
Why WPA2 with Shared Keys is Insecure (And What to Do About It)

This is an overview of using WPA2-Enterprise. If you are in the home market you may find that many consumer routers do not support enterprise features, and if your router does not support it you simply cannot use it. To check, go into your Wi-Fi settings and, under Wi-Fi security, open the drop-down box and see which options appear, as below:


In the image above you can see the desired setting, WPA2-Enterprise. When that option is selected, the shared-secret field changes into the options we will use later, once the RADIUS set-up is complete:

The Problem with WPA2-PSK (Pre-Shared Key)

I've seen many networks running WPA2 with a shared passphrase, thinking they're secure. The reality is more concerning than most realize. When you use WPA2-PSK, every device on your network shares the same key. This creates several critical vulnerabilities:

  1. Single Point of Failure: If one person leaves your organization or one device gets compromised, you'd need to change the password on every single device to maintain security. In practice, this rarely happens.
  2. No Individual Accountability: You can't track which specific user is doing what on your network. Everyone appears the same to your logging systems.
  3. Key Distribution Problem: How do you securely share that 20+ character WPA2 password? Usually it ends up written on whiteboards, sent in emails, QR codes or shared verbally - all insecure methods.
  4. Offline Dictionary Attacks: An attacker can capture the 4-way handshake and run offline brute-force attacks against your password without you ever knowing (I have a couple of write-ups of this exact process on this blog).
This is an example QR code that will automatically join the Wi-Fi using PSK:

WPA2-Enterprise: A Better Approach

WPA2-Enterprise solves these problems by using IEEE 802.1X authentication. Instead of sharing a single password, each user authenticates with individual credentials to a RADIUS server, inside a TLS tunnel protected by the server's certificate.

  1. Individual Authentication: Each user has unique credentials. When someone leaves, I simply disable their account - no network-wide password changes needed.
  2. Certificate-Based Trust: The authentication relies on certificates, not just passwords. This prevents man-in-the-middle attacks that plague shared key systems.
  3. Centralized Management: I can manage all wireless access from a single RADIUS server, with detailed logging of who connects when.
  4. No Shared Secrets: There's no network password to compromise or share insecurely.

Complete WPA2-Enterprise Setup Guide

I'm setting up a FreeRADIUS server on a Kali Linux thin client. This will provide enterprise-grade wireless authentication with trusted certificates that won't generate security warnings on devices.

Step 1: Install Required Packages

sudo apt update
sudo apt install freeradius freeradius-utils certbot

Step 2: Get Let's Encrypt Certificate

# Replace radius.croucher.cloud with your own domain throughout.
# Standalone mode answers the HTTP-01 challenge itself, so TCP port 80 on this host must be reachable from the internet while certbot runs.
sudo certbot certonly --standalone -d radius.croucher.cloud

# Copy certificates to FreeRADIUS directory
sudo cp /etc/letsencrypt/live/radius.croucher.cloud/fullchain.pem /etc/freeradius/3.0/certs/server.crt
sudo cp /etc/letsencrypt/live/radius.croucher.cloud/privkey.pem /etc/freeradius/3.0/certs/server.key
sudo chown freerad:freerad /etc/freeradius/3.0/certs/server.*

Step 3: Configure Users with Hashed Passwords

# Generate the NT hash of the password (MD4 over the UTF-16LE password); smbencrypt ships with freeradius-utils.
# PEAP/MSCHAPv2 can only be verified against NT-Password or Cleartext-Password, so a SHA-256 digest would not work here.
smbencrypt '<password>'

Edit /etc/freeradius/3.0/users and add your users:

sudo nano /etc/freeradius/3.0/users

Add at the top of the file, pasting the value from the "NT Hash" column:

# WiFi Users - replace the hash with your generated one
lee.croucher    NT-Password := "<nt_hash_from_smbencrypt>"

The NT hash is unsalted and fast to compute, so it protects against casual disclosure rather than offline guessing: keep the users file readable only by root and the freerad user.

