2025-12-28

Secure Enterprise WiFi Authentication

Author: 关文津

Secure Enterprise WiFi Authentication: FreeRADIUS 3 with EAP-TTLS/PAP and EAP-TLS in Practice

Network Architecture Overview

Why This Authentication Stack

The Technology Stack Explained

  1. FreeRADIUS 3 is the authentication server at the core of the design. It terminates the EAP exchange and can serve several EAP methods from one configuration, which suits an enterprise fleet with mixed device types.
  2. EAP-TTLS/PAP strikes a balance between security and compatibility: the outer TLS tunnel, authenticated by the server certificate, carries an inner PAP exchange, so the password is sent in cleartext only inside the tunnel. This is what lets a conventional username/password login run safely on modern clients. The method is only as strong as the client's check of the server certificate (trusted CA and expected server name): a client configured to skip that check will hand its password to any rogue AP whose RADIUS server presents a certificate.
  3. EAP-TLS is the current benchmark for WiFi authentication: it replaces the password with an X.509 client certificate and authenticates both sides by certificate. As Microsoft's network access documentation notes, this mutual certificate authentication provides the highest level of security. The cost is operational: every device needs a certificate issued, distributed, renewed and, when lost, revoked.
  4. OpenLDAP with SSHA passwords keeps the credential store free of cleartext. {SSHA} is a salted SHA-1 hash: the salt defeats precomputed tables and the one-way hash means a leaked directory does not yield passwords directly. SHA-1 is a fast hash, though, so a stolen directory can still be attacked offline by brute force; OpenLDAP supports slower schemes (the contrib pw-pbkdf2 and pw-argon2 modules) where that risk matters.
  5. A step-ca private CA lets us manage the whole certificate lifecycle (issuance, renewal, revocation) ourselves, without the constraints that come with a third-party CA.

Cross-Platform Compatibility

A notable strength of this design is native support on every common device type:

  1. Android and iOS: both EAP-TTLS and EAP-TLS are supported natively; on iOS the EAP-TLS client certificate has to be installed through a configuration profile (or MDM)
  2. Windows: the built-in 802.1X supplicant handles both methods
  3. Chromebook: ChromeOS runs on the Linux kernel and its supplicant handles both methods, so the flow is the same as on the other platforms

The password storage format deserves a specific comment. Clients never see the {SSHA} value; what makes it work everywhere is the choice of PAP as the inner method. PAP delivers the cleartext password to FreeRADIUS inside the TLS tunnel, so the server can verify it against any one-way hash in LDAP (by binding as the user, or by letting rlm_pap check the {SSHA} value directly). Had we chosen MSCHAPv2 as the inner method, as PEAP normally does, the server would need NT hashes or cleartext passwords in the directory, which {SSHA} cannot provide. TTLS/PAP therefore removes a whole class of adaptation work.
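The following is an added example, not code from the original article, showing the arithmetic behind an OpenLDAP {SSHA} value and the verification step the inner-tunnel server performs on a PAP password. The user names, passwords and salts are constructed for the demo; the hashing matches what slapd stores, and `pap_authenticate` is a stand-in for the FreeRADIUS rlm_ldap/rlm_pap step, not its code.

```python
# Added example, not code from the original article: the arithmetic behind an
# OpenLDAP {SSHA} userPassword value, and why PAP inside the TTLS tunnel is
# what lets the RADIUS server verify against it.
#   {SSHA} = "{SSHA}" + base64( SHA1(password || salt) || salt )
# Verification needs the cleartext password, which PAP delivers inside the TLS
# tunnel. An MSCHAPv2 inner method never sends the password, only a
# challenge-response derived from its NT hash, so it cannot be checked
# against a directory that stores only {SSHA}.
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # bytes; everything after the digest in the decoded value is salt


def ssha_hash(password, salt=None):
    """Produce an {SSHA} value the way slapd's password hashing does."""
    if salt is None:
        salt = os.urandom(8)  # slapd uses a short random salt per password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a cleartext password (as received via PAP) against an {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("{SSHA} value too short to contain a salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# Constructed sample directory (hypothetical users, not real data):
# uid -> userPassword exactly as slapd would store it. Fixed salts keep the
# values reproducible for the demo; slapd picks random ones.
SAMPLE_DIRECTORY = {
    "alice": ssha_hash("Tr0ub4dor&3", salt=bytes(range(1, 9))),
    "bob": ssha_hash("correct horse battery staple", salt=b"\xaa\xbb\xcc\xdd\xee\xff\x00\x11"),
}

# Dummy value verified for unknown users so that a failed lookup costs the same
# as a failed password (no username enumeration via timing).
_DUMMY = ssha_hash("", salt=b"\x00" * 8)


def pap_authenticate(username, password, directory=SAMPLE_DIRECTORY):
    """What the inner-tunnel virtual server does with a PAP User-Password.

    FreeRADIUS gets the same answer either by binding to LDAP as the user or,
    where rlm_ldap may read userPassword, by letting rlm_pap verify the
    {SSHA} value as done here.
    """
    stored = directory.get(username)
    if stored is None:
        ssha_verify(password, _DUMMY)
        return False
    return ssha_verify(password, stored)


if __name__ == "__main__":
    print(SAMPLE_DIRECTORY["alice"])
    print("alice / right password:", pap_authenticate("alice", "Tr0ub4dor&3"))
    print("alice / wrong password:", pap_authenticate("alice", "Tr0ub4dor&4"))
```

The constant-time comparison and the dummy verification for unknown users are the two details worth copying into any hand-written verifier; rlm_pap already does the former.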

Security Analysis: What the Traffic Capture Shows

We captured the RADIUS exchange between the access point and FreeRADIUS with tcpdump and checked the following properties against it:

  1. Layered protection: at the RADIUS layer the shared secret provides only packet authentication (the Message-Authenticator attribute, an HMAC-MD5 keyed with the secret, plus the Response Authenticator) and obfuscation of the key material in the Access-Accept (the Microsoft vendor attributes 17 and 16 below are MS-MPPE-Recv-Key and MS-MPPE-Send-Key, which carry the WiFi session key to the AP). The authentication itself is protected one layer up, by the TLS session inside EAP. Because the session key is hidden by nothing stronger than an MD5-derived keystream and the secret, the secret must be long and random, and RADIUS should run over a trusted management network or RadSec (RADIUS over TLS, RFC 6614) if it crosses anything else. The Message-Authenticator in the request also matters for the 2024 BlastRADIUS attack (CVE-2024-3596), which forges responses to Access-Requests that lack it; EAP exchanges always carry it, as this capture shows.
  2. Sensitive data stays inside TLS: the password (TTLS/PAP) travels in the EAP-Message attribute inside the TLS tunnel. For EAP-TLS with TLS 1.2 the client certificate itself is sent before the handshake is encrypted, so its subject name is visible to a passive observer; TLS 1.3 (RFC 9190) encrypts it.
  3. Visible metadata: the outer identity (here the anonymous identity `anonymous`), the client and AP MAC addresses (Calling-Station-Id and Called-Station-Id) and the SSID are sent in the clear. Clients must be configured with an anonymous outer identity, as in this capture; otherwise the real username is exposed on the air and on the wire.
  4. No password exposure on the wire: capturing the RADIUS packets does not yield the password, since it never leaves the TLS tunnel. The password is in cleartext inside FreeRADIUS once the tunnel is terminated, so the server host is part of the trust boundary, and an evil-twin AP still succeeds against any client that does not validate the server certificate.

The capture, an Access-Request from the AP followed by the Access-Accept from the server:
    23:15:58.573406 IP (tos 0x0, ttl 254, id 3068, offset 0, flags [none], proto UDP (17), length 317)
        192.168.14.2.1645 > 192.168.10.254.1812: RADIUS, length: 289
            Access-Request (1), id: 0x44, Authenticator: 125297c9c76bcbe2dfdea597d7efbf88
              User-Name Attribute (1), length: 11, Value: anonymous
              Framed-MTU Attribute (12), length: 6, Value: 1400
              Called-Station-Id Attribute (30), length: 31, Value: 108c.cf38.7be1:intl.pionc.com
              Calling-Station-Id Attribute (31), length: 16, Value: 7429.af58.4ff9
              Vendor-Specific Attribute (26), length: 27, Value: Vendor: Cisco (9)
                Vendor Attribute: 1, Length: 19, Value: ssid=intl.pionc.com
              Vendor-Specific Attribute (26), length: 14, Value: Vendor: Wi-Fi Alliance (14122)
                Vendor Attribute: 2, Length: 6, Value: Yangji
              Service-Type Attribute (6), length: 6, Value: Login
              Vendor-Specific Attribute (26), length: 26, Value: Vendor: Cisco (9)
                Vendor Attribute: 1, Length: 18, Value: service-type=Login
              Message-Authenticator Attribute (80), length: 18, Value: .l3N...5.ok.Is..
              EAP-Message Attribute (79), length: 73, Value: ..
              NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
              NAS-Port Attribute (5), length: 6, Value: 552
              NAS-Port-Id Attribute (87), length: 5, Value: 552
              State Attribute (24), length: 18, Value: .q...v.B..S.....
              NAS-IP-Address Attribute (4), length: 6, Value: 192.168.14.2
    23:16:01.648522 IP (tos 0x0, ttl 64, id 25001, offset 0, flags [none], proto UDP (17), length 199)
        192.168.10.254.1812 > 192.168.14.2.1645: RADIUS, length: 171
            Access-Accept (2), id: 0x44, Authenticator: 21adcd9048da7c2a72f48b3ddea93aa2
              Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
                Vendor Attribute: 17, Length: 50, Value: ..i....&....c.....8v...xk.R.........J.......k.Y...
              Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
                Vendor Attribute: 16, Length: 50, Value: .g0.E..(.........B.......:..t.n[...}o...@.7......K
              EAP-Message Attribute (79), length: 6, Value: ..
              Message-Authenticator Attribute (80), length: 18, Value: ..z5..i...3.(!j.
              User-Name Attribute (1), length: 11, Value: anonymous
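To make point 1 concrete, here is an added example (not from the original article) that rebuilds an Access-Accept with the same attribute layout as the capture above, verifies both authenticators with the shared secret, and unwraps the MS-MPPE keys. The shared secret, Request Authenticator, identifier and key bytes are constructed, and the function names are mine. It goes one step beyond the text by showing that a captured packet plus a guessable secret gives an attacker the session key.

```python
# Added example (not code from the original article): what the RADIUS shared
# secret protects in the Access-Accept shown above. Integrity comes from the
# Message-Authenticator (attr 80: HMAC-MD5 keyed with the secret, RFC 3579) and
# the Response Authenticator (MD5 of header|RequestAuth|attrs|secret, RFC 2865).
# The Microsoft VSAs 16/17 (MS-MPPE-Send-Key/Recv-Key) carry the WiFi session
# key to the AP hidden only by an MD5(secret|...) keystream (RFC 2548), so the
# secret, or a correct guess at it, yields the session key. All values used
# here (secret, Request Authenticator, keys) are constructed, not captured.
import hashlib
import hmac
import struct

ACCESS_ACCEPT, USER_NAME, VSA, EAP_MESSAGE, MSG_AUTH = 2, 1, 26, 79, 80
MS_VENDOR, MPPE_SEND_KEY, MPPE_RECV_KEY = 311, 16, 17
EAP_SUCCESS = b"\x03\x01\x00\x04"  # EAP code 3 (Success), id 1, length 4


def _mppe_xor(secret, req_auth, salt, data, encrypt):
    """RFC 2548 keystream: b(1)=MD5(S|R|A), b(i)=MD5(S|c(i-1)); out = data XOR b."""
    out, prev = b"", req_auth + salt
    for i in range(0, len(data), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = data[i:i + 16]
        xored = bytes(x ^ y for x, y in zip(chunk, block))
        prev = xored if encrypt else chunk  # always chain on the ciphertext block
        out += xored
    return out


def mppe_encrypt(secret, req_auth, key, salt):
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = bytes([len(key)]) + key  # length byte, key, zero padding to 16n
    plain += b"\x00" * (-len(plain) % 16)
    return salt + _mppe_xor(secret, req_auth, salt, plain, encrypt=True)


def mppe_decrypt(secret, req_auth, blob):
    salt, cipher = blob[:2], blob[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or len(cipher) % 16:
        raise ValueError("malformed MS-MPPE key attribute")
    plain = _mppe_xor(secret, req_auth, salt, cipher, encrypt=False)
    if plain[0] > len(plain) - 1:
        raise ValueError("key length exceeds attribute")
    return plain[1:1 + plain[0]]


def attr(kind, value):
    return bytes([kind, len(value) + 2]) + value


def vsa(vendor, vtype, value):
    return attr(VSA, struct.pack(">I", vendor) + bytes([vtype, len(value) + 2]) + value)


def parse_attrs(data):
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def build_accept(secret, req_auth, ident, send_key, recv_key, user_name=b"anonymous"):
    """Server side: an Access-Accept in the attribute order of the capture."""
    body = (vsa(MS_VENDOR, MPPE_RECV_KEY, mppe_encrypt(secret, req_auth, recv_key, b"\x80\x01"))
            + vsa(MS_VENDOR, MPPE_SEND_KEY, mppe_encrypt(secret, req_auth, send_key, b"\x80\x02")))
    tail = attr(EAP_MESSAGE, EAP_SUCCESS) + attr(USER_NAME, user_name)
    header = struct.pack(">BBH", ACCESS_ACCEPT, ident, 20 + len(body) + 18 + len(tail))
    # RFC 3579: HMAC-MD5 over the response with the *request* authenticator in
    # the authenticator field and the Message-Authenticator value zeroed.
    zeroed = header + req_auth + body + attr(MSG_AUTH, b"\x00" * 16) + tail
    attrs = body + attr(MSG_AUTH, hmac.new(secret, zeroed, hashlib.md5).digest()) + tail
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_accept(secret, req_auth, packet):
    """AP side: check both authenticators, then unwrap the MPPE keys.
    Returns {16: send_key, 17: recv_key}, or None if the packet does not verify."""
    if len(packet) < 20 or struct.unpack(">H", packet[2:4])[0] != len(packet):
        return None
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(hashlib.md5(header + req_auth + attrs + secret).digest(), resp_auth):
        return None
    parsed = parse_attrs(attrs)
    zeroed = b"".join(attr(k, b"\x00" * 16 if k == MSG_AUTH else v) for k, v in parsed)
    given = [v for k, v in parsed if k == MSG_AUTH]
    expect = hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()
    if len(given) != 1 or not hmac.compare_digest(expect, given[0]):
        return None
    keys = {}
    for kind, value in parsed:
        if kind == VSA and len(value) > 6 and struct.unpack(">I", value[:4])[0] == MS_VENDOR:
            vtype, vlen = value[4], value[5]
            if vtype in (MPPE_SEND_KEY, MPPE_RECV_KEY):
                keys[vtype] = mppe_decrypt(secret, req_auth, value[6:4 + vlen])
    return keys


def guess_secret(req_auth, packet, candidates):
    """Offline attack on one captured Access-Accept plus the Request Authenticator
    of its request: a guess that verifies is the secret, and the session key comes with it."""
    for cand in candidates:
        if verify_accept(cand, req_auth, packet) is not None:
            return cand
    return None
```

`build_accept` reproduces the 50-byte MS-MPPE values seen in the capture (2 bytes of salt, then a 33-byte length-prefixed 32-byte key padded to 48); `guess_secret` is the reason the shared secret must be random rather than a word, since one captured Access-Request/Access-Accept pair is enough to test guesses offline.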
    

Key Takeaways

  1. Two modes: password authentication for convenience, certificate authentication where the risk warrants it
  2. Open standards throughout: every component is a standard protocol or format, so there is no vendor lock-in
  3. Defense in depth: TLS protects credentials in transit, the directory stores only salted hashes, and the RADIUS shared secret authenticates each packet
  4. Portable architecture: the same design works on-premises and after a move to cloud infrastructure

Useful Resources

  1. FreeRADIUS configuration example
  2. step-ca certificate management guide
  3. OpenLDAP password security configuration
  4. Demo video (below): connecting to Wi-Fi with a password
  5. Demo video (below): connecting to Wi-Fi with a certificate

We also sell this solution; you will receive a CD. Click here for details.


Demo Videos

How to Connect to WiFi Using EAP-TTLS on iPhone (username and password)

How to Connect to WiFi Using EAP-TLS on iPhone (certificate-based)

