Child pages
  • 802.1X secured wifi installation

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Introduction

Components involved

Installation

Replication of production setup

Here, we replicate the relevant parts of the present installation as a starting point.

Imported ~/Documents/Debian9-base.ova as Debian9-base_8021x, re-initializing all MAC addresses
Added eth adapter 2, re-init MAC
CPU, increase to 2

added eth1 mac address to server DHCP config, 192.168.10.52

server shwl add 52

Booted, disconnected eth2 because of errors

Logged in to GUI, connected DHCP

apt-get update
apt-get upgrade
reboot VM
rm 02proxy
set better ls and root passwords
installed ssh pub key in root

Code Block
apt-get install shorewall
apt-get install ipset
mv /etc/shorewall{,-orig}
mkdir /etc/shorewall
root@server.lastschl:~# scp /etc/shorewall/* root@192.168.10.52:/etc/shorewall/
#commented all entries related to loc and vpn zones (including dynamic zone man) in all files
#removed all MAC addresses of wifi clients

Code Block
cp -r shorewall{,-remove-loc-vpn-man-wifimac}
updated interface names in interfaces, masq
cp -r shorewall{,-updated-interfaces}
/etc/default/shorewall startup=1



removed postfix, proxy rules (did not update config backups)
root@server.lastschl:~# scp /etc/rsyslog.d/40-shorewall.conf  192.168.10.52:/etc/rsyslog.d/
root@server.lastschl:~# scp /etc/logrotate.d/shorewall 192.168.10.52:/etc/logrotate.d/
root@server.lastschl:~# scp /etc/logrotate.d/rsyslog 192.168.10.52:/etc/logrotate.d/
root@server.lastschl:~# scp /etc/logrotate.conf 192.168.10.52:/etc/

systemctl enable shorewall.service




added shorewall rules _apt

Configure network and DHCP (based on LASTSCHL-212):

Code Block
systemctl disable network-manager.service
systemctl disable NetworkManager.service

/etc/network/interfaces

Code Block
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The external interface
auto enp0s3
iface enp0s3 inet static
address 192.168.10.52
network 192.168.10.0
netmask 255.255.255.0
broadcast 192.168.10.255
gateway 192.168.10.1
  
# The wifi interface
auto enp0s8
iface enp0s8 inet static
address 192.168.9.1
netmask 255.255.255.0
broadcast 192.168.9.255
Code Block
unlink /etc/resolv.conf
echo nameserver 192.168.10.1 > /etc/resolv.conf
mkdir /etc/ltsp
root@server.lastschl:~# scp /etc/dhcp/dhcpd.conf 192.168.10.52:/etc/dhcp/

 

/etc/ltsp/dhcpd.conf

Code Block
#
# Default LTSP dhcpd.conf config file.
#

authoritative;

subnet 192.168.9.0 netmask 255.255.255.0 {
    range 192.168.9.40 192.168.9.250;
    option domain-name "test.av";
    option domain-name-servers 192.168.9.1;
    option broadcast-address 192.168.9.255;
    option routers 192.168.9.1;
    option subnet-mask 255.255.255.0;
    option root-path "/opt/ltsp/amd64";
    if substring( option vendor-class-identifier, 0, 9 ) = "PXEClient" {
        filename "/ltsp/amd64/pxelinux.0";
    } else {
        filename "/ltsp/amd64/nbi.img";
    }

}

 

 

In /etc/default/isc-dhcp-server, set:

Code Block
INTERFACESv4="enp0s8"
Code Block
apt-get install isc-dhcp-server

 

 

 

Configure DNS (based on LASTSCHL-211):

Code Block
apt-get install dnsmasq
touch /var/log/dnsmasq
chmod 640 /var/log/dnsmasqSet in /etc/dnsmasq.conf
Code Block
strict-order
interface=enp0s8
expand-hosts
domain=test.av
log-queries
log-facility=/var/log/dnsmasq

/etc/logrotate.d/dnsmasq
Code Block
/var/log/dnsmasq
{
	rotate 730
	daily
	nomissingok	
	notifempty
	delaycompress
	compress
	dateext
	postrotate
		reload rsyslog >/dev/null 2>&1 || true
	endscript
}

/etc/hostname

Code Block
debian9-base.test.av

/etc/hosts

Code Block
127.0.0.1	localhost

192.168.9.1	test.av
192.168.9.1	server.test.av	server

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

 

 

packages: shorewall

New stuff

FreeRADIUS

packages: freeradius

Modified /etc/freeradius/3.0/mods-available/eap:

commented the following:

