Securing your home wireless network with RADIUS

(like my previous post, this process is reconstructed from memory and a judicious amount of diffing… so there may be bits missing)

Call me paranoid, but I’ve always been nervous about my home wireless network. I know that WPA is supposed to be reasonably secure (my router, a Netgear DG834Gv2, doesn’t support WPA2), but the lack of logging makes me worry that I really don’t know who might be having a go at it. I do all the right things to secure it — strong password, MAC filtering — but still I worry that someone might sit outside my house downloading something that could get me prosecuted. (And yes, I know that MAC filtering isn’t strong security, but it will defeat a casual would-be intruder.)

So I decided to try something different. I knew that my router supports 802.1x with RADIUS (some call it ‘WPA Enterprise’). I also knew that some wireless networks (like the rather smart Eduroam we have at work) authenticate with a username/password pair. I like the idea of logging who connects and when, and I also like the fact that the wireless clients get a different encryption key every time they connect.

As I’ve mentioned before, I have a Linux VPS at Bytemark on which I run various things, so I decided to try setting up a RADIUS server on it. Of course this would mean that my wireless network would stop working if the Netgear couldn’t see the VPS, but (a) if my ADSL service is down then wireless is pretty pointless, and (b) I will, contrary to my own fears, survive without it. If I ran a server at home then that would be a logical place to run the RADIUS service.

For this recipe you will need:

  • A wireless router/access point that supports using a RADIUS server (I’ll just refer to it as the ‘router’ in this post)
  • A Linux box somewhere the router can see it (these instructions are for Debian)
  • Freeradius installed on the server (I use the stock Debian 6.0 one)

There are lots of configuration files that come with Freeradius and they all live in /etc/freeradius. There is probably a clean way of doing this, but I’m just going to go through the edits I made to the default files in order to get this working.

Firstly, clients.conf: we define our router as a thing that is allowed to talk to the Freeradius server. We need a ‘shared secret’: a password that is known only to Freeradius and the router. This is particularly important if (a) you’re going to be hosting your Freeradius server somewhere other than on your LAN and (b) you don’t have a static IP address provided by your ISP.

I stuck an extra bit on the end of the default clients.conf:

client home {
        ipaddr = 83.x.x.x       # my static IP address at home
        secret = noone-knows-this
        shortname = home
}

If you don’t have a static IP address, you can add your ISP’s whole netblock by adding ‘netmask = 16’ (or whatever the size of their netblock is). Alternatively you can allow connections from everywhere… but obviously this is less secure, should a nasty bug in Freeradius be exploited.

Next, we need to edit eap.conf. We’re going to point Freeradius at an SSL certificate which will be sent through the router to the wireless client (your phone, laptop, fridge, or whatever). This is so that the client knows that it’s talking to the real RADIUS server and not an imposter. The user should be asked by the client to look at and approve the certificate on first connection.

Now I’m assuming that you already have—or know how to generate—a certificate, so I’m not going to go into that here… but what you should have is a private key and the certificate itself. Now edit eap.conf and change the following lines, substituting the locations of these two files:

private_key_file = /etc/ssl/private/server.key
certificate_file = /etc/ssl/certs/server.crt

I made the following changes to radiusd.conf for a bit of extra logging. There are options to log passwords as well, which you might want to do if you are certain of your server’s security (i.e. it’s in your house) and you want to know what passwords people are trying to hack you with. I also disabled request proxying as we won’t be using that feature. Here are the changes:

auth = yes
proxy_requests = no

Next, we define the credentials which will be used by the actual user of a wireless device (i.e. the username and password they will enter). Edit the users file and add the following for each user:

username        Cleartext-Password := "some-password-or-other"

The eagle-eyed reader will notice that the password is in plain text! I remember reading about this at the time, and understanding why it’s necessary, but now I can’t remember. If you know of a way around this, a comment would be appreciated 🙂 But assuming that this really is necessary, obviously don’t use this password for anything else, ever. Rest assured, however, that it is never actually transmitted in plain text.

You’ll need to restart Freeradius now, and poke a hole in your firewall so that your router can connect to the server on port 1812/tcp. Obviously you should make the rule as narrow as possible; hopefully you’re lucky enough to have a static IP address from your ISP.

The next thing to do is reconfigure your router so that it uses the RADIUS server we just set up. Every device has its own way of doing this, but on the DG834G it’s under ‘Wireless settings’: set the security option to WPA-802.1x and enter the details of the RADIUS server. Make sure that you have some other way of talking to the device before you apply your new settings in case things don’t work!

To test the new setup, you’ll need to get your wireless client to forget all about your network. If you can’t figure out how to do this, just change the SSID on the router so that it looks like a new network to your clients. Now when you connect, you should first be presented with the RADIUS server’s certificate for your approval. After this, you’ll be prompted for a username and password; enter the credentials you put in the users file. And fingers crossed… you should be connected! Freeradius will write a log entry into /var/log/freeradius/radiusd.log, and your wireless device will get a one-time encryption key.
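As an added example (not part of the original post), here is one way to get the "who connects and when" view out of the log once 'auth = yes' is set: a short Python script that reports client MAC addresses with repeated failures and usernames that are not in your users file. The log line layout, the sample lines and the names summarise, known_users and max_failures are assumptions; check the pattern against your own radiusd.log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the style Freeradius 2.x logs with "auth = yes"
# (layout assumed; compare with your own /var/log/freeradius/radiusd.log).
SAMPLE_LOG = """\
Sat Mar  3 09:14:02 2012 : Info: Ready to process requests.
Sat Mar  3 09:15:40 2012 : Auth: Login OK: [alice] (from client home port 1 cli 02-00-00-00-00-01)
Sat Mar  3 21:40:11 2012 : Auth: Login incorrect: [admin] (from client home port 2 cli 02-00-00-00-00-99)
Sat Mar  3 21:40:19 2012 : Auth: Login incorrect: [root] (from client home port 2 cli 02-00-00-00-00-99)
Sat Mar  3 21:40:31 2012 : Auth: Login incorrect (password check failed): [alice] (from client home port 2 cli 02:00:00:00:00:99)
Sun Mar  4 08:02:55 2012 : Auth: Login OK: [bob] (from client home port 3 cli 02-00-00-00-00-02)
"""

AUTH_RE = re.compile(
    r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} : Auth: "
    r"(?P<result>Login OK|Login incorrect|Invalid user)[^\[]*"
    r"\[(?P<user>[^\]/]*)(?:/[^\]]*)?\] "  # "/password" appears only if password logging is on
    r"\(from client (?P<client>\S+) port \d+(?: cli (?P<mac>[0-9A-Fa-f:.-]+))?"
)

def parse_auth(lines):
    """Yield one dict per authentication line; other log lines are skipped."""
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            yield m.groupdict()

def summarise(lines, known_users, max_failures=3):
    """Report repeat-failing MACs, usernames not in the users file, and successful logins."""
    failures, unknown_users, successes = Counter(), set(), defaultdict(set)
    for ev in parse_auth(lines):
        # Normalise MAC notation so one device is not counted under two spellings.
        mac = re.sub(r"[^0-9A-F]", "", (ev["mac"] or "").upper()) or "unknown"
        if ev["result"] == "Login OK":
            successes[ev["user"]].add(mac)
        else:
            failures[mac] += 1
            if ev["user"] not in known_users:
                unknown_users.add(ev["user"])
    noisy = {mac: n for mac, n in failures.items() if n >= max_failures}
    return {"noisy_macs": noisy, "unknown_users": unknown_users, "successes": dict(successes)}

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG.splitlines(), known_users={"alice", "bob"}))
```

To run it against the real log, pass the lines of /var/log/freeradius/radiusd.log and the usernames from your users file instead of the sample.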

You might notice that connecting to your wireless network takes a bit longer than it used to due to the extra steps involved. This is particularly noticeable on things like iPhones which will drop and re-establish the connection every time you start using them. Personally I find the extra couple of seconds to be a small inconvenience for the extra security and peace of mind.

Hopefully this was helpful. I’ve deliberately avoided explaining the nuts and bolts of RADIUS, as this has been done many times and with far more clarity than I can manage!



11 Responses to Securing your home wireless network with RADIUS

  1. Aj

    If I understand correctly, the RADIUS set-up is essentially to protect access to your network from wireless clients and remote clients. It has no capability to protect resources (network shares, printers etc.) on the network itself.

    Also, if set up correctly, will the RADIUS setup replace the VPN for remote dial-in/access, or complement it?

    • flup

      RADIUS is an AAA (authentication, authorisation and accounting) service, so in theory it could be used to protect any device or network. In the case of this article, it’s used by a wireless access point to identify users and generate per-session encryption keys. If your network shares or printers support RADIUS as an AAA method then it could be used in this way. Lots of network equipment (routers, switches etc) support RADIUS natively.

      RADIUS can’t replace a VPN. A user would be identified and authorised by RADIUS, the role of which ends there. The VPN then creates the encrypting tunnel and passes the user’s network traffic.

  2. Brendan

    I’ve been running RADIUS for my house for a few months. Got a VM running Windows Server 2012 with ADDS and VPN as well. I’d be a little apprehensive about running this on a VPS because if something goes down or you lose the connection you’d have a lot of issues fixing it on a wireless device.

    Just out of curiosity how do you have the VPS connected to your network, persistent SSH or VPN or ??

    • flup

      Absolutely, running the RADIUS server remotely isn’t for everyone. I had wired clients I can use in case it all goes horribly wrong. My home connection has a static IP address so I just poked a hole in the VPS’s firewall and let it send RADIUS requests directly.

      FWIW I stopped doing this a couple of months ago: there are just too many clients I use from time to time that don’t have working (or any) support for 802.1x. My AP doesn’t support multiple SSIDs, so I just reverted to WPA2. A shame that so many consumer devices’ support for 802.1x is totally broken (or absent).

  3. Mohammad

    There is one thing that isn’t clear to me: it’s LAN security, right? So why do I need a static IP from the ISP while I am in the LAN (using private IPs)?

    • flup

      I’m using a RADIUS server located outside my home network, so a static IP address helps me be sure that inbound RADIUS requests are really from my router. If you host RADIUS locally then you’re absolutely right.

  4. GentFula

    What would you say would be an effective method to prevent ARP-spoofing/poisoning on a network protected with WPA2 with AES encryption standard? I have used Wireshark and saw some unauthorized MAC addresses on my network.

    • flup

      If you’re seeing ARP traffic from these clients, that means they have your WPA2 key (otherwise they couldn’t encrypt the packets correctly). What makes you think there is ARP spoofing going on? Have you tried looking up the first three bytes of the unauthorised addresses in this list? That’ll at least give you a clue as to what kinds of devices they are.

      • GentFula

        According to Wireshark, which is what I use to monitor my network traffic, it found a MAC address making several ARP requests. This MAC address is nowhere to be found on my network, therefore it’s foreign. I believe that someone is attempting man-in-the-middle attacks. I sometimes get kicked off my network.

        When you say the first 3 bytes, are you referring to the first 3 octets of the IPv4 address? On a private network, wouldn’t that be irrelevant?

        • flup

          So you can see an unrecognised MAC address, which means that client had your WPA2 key. It doesn’t necessarily mean that the address is spoofed — there would be nothing to gain from that unless your access point is MAC-filtering.

          What address is it trying to ARP for? Does it go away if you change your WPA2 key? If not, does it go away if you disable wireless and only use a wired connection?

          It’s the first three bytes of the MAC address you want: these are assigned to hardware manufacturers.

  5. Lakshmi

    Can the free radius server of this server be configured with SHA256 signature algorithm in PEAP security mode?
