Ultimate S-Tier Wifi Security with EAP-TLS Certificates (feat. Smallstep)

Views: 8,846

apalrd's adventures

1 day ago

So in a previous video I talked about the different types of WiFi security, and concluded that WPA-Enterprise is the ULTIMATE! So today we're going to implement that, using a Unifi WiFi setup and Smallstep's new certificate authority as an example.
Smallstep has the written instructions on their blog (thx Carl):
smallstep.com/blog/home-netwo...
Support me on Ko-Fi if you enjoy my content and find it useful:
ko-fi.com/apalrd
Feel free to chat about my upcoming projects on Discord!
My previous video on WiFi Security: • How Secure is YOUR WiF...
My previous video on Certificates (relevant for self-hosting Smallstep): • Self-Hosted TRUST with...
My previous video on RADIUS (relevant for self-hosting FreeRADIUS): • One WiFi, Multiple Net...
Timestamps:
00:00 - Introduction
00:56 - Chain of Trust
03:42 - Network Setup
11:12 - Certificate Generation
15:08 - Mobile Config
22:06 - Conclusions

Comments: 41
@nickjongens2169 3 months ago
Thanks, just saw an ad for smallstep and found this video around the same time. You're an S-Tier presenter :)
@apalrdsadventures 3 months ago
Thanks!
@grantwilcox330 5 months ago
Thank you for sharing. Slowly learning about using security certificates.
@james-cucumber 5 months ago
Super interesting video! (Commenting mostly for the algorithm)
@apalrdsadventures 5 months ago
Thanks for that!
@crmeae 5 months ago
Very interesting video
@grigory559 2 months ago
Excellent video, thank you so much! Have you found any way to automatically distribute generated certificates on iOS devices? I'm pretty sure my wife won't be happy if I ask her to do that every 3 months 😕
@dannylberry 5 months ago
I've just set this up using my own RootCA for the smallstep PKI. Does anyone happen to know if it is still free as long as you stay under the 20-device cap? I can see my authority's type is Advanced?
@adrianstephens56 5 months ago
Link-level security has its value (such as for identity protection), but you are trusting the AP - this might make sense at home, but not in public. Therefore, end-to-end security is always necessary. I argued this in the 802.11 standards group many years ago in the context of mesh networks, where you might have great link-level encryption, but have to trust an unknown set of intermediate nodes.
@apalrdsadventures 5 months ago
You're not trusting the AP though, you're trusting the RADIUS server. The AP is just facilitating the EAP exchange by passing frames along.
@mjmeans7983 5 months ago
In which use cases would Smallstep not be useful when implementing EAP-TLS? I presume one answer would be when only securing local connections in a network segment that doesn't have internet access at all. Is that correct? Are there other uses cases where Smallstep is not necessary or perhaps even a disadvantage?
@apalrdsadventures 5 months ago
Depends on if you mean Smallstep SaaS or step-ca (the open-source backend). You can use the open-source backend along with FreeRADIUS to implement everything in this video, except generating mobileconfig files. They are just xml though, and step-ca can do the SCEP bit. So Smallstep (SaaS) is adding a GUI in this case, and also doing the job of configuring FreeRADIUS. Step-CA (open-source backend) is adding a ton of plumbing above what OpenSSL would provide as a CA, especially in supporting enrollment protocols like SCEP, ACME, Nebula, and integrating other types of certs like TLS and SSH into the same system.
@dozerd42 5 months ago
Does your AP support WPA3 Enterprise for Wifi6 clients, but still support WPA2 for WiFi clients? Not all my devices support Wifi6 yet.
@apalrdsadventures 5 months ago
Security / 802.11 settings are separate. You can run in WPA2/3 transition and allow clients of either generation, and separately allow 802.11N/AC/AX (on 5 GHz). In WPA-Enterprise, using WPA2/3 transition doesn't have nearly as many downsides as it does in WPA-PSK.
@zyghom 5 months ago
earthquake here at 17:55 ? ;-) And btw how many t-shirts in one video? ;-) And hair styles? ;-)
@apalrdsadventures 5 months ago
More T-shirts / hair styles = the video took a long time to make
@jagdtigger 5 months ago
I'd rather not depend on an external provider; can I use self-signed for this?
@apalrdsadventures 5 months ago
RADIUS-side you can use a single self-signed cert if you want, or it can be issued by an authority clients trust. Client-side you need an authority to issue certs and then the RADIUS server trusts the authority to validate individual certs. OpenSSL can do this (but it's clunky), and step-ca (the open source backend of Smallstep) can also do this self-hosted. FreeRADIUS would then be configured with the eap module and point at the root certificate used by the clients. The authority doesn't need to be public, but you really do need an authority somewhere.
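The trust split described in this reply, as an added example that is not from the video, Smallstep or FreeRADIUS: a small stand-in for the RADIUS server's check (the job the FreeRADIUS eap module does once it is pointed at the clients' root certificate), written in Go with only the standard library. The CA names and the device name are constructed for the demo; the issued certificates are 90-day ones to match the video's renewal cadence.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a key pair plus a 90-day certificate for cn; with parent == nil it is a self-signed root CA.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { // a CA signs certificates; it is not itself a WiFi client
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// radiusAccepts models the RADIUS-side check: the server is given only the root CA and accepts
// a client exactly when its certificate chains to that root with a client-auth usage.
func radiusAccepts(root, client *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

func main() {
	homeCA, homeKey := issue("Home WiFi Root CA", true, nil, nil)   // constructed private root
	otherCA, otherKey := issue("Someone Else's CA", true, nil, nil) // constructed, not trusted by RADIUS
	phone, _ := issue("alice-phone", false, homeCA, homeKey)
	stranger, _ := issue("alice-phone", false, otherCA, otherKey) // same name, wrong issuer
	fmt.Println(radiusAccepts(homeCA, phone), radiusAccepts(homeCA, stranger)) // true false
}
```

The second client has the same common name as the first but is rejected: the server never compares names or individual certificates, only whether the issuer is the authority it was configured to trust.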
@jagdtigger 5 months ago
@apalrdsadventures Great 👍, thanks. I'd rather spend a few hours figuring this out and writing rudimentary bash scripts to automate it with cron than scramble when the external provider goes under...
@Dogo.R 5 months ago
Why doesn't MAC address whitelisting achieve the same thing certificates do?
@gmdc5850 5 months ago
I think it is relatively easy to generate MAC addresses, so you could bypass that security feature
@apalrdsadventures 5 months ago
Yes, devices can easily choose whatever MAC they wish, and MACs are always unencrypted over the air, so it's not hard to find a valid MAC to clone.
@ericjohnson2193 5 months ago
🤔 in theory, could a mobile app be made to do certificate renewal for you?
@apalrdsadventures 5 months ago
This is how MDMs (Mobile Device Management systems) operate, basically.
@mjmeans7983 5 months ago
Camera security? Are you aware of any open-source camera firmware that supports EAP-TLS certificate security so that security cameras can't be eavesdropped on?
@hasanmujeeb8922 5 months ago
Wow that’s awesome
@hasanmujeeb8922 5 months ago
What’s the firmware?
@mjmeans7983 5 months ago
Okay, so I plan on investigating the GitHub projects ESP32-EAP-TLS-WPA2 and ESP32-CAMERA at some point. Hopefully they will work together well enough to make a much more secure security camera.
@user-kv9dw4tp3y 5 months ago
Hello! I wanted to say that the T-shirt is great. Thank you
@user-kv9dw4tp3y 5 months ago
Thank you for the interesting videos. Very informative. They helped me move my home infrastructure forward
@apalrdsadventures 5 months ago
Glad it's helping you! I don't actually speak Russian, it's a T-shirt of the first dog in space, Лайка
@robertopontone 5 months ago
Quite unique content, but this time too complex for me 😢
@RomanTruman 25 days ago
Like for Лайка :D
@antonfelin 5 months ago
Does the T-shirt say "лайка"?
@apalrdsadventures 5 months ago
Лайка was the name of the first Soviet space dog, hence the dog on the shirt
@dzmitryulasau878 5 months ago
I got confused as well 😀
@zyghom 5 months ago
@apalrdsadventures and now you say you speak Russian ;-)
@andrieshrr 5 months ago
I also noticed this t-shirt :D