The problem with WPA2 Personal is that it uses a pre-shared key (PSK) for its authentication, which is transmitted through the air as a hash. A few years ago a really good pre-shared key and a unique AP name might have been enough, but with the availability of rainbow tables running into the terabytes of pre-computed hash values, and cloud services providing cheap WPA/WPA2 password cracking, it is becoming easier for attackers to gain access to your wireless networks.
A more secure way to do wireless authentication is WPA2 Enterprise with EAP-TLS, using 4096-bit certificates against a RADIUS server backend. I am going to cover the WPA2 Enterprise wireless setup with EAP-TLS in this post and then do the RADIUS configuration and wireless pass-through authentication in another.
I am assuming you have already set up a wireless AP. If not, follow the guide here to get one going.
Creating a connection with EAP-TLS on the MikroTik can sometimes be a bit buggy, but most of the time it's fine.
What I am using:
- Board Name RB2011UiAS-2HnD
- Software Version 6.27
- Fedora 20 on MBP Retina
Make the certs
Most of the following is based on the MikroTik documentation found here.
The first thing to do is create a personal CA and the SSL/TLS certificates that we are going to hand out to our clients. SSH into your MikroTik, log in as the admin user and run the following commands.
The key size should be large enough to make it very hard to brute force before the certificate expires in the default 365 days. Generating the keys might take 10-20 seconds because of the size (4096 bits), but the wait is well worth the level of security.
/certificate
add name=ca-template common-name=MyCA key-usage=key-cert-sign,crl-sign key-size=4096
add name=router-tls-template common-name=router-tls key-size=4096
add name=admin-template common-name=admin-client key-size=4096
add name=client-template common-name=client key-size=4096
I am using the admin IP address of my MikroTik router for ca-crl-host, which is 192.168.88.1 by default.
/certificate
sign number=0 ca-crl-host=192.168.88.1 name=MyCA
sign ca=MyCA number=1 name=router-tls
sign ca=MyCA number=2 name=admin-client
sign ca=MyCA number=3 name=client
We now need to mark the certificates that should be trusted as trusted.
/certificate
set MyCA trusted=yes
set router-tls trusted=yes
Now we want to export the client certificates for installation on said clients. The export-passphrase directive below is the passphrase protecting your certificate, so I would advise you make it nice and long and then add it to a password database for later use.
/certificate export-certificate MyCA
/certificate export-certificate admin-client export-passphrase=make_the_passphrase_something_fucking_long_and_crazy1
/certificate export-certificate client export-passphrase=make_the_passphrase_something_fucking_long_and_crazy2
Log in to the web console, go to the Files menu item and download the certificates MyCA and client.
Once we have the certificates, install them into the clients. I am running Fedora 20 using NetworkManager on a MBP Retina.
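As an added example, not from the original post (which configured the client through NetworkManager), here is the same installation done by hand for wpa_supplicant: the three exported files are copied into an owner-only directory and a matching WPA2 Enterprise EAP-TLS network block is generated. The file names, the destination directory and the identity are assumptions; the passphrase is the one given to export-passphrase above. Because private_key_passwd sits in the resulting config in clear text, the last function refuses any config that is readable by other users.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed (hypothetical) inputs:
# the CA certificate plus the client certificate and encrypted key as downloaded
# from the router's Files menu.
set -eu

# Copy the exported files into DEST with owner-only permissions.
# Usage: install_eap_tls_certs DEST ca.crt client.crt client.key
install_eap_tls_certs() {
    dest=$1; ca=$2; crt=$3; key=$4
    mkdir -p "$dest"
    chmod 700 "$dest"
    cp "$ca" "$dest/ca.crt"
    cp "$crt" "$dest/client.crt"
    cp "$key" "$dest/client.key"
    chmod 644 "$dest/ca.crt" "$dest/client.crt"
    chmod 600 "$dest/client.key"   # the key is passphrase-protected, keep it owner-only anyway
}

# Print a wpa_supplicant network block for WPA2 Enterprise (RSN/CCMP) with EAP-TLS.
# ca_cert pins the CA, so a rogue AP with a certificate from another CA is rejected.
# Usage: eap_tls_network SSID IDENTITY CERTDIR PASSPHRASE
eap_tls_network() {
    ssid=$1; identity=$2; dir=$3; passphrase=$4
    cat <<EOF
network={
    ssid="$ssid"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="$identity"
    ca_cert="$dir/ca.crt"
    client_cert="$dir/client.crt"
    private_key="$dir/client.key"
    private_key_passwd="$passphrase"
}
EOF
}

# Return 0 only if FILE is readable by its owner alone (mode 600 or 400):
# the config carries the private key passphrase and must not be world-readable.
config_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}
```

Typical use on the client (paths assumed): run install_eap_tls_certs /etc/wpa_supplicant/eap-tls with the three downloaded files, write the output of eap_tls_network "YourSSID" admin-client /etc/wpa_supplicant/eap-tls "$PASSPHRASE" to /etc/wpa_supplicant/wpa_supplicant-wlp3s0.conf, chmod it to 600 and confirm with config_is_private before starting wpa_supplicant.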
Now go back to the web interface and create a Security Profile under the Wireless web config that looks like the following:
Once the Security Profile is complete you can go back to the Wireless AP configuration page and change the Security Profile it is set to use to your new one, if you need to.
You should now be able to authenticate to the wireless network with your installed certificate and certificate passphrase.
Once you have successfully connected you should see something like the following in /var/log/wpa_supplicant.log:
wlp3s0: Trying to associate with 00:11:22:33:44:55 (SSID='YourSSID' freq=2422 MHz)
wlp3s0: Associated with 00:11:22:33:44:55
wlp3s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp3s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
wlp3s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
wlp3s0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/CN=MyCA'
wlp3s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=admin-client'
wlp3s0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
wlp3s0: WPA: Key negotiation completed with 00:11:22:33:44:55 [PTK=CCMP GTK=CCMP]
wlp3s0: CTRL-EVENT-CONNECTED - Connection to 00:11:22:33:44:55 completed [id=0 id_str=]
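Reading that log by eye works once; as an added example (not part of the original post) the check below turns it into something you can run after every connect: it confirms that EAP-TLS (method 13) was the selected method, that the certificate chain presented by the AP is anchored at your own CA, that EAP succeeded, and that both the pairwise and group ciphers are CCMP. The sample log lines are constructed to match the shape of the output above, not captured from a real AP, and the log path is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post. The sample log written by
# write_sample_log is constructed; the expected CA common name is a parameter.
set -eu

# Return 0 when LOGFILE shows a completed EAP-TLS session against the expected CA,
# 1 (with a reason on stdout) otherwise.
# Usage: eap_tls_session_ok LOGFILE EXPECTED_CA_CN
eap_tls_session_ok() {
    log=$1; ca_cn=$2
    grep -qF 'CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected' "$log" \
        || { echo "EAP-TLS was not the selected method"; return 1; }
    # depth=1 is the issuer of the certificate the AP presented: it must be our CA,
    # otherwise the client has been talking to something signed by someone else.
    grep -qF "CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/CN=$ca_cn'" "$log" \
        || { echo "peer chain is not anchored at /CN=$ca_cn"; return 1; }
    grep -qF 'CTRL-EVENT-EAP-SUCCESS' "$log" \
        || { echo "EAP authentication did not complete"; return 1; }
    grep -q 'Key negotiation completed with .* \[PTK=CCMP GTK=CCMP\]' "$log" \
        || { echo "pairwise or group cipher is not CCMP"; return 1; }
    return 0
}

# Count EAP failures in LOGFILE; a rising count is a cheap client-side signal that
# something is repeatedly failing (or being refused) authentication.
eap_failures() {
    grep -c 'CTRL-EVENT-EAP-FAILURE' "$1" || true
}

# Write a constructed wpa_supplicant log to FILE, with CA_CN as the depth=1 subject.
# Usage: write_sample_log FILE CA_CN
write_sample_log() {
    cat > "$1" <<EOF
wlp3s0: Trying to associate with 00:11:22:33:44:55 (SSID='YourSSID' freq=2422 MHz)
wlp3s0: Associated with 00:11:22:33:44:55
wlp3s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp3s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
wlp3s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
wlp3s0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/CN=$2'
wlp3s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=admin-client'
wlp3s0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
wlp3s0: WPA: Key negotiation completed with 00:11:22:33:44:55 [PTK=CCMP GTK=CCMP]
wlp3s0: CTRL-EVENT-CONNECTED - Connection to 00:11:22:33:44:55 completed [id=0 id_str=]
EOF
}
```

On a real client run eap_tls_session_ok /var/log/wpa_supplicant.log MyCA (log path assumed); a non-zero exit with the printed reason tells you which of the four expectations the last session missed.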
You can also create wireless AP access lists, which allow you to permit and deny devices based on criteria like MAC address (which I know can be changed via macchanger, but one more layer that is easy to configure does not hurt) and time of day. Information on how to do that is here.