Code Block
....
#       md5 {
#       }
....
#       leap {
#       }
....
#       gtc {
#               #  The default challenge, which many clients
#               #  ignore..
#               #challenge = "Password: "
#
#               #  The plain-text response which comes back
#               #  is put into a User-Password attribute,
#               #  and passed to another module for
#       	#  authentication.  This allows the EAP-GTC
#               #  response to be checked against plain-text,
#               #  or crypt'd passwords.
#               #
#               #  If you say "Local" instead of "PAP", then
#       	#  the module will look for a User-Password
#               #  configured for the request, and do the
#               #  authentication itself.
#               #
#               auth_type = PAP
#       }
....
#       tls {
#               # Point to the common TLS configuration
#               tls = tls-common
#
#       	#
#               # As part of checking a client certificate, the EAP-TLS
#               # sets some attributes such as TLS-Client-Cert-CN. This
#               # virtual server has access to these attributes, and can
#               # be used to accept or reject the request.
#       	#
#       #       virtual_server = check-eap-tls
#       }
....

modified the 'default_eap_type' directive under section 'eap' to be:

Code Block
default_eap_type = peap

and the 'default_eap_type' directive under section 'ttls' to be:

Code Block
default_eap_type = mschapv2

Modify /etc/freeradius/3.0/clients.conf, comment the 'client localhost' and 'client localhost_ipv6' section and add a few of these blocks at the end, one for each wifi router:

Code Block
client test1 { # Replace test1 with a name for the router
       ipaddr = 192.168.9.2 # Replace with IP of the router
       secret = password # Replace with an actual password
}

 

Certificates

as freerad?

Modified "@@@"

as freerad ("@@@" right way to do it?):

Code Block
cd /etc/freeradius/3.0/certs
make

Modify /etc/freeradius/3.0/mods-available/eap, modify the following directives under section 'tls-config tls-common' to be:

Code Block
private_key_password = password # Replace password with the password chosen previously
private_key_file = /etc/freeradius/3.0/certs/server.pem
....
certificate_file = /etc/freeradius/3.0/certs/server.pem
....
ca_file = /etc/freeradius/3.0/certs/ca.pem

 

MySQL

Python module / script_launcher.py script

Code Block
cd /etc/freeradius/3.0/
ln -s mods-available/python mods-enabled/

Put the following in it:

Code Block
title/etc/freeradius/3.0/mods-enabled/python
#
# Make sure the PYTHONPATH environmental variable contains the
# directory(s) for the modules listed below.
#
# Uncomment any func_* which are included in your module. If
# rlm_python is called for a section which does not have
# a function defined, it will return NOOP.
#
python {
	module = script_launcher # @#$dy

	python_path = ${modconfdir}/${.:name}:/usr/lib/python2.7 # @#$dy
	
	mod_post_auth = ${.module} # @#$dy
	func_post_auth = post_auth # @#$dy
}

Modify /etc/freeradius/3.0/sites-enabled/inner-tunnel:

Code Block
title/etc/freeradius/3.0/sites-enabled/inner-tunnel
...
# Add this line just after 'sql' in the 'post-auth' section
python
...

Modify /etc/freeradius/3.0/mods-available/eap, modified the 'copy_request_to_tunnel' directive under both sections 'peap' and 'ttls' to be:

 

Code Block
copy_request_to_tunnel = yes

 

Place the script_launcher.py script at /etc/freeradius/3.0/mods-config/python/script_launcher.py

Shorewall

sudo

packages: sudo

shwl_add / shwl_del scripts

 packages: arp-scan

Code Block
apt-get install arp-scan
# Install the scripts in /usr/local/sbin/, and configure settings in each of them
chown root:freerad /usr/local/sbin/shwl_*
chmod 750 /usr/local/sbin/shwl_*

Add the following line to freerad's crontab

Code Block
*/1 * * * * /usr/local/sbin/shwl_del.sh # @#$dy # @@@ figure out optimal interval

MySQL

pam_to_mysql_update.sh script

Pre-requisites from above steps: sudo, shwl_add / shwl_del scripts MySQL config, FreeRADIUS MySQL config

Code Block
apt-get install libpam-script sshpass
mkdir /usr/share/libpam-script/pam-script.d/pam_to_mysql_update
cd /usr/share/libpam-script/pam-script.d/pam_to_mysql_update
# Put the script in here, and configure MySQL settings inside
ln -s pam_to_mysql_update.sh pam_script_auth
ln -s pam_to_mysql_update.sh pam_script_passwd
 

Add the following line at the end of /etc/pam.d/common-auth or as may be appropriate to the PAM configuration of the system:

Code Block
title/etc/pam.d/common-auth
...
auth	required                        pam_script.so onerr=fail dir=/usr/share/libpam-script/pam-script.d/pam_to_mysql_update/

Add the following line at the end of /etc/pam.d/common-password or as may be appropriate to the PAM configuration of the system:

Code Block
title/etc/pam.d/common-password
...

password	required                        pam_script.so onerr=fail dir=/usr/share/libpam-script/pam-script.d/pam_to_mysql_update/

Child page description:

Overview - Description of the solution and documentation of custom scripts

Installation - Instructions on installing, and attachment containing scripts