Aug 01

Ampliem ePineda…

Reading time: 1 – 2 minutes

Gràcies al curro del Toni, el Jordi i el Xavi. Aquest últim el nostre nou usuari a la xarxa sense fils de Torrelavit. Ampliem infraestructura a la part de la xarxa de la Pineda. Concretament ara ho fem a la Pineda vella, o sigui, que ja tenim les dues pinedes cobertes amb aquesta nova incorporació. Al blog del Toni, podeu veure una post d’aquesta notícia.

antenamadro.jpg

El nou mapa de la xarxa de Torrelavit queda així:

May 29

Unim eBosc i ePineda (quasi 1km)

Reading time: 2 – 3 minutes

Segur que ja esteu al corrent de que eBosc esta més viu que mai, això ho hem confirmat aquest cap de setmana unint-lo amb ePineda. Em fet un enllaç estable de quasi 1km (998m) entre la casa del Jordi (carrer del Bosc) i la del Toni (carrer Canigo, a la pineda). Aquí podeu veure el Toni col·locant aquest ’empalme’ al màstil de l’antena de TV per tenir de forma definitiva l’antena directiva (14dB) que enllaça amb l’omnidireccional (7dB) de casa del Jordi:

Realment en Toni s’ho ha currant fent fins hi tot un PoE casolà:

poe.jpg

Com no, una foto aerea del poble on es veu per sobre d’on està passant l’enllaç. Realment una passada,no?

També aprofito el post per comentar-vos que ja he instal·lat una nova placa base al meu servidor i de la xarxa eBosc+ePineda. Amb això espero solucionar definitivament els problemes que porto arrossegant amb aquest tema. Ara hi ha un PIV Centrino a 2,4GHz amb quasi 1Gb de RAM i +500Gb d’HD. Gràcies Byteman pel material, quan es té pressupost reduit val la pena tenir amics que t’ajudin a solucionar problemes d’aquests. A més també l’hi he instal·lat la targeta FXO per l’Asterisk tot i que encara no l’he configurat però això és qüestió de dies ;). Com podeu veure aquest cap de setmana n’hem fet molta de feina i a més encara ens ha sobrat temps per ser sociables…

Apr 19

Proves de cobertura per Torrelavit

Reading time: 1 – 2 minutes

Ahir varem estar fent proves de cobertura per diferents punts del poble per una possible amplicació de la xarxa eBosc a tot Torrelavit. Concretament estan pendents de connectar-se a la xarxa 6 persones més. Així ja seriem unes 13 famílies connectades.

Perquè us feu una idea de que significa això sobre el terreny:

Les proves les varem fer el Jordi i jo, però quan estabem provant la cobertura des de dalt de la creu (a pendre pel sac de casa meva, però amb visió directa) ens varem trobar al Xavi que se’ns va afegir una estoneta:

Les proves tot un èxit, varem encarar malament les antenes de casa meva, ja que no sabiem exactament on queien els punts on fariem les proves. Però malgrat això arribabem amb senyals de -84dB (aprox) o sigui, que si encarem bé les antenes és fàcil aconsegui un -70dB i algo millor fins hi tot. Ja que entre les antenes hi ha visió directa.

Apr 15

Versió en anglès

Reading time: < 1 minute

Fa temps vaig escriure un article titulat:

Xarxa Wifi Segura: freeRadius + WRT54G = 802.1x (WPA-radius EAP/TLS)

i vaig començar a observar que després de que google l’indexes no paraben d’arribar un munt de visites a l’article, concretament des de gener fins ara n’ha tingut més de 2000. Així doncs li vaig demanar al Carles que me’l traduís a l’anglès ja que entenia que la majoria d’aquestes visites ni idea de català així doncs, com podeu veure acabo de penjar la versió en anglès del mateix, gentilesa del carles. GRÀCIES NANO!!!

