WPA2-PSK authorization with RADIUS server, is it possible?

Hello everyone! Recently I've started to experience some issues with my Wi-Fi security. I've been using the standard WPA2-Personal authorization method in my home network, but apparently it's been compromised. I've started to see random clients that I don't recognize. So I've decided to set up a RADIUS server on a Raspberry Pi that is connected to one of the LAN ports. Since I'm not an expert in networking and Linux in particular, it took quite some time to configure and make it work. But now I'm having another issue: how to connect all the devices that don't support 802.1X authorization, such as TVs, smart thermostat and so on. What would be the best way to implement WPA2-PSK while keeping the RADIUS server on the network? Any suggestion would be appreciated.

Set up an additional PSK AP interface for your IoT devices. Also a good idea to have an IoT network that is completely isolated from your LAN. WPA2-PSK is still considered secure with a good password (not in dictionary attacks).


In addition, generate a good password by computer. I use KeePass2, for example.


@mk24 is spot on -- I consider all my IoT devices to be "hostile" (even to each other) and segregate them into VLANs by manufacturer. I also have always considered wireless to be insecure and keep it segregated from my "sensitive" wired networks. WPA2 is "reasonably" secure, but I also have always considered it the responsibility of the client/server to encrypt any sensitive communication.

That's where I'd spend my effort first. Some may be puzzling, like Kindles that have an unknown vendor ID in the MAC addresses. MAC filtering has never excited me as a security measure. I do, however, try to assign a fixed IP over DHCP to all the devices I know about. That way any IP that I see on the network in, for example, the X.X.X.200-210/24 block are immediately obvious as "my DHCP list doesn't have this one." A restricted number of "free" allocations makes me feel good, but isn't really a security measure.

Also, are you seeing them authenticated, or are they merely "drive-by" cell phones and the like that are validly looking for wireless APs under the 802.11 standards? That kind of activity is usually innocuous and at a reasonably high rate in urban areas.

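The "my DHCP list doesn't have this one" check from the post above can be scripted rather than eyeballed. This is an added example for this thread, not code from any poster: it compares a list of known device MACs against dnsmasq's lease table (`/tmp/dhcp.leases` on OpenWrt, one lease per line as `expiry MAC IP hostname client-id`) and prints every lease whose MAC is unknown. Both input files below are constructed for the demonstration.

```shell
# Audit DHCP leases against a list of known devices (added example, constructed data).
# dnsmasq lease format, one per line:
#   <expiry epoch> <MAC> <IP> <hostname> <client-id>

# Constructed list of devices the owner has given static leases to.
KNOWN_FILE=$(mktemp)
cat >"$KNOWN_FILE" <<'EOF'
# mac                hostname   note
aa:bb:cc:00:00:01    laptop     owner
aa:bb:cc:00:00:02    phone      owner
aa:bb:cc:00:00:03    tv         iot
EOF

# Constructed lease table in dnsmasq format (two leases are not in the list).
LEASES_FILE=$(mktemp)
cat >"$LEASES_FILE" <<'EOF'
1700000000 aa:bb:cc:00:00:01 192.168.1.10 laptop 01:aa:bb:cc:00:00:01
1700000100 aa:bb:cc:00:00:03 192.168.1.30 tv *
1700000200 de:ad:be:ef:00:01 192.168.1.203 android-3f2a *
1700000300 de:ad:be:ef:00:02 192.168.1.207 * *
EOF

# Print "MAC IP hostname" for every lease whose MAC is not in the known file.
# awk reads the known file first (NR == FNR), skipping comments and blank
# lines, then filters the lease table; MACs are compared case-insensitively.
unknown_leases() {
    known="$1"; leases="$2"
    awk '
        NR == FNR { if ($0 !~ /^#/ && NF) known[tolower($1)] = 1; next }
        !(tolower($2) in known) { printf "%s %s %s\n", $2, $3, $4 }
    ' "$known" "$leases"
}

# On a real router: unknown_leases /etc/known-macs /tmp/dhcp.leases
unknown_leases "$KNOWN_FILE" "$LEASES_FILE"
```

Run it from cron and mail or log the output; an unknown MAC with a lease is evidence of an authenticated client, which is the distinction the post asks about (a drive-by probe never obtains a lease).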

Thanks for your advice, Mike. I actually have no idea how to create a virtual network interface on my router. I'm using default settings and am a bit afraid to touch a working system. I guess I'll spend my weekend reading and learning new things ))

Thanks for the tip, Daniel. The program looks good. I've never heard of it before.

Thanks for your reply, Jeff.

Well, I see IPs assigned to those clients and DHCP lease times, so I guess they've been authenticated. And they look pretty much like the same devices every time they appear. So they are not just "drive-by" devices, unless I'm missing something.

Once you enforce Enterprise with RADIUS you should no longer have these unauthorized devices. Making a second wireless SSID for IoT devices is pretty trivial. Go to your wireless page in LuCI and click add to add a wireless network, and give it a name. After that, the very first thing to do is get KeePass2, generate a new password and set this as your password. Make sure you use WPA2 CCMP (AES); don't use TKIP or WPA. At that point set up your authorized devices; you absolutely shouldn't have anything unauthorized at that point.

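The LuCI steps in the post above, done from the router's shell with `uci`, and extended with what the earlier replies recommend: the IoT SSID gets its own interface, DHCP range and firewall zone so those devices can reach the internet but not the LAN or each other. This is an added example for this thread, not configuration from any poster or from the OpenWrt project; the radio name `radio0`, the SSID `HomeIoT`, the subnet `192.168.3.0/24` and the section name `iot` are assumptions to adapt.

```shell
# Isolated WPA2-PSK (CCMP only) SSID for devices that cannot do 802.1X,
# configured through OpenWrt's uci CLI. Added example; names are assumptions.

# Generate a 63-character random PSK (the longest WPA2 passphrase) from
# /dev/urandom, limited to letters and digits so it is easy to type on a TV.
gen_psk() {
    tr -dc 'A-Za-z0-9' </dev/urandom | head -c 63
    echo
}

add_iot_ssid() {
    psk="$1"

    # A separate routed interface for the IoT devices (assumed subnet).
    uci set network.iot=interface
    uci set network.iot.proto='static'
    uci set network.iot.ipaddr='192.168.3.1'
    uci set network.iot.netmask='255.255.255.0'

    # DHCP served on that interface only.
    uci set dhcp.iot=dhcp
    uci set dhcp.iot.interface='iot'
    uci set dhcp.iot.start='100'
    uci set dhcp.iot.limit='100'
    uci set dhcp.iot.leasetime='12h'

    # The SSID itself: WPA2-PSK with CCMP (no TKIP), clients isolated from each other.
    uci set wireless.iot=wifi-iface
    uci set wireless.iot.device='radio0'
    uci set wireless.iot.mode='ap'
    uci set wireless.iot.network='iot'
    uci set wireless.iot.ssid='HomeIoT'
    uci set wireless.iot.encryption='psk2+ccmp'
    uci set wireless.iot.key="$psk"
    uci set wireless.iot.isolate='1'

    # Firewall zone: no access to the router or other zones by default,
    # only forwarding to wan is allowed.
    uci add firewall zone
    uci set firewall.@zone[-1].name='iot'
    uci add_list firewall.@zone[-1].network='iot'
    uci set firewall.@zone[-1].input='REJECT'
    uci set firewall.@zone[-1].output='ACCEPT'
    uci set firewall.@zone[-1].forward='REJECT'

    uci add firewall forwarding
    uci set firewall.@forwarding[-1].src='iot'
    uci set firewall.@forwarding[-1].dest='wan'

    # The zone rejects input, so explicitly allow DHCP and DNS to the router.
    for proto_port in 'udp 67' 'udp 53' 'tcp 53'; do
        set -- $proto_port
        uci add firewall rule
        uci set firewall.@rule[-1].name="Allow-IoT-$1-$2"
        uci set firewall.@rule[-1].src='iot'
        uci set firewall.@rule[-1].proto="$1"
        uci set firewall.@rule[-1].dest_port="$2"
        uci set firewall.@rule[-1].target='ACCEPT'
    done
}

# Only touch the configuration when actually running on an OpenWrt box.
if command -v uci >/dev/null 2>&1; then
    PSK=$(gen_psk)
    echo "IoT PSK: $PSK"   # store it in your password manager
    add_iot_ssid "$PSK"
    uci commit network; uci commit dhcp; uci commit wireless; uci commit firewall
    /etc/init.d/network reload
    /etc/init.d/dnsmasq reload
    /etc/init.d/firewall reload
    wifi reload
fi
```

Everything above is what LuCI writes for you when you click through its pages; the point of the script form is that the whole isolation setup (interface, DHCP, zone, forwarding) is visible in one place and can be re-applied after a reset.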

Thanks, Daniel. I actually tried to create a new WLAN right after I posted my last comment and it was surprisingly easy to do. I'm still learning all this stuff, so sometimes simple things look complicated to me.

Old Thread, but in times of millions of IoT devices this is still quite interesting.
So to answer the
Yes, it seems possible.
Cisco implemented it some time ago as a new feature in their WLAN products:
[Identity PSK Feature Deployment Guide](https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-5/b_Identity_PSK_Feature_Deployment_Guide.html)
Would be great to have it in OpenWrt as well.
There are still lots of old or simple devices out there only supporting WiFi with PSK
but not enterprise authentication with EAP/.X protocols.

If your WPA2-PSK has been compromised, maybe you have just fallen victim to the KRACK vulnerability. There is a mitigation in the wireless security section, but if someone has brute-forced your password then just change it. Use the recommendation of static IPs for internal devices through the DHCP server; MAC address filtering is bogus, as someone who could use KRACK or brute-force the password surely knows your clients' MAC addresses.

It takes exponentially longer to crack a captured handshake of a longer password through a brute-force dictionary attack, so think bigger than the minimum 8 characters for WPA2.

Also they must live by, so if it were me I would take a homing device and find where the activity is coming from, and call the police or knock on their door, and scare the shit out of them.