29 novembre 2007
27 novembre 2007
backtrack 2
loadkeys be-latin1
------------------------------------------------------
ifconfig eth0 up
dhcpcd eth0
wlassistant
support intel 3945: backtrack -> Radio Network Analysis -> 80211 -> Misc -> load ipw3945
--------------------------------------------------------------------------------------------------------------------------
airodump-ng --ivs --write 3com2 --channel 1 -w eth1
aireplay-ng -3 -e 3com2 -b 00:1A:C1:7D:D0:40 -h 00-1B-77-02-5C-0A eth1
aircrack-ng -x *.ivs
--------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------
ifconfig eth0 up
dhcpcd eth0
wlassistant
support intel 3945: backtrack -> Radio Network Analysis -> 80211 -> Misc -> load ipw3945
--------------------------------------------------------------------------------------------------------------------------
airodump-ng --ivs --write 3com2 --channel 1 -w eth1
aireplay-ng -3 -e 3com2 -b 00:1A:C1:7D:D0:40 -h 00-1B-77-02-5C-0A eth1
aircrack-ng -x *.ivs
--------------------------------------------------------------------------------------------------------------------------
25 novembre 2007
networkmanager ubuntu
networkmanager ne fonctionne qu'en dhcp!!!!!
Contrôle de NetworkManager en ligne de commande
Pour démarrer le service
sudo /etc/dbus-1/event.d/26NetworkManagerDispatcher start
sudo /etc/dbus-1/event.d/25NetworkManager start
Pour arrêter le service
sudo /etc/dbus-1/event.d/26NetworkManagerDispatcher stop
sudo /etc/dbus-1/event.d/25NetworkManager stop
Pour activer la connexion
dbus-send --system \
--dest=org.freedesktop.NetworkManager \
/org/freedesktop/NetworkManager \
org.freedesktop.NetworkManager.wake
Pour arrêter la connexion
dbus-send --system \
--dest=org.freedesktop.NetworkManager \
/org/freedesktop/NetworkManager \
org.freedesktop.NetworkManager.sleep
12 novembre 2007
WPA entreprise PEAP: mise en oeuvre de démo
Installation rapide d'une solution fonctionnelle de réseau 802.11 avec sécurité WPA2 entreprise PEAP (mschapv2).
On part du principe que les machines sont installées en XP et qu'on n'a pas l'autorisation d'installer un OS plus complet dessus.
Composants:
Un pc fixe XP qui fera office de serveur Freeradius (connexion ethernet classique), serveur DHCP et serveur Web.
Un pc portable avec carte wi-fi supportant le wpa2
Un point d'accès supportant la variante entreprise du WPA (norme IEEE802.11i)
Un commutateur ethernet pour relier le radius au point d'accès
On est sur un réseau indépendant et non connecté à l'Internet
1) Configuration du PC serveur radius, DHCP et web
- téléchargement d'un serveur DHCP:
http://tftpd32.jounin.net/tftpd32_download.html
-téléchargement d'un serveur web:
http://www.cherokee-project.com/download/windows/
Il suffit d'installer par défaut et le serveur tourne sur les différentes interfaces du serveur http://127.0.0.1 et http://x.y.w.z
- téléchargement de freeradius pour windows:
sur le site http://www.freeradius.net/ on trouve un exécutable pour Windows qui est compilé à partir des sources du projet principal freeradius
à la date du 12/11/2007 il s'agit de FreeRADIUS.net-1.1.7-r0.0.2.exe
Après l'installation on se retrouve avec un menu de ce type et une petite icône dans la barre des tâches (zone de notification).
Il faut éditer les fichiers de configuration clients.conf, users.conf et eap.conf. Si l'accès depuis le menu n'est pas fonctionnel les différents fichiers de configuration se trouvent par défaut dans le répertoire suivant:
C:\FreeRADIUS.net\etc\raddb\
Comme éditeur je ne saurais trop recommander d'utiliser gvim afin d'avoir un affichage correct (notepad semble ne pas comprendre les retours charriot du fichier clients.conf) et ne pas risquer de générer des caractères parasites à l'enregistrement (wordpad). Ceci étant je pratique peu notepad et wordpad.
Dans users.conf, on va définir le login/password des utilisateurs qui peuvent se connecter au réseau wi-fi. En environnement de production on utilise en général une solution d'authentification centralisée standardisée comme LDAP ou Active Directory (si on accepte de renoncer à l'interopérabilité) vers laquelle les requêtes sont redirigées. Un utilisateur testuser testpw est défini par défaut, on peut l'utiliser pour tester rapidement sans devoir éditer ce fichier.
testuser User-Password == "testpw"
Dans eap.conf, on va définir ici le type de méthode EAP dans notre cas: peap
default_eap_type = peap
Dans clients.conf, on va définir les points d'accès qui peuvent interroger le serveur radius.
