
DD-WRT with WPA2-Enterprise Authentication

22. MAY 2014 EGON.RATH@GMAIL.COM

WPA2 currently supports two different authentication approaches: WPA2-PSK and WPA2-Enterprise. Normally, home users will use WPA2-PSK because it is simple to set up and almost no
device suitable for home use supports WPA2-Enterprise.

With DD-WRT things have changed: WPA2-Enterprise is now within reach for everyone. In this small
tutorial I will outline the steps necessary to set it up.

Please note that it does not automatically increase the level of security in your network. If you use a
long enough WPA2 Pre-Shared Key and if you can make sure that nobody has access to this key,
they are equal in terms of security. WPA2-Enterprise has its advantages in other areas, like the
ability to revoke network access for single clients. It also increases the complexity of the system setup,
as you will soon see.


Step 1: Enable JFFS2


You need to enable JFFS2 to make your filesystem writable (without it, everything is stored in
NVRAM).

Step 2: Enable FreeRadius and generate a Root-Certificate

The passphrase entered in this step protects the private key of the certificate.


Step 3: Configure the RADIUS Authenticator

Under Clients enter the IP Address of your Access Point. If you have only one AP, this is probably
the IP Address of the device you are currently working on. The Shared Key entered here is used to
encrypt the communication between the Authenticator and the RADIUS Server.

Step 4: Add Users

Insert the credentials of your users here; these are used to authenticate to RADIUS. You can also
generate a certificate if you don't want your users to have to enter a username/password manually
and would rather use certificate-based authentication.

Step 5: Enable WPA2-Enterprise

The Shared secret entered here is the one entered in Step 3.

Step 6: Connect to the Network

The first time you connect to the Wireless Network you will be presented with a warning because the
Certificate is not trusted. To prevent this from happening, install the Root Certificate, which is stored
in /jffs/etc/freeradius/certs/server.crt on the DD-WRT box. Enable SSH and use SCP to download
it.
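
The download in Step 6 as a shell sketch, with a check that the file is a certificate only and a look at what you are about to trust. This is an added example, not part of the original tutorial; the router address 192.168.1.1, the root login, the local file name and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# ROUTER is an assumed address; REMOTE_CERT is the path given in Step 6.
ROUTER="${ROUTER:-192.168.1.1}"
REMOTE_CERT=/jffs/etc/freeradius/certs/server.crt

# Copy the certificate off the router over SSH (assumed login: root).
# With OpenSSH 9 or newer, add -O if the router's SSH server offers no
# SFTP subsystem, so scp falls back to the legacy SCP protocol.
fetch_cert() {
    scp "root@$ROUTER:$REMOTE_CERT" "$1"
}

# Succeed only if the file holds exactly one PEM certificate and no
# private key, so key material is never imported or handed to clients.
is_cert_only() {
    [ -r "$1" ] || return 1
    if grep -q -e 'PRIVATE KEY-----' "$1"; then
        return 1
    fi
    [ "$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$1")" -eq 1 ] &&
    [ "$(grep -c -e '^-----END CERTIFICATE-----' "$1")" -eq 1 ]
}

# Print subject, issuer, validity period and SHA-256 fingerprint so the
# values can be compared with what the client shows before it is trusted.
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Usage (run by hand; dd-wrt-radius-ca.crt is an assumed local name):
#   fetch_cert dd-wrt-radius-ca.crt &&
#   is_cert_only dd-wrt-radius-ca.crt &&
#   show_cert dd-wrt-radius-ca.crt
```

Import the file into the client's trust store only after `is_cert_only` succeeds and the fingerprint printed by `show_cert` matches the one the client displays in its warning dialog.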
