Creating a WPA2 Enterprise Access Point Using Linux

Most consumer Wi-Fi routers are configured to use WPA2 Personal, which has some shortcomings in terms of security.

WPA2 Enterprise addresses these shortcomings by giving each client its own username and password, and by supporting certificate-based authentication so that clients can verify the authenticity of the access point.

This guide shows how to set up a Fedora 29 Linux system with an AWUS036NH wireless antenna to act as a secure wireless access point. Hostapd and FreeRADIUS will be used to achieve this.

Check the wireless card is detected by the OS

Check the device is recognised using lsusb:

Check the adapter's MAC address (we will need this later):

Configure NetworkManager to ignore the device, based on the MAC address:

Restart NetworkManager for the change to take effect:

Setting up Hostapd

Install the necessary packages:

Start by creating certificates required for authentication:

Copy the certificates to the hostapd directory to avoid triggering SELinux denials:

Modify the hostapd configuration file, including the below parameters:

Configure Users

Install DNSMasq

DNSMasq provides DHCP services for the access point.

Enable IP Forwarding

Enabling IP forwarding allows traffic from the Wi-Fi adapter to be forwarded through the system's default gateway:

Make the change permanent by changing /etc/sysctl.conf:

Ensure network address translation is applied to traffic leaving the external interface (in this case enp2s0):

Save the rules to run on reboot:

Set services to start on boot

That’s it! You should now be able to connect to the wireless access point. You will be prompted to verify the server certificate the first time you connect, and then for the username and password previously configured.
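
The script below is an added example, not part of the original guide: it audits a hostapd configuration file for the settings a WPA2 Enterprise access point depends on (802.1X on, WPA2 only, EAP key management, no TKIP, and an EAP backend). The option names are standard hostapd.conf keys; the function names, the choice of checks and the sample config are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a hostapd.conf for WPA2 Enterprise settings.

# Print the last value assigned to key $2 in file $1 (key=value lines).
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print one FAIL line per finding; return 0 if none, 1 otherwise.
audit_hostapd_conf() {
    f=$1; bad=0
    fail() { echo "FAIL: $*"; bad=1; }

    [ "$(conf_get "$f" ieee8021x)" = "1" ] || fail "ieee8021x=1 not set (802.1X off)"
    [ "$(conf_get "$f" wpa)" = "2" ] || fail "wpa is not 2 (RSN/WPA2 only)"

    mgmt=$(conf_get "$f" wpa_key_mgmt)
    case " $mgmt " in *" WPA-EAP "*|*" WPA-EAP-SHA256 "*) ;; *) fail "wpa_key_mgmt lacks WPA-EAP" ;; esac
    case " $mgmt " in *PSK*) fail "wpa_key_mgmt still allows a pre-shared key" ;; esac

    # Policy of this script: the pairwise cipher must be set explicitly.
    pw=$(conf_get "$f" rsn_pairwise)
    [ -n "$pw" ] || pw=$(conf_get "$f" wpa_pairwise)
    case " $pw " in *TKIP*) fail "TKIP enabled as pairwise cipher" ;; esac
    case " $pw " in *CCMP*|*GCMP*) ;; *) fail "no CCMP/GCMP pairwise cipher set" ;; esac

    if [ "$(conf_get "$f" eap_server)" = "1" ]; then
        # hostapd's integrated EAP server needs its own certificate and user file.
        for k in server_cert private_key eap_user_file; do
            [ -n "$(conf_get "$f" "$k")" ] || fail "eap_server=1 but $k missing"
        done
    else
        # Otherwise authentication is delegated to an external RADIUS server.
        for k in auth_server_addr auth_server_shared_secret; do
            [ -n "$(conf_get "$f" "$k")" ] || fail "external RADIUS: $k missing"
        done
    fi
    return $bad
}

# Constructed sample (not from the guide): a WPA2 Personal style config.
sample=$(mktemp)
printf '%s\n' 'interface=wlan0' 'wpa=2' 'wpa_key_mgmt=WPA-PSK' 'wpa_pairwise=TKIP CCMP' > "$sample"
audit_hostapd_conf "$sample" || echo "sample config is not WPA2 Enterprise"
rm -f "$sample"
```

To check a real configuration, call `audit_hostapd_conf` with the path to your hostapd configuration file; a zero exit status means none of these checks failed.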