Le fichier de conf clients.conf se trouve par défaut ici:
C:\FreeRADIUS.net\etc\raddb\clients.conf
Il n'y a pas de raccourci dans le menu radius
On ajoute ceci pour permettre au point d'accès 3com qui a pour adresse IP par défaut 169.254.2.2 d'adresser les requêtes. Le secret est fait pour sécuriser les choses.
client 169.254.2.2 {
secret = testing123
shortname = liv1
}
Via le menu de freeradius, lancer le serveur radius en mode debug.
Il existe un outil de test pour le serveur radius intitulé NTRadPing téléchargeable ici http://www.dialways.com. On l'utilisera pour valider les choses le cas échéant.
l'adresse ip du serveur radius sera choisie dans le "range" 169.254.0.0/16 conformément à la RFC 3927 (Dynamic configuration of IPv4 Link-local Adresses). C'est une adresse de ce type que windows s'attribue lorsqu'il ne trouve pas de serveur DHCP et qu'il n'a pas d'adresse IP configurée manuellement. Microsoft parle de ce concept sous le vocable APIPA (Automatic Private Internet Protocol Addressing)
Admettons que l'adresse IP soit : 169.254.96.171
Si on le souhaite on peut définir ce PC comme faisant office de serveur DHCP par exemple avec l'outil Tftpd32 by Ph. Jounin
2) configuration du point d'accès 3com modèle 7760
Son comportement est le suivant:
sans serveur DHCP le point d'accès prend l'IP 169.254.2.2 ( admin/password )
avec serveur DHCP le point d'accès prend une IP et il faut la retrouver à partir de la mac
ou bien utiliser l'application (windows seulement)
ensuite on peut se connecter via un navigateur et lancer la configuration de base via le setup Wizard (voir les captures d'écran)
L'alternative avec utilisation d'un point d'accès LANCOM nécessite de faire un reset LONG du point d'accès puis de pointer son navigateur sur l'adresse ip par défaut de celui-ci qui est 172.23.56.254
3) Sur le client qui doit se connecter, on doit d'une part installer le certificat du réseau (celui fournit par le serveur radius) et d'autre part lui signifier la méthode d'authentification.
Il convient donc d'installer le certificat fourni par Freeradius.net sur le PC client. Le certificat se trouve dans C:\Freeradius.net\etc\raddb\certs\freerADIUS.net\Democerts\ et se nomme Freeradius.net-CA.crt.
La configuration se fait via windows de la façon suivante:
On the Wireless Network tab, select the network and click Configure to open the network properties. Then
Select the Authentication tab
Select Protected EAP on the drop-down list
Click Properties
Enable "Validate server certificate"
In Trusted Root Certification Authorities list, enable the root.der certificate.
In Select Authentication Method, select "Secured password (EAP-MSCHAPv2)"
Click Configure
On part du principe que les machines sont installées en XP et qu'on n'a pas l'autorisation d'installer un OS plus complet dessus.
Composants:
Un pc fixe XP qui fera office de serveur Freeradius (connexion ethernet classique), serveur DHCP et serveur Web.
Un pc portable avec carte wi-fi supportant le wpa2
Un point d'accès supportant la variante entreprise du WPA (norme IEEE802.11i)
Un commutateur ethernet pour relier le radius au point d'accès
On est sur un réseau indépendant et non connecté à l'Internet
1) Configuration du PC serveur radius, DHCP et web
- téléchargement d'un serveur DHCP:
http://tftpd32.jounin.net/tftpd32_download.html
-téléchargement d'un serveur web:
http://www.cherokee-project.com/download/windows/
Il suffit d'installer par défaut et le serveur tourne sur les différentes interfaces du serveur http://127.0.0.1 et http://x.y.w.z
- téléchargement de freeradius pour windows:
sur le site http://www.freeradius.net/ on trouve un exécutable pour Windows qui est compilé à partir des sources du projet principal freeradius
à la date du 12/11/2007 il s'agit de FreeRADIUS.net-1.1.7-r0.0.2.exe
Après l'installation on se retrouve avec un menu de ce type et une petite icône dans la barre des tâches (zone de notification).
Il faut éditer les fichiers de configuration clients.conf, users.conf et eap.conf. Si l'accès depuis le menu n'est pas fonctionnel les différents fichiers de configuration se trouvent par défaut dans le répertoire suivant:
C:\FreeRADIUS.net\etc\raddb\
Comme éditeur je ne saurais trop recommander d'utiliser gvim afin d'avoir un affichage correct (notepad semble ne pas comprendre les retours charriot du fichier clients.conf) et ne pas risquer de générer des caractères parasites à l'enregistrement (wordpad). Ceci étant je pratique peu notepad et wordpad.
