How to set up a WiFi router using WPA2 or WPA3 Enterprise and RADIUS
Find and configure the IP address of the NAS where the RADIUS server will be installed.
The first thing we have to do is find the NAS server on the network. It is very important to know its private IP address, because in the wireless configuration we will need to enter this IP address to authenticate the wireless clients. It is highly recommended that this private IP address never change, so we have two possible options:
- Set a fixed IP address on the NAS server
- Configure Static DHCP on the router so that it always assigns the same IP address to the NAS.
This way we will force this NAS server to never change its private IP address, which is very important for everything to work properly.
After we have properly configured the NAS or router so that the NAS server will never change its IP address, we are going to set up the server.
Configure FreeRADIUS Server
FreeRADIUS is the software par excellence for setting up a RADIUS server with very advanced options; it supports various types of authentication and works very well. A very important feature is that it is compatible with any operating system, which is necessary for maximum compatibility.
Setting up this server is very complicated: you need to edit the configuration files in an advanced way, create a CA and more. Using a NAS server such as a QNAP greatly simplifies the task and eliminates the need to set up a server on a computer, a Linux server, or a Raspberry Pi. All QNAP NAS servers support quick and easy server setup.
All we need to do is go to the “Control Panel / Applications / RADIUS Server” section. Once inside, we need to turn on the server and allow access to the system’s user accounts, although the latter is optional.
After activating the server, in the “RADIUS Clients” section we need to register the router that will forward all authentication requests to the server. The data that we will need to enter is the following:
- Name and surname: we give a name to the client
- IP address: we put the private IP address of the router, in our case 192.168.50.1
- Prefix length: we put 32, indicating that only this IP address will be the client.
- Secret key: we define a strong password; this is the authentication key between the router and the FreeRADIUS server. This password is not the one used by the Wi-Fi clients.
The configuration will be as follows:
After we have configured the client, we need to create users. In this case, we will need to create a user for each Wi-Fi client that we are going to connect to the wireless network, providing a username and a password for each one. All clients that are in this “Users” list will have permission to authenticate with the server and therefore will be able to connect to Wi-Fi without any restrictions.
After we have configured the server, we have to go to the router to configure it correctly, as we have to set up WPA2-Enterprise or WPA3-Enterprise authentication and provide different details.
Configure a router with WPA2 / WPA3-Enterprise authentication and RADIUS.
The first thing we need to do is go to the “Advanced / Wireless Settings” section. In this menu, we will need to select WPA2-Enterprise as the type of encryption, and several additional menus will be automatically displayed that we will need to fill out:
- Authentication method: WPA2-Enterprise
- WPA encryption: AES
- Server IP: 192.168.50.141
- Server port: 1812
- Connection secret: 123456789 (in our case, this is the password that we set on the server in the “RADIUS Clients” section).
Below you can see how it will look in our case:
All the information we provided should be reflected in the RADIUS Configuration section with the frequency band we configured. Here we will see the private IP address of the server, port, and also the connection secret.
Once we have configured the router correctly, we can authenticate the various Wi-Fi clients with the usernames and passwords that we created earlier. We will show you how to connect a Windows 10 computer and Android devices.
Connect your PC with Windows to Wi-Fi using WPA2-Enterprise
To set up a Wi-Fi network using WPA2-Enterprise, we will have to manually set up a network connection. We must go to the “Control Panel / Network and Sharing Center” section. In this menu we have to click on “Setting up a new connection or network”.
In the list of available options, we must click on “Connecting to a wireless network manually” and click “Next”.
Now we will need to enter the name of the Wi-Fi network to which we are going to connect; this network name or SSID should be exactly the same as in the router. In the security type, select “WPA2-Enterprise”; the encryption type will necessarily be AES, and it cannot be changed. The “Security key” field will be disabled; this is normal.
Now click on “Start this connection automatically” to disable it, and do the same with the option “Connect even if the network isn’t broadcasting your name”.
When clicking on “Next” we have to click “Change settings”, as indicated by the Windows wizard. We’ll get a menu with everything we’ve set up so far.
On the “Security” tab, select the “Microsoft: Protected EAP (PEAP)” option and click “Configure”:
In this menu, we will need to click on “Verify the server’s identity by verifying the certificate” to disable this option. Leave the rest of the parameters at their defaults.
When we connect to the Wi-Fi network, it will now ask us to log in. We will need to enter the username and password that we have registered on the server in the RADIUS Users menu.
After entering the credentials, if they are correct, we will see that we are connected and have Internet access without any problems.
After we have successfully configured the PC with Windows, let’s see how to connect an Android smartphone.
Connect your Android smartphone to Wi-Fi using WPA2-Enterprise
On Android smartphones, we have to tap the Wi-Fi network we want to connect to; there is no need to manually add a wireless network as in Windows operating systems. In this case, as soon as we tap the Wi-Fi network, various configuration options will appear. We need to fill them in like this:
- EAP Method: PEAP
- Phase 2 Authentication: MSCHAPv2
- CA Certificate: Do Not Verify
In the “Identity” section we will need to enter the username that we have registered on the server, and in “Password” we will need to enter its password. We will automatically connect to the Wi-Fi network, and we will be able to access the Internet without any problems using WPA2-Enterprise and the 802.1x EAP type that our smartphone reports.
Another possible configuration for these smartphones would be as follows:
- EAP method: TTLS
- Phase 2 Authentication: MSCHAPv2
- CA Certificate: Do Not Verify
In the “Identity” and “Password” sections, we will also need to enter our credentials, as before.
As you have seen, it is very easy to set up WPA2-Enterprise authentication on a router, and even more so if we are using an authentication server like the one integrated into QNAP. However, we cannot download the CA in order to install it on all wireless Wi-Fi clients, so we can still suffer from an attack in which a cybercriminal impersonates a legitimate access point. If we had the CA installed on our clients, that attack would fail, because the certificate is checked before the connection is established. To ensure this security, it will be necessary to set up our own FreeRADIUS server from scratch, or on a system like pfSense where we have all the configuration options available.