January 25, 2010 -
This one is a bit less complex than http://www.wains.be/index.php/2009/09/13/wpa2-freeradius-eap-tls/
This is actually the most basic RADIUS configuration ever, useful for quick tests. I can only recommend checking the post mentioned above if you want to do something serious.
# apt-get install freeradius
# vim /etc/freeradius/users
login Cleartext-Password := "password"
login2 Cleartext-Password := "password2"
#vim /etc/freeradius/clients.conf
client localhost {
ipaddr = 127.0.0.1
secret = radiuspassword
}
client router {
ipaddr = 10.0.0.1
secret = radiuspassword
}
# /etc/init.d/freeradius restart
Check if RADIUS is working :
# radtest login password localhost 1812 radiuspassword
Sending Access-Request of id 222 to 127.0.0.1 port 1812
User-Name = "login"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=222, length=20
# radtest login2 password2 localhost 1812 radiuspassword
Sending Access-Request of id 1 to 127.0.0.1 port 1812
User-Name = "login2"
User-Password = "password2"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=1, length=20
We expect Access-Accept from the server, not Access-Reject…
Configure your wireless access point :
Usually found under Security tab (or RADIUS, 802.1X, etc.)
Configure your device at 10.0.0.1 to authenticate against the Radius server with password radiuspassword.
Try to connect to your wireless access point using login and password.
September 13, 2009 -
Tested under Debian Lenny
BUILDING AND INSTALLING FREERADIUS WITH TLS SUPPORT
Install the necessary packages :
apt-get install dpkg-dev fakeroot
Download the source :
cd /root
mkdir freeradius-tls
cd freeradius-tls
apt-get source freeradius
Make the changes :
Edit /root/freeradius-tls/debian/rules :
and change
--with
by
--without
for eap_tls, eap_ttls, eap_peap and openssl
Just as :
--with-rlm_eap_tls \
--with-rlm_eap_ttls \
--with-rlm_eap_peap \
--without-rlm_eap_tnc \
--without-rlm_otp \
--with-rlm_sql_postgresql_lib_dir=`pg_config --libdir`\
--with-rlm_sql_postgresql_include_dir=`pg_config --includedir` \
--with-openssl \
--without-rlm_eap_ikev2 \
--without-rlm_sql_oracle \
--without-rlm_sql_unixodbc \
Then, comment the following :
for pkg in ${pkgs} ; do \
if dh_shlibdeps -p $$pkg -- -O 2>/dev/null | grep -q libssl; then \
echo "$$pkg links to openssl" ;\
exit 1 ;\
fi ;\
done
Edit /root/freeradius-tls/debian/control :
On the line beginning by “Build-Depends”
Add the folowing :
", libssl-dev"
at the end of the line (without the quotes)
Install dev libraries :
apt-get install libssl-dev debhelper libgdbm-dev libiodbc2-dev libkrb5-dev libldap2-dev libltdl3-dev libmysqlclient15-dev libpam0g-dev libpcap-dev libperl-dev libpq-dev libsasl2-dev libsnmp-dev python-dev
Build freeradius :
dpkg-buildpackage -rfakeroot
Building will end by a warning message, this is not important.
Put the packages on hold to avoid upgrading with a non-TLS version of FreeRADIUS :
echo “freeradius hold” | dpkg --set-selections
echo "libfreeradius2 hold" | dpkg --set-selections
echo "freeradius-common hold" | dpkg --set-selections
Install the packages we’ve just built :
dpkg --install freeradius-common_2.0.4+dfsg-6_all.deb libfreeradius2_2.0.4+dfsg-6_i386.deb
CERTIFICATES
Creating the CA
apt-get install openssl
Edit /etc/ssl/openssl.cnf
[ CA_default ]
dir = ./PKI
Edit /usr/lib/ssl/misc/CA.sh
CATOP=./PKI
Then type :
cd /etc/ssl
/usr/lib/ssl/misc/CA.sh -newca
Set a challenge password and a passphrase. This is needed.
The CA created will be copied to the server and clients later on.
