March 25, 2019

Set up Secure Wireless With Zeroshell Linux (part 2)

Setting up RADIUS Wireless Client Authentication

  • April 27, 2009
  • By Eric Geier

Last week we began playing around with ZeroShell, a multi-purpose LAN server that can run on a old PC. We gathered the hardware, downloaded the CD image, and burnt the Live CD. Then we booted up ZeroShell and configured the IP settings to use an existing router. Finally, we created a profile to store the settings, so they're saved and loaded after reboots or shutdowns.

Now we're going to play with some of ZeroShell's features. We'll configure the built-in RADIUS server to do 802.1X/PEAP authentication, so you can use the Enterprise mode of WPA/WP2 encryption for your wireless network. Plus we'll setup the wireless access point (AP), in case you need to extend the coverage of your network.

Setting up the RADIUS server for WPA/WPA2-Enterprise

If you want the best Wi-Fi encryption possible and password-based authentication (so users don't know the encryption keys), you need to use the Enterprise mode of WPA/WP2 encryption. Typically, you'd have to invest a lot of time and money into getting the required RADIUS server, however, ZeroShell has one built-in you can use. Setting it up involves enabling the RADIUS server, exporting the CA certificate, inputting AP details, and creating user accounts. Here's exactly how to do it:

  1. On the main ZeroShell web-based GUI, click the RADIUS link on the menu.
  2. Select the Enabled checkbox (see Figure 1) on the top of the page.
  3. Click the Trusted CAs button, then on the Trusted Certification Authorities window, select the CA certificate, select the DER format, click Export, and save it. By default, ZeroShell uses self-signed certificates, so you'll have to manually load the CA onto each computer you want to use WPA/WPA2 Enterprise on; which we'll do soon.
  4. Click the Access Points tab on the top. Figure 2 shows the AP page.
  5. Input the details of each AP on the network: make a descriptive name, input the AP's IP address, and create a long unique mixed character secret. Then click the Add button.
  6. Click the Users link on the main menu. See Figure 3 shows the Users page.
  7. For each person that's going to use the network, click the Add tab on the top to create a username and password. They will be use this when logging onto the Wi-Fi network. Just make sure to keep the 802.1X Access option checked under Enabled Services.

On each AP's web-based configuration utility, configure the wireless security/encryption settings to use the Enterprise/RADIUS/PEAP version of WPA or WPA2. For the server IP address, input the IP of the ZeroShell machine. For the shared secret, input the secret you created for the particular AP in ZeroShell.

Configuring Windows Clients

In Step 3 of configuring the RADIUS server of ZeroShell, we exported the default self-signed Certificate Authority file. You need to load each computer with it. In Windows, double-click the DER file, click Open, click the Install Certificate button, and follow the wizard to place it in the Trusted Root Certification Authorities store (see Figure 4).

The remaining step is to configure the computers with the encryption and authentication settings. On Windows computers, on the main Security dialog for the network's profile, select WPA or WPA2 Enterprise for the security type and choose Protected EAP (PEAP) for the authentication method (see Figure 5). Then you need to click the Settings button to open the PEAP settings dialog. Verify the Validate server certificate checkbox is marked, and then check the ZeroShell Example CA entry (see Figure 6). Make sure the Authentication Method is set to Secured Password (EAP-MSCHAP v2). Finally, click the Configure button, uncheck the Automatically use my Windows logon name and password option (see Figure 7), and click OK. Then click OK and all the dialogs to save the settings for the network profile.

Now you can connect to the network and, when prompted, enter a username and password you setup with ZeroShell. The first time connecting, you'll will see a Validate Server Certificate dialog, where you can click OK to accept the certificate.

Most Popular LinuxPlanet Stories