Dans users.conf, on va définir le login/password des utilisateurs qui peuvent se connecter au réseau wi-fi. En environnement de production on utilise en général une solution d'authentification centralisée standardisée comme LDAP ou Active Directory (si on accepte de renoncer à l'interopérabilité) vers laquelle les requêtes sont redirigées. Un utilisateur testuser testpw est défini par défaut, on peut l'utiliser pour tester rapidement sans devoir éditer ce fichier.
testuser User-Password == "testpw"
Dans eap.conf, on va définir ici le type de méthode EAP dans notre cas: peap
default_eap_type = peap
Dans clients.conf, on va définir les points d'accès qui peuvent interroger le serveur radius.
Le fichier de conf clients.conf se trouve par défaut ici:
C:\FreeRADIUS.net\etc\raddb\clients.conf
Il n'y a pas de raccourci dans le menu radius
On ajoute ceci pour permettre au point d'accès 3com qui a pour adresse IP par défaut 169.254.2.2 d'adresser les requêtes. Le secret est fait pour sécuriser les choses.
client 169.254.2.2 {
secret = testing123
shortname = liv1
}
Via le menu de freeradius, lancer le serveur radius en mode debug.
Il existe un outil de test pour le serveur radius intitulé NTRadPing téléchargeable ici http://www.dialways.com. On l'utilisera pour valider les choses le cas échéant.
l'adresse ip du serveur radius sera choisie dans le "range" 169.254.0.0/16 conformément à la RFC 3927 (Dynamic configuration of IPv4 Link-local Adresses). C'est une adresse de ce type que windows s'attribue lorsqu'il ne trouve pas de serveur DHCP et qu'il n'a pas d'adresse IP configurée manuellement. Microsoft parle de ce concept sous le vocable APIPA (Automatic Private Internet Protocol Addressing)
Admettons que l'adresse IP soit : 169.254.96.171
Si on le souhaite on peut définir ce PC comme faisant office de serveur DHCP par exemple avec l'outil Tftpd32 by Ph. Jounin
2) configuration du point d'accès 3com modèle 7760
Son comportement est le suivant:
sans serveur DHCP le point d'accès prend l'IP 169.254.2.2 ( admin/password )
avec serveur DHCP le point d'accès prend une IP et il faut la retrouver à partir de la mac
ou bien utiliser l'application (windows seulement)
ensuite on peut se connecter via un navigateur et lancer la configuration de base via le setup Wizard (voir les captures d'écran)
L'alternative avec utilisation d'un point d'accès LANCOM nécessite de faire un reset LONG du point d'accès puis de pointer son navigateur sur l'adresse ip par défaut de celui-ci qui est 172.23.56.254
3) Sur le client qui doit se connecter, on doit d'une part installer le certificat du réseau (celui fournit par le serveur radius) et d'autre part lui signifier la méthode d'authentification.
Il convient donc d'installer le certificat fourni par Freeradius.net sur le PC client. Le certificat se trouve dans C:\Freeradius.net\etc\raddb\certs\freerADIUS.net\Democerts\ et se nomme Freeradius.net-CA.crt.
La configuration se fait via windows de la façon suivante:
On the Wireless Network tab, select the network and click Configure to open the network properties. Then
Select the Authentication tab
Select Protected EAP on the drop-down list
Click Properties
Enable "Validate server certificate"
In Trusted Root Certification Authorities list, enable the root.der certificate.
In Select Authentication Method, select "Secured password (EAP-MSCHAPv2)"
Click Configure
10 novembre 2007
Découverte et cartographie réseau
NetWhistler, qui construit une carte réseau, avec une vérification permanente du plan d'adressage IP
CellWriter: Open source handwriting recognition for Linux
enfin un programme de reconnaissance de caractères en open source....
http://risujin.org/cellwriter/
http://risujin.org/cellwriter/
09 novembre 2007
FreeRadius et client XP
FreeRADIUS/WinXP Authentication Setup
This post describes how to build a FreeRADIUS server for TLS and PEAP authentication, and how to configure the Windows XP clients (supplicants). The server is configured for a home (or test) network.
Three papers have been written about TLS authentication with a FreeRADIUS server:
1) www.missl.cs.umd.edu/wireless/eaptls
2) www.freeradius.org/doc/EAPTLS.pdf
3) www.denobula.com
These papers provide an excellent background, but are somewhat out of date. Where appropriate, I will simply refer to these documents rather than repeating the information. I recommend that you follow the steps I give below rather than the steps in these documents.
