FreeRadius EAP-TLS configuration
A more secure way than using pre-shared keys (WPA2) is to use EAP-TLS and use separate certificates for each device. In the previous tutorial Linux Router with VPN on a Raspberry Pi I mentioned I'd be doing this with a (Ubiquiti UniFi AP). I have tested this with two phones running CyanogenMod 11 (Android 4.4.4).
Install freeradius and haveged. You'll need haveged to increase randomness of /dev/random Entropy and randomness. When feature 3465 is resolved if you have a Raspberry Pi you could use it's own hardware random number generator (bcm2708-rng).
You will want to create your certificates. The easiest way to do that is to use the scripts provided by FreeRadius. The scripts allow you to easily create a CA (certificate authority), Server certificate, and Client certificates. Remember to increase the expiry time from 60 days if that doesn't suit you and fill in the other information in the .cnf files like the README says.
The readme for that script is in /etc/raddb/certs/README or can be found here.
Certificate Revocation List
The CRL is not created by the script, you have to do that one manually.
I created a file called crl.cnf:
[ ca ] default_ca = CA_default [ CA_default ] dir = ./ certs = $dir crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir certificate = $dir/ca.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/ca.key RANDFILE = $dir/.rand name_opt = ca_default cert_opt = ca_default default_days = 730 default_crl_days = 730 default_md = sha256 preserve = no policy = policy_match crlDistributionPoints = URI:http://www.example.com/example_ca.crl [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] prompt = no distinguished_name = cacrl default_bits = 2048 input_password = <password1> output_password = <password2> x509_extensions = v3_ca [certificate_authority] countryName = <COUNTRY_CODE> stateOrProvinceName = Radius localityName = <REGION> organizationName = FreeRadius emailAddress = freeradius@localhost commonName = "FreeRadius Certificate Authority" [v3_ca] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always basicConstraints = CA:true crlDistributionPoints = URI:http://www.example.com/example_ca.crl
Create the revocation list:
Finally, create new file which will hold both CA and revoked certificates: