RADIUS, are my assumptions correct?

I have two routers, one of which can only support DD-WRT as a third-party firmware (Buffalo WZR-1750HDP), the other of which can only support OpenWRT (TP-Link Archer c6 v3.2). After much research and experimentation I have come to believe that my RADIUS server should be on the OpenWRT router because the OpenWRT wiki and forums are much more "open" about supporting FreeRADIUS as a server, while DD-WRT seems a better candidate as a client to that server.
My wireless AP would be DD-WRT because I have read somewhere that it is wise to keep the wireless AP separate from the RADIUS server (that may or may not have been in an OpenWRT wiki or forum post. I think it was just general advice on the web).
My network is a home network and such that in part I merely want to experiment with FreeRADIUS, and the other part is that, if I could make it work, I would feel a lot more secure about my setup, especially about those devices which can only connect via WPA2.

That is the extent of my thinking so far, and I wondered if the assumptions I am making are correct.

I'm all for hacking and experimentation, but:

  1. You're not going to gain much by way of security in a home-type setup by running RADIUS authentication for WPA. You may in fact weaken your security if you choose to go EAP-PEAP and get the PKI component wrong.

  2. You add a significant amount of complexity by adding 802.1X. You end up:

     • managing (and paying for) certificates
     • compatibility crap with modern clients starting to enforce TLS 1.3
     • EAP-PEAP being crippled in modern OSes for security reasons
     • ...and going full-on EAP-TLS in a home setup is a big "nope" for me...

  3. "Experimenting" with FreeRADIUS in a small, embedded environment is - imho - an exercise in frustration due to it being quite an extreme corner case. For experimentation, use a well-supported environment on a general-purpose computing device (even a Raspberry Pi is OK for that) and re-evaluate shoehorning it into a consumer router once you've bedded down what you want.

If you just want to mess around with RADIUS in general, use one of the online services like JumpCloud, which has a free tier for up to 10 users.