In the steps below, I give examples from the FreeRADIUS server that I installed yesterday in my Red Hat 9 computer. If you follow this example, please make the needed changes to the names of the files. I installed the FreeRADIUS and OpenSSL files in special local directories. This ensures that there is no interaction between the base Linux files and the new files. It also allows you to easily remove all of the newly installed files.
One word of caution: Be prepared for some frustration. The FreeRADIUS and OpenSSL snapshots used in constructing the server are beta software. Don't be surprised if you encounter some problems.
1. Download and Install OpenSSL and FreeRADIUS
The first step is to download and install the latest snapshot versions of OpenSSL and FreeRADIUS.
a. OpenSSL -- Download the latest OpenSSL-0.9.7-stable snapshot. I downloaded the OpenSSL snapshot to my home directory. The snapshots are located at:
»ftp://ftp.openssl.org/snapshot/
Then I used the following nine steps:
mkdir -p /usr/src/802/openssl
cd /usr/src/802/openssl
cp /home/jbibe/openssl-0.9.7-stable-SNAP-20040202.tar.gz \
openssl-0.9.7-stable-SNAP-20040202.tar.gz
gunzip openssl-0.9.7-stable-SNAP-20040202.tar.gz
tar xvf openssl-0.9.7-stable-SNAP-20040202.tar
cd openssl-0.9.7-stable-SNAP-20040202
./config shared --prefix=/usr/local/openssl
make
make install
That completes the work with OpenSSL, except for building the required certificates.
When you perform the config, make, and make-install here and in the FreeRADIUS install described below, I recommend that you log the information. For example, instead of using the simple "make" command, use:
make > mymake.log 2>&1
If you encounter problems, you can review mymake.log (or myconfig.log, or myinstall.log) for errors.
b. FreeRadius -- Download the latest FreeRADIUS snapshot. Again, I downloaded the file to my home directory. The snapshot is located at:
»ftp://ftp.freeradius.org/pub/radius/CVS-snapshots/
Then I used the following nine steps:
mkdir -p /usr/src/802/radius
cd /usr/src/802/radius
cp /home/jbibe/freeradius-snapshot-20040203.tar.gz \
freeradius-snapshot-20040203.tar.gz
gunzip freeradius-snapshot-20040203.tar.gz
tar xvf freeradius-snapshot-20040203.tar
cd freeradius-snapshot-20040203
./configure --with-openssl-includes=/usr/local/openssl/include \
--with-openssl-libraries=/usr/local/openssl/lib \
--prefix=/usr/local/radius
make
make install
That completes the work with FreeRADIUS, except for building certificates, making the changes to the FreeRADIUS configuration files, moving the server certificates to their final location, and building a wrapper for radiusd.
2. Produce Certificates
Server and client certificates are needed for TLS and PEAP. To produce the required certificates, I recommend that you use CA.all that is included with FreeRADIUS. CA.all uses the configuration information in openssl.cnf.
a. openssl.cnf -- Update openssl.cnf for your configuration. The configuration file is located at:
/usr/local/openssl/ssl
A portion of the information from my openssl.cnf is given below. (The company information is does not describe an actual company located in Brentwood, TN.) Note that the configuration information includes the password "whatever". It is the certificate password.
When CA.all executes, it uses this information three times. The first pass through this information produces the root certificates. If you set up your configuration as shown below, you will be able to accept all of the settings in the first pass. The second pass through this information produces the client certificates. You only need to change the commonName to the client name. In my case, I changed the commonName to jbibe. The third pass through this information produces the server certificates. You only need to change the commonName to the server name. In my case, I changed the commonName to micron.
----- Example -------------------------------------------
---------------------------------------------------------
b. CA.all -- Update the CA.all script for your requirements. The file is located at:
/usr/src/802/radius/freeradius-snapshot-20040203/scripts
If you use the default password "whatever", you only need to verify that the path in the script points to the installed openssl information. No changes should be necessary, but there is one gotcha. At about line 30, the path will probably be in error. Look for the following line and update the path as needed.
echo "newreq.pem" | /usr/local/openssl/ssl/misc/CA.pl -newca
When CA.all executes, it produces nine certificates:
root.pem, root.p12, root.der
cert-clt.pem, cert-clt.p12, cert-clt.der
cert-srv.pem, cert-srv.p12, cert-srv.der
For TLS and PEAP, the server needs root.pem and cert-srv.pem. For TLS, the Windows XP client needs root.der and cert-clt.p12. For PEAP, the Windows XP client needs root.der.
