Cheap WPA(2)-Enterprise Solution (Radius server)

[Lucifer]

Hi everyone,

Allthough my topic won't be backtrack related, I decided to share it anyway, since it concerns wireless security.

Since the first day I learned about aircrack, I obviously became more aware about my wireless network security at home.
As my network has grown to 11 clients now (pc's, phones, game console, and a NAS server on a dualband router, 2.4 and 5 Ghz WLANs), I decided it was time to take my wireless security
to the next step, the reason being: 'If I can crack it, so can someone else'.
WPA(2)-Enterprise is the strongest wireless security to date, so I started searching how I could configure it.
So as all of you know, it requires a radius server, yet I was unwilling to pay for one.
Sadly enough, my NAS server doesn't support radius.
Then I stumbled on this free online radius server, and after some small issues, I managed to configure it, and it's working beautifully.
Both my wireless networks are now WPA2-AES EAP secured.

So basicly, I just wanted to share this with you guys, in case you want to upgrade to Enterprise aswell, without spending money.
The radius server is located at www.wifiradis.net .
This was the only online radius server I could find, and allthough the site looks unprofessional, the radius server is working and gets the job done without a hitch.
Now, I can finally be sure no one will be cracking and accessing my network.

And yes, I know WPA-TKIP and AES are virtually impossible to crack if you're using a big random password, but still, a hacker who has targeted my WLANs would be messing with them (DOS attacks) to get the handshakes if I used WPA-Personal, this is what I'm trying to avoid by using Enterprise. The hacker won't bother deauthenticating my wireless clients or cracking my WLANs since it cannot be done.
Allthough DOS attacks are still possible now I'm using Enterprise, I do feel more secure, and I can use easy-to-remember passwords since brute forcing the PSK is out of the question now, instead of a big random 64 character password.

If anyone is interested, I would be glad to help you configure it, if needed.
(Note that low-end routers/wifi equipment usually don't support this 802.1x authentication mode.)

I hope this info can be helpful to someone.

Bye,

[Agarax]

OK, this is neat, BUT a couple of things:

A) If I'm too paranoid to trust a 14 character password to protect my wireless LAN, offshoring my AAA to some site on the internet isn't going to work either.

B) After reading a translation of the about page Google Translate I noticed something important. The goal of the site isn't to make your network 'more secure', it's to allow you to share you internet with select people and still have control (i.e. not sharing your one key with everyone.)

C) Setting up a RADIUS server isn't expensive. "Pourquoi le service WifiRadis est-t-il gratuit ? ("Why is the service WifiRadis he free?) Parce que personne ne va payer pour cela, cela ne vaut pas un radis. (Because nobody will pay for it, it is not worth a bean. )"

D) WPA2-Personal is really damn secure even if you capture the 4 way handshake. The only weakness is users who don't set up good passwords. Any DOS that can be performed against it without the preshared key can be performed against a WPA2-Enterprise.

[Lucifer]

A: You are correct, but I don't think they're going to come all the way to your country to see what's on your home network. As long as you don't use the same password like your email account, you'll be fine.

B: true again, but I personally just wanted a radius server without paying for it, that's it.

C: I know it doesn't cost millions, but I really wanted to try and find a free solution first, before buying one. And I did.

D: Correct once more, but like I said in my original post:

And yes, I know WPA-TKIP and AES are virtually impossible to crack if you're using a big random password, but still, a hacker who has targeted my WLANs would be messing with them (DOS attacks) to get the handshakes if I used WPA-Personal, this is what I'm trying to avoid by using Enterprise. The hacker won't bother deauthenticating my wireless clients or cracking my WLANs since it cannot be done.
Allthough DOS attacks are still possible now I'm using enterprise, I do feel more secure, and I can use easy-to-remember passwords since brute forcing the PSK is out of the question now, instead of a big random 64 character password.

And in a worst-case scenario this online radius server is one big scam (which I doubt since the site has been online for many years), and they would come to my country to acces my network, they would find all my clients and server are password protected, can't modify anything on the network. By the time they started bruteforcing my server, I would have already noticed the intruders.
They can't trace my psychical location either, I'm on a dynamic WAN IP, and an ISP doesn't give out adresses/names without hard reasons.

Ofcourse something like this will have it's disadvantages aswell, but hey, at least it's free right?

