Paranoid Penguin - Securing Your WLAN with WPA and FreeRADIUS, Part II
Last month, I described the new wireless LAN security protocol, Wi-Fi Protected Access (WPA). I showed how it adds strong and flexible authentication, plus dynamic encryption-key negotiation, to the otherwise-insecure WEP protocol. I also showed how WPA's component protocols, including 802.1x, the various flavors of EAP and RADIUS, interrelate. In this month's column I start to show how to create your own authentication server for WPA and other 802.1x scenarios, using FreeRADIUS and OpenSSL.
WPA, you may recall, is more modular than WEP. Whereas authentication and encryption in WEP both are achieved through a shared secret used by all wireless clients, authentication in WPA normally is achieved by using the 802.1x protocol. The pre-shared key (PSK) mode, which works more like WEP, also is an option. With WPA, unique encryption keys for each client are generated dynamically and refreshed periodically by the access point.
802.1x is a flexible authentication protocol that depends on the Extensible Authentication Protocol (EAP). Many different flavors of EAP, including EAP-TLS and PEAP, are supported in WPA-enabled products. If you choose to skip 802.1x and deploy WPA in the much simpler PSK mode, which gives you dynamic encryption key generation but exposes authentication credentials by transmitting them in clear text, all you need to do is configure your access point and wireless clients with the same pre-shared key.
If, however, you want to use WPA to its full potential by employing the much-stronger authentication mechanisms in 802.1x, you need a RADIUS server. Commercial tools are available for this work, such as Funk Software's Steel Belted RADIUS. But if you prefer a free and open-source RADIUS application, FreeRADIUS supports all major flavors of EAP and is both stable and secure. Here's how you can put it to work.
Naturally, I don't have enough space to describe all possible uses of FreeRADIUS with 802.1x or even specifically with wireless scenarios. Therefore, let's start with a description of an example usage scenario that subsequent procedures can implement.
The most important choice to make when implementing WPA is which flavor of EAP to use. This is limited not only by what your RADIUS server software supports but also by your client platforms. Your wireless access point, interestingly, is EAP-agnostic—assuming it supports 802.1x and/or WPA in the first place. It simply passes EAP traffic from clients to servers, without requiring explicit support for any particular EAP subtype.
What your client platform supports is a function both of your client operating system and of its wireless hardware. For example, a Microsoft Windows XP system with an Intel Pro/2100 (Centrino) chipset supports EAP-TLS and PEAP, but EAP-TTLS isn't an option. But if you run Linux with wpa_supplicant (see the on-line Resources), you have a much wider range of choices available.
In our example scenario, I cover EAP-TLS. EAP-TLS requires client certificates, which in turn requires you to set up a certificate authority (CA). But there are several good reasons to use EAP-TLS. First, EAP-TLS is supported widely. Second, TLS (X.509 certificate) authentication provides strong security. Third, it really doesn't require that much work to use OpenSSL to create your own CA.
Our example scenario, therefore, involves Windows XP clients using EAP-TLS to connect to a WPA-enabled access point. The access point, in turn, is configured to authenticate off of a FreeRADIUS 1.0.1 server running Linux.
SuSE 9.2, Fedora Core 3 and Red Hat Enterprise Linux each has its own FreeRADIUS RPM package, called freeradius. Debian Sarge (Debian-testing) has a DEB package by the same name. With Red Hat, Fedora and Debian-testing, additional packages are available if you want to use a MySQL authentication database. In addition, Debian-testing has a few other features broken out into still more packages. With all four distributions, however, the only package you should need for 802.1x authentication is the base freeradius package. If your favorite Linux distribution doesn't have its own FreeRADIUS package, or if it does but not a recent enough version to meet your needs, you can download the latest FreeRADIUS source code from the Web site (see Resources).
Compiling FreeRADIUS is simple: it's the common ./configure && make && make install routine. If you're new to the compiling game, see the source distribution's INSTALL file for more detailed instructions. You should execute the configure and make commands as some nonroot user and execute only make install as root.
Notice that, by default, the configure script installs FreeRADIUS into subdirectories of /usr/local. Because the Makefile has no uninstall action, I recommend leaving this setting unchanged, as it simplifies removing FreeRADIUS later, should that become necessary.
|Designing Electronics with Linux||May 22, 2013|
|Dynamic DNS—an Object Lesson in Problem Solving||May 21, 2013|
|Using Salt Stack and Vagrant for Drupal Development||May 20, 2013|
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
- RSS Feeds
- Dynamic DNS—an Object Lesson in Problem Solving
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Designing Electronics with Linux
- Using Salt Stack and Vagrant for Drupal Development
- New Products
- A Topic for Discussion - Open Source Feature-Richness?
- Drupal Is a Framework: Why Everyone Needs to Understand This
- Validate an E-Mail Address with PHP, the Right Way
- What's the tweeting protocol?
- Kernel Problem
4 hours 42 min ago
- BASH script to log IPs on public web server
9 hours 9 min ago
12 hours 45 min ago
- Reply to comment | Linux Journal
13 hours 17 min ago
- All the articles you talked
15 hours 41 min ago
- All the articles you talked
15 hours 44 min ago
- All the articles you talked
15 hours 45 min ago
20 hours 10 min ago
- Keeping track of IP address
22 hours 1 min ago
- Roll your own dynamic dns
1 day 3 hours ago
Enter to Win an Adafruit Pi Cobbler Breakout Kit for Raspberry Pi
It's Raspberry Pi month at Linux Journal. Each week in May, Adafruit will be giving away a Pi-related prize to a lucky, randomly drawn LJ reader. Winners will be announced weekly.
Fill out the fields below to enter to win this week's prize-- a Pi Cobbler Breakout Kit for Raspberry Pi.
Congratulations to our winners so far:
- 5-8-13, Pi Starter Pack: Jack Davis
- 5-15-13, Pi Model B 512MB RAM: Patrick Dunn
- 5-21-13, Prototyping Pi Plate Kit: Philip Kirby
- Next winner announced on 5-27-13!
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?