don't know the encryption keys), you need to use the Enterprise mode of WPA/WPA2 encryption. Typically, you'd have to invest a lot of time and money into getting the required RADIUS server. However, ZeroShell has one built in that you can use. Setting it up involves enabling the RADIUS server, exporting the CA certificate, inputting AP details, and creating user accounts. Here's exactly how to do it:
On each AP's web-based configuration utility, configure the wireless security/encryption settings to use the Enterprise/RADIUS/PEAP version of WPA or WPA2. For the server IP address, input the IP of the ZeroShell machine. For the shared secret, input the secret you created for the particular AP in ZeroShell.
Configuring Windows Clients
In Step 3 of configuring the RADIUS server of ZeroShell, we exported the default self-signed Certificate Authority file. You need to load each computer with it. In Windows, double-click the DER file, click Open, click the Install Certificate button, and follow the wizard to place it in the Trusted Root Certification Authorities store (see Figure 4).
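Installing the file makes it a trusted root, so it is worth confirming that the copy on each computer is the one ZeroShell exported. The PowerShell below is an added example, not part of the original article or of ZeroShell: it checks the DER file against a fingerprint recorded at export time and only then imports it. It assumes a current Windows with the PKI module's Import-Certificate cmdlet; the file path and the expected fingerprint are placeholders.

```powershell
# Added example: check the exported ZeroShell CA file before trusting it as a root.
# Both parameter defaults are placeholders, not values from the article.
param(
    [string]$CaFile = 'C:\Temp\zeroshell-ca.der',            # hypothetical path
    [string]$ExpectedSha256 = '<SHA-256 fingerprint recorded at export time>'
)
$ErrorActionPreference = 'Stop'

# Parse the DER file in memory; nothing is written to a certificate store yet.
$path = (Resolve-Path -LiteralPath $CaFile).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

# Fingerprint of the encoded certificate, as upper-case hex without separators.
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$actual   = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

$problems = @()
if ($actual -ne $expected)          { $problems += "fingerprint mismatch: got $actual" }
if ($cert.Subject -ne $cert.Issuer) { $problems += 'not self-signed (Subject differs from Issuer)' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Refusing to install $path as a trusted root."
}

# Informational only: a root normally carries basicConstraints with CA set to true.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) { Write-Warning 'basicConstraints does not mark this certificate as a CA' }

# Machine-wide Trusted Root Certification Authorities store; needs an elevated session.
Import-Certificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
if (-not (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)")) {
    throw 'Import reported success but the certificate is not in the Root store.'
}
"Installed $($cert.Subject) (SHA-1 thumbprint $($cert.Thumbprint))"
```

With the placeholder fingerprint left in place the script refuses to install anything, so a real value has to be supplied before it will touch the store.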
The remaining step is to configure the computers with the encryption and authentication settings. On Windows computers, on the main Security dialog for the network's profile, select WPA or WPA2 Enterprise for the security type and choose Protected EAP (PEAP) for the authentication method (see Figure 5). Then you need to click the Settings button to open the PEAP settings dialog. Verify the Validate server certificate checkbox is marked, and then check the ZeroShell Example CA entry (see Figure 6). Make sure the Authentication Method is set to Secured Password (EAP-MSCHAP v2). Finally, click the Configure button, uncheck the Automatically use my Windows logon name and password option (see Figure 7), and click OK. Then click OK on all the dialogs to save the settings for the network profile.
Now you can connect to the network and, when prompted, enter a username and password you set up with ZeroShell. The first time you connect, you'll see a Validate Server Certificate dialog, where you can click OK to accept the certificate.