March 11, 2020 · home project

Configuring WPA2 Enterprise with RADIUS on UniFi

I recently set up WPA2 Enterprise on our home UniFi network. WPA2 Enterprise (also known as WPA2-802.1X) offers several key advantages over WPA Personal, the two main ones being able to authenticate the access point using TLS certificates and to use unique credentials per supplicant.

The theory

802.1X is an IEEE standard for port-based network access control and uses the Extensible Authentication Protocol (EAP) to negotiate credentials. 802.1X works for both LAN and WLAN, therefore you can authenticate both Wi-Fi and ethernet clients plugged into a switch on your network.

EAP itself is merely a framework and does not define any authentication mechanisms or encryption, however there are many authentication methods available. In our case, the flavor of EAP we are using is PEAP-MSCHAPv2. PEAP is a separate standard developed by Microsoft (and others) which encapsulates EAP in a TLS tunnel, providing the encryption and server authentication that we want. Then inside PEAP, MSCHAPv2 is used to perform the challenge-handshake. MSCHAPv2 is considered completely broken as brute-force attacks can recover the keys 100% of the time, but this is okay as the handshake is done inside PEAP. PEAP-MSCHAPv2 is the most popular and widely supported configuration, due to it being the only configuration supported by Microsoft Windows.

EAP defines three parties in the authentication process:

For a (very) in-depth tour of the flow, have a look at this.

The setup

The setup itself is relatively straightforward, that's why I like UniFi products.

Configuring FreeRADIUS

The first step is to enable the RADIUS server in Settings > Gateway > RADIUS. The shared secret can be long as you never need to enter it in anywhere, it is used for the authenticators to talk to the RADIUS server. Once enabled, you can create a new user. These are the credentials that are entered when you connect to the network. I have also set a VLAN ID for the user, when connected, the user will be automatically put into the correct network with the matching VLAN ID. If you do want VLAN IDs assigned, make sure you enable RADIUS assigned VLAN IDs in Settings > Configuration Profiles > RADIUS.

If you would like to install custom TLS certificates for RADIUS server, first generate a CA and server certificate for the PKI. I have found  cfssl to be the easiest tool to use, easier than easy-rsa and definitely more straightforward than openssl.

Once generated, scp and replace the exising certificates on the USG in /etc/freeradius/certs with the new ones and restart FreeRADIUS with service freeradius restart.

Creating the networks

This should be pretty self explanatory. We create a new network with (an optional) VLAN ID 10, then create a Wi-Fi network using WPA Enterprise and the default RADIUS profile.

With RADIUS assigned VLAN IDs enabled, you can create more networks with different VLAN IDs. RADIUS users connecting to your Wi-Fi network will automatically be put into the correct network.

Result

It's working great on MacOS, iOS, and the HomePods. The Apple TV however, requires a MDM profile and I'm still trying to wrangle with Apple Configurator 2 to create a working profile.