By Sebastian Bergner
Are you using a simple password to secure your WiFi? If so, how do you make sure it doesn’t fall into the wrong hands? Well, you don’t. And this is exactly why simple WiFi passwords also known as pre-shared keys represent a security vulnerability you shouldn’t neglect.
Using pre-shared keys (PSKs) to secure WiFi networks comes with a major drawback: To ensure a high level of security, they need to be changed regularly. In fact, they should be changed whenever you want to deprive users of their access to the network. This also implies sharing the new PSK with all clients which might lead to short interruptions. Especially in an office environment with frequently changing staff, this involves a lot of additional administrative overhead. And this holds particularly true for startups. But there is a remedy available: With RADIUS (Remote Authentication Dial-In User Service), you can skip the hassle of changing PSKs and feel secure.
Using RADIUS, you can centralize authentication, authorization, and accounting management for all users connected to your network. Hence, these kinds of services are also referred to as AAA or triple A systems. The centralized service enables you to delete accounts directly within the user database and thereby deny access for specific users immediately without affecting other users’ login data.
We decided to use FreeRADIUS as a triple A service but there are other solutions as well. FreeRADIUS can be integrated into existing user databases (e.g. Active Directory, LDAP or SQL databases) or username and password can be stored locally on the VM FreeRADIUS is running on. The latter option is useful for companies that don’t have a user database (yet). The respective user data could, for instance, be stored as a list in a text file. In this case, you should make sure only admins are granted access to the data. Since services like FreeRADIUS utilize individual user data for authentication, each employee has a personal username and password to connect to the WiFi. Moreover, one can use several authentication methods on all systems, i.e. macOS, Linux, Windows, Android, and iOS, and authentication capabilities don’t merely cover WiFi networks but can instead also be applied in other use cases.
How It Works in Brief
By means of a TLS handshake, the client checks if the server is trustworthy. More precisely, the client checks whether the server certificate is signed by a known CA. Only when the handshake was successful, is the encrypted communication between both peers initiated. The client generates a pre-master secret and encrypts it with the server’s public key so that only the server is able to decrypt it with its private key. Now that both peers know the pre-master secret, they can derive a master session key (MSK) utilizing the random client/server ID which was exchanged previously. In so doing, an encrypted tunnel between both peers is established. The client encrypts its username and password using its own and the server’s challenge and sends the resulting hash to the server. If you are using Microsoft’s Active Directory, the server, in turn, sends the hash to Active Directory via NTML where the hash value is compared and verified. Of course, for LDAP and SQL databases, this step is executed in a slightly different manner.
The used certificates can either be self-signed or third-party-signed. The root CA must either be installed on the client or the client has to manually trust the server when first connecting to it — the latter decreases security however and is not supported by all client platforms. The preferred and most secure method is PEAP (Protected Extensible Authentication Protocol) with EAP-MSCHAPv2.
If you decide to use FreeRADIUS, they provide comprehensive documentation and feature a lively user community to help you get started.