Synology usage series 32 – Setup Wifi WPA2 Enterprise with Freeradius+Openldap/Client Certificate


Tomato Router Setup

Since I only have a Tomato router (Linksys WRT54G) at the moment, the instructions here are based on Tomato.

  1. Open a browser and go to the router's admin console, e.g. http://192.168.0.1
  2. Navigate to the wireless settings menu: Basic/Network/Wireless
  3. Security: WPA2 Enterprise
    Encryption: TKIP or AES, up to you
    Shared Key: [the secret assigned to this router in /opt/etc/raddb/clients.conf]
    Radius Server: [DiskStation IP address] : [RADIUS port 1812]

    Tomato WPA2 Enterprise Setting

  4. Save the settings

Vista Wireless Client Setup

  1. Copy the following files to the PC:
    
    /opt/etc/raddb/certs/ca.der
    /opt/etc/raddb/certs/client.p12
    
  2. Install root certificate
    • Double-click on ca.der.
    • In the “Certificate” property box, click Install Certificate.
    • In the Wizard, click Next.
    • Choose Place all certificates in the following store, and choose “Trusted Root Certification Authorities”.
    • Click Next to finish.
  3. Install the client certificate (skip this step if you do not plan to authenticate users with a client certificate)
    • Double-click on client.p12.
    • In the Wizard, click Next and Next again.
    • You will be asked for a password. This is the output_password specified for the client certificate (refer to client.cnf).
    • Choose Automatically select the certificate store based on the type of certificate.
    • Click Next to finish.
  4. Manage wireless networks
    • At Network and Sharing Center menu, click Manage wireless networks.
    • Right-click the highlighted SSID and select Properties.

      Check Connect automatically when this network is in range
      Check Connect to a more preferred network if available
      Check Connect even if the network is not broadcasting

    • Click the Security tab

      Security type: WPA2 Enterprise
      Encryption type: AES or TKIP
      EAP Type: EAP (PEAP)
      Choose a network authentication method: Protected EAP (PEAP)

      For debugging purposes, uncheck Cache user information for subsequent connections to this network.

      Once the setup is tested and working, we can enable Cache user information again.

      ** Note: the settings here MUST match the settings on the router.

      Click the Settings button.

      Check Validate server certificate (so the client refuses an access point whose RADIUS certificate is not signed by your CA)

      In the 'Trusted Root Certification Authorities' list box, select your RADIUS CA certificate.

      Select Authentication Method: Secured password (EAP-MSCHAP v2)

      Check Enable Fast Reconnect

      Click the Configure button

      UNCHECK Automatically use my Windows logon name and password

Done!! Now connect to your access point and you should be prompted for your LDAP username and password.

*** IMPORTANT: the SambaNTPassword and SambaLMPassword attributes are needed on the LDAP user entries, because EAP-MSCHAPv2 is verified against the NT hash rather than the userPassword. Refer to modding series 9 for details on creating these two Samba attributes for your wifi users.
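To catch that pitfall before a user tries to connect, here is an added check (example code, not from the original post) that lints an LDIF export of the wifi users for both Samba attributes; the LDIF, DNs and hash values in it are constructed sample data.

```python
# Added example, not from the original post: lint LDAP users for the Samba
# attributes EAP-MSCHAPv2 needs. The LDIF below is constructed sample data.
import base64
import re

SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=example,dc=com
objectClass: sambaSamAccount
cn:: QWxpY2UgV29uZGVybGFuZA==
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaLMPassword: FEDCBA9876543210FEDCBA9876543210

dn: uid=bob,ou=users,dc=example,dc=com
objectClass: sambaSamAccount
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=carol,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
"""

REQUIRED = {"sambantpassword": "sambaNTPassword", "sambalmpassword": "sambaLMPassword"}
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")  # NT/LM hashes: 16 bytes stored as hex

def parse_ldif(text):
    """Minimal LDIF reader: folds continuation lines, decodes '::' base64 values."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode()
            entry.setdefault(attr.strip().lower(), []).append(value.strip())  # names are case-insensitive
        entries.append(entry)
    return entries

def check_wifi_users(ldif_text):
    """Map each DN that FreeRADIUS mschap could not authenticate to its problems."""
    problems = {}
    for entry in parse_ldif(ldif_text):
        issues = []
        for key, name in REQUIRED.items():
            values = entry.get(key)
            if not values:
                issues.append(f"missing {name}")
            elif not HEX32.match(values[0]):
                issues.append(f"{name} is not a 32-hex-digit hash")
        if issues:
            problems[entry["dn"][0]] = issues
    return problems
```

Run it against a real export (e.g. the output of ldapsearch -LLL) and fix every DN it reports before pointing the wifi users at the access point.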
