Introduction

A more secure way than using pre-shared keys (WPA2) is to use EAP-TLS and use separate certificates for each device. In the previous tutorial Linux Router with VPN on a Raspberry Pi I mentioned I'd be doing this with a (Ubiquiti UniFi AP). I have tested this with two phones running CyanogenMod 11 (Android 4.4.4).

Installation

Install freeradius and haveged. You'll need haveged to increase randomness of /dev/random Entropy and randomness. When feature 3465 is resolved if you have a Raspberry Pi you could use it's own hardware random number generator (bcm2708-rng).

apk add freeradius freeradius-eap haveged

Certificates

You will want to create your certificates. The easiest way to do that is to use the scripts provided by FreeRadius. The scripts allow you to easily create a CA (certificate authority), Server certificate, and Client certificates. Remember to increase the expiry time from 60 days if that doesn't suit you and fill in the other information in the .cnf files like the README says.

The readme for that script is in /etc/raddb/certs/README or can be found here.

Certificate Revocation List

The CRL is not created by the script, you have to do that one manually.

I created a file called crl.cnf:

[ ca ]
default_ca		= CA_default

[ CA_default ]
dir			= ./
certs			= $dir
crl_dir			= $dir/crl
database		= $dir/index.txt
new_certs_dir		= $dir
certificate		= $dir/ca.pem
serial			= $dir/serial
crl			= $dir/crl.pem
private_key		= $dir/ca.key
RANDFILE		= $dir/.rand
name_opt		= ca_default
cert_opt		= ca_default
default_days		= 730
default_crl_days	= 730
default_md		= sha256
preserve		= no
policy			= policy_match
crlDistributionPoints	= URI:http://www.example.com/example_ca.crl

[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ req ]
prompt			= no
distinguished_name	= cacrl
default_bits		= 2048
input_password		= <password1>
output_password		= <password2>
x509_extensions		= v3_ca

[certificate_authority]
countryName		= <COUNTRY_CODE>
stateOrProvinceName	= Radius
localityName		= <REGION>
organizationName	= FreeRadius
emailAddress		= freeradius@localhost 
commonName		= "FreeRadius Certificate Authority"

[v3_ca]
subjectKeyIdentifier	= hash
authorityKeyIdentifier	= keyid:always,issuer:always
basicConstraints	= CA:true
crlDistributionPoints	= URI:http://www.example.com/example_ca.crl

Create the revocation list:

openssl ca -gencrl -keyfile ca.key -cert ca.pem -out crl.pem -config crl.cnf

Finally, create new file which will hold both CA and revoked certificates:

cat ca.pem crl.pem > cacrl.pem

Create the Diffie-Hellman file

openssl dhparam -check -text -5 1024 -out /etc/raddb/certs/dh

References

• https://forums.freebsd.org/threads/howto-wpa2-enterprise-with-freeradius.28467
• https://samhobbs.co.uk/2013/12/remove-network-may-be-monitored-by-an-unknown-third-party-in-android-4-4-kitkat