Zeroshell workshop
RADIUS Server with Zeroshell
Setting up a RADIUS server usually requires a lot of effort under conventional Linux distributions, not the least of which involves editing a mass of configuration files and generating certificates and keys. The Zeroshell web interface, in contrast, provides all operations in a few convenient steps.
To configure the integrated Zeroshell RADIUS server, go to the RADIUS tab in the web browser's settings window. Zeroshell shows you that a certificate and key have already been generated (Figure 1). To import externally available root certificates and keys, use the Imported button at the right of the window and provide an appropriate search path.
Self-generated certificates are typical in smaller installations. First, switch on the RADIUS service by clicking a checkmark on the Status line next to Enabled. Then, click the Trusted CAs button a few lines down on the right, which opens a Trusted Certification Authorities window. In the large Trusted CAs List area, you'll find the ZeroShell (Local CA) entry. Click this entry.
In the upper right of the window, select DER in the drop-down list next to Export and then click Export. Zeroshell opens a file dialog and asks you where you want to put the generated X.509 certificate. Enter a path and save the certificate to it. This certificate will later form the basis of the authentication framework for all clients and thus needs to be stored on each workstation in the WLAN (Figure 2).
After placing the certificate, make the RADIUS server aware of the access point. Because the server doesn't send any requests over the network itself, you need to register every access point in the WLAN. To do this, click the Authorized Clients button at the top middle of the configuration window. Provide a name, IP address, and shared secret for the access point. The shared secret, a freely chosen sequence of characters and digits, is what the RADIUS server and access point use to secure their communication.
After entering the values, click the plus sign at the upper right. Zeroshell then enters the access point in its list of authorized clients. Close the window and click Users in the menu down the left, then click the Add button in the middle. At the right of the window, a comprehensive configuration dialog will open where you enter the relevant data for each individual user. Be sure not to use any special characters; otherwise, Zeroshell will return an error message. For larger networks, be sure to note the relevant entries to enter them correctly for each client. Zeroshell automatically generates an X.509 certificate and public key for each user (Figure 3).
On the Router
You also need to configure the router. There, you need to change the security options for the WLAN from WPA2 Personal to WPA2 Enterprise. As a rule, the router also requires that you enter the shared secret defined on your Zeroshell system. Pay attention to uppercase and lowercase when you type it.
The router then asks about the encryption algorithm used and the IP address of the RADIUS server. Only after the complete and correct configuration of the connection can the communication between the access point and the authentication server proceed successfully. This proceeds transparently to the clients so that they don't come in direct contact with the authentication service.
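The following added example (not part of the original article or of Zeroshell) shows how the shared secret entered under Authorized Clients and on the router authenticates a RADIUS reply, using the Response Authenticator defined in RFC 2865, and why a difference in letter case alone makes the access point reject the server's answer. The secret, packet identifier, and attribute contents are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code for Access-Accept (RFC 2865)


def response_authenticator(code, ident, length, request_auth, attrs, secret):
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, attrs, secret):
    """Server side: build a reply authenticated with the shared secret."""
    length = 20 + len(attrs)  # 20-byte header plus attributes
    auth = response_authenticator(code, ident, length, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, length) + auth + attrs


def verify_response(packet, request_auth, secret):
    """Access point side: accept the reply only if the authenticator matches."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False  # malformed or truncated packet
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, length, request_auth, attrs, secret)
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample values, not taken from a real deployment.
SERVER_SECRET = b"Wlan-Radius-Secret-42"
REQUEST_AUTH = bytes(range(16))              # Request Authenticator sent by the AP
REPLY_MESSAGE = bytes([18, 9]) + b"Welcome"  # attribute type 18, total length 9

reply = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, REPLY_MESSAGE, SERVER_SECRET)

if __name__ == "__main__":
    print("same secret:      ", verify_response(reply, REQUEST_AUTH, SERVER_SECRET))
    print("wrong letter case:", verify_response(reply, REQUEST_AUTH, b"wlan-radius-secret-42"))
```

The secret never travels over the network; only the digest does, so both sides must hold byte-for-byte identical values.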