Notes on Kerberized RADIUS for WPA2
OpenSSL funness
- common name can be anything, but using the hostname of the RADIUS server is an easy choice
- send the CSR off to CAcert for certification, or go through the difficulties of creating your own CA (sial has a usable tutorial on this)
MORE STUFF
- set up Kerberos
- generate host/host.example.com and radius/host.example.com principals for RADIUS server
use the radiusd.conf from http://www.sas.upenn.edu/~omar/wireless/work_freeradius.html or http://user.kollasch.net/jakllsch/radiusd.conf
frob the users file to contain (replacing the getpwent one is ok)
DEFAULT Auth-Type = Kerberos
	Fall-Through = 1
- set up the EAP-TLS stuff in radiusd.conf
- randomosity is 128 bytes from /dev/random
- tell radiusd about the client (in this case the WAP)
- ["Blog/2006-06-23"]
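
Added example, not part of the original notes: the OpenSSL and randomosity steps as shell functions, with a check of the CSR subject before it goes to the CA. The file names radius.key, radius.csr and random, the 2048-bit RSA key and leaving the key unencrypted are assumptions; host.example.com is the placeholder hostname used above.

```shell
#!/bin/sh
# Added example: key, CSR and EAP-TLS random file for the RADIUS server.
# File names and key size are assumptions, not taken from the notes.

# make_radius_csr DIR FQDN
# Private key plus CSR whose common name is the RADIUS server's hostname.
make_radius_csr() {
    dir=$1 fqdn=$2
    (
        umask 077    # key file must not be group/world readable
        mkdir -p "$dir" &&
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/radius.key" -out "$dir/radius.csr" \
            -subj "/CN=$fqdn" 2>/dev/null
    )
}

# csr_has_cn CSR FQDN
# Succeeds only if the CSR subject ends in CN=FQDN. Spaces are stripped
# because OpenSSL versions print "CN = x" or "CN=x".
csr_has_cn() {
    openssl req -in "$1" -noout -subject | tr -d ' ' | grep -q "CN=$2\$"
}

# make_random_file PATH
# The 128 bytes from /dev/random that the EAP-TLS setup reads.
make_random_file() {
    ( umask 077; dd if=/dev/random of="$1" bs=1 count=128 2>/dev/null )
}

# Stand-alone use: sh thisfile.sh /path/to/certs host.example.com
if [ "$#" -eq 2 ]; then
    make_radius_csr "$1" "$2" &&
        csr_has_cn "$1/radius.csr" "$2" &&
        make_random_file "$1/random" &&
        echo "wrote radius.key, radius.csr and random to $1"
fi
```

Point the EAP-TLS settings in radiusd.conf at the key, the certificate that comes back from the CA, and the random file.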