Hack 44. Authenticate Wireless Users

Step up to using WPA Enterprise with FreeRADIUS for real user authentication and wireless security.

WPA is a big step up from WEP, security-wise. WPA's Pre-Shared Key mode (called WPA Personal, if you have an Apple AirPort) is handy and easy to set up. However, it allows only one key for all users. If you want to have different passwords for different users, or if you want real authentication, you'll need to use the full 802.11x-based WPA Enterprise protocol, and that means that you'll need a RADIUS server.

If you came here from "Control Wireless Access by MAC" [Hack #43], you've already got some fundamentals on how RADIUS works and where to configure it. If you haven't yet read that hack, now would be a good time to back up.

This hack is about setting up EAP/TTLS authentication via FreeRADIUS. EAP/TTLS isn't the only flavor of authentication protocol, but it is the easiest to set up and has the lowest per-client overhead. EAP/TLS is also good, but it requires each client to have its own certificate. EAP/PEAP is comparable to EAP/TTLS and is more commonly found in large enterprise networks.

FreeRADIUS is available at http://www.freeradius.org and is also available as a package in most flavors of Linux and BSD. Solaris and Mac OS X users will want to compile from source.

3.6.1. FreeRADIUS Configuration

As in "Control Wireless Access by MAC" [Hack #43], our example system configuration for FreeRADIUS is located in /etc/raddb. Again, the first requirement is to allow your access point to talk to the RADIUS server. This setup happens in the /etc/raddb/clients.conf file. Our sample configuration looks like this:

	client {
		secret = letmein
		shortname = travellingcircus

You'll also need an SSL certificate for the server. If you have a central place on the system for all of your various server certificates, you can place it there. If not, I recommend putting the certificate and private key in /etc/raddb/certs. If you don't already have a certificate, you can use the certs.sh script in the FreeRADIUS distribution to help you generate one.

Both the private key and the certificate should be in PEM format and can even be in the same file. The permissions on the private key are important; only the RADIUS server should be able to read it. If you run your RADIUS server as a non-root user (you should), just make sure that the RADIUS user owns the file and that its permissions are set to 400.

The /etc/raddb/eap.conf file that comes with the FreeRADIUS distribution might require only a little customization, or you can use the minimal version shown here. Either way, you'll need to set the location of the private key file and the certificate file. This configuration happens in the tls section, which should be inside the eap section:

	eap {
		default_eap_type = md5
		timer_expire = 60
		ignore_unknown_eap_types = no
		cisco_accounting_username_bug = no
		md5 {

		tls { 
			private_key_password = blah
			private_key_file = ${raddbdir}/certs/radius.pem
			certificate_file = ${raddbdir}/certs/radius.pem
			CA_file = ${raddbdir}/certs/cacert.pem
			dh_file = ${raddbdir}/certs/dh
			random_file = ${raddbdir}/certs/random
		ttls {
			default_eap_type = md5
			copy_request_to_tunnel = yes
			use_tunneled_reply = yes


		peap {
			copy_request_to_tunnel = yes
			use_tunneled_reply = yes
			default_eap_type = md5


The key pieces here you need to modify are here:

	private_key_file = ${raddbdir}/certs/radius.pem
	certificate_file = ${raddbdir}/certs/radius.pem

If your private key has a password, you can set that also:

	private_key_password = blah

Since that's pretty sensitive information, it should be protected in the same way as the private key filethat is, owned by the RADIUS user and chmod 400.

You'll also need to have a pointer to your Certificate Authority's certificate, which you can set like this:

	CA_file = ${raddbdir}/certs/cacert.pem

Lastly, in the TTLS section, make sure that both of these lines are set to yes:

	copy_request_to_tunnel = yes 
	use_tunneled_reply = yes

Otherwise, all of the attributes that the base station sends will not be available for use by the authentication module. In a basic setup, these settings might not be necessary. As you'll see later, the AP sends quite a lot of extra information that you can use to fine-tune permissions regarding who can access your network using which AP.

The only other configuration file that needs to be changed is /etc/raddb/radiusd.conf. In the modules section, make sure that the files module points to your users file:

	files {
			usersfile = ${confdir}/users
			compat = no


Next, make sure to include eap.conf:

	$INCLUDE ${confdir}/eap.conf

The authorize module should list both files and eap:

	authorize {


And finally, the authenticate module should list eap:

	authenticate {

That's it for setting up the configuration files. Now, you'll need to set up a user. This part isn't any different than setting up any other RADIUS user. At a minimum, you need to list a user password (User-Password) and an authentication type (Auth-Type). The Auth-Type should always be Local.

