After setting up my wireless FreeBSD router I wanted to secure my wireless network with WPA2 Enterprise.
I’ve had a really hard time finding any good documentation on hostapd, but I finally got it to work. So why would you use WPA2 Enterprise, isn’t Personal good enough? Well, the problem these days is that anyone can set up a wireless network with the same name (SSID) as yours. If you connect to this fake network believing you are connected to your own, someone has full access to everything you send and receive. WPA2 Enterprise fixes this because the access point also has to prove its identity by presenting a valid SSL certificate that your client checks against a trusted CA. If this certificate changes you will be notified right away.
So, how do you set it up in hostapd? Well, it’s not that complex at all; the problem is that you can’t find any documentation on it.
Configuration
Here is my configuration for WPA2 Enterprise. This uses hostapd’s own internal RADIUS server, but you could as well use FreeRADIUS or some other RADIUS server out there; then you’ll have to figure out how to configure that in hostapd. 😀
/etc/hostapd.conf
interface=wlan0
driver=bsd
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=web
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
macaddr_acl=0
auth_algs=1
own_ip_addr=127.0.0.1
ieee8021x=1
eap_server=1
eapol_version=1
# Path for EAP server user database
eap_user_file=/etc/hostapd_eap_user
ca_cert=/etc/ssl/startssl.ca.pem
server_cert=/etc/ssl/domain.tld.crt
private_key=/etc/ssl/domain.tld.key
/etc/hostapd_eap_user
"peter@domain.tld" PEAP [ver=0]
"peter@domain.tld" MSCHAPV2 "passphrase" [2]
You can also set it up to require a client certificate to connect, to make it even more “secure”. It all depends on how you handle your certificates and passwords.
#"peter@domain.tld" PEAP [ver=0]
#"peter@domain.tld" TLS
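Since hostapd gives you little feedback when one of these settings is off, here is a small linter I added for this post (it is not part of hostapd and not the configuration above, just an example). It parses the two files shown, /etc/hostapd.conf and the eap_user file, and reports settings that would weaken or break the Enterprise setup: missing WPA-EAP or 802.1X, TKIP still allowed in wpa_pairwise, certificate paths missing when the internal EAP server is used, and a PEAP identity with no matching [2] phase-2 entry. The auth_server_addr and auth_server_shared_secret names it checks for the external-RADIUS case come from hostapd’s documented configuration; the sample inputs are constructed to mirror the layout of the files above.

```python
"""Lint a hostapd WPA2-Enterprise configuration before starting the daemon.

Added example, not code from the post or from hostapd. The sample inputs are
constructed to mirror the layout of the post's two files.
"""
import re
import shlex

# Constructed sample mirroring the post's /etc/hostapd.conf (trimmed).
SAMPLE_HOSTAPD_CONF = """\
interface=wlan0
driver=bsd
ssid=web
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
ieee8021x=1
eap_server=1
# Path for EAP server user database
eap_user_file=/etc/hostapd_eap_user
ca_cert=/etc/ssl/startssl.ca.pem
server_cert=/etc/ssl/domain.tld.crt
private_key=/etc/ssl/domain.tld.key
"""

# Constructed sample mirroring the post's /etc/hostapd_eap_user.
SAMPLE_EAP_USER = """\
"peter@domain.tld" PEAP [ver=0]
"peter@domain.tld" MSCHAPV2 "passphrase" [2]
"""

OPTION_RE = re.compile(r"^\[.*\]$")  # bracket options such as [2] or [ver=0]


def parse_hostapd_conf(text):
    """key=value lines into a dict; blank lines and # comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def parse_eap_user(text):
    """Each entry: identity, comma-separated methods, optional password, phase.

    shlex.split strips the quotes around identity and password, so bracket
    options are recognised by their shape rather than by quoting.
    """
    users = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        rest = tokens[2:]
        users.append({
            "identity": tokens[0],
            "methods": tokens[1].split(","),
            "password": next((t for t in rest if not OPTION_RE.match(t)), None),
            "phase": 2 if "[2]" in rest else 1,
        })
    return users


def lint_enterprise(conf, users):
    """Return a list of human-readable findings (an empty list means clean)."""
    findings = []
    if conf.get("wpa") != "2":
        findings.append("wpa must be 2 for WPA2")
    if "WPA-EAP" not in conf.get("wpa_key_mgmt", "").split():
        findings.append("wpa_key_mgmt lacks WPA-EAP, so this is not Enterprise mode")
    if conf.get("ieee8021x") != "1":
        findings.append("ieee8021x=1 is required for 802.1X/EAP authentication")
    if "TKIP" in conf.get("wpa_pairwise", "").split():
        findings.append("wpa_pairwise allows TKIP; prefer CCMP only")
    if conf.get("eap_server") == "1":
        # Internal EAP server: the AP proves its identity with these files.
        for key in ("ca_cert", "server_cert", "private_key", "eap_user_file"):
            if not conf.get(key):
                findings.append(f"eap_server=1 but {key} is not set")
    else:
        # External RADIUS: hostapd's auth_server_* keys must point at it.
        for key in ("auth_server_addr", "auth_server_shared_secret"):
            if not conf.get(key):
                findings.append(f"external RADIUS selected but {key} is not set")
    # Every tunnelled (PEAP/TTLS) phase-1 identity needs a phase-2 entry,
    # otherwise the inner authentication has nothing to match against.
    phase2 = {u["identity"] for u in users if u["phase"] == 2}
    for u in users:
        tunnelled = u["phase"] == 1 and ({"PEAP", "TTLS"} & set(u["methods"]))
        if tunnelled and u["identity"] not in phase2 and "*" not in phase2:
            findings.append(f"{u['identity']} uses {','.join(u['methods'])} but has no [2] entry")
    return findings


if __name__ == "__main__":
    for finding in lint_enterprise(parse_hostapd_conf(SAMPLE_HOSTAPD_CONF),
                                   parse_eap_user(SAMPLE_EAP_USER)):
        print("WARNING:", finding)
```

Run against the sample above it reports only the TKIP warning; the post’s configuration allows TKIP CCMP, and dropping TKIP so that only CCMP (AES) is negotiated is the one change I would make to it. Point the two parse functions at your real files to lint them instead of the samples.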
I use free host and client certificates from https://www.startssl.com, but if you want to set up your own CA you can find an excellent article here.
Update:
I have found some “documentation” in the form of well-commented configuration files.
https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
https://w1.fi/cgit/hostap/plain/hostapd/hostapd.eap_user
https://w1.fi/cgit/hostap/plain/hostapd/