In the event that you want to use TLS authentication with multiple clients, Document 3 provides the needed script. Look for the CA.clt script in Section 6.
3. Configure Server for TLS
There are only a few changes and additions needed for TLS authentication. The clients.conf, users, and radiusd.conf are located at:
/usr/local/radius/etc/raddb
a. clients.conf -- This file contains the basic configuration for the Access Point. Look for the following line then uncomment and modify as appropriate:
#client 192.168.0.0/24 {
b. users -- This file contains the basic user information. Look for the following line and then add the user name:
#"John Doe" Auth-Type := Local, User-Password == "hello"
#
jbibe
Note that for TLS, you should not include an Auth-Type or a password. The server is able to determine the correct Auth-Type, and a password is not needed because the client uses a client certificate for authentication.
c. radiusd.conf -- This file contains the server configuration information. Look for the following lines and then change the default_eap_type from md5 to tls:
Change md5 to tls.
Move down to the following line, and then uncomment and modify the information, as shown below. Note that I placed the server certificates, dh file and random file in a new directory 1x on my system. Modify the path as needed for your server:
#tls {
No other changes are needed in radiusd.conf for TLS.
d. Server Certificates, DH File, and Random File -- I added a new directory 1x in the radius etc directory, and then copied the server certificates (root.pem and cert-srv.pem) into the directory. Finally, I used the following trick to produce dh and random:
date > dh
date > random
If you prefer, use your keyboard to enter some random characters in these files. Or even better, use the OpenSSL tools to produce the random information for these files.
e. Run-Radius -- The only server addition remaining is wrapper for radiusd. I added a new file run-radius in the /usr/local/radius/sbin directory. The script is from Document 3:
----- Wrapper Script ------------------------------------
#!/bin/sh -x
LD_LIBRARY_PATH=/usr/local/openssl/lib
LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so
export LD_LIBRARY_PATH LD_PRELOAD
/usr/local/radius/sbin/radiusd $@
---------------------------------------------------------
After entering and saving the script, make run-radius executable:
chmod u=rwx run-radius
The server is complete.
4. Install Windows XP Certificates and Setup Client for TLS
The Windows XP certificates need to be installed, and client needs to be configured. I recommend that you follow Raymond McKay's example in Document 3, Section 10, XP Client (Supplicant) Setup. When this step is complete, the client is ready.
5. AP Setup
The AP configuration needs to be modified. This is the setup I used with my ZyXEL B-1000v2. (I assume that the B-1000 has been configured previously to use WEP keys and MAC addresses.)
At the wireless 802.1x tab:
Wireless Port Control = Authentication Required
ReAuthentication Timer = 1800 seconds
Idle Timeout = 3600 seconds
Authentication Database = RADIUS only
Dynamic WEP Key Exchange = 128-bit WEP
At the RADIUS tab for authentication:
Active = Yes
Server IP = 192.168.1.10
Port Number = 1812
Shared Secret = AP_Shared_Secret
6. Test TLS
The final step is to test the server. With Windows XP computer off, start the server in the debug mode by entering:
/usr/local/radius/sbin/run-radius -X -A
The server should start, displaying various debug information before it displays:
----- Example --------------------------------------------
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests
----------------------------------------------------------
If you don't see the message, look through the debug information for errors and missing information. If you see this message, start the Windows XP computer.
When the Windows XP starts, you will see various messages and certificates exchanged between the client and the server. If all is well, you should see the client authenticated and the user logged on. The following partial example is from Document 3. It shows the last few lines of a successful authentication:
----- Example ---------------------------------------------
...
MS-MPPE-Recv-Key = 0xe032765ca06c052e5fe7c2a7534a4252daec44a08505bdb459d4
fa81e70390f2221d2b06071eb0625e0ba67452a890909662
MS-MPPE-Send-Key = 0xe03131ce085bc266127528e749bd4753d3e1702df2d4d8c080351
380f52eae2c24a9fa78015c24e0d140bcd01b23d6c0cacc
EAP-Message = "\003_\000\004"
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 5
Going to the next request
-----------------------------------------------------------
If you see MS-MPPE-Recv-Key and MS-MPPE-Send-Key, the server authenticated the client. You should be able to surf.
7. Change Server Configuration for PEAP
To change the server for PEAP authentication, only a few changes need to be made.
a. users -- Return to the users file and add the user password:
jbibe User-Password == "My-XP-Password"
b. Radiusd.conf -- Return to the radiusd.conf file and make the following changes:
Change the default_eap_type from tls to peap:
Move to the PEAP section below the TLS section and uncomment the following lines:
The server is now ready for PEAP authentication.