Secure wi-fi Net : freeRadius + WRT54G = 802.1x (WPA-radius EAP/TLS)

Apr 15

Secure wi-fi Net : freeRadius + WRT54G = 802.1x (WPA-radius EAP/TLS)

Reading time: 8 – 12 minutes

wifi.gif

I wanted to make a high level secure WI-FI network, not like is
been made now with WEP and other foolishness. Then I installed a
FreeRadius server to work with a Linksys
WRT54G. The basic idea is to install a HyperWRT to the WRT54G
(Pof’d advice). After I configure it as WPA-Radius to the firewall were
I installed Freeradius. This
last step is optional because standard WRT54G firmware supports
WPA-Radius.

Network diagram; pay attention at the firewall and AP, the rest it
is not important:

wpa-eaptls.gif

To configure everything I just follow the instructions from the 802.1x HOWTO.
Anyway I made a small guide:

  • Install Freeradius in the firewall: emerge freeradius
  • Configure Freeradius to work with EAP/TLS
  • Generate certificates
  • Check freeradius works propertly
  • Configure the AP (Linksys WRT54G)
  • Configure Windows XP with SP2 clients
  • Configure Linux clients

The configuration files I used for freeradius are the next ones:

  • /etc/raddb/radiusd.conf:
    General Radius configuration file, we must define auth systems and
    others to use. There are a lot of parts I haven’t used so I left it as
    was coming. I want to thank Pof’s help on borrowing me his
    configuration files in order to configure mines.
  • /etc/raddb/clients.conf:
    IPs and network systems that can be radius clients; in our case the AP
    (172.16.1.253).

Although the radius power, documentation and lack of time to
experiment gives you this, but if someone can do it better I would
apreciate to know it.

For the generation of certificates the idea is to made them from a
certified entity, but this only happens in films and big companies.
Let’s take OpenSSL and do our work.
If you still haven’t got it, you know: emerge openssl. Sure enough we
aren’t good at PKI and other similar things, then it is better to learn
using freeradius and openssl scripts, because with some modifications
we can create certificates to work with our secure wi-fi networks.

As I was saying wea re going to use the freeradius and openssl
scripts to generate certifieds, then first of all let’s go to the
freeradius folder were we can find a folder called “scripts” with:
CA.certs, certs.sh and xpextensions. I recomend checking order
locations inside scripts because I had problems with this. If you are
lazy to look at the files, you can check mine in this small package: certs.tar.gz
this files are modified to work from the same folder we are working in,
I recomend creating a new and empty folder. Once we have identified the
files, we must have in PATH the script CA.pl, that is a perl script,
but not many times is copied to the PATH so I copied to /usr/bin and I
deleted it after generating the certifieds. I also included the file in
the package, if you are lazy…

Once we have all things in a folder ready to work we can edit
CA.certs to include our information to the variables at the begining of
the file. There is no need to change more variables, it is done
automaticly. Don’t forget the password because we will need it when
configuring the server and the clients.

To generate the certifications just:

# ./certs.sh

and the output will be something like that:

Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
........................+......................................................+...........+................................+..........+.......................+...+...........................................+...............................+............+..............+.................................+.......+..+.................................................+....+....................+.........................................+..+......+................................................+........+.....+...............+...........+.+..................+...........+..................................................+............+......+.+.................+.+.........................+....+................+....+....+.....+.........................+............+......+.+..........................................................+..+...........................................+.........................+.............................+..................................................+...+...++*++*++*++*++*++*
See the 'certs' directory for the certificates.
The 'certs' directory should be copied to .../etc/raddb/
All passwords have been set to 'whatever'

Don’t care about the messages, just in case any error happen. Now
you’ll have a new folder inside the folder were you are, called certs
and inside can find all the certifications for the server and the
client. I recomend coppying the contents from ./certs to
/etc/raddb/certs then you’ll not have to change the configuration files
I give you.

