Zeroshell workshop

© Adrian Hughes -

Safe Zone

A wireless LAN is easier to set up than a cable LAN but is significantly less secure. A RADIUS server can change that.

Wireless LANs (WLANs) have long since established themselves, even in private homes, at the expense of communication security. The WPA2 standard is an important step forward from its predecessors, but its pre-shared key (PSK) technology still has inadequacies when it comes to preventing attacks. The IEEE 802.11i WPA2 Enterprise specification provides more security, and Zeroshell [1] will help you get up to speed with relative simplicity.


Whereas WPA2-PSK uses only a single key for the whole network, authentication with WPA2 Enterprise uses various other methods together with a RADIUS server. The RADIUS server provides central user accounting, so that, for example, network access (and possibly its removal) can be configured separately for every client. With WPA2 Enterprise, the RADIUS server rather than the access point does the authentication. If the login is successful, the access point unlocks the client's network access as determined by the RADIUS server.

Authentication via a RADIUS server is based on a significantly enhanced infrastructure. You can choose among different authentication methods; the completely encrypted communication and registration with different keys and certificates make for a high degree of security. With WPA2 Enterprise, the user registers at the access point with a username and password, which the RADIUS server encrypts. Thus, asymmetric encryption per the EAP-TLS specification secures the communication between the client ("supplicant"), the access point ("authenticator"), and the RADIUS server.

Every client and the RADIUS server have X.509 certificates and private keys that help the devices communicate. Access points and the RADIUS server protect their communication with passwords ("shared secrets"). The access point uses neither certificates nor keys but, instead, works transparently. The certificates are usually generated by Zeroshell on the RADIUS server, and you then need to install the root certificate on the client computer.

Keyword PKI

Zeroshell is based on a so-called public key infrastructure (PKI). Public keys, first of all, secure the digital certificates against any possible falsification. The certificate is further protected by a digital signature that is authenticated with the sender's public key. Thus, PKI is based on a cascading authentication sequence that makes it virtually impossible for attackers to decipher the data traffic and access.

The focal point of a trusted PKI is the certification authority (CA) that generates the digital certificates. You can get such root certificates from service providers, but Zeroshell also provides an integrated root CA that generates certificates and keys. Depending on the security specification and service, these include user as well as host certificates. That means you can build a private PKI completely using Zeroshell without having to rely on third-party software or services.