8. Change Windows XP for PEAP
On the Wireless Network tab, select the network and click Configure to open the network properties. Then
Select the Authentication tab
Select Protected EAP on the drop-down list
Click Properties
Enable "Validate server certificate"
In Trusted Root Certification Authorities list, enable the root.der certificate.
In Select Authentication Method, select "Secured password (EAP-MSCHAPv2)"
Click Configure
If desired, enable "Automatically use my Windows logon name and password".
I did not enable "Automatically use my Windows ..." In my HP laptop, the software adds HP\\ before the user name; e.g., HP\\jbibe. If you don't enable this option, windows will ask for your user name and password the first time the laptop tries to connect to the network. The computer will then use the user name and password exactly as entered.
On the original Authentication screen, I disabled the "Authenticate as computer when computer information is available"
Windows XP is now ready for testing.
9. Test PEAP
The final step is to test the server. With Windows XP computer off, start the server in the debug mode by entering:
/usr/local/radius/sbin/run-radius -X -A
The server should start, displaying various debug information. If it displays "Ready to process requests", the server is running. This message is identical to the TLS start message. If you review the debug information, you will see additional messages as peap and mschapv2 start.
If you see the Ready message, start the Windows XP computer. As the client and server communicate, you will see various messages exchanged. If all is well, you should see the client authenticated and the user logged on. Again you will see the MS-MPPE-Recv-Key and the MS-MPPE-Send-Key.
If you review the debug messages, you will see the TLS tunnel being built. Once it is built, you will see verification that messages are passing through the tunnel. Finally, you will see the user authenticated.
This post describes how to build a FreeRADIUS server for TLS and PEAP authentication, and how to configure the Windows XP clients (supplicants). The server is configured for a home (or test) network.
Three papers have been written about TLS authentication with a FreeRADIUS server:
1) www.missl.cs.umd.edu/wireless/eaptls
2) www.freeradius.org/doc/EAPTLS.pdf
3) www.denobula.com
These papers provide an excellent background, but are somewhat out of date. Where appropriate, I will simply refer to these documents rather than repeating the information. I recommend that you follow the steps I give below rather than the steps in these documents.
In the steps below, I give examples from the FreeRADIUS server that I installed yesterday in my Red Hat 9 computer. If you follow this example, please make the needed changes to the names of the files. I installed the FreeRADIUS and OpenSSL files in special local directories. This ensures that there is no interaction between the base Linux files and the new files. It also allows you to easily remove all of the newly installed files.
One word of caution: Be prepared for some frustration. The FreeRADIUS and OpenSSL snapshots used in constructing the server are beta software. Don't be surprised if you encounter some problems.
1. Download and Install OpenSSL and FreeRADIUS
The first step is to download and install the latest snapshot versions of OpenSSL and FreeRADIUS.
a. OpenSSL -- Download the latest OpenSSL-0.9.7-stable snapshot. I downloaded the OpenSSL snapshot to my home directory. The snapshots are located at:
»ftp://ftp.openssl.org/snapshot/
Then I used the following nine steps:
mkdir -p /usr/src/802/openssl
cd /usr/src/802/openssl
cp /home/jbibe/openssl-0.9.7-stable-SNAP-20040202.tar.gz \
openssl-0.9.7-stable-SNAP-20040202.tar.gz
gunzip openssl-0.9.7-stable-SNAP-20040202.tar.gz
tar xvf openssl-0.9.7-stable-SNAP-20040202.tar
cd openssl-0.9.7-stable-SNAP-20040202
./config shared --prefix=/usr/local/openssl
make
make install
That completes the work with OpenSSL, except for building the required certificates.
When you perform the config, make, and make-install here and in the FreeRADIUS install described below, I recommend that you log the information. For example, instead of using the simple "make" command, use:
make > mymake.log 2>&1
If you encounter problems, you can review mymake.log (or myconfig.log, or myinstall.log) for errors.
b. FreeRadius -- Download the latest FreeRADIUS snapshot. Again, I downloaded the file to my home directory. The snapshot is located at:
»ftp://ftp.freeradius.org/pub/radius/CVS-snapshots/
Then I used the following nine steps:
mkdir -p /usr/src/802/radius
cd /usr/src/802/radius
cp /home/jbibe/freeradius-snapshot-20040203.tar.gz \
freeradius-snapshot-20040203.tar.gz
gunzip freeradius-snapshot-20040203.tar.gz
tar xvf freeradius-snapshot-20040203.tar
cd freeradius-snapshot-20040203
./configure --with-openssl-includes=/usr/local/openssl/include \
--with-openssl-libraries=/usr/local/openssl/lib \
--prefix=/usr/local/radius
make
make install
That completes the work with FreeRADIUS, except for building certificates, making the changes to the FreeRADIUS configuration files, moving the server certificates to their final location, and building a wrapper for radiusd.