The most important thing now is checking the configuration files I
gave you first and check that the radius server starts without
problems, that unfortunately never happens. About the radiusd.conf I
don’t think you might have lots of problems, just check that paths to
the certifications are the correct ones you just have created. Also
check the parameter: private_key_password = whatever.
Change ‘whatever’ for your password, the one you have used for the
variable PASSWORD inside the CA.certs file. If you don’ do that, once
you start the daemon with radiusd -X you will be
asked for a key used to symetricaly crypt the files with a private key,
as is the password I am talking about. If you don’t do that when /etc/init.d/radiusd
start
you’ll have an error because the server would not use
the keys to access the certifications.

Just do : radiusd -X and if you get the next
output:

Ready to process requests.

everything works fine. Just do CRTL+C and start the Gentoo daemon (/etc/init.d/radiusd
start
)
or just leave it like it as it is in a terminal client then you can see
the logs been generated in order to check if everything works ok. If
you want to check the history logs while the daemon is on, just find
them at /var/log/radius/. The start daemon logs are
in startup.log and the connection ones in radius.log.
To see the log in real time just do: tail
-f /var/log/raddb/radius.log

Before configuring the users you need to configure the AP as
radius client. You can configure the AP as you want but I configured it
as a router between two networks; the user’s network with DHCP
(192.168.2.0/24) and the called Internet by the AP (172.16.1.253). I
like configuring this way the network; a cable that is going to the
firewall where can comunicate with the freeRadius. For example; the
firewall interface with IP 172.16.1.254 and the ‘Internet’ interface
from the WRT54G with IP 172.16.1.253. Then you need to make sure that
the IP is allowed  to work with radius editing file /etc/raddb/clients.conf
like in the next example:

client 172.16.1.253/32 {
secret = SharedSecret99
shortname = localhost
}

See that here appears another password, this ‘pre-shared
key’ is used by the WPA-client (WRT54G) and the radius server
(freeRadius) to crypt their communications. Then you have to make sure
this key is inserted in the AP configuration. Here I am attaching a
screenshot of how the AP wireless security configuration must be to
work with radius server:

wpa-radius.jpg

For the configuration of the Windows client first of all you have
to check if the wifi network card has the correct firmware to work with
WPA with EAP/TLS. If you don’t know it, just use the next manual of how
to configure a WXP and if you cannot find the options I show it is that
your card isnt’ valid. I just tryed in a WXP SP2, for all the rest, I
don’t know.

I made a PDF file with lots of screenshots to easy configure the
WXP client. You have to install two certification files; root.der
and root.p12. You should create them before and can
be find at /etc/raddb/certs.
I recomend you copying this files into a pendrive and use it for all
clients.

How
to install the EAP/TLS clients with Windows XP SP2
in PDF format.
This document is based in: HOWTO:
EAP//TLS Setup for FreeRADIIUS and Wiindows XP Supplliicant
in PDF
format too.

About Linux configuration; I haven’t tryed yet because my PCMCIA
wifi card firmware is old. But I am going to try the card integrated in
my laptop that works with ndiswrapper or linuxant Linux drivers, both
of them prepared to use wap_suplicant, necessary for the WPA/TLS
authentication in a Linux box.  When I get to the point don’t
worry, I’ll tell you. Don’t want to work much with Windows, I got
nervous at work seing that kaos.

I attach you some references I used to help me:

  • 8021X-HOWTO

    This document describes the software and procedures to set up and use
    IEEE 802.1X Port-Based Network Access Control using Xsupplicant as
    Supplicant with FreeRADIUS as a back-end Authentication Server.
  • FreeRADIUS/WinXP
    Authentication Setup
    – This post describes how to build a
    FreeRADIUS server for TLS and PEAP authentication, and how to configure
    the Windows XP clients (supplicants). The server is configured for a
    home (or test) network.
  • HOWTO on
    EAP/TLS authentication between FreeRADIUS and XSupplicant
    – This
    document describes how to setup strong cryptographic authentication
    between XSupplicant and FreeRADIUS. This is accomplished using part of
    802.1x authentication for wireless network. In particular it uses
    EAP/TLS extension, and TLS handshake.

I pretend this helps as much people as possible. Thank you for
your patience.