Step 4: Configure Access Point Connection

Edit /etc/freeradius/3.0/clients.conf:

sudo nano /etc/freeradius/3.0/clients.conf

Add your wireless access point (replace IP with your AP's IP):

client wireless_ap {
    ipaddr = 192.168.86.1
    secret = <sharedsecret>
    require_message_authenticator = yes
}

Step 5: Configure EAP/TLS Settings

Edit /etc/freeradius/3.0/mods-enabled/eap:

sudo nano /etc/freeradius/3.0/mods-enabled/eap

Find the eap, tls-config tls-common and peap sections and set the values below, leaving the remaining defaults in place:

eap {
    # Outer method offered to clients; PEAP wraps the password exchange in TLS
    default_eap_type = peap

    tls-config tls-common {
        # Let's Encrypt key and full chain copied in Step 2
        private_key_file = /etc/freeradius/3.0/certs/server.key
        certificate_file = /etc/freeradius/3.0/certs/server.crt
        cipher_list = "HIGH"
        cipher_server_preference = yes
        # Refuse TLS 1.0/1.1 handshakes from old supplicants
        tls_min_version = "1.2"
    }

    peap {
        # Inner method; MSCHAPv2 needs NT-Password or Cleartext-Password in the users file
        default_method = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }
}

Step 6: Start and Enable FreeRADIUS

# Enable and start the service
sudo systemctl enable freeradius
sudo systemctl start freeradius

# Check status
sudo systemctl status freeradius

Step 7: Test Authentication

# Test with one of your users (use the actual password, not the hash); testing123 is the
# stock secret for the localhost client in clients.conf. radtest defaults to PAP, so pass
# -t mschap to exercise the same NT-Password check the PEAP/MSCHAPv2 clients will use.
radtest -t mschap lee.croucher <password> localhost 0 testing123

# You should see "Access-Accept" if successful

Step 8: Configure Your Wireless Access Point

In your AP's settings:

  • Authentication Type: WPA2-Enterprise
  • RADIUS Server IP: 192.168.86.250
  • RADIUS Port: 1812
  • Shared Secret: <sharedsecret>

Step 9: Set Up Certificate Auto-Renewal

sudo crontab -e

Add this line for automatic renewal:

0 3 * * * certbot renew --post-hook "cp /etc/letsencrypt/live/radius.croucher.cloud/fullchain.pem /etc/freeradius/3.0/certs/server.crt && cp /etc/letsencrypt/live/radius.croucher.cloud/privkey.pem /etc/freeradius/3.0/certs/server.key && chown freerad:freerad /etc/freeradius/3.0/certs/server.* && systemctl restart freeradius"

Step 10: Client Device Configuration

When connecting devices to your WiFi:

  • Security: WPA2-Enterprise
  • EAP Method: PEAP
  • Phase 2 Authentication: MSCHAPv2
  • Server Certificate: radius.croucher.cloud
  • Username: lee.croucher
  • Password: <password>

Troubleshooting

If authentication fails:

# Run FreeRADIUS in debug mode
sudo systemctl stop freeradius
sudo freeradius -X

This will show detailed logs of authentication attempts.

Adding New Users

To add new users later:

# Generate the NT hash for the new password (smbencrypt is part of freeradius-utils)
smbencrypt 'newuserpass'

# Append the entry to /etc/freeradius/3.0/users, pasting the value from the "NT Hash" column
echo 'newuser    NT-Password := "generated_hash_here"' | sudo tee -a /etc/freeradius/3.0/users

# Restart service
sudo systemctl restart freeradius

Conclusion

Moving from WPA2-PSK to WPA2-Enterprise significantly improves your wireless security posture. The individual authentication, certificate-based trust, and centralized management provide much better security than shared keys ever could.

The initial setup requires more effort, but the long-term security and management benefits make it worthwhile for any organization serious about wireless security.
