[TriLUG] radius, wpa2-enterprise help in exchange for lunch or beer

Joseph F Garvey jgarvey at us.ibm.com
Thu Feb 18 10:55:46 EST 2010


I've done the radius/hostapd/wpa_supplicant setup once. Everyone's entitled to do something stupid periodically :-). It was needlessly hard, and there's a better/easier/more-secure solution that works across multiple OSs.

Set the firewall on your Wifi AP to allow DHCP and Openvpn connections only (forwarded to a server if you can't hack your router (load DDWRT, OpenWRT, etc.) or you're doing a corporate setup).

Benefits:
        * You can assign the same (aka fixed) IP address on a wired and wireless network, even if the wireless network is a separate subnet.
        * In a corporate environment you avoid having to admin both wireless and remote access as separate apps.
        * Openvpn setup is significantly easier than radius/hostapd/wpa_supplicant.
        * Openvpn is freely available for multiple common OS's.
        * Scales well in a corporate environment.
        * If wifi has a separate subnet, it can be easily firewalled, so guests can have internet access, but can't have any local network access. I actually allow guest printer access.
        * Access Points can be cheaper/older (minimum built-in infrastructure). No need to upgrade AP firmware for a WPA firmware bug, or the like.
        * Wireless clients have simple firewalls (since everything goes over Openvpn, you don't have to worry about opening a port in all the client firewalls to support a new protocol).
        * Wifi security protocols have been cracked one after another, making wifi security an oxymoron.

Drawbacks:
        * Openvpn has issues with multicast traffic, requiring you to set up multicast routing if you rely on multicast (most folks won't ever notice multicast issues).
        * Linux community doesn't have a good solution for dealing with DHCP and Openvpn fighting over the routing table entries, and the contents of resolv.conf, so you'll have to hack your DHCP setup script.

-- 

Joe Garvey
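The AP firewall Joe describes above (wireless clients may only get a DHCP lease and reach the OpenVPN server), as an added example that is not part of the original post: a small rule generator for an OpenWrt/DD-WRT style router using iptables. The interface name, the VPN server address and the port are placeholder arguments, and the AP is assumed to run the DHCP server itself.

```shell
#!/bin/sh
# Added example, not from the original post: emit iptables rules for an
# OpenWrt/DD-WRT style AP so wireless clients can only get a DHCP lease and
# reach the OpenVPN server; everything else off the Wi-Fi segment is dropped.
# Assumes the AP runs the DHCP server itself; interface name, VPN server
# address and port are placeholder arguments.

wifi_fw_rules() {
    wifi_if="$1"            # wireless bridge/interface, e.g. br-wlan (assumed)
    vpn_server="$2"         # OpenVPN server the clients tunnel to (assumed)
    vpn_port="${3:-1194}"   # OpenVPN's default UDP port

    # Dedicated chains so the policy can be flushed and reloaded in one go.
    echo "iptables -N WIFI_IN 2>/dev/null || iptables -F WIFI_IN"
    echo "iptables -N WIFI_FWD 2>/dev/null || iptables -F WIFI_FWD"
    echo "iptables -D INPUT -i $wifi_if -j WIFI_IN 2>/dev/null"
    echo "iptables -I INPUT -i $wifi_if -j WIFI_IN"
    echo "iptables -D FORWARD -i $wifi_if -j WIFI_FWD 2>/dev/null"
    echo "iptables -I FORWARD -i $wifi_if -j WIFI_FWD"

    # To the AP itself: DHCP (client port 68 -> server port 67) and nothing else.
    echo "iptables -A WIFI_IN -p udp --sport 68 --dport 67 -j ACCEPT"
    echo "iptables -A WIFI_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A WIFI_IN -j DROP"

    # Through the AP: only the OpenVPN endpoint; replies ride on conntrack.
    echo "iptables -A WIFI_FWD -p udp -d $vpn_server --dport $vpn_port -j ACCEPT"
    echo "iptables -A WIFI_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A WIFI_FWD -j DROP"
}

# Sanity check before applying: number of rules that let wireless traffic
# through (the rest of both chains is DROP).
count_accepts() {
    wifi_fw_rules "$@" | grep -c -- '-j ACCEPT'
}

# Usage: script.sh IFACE VPN_SERVER [PORT] [--apply]; prints by default.
if [ "$4" = "--apply" ]; then
    wifi_fw_rules "$1" "$2" "$3" | while IFS= read -r rule; do eval "$rule"; done
elif [ -n "$1" ]; then
    wifi_fw_rules "$1" "$2" "$3"
fi
```

Run it without `--apply` first and read the emitted rules; anything other than DHCP to the AP and UDP to the OpenVPN endpoint is dropped, so a guest printer or forwarded DHCP server needs its own ACCEPT line.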




Joseph Mack NA3T <jmack at wm7d.net>
Sent by: trilug-bounces at trilug.org
02/17/2010 09:06 PM
Please respond to Triangle Linux Users Group General Discussion <trilug at trilug.org>

To: Triangle Linux Users Group General Discussion <trilug at trilug.org>
cc:
Subject: Re: [TriLUG] radius, wpa2-enterprise help in exchange for lunch or beer

On Tue, 16 Feb 2010, Cristóbal Palmer wrote:

> If you have previously set up a radius server for 
> wpa2-enterprise wifi, please ping me OFF LIST. There might 
> be nice beer and/or lunch in your future.

I'd be happy to learn about radius/wpa2 too

Thanks Joe

-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
-- 
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG FAQ : http://www.trilug.org/wiki/Frequently_Asked_Questions