Synology usage series 32 – Setup Wifi WPA2 Enterprise with Freeradius+Openldap/Client Certificate


More wireless client configuration

Windows 7

Setup on Windows 7 is exactly the same as on Vista, with one extra step, described below.

In the wireless Network Properties, where you choose security type and encryption type of your wifi access point, click Advanced settings.

In the 802.1x settings, click ‘Specify authentication mode:’ and then select ‘User authentication’.

Windows 7 – 802.1x settings – advanced settings

Android

Modify the wifi network with the following settings.

Security: 802.1x EAP
EAP method: PEAP
Phase 2 authentication: MSCHAPV2
CA certificate: (unspecified)
User certificate: (unspecified)
Identity: [ldap user name]
Anonymous identity: [blank]
Password: [ldap user password]

Click Save.

I did not bother with installing the CA/client cert on the phone yet. Of course this will introduce a man-in-the-middle attack risk, but I need to get things working first. I’ll update here later about the certs thing for Android.

Update Nov 23 2011: Installing the CA and client certificates on an Android phone

You need to install the CA/client certificates on your phone only if you enforce client certificates. If you did not generate a client certificate, just skip the steps here.

First, go to Settings / Location & Security settings / Credential storage / Set password and enter your password. We will need this password when installing the CA cert on the phone.

Installing client certificate

Copy client.p12 to the ROOT of the phone’s SD card/USB storage. Then go to Settings / Location & Security / Credential Storage / Install from SD card. Enter the output password of your client’s certificates.

Installing server certificate

To install the CA’s certificate, log in to the Diskstation as root.


# cp /opt/etc/raddb/certs/ca.pem /volume1/web/ca.pem
# chown nobody:nobody /volume1/web/ca.pem

Create /volume1/web/cert.php with the code below:


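<?php
// Send ca.pem with the X.509 CA certificate MIME type so the phone's
// browser hands it to the certificate installer. No trailing newline
// belongs in the header string.
header("Content-Type: application/x-x509-ca-cert");
readfile('ca.pem');
?>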

Then open the stock browser on your Android phone and enter the URL

http://192.168.1.100/cert.php

Replace the IP address 192.168.1.100 with your NAS address.

Once both the CA and client certificates are installed, go back to the wifi setup and select the CA cert and client cert from the list.
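
A check worth running around the copy step above, as an added example that is not part of the original post: it confirms that the file placed in the web root is the same CA certificate FreeRADIUS uses, carries no private key, and is not close to expiry, and it prints the SHA-256 fingerprint for reference, since the phone fetches the file over plain HTTP. The function names and the 30-day threshold are assumptions, and the openssl command-line tool must be installed.

```shell
#!/bin/sh
# Added example: sanity-check the CA file published in the web root.
# Function names and the 30-day expiry threshold are assumptions.

# Print the SHA-256 fingerprint of the first certificate in a PEM file.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# check_published ORIGINAL PUBLISHED
# Returns 0 only if PUBLISHED is safe to serve and identical to ORIGINAL.
check_published() {
    orig=$1; pub=$2
    # A file served from the web root must never carry key material.
    if grep -q -- "PRIVATE KEY-----" "$pub"; then
        echo "FAIL: $pub contains a private key" >&2; return 2
    fi
    fp_orig=$(cert_fp "$orig"); fp_pub=$(cert_fp "$pub")
    if [ -z "$fp_orig" ] || [ -z "$fp_pub" ]; then
        echo "FAIL: could not parse a certificate" >&2; return 3
    fi
    # The published copy must be byte-for-byte the same certificate.
    if [ "$fp_orig" != "$fp_pub" ]; then
        echo "FAIL: published copy differs from original" >&2; return 4
    fi
    # Refuse a CA certificate that expires within 30 days (2592000 s).
    if ! openssl x509 -in "$pub" -noout -checkend 2592000 >/dev/null; then
        echo "FAIL: certificate expires within 30 days" >&2; return 5
    fi
    echo "OK sha256=$fp_pub"
}

# Usage on the NAS (paths from this page):
#   check_published /opt/etc/raddb/certs/ca.pem /volume1/web/ca.pem
```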




