Most consumer Wi-Fi routers use WPA2 Personal, which has some shortcomings in terms of security.
WPA2 Enterprise addresses these shortcomings by allowing individual username and passwords for each client, in addition to allowing for certificate-based authentication allowing clients to verify the authenticity of the access point.
This guide shows how to setup a Fedora 29 Linux system with an AWUS036NH wireless antenna to act as a secure wireless access point. You can use Hostapd and FreeRADIUS to achieve this.
Check the wireless card is detected by the OS
Determine if the system recognises the device using lsusb
1 2 | lsusb | grep -i wirelessBus 001 Device 006: ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter |
Check the adapters MAC address (we will need this later):
1 2 3 4 5 6 7 | ifconfigwlp0s21f0u1: flags=4099<up,broadcast,multicast> mtu 1500 ether 96:fe:34:a4:fa:4b txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 |
Configure NetworkManager to ignore the device, based on the MAC address:
1 2 3 | vi /etc/NetworkManager/NetworkManager.conf[keyfile]unmanaged-devices=mac:96:fe:34:a4:fa:4b |
Restart NetworkManager for the change to take effect:
1 | systemctl restart NetworkManager.service |
Setting up Hostapd
Install the necessary packages:
1 | dnf install hostapd freeradius iptables |
Start by creating certificates required for authentication:
1 2 3 | cd /etc/raddb/certs/rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*./bootstrap |
Copy the certificates to the hostapd directory to prevent selinux triggering:
1 | cp /etc/raddb/certs/* /etc/hostapd/certs/ |
Modify the hostapd configuration file, including the below parameters:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 | vi /etc/hostapd/hostapd.confinterface=wlp0s21f0u1driver=nl80211ssid=WLAN1channel=6auth_algs=1eap_server=1ieee8021x=1eapol_version=2wpa=2wpa_key_mgmt=WPA-EAPwpa_pairwise=TKIPrsn_pairwise=CCMPeap_user_file=/etc/hostapd/hostapd.eap_userca_cert=/etc/hostapd/certs/ca.pemserver_cert=/etc/hostapd/certs/server.pemprivate_key=/etc/hostapd/certs/server.keyprivate_key_passwd=whateverdh_file=/etc/hostapd/certs/dhlogger_syslog=-1logger_syslog_level=2logger_stdout=-1logger_stdout_level=2ctrl_interface=/var/run/hostapdctrl_interface_group=0hw_mode=gieee80211n=1wme_enabled=1 |
Configure Users
1 2 3 4 | vi /etc/hostapd/hostapd.eap_user* PEAP,TTLS"testaccount1" MSCHAPV2 "SuperSecretPassword1" [2]"testaccount2" MSCHAPV2 " SuperSecretPassword2" [2] |
Install DNSMasq
DNSMasq provides DHCP services for the access point.
1 2 3 | vi /etc/dnsmasq.confinterface=wlp0s21f0u1dhcp-range=192.168.2.4,192.168.2.50,255.255.255.0,24h |
1 | systemctl start dnsmasq.service |
Enable IP Forwarding
Enabling IP forwarding allows the system to forward traffic from the Wi-Fi adapter through the default gateway.
1 | sysctl net.ipv4.ip_forward=1 |
Make the change permanent by changing /etc/sysctl.conf:
1 2 | vi /etc/sysctl.confnet.ipv4.ip_forward=1 |
Ensure network address translation is applied to traffic leaving the external interface (in this case enp2s0):
1 | iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE |
Save the rules to run on reboot:
1 | iptables-save > /etc/sysconfig/iptables |
Set services to start on boot
1 2 3 | systemctl enable hostapd.servicesystemctl enable dnsmasq.servicesystemctl enable iptables |
That’s it! You should now be able to connect to the wireless access point. You will be prompted to verify the server certificate the first time you connect, and then for the username and password previously configured.