Optional : if you have Windows XP clients
Create /etc/openssl/PKI/xpextensions
[xpclient_ext]
extendedKeyUsage=1.3.6.1.5.5.7.3.2
[xpserver_ext]
extendedKeyUsage=1.3.6.1.5.5.7.3.1
Server certificate signing request :
cd /etc/ssl
openssl req -new -nodes -keyout PKI/server_key.pem -out PKI/server_req.pem -days 730 -config openssl.cnf
Set a challenge password
Sign the server certificate request (if winxp clients) :
cd /etc/ssl
openssl ca -config openssl.cnf -policy policy_anything -out PKI/server_cert.pem -extensions xpserver_ext -extfile PKI/xpextensions -infiles PKI/server_req.pem
Mac clients :
openssl ca -config openssl.cnf -policy policy_anything -out PKI/server_cert.pem -infiles PKI/server_req.pem
Then :
cp server_cert.pem server_cert.pem-backup
Edit server_cert.pem
Remove everything before the line —–BEGIN CERTIFICATE—– (this is needed for winxp clients)
Next :
cat server_key.pem server_cert.pem > server_keycert.pem
Create a client certificate signing request :
cd /etc/ssl
openssl req -new -keyout PKI/client_key.pem -out PKI/client_req.pem -days 730 -config openssl.cnf
Sign client cert request :
cd /etc/ssl
Windows xp client :
openssl ca -config openssl.cnf -policy policy_anything -out PKI/client_cert.pem -extensions xpclient_ext -extfile PKI/xpextensions -infiles PKI/client_req.pem
Mac OS X client :
openssl ca -config openssl.cnf -policy policy_anything -out PKI/client_cert.pem -infiles PKI/client_req.pem
Export P12 certs (Windows and Mac clients ) :
openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts
FREERADIUS CONFIG
FreeRadius
Do :
cp /etc/ssl/PKI/cacert.pem /etc/freeradius/certs/cacert.pem
cp /etc/ssl/PKI/server_keycert.pem /etc/freeradius/certs/server_keycert.pem
Then :
cd /etc/freeradius/certs
openssl dhparam -check -text -5 512 -out dh
dd if=/dev/urandom of=random count=2
chown freerad dh
chmod o-w dh
Next :
cp /etc/freeradius/eap.conf /etc/freeradius/eap.conf-default
/etc/freeradius/eap.conf :
eap {
default_eap_type = tls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = whatever
private_key_file = ${certdir}/server_keycert.pem
certificate_file = ${certdir}/server_keycert.pem
CA_file = ${cadir}/cacert.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
fragment_size = 1024
include_length = yes
check_cert_cn = %{User-Name}
cipher_list = "DEFAULT"
}
}
Edit /etc/freeradius/clients.conf
We will consider the access-point that will authenticate users against the RADIUS server has the IP 192.168.7.45 :
client localhost {
ipaddr = 127.0.0.1
secret = testing123
require_message_authenticator = no
nastype = other # localhost isn't usually a NAS...
}
client 192.168.7.45 {
secret = suchasecurepassword
shortname = linksys
}
Start FreeRADIUS :
freeradius -X -f
Set up wifi access point for authentication against our new RADIUS server
It depends on your hardware here.
You must usually go under the security panel of your device, where you can specify the IP/hostname and port of the RADIUS server, and the password (in our example : suchasecurepassword)
Configure clients
This will be the subject of a separate post as I will try to publish the method for all majors OSes (Linux, Mac and Windows) but don’t have much time for now.
Stay tuned !
This post is a stripped down version of the following howto by my colleague Jérôme :
http://hanoteau.blogspot.com/2009/03/howto-setup-eap-tls-wpa-network-with.html
April 24, 2009 -
The following article has been tested on Debian Etch (server) and Debian Lenny and Mac OS X (clients).
I’m not gonna explain what dns2tcp is, just how to get it running in less than 30 minutes.
You need :
- a public server, reachable from anywhere, its UDP/53 port must be available (no DNS service running) and reachable (not filtered)
- a domain name or subdomain dedicated for dns2tcp
- a client computer, your laptop usually
- a “restricted” network (captive portal, firewalled network, paying hotspot)
Considerations :
dns2tcp server public IP : 1.2.3.4
dns2tcp domain : example.org
dns2tcp resources : SSH on TCP/22 at 1.2.3.4 (same machine as dns2tcp), SSH on TCP/22 at 4.3.2.1
DNS :
Create a NS record for the domain example.org pointing to IP 1.2.3.4, obviously you just can’t replace your current NS on your current domain 
The NS you specify is NOT a DNS server, it’s the dns2tcp server IP address ! This means that you won’t be able to host a website or anything else at example.org.
As a result and only if your control panel allows it or if you have CLI access to your DNS, I recommend using a subdomain of example.org, for example : dns2tcp.example.org.
This way you don’t reserve a whole domain name for the only dns2tcp application.
Hint : everyDNS allows to create NS records for subdomains. Not all control panels do.
Server :
Install dns2tcp on the machine (apt-get install dns2tcp on Debian)
Edit the file /etc/dns2tcpd.conf like this :
listen = 0.0.0.0
port = 53
user = nobody
chroot = /some/directory/
domain = example.org
ressources = ssh-home:127.0.0.1:22 , ssh-work:4.3.2.1:22
Start dns2tcp server with /etc/init.d/dns2tcp start
Client :
Don’t forget the client must already be installed on your computer when you are on the restricted network
Install it right now : apt-get install dns2tcp on Debian or build it through macports on Mac OS X.
