
FreeRADIUS is great, and I wouldn't use anything else.

But to increase the adoption of EAP, what would be better is a super simple daemon, you point it at LDAP or a file, and it sets itself up for PEAP or EAP-TTLS and you just have to point your APs at it. FreeRADIUS is far too complex for most use cases.

I note that many APs now come with nice web interfaces and can integrate with LDAP and Active Directory directly, which is a great step forward.

Ideally AD would support something like SRP directly so you wouldn't even need server certificates.



> But to increase the adoption of EAP, what would be better is a super simple daemon, you point it at LDAP or a file, and it sets itself up for PEAP or EAP-TTLS and you just have to point your APs at it.

You mean like hostapd provides? :)

  ##### Integrated EAP server ###################################################
  
  # Optionally, hostapd can be configured to use an integrated EAP server
  # to process EAP authentication locally without need for an external RADIUS
  # server. This functionality can be used both as a local authentication server
  # for IEEE 802.1X/EAPOL and as a RADIUS server for other devices.
  
  # Use integrated EAP server instead of external RADIUS authentication
  # server. This is also needed if hostapd is configured to act as a RADIUS
  # authentication server.
  eap_server=0
  
  # Path for EAP server user database
  # If SQLite support is included, this can be set to "sqlite:/path/to/sqlite.db"
  # to use SQLite database instead of a text file.
  #eap_user_file=/etc/hostapd.eap_user

https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
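A minimal working pair of files for the setup that hostapd comment describes, added here as an illustration and not taken from the thread or from the hostapd project: the AP runs the integrated EAP server against a flat user file, so no external RADIUS server is needed. The interface, SSID, certificate paths, file paths and user entries are assumed placeholders.

```ini
# --- /etc/hostapd/hostapd.conf (assumed path) ---
# Radio and SSID (placeholders)
interface=wlan0
ssid=example-enterprise
hw_mode=g
channel=6
auth_algs=1

# WPA2-Enterprise: key management via EAP, CCMP pairwise cipher
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP

# Run IEEE 802.1X and let hostapd answer EAP itself instead of
# forwarding requests to an external RADIUS server.
ieee8021x=1
eap_server=1
eap_user_file=/etc/hostapd/hostapd.eap_user

# Server certificate presented inside the PEAP/TTLS TLS tunnel.
# Clients should pin this CA so they only hand credentials to this server.
ca_cert=/etc/hostapd/ca.pem
server_cert=/etc/hostapd/server.pem
private_key=/etc/hostapd/server.key

# --- /etc/hostapd/hostapd.eap_user (assumed path) ---
# Phase 1 (outer identity, sent in the clear): any identity may open a
# PEAP or TTLS tunnel; the real authentication happens in phase 2.
*           PEAP,TTLS

# Phase 2 (inside the tunnel): per-user credentials, marked with [2].
# Placeholder users and passwords; MSCHAPV2 entries may also be given as
# hash:<32 hex digits> (NT hash) instead of a cleartext password.
"alice"     MSCHAPV2               "alice-placeholder-pw"   [2]
"bob"       TTLS-PAP,MSCHAPV2      "bob-placeholder-pw"     [2]
```

hostapd does not strip trailing comments from a value line, so comments must stay on their own lines as above.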


I want simple, non-enterprise wifi, but I want the "enterprise" feature of per-user credentials.

Sadly, setting up a RADIUS server is the only way I can see this is possible... way too complicated, I'd sooner just put a static file on the router, but I'm not sure if this is possible.


Some of the small business gear has this feature. I use Ubiquiti access points, and through the Unifi interface I enabled the built-in RADIUS server and added some users to it. Now I have enterprise-style WiFi authentication.


Honestly it's not that complex to set up a freeradius or similar server. You can have freeradius read a static file for user management, you don't need to use LDAP necessarily.


One issue with WPA2 Enterprise is the client user interface. It's hard for users to configure the correct settings because there is no feedback about configuration issues - wrong EAP mode - vs credential errors - wrong user password. All you get is a "Can't connect".

There is also the problem of so many EAP modes. There are some interesting EAP modes that have come along - like EAP-PWD - that remain unimplemented on major platforms, and are basically unusable. So you're left with EAP-TTLS with PEAP and MSCHAPv2 (stores passwords weakly), or EAP-TLS with client certificates. And no one wants to manage client certificates if they can help it.

Both of the above make WPA2 Enterprise on BYO devices quite a challenge.


EAP-PWD seems like a weird thing to want. It's probably incrementally better than WPA2-PSK if you actually have a small number of users who can keep the secret (or in a home network with no guests) and if you use a decent secret, but that's a pretty narrow scenario.

It's not obvious that you're better off security-wise with EAP-PWD than you'd be on WPA3-PSK for example, the UX for PSK is better, and the compatibility story for WPA3 is probably acceptable today, so there's no reason to want EAP-PWD now even if it might have been better than the status quo five years ago.

MSCHAPv2 is garbage but that's Microsoft's fault, and the uncomfortable reality for almost any medium or large organisation will be that there is a bunch of Microsoft stuff and so whatever crap they shovelled into Windows is what you have to put up with.

The more I think about "evil twin" and read/re-read this thread, the more I think maybe the most attractive new-build answer is throw away WPA2 Enterprise in favour of WPA3 with no password†, then do BeyondCorp / ZeroTrust and defend your systems at their edge not by hoping a poorly defended WiFi network or VPN saves you from doom.

†In WPA3, networks with no password are still secured against passive adversaries, so the UX is nicer but it's just as safe as having a WiFi PSK that inevitably is easy to find out. And unlike MSCHAPv2 it doesn't let bad guys harvest all your users' credentials for the price of a DES cracker.
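As an added illustration that is not part of the thread, the client-side counterpart to the evil-twin concern raised above: a wpa_supplicant network block for PEAP/MSCHAPv2 that only completes the inner authentication when the EAP server's certificate chains to the expected CA and carries the expected name. The SSID, identity, password, CA path and server name are assumed placeholders.

```ini
network={
    ssid="example-enterprise"
    key_mgmt=WPA-EAP
    eap=PEAP
    # Outer identity is sent unencrypted, so keep the real username
    # for the inner (tunnelled) exchange only.
    anonymous_identity="anonymous"
    identity="alice"
    password="alice-placeholder-pw"
    # Trust anchor for the EAP server certificate. Without ca_cert the
    # supplicant accepts any server certificate, so a rogue AP with its own
    # EAP server would receive the MSCHAPv2 exchange from this client.
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    # Also pin the server's name, so a certificate issued by the same CA
    # to some other host is still rejected.
    domain_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```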


I agree totally. My phone company gives me access to their hotspots using EAP-SIM/AKA, which is really useful, but there's no way for an AP to advertise the EAP methods they support which sucks. And EAP-PWD is awesome but like you said, rarely implemented. There's also EAP-GTC which I think allows you to do secure password auth as well.

We currently use PEAP with MSCHAPv2 since the user credentials are protected in transport and our domain controllers are pretty secure, but it'd be nice to be more flexible.


Having recently set up FreeRADIUS + WPA2 for the first time, I have to say, it wasn't really that hard at all. It wasn't any harder than setting up a mail server, or web server, or commercial grade router, or any other similar task that anybody's IT department (or contracted IT service) shouldn't be able to handle without a sweat.


> I have to say, it wasn't really that hard at all.

I agree; I think the problem is that it looks hard, with a truckload of config files and settings. It's not obvious that you wouldn't need to touch most of them. That's a UI/UX problem really...


Based on the openwrt freeradius wiki article, it looks like it is fairly simple to configure:

https://openwrt.org/docs/guide-user/network/wifi/freeradius

the config file syntax looks funny, but it doesn't look particularly challenging.