2. Produce Certificates
Server and client certificates are needed for TLS and PEAP. To produce the required certificates, I recommend that you use CA.all that is included with FreeRADIUS. CA.all uses the configuration information in openssl.cnf.
a. openssl.cnf -- Update openssl.cnf for your configuration. The configuration file is located at:
/usr/local/openssl/ssl
A portion of the information from my openssl.cnf is given below. (The company information is does not describe an actual company located in Brentwood, TN.) Note that the configuration information includes the password "whatever". It is the certificate password.
When CA.all executes, it uses this information three times. The first pass through this information produces the root certificates. If you set up your configuration as shown below, you will be able to accept all of the settings in the first pass. The second pass through this information produces the client certificates. You only need to change the commonName to the client name. In my case, I changed the commonName to jbibe. The third pass through this information produces the server certificates. You only need to change the commonName to the server name. In my case, I changed the commonName to micron.
----- Example -------------------------------------------
...
# req_extensions = v3_req
# The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Tennessee
localityName = Locality Name (eg, city)
localityName_default = Brentwood
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Helava
organizationalUnitName = Organizational Unit Name
organizationalUnitName_default = Engineering
commonName = Common Name (eg, YOUR name)
commonName_max = 64
commonName_default = HAI
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = ohb@cmcast.net
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
challengePassword_default = whatever
unstructuredName = An optional company name
---------------------------------------------------------
b. CA.all -- Update the CA.all script for your requirements. The file is located at:
/usr/src/802/radius/freeradius-snapshot-20040203/scripts
If you use the default password "whatever", you only need to verify that the path in the script points to the installed openssl information. No changes should be necessary, but there is one gotcha. At about line 30, the path will probably be in error. Look for the following line and update the path as needed.
echo "newreq.pem" | /usr/local/openssl/ssl/misc/CA.pl -newca
When CA.all executes, it produces nine certificates:
root.pem, root.p12, root.der
cert-clt.pem, cert-clt.p12, cert-clt.der
cert-srv.pem, cert-srv.p12, cert-srv.der
For TLS and PEAP, the server needs root.pem and cert-srv.pem. For TLS, the Windows XP client needs root.der and cert-clt.p12. For PEAP, the Windows XP client needs root.der.
In the event that you want to use TLS authentication with multiple clients, Document 3 provides the needed script. Look for the CA.clt script in Section 6.
3. Configure Server for TLS
There are only a few changes and additions needed for TLS authentication. The clients.conf, users, and radiusd.conf are located at:
/usr/local/radius/etc/raddb
a. clients.conf -- This file contains the basic configuration for the Access Point. Look for the following line then uncomment and modify as appropriate:
#client 192.168.0.0/24 {
client 192.168.1.0/24 {
secret = AP_Shared_Secret
shortname = WLAN
}
b. users -- This file contains the basic user information. Look for the following line and then add the user name:
#"John Doe" Auth-Type := Local, User-Password == "hello"
#
jbibe
Note that for TLS, you should not include an Auth-Type or a password. The server is able to determine the correct Auth-Type, and a password is not needed because the client uses a client certificate for authentication.
c. radiusd.conf -- This file contains the server configuration information. Look for the following lines and then change the default_eap_type from md5 to tls:
eap {
default_eap_type = md5
Change md5 to tls.
Move down to the following line, and then uncomment and modify the information, as shown below. Note that I placed the server certificates, dh file and random file in a new directory 1x on my system. Modify the path as needed for your server:
#tls {
tls {
private_key_password = whatever
private_key_file = /usr/local/radius/etc/1x/cert-srv.pem
certificate_file = /usr/local/radius/etc/1x/cert-srv.pem
CA_file = /usr/local/radius/etc/1x/root.pem
dh_file = /usr/local/radius/etc/1x/dh
random_file = /usr/local/radius/etc/1x/random
fragment_size = 1024
include_length = yes
}
No other changes are needed in radiusd.conf for TLS.
d. Server Certificates, DH File, and Random File -- I added a new directory 1x in the radius etc directory, and then copied the server certificates (root.pem and cert-srv.pem) into the directory. Finally, I used the following trick to produce dh and random:
date > dh
date > random
If you prefer, use your keyboard to enter some random characters in these files. Or even better, use the OpenSSL tools to produce the random information for these files.
e. Run-Radius -- The only server addition remaining is wrapper for radiusd. I added a new file run-radius in the /usr/local/radius/sbin directory. The script is from Document 3:
----- Wrapper Script ------------------------------------
#!/bin/sh -x
LD_LIBRARY_PATH=/usr/local/openssl/lib
LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so
export LD_LIBRARY_PATH LD_PRELOAD
/usr/local/radius/sbin/radiusd $@
---------------------------------------------------------
After entering and saving the script, make run-radius executable:
chmod u=rwx run-radius
The server is complete.