An entry in the users file looks like this:

	cloyce Auth-Type := Local, User-Password == "sushi"

This says that for user cloyce, the Auth-Type is Local and the password must be sushi; otherwise, the access request will be denied.

Now that the files are all set up, it's time to start radiusd with the -X flag to get debugging output. If all goes well, you'll see output at the bottom:

	Listening on authentication *:1812
	Listening on accounting *:1813
	Ready to process requests.


3.6.2. Access Point Configuration

Assuming that your RADIUS server started up, it's time to configure your AP. This section covers an Apple AirPort configuration, using the AirPort Admin Utility, as shown in Figure 3-7.

Click the Change Wireless Security… button and change the pull-down item at the top to WPA Enterprise. When that's done, the panel should change and have entries for a primary and secondary RADIUS server, as shown in Figure 3-8.

Note that WPA Enterprise is not compatible with using RADIUS for MAC addressbased access control, [Hack #43]. It's no loss, because WPA Enterprise provides for much finer-grained access control as well as authentication and encryption.

You must specify three pieces of information on this panel: the IP address of your RADIUS server, the port it's listening on, and the shared secret. The shared secret should match what you put in to the /etc/raddb/clients.conf file. The port number to use is the one that radiusd reported as its authentication port when you started in debug mode.

Figure 3-7. AirPort Admin Utility

Hit the Update button, wait for your AP to reboot, and then try to associate with it. Your client should prompt you for authentication of your username and password.

Here's some output from an access request that shows the attributes that the AirPort Express sends along with the username and password:

	rlm_eap_ttls: Session established. Proceeding to decode tunneled
	 TTLS: Got tunneled request
			User-Name = "cloyce"
			User-Password = "sushi"
			FreeRADIUS-Proxied-To =
	 TTLS: Sending tunneled request
			User-Name = "cloyce"
			User-Password = "sushi"
			FreeRADIUS-Proxied-To =
			Framed-MTU = 1466
			NAS-IP-Address =
			NAS-Identifier = "Travelling Circus"
			Service-Type = Framed-User
			NAS-Port = 255
			NAS-Port-Type = Ethernet
			NAS-Port-Id = "wl0"
			Called-Station-Id = "00-11-24-03-45-77"
			Calling-Station-Id = "00-30-65-24-e6-63"
			Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
	Processing the authorize section of radiusd.conf

Figure 3-8. WPA Enterprise with RADIUS

The AirPort Extreme sends similar attributes; if you don't have an AirPort base station, just generate a request through your access point and see what it sends to the RADIUS server. This particular snippet is from deep within the request. If you read the comments in eap.conf, you'll have seen that EAP/TTLS request is actually wrapped four times: RADIUS inside of EAP, inside of TLS, inside of Diameter, and inside of EAP. The attributes are printed each time the RADIUS server undoes another layer of wrapping. Look at the last instance to see exactly what's available to use for access control.

You can see my User-Name (cloyce) and my User-Password (sushi). Those are the only attributes that I supplied. Look at all the other stuff that the AP has added! Some of it isn't very useful, such as Framed-MTU, Service-Type, and NAS-Port. Other things, such as NAS-Identifier (the SNMP name you've assigned to the AP), Called-Station-Id (the MAC address of the AP's wireless interface), and Calling-Station-Id (the MAC address of the wireless device that I'm using to connect) can be useful. For example, if I want to make sure that I can use this AP only from my PowerBook, I just change my entry in the users file to this:

	cloyce Auth-Type := Local, User-Password == "sushi", Calling-Station-Id ==

If every user entry requires a match to a particular Calling-Station-Id, you've just effectively replicated the functionality of MAC addressbased access control, but with WPA Enterprise, you've also got authentication and encryption.

Cloyce Spradling

Bluetooth, Mobile Phones, and GPS

Network Discovery and Monitoring

Wireless Security

Hardware Hacks

Software Hacks

Do-It-Yourself Antennas

Wireless Network Design

Appendix A. Wireless Standards

Appendix B. Wireless Hardware Guide

Wireless Hacks
Wireless Hacks: Tips & Tools for Building, Extending, and Securing Your Network
ISBN: 0596101449
EAN: 2147483647
Year: 2004
Pages: 178

Similar book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net