Security in 802.11 WLANs
Academic year: 2021

In this exercise we will set up some features to make our WLAN more secure.

We will also use some WLAN tracking tools to show how much information someone can obtain from a WLAN.

Security Setup for WLAN 802.11

INTRODUCTION

This exercise shows some of the features you can use to make a WLAN secure. We assume that you have already completed the WLAN Management exercise.

[Figure: exercise network diagram. Labels as shown: PC vhb12; Radius Server 192.168.20.159; WLAN 802.11g Interface 192.168.20.101; Ethernet Interface 2 192.168.10.101; Ethernet Interface 1 to the Internet]

VHB24 is your exercise computer to which you are connected via the Windows Remote Console Interface.

The WLAN interface of the exercise computer is used to test the correct setup of the Access Point (Cisco AP1200).

The exercise computer also has two Ethernet interfaces, one connected to the Internet and the other to the Ethernet interface of the Access Point. This second Ethernet interface can be used to set up the Cisco AP1200 from scratch. The setup is done over the web interface of the Access Point.

This exercise computer (vhb24) is also used for other exercises. The exercises 4 (Management Setup) and 6 (QoS) are also done on vhb24.

Security Setup on the Access Point

Sections: Prerequisites, Connect a RADIUS server, Encryption Manager, Enable Authentication Methods

PREREQUISITES

We assume that the basic setup of the Access Point has already been done in the previous exercise.

If not, you can load a prepared setup from the file security-config.txt, which is located on the Desktop of the exercise computer. This file contains the complete setup from the previous "Management and Troubleshooting" exercise.

[Figure: exercise WLAN diagram. Labels: vhbWLAN24 192.168.20.0; PC vhb24 WLAN; Cisco AP1200 192.168.20.40]


In case you want to load the prepared basic setup, click on Durchsuchen (Browse) and select the file security-config.txt, which is located on the Desktop of the current user vhb.

Click on the RestartAP1200 shortcut on the Desktop, because the Restart button on the Access Point's web page does not work correctly.

CONNECT A RADIUS SERVER

Open the SECURITY folder and select Server Manager.


Enter the IP address of the RADIUS server in the Server field: 192.168.10.64

Enter the Shared Secret in the corresponding field: secret

Enter the ports in the corresponding fields:

Authentication Port: 1812

Accounting Port: 1813

Then click on Apply to activate the settings.

After that you should see the IP-Address of the RADIUS Server (192.168.10.64) in the Current Server List above.

The following explanation of this setup page is taken from the Access Point's help files.

This page enables you to enter the authentication settings. The RADIUS/TACACS+ server on your network uses EAP to provide authentication service for wireless client devices.

Backup RADIUS Server

Enter the host name or IP address of the access point acting as a local RADIUS server. Other access points on your wireless LAN use this backup authenticator when the main RADIUS server does not respond.

Shared Secret

Enter the shared secret used by your Local/Backup RADIUS server. The shared secret on the device must match the shared secret on the Local/Backup server.

Current Server List

Identifies the servers that are currently available.

Server

Enter the name or IP address of the server.

Shared Secret

Enter the shared secret used by your RADIUS/TACACS+ server. The shared secret on the device must match the shared secret on the RADIUS/TACACS+ server.

Authentication Port (optional)

Enter the port number your RADIUS/TACACS+ server uses for authentication.

The port setting for the Cisco RADIUS server (the Access Control Server [ACS]) is 1645, and the port setting for many RADIUS servers is 1812. Check your server's product documentation to find the correct port setting.

Accounting Port (optional)

Enter the port number your RADIUS server uses for accounting. The port setting for Cisco's RADIUS server (the Access Control Server [ACS]) is 1646, and the port setting for many RADIUS servers is 1813. Check your server's product documentation to find the correct accounting port setting.

EAP Authentication

Select the servers to be used for EAP authentication in order of desired priority.

MAC Authentication

Select the servers to be used for MAC authentication in order of desired priority.

Accounting

Select the servers to be used for Accounting in order of desired priority.

Admin Authentication (RADIUS)

Select the servers to be used for RADIUS admin authentication in order of desired priority.

Admin Authentication (TACACS+)

Select the servers to be used for TACACS Admin authentication in order of desired priority.


ENCRYPTION MANAGER

Open the SECURITY folder and select Encryption Manager.

Select Cipher and choose AES CCMP + TKIP + WEP 128. Later we want to use WEP and WPA Key Management.

Delete the Transmit Encryption Key by clearing the input field. This is important; otherwise you would get an error message in the next step.

Click on Apply.

The following explanation of this setup page is taken from the Access Point's help files.

You use Wired Equivalent Privacy (WEP) to encrypt radio signals sent by the device and decrypt radio signals received by the device. This page enables you to select authentication types for the access point.

Encryption Modes

Indicate whether clients should use data encryption when communicating with the device. The three options are:

None - The device communicates only with client devices that are not using WEP.

WEP Encryption - Choose Optional or Mandatory. If optional, client devices can communicate with this access point or bridge with or without WEP. If mandatory, client devices must use WEP when communicating with the access point. Devices not using WEP are not allowed to communicate. WEP (Wired Equivalent Privacy) is an 802.11 standard encryption algorithm originally designed to provide a level of privacy comparable to that experienced on a wired LAN. The standard defines WEP base keys of size 40 bits or 104 bits.

Cisco Compliant TKIP Features - Temporal Key Integrity Protocol (TKIP) is a suite of algorithms surrounding WEP, designed to achieve the best possible security on legacy hardware built to run WEP. TKIP adds four new enhancements to WEP:

1. A per-packet key mixing function, to defeat weak key attacks.

2. A new IV sequencing discipline to detect replay attacks.

3. A cryptographic message integrity check (MIC) to detect forgeries such as bit flipping and altering of packet source and destination.

4. An extension of IV space, to virtually eliminate the need for a re-key.

Enable Message Integrity Check (MIC) - MIC prevents attacks on encrypted packets called bit-flip attacks. During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC, implemented on both the access point and all associated client devices, adds a few bytes to each packet to make the packets tamper-proof. WEP Encryption must be set to Mandatory for MIC to be enabled.

Enable Per Packet Keying (PPK) - EAP authentication provides dynamic unicast WEP keys for client devices but uses static broadcast (multicast) keys. With broadcast, or multicast, WEP key rotation enabled, the access point provides a dynamic broadcast WEP key and changes it at the interval you select in the Broadcast Key Change Frequency field.

Broadcast key rotation is an excellent alternative to TKIP if your wireless LAN supports wireless client devices that are not Cisco devices or that cannot be upgraded to the latest firmware for Cisco client devices.

Cipher - Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication on your wireless LAN. You must use a cipher suite to enable Wi-Fi Protected Access (WPA) or Cisco Centralized Key Management (CCKM). Because cipher suites provide protection of communication while also allowing the use of authenticated key management, we recommend that you enable encryption using the encryption mode cipher command. Use the drop-down menu to choose among TKIP, CKIP, CMIC, and WEP. TKIP is the most secure, and WEP is the least secure cipher suite.

CKIP (Cisco Key Integrity Protocol) - Cisco's WEP key permutation technique, based on an early algorithm presented in the 802.11i security task group.

CMIC (Cisco Message Integrity Check) - CMIC is Cisco's message integrity check mechanism, designed to detect forgery attacks.

Transmit Key

Click Transmit Key and select the WEP key this device will use. Only one key can be selected at a time. All set keys can be used to receive data.

Note: The key that you select as the transmit key must also be entered in the same key slot on client devices that associate with the access point or bridge, but it does not have to be selected as the transmit key on the client devices.

Encryption Key (Hexadecimal) 1-4

Enter a WEP key in one of the Encryption Key fields. For 40-bit encryption, enter 10 hexadecimal digits; for 128-bit encryption, enter 26 hexadecimal digits.

Hexadecimal digits are a set of characters that includes numbers 0 through 9, lowercase letters a through f, and uppercase letters A through F. Your WEP keys can contain combinations of any of these characters. WEP keys are not case-sensitive.

You can enter up to four WEP keys. The key that you select as the transmit key must also be entered in the same key slot on client devices that associate with the access point or bridge, but it does not have to be selected as the transmit key on the client devices.

If you have four WEP keys configured and WEP key 2 is selected as the transmit key, WEP key 2 on the client device must contain the same contents. If WEP key 4 on the client device is set, but is not selected as the transmit key, WEP key 4 on the access point does not need to be set at all.

Key Size

Select 40-bit or 128-bit encryption for each key.

Broadcast Key Rotation Interval

Allows the access point to generate the best possible random group key and update all key-management capable stations periodically. Broadcast key rotation does not work for static WEP clients. This feature keeps the group key private to currently active members only. However, it may generate some overhead if clients in your network roam frequently.

WPA Group Key Update

Check the appropriate checkbox to determine how frequently the access point changes and distributes the group key to WPA-enabled client devices.

Enable Group Key Update on Membership Termination -

The access point generates and distributes a new group key when any authenticated station disassociates from the access point. This feature keeps the group key private to only currently active members. However, it may generate some overhead if clients in your network roam frequently. You should not enable this feature if clients roam frequently among access points.

Enable Group Key Update on Member's Capability Change -

The access point generates and distributes a dynamic group key when the last non-key management (static WEP) client disassociates, and it distributes the statically configured WEP key when the first non-key management (static WEP) client authenticates. In WPA migration mode, this feature significantly improves the security of the key management capable clients when there are no legacy clients associated to the access point.

ENABLE AUTHENTICATION METHODS


Select the SSID Manager folder.

Select vhbwlan24 in the Current SSID List.

Then scroll down the page to see the following information.

Check Open Authentication and choose with EAP. Check Network EAP and choose <NO ADDITION>.

Select Customize in the EAP Authentication Server settings and choose 192.168.10.64 as the highest-priority RADIUS server.

Scroll down a little bit until you see the following displayed.


Choose Key Management with Optional and check WPA. This enables WPA Key Management in addition to the other authentication methods.

Leave the other settings at their defaults.

Click on Apply to activate the settings. Depending on the setup, the Access Point may reboot, so wait one minute before continuing with the exercise.

The following explanation of this setup page is taken from the Access Point's help files.

Current SSID List

Enter the unique identifier that client devices use to associate with the access point. The SSID helps client devices distinguish between multiple wireless networks in the same vicinity. The SSID can be any alphanumeric, case-sensitive entry from 2 to 32 characters.

SSID

The service set identifier (SSID) - also called the radio SSID - is a unique identifier that clients use to associate with the radio. You can add up to 16 SSIDs.

Note: In this text field, the following six characters are not allowed: ?, ", $, [, \, ], and +. In addition, the following three characters cannot be the first character: !, #, and ;.

VLAN

A VLAN is a switched network that is logically segmented, by functions, project teams, or applications rather than on a physical or geographical basis. For example, all workstations and servers used by a particular workgroup team can be connected to the same VLAN regardless of their physical connections to the network or the fact that they might be intermingled with other teams.

Define VLANs

Click this link to move to the Services: VLAN page. If any configuration changes were not applied before clicking this link, those changes will be lost. On this page you set default VLANs and assign current VLANs and their ID and information.

For instance, enterprise customers can use different VLANs to segregate employee traffic from guest traffic, and further segregate those traffic groups from that of high-priority voice. Traffic to and from wireless clients with varying security capabilities can be segregated into VLANs with varying security policies.

Network ID

Specifies the Layer 3 mobility network identification number for the SSID.

Open Authentication

Choose Open Authentication by checking the check box. This enables any device to authenticate and then attempt to communicate with the access point. If the access point is using WEP and the other device is not, the other device does not attempt to authenticate. If the other device is using WEP but its WEP keys do not match the keys on the access point, the other device authenticates with the access point but does not pass data through it.

After you choose Open Authentication, you can select the additional method to use from the drop-down menu. The options in the drop-down are MAC authentication, EAP, MAC authentication and EAP, or MAC authentication or EAP. To fully enable EAP, EAP Authentication Servers must be set on this window or in the Server Manager window. To fully enable MAC Authentication, you must either enter the MAC address locally or select the Authentication Server Only option on the Advanced Security window. In the case of the Authentication Server Only option, MAC Authentication Servers must be set in this page or in the Server Manager page.

Note: Although an access point can use Open Authentication with the EAP method to authenticate a wireless client device, an access point cannot use EAP to authenticate another access point. In other words, access points must authenticate each other using either open, shared, or Network EAP authentication methods.

Shared Authentication

Choose shared authentication by checking the Shared Authentication check box.

The access point sends an unencrypted challenge string to any device attempting to communicate with the access point. The device requesting authentication encrypts the challenge text and sends it back to the access point. If the challenge text is encrypted correctly, the access point enables the requesting device to authenticate. Both the unencrypted challenge and the encrypted challenge can be monitored; however, this leaves the access point open to attack from an intruder who guesses the WEP key by comparing the unencrypted and encrypted text strings. Because of this weakness, shared key authentication can be less secure than open authentication. Only one SSID can use shared authentication.

After you choose Shared Authentication, you can select the method to use from the drop-down menu. The choices are MAC Authentication, EAP, or MAC Authentication and EAP.

Network EAP

Choose network EAP by checking the Network EAP check box. The device uses the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server on your network to provide authentication for wireless client devices. Client devices use dynamic WEP keys to authenticate to the network.

After you choose Network EAP, you can select MAC Authentication. To fully enable MAC authentication, you must either enter the MAC address locally or select the Authentication Server Only option on the Advanced Security window.

In the case of Authentication Server Only option, MAC Authentication Servers must be set in this window or in the Server Manager window.

EAP Authentication Servers must be set in this window or in the Server Manager window.

Server Priorities: Determine how you are going to use specific RADIUS servers on this SSID. In the EAP and MAC Authentication Server sections, you can choose to use the defaults or customize the priority by using the drop-down menu. If you click to enable the use of the defaults, click the Define Defaults link to move into the Server Manager window.

Authenticated Key Management

WPA and CCKM are the new authenticated key management solutions. Wi-Fi Protected Access (WPA) is the new interim solution from the Wireless Ethernet Compatibility Alliance (WECA). WPA, mostly synonymous with Simple Security Network (SSN), relies on the interim version of IEEE standard 802.11i. WPA supports the TKIP and WEP encryption algorithms as well as 802.1X and EAP for simple integration with existing authentication systems. WPA key management uses a combination of encryption methods to protect communication between client devices and the access point. Currently, WPA key management supports two mutually exclusive authenticated key management modes: WPA and WPA-PSK.

If authentication key management is WPA, the client and authentication server authenticate to each other using an EAP authentication method (such as EAP-TLS) and generate a Pairwise Master Key (PMK). If authentication key management is WPA-PSK, the pre-shared key is used directly as the PMK.
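To make the two cases concrete: in WPA-PSK the 256-bit pre-shared key that becomes the PMK is derived from the passphrase and the SSID (the 802.11i passphrase-to-PSK mapping, so the same passphrase yields a different PMK on vhbwlan24 than on another SSID), and in both modes the PMK is then expanded into the PTK with the nonces exchanged in the 4-way handshake. The Python below is an added example, not part of this exercise nor of Cisco's help text; it goes one step beyond the page by including the PTK expansion, and the MAC addresses and nonces in its main block are constructed values.

```python
import hashlib
import hmac
import math


def valid_passphrase(passphrase: str) -> bool:
    """802.11i requires 8..63 printable ASCII characters for a WPA passphrase."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations,
    256-bit output. For WPA-PSK this value is used directly as the PMK."""
    if not valid_passphrase(passphrase):
        raise ValueError("WPA passphrase must be 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range(math.ceil(nbytes / 20)):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               tkip: bool = True) -> dict:
    """Pairwise Transient Key from the PMK, the AP (AA) and station (SPA) MAC
    addresses and the two handshake nonces. Min/Max ordering makes the result
    independent of which side is listed first. TKIP needs 512 bits (KCK, KEK,
    TK and two Michael MIC keys); CCMP needs 384 (KCK, KEK, TK)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64 if tkip else 48)
    keys = {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if tkip:
        keys["AP_TX_MIC"], keys["AP_RX_MIC"] = ptk[48:56], ptk[56:64]
    return keys


if __name__ == "__main__":
    # constructed example values (not from the exercise network)
    pmk = wpa_psk("password", "IEEE")  # IEEE 802.11i reference test vector inputs
    aa = bytes.fromhex("001122334455")
    spa = bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    print("PMK:", pmk.hex())
    for name, value in derive_ptk(pmk, aa, spa, anonce, snonce).items():
        print(f"{name}: {value.hex()}")
```

The PMK is the secret that every WPA-PSK station shares; the per-session PTK differs per client and per association because of the nonces, which is why the PSK mode needs a strong passphrase while the EAP mode gets a fresh PMK from the authentication server.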

Using Cisco Centralized Key Management (CCKM), authenticated client devices can roam from one access point to another without any perceptible delay during reassociation. An access point on your network acts as a wireless domain service (WDS) and creates a cache of security credentials for CCKM-enabled client devices on the subnet. The WDS cache of credentials dramatically reduces the time required for reassociation when a CCKM-enabled client device roams to a new access point.

To enable CCKM for an SSID, you must configure network-EAP authentication.

To enable WPA for an SSID, you must also enable open authentication or network-EAP or both.

Note: Before you can enable CCKM or WPA, you must set the encryption mode for the SSID's VLAN to one of the cipher suite options.

Key Management

Use the drop-down menu to determine if you want key management to be mandatory or optional. You can select CCKM and WPA authentication key management at the same time for radio 802.11b or 802.11g. For radio 802.11a, only one key management can be selected.

WPA Pre-shared Key

To support client devices using static WEP keys and WPA key management, you must configure a pre-shared key on the access point. Enter the key and indicate whether it is represented as CCKM or WPA. For the 802.11b or g radio, you can select WPA and CCKM concurrently for your authentication key management.

Enable Accounting

Indicate whether you want this server to record usage data of clients associating with the access point. Some usage data may be used for billing or usage tracking.


Accounting Server Priorities

You can choose to use the defaults or customize the priority by using the drop-down menu. If you choose to enable the use of the defaults, click the Define Defaults link to move into the Server Manager screen.

Advertise Extended Capabilities of this SSID

This check box allows you to include the SSID name and capabilities in the Wireless Provisioning Service (WPS) information element.

Advertise Wireless Provisioning Services (WPS) Support

This check box allows you to enable the WPS capability flag in the WPS information element.

Advertise this SSID as a Secondary Broadcast SSID

This check box allows you to include the SSID name and capabilities in the WPS information element.

Enable IP Redirection on this SSID

When you configure IP redirection for an SSID, the access point redirects all packets sent from client devices associated to that SSID to a specific IP address.

You can redirect all packets from client devices associated using an SSID or redirect only packets directed to specific TCP or UDP ports. When you configure the access point to redirect only packets addressed to specific ports, the access point redirects those packets from clients using the SSID and drops all other packets from clients using the SSID.

IP Address

Enter the IP address of the destination for redirected packets.

IP Filter

After you enable IP redirection and enter the IP address, click Define Filter to move to the IP Filters page where you can specify the appropriate TCP or UDP ports for redirection. If you do not specify TCP or UDP ports, the access point redirects all packets that it receives from client devices.

Association Limit (optional)

The maximum number of clients that may associate to a particular SSID. This limit prevents access points from getting overloaded and helps to provide an adequate level of service to associated clients.

EAP Client (optional)

Username: Indicates the username used for Network EAP authentication when the repeater access point is associating with a parent access point or when a Hot Standby access point is associating with a monitored access point.

Password: Indicates the password used for Network EAP authentication when the repeater access point is associating with a parent access point or when a Hot Standby access point is associating with a monitored access point.

Note: The following six characters are not allowed in passwords: ?, ", $, [, and +.

Set Guest Mode SSID

Displays the SSID in plain text in the access point beacon messages (broadcast SSID). Setting guest mode enables clients without any SSID to associate to this access point; therefore, use caution when setting this parameter.

Set Infrastructure SSID

When the access point is in repeater mode, this SSID is used to associate with a parent access point.

Check the check box by the drop-down menu if you want to force infrastructure devices to associate only to this SSID.


Open the ASSOCIATION folder and see whether a client is Associated.

You can see that the client from the previous exercise (Management and Troubleshooting) is now in the Association Processing state. Because the new authentication settings have not yet been made on that client, it can no longer associate with the Access Point.

Open the EVENT LOG folder.

In the Event log you can see that the client failed to authenticate to the WLAN.

Security Setup on the Client

Sections: Installing Certificates, LEAP Security, EAP-TLS Security, PEAP (MSCHAPv2) Security, Using WPA Key Management

INSTALLING CERTIFICATES

ROOT CERTIFICATE

This part shows how to install a certificate, which you will use for EAP-TLS authentication in a later exercise.

Double click on the root certificate, which you can find on the desktop.


The Certificate Wizard starts and leads you through the installation process.

Click on Install Certificate!


Click on Next!

Select Place all certificates in the following store!

Click on Browse to select the desired Certificate Store: Trusted Root Certificate Authorities


Select the desired Certificate Store: Trusted Root Certificate Authorities and click OK.

Click on Finish.

Click on Yes.

Click on OK. The root certificate has now been installed successfully. Now you can continue to install the client certificate.

CLIENT CERTIFICATE

Double click on the client certificate, which you can find on the desktop.

The Certificate Wizard starts again helping you to install the selected client certificate.

Click on Next!

Enter the Password: wicnet

Click on Next!


Select Automatically select... and click on Next!

Click on Finish!

Click on OK! The installation of the client certificate was successful. The WICNET certificate can be used for later authentication.

LEAP SECURITY

Open the ACU utility.

Open the Profile Management folder.

Click on New...

Now you can create a new profile!

Enter Profile Name: LEAP.

Enter SSID1: vhbwlan24.

Open the Security folder.

Select 802.1x


Choose 802.1x EAP-Type: LEAP.

Click on Configure.

Select Use Temporary User Name...

Select Manually Prompt for LEAP...

Uncheck the two checkboxes in the bottom area of the window.

Click OK to close that window.

Open the Advanced folder.


Choose the Transmit Power Level: 10mW.

Choose the Power Save Mode: CAM.

Choose the Network Type: Infrastructure.

Select 802.11b Preamble: Short&Long.

Uncheck Wireless Mode 5GHz.

Click on OK to return back to the Profile Management folder

Select the newly created Profile LEAP and click on Activate.

You will be prompted to enter the LEAP username and password.

Enter the username: vhb with the password: wicnet. Leave the last field empty and click OK.

Open the Current Status folder to see whether the connection with the new profile works.

If it does not work, use Troubleshooting to see how the client joins the WLAN.

View the EVENT LOG on the Access Point. You should find there that the client has successfully authenticated. Otherwise you should find some error information there.

The ASSOCIATION list should also tell you that the client is successfully associated.

EAP-TLS SECURITY

Open the ACU utility.

Open the Profile Management folder.

Click on New...

Now you can create a new profile!

Enter Profile Name: TLS

Enter SSID1: vhbwlan24

Open the Security folder.

Select 802.1x

Choose 802.1x EAP-Type: EAP-TLS.

Click on Configure.

Choose the WICNET Server certificate which you have already installed on this exercise computer.

Click OK to close that window and then select the Advanced folder.


Choose the Transmit Power Level: 10mW.

Choose the Power Save Mode: CAM.

Choose the Network Type: Infrastructure.

Select 802.11b Preamble: Short&Long.

Uncheck Wireless Mode 5GHz.

Click on OK to return back to the Profile Management folder

Select the newly created Profile MSCHAPv2 and click on Activate.

Open the Current Status folder to see whether the connection with the new profile works.

If it does not work, use Troubleshooting to see how the client joins the WLAN.

PEAP (MSCHAPV2) SECURITY

Open the ACU utility.

Open the Profile Management folder.

Click on New...

Now you can create a new profile!

Enter Profile Name: MSCHAPv2

Enter SSID1: vhbwlan24

Open the Security folder.

Select 802.1x

Choose 802.1x EAP-Type: PEAP (EAP-MSCHAP V2).

Click on Configure.


Uncheck Use Machine Information ... in the first line.

Choose the WICNET Client certificate which you have already installed on this exercise computer.

Enter the username: vhb.

Enter the password: wicnet

Click OK to close that window and then select the Advanced folder.

Choose the Transmit Power Level: 10mW.

Choose the Power Save Mode: CAM.

Choose the Network Type: Infrastructure.

Select 802.11b Preamble: Short&Long.

Uncheck Wireless Mode 5GHz.

Click on OK to return back to the Profile Management folder


Select the newly created Profile MSCHAPv2 and click on Activate.

Open the Current Status folder to see whether the connection with the new profile works.

If it does not work, use Troubleshooting to see how the client joins the WLAN.

USING WPA KEY MANAGEMENT

It is possible to use WPA key management together with the 802.1x authentication methods from before. The setup is similar to the previous setup, except that you have to choose a WPA EAP Type instead of an 802.1x EAP Type. The following shows the setup of LEAP with WPA.

After that you should be able to configure EAP-TLS and PEAP (MSChapv2) with WPA by yourself!

Open the ACU utility.

Open the Profile Management folder.

Click on New...

Now you can create a new profile!

Enter Profile Name: WPA-LEAP.

Enter SSID1: vhbwlan24.

Open the Security folder.

Select WPA

Choose WPA EAP-Type: LEAP.

Click on Configure.


Select Use Temporary User Name...

Select Manually Prompt for LEAP...

Uncheck the two checkboxes in the bottom area of the window.

Click OK to close that window.

Open the Advanced folder.


Choose the Transmit Power Level: 10mW.

Choose the Power Save Mode: CAM.

Choose the Network Type: Infrastructure.

Select 802.11b Preamble: Short&Long.

Uncheck Wireless Mode 5GHz.

Click on OK to return back to the Profile Management folder

Select the newly created Profile WPA-LEAP and click on Activate.

You will be prompted to enter the LEAP username and password.

Enter the username: vhb with the password: wicnet. Leave the last field empty and click OK.

Open the Current Status folder to see whether the connection with the new profile works.

If it does not work, use Troubleshooting to see how the client joins the WLAN.

Create a profile with the name WPA-TLS which uses EAP-TLS and WPA.

Create a profile with the name WPA-PEAP which uses PEAP (MSCHAPv2) and WPA.

It has been tested before that both profiles work in this environment!

Installing a RADIUS Server

SETUP A RADIUS SERVER

The following describes how the internal RADIUS server is configured to work with the Cisco AP1200 Access Point supporting EAP authentication.

1. Changing the configuration of the RADIUS Server

The only files that were modified during the configuration of the RADIUS server were the following (you can find them in the etc/ directory of the installation; they should be included with this document):

openssl.conf
CA.all
CA.certs
clients.conf
eap.conf
users

2. Produce Certificates

Server and client certificates are needed for TLS and PEAP. To produce the required certificates, you can use CA.all that is included with FreeRADIUS. CA.all uses the configuration information in openssl.cnf.

a. openssl.cnf -- Update openssl.cnf for your configuration. The configuration file is located at:

/usr/local/openssl/ssl

A portion of the information from my openssl.cnf is given below. (The company information does not describe an actual company located in Brentwood, TN.) Note that the configuration information includes the password "whatever". It is the certificate password.

When CA.all executes, it uses this information three times. The first pass through this information produces the root certificates. If you set up your configuration as shown below, you will be able to accept all of the settings in the first pass. The second pass through this information produces the client certificates. You only need to change the commonName to the client name. For example change the commonName to WICNET. The third pass through this information produces the server certificates. You only need to change the commonName to the server name.

b. CA.all -- Update the CA.all script for your requirements. The file is located at:

/home/wicnet/Work/WICNET/freeradius-snapshot-20040203/scripts

Don't use the default password "whatever". Beyond that, you only need to verify that the path in the script points to the installed openssl information, for example:

echo "newreq.pem" | /usr/local/openssl/ssl/misc/CA.pl -newca

When CA.all executes, it produces nine certificates:

root.pem, root.p12, root.der

cert-clt.pem, cert-clt.p12, cert-clt.der

cert-srv.pem, cert-srv.p12, cert-srv.der

For TLS and PEAP, the server needs root.pem and cert-srv.pem. For TLS, the Windows XP client needs root.der and cert-clt.p12. For PEAP, the Windows XP client needs root.der. These files have been copied to the exercise computer and renamed to cert-root.der and cert-client.p12.

3. Configure Server for TLS

There are only a few changes and additions needed for TLS authentication. The clients.conf, users, and radiusd.conf are located at:

/usr/local/radius/etc/raddb

a. clients.conf -- This file contains the basic configuration for the Access Point. Look for the following line, then uncomment and modify it as appropriate:

#client 192.168.0.0/24 {

client 192.168.1.0/24 {
    secret = secret
    shortname = WICNET
}

b. users -- This file contains the basic user information. Look for the following line and then add the user name (for TLS only the name, see the note below):

#"John Doe" Auth-Type := Local, User-Password == "hello"
#
vhb

Note that for TLS, you should not include an Auth-Type or a password. The server is able to determine the correct Auth-Type, and a password is not needed because the client uses a client certificate for authentication.

c. eap.conf -- This file contains the server configuration information. Look for the following lines and then change the default_eap_type from md5 to tls:

eap {
    default_eap_type = md5

Change md5 to tls.

Move down to the following line, and then uncomment and modify the information, as shown below. Note that I placed the server certificates, dh file and random file in a new directory 1x on my system. Modify the path as needed for your server:

#tls {

tls {
    private_key_password = whatever
    private_key_file = /usr/local/radius/etc/certs/cert-srv.pem
    certificate_file = /usr/local/radius/etc/certs/cert-srv.pem
    CA_file = /usr/local/radius/etc/certs/root.pem
    dh_file = /usr/local/radius/etc/certs/dh
    random_file = /usr/local/radius/etc/certs/random
    fragment_size = 1024
    include_length = yes
}

No other changes are needed in radiusd.conf for TLS.

d. Server Certificates, DH File, and Random File -- Create the directory certs/raddb in the radius etc directory, then copy the server certificates (root.pem and cert-srv.pem) into it. You can use the following trick to produce dh and random:

date > dh
date > random

If you prefer, use your keyboard to enter some random characters in these files. Or even better, use the OpenSSL tools to produce the random information for these files.
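One way to prepare the certs directory with the OpenSSL tools, as the last sentence recommends, is the following added example (it is not part of the original exercise or of FreeRADIUS). It assumes the directory already holds root.pem and cert-srv.pem as referenced by the tls block above, that cert-srv.pem contains both the server certificate and its encrypted private key, and that the openssl binary is on PATH; the private-key password is passed as the second argument.

```shell
#!/bin/sh
# Added example, not part of the original exercise: produce dh and random with
# OpenSSL instead of "date > dh", and check the server certificate first.
# Assumed layout: DIR/root.pem and DIR/cert-srv.pem (certificate plus
# encrypted private key), as referenced by the tls {} block in eap.conf.

# check_radius_certs DIR KEYPASS
# Returns 0 when cert-srv.pem chains to root.pem and the private key in
# cert-srv.pem belongs to that certificate; KEYPASS is private_key_password.
check_radius_certs() {
    dir="$1"; keypass="$2"
    openssl verify -CAfile "$dir/root.pem" "$dir/cert-srv.pem" >/dev/null 2>&1 || return 1
    # Compare the public key inside the certificate with the one derived from
    # the private key; a mismatch makes radiusd fail when it sets up TLS.
    cert_pub=$(openssl x509 -in "$dir/cert-srv.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/cert-srv.pem" -passin "pass:$keypass" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_radius_dh_random DIR
# Writes DIR/dh (real Diffie-Hellman parameters) and DIR/random (1 KiB from
# the OpenSSL CSPRNG), both readable only by their owner.
make_radius_dh_random() {
    dir="$1"
    mkdir -p "$dir" || return 1
    # -dsaparam generates the parameters in seconds rather than minutes; they
    # are suitable for the ephemeral DH exchange radiusd uses the file for.
    openssl dhparam -dsaparam -out "$dir/dh" 2048 >/dev/null 2>&1 || return 1
    openssl rand -out "$dir/random" 1024 || return 1
    chmod 600 "$dir/dh" "$dir/random"
}

# Usage: sh prepare-certs.sh /usr/local/radius/etc/certs 'your-key-password'
if [ -n "$1" ]; then
    check_radius_certs "$1" "$2" && make_radius_dh_random "$1" && echo "$1 is ready"
fi
```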

e. Run-Radius -- The only server addition remaining is a wrapper script for radiusd, for example a new file run-radius in the /usr/local/radius/bin directory.

--- Wrapper Script ---

#!/bin/sh -x

# Make radiusd use the OpenSSL build installed under /usr/local/openssl
LD_LIBRARY_PATH=/usr/local/openssl/lib
LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so
export LD_LIBRARY_PATH LD_PRELOAD

# Pass all command-line options (for example -X -A) through to radiusd
/usr/local/radius/sbin/radiusd "$@"

---

After entering and saving the script, make run-radius executable:

chmod u=rwx run-radius

The server is complete.

4. Test TLS

The final step is to test the server. With the Windows XP computer off, start the server in debug mode by entering:

/usr/local/radius/sbin/run-radius -X -A

The server should start, displaying various debug information before it displays:

--- Example ---

Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.

Ready to process requests

---

If you don't see the message, look through the debug information for errors and missing information. If you see this message, start the Windows XP computer.

When Windows XP starts, you will see various messages and certificates exchanged between the client and the server. If all is well, you should see the client authenticated and the user logged on. The following partial example is from Document 3. It shows the last few lines of a successful authentication:

--- Example ---

...

MS-MPPE-Recv-Key = 0xe032765ca06c052e5fe7c2a7534a4252daec44a08505bdb459d4fa81e70390f2221d2b06071eb0625e0ba67452a890909662

MS-MPPE-Send-Key = 0xe03131ce085bc266127528e749bd4753d3e1702df2d4d8c080351380f52eae2c24a9fa78015c24e0d140bcd01b23d6c0cacc

EAP-Message = "\003_\000\004"

Message-Authenticator = 0x00000000000000000000000000000000

Finished request 5

Going to the next request

---

If you see MS-MPPE-Recv-Key and MS-MPPE-Send-Key, the server authenticated the client. You should be able to surf.
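The check described in the sentence above can be automated over saved debug output (for example from run-radius -X -A 2>&1 | tee radius.log): the following added example, which is not part of the exercise or of FreeRADIUS, reports per request whether both MS-MPPE keys and an EAP Success were seen. The sample log it carries is constructed in the layout of the example above, with made-up key values.

```shell
#!/bin/sh
# Added example, not part of the original exercise: decide from radiusd -X
# output which requests ended in a successful authentication.

# radius_auth_ok LOGFILE
# Prints one line per "Finished request N" and exits 0 only if at least one
# request carried MS-MPPE-Recv-Key, MS-MPPE-Send-Key and an EAP Success.
radius_auth_ok() {
    awk '
        /MS-MPPE-Recv-Key/ { recv = 1 }
        /MS-MPPE-Send-Key/ { send = 1 }
        # First octet of EAP-Message is the EAP code: 3 = Success, 4 = Failure
        /EAP-Message = "\\003/ { eap_ok = 1 }
        /^Finished request [0-9]+/ {
            if (recv && send && eap_ok) { print "request " $3 ": authenticated"; ok++ }
            else { print "request " $3 ": not authenticated" }
            recv = send = eap_ok = 0
        }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Constructed sample (not captured from the lab): request 5 succeeds, request 6
# is rejected with an EAP Failure and carries no MPPE keys. Keys are made up.
radius_sample_log() {
    cat <<'EOF'
Sending Access-Accept of id 231 to 192.168.20.40:1645
    MS-MPPE-Recv-Key = 0x0011223344556677889900112233445566778899
    MS-MPPE-Send-Key = 0x9988776655443322110099887766554433221100
    EAP-Message = "\003_\000\004"
    Message-Authenticator = 0x00000000000000000000000000000000
Finished request 5
Going to the next request
Sending Access-Reject of id 232 to 192.168.20.40:1645
    EAP-Message = "\004`\000\004"
    Message-Authenticator = 0x00000000000000000000000000000000
Finished request 6
Going to the next request
EOF
}

# Usage: radius_auth_ok radius.log
if [ -n "$1" ]; then radius_auth_ok "$1"; fi
```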

5. Change Server Configuration for PEAP

To change the server for PEAP authentication, only a few changes need to be made.

a. users -- Return to the users file and add the user password:

vhb User-Password == "wicnet"

b. eap.conf -- Return to the radiusd.conf file and make the following changes:

Change the default_eap_type from tls to peap:

eap {
    default_eap_type = peap

Move to the PEAP section below the TLS section and uncomment the following lines:

peap {
    default_eap_type = mschapv2
}

The server is now ready for PEAP authentication.

6. Test PEAP

The final step is to test the server. With the Windows XP computer off, start the server in debug mode by entering:

/usr/local/radius/sbin/run-radius -X -A

The server should start, displaying various debug information. If it displays "Ready to process requests", the server is running. This message is identical to the TLS start message. If you review the debug information, you will see additional messages as peap and mschapv2 start.

If you see the Ready message, start the Windows XP computer. As the client and server communicate, you will see various messages exchanged. If all is well, you should see the client authenticated and the user logged on. Again you will see the MS-MPPE-Recv-Key and the MS-MPPE-Send-Key.

If you review the debug messages, you will see the TLS tunnel being built. Once it is built, you will see verification that messages are passing through the tunnel. Finally, you will see the user authenticated.

Working with Cisco software (Leap) and how it coexists with Windows wireless software

The Cisco software should only be installed in order to be able to use LEAP as the authentication mechanism. Don't install Cisco PEAP, because it will break the Windows version, and the Cisco version does not work with FreeRADIUS.

I created 2 profiles in the Cisco software, one that used LEAP authentication and another set to TLS. For the latter, the Cisco software lets Windows do its authentication. That means that for PEAP MSCHAPv2 and EAP-TLS all the settings are done in the Windows configuration pages.

I tested LEAP using the profile LEAP from Cisco, then set up another profile which had TLS set, and then configured PEAP MSCHAPv2 and EAP-TLS from Windows.

Currently the RADIUS server is set up to support all three of these authentication methods.
