802.1X Authentication Part 1

Over time, WiFi has evolved and become more secure.

From open (unencrypted) networks to WPA3 Enterprise SHA256, WiFi has evolved not just in speed but also in security.

In this article, I will explain how you can use enterprise-level encryption for a secure WiFi network.

Many WiFi access point software stacks are evolving to accommodate a wide range of features.

In this article, I will cover the following points:

  • How does 802.1X authentication work?
  • What is the role of the external RADIUS server?
  • How do TTLS and TLS authentication work in WiFi?
  • How can you set up 802.1X authentication at home and configure the RADIUS server on a Raspberry Pi?

802.1X authentication requires three main components:

  • Access Point
  • Authentication Server (RADIUS server)
  • Supplicant (WiFi station)




  • The supplicant (WiFi station) can be any end-user device that supports enterprise-grade authentication, such as your smartphone or laptop.
  • The access point is the device that broadcasts the SSID, which is your WiFi name.
  • The access point is pre-configured with the authentication server details.
  • The authentication server can run on any small network device. In our case, we will use a Raspberry Pi as the RADIUS server.

AAA stands for Authentication, Authorization and Accounting.

The access point must know the RADIUS server's details: host/IP address, port and shared secret.


On the RADIUS server side, usernames, passwords and user policies are configured. So if a supplicant wants to connect to the network, it has to know a username and password that is configured on the RADIUS server.

For EAP-TTLS, a username and password are enough; EAP-TLS adds security by requiring the supplicant to hold a certificate, which can be generated per user or per user group.

In a large-scale WiFi deployment, reconfiguring every access point whenever a password changes is complex. Beyond user-level authentication, the RADIUS server can also apply per-user policies such as VLAN tagging, upload and download rate limits, and many more.
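The text above lists what the access point must share with the RADIUS server (host/IP, port and shared secret) and what the server holds (usernames and passwords). As an added example that is not part of the original article, the following Python models the RADIUS exchange between the two, following RFC 2865 and RFC 2869: the access point hides the User-Password with the shared secret and the random Request Authenticator, signs the request with a Message-Authenticator (HMAC-MD5 keyed with the secret), and the server answers with an Access-Accept or Access-Reject whose Response Authenticator can only be produced by someone holding the same secret. The user database, the secret and the AP address are constructed for the example; the plain-password form shown here is what a PAP request (or the inner leg of EAP-TTLS/PAP) carries, not the EAP-TLS certificate exchange.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865) and the attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_REPLY_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 18, 80  # 80 is defined in RFC 2869

# Constructed user database mirroring the article's users entry (not a real deployment)
USERS = {b"shivam": b"password"}


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs; the length byte covers the 2-byte header."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse TLVs into (type, value) pairs, refusing truncated or malformed lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: zero-pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; strips the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, username, password, identifier, request_auth=None):
    """AP (NAS) side: build an Access-Request. The Message-Authenticator is HMAC-MD5 over the whole
    packet keyed with the shared secret, computed while its own value is zeroed (RFC 2869 section 5.14)."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
        (ATTR_NAS_IP_ADDRESS, bytes([192, 168, 52, 1])),   # constructed AP address
        (ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16),          # placeholder: last 16 bytes of the packet
    ])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def message_authenticator_offset(pkt):
    """Byte offset of the Message-Authenticator value inside pkt, or None if it is absent."""
    pos = 20
    while pos + 2 <= len(pkt):
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2:
            return None
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            return pos + 2
        pos += l
    return None


def verify_message_authenticator(pkt, secret):
    """Recompute the HMAC with the attribute zeroed and compare in constant time."""
    off = message_authenticator_offset(pkt)
    if off is None:
        return False
    zeroed = pkt[:off] + b"\x00" * 16 + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[off:off + 16])


def server_handle(pkt, secret):
    """RADIUS server side: silently drop requests whose Message-Authenticator does not verify (what
    FreeRADIUS does with require_message_authenticator = yes), then check the user and reply."""
    if len(pkt) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt) or not verify_message_authenticator(pkt, secret):
        return None
    request_auth = pkt[4:20]
    attrs = dict(decode_attrs(pkt[20:]))
    user = attrs.get(ATTR_USER_NAME, b"")
    pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in USERS and hmac.compare_digest(USERS[user], pw)
    reply_attrs = encode_attrs([(ATTR_REPLY_MESSAGE, b"Hello, " + user)]) if ok else b""
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3
    resp_auth = hashlib.md5(head + request_auth + reply_attrs + secret).digest()
    return head + resp_auth + reply_attrs


def client_check_reply(request, reply, secret):
    """AP side: trust a reply only if its Response Authenticator matches our Request Authenticator and
    the shared secret. Returns the reply code, or None when the reply is missing, mismatched or forged."""
    if reply is None or len(reply) < 20 or reply[1] != request[1]:
        return None
    head, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return reply[0] if hmac.compare_digest(expected, resp_auth) else None
```

Running `client_check_reply(req, server_handle(req, SECRET), SECRET)` for a request built with the right secret yields Access-Accept, while a request built by an AP configured with a different secret gets no reply at all, and a reply whose attributes were altered in transit fails the Response Authenticator check on the AP. That is why the secret, not only the username and password, has to match on both sides.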

Below I show how to configure the FreeRADIUS server on a Raspberry Pi:

Install the OS on the SD card

Download rpi-imager for Linux

(for ubuntu)
sudo apt install rpi-imager

(or)

(for fedora)
sudo dnf install rpi-imager        

Open rpi-imager using the command below

rpi-imager

Install the OS on your SD card and complete the initial setup. Then configure a static IP using the example commands below (connect the RPI via Ethernet).

Install NetworkManager using the command below

sudo apt-get install network-manager        

Configure a static IP on the Ethernet port of your Raspberry Pi

sudo nmcli connection modify 'Wired connection 1' ipv4.addresses 192.168.52.90/24
sudo nmcli connection modify 'Wired connection 1' ipv4.gateway 192.168.52.1
sudo nmcli connection modify 'Wired connection 1' ipv4.dns 8.8.8.8
sudo nmcli connection modify 'Wired connection 1' ipv4.method manual
sudo nmcli connection down 'Wired connection 1'
sudo nmcli connection up 'Wired connection 1'

You can install the RADIUS server using the following commands:

sudo -s
apt-get install freeradius

In FreeRADIUS, two files need to be configured for a basic setup.

vim /etc/freeradius/3.0/clients.conf

Make sure the ipaddr in a client section covers the entire subnet; in my case it is 192.168.52.1/24.

client localhost {
   ipaddr = 192.168.52.1/24
   proto = *
   secret = testing123
   require_message_authenticator = no
   shortname = localhost
   nas_type    = other   # localhost isn't usually a NAS...
   limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
   }
}
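The client block above is the FreeRADIUS example entry with the subnet widened, which is fine for a lab. Before such a file goes anywhere else, a reviewer would check three things in it: that the secret is not the `testing123` shipped in the FreeRADIUS example file, that `require_message_authenticator` is `yes` (so requests without a valid HMAC are dropped), and that `ipaddr` is scoped to each access point rather than a whole subnet. The following Python is an added example, not part of the article or of FreeRADIUS; it contains a minimal parser for `client NAME { ... }` blocks and runs those checks over a constructed sample that pairs the article's block with a tightened second client (the second secret is made up for the example).

```python
import ipaddress
import re

# Constructed sample: the article's block plus a tightened client (not the page's real file)
SAMPLE_CLIENTS_CONF = """
client localhost {
   ipaddr = 192.168.52.1/24
   proto = *
   secret = testing123
   require_message_authenticator = no
   shortname = localhost
   nas_type    = other   # localhost isn't usually a NAS...
   limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
   }
}

client ap-livingroom {
   ipaddr = 192.168.52.10
   secret = 6bQ9xT2vLp8eR8wZ0mAq   # constructed example secret
   require_message_authenticator = yes
}
"""

EXAMPLE_SECRETS = {"testing123"}  # shipped in the FreeRADIUS example clients.conf


def parse_clients(text):
    """Minimal parser for FreeRADIUS 'client NAME { key = value ... }' blocks.
    Nested blocks such as limit { ... } are skipped; text after '#' is treated as a comment."""
    clients, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^client\s+(\S+)\s*\{$", line)
        if m and depth == 0:
            current, depth = m.group(1), 1
            clients[current] = {}
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                current = None
        elif current and depth == 1 and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            clients[current][key] = value.strip('"')
    return clients


def audit_clients(clients, min_secret_len=16):
    """Return (client, finding) pairs for settings a reviewer would ask to change."""
    findings = []
    for name, cfg in clients.items():
        secret = cfg.get("secret", "")
        if secret in EXAMPLE_SECRETS:
            findings.append((name, "uses the FreeRADIUS example secret; replace it"))
        elif len(secret) < min_secret_len:
            findings.append((name, f"secret shorter than {min_secret_len} characters"))
        # Absent means 'no', the FreeRADIUS 3.0 default
        if cfg.get("require_message_authenticator", "no").lower() != "yes":
            findings.append((name, "require_message_authenticator is not 'yes'; unsigned requests are accepted"))
        ip = cfg.get("ipaddr")
        if ip:
            try:
                net = ipaddress.ip_network(ip, strict=False)
            except ValueError:
                findings.append((name, f"unparseable ipaddr {ip!r}"))
            else:
                if net.num_addresses > 1:
                    findings.append((name, f"ipaddr {ip} admits {net.num_addresses} hosts; restrict it to each AP's address"))
    return findings


if __name__ == "__main__":
    for client, finding in audit_clients(parse_clients(SAMPLE_CLIENTS_CONF)):
        print(f"{client}: {finding}")
```

Run against the sample, the `localhost` block produces three findings (example secret, unsigned requests accepted, /24 scope) and `ap-livingroom` none. Pointing `SAMPLE_CLIENTS_CONF` at the contents of your own `/etc/freeradius/3.0/clients.conf` gives the same review of a real file.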


Another important file is users. Here you specify user sections, each with its own username and password.

You can also add network policies in each user section.

Here is an example of adding a basic user:

shivam      Cleartext-Password := "password"
            Reply-Message := "Hello, %{User-Name}"

After making the above changes in the respective files, you can enable and start the RADIUS server with the commands below.

systemctl enable freeradius
systemctl start freeradius



As shown in the image above, create an SSID on your access point, add the respective RADIUS server details, and try connecting your laptop/mobile using the configured username and password.



Thanks,

Shivam
