
Introduction

Components involved

Installation

Replication of production setup

packages: shorewall

New stuff

FreeRADIUS

packages: freeradius

Modified /etc/freeradius/3.0/mods-available/eap, commenting out the md5, leap, gtc and tls method sub-sections so that only peap and ttls (with mschapv2 inside the tunnel) remain enabled. EAP-MD5 and LEAP give the password exchange no protection over the air, and GTC and EAP-TLS are not used in this setup. Note that commenting out the tls {} block only disables EAP-TLS as an outer method; the 'tls-config tls-common' block that peap and ttls refer to stays in place and is configured further down.

The commented lines:
....
#       md5 {
#       }
....
#       leap {
#       }
....
#       gtc {
#               #  The default challenge, which many clients
#               #  ignore..
#               #challenge = "Password: "
#
#               #  The plain-text response which comes back
#               #  is put into a User-Password attribute,
#               #  and passed to another module for
#               #  authentication.  This allows the EAP-GTC
#               #  response to be checked against plain-text,
#               #  or crypt'd passwords.
#               #
#               #  If you say "Local" instead of "PAP", then
#               #  the module will look for a User-Password
#               #  configured for the request, and do the
#               #  authentication itself.
#               #
#               auth_type = PAP
#       }
....
#       tls {
#               # Point to the common TLS configuration
#               tls = tls-common
#
#               #
#               # As part of checking a client certificate, the EAP-TLS
#               # sets some attributes such as TLS-Client-Cert-CN. This
#               # virtual server has access to these attributes, and can
#               # be used to accept or reject the request.
#               #
#       #       virtual_server = check-eap-tls
#       }
....

Modified the 'default_eap_type' directive in section 'eap' to be:

default_eap_type = peap

and the 'default_eap_type' directive in section 'ttls' (md5 in the stock file) to be:

default_eap_type = mschapv2

The 'peap' section already defaults to mschapv2 in the stock file and needs no change.

Modify /etc/freeradius/3.0/clients.conf: comment out the 'client localhost' and 'client localhost_ipv6' sections (they ship with the well-known secret testing123; if you still want to run radtest on the server itself, keep a localhost client with a proper secret instead) and add one of these blocks at the end for each wifi router:

client test1 { # Replace test1 with a name for the router
       ipaddr = 192.168.9.2 # Replace with IP of the router
       secret = password # Replace with a long random secret, unique to this router
}

The shared secret is all that authenticates a router to FreeRADIUS and it also keys the per-packet protection of the RADIUS exchange, so generate a different random secret of at least 16 characters for every router and configure the same value in that router's RADIUS settings.
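As an added example (not code from the page), the following generates the per-router 'client' blocks with a fresh random secret each, and refuses names, addresses and secrets that should never end up in clients.conf; the router names and addresses are constructed.

```python
# Added example (not from the page): generate the clients.conf blocks for the
# wifi routers with a fresh random shared secret each, instead of copying the
# placeholder "secret = password". Router names and addresses are constructed.
import ipaddress
import re
import secrets

NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
WEAK = {"password", "testing123", "secret", "radius"}   # well-known defaults


def new_secret(nbytes=24):
    """24 random bytes -> 32 URL-safe characters. The secret authenticates the
    router to the server and keys the RADIUS packet protection, so it has to
    be unguessable and unique per router."""
    return secrets.token_urlsafe(nbytes)


def render_client(name, ipaddr, secret):
    """One 'client' block; refuses bad names, non-literal addresses and weak
    secrets rather than silently writing them into the config."""
    if not NAME_RE.match(name):
        raise ValueError("client name %r: use letters, digits, - and _ only" % name)
    ipaddress.ip_address(ipaddr)          # ValueError for hostnames or garbage
    if len(secret) < 16 or secret.lower() in WEAK:
        raise ValueError("shared secret for %s is too weak" % name)
    return "client %s {\n\tipaddr = %s\n\tsecret = %s\n}\n" % (name, ipaddr, secret)


def render_clients(routers):
    """routers: iterable of (name, ipaddr). Returns the text to append to
    clients.conf and a dict name -> secret to configure on each router."""
    secrets_by_name = {}
    blocks = []
    for name, ipaddr in routers:
        if name in secrets_by_name:
            raise ValueError("duplicate client name %s" % name)
        secrets_by_name[name] = new_secret()
        blocks.append(render_client(name, ipaddr, secrets_by_name[name]))
    return "".join(blocks), secrets_by_name


if __name__ == "__main__":
    text, per_router = render_clients([("ap-floor1", "192.168.9.2"),
                                       ("ap-floor2", "192.168.9.3")])
    print(text)   # append to clients.conf; hand each secret to its router
```

Run it once per deployment, append the output to clients.conf and paste each secret into the matching router; keep the returned dict out of version control.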

Certificates

Generate the CA and server certificate with the Makefile shipped in the certs directory. Before running make, edit ca.cnf and server.cnf: set the subject fields, replace the bundled password (whatever) in input_password / output_password with your own, and raise default_days (60 in the shipped files). Whether make should be run as the freerad user, or as root followed by chowning the resulting key files to freerad, is still an open question in this draft ("@@@" marks the unresolved points):

Modified "@@@"

cd /etc/freeradius/3.0/certs
make

Modify /etc/freeradius/3.0/mods-available/eap again; under section 'tls-config tls-common' set the following directives:

private_key_password = password # Replace password with the output_password set in server.cnf above
private_key_file = /etc/freeradius/3.0/certs/server.pem
....
certificate_file = /etc/freeradius/3.0/certs/server.pem
....
ca_file = /etc/freeradius/3.0/certs/ca.pem

Distribute ca.pem to the clients and configure the supplicants to validate the server certificate against it (and, where the supplicant supports it, to check the server name). A client that accepts any certificate will hand its MSCHAPv2 challenge/response to any rogue access point that advertises the same SSID, and that exchange can be cracked offline.

MySQL

Python module / script_launcher.py script

cd /etc/freeradius/3.0/
ln -s mods-available/python mods-enabled/

Put the following in it (lines marked '# edited' are the ones changed from the stock mods-available/python; everything else is left as shipped):

/etc/freeradius/3.0/mods-enabled/python
#
# Make sure the PYTHONPATH environmental variable contains the
# directory(s) for the modules listed below.
#
# Uncomment any func_* which are included in your module. If
# rlm_python is called for a section which does not have
# a function defined, it will return NOOP.
#
python {
	module = script_launcher # edited: module file name without .py

	python_path = ${modconfdir}/${.:name}:/usr/lib/python2.7 # edited: ${.:name} expands to 'python', i.e. mods-config/python

	mod_post_auth = ${.module} # edited
	func_post_auth = post_auth # edited: function called from post-auth
}

Modify /etc/freeradius/3.0/sites-enabled/inner-tunnel:

/etc/freeradius/3.0/sites-enabled/inner-tunnel
...
# Add this line just after 'sql' in the 'post-auth' section
python
...

Modify /etc/freeradius/3.0/mods-available/eap once more: set the 'copy_request_to_tunnel' directive under both sections 'peap' and 'ttls' to:

copy_request_to_tunnel = yes

This copies the attributes of the outer request (e.g. Calling-Station-Id, the client's MAC address, and NAS-IP-Address) into the inner-tunnel request, so the post-auth python call added above can see which device has just authenticated.

Place the script_launcher.py script at /etc/freeradius/3.0/mods-config/python/script_launcher.py
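The page does not show the contents of script_launcher.py. As an added example (not the page's script), here is an rlm_python module in the shape the configuration above expects: it receives the inner-tunnel request in post-auth, pulls User-Name and Calling-Station-Id out of it, normalises and validates the MAC before anything is passed to a script, and returns FreeRADIUS' module codes. It assumes copy_request_to_tunnel = yes, that /usr/local/sbin/shwl_add takes the user name and the MAC as its two arguments, and that sudoers allows freerad that one command; the fallback radiusd class only exists so the file can be imported outside the server.

```python
# script_launcher.py: added example of an rlm_python module for FreeRADIUS 3.0.
# It is not the page's own script_launcher.py (the page does not show that
# file). Assumptions: it runs in post-auth of inner-tunnel with
# copy_request_to_tunnel = yes, and /usr/local/sbin/shwl_add takes the user
# name and the client MAC as its two arguments. The radiusd module is injected
# by the server; the fallback class exists only so the file imports (and can be
# tested) outside FreeRADIUS.
import re
import subprocess

try:
    import radiusd
except ImportError:
    class radiusd(object):          # same numeric codes as FreeRADIUS' radiusd module
        RLM_MODULE_REJECT, RLM_MODULE_FAIL, RLM_MODULE_OK = 0, 1, 2
        RLM_MODULE_NOOP = 7
        L_INFO, L_ERR = 3, 4

        @staticmethod
        def radlog(level, msg):
            pass

SHWL_ADD = "/usr/local/sbin/shwl_add"   # path from the page's chown line; exact name assumed
MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def attrs(p):
    """rlm_python passes the request as a tuple of (name, value) string pairs;
    older builds quote string values, so surrounding quotes are stripped."""
    return dict((k, v.strip('"')) for k, v in p)


def normalize_mac(raw):
    """Accept the formats NAS vendors use for Calling-Station-Id
    (AA-BB-CC-DD-EE-FF, aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff) and return
    aa:bb:cc:dd:ee:ff, or None for anything else. Nothing that fails this
    check may be handed to a script, least of all one running under sudo."""
    if raw is None:
        return None
    digits = re.sub(r"[-:.]", "", raw.strip().lower())
    if not MAC_HEX.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def decide(p):
    """The testable part of post_auth: (module return code, mac, user)."""
    a = attrs(p)
    user = a.get("User-Name")
    mac = normalize_mac(a.get("Calling-Station-Id"))
    if not user or mac is None:
        return radiusd.RLM_MODULE_NOOP, None, user
    return radiusd.RLM_MODULE_OK, mac, user


def launch_add(user, mac):
    # argv list, never a shell command line: both values come from the client.
    # sudoers must allow freerad exactly this command, NOPASSWD, nothing else.
    return subprocess.call(["sudo", "-n", SHWL_ADD, user, mac])


def post_auth(p):
    """Entry point named by func_post_auth in mods-enabled/python."""
    code, mac, user = decide(p)
    if mac is None:
        radiusd.radlog(radiusd.L_ERR, "script_launcher: no usable Calling-Station-Id for %r" % (user,))
        return code
    radiusd.radlog(radiusd.L_INFO, "script_launcher: %s authenticated from %s" % (user, mac))
    if launch_add(user, mac) != 0:
        radiusd.radlog(radiusd.L_ERR, "script_launcher: shwl_add failed for %s" % mac)
    return code
```

Returning NOOP rather than REJECT when the MAC is unusable keeps post-auth from turning an already successful authentication into a failure; whether that is the right policy for the firewall hole depends on what shwl_add does with a missing entry.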

Shorewall

sudo

packages: sudo

shwl_add / shwl_del scripts

packages: arp-scan

apt-get install arp-scan
# Install the scripts in /usr/local/sbin/, and configure settings in each of them
chown root:freerad /usr/local/sbin/shwl_*
chmod 750 /usr/local/sbin/shwl_*

Root-owned and not writable by freerad, so the freerad user can run the scripts but not alter what is later executed with root rights; the sudoers rule for freerad should name exactly these scripts by full path (NOPASSWD) and nothing else.

Add the following line to freerad's crontab (crontab -u freerad -e). crontab(5) does not allow a comment after a command (the rest of the line is taken to be part of the command), so keep the line bare:

*/1 * * * * /usr/local/sbin/shwl_del.sh

The interval is still to be tuned ("@@@ figure out optimal interval" in the draft).

MySQL

pam_to_mysql_update.sh script

Pre-requisites from the steps above: sudo, the shwl_add / shwl_del scripts, the MySQL config and the FreeRADIUS MySQL config.

apt-get install libpam-script sshpass
mkdir /usr/share/libpam-script/pam-script.d/pam_to_mysql_update
cd /usr/share/libpam-script/pam-script.d/pam_to_mysql_update
# Put the script in here, and configure MySQL settings inside
ln -s pam_to_mysql_update.sh pam_script_auth
ln -s pam_to_mysql_update.sh pam_script_passwd

Add the following line at the end of /etc/pam.d/common-auth or as may be appropriate to the PAM configuration of the system. "At the end" means after the pam_deny / pam_permit lines of Debian's stock file, so the script only runs once the primary authentication has already succeeded. onerr=fail means that a failing script (MySQL unreachable, script error) also fails the login; that is the intended behaviour here, but it ties local logins to the database being up:

/etc/pam.d/common-auth
...
auth	required                        pam_script.so onerr=fail dir=/usr/share/libpam-script/pam-script.d/pam_to_mysql_update/

Add the following line at the end of /etc/pam.d/common-password or as may be appropriate to the PAM configuration of the system:

/etc/pam.d/common-password
...
password	required                        pam_script.so onerr=fail dir=/usr/share/libpam-script/pam-script.d/pam_to_mysql_update/
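The page does not show pam_to_mysql_update.sh. As an added example (not the page's script, and written in Python 3 rather than shell), here is a hook in the shape libpam-script expects: it reads PAM_USER and PAM_AUTHTOK from the environment, derives the NT hash that the inner MSCHAPv2 authentication needs, and replaces the user's password row in the stock FreeRADIUS radcheck table with parameterised statements. What the page's script actually stores is an assumption; so are the MySQLdb connection and the /etc/freeradius/3.0/pam_to_mysql.cnf path in the __main__ block. Note that libpam-script only exports the password as PAM_AUTHTOK when it is called with expose=1 (see the pam_script man page), which the pam.d lines above do not set.

```python
#!/usr/bin/env python3
# pam_to_mysql_update: added example of a libpam-script hook, written in Python
# here instead of the page's pam_to_mysql_update.sh, whose contents the page
# does not show. Assumed behaviour: after a successful PAM auth or password
# change, replace the user's password row in FreeRADIUS' radcheck table so the
# inner MSCHAPv2 authentication accepts the same password as the system login.
# MSCHAPv2 needs Cleartext-Password or NT-Password in radcheck; the NT hash
# (MD4 over the UTF-16LE password) is stored so the clear text is not kept.
import os
import re
import struct

USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")   # adjust to the local user naming policy


def _f(x, y, z): return (x & y) | (~x & z)
def _g(x, y, z): return (x & y) | (x & z) | (y & z)
def _h(x, y, z): return x ^ y ^ z
def _rotl(x, n): return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data):
    """MD4 as in RFC 1320, in pure Python: hashlib.new('md4') only works when
    OpenSSL's legacy provider is loaded, which is no longer the default."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                                   # round 1
            a, b, c, d = d, _rotl((a + _f(b, c, d) + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + _g(b, c, d) + x[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, _rotl((a + _h(b, c, d) + x[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4]), b, c
        h = [(u + v) & 0xFFFFFFFF for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password):
    """NT-Password value as FreeRADIUS expects it: 32 upper-case hex digits."""
    return md4(password.encode("utf-16-le")).hex().upper()


def radcheck_statements(user, password):
    """Parameterised statements for the stock radcheck table (it has no unique
    key on username/attribute, hence delete-then-insert rather than an upsert)."""
    if not USER_RE.match(user):
        raise ValueError("refusing unexpected user name %r" % user)
    return [
        ("DELETE FROM radcheck WHERE username = %s "
         "AND attribute IN ('Cleartext-Password', 'NT-Password')", (user,)),
        ("INSERT INTO radcheck (username, attribute, op, value) "
         "VALUES (%s, 'NT-Password', ':=', %s)", (user, nt_hash(password))),
    ]


def run(environ, execute):
    """environ: the PAM environment (PAM_USER, plus PAM_AUTHTOK when
    libpam-script runs with expose=1); execute(sql, params) is a DB-API
    cursor.execute. Returns the process exit code: non-zero makes onerr=fail
    deny the login or password change."""
    user = environ.get("PAM_USER")
    token = environ.get("PAM_AUTHTOK")
    if not user or not token:
        return 1
    try:
        for sql, params in radcheck_statements(user, token):
            execute(sql, params)
    except Exception:
        return 1
    return 0


if __name__ == "__main__":
    import sys
    import MySQLdb  # python3-mysqldb; the option file path is an assumption
    db = MySQLdb.connect(read_default_file="/etc/freeradius/3.0/pam_to_mysql.cnf")
    rc = run(os.environ, db.cursor().execute)
    if rc == 0:
        db.commit()
    sys.exit(rc)
```

The option file keeps the MySQL credentials out of the script (which must be root-owned and mode 750 like the shorewall scripts), and the user-name check is the only thing standing between a login name and the database, so keep it as strict as the local naming policy allows.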