In my personal situation, this free online radius server is excellent, and keeps the script kiddies from around the block away, if you know what I mean

And I thought it might be useful to other users who are on a tight budget, or those who just want to explore the 802.1x authentication mode before actually buying a radius server, like myself. So that's why I posted

Bye,

[egeier]

Have you heard of AuthenticateMyWiFi: Outsourced RADIUS/802.1X Authentication for WPA/WPA2-Enterprise? Hosted free and commerical service.

About Personal vs Enterprise...it's not just that PSK is vunlerabale to bruteforce, but Enterprise provides two additional crucial benefits: 1. better management of access. It's not just a static key like personal where you'd have to change everyone's key if a laptop went missing. Just change the one user's password with enterprise 2. user's can't see each other's traffic since each gets their own key.

[Lucifer]

Hi egeier,

I hadn't found that site during my search, thanks for sharing.
They seem to have alot more options vs the free radius server I'm using.
Yet the interesting options are only avaible if you're a paying customer, and you can only use their free service with limited options for a month.
The same goes for this online radius server I stumbled upon just now: http://www.wifi-soft.com/

But personally, my next step would be to buy a little radius server myself to connect to my LAN, maybe in a few months. I'm really enjoying all the advantages and options 802.1x has, that's why I'm mostlikely sticking to it. I'm looking into wired 802.1x aswell, yet I doubt my consumer grade router supports it, even though it's a top notch one, the DIR-855 .. Any interesting links on this subject are welcome!

Also, when I buy a radius server, I would obviously like to get the most out of it, so I would like to set it up the same way like the online radius you provided, with the same configuration options. Would it be hard to set up? Can anyone recommend a cheap but great little radius server?

I read about tinyPEAP custom firmware to make a radius server out of a linksys router, yet I question its reliability considering the reviews I saw on the net.

Any info will be appreciated

Bye,

[Agarax]

First of all, sorry if I was acting like a dick earlier. Looking back I was a bit harsh.

As far as building your own RADIUS server, I would recommend installing FreeRADIUS on an existing server.

What I like to do is to have one reasonably powerful server running VMWare Server. That way I can add and delete 'dedicated' servers at will for different network services.

[Lucifer]

Hey agarax,

No problem, I wasn't thinking you're a dick since your statements are correct, no matter how you post them

I've read about FreeRADIUS and other software out there, but it requires a dedicated linux machine/server, which I do not have.
It really is a pity my own NAS server doesn't support it.
What I am hoping to find, is a little cheap server box which would be online 24/7 as a dedicated radius server and nothing more.
But up untill now, I've found none.
This online radius server I'm using will do for now, untill I can find a cheap solution for my own one.
Allthough the Enterprise mode is great for various reasons, I'm not willing to spend much cash on it as I feel I already spent too much on my current home network

Bye,

[egeier]

You could use FreeRADIUS on Windows: FreeRADIUS.net - Fast, Easy & Best of all... FREE!.

But setting up a server for FR isn't costly, any old dusty PC will do. You'll have to learn some Linux stuff though. Check out my article:
Use FreeRADIUS for Wi-Fi Authentication - www.enterprisenetworkingplanet.com

Another option is ZeroShell, check out my article on it:
LinuxPlanet - Tutorials - Set up Secure Wireless With Zeroshell Linux (part 2) - Setting up RADIUS Wireless Client Authentication

If you have $100 - $200, check out USRobotics USR5453 or ZyXEL's NWA-3160 or ZyAIR G-2000 Plus v2. These APs have built-in RADIUS server.

[Agarax]

I've read about FreeRADIUS and other software out there, but it requires a dedicated linux machine/server, which I do not have.
It really is a pity my own NAS server doesn't support it.
What I am hoping to find, is a little cheap server box which would be online 24/7 as a dedicated radius server and nothing more.
But up untill now, I've found none.

What's the hardware specifications for your NAS Server? You might want to consider redeploying with a different OS and have FreeNAS running in a VM.

If you really want dedicated hardware that's only good enough to run basic services, I would recommend looking at some of these nettop/mini computers at Newegg

A dual core Atom is more than good enough for running your basic Linux services (HTTP, FTP, DNS, RADIUS, ect). It will start to choke and die if you try to run a big pipe VPN through it, though.

[Lucifer]

I already considered that, but it's simply impossible on my NAS, it's a cheap 1 Tb Iomega one, but it works great. Just impossible to add stuff to it like radius, or to change the OS.

A barebone is a great suggestion, I'll keep it in mind!
But for now, the online radius server will do.

Thanks,