Child pages
  • 802.1X secured wifi installation

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
root@debian9-base:~# cat /etc/dnsmasq.conf | grep -v "^#" | grep -v "^$"
strict-order
interface=enp0s8
expand-hosts
domain=test.av
log-queries
log-facility=/var/log/dnsmasq
 
root@debian9-base:~# cat /etc/logrotate.d/dnsmasq
/var/log/dnsmasq
{
	rotate 730
	daily
	nomissingok	
	notifempty
	delaycompress
	compress
	dateext
	postrotate
		reload rsyslog >/dev/null 2>&1 || true
	endscript
}
 
root@debian9-base:~# cat /etc/hostname
debian9-base.test.av
 
root@debian9-base:~# cat /etc/hosts
127.0.0.1	localhost

192.168.9.1	test.av
192.168.9.1	server.test.av	server

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

 

New stuff

Shorewall

Added Add to /etc/shorewall/hosts:

Code Block
wifi1 enp0s8:dynamic


Modified Modify /etc/shorewall/policy:

Code Block
# Just after: wifi		all		REJECT
# Added:
wifi1		net		ACCEPT		INFO
wifi1		$FW		ACCEPT		INFO(uid)
$FW		wifi1		ACCEPT		INFO(uid)
# Before: net		all		DROP		INFO


Added Add to /etc/shorewall/zones:

Code Block
....
wifi1:wifi ipv4 dynamic_shared

...

Code Block
SAVE_IPSETS=Yes

FreeRADIUS

packages: freeradius

Code Block
apt-get install freeradius

 

Modified Modify /etc/freeradius/3.0/mods-available/eap:

commented comment the following:

Code Block
....
#       md5 {
#       }
....
#       leap {
#       }
....
#       gtc {
#               #  The default challenge, which many clients
#               #  ignore..
#               #challenge = "Password: "
#
#               #  The plain-text response which comes back
#               #  is put into a User-Password attribute,
#               #  and passed to another module for
#       	#  authentication.  This allows the EAP-GTC
#               #  response to be checked against plain-text,
#               #  or crypt'd passwords.
#               #
#               #  If you say "Local" instead of "PAP", then
#       	#  the module will look for a User-Password
#               #  configured for the request, and do the
#               #  authentication itself.
#               #
#               auth_type = PAP
#       }
....
#       tls {
#               # Point to the common TLS configuration
#               tls = tls-common
#
#       	#
#               # As part of checking a client certificate, the EAP-TLS
#               # sets some attributes such as TLS-Client-Cert-CN. This
#               # virtual server has access to these attributes, and can
#               # be used to accept or reject the request.
#       	#
#       #       virtual_server = check-eap-tls
#       }
....

modified modify the 'default_eap_type' directive under section 'eap' to be:

...

Uncomment the following line in the 'authorize' section, and added add it at the end of the 'post-auth' section:

...

Code Block
client test1 { # Replace test1 with a name for the router
       ipaddr = 192.168.9.2 # Replace with IP of the router
       secret = password # Replace with an actual password
}

logrotate config '@@@'

Certificates

as freerad?

Modified Modify /etc/freeradius/3.0/certs/ca.cnf, set the following settings:

Code Block
...
[ req ]
...
input_password	= password # Replace with an actual password
output_password	= password # Replace with an actual password
...

[certificate_authority]
countryName	= IN
stateOrProvinceName	= Tamil Nadu
localityName	= Auroville
organizationName	= Test
emailAddress	= admin@test.av
commonName	= "Test Certificate Authority"
...

Modified Modify /etc/freeradius/3.0/certs/server.cnf, set the following settings:

...

In the authorize section, comment it out.

 

add to few places "@@@" review

Python module / script_launcher.py script

...

Modify /etc/freeradius/3.0/mods-available/eap, modified  modify the 'copy_request_to_tunnel' directive under both sections 'peap' and 'ttls' to be:

...

Place the script_launcher.py script at /etc/freeradius/3.0/mods-config/python/script_launcher.py

sudo

packages: sudo 

Code Block
apt-get install sudo

Created Create /etc/sudoers.d/shwl_add, permissions 640 root:root, with:

...

shwl_add / shwl_del scripts

 packages: arp-scan

Code Block
apt-get install arp-scan
# Install the scripts in /usr/local/sbin/, and configure settings in each of them
chown root:freerad /usr/local/sbin/shwl_*
chmod 750 /usr/local/sbin/shwl_*
mkdir /var/local/shwl_add
chown freerad:freerad /var/local/shwl_add
chmod 700 /var/local/shwl_add
chmod a-s /var/local/shwl_add

...

Add the following line at the end of /etc/pam.d/common-auth or as may be appropriate to the PAM configuration of the system:

Code Block
title/etc/pam.d/common-auth
...
auth	required                        pam_script.so onerr=fail dir=/usr/share/libpam-script/pam-script.d/pam_to_mysql_update/

Add the following line at the end of /etc/pam.d/common-password or as may be appropriate to the PAM configuration of the system:

Code Block
title/etc/pam.d/common-password
...

password	required                        pam_script.so onerr=fail dir=/usr/share/libpam-script/pam-script.d/pam_to_mysql_update/

...