WPA Enterprise security

June 13, 2007 at 9:38 pm 3 comments

Stop the presses!

WEP is broken! It’s been broken for years!

You aren’t still using WEP are you?

Tell me you are at least using WPA-PSK (Pre-Shared Key). Of course, WPA-PSK is for average consumers because it is relatively easy and relatively secure. Sure, it’ll probably keep out your gray-haired neighbors, but if you are using a pre-shared key made up of a word or a phrase, you are hardly invulnerable. In fact, if someone is persistent enough, it doesn’t matter what your pre-shared key is; it can be hacked.

That’s where WPA Enterprise security comes in. This is the technology used by companies that want to ensure that their cash registers on wheels can take credit cards without revealing private customer data to anyone within 100 yards with a laptop.

Call me crazy. Call me paranoid. Perhaps it’s because I’m a programmer and guard most of my source code like it’s my first born child. Whatever the case, I didn’t want wireless on the same segment of my network with my main programming machine unless it was secured with WPA Enterprise.

The down side of WPA Enterprise security?

  • Time consuming to implement
  • Most documentation for free software is extremely complex
  • Requires a RADIUS server

A what, you say? A RADIUS server! You know, those are the servers that are about half the size of DIAMETER servers. 🙂

The most popular RADIUS server is FreeRADIUS. Probably due to the price. But, have you tried reading any of the tutorials?

Not to brag, but I’m proficient at programming in Pascal, C, C++, C#, Rexx, PHP, and Ruby. I design networks and configure routers and switches. I even write programs that interact with network gear via SNMP, telnet, and SSH.

Even with all the technical knowledge I have, the documentation found on the Internet seems as if it were written by a hundred clowns with bees in their pants. (No offense meant, if you happen to have bees in your pants 😛 ) Most of the docs are written as if the reader is already familiar with RADIUS, EAP, PEAP, Certificates, 802.1X and the myriad of other terms associated with WPA Enterprise security.

So what’s my point? Well, after trying multiple times over the course of months using various methods, I found a distribution of Linux that I thought would do the trick. It’s a web-based Linux called ZeroShell.
I thought “Great! A distro of Linux that should be super easy to use!”


After initially loading it, I was surprised. Yes, it was what it claimed to be. A distro that could be used entirely via web interface. However, I was still no closer to figuring out how to get WPA Enterprise security working with it. This distro has web pages allowing you to create users, certificates, configure RADIUS, etc. But, there was no documentation telling you what steps to go through to get it up and working. Asking on the forum was pretty much fruitless.

I dropped this distro and kept looking around.

About two weeks later, I came back to it. I ended up vaguely following some documentation through the web interface, and was amazed. I got it working!

So, maybe Zeroshell isn’t so bad after all. In fact, as I’ve picked through it, I’m learning to like it more and more all the time.

I believe it was the night after I first got WPA Enterprise working that I decided to start over and document the process that I went through to get it working in the first place. Since there wasn’t a WPA Enterprise configuration document for Zeroshell yet, I decided that I would give back to the community and write one. The resulting PDF file is now available via the Documentation link on Zeroshell’s site. From the posts in the forums, lots of others have had success following my PDF, so it seems like a decent document. I admit, though, that I could add a lot more detail, and I should probably go back and document things better, ultimately documenting what happens when your certificates start expiring, along with other options, like integrating your Active Directory domain. Hopefully, I’ll be able to go through that sort of thing right here in this blog over the coming weeks. (Reminder: Get Active Directory domain)

Actually, Zeroshell could be used for a lot more than just a RADIUS server for WPA Enterprise security. It can be used as your firewall. It even has a Captive Portal feature. Just today, I ran across a configuration screen that lets you specify password complexity, minimum length, maximum # of days without changing the password, etc. I haven’t tried the majority of these features, but it sounds like some really fancy stuff, especially for free software!


Entry filed under: Networking.

3 Comments

  • […] 14, 2007 I’m happy to announce that ZeroShell, which I’ve blogged about here, is now being used to authenticate WPA Enterprise security for approximately 30 users across about […]

  • 2. egeier  |  November 16, 2009 at 10:53 am

    You should also check out NoWiresSecurity’s outsourced RADIUS/802.1X service: http://www.nowiressecurity.com. You don’t have to set up your own server.

    • 3. ptaylor  |  November 19, 2009 at 5:52 pm

      I’ve used a similar service in the past. It worked pretty well, except when their Radius server went down. Then, my wireless was down for a few days.

