Zeroshell workshop

Wireless LANs (WLANs) have long since firmly established themselves even in private homes – at the expense of communication security. It's true that the WPA2 standard has made an important step forward from its predecessors; but, its pre-shared key (PSK) technology is still plagued with inadequacies in terms of preventing attacks. The IEEE 802.11i WPA2 Enterprise specification does in fact provide more security. Zeroshell [1] will help you get up to speed with relative simplicity.

Technology

Although WPA2-PSK uses only a single key for the whole network, authentication with WPA2 Enterprise uses various other methods together with a RADIUS server. The RADIUS server provides central user accounting, so that, for example, net access (and possibly de-access) for every client can be configured separately. With WPA2 Enterprise, the RADIUS server rather than the net access point does the authentication. If the login is successful, the access point unlocks the client's network access as determined by the RADIUS server.

Authentication via RADIUS server is based on a significantly enhanced infrastructure. You can choose among different authentication methods; the completely encrypted communication and registration with different keys and certificates makes for a high degree of security. With WPA2 Enterprise, the user registers with a username and password, which the RADIUS server encrypts, at the access point. Thus, asymmetric encryption per EAP-TLS specification secures the communication between the client ("supplicant"), access point ("authenticator"), and the RADIUS server.

Every client and the RADIUS server have X.509 certificates and private keys that help the devices communicate. Access points and the RADIUS server wrap up their communication with help from passwords ("shared secrets"). The access point uses neither certificates nor keys but, instead, works transparently. The certificates are usually generated by Zeroshell on the RADIUS server, and you need then to install the root certificate on the client computer.

Keyword PKI

Zeroshell is based on a so-called public key infrastructure (PKI). Public keys, first of all, secure the digital certificates against any possible falsification. The certificate is further protected by a digital signature that is authenticated with the sender's public key. Thus, PKI is based on a cascading authentication sequence that makes it virtually impossible for attackers to decipher the data traffic and access.

The focal point of a trusted PKI is the certification authority (CA) that generates the digital certificates. You can get such root certificates from service providers, but Zeroshell also provides an integrated root CA that generates certificates and keys. Depending on the security specification and service, these include user as well as host certificates. That means you can build a private PKI completely using Zeroshell without having to rely on third-party software or services.