How to secure your Wifi with EAP-TTLS and tunneled PAP

Introduction

This HOWTO was written as a counterpoint to all the EAP-TTLS HOWTOs on the web which start with "first, install 389ds".

Although having a 389 directory server is a benefit to busy LANs which provide resources to many users, there is little benefit running it on a network such as the home network which only contains phones and tablets.

Why

The main reason to implement Extensible Authentication Protocol (EAP) in a home LAN is to avoid the ability of wardrivers to deduce your pre-shared key (PSK) from packet captures. Given a long enough PSK I doubt if this is yet an issue, but on phones and tablets a long PSK is inconvent to type in.

How

Instead of a PSK, the Wifi router will communicate over a TLS tunnel with the client, which is not believed to be crackable by a wardriver. The client which trusts the TLS certificate the Wifi router presents, will send its unencrypted password inside the tunnel and this authorises it to use the LAN.

Usual password policies should be practiced here: password length and complexity. The wardriver who tries to connect using the TLS tunnel will have to guess the username/password combination. The default rate limiting in freeradius's EAP configuration makes this infeasible for the wardriver but does introduce a possible denial of service (DOS) attack vector.

Install

Note: there are some sed-fu below which rely on commands being run in the order shown

(Optional) Get a raspberry pi 1. Local schools may be throwing these out by now.
(Optional) Install raspbian jessie.
Install freeradius from your package manager:
```
apt-get install freeradius
```
Hint: if there are errors it might be because you have old configuration still present?
Install a web server from your package manager:
```
apt-get install apache2
```
Backup the default configuration:
```
x = /etc/freeradius
cp -dpR $x{,.orig}
```
Think of a reasonably secure password.

Create an encrypted password file:

echo testuser$(openssl passwd -1 -salt `tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c8`) >> $x/passwd

Tell freeradius to use this file for authentication:

cat >> $x/modules/passwd << EOF

passwd {
	filename = $x/passwd
	format = "*User-Name:Crypt-Password:"
	hashsize = 100
	ignorenislike = no
	allowmultiplekeys = no
}
EOF

Enable this authentication inside the TLS tunnel only:

sed -i '/^#       unix/apasswd' $x/sites-default/inner-tunnel

Generate a big hex string to use as the TLS certificate password:

sed -i 's/\(private_key_password.*= \).*$/\1'`od -tx -An -N32 -w32 /dev/urandom | tr -d ' '`'/' $x/eap.conf

Grab the example certs provided by the freeradius package:
```
cp -pR /usr/share/doc/freeradius/examples/certs $x/
```

Populate some variables to avoid typing them over later:

read -p "Enter a URL you control to publish your CRL: " r
read -p "Enter your country: " c
read -p "Enter your locality: " l
read -p "Enter your organization: " o
read -p "Enter your contact email: " e
read -p "Enter a common name for this certificate" n

Populate the certificate configuration files:

sed -i 's/\(default_days.*\)= .*$/\1= 3650/' $x/certs/*.cnf
sed -i 's/\(default_md.*\)= .*$/\1= sha256/' $x/certs/*.cnf
sed -i 's/\(.*_password.*\)= .*$/\1= '`grep -m1 -o '[0-9a-fA-F]\{64\}' $x/eap.conf`'/' $x/certs/*.cnf
sed -i 's/\(crlDistributionPoints.*= \).*$/\1'$r'/' $x/certs/*.cnf

for i in certificate_authority server client
do
  sed -i '/^\['$i'\]/,/^\[/s#\(countryName.*= \).*$#\1'$c'#' $x/certs/*.cnf
  sed -i '/^\['$i'\]/,/^\[/s#\(localityName.*= \).*$#\1'$l'#' $x/certs/*.cnf
  sed -i '/^\['$i'\]/,/^\[/s#\(organizationName.*= \).*$#\1'$o'#' $x/certs/*.cnf
  sed -i '/^\['$i'\]/,/^\[/s#\(emailAddress.*= \).*$#\1'$e'#' $x/certs/*.cnf
  sed -i '/^\['$i'\]/,/^\[/s#\(commonName.*= \).*$#\1'$n'#' $x/certs/*.cnf
done

Create the certificates:
```
cd $x/certs
make
```
Make the TLS trust certificate available on the webserver:
```
cp ca.der /var/www/html/ca.crt
```
Apply the changes:
```
systemctl restart freeradius
```
Hint: if this fails, "freeradius -Fxx" is your friend!
On a wired connection, login to your Wifi router's admin panel and change the Wifi settings to use EAP.
Hint: it will be the setting that mentions "RADIUS". Also, WPA2 is preferred over WPA.
Enter the appropriate IP address of the host you installed freeradius as the RADIUS server IP address.

Testing

Have a look out your window for wardrivers. Look safe enough? Then continue.
On a tablet or phone, connect to your Wifi using EAP-TTLS and PAP using the testuser password, but skip the CA certificate part.
Navigate the device's web browser to the web server on the freeradius host and download the ca.crt file.
Follow the device's instructions for how to install the certificate.
Disconnect then reconnect to Wifi using the CA certificate this time.

If it all worked correctly, you can continue adding proper user accounts for everyone who will use your Wifi, using the "echo testuser..." command as above, but with a proper username instead of "testuser". Don't forget to systemctl restart freeradius when you are done.

Caveats

If the wardriver sets up a doppelgänger SSID your devices MUST refuse to connect to it (hence why the TLS certificate).
If you think a device has leaked its password to anyone (or if you just feel mean) you should revoke it using the following command (run on the freeradius server and replacing "testuser" with the username you wish to revoke):
```
sed -i '/^testuser:/d' /etc/freeradius/passwd
systemctl restart freeradius
```
You might also wish to reset your router to make sure any wardriver is kicked out immediately.
Depending on the feature set of your router, it might still be supporting WPA-PSK or even WEP or WPS. Check this otherwise EAP will be for naught.

Further considerations

Backup your freeradius host to a secure encrypted drive. Remember, it contains a TLS certificate signing key which you definitely don't want to make public.
Host a certificate revocation list (CRL) somewhere on your LAN.
Lock down your router to only give out IP addresses to known MACs.
Install an IDS and honeypot on your LAN with alerts sent to you and/or a big monitor.
Reduce the lifetime of the server TLS certificate.
Setup reminders for when it is time to recreate the TLS certificates.
Change the inner tunnel to use MS-CHAPv2 instead of PAP.
Do away with passwords altogether and use EAP-TLS certificates to authenticate your devices.