Connect to the restricted network.
Run the command :
dns2tcpc -z example.org 4.2.2.4
If the system is working you should see :
Available connection(s) :
ssh-home
ssh-work
Run the full command now :
dns2tcpc -z example.org -l 8888 -r ssh-home 4.2.2.4
4.2.2.4 is the DNS that will relay the actual DNS requests.
If the network restricts the use of external DNS servers, check your /etc/resolv.conf to get the DNS servers on the local network.
Now dns2tcp will listen on port TCP/8888 and will give you access to the resource “ssh-home” through that port.
Now connect to your SSH server through dns2tcp on port TCP/8888 :
ssh user@localhost -p 8888 -D 1080
You should connect to your home server !
The -D 1080 option will create a SOCKS proxy on your local machine on port TCP/1080.
Now set up your browser or any other program (like Pidgin if you want to chat) to use the SOCKS proxy at address 127.0.0.1 and port 1080.
You can also set the systemwide parameter for SOCKS proxy from the preferences panel of your OS.
You should now be able to browse the internet.
You can store a config file on the client computer if you don’t want to type the command everytime.. this is the config corresponding to the command :
/home/USER/.dns2tcprc :
domain = example.org
ressource = ssh-home
local_port = 8888
server = 4.2.2.4
This way, you just need to run dns2tcpc without argument.
If you store the config file somewhere else, run dns2tcpc -f /where/the/config/resides/dns2tcp.conf
Please note :
Your traffic is encapsulated inside small DNS packets (some firewalls can drop unusually large DNS packets), is encrypted because of SSH, etc.
This adds overhead, which makes browsing the web a bit slow but still convenient.
I’ve been able to reach 25 KB/s down and 20 KB/s BUT I haven’t been able to transfer large files though, it was taking forever to attach a 3 MB pictures to a mail in Gmail (wifi + UDP + small packets is a terrible mix)
A good idea is to use mobile versions of websites, they load faster.
To give you an idea, it can take up to a minute to display maps on Google Maps.
Since you are going through the SOCKS proxy created by the SSH connection, your traffic is encrypted and wifi users can’t snoop on you.
Obviously you can define anything as a resource in dns2tcp, for example you can point to a public web proxy but your traffic wouldn’t be encrypted !
The owner of the restricted network may notice unusually high DNS traffic while you are surfing (especially if you’re the only person using the wifi network in the hotel).
August 18, 2007 -
I was not able to get the bridging network mode working for my virtual machines under VMWare Server.
Then, I figured out I was using the eth1 interface (the wireless interface), while the bridge mode was probably bound to eth0 (wire interface).
This is how to fix the issue :
$ sudo vmware-config-network.pl
Would you like to skip networking setup and keep your old settings as they are?
(yes/no) [yes] no
Do you want networking for your virtual machines? (yes/no/help) [yes] yes
Would you prefer to modify your existing networking configuration using the
wizard or the editor? (wizard/editor/help) [wizard] w
The following bridged networks have been defined:
. vmnet0 is bridged to eth0
Do you wish to configure another bridged network? (yes/no) [no] yes
Configuring a bridged network for vmnet2.
Your computer has multiple ethernet network interfaces available: eth1, vmnet1,
vmnet8. Which one do you want to bridge to vmnet2? [eth0] eth1
The following bridged networks have been defined:
. vmnet0 is bridged to eth0
. vmnet2 is bridged to eth1
Voilà, now set up your virtual machine to use vmnet2 as networking device, the virtual machine will now be a part of your LAN.
July 13, 2007 -
From : original link
By default, if your wireless network is secured by WPA or such, you have to save the info in your keyring manager, which is protected by a password.
I personally have the same password for my Ubuntu session but also for the keyring manager.
Whenever I log in, I have to authenticate with my user and password, then Gnome tries to connect to my wireless network and prompts me to unlock the keyring. This is tedious since I have the same password for both the session and keyring manager.
Now, you can avoid having to unlock the keyring, read on…
March 5, 2006 -
According to http://www.wains.be/?p=25, it was quite a pain to get the orinoco drivers with scan and monitor capabilities..
November 5, 2005 -
I installed a fresh copy of Ubuntu Breezy on my laptop
I had to recompile the orinoco drivers to get the monitoring capabilities of the card…
June 17, 2005 -
When inserting my Orinoco card into my laptop, dmesg was telling my card was able to do WEP 128 bits. After several failed attempts, I went with WEP 64 bits that worked fine.
-
Since this article, I switched my laptop to CentOS 4
My Orinoco experiences under CentOS are available at : http://www.wains.be/?p=68
MONITOR MODE ONLY
I’ve been using the default ubuntu drivers for my orinoco card for a while.
I used a patch available on kismet website to get monitor capabilities.
