It's amazing how long it can take to set up a small "reasonably-secure" WPA wireless network.
I thought it would be pretty straight-forward. Just configure the AP to EAP, tell it the radius secret, apt-get install freeradius, distribute some X.509 certificates and start wpa_supplicant on the client machines.
In principle, that's it. However, practical issues I ran into:
- The AP crashes every so often
- The AP needs to reboot after every single config change (no chance to do multiple changes and then reboot
- The AP needs some 5 minutes to reboot
- The AP refuses to use certain totally valid IP addresses, be it via DHCP or statically configured in the web frontend
- The Debian freeradius package on AMD64 misses EAP support due to a libtool problem (missing -fPIC), known since January.
- The Debian freeradius package doesn't ship with EAP-TLS, since the EAP-TLS code is GPL licensed but links to openssl.
- wpa_supplicant doesn't work with the PowerBook built-in Airport (orinoco_cs) card
So I wasted the better part of a day to overcome the issues above, but I'm still not happy. My PowerBook now needs an Atheros Cardbus card, even though it has a built-in card. DHCP randomly fails for unknown reasons (I see the valid DHCP replies go into the AP, but it fails to pass them on).