4. Install Windows XP Certificates and Setup Client for TLS
The Windows XP certificates need to be installed, and client needs to be configured. I recommend that you follow Raymond McKay's example in Document 3, Section 10, XP Client (Supplicant) Setup. When this step is complete, the client is ready.
5. AP Setup
The AP configuration needs to be modified. This is the setup I used with my ZyXEL B-1000v2. (I assume that the B-1000 has been configured previously to use WEP keys and MAC addresses.)
At the wireless 802.1x tab:
Wireless Port Control = Authentication Required
ReAuthentication Timer = 1800 seconds
Idle Timeout = 3600 seconds
Authentication Database = RADIUS only
Dynamic WEP Key Exchange = 128-bit WEP
At the RADIUS tab for authentication:
Active = Yes
Server IP = 192.168.1.10
Port Number = 1812
Shared Secret = AP_Shared_Secret
6. Test TLS
The final step is to test the server. With Windows XP computer off, start the server in the debug mode by entering:
/usr/local/radius/sbin/run-radius -X -A
The server should start, displaying various debug information before it displays:
----- Example --------------------------------------------
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests
----------------------------------------------------------
If you don't see the message, look through the debug information for errors and missing information. If you see this message, start the Windows XP computer.
When the Windows XP starts, you will see various messages and certificates exchanged between the client and the server. If all is well, you should see the client authenticated and the user logged on. The following partial example is from Document 3. It shows the last few lines of a successful authentication:
----- Example ---------------------------------------------
...
MS-MPPE-Recv-Key = 0xe032765ca06c052e5fe7c2a7534a4252daec44a08505bdb459d4
fa81e70390f2221d2b06071eb0625e0ba67452a890909662
MS-MPPE-Send-Key = 0xe03131ce085bc266127528e749bd4753d3e1702df2d4d8c080351
380f52eae2c24a9fa78015c24e0d140bcd01b23d6c0cacc
EAP-Message = "\003_\000\004"
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 5
Going to the next request
-----------------------------------------------------------
If you see MS-MPPE-Recv-Key and MS-MPPE-Send-Key, the server authenticated the client. You should be able to surf.
7. Change Server Configuration for PEAP
To change the server for PEAP authentication, only a few changes need to be made.
a. users -- Return to the users file and add the user password:
jbibe User-Password == "My-XP-Password"
b. Radiusd.conf -- Return to the radiusd.conf file and make the following changes:
Change the default_eap_type from tls to peap:
eap {
default_eap_type = peap
Move to the PEAP section below the TLS section and uncomment the following lines:
peap {
default_eap_type = mschapv2
}
The server is now ready for PEAP authentication.
8. Change Windows XP for PEAP
On the Wireless Network tab, select the network and click Configure to open the network properties. Then
Select the Authentication tab
Select Protected EAP on the drop-down list
Click Properties
Enable "Validate server certificate"
In Trusted Root Certification Authorities list, enable the root.der certificate.
In Select Authentication Method, select "Secured password (EAP-MSCHAPv2)"
Click Configure
If desired, enable "Automatically use my Windows logon name and password".
I did not enable "Automatically use my Windows ..." In my HP laptop, the software adds HP\\ before the user name; e.g., HP\\jbibe. If you don't enable this option, windows will ask for your user name and password the first time the laptop tries to connect to the network. The computer will then use the user name and password exactly as entered.
On the original Authentication screen, I disabled the "Authenticate as computer when computer information is available"
Windows XP is now ready for testing.
9. Test PEAP
The final step is to test the server. With Windows XP computer off, start the server in the debug mode by entering:
/usr/local/radius/sbin/run-radius -X -A
The server should start, displaying various debug information. If it displays "Ready to process requests", the server is running. This message is identical to the TLS start message. If you review the debug information, you will see additional messages as peap and mschapv2 start.
If you see the Ready message, start the Windows XP computer. As the client and server communicate, you will see various messages exchanged. If all is well, you should see the client authenticated and the user logged on. Again you will see the MS-MPPE-Recv-Key and the MS-MPPE-Send-Key.
If you review the debug messages, you will see the TLS tunnel being built. Once it is built, you will see verification that messages are passing through the tunnel. Finally, you will see the user authenticated.
Inscription à :
Articles (Atom)