The Problem with Shared WiFi Passwords
Walk into almost any small office or startup, and you’ll likely spot a sticky note on the wall with the WiFi password. This is WPA2-Personal (PSK). While it’s convenient, it’s a security liability for a growing business. When an employee leaves, you’re forced to change the password for every single device in the building to remain secure. In reality, most teams never do this, leaving the network wide open to former staff or anyone who caught a glimpse of that sticky note.
Most basic office setups dump employees, printers, and guests into one ‘flat’ network. This is a massive risk. I’ve seen a single guest laptop infected with ransomware encrypt an entire company NAS in under 30 minutes. The cleanup cost in those cases often exceeds $10,000—far more than the price of setting up a proper network from the start.
The Root Cause: Identity and Isolation
Standard WiFi fails because it lacks Identity and Isolation. WPA2-PSK validates a password, not a person. You can’t tell if ‘User A’ or ‘User B’ is hogging the bandwidth or poking around sensitive HR files.
Beyond identity, there is the issue of reach. Without VLAN (Virtual Local Area Network) tagging, your Access Point (AP) acts as a simple bridge, throwing all traffic into one bucket. We need an architecture that validates individual credentials and puts traffic into specific ‘lanes’ based on the user’s role.
Comparing Enterprise vs. Personal WiFi Approaches
Before we look at the configuration, let’s see how WPA3-Enterprise compares to standard alternatives.
WPA2/WPA3-Personal (PSK)
- Mechanism: Every device shares a single Pre-Shared Key.
- Target: Home users or tiny shops with fewer than 5 people.
- The Catch: No individual accountability. A single leak compromises the entire perimeter.
Cloud-Managed Hardware (Ubiquiti, Cisco Meraki)
- Mechanism: Proprietary APs managed via a web portal.
- Target: Mid-sized businesses with a budget for a GUI-driven experience.
- The Catch: High hardware costs and recurring licensing fees.
Linux Software AP (hostapd + FreeRADIUS)
- Mechanism: A standard Linux server with a compatible WiFi card. 802.1X handles authentication.
- Target: IT teams who demand total control and zero licensing overhead.
- Strength: Unmatched flexibility in routing, logging, and firewalling.
Pros and Cons of the Linux hostapd Approach
I’ve deployed this setup in production environments with 50+ users, and the stability is impressive. However, it requires a specific skillset. Here is the reality check:
The Upside:
- Granular Control: You can script specific actions the moment a user connects.
- Zero Licensing: No monthly fees per AP or per user.
- WPA3 Native: hostapd implements WPA3 directly, including SAE (WPA3-Personal) and GCMP-256 (WPA3-Enterprise 192-bit mode).
- Data Sovereignty: You own the logs; no telemetry goes to a cloud vendor.
The Downside:
- Technical Overhead: You’ll be managing text files rather than clicking buttons in a dashboard.
- Picky Hardware: You must choose WiFi cards that support “AP Mode” on Linux.
Recommended Setup
For this guide, use a clean install of Ubuntu 22.04 or 24.04 LTS. You need a WiFi card that supports nl80211 and AP mode. Look for Atheros chips driven by ath9k or ath10k; they are the gold standard for Linux APs. We will use FreeRADIUS for the authentication logic and hostapd to manage the radio.
Implementation Guide
Step 1: Install the Core Components
Start by updating your system and installing the necessary tools.
sudo apt update
sudo apt install hostapd freeradius freeradius-utils bridge-utils -y
Step 2: Configure FreeRADIUS (The Brain)
FreeRADIUS verifies the credentials. We’ll use simple passwords for this example, though you can later link this to Active Directory. Edit the clients config so hostapd can talk to the RADIUS server:
# /etc/freeradius/3.0/clients.conf
# Edit the existing localhost block. testing123 is the secret FreeRADIUS ships with;
# use a long random value in production and put the same value in hostapd.conf.
client localhost {
	ipaddr = 127.0.0.1
	secret = testing123
}
Now, define your users and assign them a VLAN ID. We’ll use VLAN 10 for Staff and VLAN 20 for Guests.
# /etc/freeradius/3.0/users
# Reply items must be indented and comma-separated (no comma after the last one);
# an unindented line is parsed as the start of a new user entry.
# Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802.
"john_doe" Cleartext-Password := "staff_password"
	Tunnel-Type = 13,
	Tunnel-Medium-Type = 6,
	Tunnel-Private-Group-Id = "10"

"guest_user" Cleartext-Password := "guest_password"
	Tunnel-Type = 13,
	Tunnel-Medium-Type = 6,
	Tunnel-Private-Group-Id = "20"
Apply the changes: sudo systemctl restart freeradius.
Step 3: Configure hostapd (The Radio)
Next, we configure the WiFi radio. WPA3-Enterprise requires Management Frame Protection (MFP) to prevent de-authentication attacks.
# /etc/hostapd/hostapd.conf
interface=wlan0
bridge=br0
driver=nl80211
ssid=Corporate_WiFi
hw_mode=g
channel=6
# WPA3-Enterprise Settings
# wpa is a bitmask (1 = legacy WPA, 2 = WPA2/RSN). WPA3-Enterprise is RSN only,
# so use 2; wpa=3 would also enable legacy WPA, which cannot be combined with MFP.
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
# Open System authentication (the only choice that makes sense with 802.1X)
auth_algs=1
# Dynamic VLAN assignment from the RADIUS Tunnel-* attributes
dynamic_vlan=1
vlan_file=/etc/hostapd/hostapd.vlan
vlan_tagged_interface=eth0
# Prefix of the per-VLAN bridge that wlan0.<id> is attached to (gives br10, br20)
vlan_bridge=br
# RADIUS Server details
wpa_eap_reauth_period=3600
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
# Management Frame Protection (Required for WPA3)
ieee80211w=2
Map the VLANs in the helper file:
# /etc/hostapd/hostapd.vlan
* wlan0.#
This tells hostapd to spin up virtual interfaces like wlan0.10 automatically when a user logs in.
Step 4: Network Isolation
Create bridges on the Linux host to handle the traffic. You can use iproute2 to create br10 (Staff) and br20 (Guest).
# Manual bridge creation
sudo ip link add br10 type bridge
sudo ip link set br10 up
sudo ip link add br20 type bridge
sudo ip link set br20 up
To lock down the network, use iptables. This prevents br20 (Guests) from reaching br10 (Staff).
# Drop traffic from Guest VLAN to Staff VLAN. Rules are evaluated in order, so append these
# before any blanket ACCEPT, and persist them (e.g. with iptables-persistent) or they vanish on reboot.
sudo iptables -A FORWARD -i br20 -o br10 -j REJECT
# Also catch guest packets addressed to the staff subnet (assumes 192.168.10.0/24 lives on br10)
sudo iptables -A FORWARD -i br20 -d 192.168.10.0/24 -j REJECT
Step 5: Testing the Connection
Run hostapd in debug mode to watch the handshake in real-time:
sudo hostapd -dd /etc/hostapd/hostapd.conf
On your phone or laptop, select the Corporate_WiFi network, choose the EAP (802.1X) security option and enter the credentials for john_doe. On success, hostapd creates the wlan0.10 interface and attaches it to br10 immediately.
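What hostapd has to check before it trusts the VLAN from Step 2 is visible on the wire: the Access-Accept's Response Authenticator (computed over the shared secret) and the RFC 2868 tunnel attributes with their optional tag octet. The following is an added example written for this article, not code from hostapd or FreeRADIUS; the sample reply, request authenticator and shared secret are constructed, and the checker mirrors hostapd's handling rather than calling it.

```python
import hashlib
import hmac
ACCESS_ACCEPT = 2
# RFC 2868 tunnel attributes: the three reply items set per user in /etc/freeradius/3.0/users
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def build_reply(code, ident, request_auth, secret, attrs):
    """Assemble a reply whose Response Authenticator is computed as in RFC 2865 section 3."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big")
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def reply_is_authentic(packet, request_auth, secret):
    """Recompute the Response Authenticator; a forged reply or a wrong shared secret fails here."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attrs(body):
    """Walk the Type-Length-Value list, rejecting a length that runs off the end of the packet."""
    attrs = {}
    while body:
        alen = body[1] if len(body) > 1 else 0
        if alen < 2 or alen > len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs[body[0]], body = body[2:alen], body[alen:]
    return attrs

def untag(value):
    """RFC 2868: a leading octet of 0x00..0x1F is a tag; anything larger is part of the value."""
    return value[1:] if value and value[0] <= 0x1F else value

def assigned_vlan(packet, request_auth, secret):
    """Return the VLAN ID this Access-Accept assigns, or None if hostapd should ignore it."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT or not reply_is_authentic(packet, request_auth, secret):
        return None
    attrs = {t: untag(v) for t, v in parse_attrs(packet[20:]).items()}
    tunnel_type = int.from_bytes(attrs.get(TUNNEL_TYPE, b""), "big")
    medium = int.from_bytes(attrs.get(TUNNEL_MEDIUM_TYPE, b""), "big")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != MEDIUM_IEEE_802 or not group.isdigit():
        return None  # missing or inconsistent: with dynamic_vlan=1 the station stays on the default bridge
    return int(group)

# Constructed sample: the reply FreeRADIUS would send for john_doe (VLAN 10) using the page's secret.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))  # stands in for the 16 random bytes hostapd sent in its request
STAFF_ACCEPT = build_reply(ACCESS_ACCEPT, 1, REQUEST_AUTH, SECRET, [
    (TUNNEL_TYPE, b"\x00\x00\x00\x0d"), (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),
    (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"10")])  # each value starts with the tag octet 0x00
```

Flipping a single byte of the VLAN string, or using a different secret, makes assigned_vlan return None, which is why the shared secret and not the UDP source address is what binds hostapd to the RADIUS server.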
Final Summary
Switching to WPA3-Enterprise might seem like overkill for a small team, but the security ROI is massive. By isolating users into VLANs at the point of entry, you shrink your attack surface. If a guest brings a compromised device into your office, it remains trapped in VLAN 20. It can’t sniff traffic or scan ports on your production servers. This setup is a reliable, cost-effective way to build professional-grade infrastructure without the vendor lock-in.