For more documentation downloads and support head to http://ciitix.ciit.net.pk and remember to check out the forums. This document serves as quick guide on how to set up a wireless network using WPA / WPA2 with radius authentication. This document will only cover the basics and is not exhaustive of all possibilities and features but with this information and basic networking skills you should be able to get running very soon. No knowledge if Linux is assumed in this guide and for the most part its spelled out with screen shots.
I’d like to thank the team who created this easy way of implementing radius authentication for WiFi and believe it’s the only package around which is aimed at a turn key solution meaning no compiling, setting up databases and the like. After all everyone has enough to worry about keeping there IT infrastructure working. I decided to do this guide for the users wanting to try out and implement radius authentication for WiFi security. This project is still very new, and at time of writing the latest version is v1.1.
1) You have downloaded the ISO file and have that ready to install; see http://ciitix.ciit.net.pk for downloads.
2) You have an access point / wireless router which is capable of WPA / WPA2 enterprise setup.
3) Basic networking skills and computing skills, and hardware ready to install CIITIX-WiFi
The PC which you will be installing CIITIX-WiFi on does not need to be a super spec machine, but if is being deployed as a mission critical assset you will be better off using new hardware or a virtual machine.
The installation hardware which was used for this tutorial was VMWare ESXi server, 1 vCPU, 1 vHDD (4gb), 768 Ram.
And just for trivia while sitting idle it is using 10Mhz and 7mb ram. Anything Pentium 3 based and up will suffice.
Let’s get started
Burn your ISO onto CD and place that into your drive, and boot from the CD drive. Make sure you have no important data on the hard disk because the installation will destroy all existing data on the drive you install to.
1) After your system is booted you will see the following screen, at this point you choose ‘Start GUI Install’ and hit enter.
2) On the next screen you will choose your language.
4) Configure the host name for the system, if unsure leave it as debian:
5) Configure the system clock / choose your time zone:
6) Partition your installation disk, choose Guided – use entire disk:
7) Choose your hard disk:
8) Select All files in one partition:
9) Choose Finish partitioning and write changes to disk:
10) Choose Yes – this will destroy any data on the disk!
11) Relax while everything installs…
12) The installer will now ask for usernames and passwords you will use later on to administer the system. Fill these out, not all screens are here as it’s very simple.
Remember the root password!
13) Select Yes to install the GRUB boot loader to the drive:
14) The installation is now complete.
At this point your new radius authentication server is installed and will now restart and boot. After the reboot is complete will find out the machine’s IP address so we can administer it.
15) After it has rebooted, log into the machine with username root and password you created before.
16) Now click on JWM > Terminal you will see a black box appear, in that type
Then hit enter. It will display the status of all network cards on the system. Mine is called eth0 with an IP address of 192.168.0.15 as in the picture. Your IP will be different. Look for inet addr:
Administration of the system is done through a web page. Some users will want to enable this page to be viewed over the local network. By default it is not done, meaning you need physical access to the machine it is running on to add users etc. If you Don’t want to enable remote viewing of the web interface skip this section.
All we need to do is edit one text file and change one parameter. If you know how to edit this file change line 290 to read:
Allow from all
The file is located in /etc/apache2/apache2.conf. We need to obtain a program called WinSCP and install it on a Windows based PC. This program is like a remote file explorer for a Linux based system. Download and install it from http://winscp.net/eng/download.php. After you have this program installed run it and follow these steps:
A) Click NEW.
B) Fill out the details:
host name = ip address of the machine
user name = root
password = the password you created before
C) Click Save.
D) Now click Login.
E) Double click on the two dots ( ..) at the top of the directory listing:
F) Now double click on the following in this order:
G) It will now open up the apache2.conf file for editing. Go right to the bottom of the file to line 290 and make it read:
Allow from all
Click the disk icon on the top left to save it and now close that window.
H) Now in WinSCP go to Commands > open terminal (or Crtl+T does the same thing) and copy and paste the following command, then hit execute:
This will restart the web server and re read the file we just edited and all access to the web interface from the local network.
I) Using your web browser point it to the IP address if your machine. Replace 192.168.0.15 with your IP address.
You will be greeted with the login page. The username is administrator and password is radius. If you have enabled the web administration on the local network you will want to change this password. If you enter something incorrect you will get this error:
The following will set up a single user and NAS device.
17) Go to management > user > new user and enter a username and password of your choice. Make sure to select Cleartext-Password as the type. After you’re done, click Apply.
18) Go to Management > NAS > new NAS.
A) Enter the IP address of your access point or router, in this case it’s 192.168.0.1
B) Create a password in NAS Secret.
C) NAS Type = other (unless your using a Cisco AP choose other).
D) Create a short NAS name, in this case I chose dlinkap:
Now we’re done here, we need to log into the access point / router and make it use the new authentication server.
The following screenshots used here are from a D-Link DAP-1150 access point. Practically all access points are the same, you will need to find where yours keeps these settings. What we need to do is make it use WPA or WPA2 enterprise and specify the radius server, that’s it. The radius server IP is the IP address of the CIITIX-WiFi server and the port is always 1812 and the shared secret is the password you created when we were adding a NAS device.
The only thing left is to get a copy of the certificates that our workstation will use to log on. Using WinSCP navigate to
You will see two file in there. Copy these to your desktop, you can drag and drop these from WinSCP. It makes good sense to copy these to a USB flash drive for ease of installation on other PC’s. Check out previous steps on where to get and how to use WinSCP.
With Windows 7 you can double click on one of these certificates and an installation wizard will appear to guide you.
Make sure you specify to install them in trusted root certificates the same goes for windows XP, Vista. Now upon trying to connect to the wireless network you will be prompted for a password. Enter the username and password you created in the ‘users’ section in the web management and that’s it. The password for the certificate when installing is ciitixwifi your done!
A quick guide is:
1) On the workstation double click on the ca certificate > click open > click install certificate > click next > choose place all in following store > click browse > click trusted root certification > click ok > click next > finish:
2) Double click on server certificate > click next > click next > enter password ciitixwifi > click next > place all in following store > browse > trusted root ca > ok > next > finish.
That’s it. When you try to connect to the WiFi network it will use the certificate automatically and ask for a user name and password as pictured below.
Windows might complain upon the first time using the certificate. This is normal and it won’t ask you gain after the first time. Its because its a self signed certificate from your CIITIX-WiFi server. Iphone and Ipad devices will automatically obtain the certificates from the server. You do not need to install these manually. Linux users will need to Install the certificates, there are many flavours of Linux, but some distros such as Linux Mint which is Ubuntu based can install the certificates by double clicking on them. Again a wizard appears to guide you.
Other devices which are run an embedded OS such as the Nintendo Wii for example may not be compatible with Enterprise Authentication.