Wireless RADIUS Access - PowerPoint PPT Presentation

Wireless RADIUS Access Susan Mulholland Joseph Paulowskey Joseph Woulfe – PowerPoint PPT presentation

Slides: 34
Provided by: Josep486
1
Wireless RADIUS Access
  • Susan Mulholland
  • Joseph Paulowskey
  • Joseph Woulfe

2
What is Wi-Fi?
  • Stands for Wireless Fidelity
  • The wireless networking standard is called
    802.11
  • Can connect PCs, notebooks, and PDAs to enable
    them to share internet connections, printers and
    documents
  • Range can be up to 300 feet

3
Three kinds of 802.11
  • 802.11b
      • The first version of 802.11
      • Slowest
      • Least expensive
  • 802.11a
      • The second version
      • Can handle up to 54 megabits per second
      • Operates at 5 GHz
  • 802.11g
      • The third version
      • Operates at 2.4 GHz
      • Has the advantage of higher speeds

4
Advantages of Wi-Fi
  • Allows LANs to be deployed without cabling
  • Reduces the costs of network deployment and
    expansion.
  • Can host wireless LANs.
  • Networks support roaming
  • Wi-Fi client works in all different countries
  • A global set of standards

5
Disadvantages of Wi-Fi
  • Power consumption is high
  • Concerns about battery life and heat
  • Has limited range.
  • Access points could be used to steal personal
    information transmitted from Wi-Fi users.
  • Wired Equivalent Privacy (WEP) is easily broken
    even when correctly configured. WPA2 (Wi-Fi
    Protected Access 2) is an improvement over WEP.

6
Wi-Fi Security
  • If a hotspot is open, then anyone with a Wi-Fi
    card can access the hotspot. The original
    standard was 64-bit encryption, which was easily
    broken.
  • If it is secured using 128-bit encryption, then
    the user needs to know a WEP key to connect.
    When running a hotspot at your house, you need
    128-bit WEP encryption to keep intruders out of
    your network.

7
Wi-Fi network in your home
  • 802.11b
      • Is slightly less expensive and the slowest of
        the three 802.11 versions. For home use,
        802.11g costs just a little more, but is up to
        5 times faster. If you will be doing a lot of
        file transfers between computers in your home,
        802.11g is definitely the way to go.
  • 802.11g
      • Costs just a little more
      • Up to 5 times faster. If you do a lot of file
        transfers between computers in your home, then
        802.11g is the best way to go.

8
Two kinds of Wi-Fi
  • Commercial Wi-Fi
  • Services are available such as Internet cafes,
    Borders bookstore, and more. T-Mobile has many
    hotspots in all Borders and Starbucks.
  • Free Wi-Fi
  • Many members of local governments have joined
    with local community groups to help expand free
    Wi-Fi networks. Some community groups built their
    Wi-Fi networks based on volunteer efforts and
    donations.

9
About Wi-Fi revolution
  • Consultants from Pyramid Research predicted that
    more Americans would use Wi-Fi than cellular
    networks by 2007.
  • Last year, approximately 30.2 million Americans
    used Wi-Fi, according to Pyramid, compared with
    213 million mobile-phone customers.
  • Demand for Wi-Fi is increasing. However, the
    pace shows signs of slowdown.

10
RADIUS
  • Stands for Remote Authentication Dial In User
    Service
  • Certificates are used to authenticate the
    user's computer and to authenticate the RADIUS
    server.

11
Deployment Diagram
  • This diagram shows how the user's wireless
    device connects through the wireless access
    point. The credentials are sent from the access
    point to the RADIUS server, which verifies the
    user information using the Network Information
    Service (NIS) server. Upon verification in the
    NIS server, the user acceptance is passed back
    up to the RADIUS server and then back up to the
    access point, which puts the user on the
    network. The user is then allowed to make a DHCP
    request for an IP address, and the DHCP server
    responds.

12
Architectural Design
13
Radiusd.conf
  • The radiusd.conf file is the main configuration
    file for the FreeRadius server.
  • radiusd.conf file.
  • port = 1812 sets the port to listen on to 1812
  • log_auth = yes sets the server to log
    authentication requests

14
Clients.conf
  • The clients.conf file is a configuration file for
    the FreeRadius server that establishes which
    clients can connect to the RADIUS server.
  • The following are the lines that were modified in
    the clients.conf file to allow the single test
    access point to be a client, as well as the local
    host to be a client for testing.

    client 134.198.161.212 {
        secret = cmps354
        shortname = WAP354
    }
    client localhost {
        secret = cmps354
        shortname = lh
    }
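
Both clients on this slide are given the same secret. The following added example (not part of the original presentation) audits a clients.conf for secrets that are shorter than a chosen minimum or shared between clients; the function name, the 16-character minimum and the "same-as" output format are assumptions made for the example, and the sample file is constructed from the two entries above.

```sh
#!/bin/sh
# Added example, not from the slides: flag short or reused RADIUS shared secrets.
set -eu

audit_clients_conf() {  # $1 = clients.conf path, $2 = minimum secret length (assumed policy)
    awk -v min="$2" '
        { sub(/#.*/, "") }                      # ignore comments
        $1 == "client" { name = $2 }            # remember which client block we are in
        $1 == "secret" {
            s = $NF                             # value after "secret =" (no spaces assumed)
            if (length(s) < min) print "SHORT " name
            if (s in seen) print "REUSED " name " same-as " seen[s]
            else seen[s] = name
        }' "$1"
}

# Constructed sample: the two client entries shown on the slide.
sample=$(mktemp)
cat > "$sample" <<'EOF'
client 134.198.161.212 {
    secret = cmps354
    shortname = WAP354
}
client localhost {
    secret = cmps354
    shortname = lh
}
EOF
audit_clients_conf "$sample" 16
```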

15
Eap.conf
  • The eap.conf file handles the configuration for
    the EAP protocols in FreeRadius.
  • The following lines have to be adjusted.

    default_eap_type = tls    # tls is the authentication form that is being used

  • The following is from the tls module

    private_key_password
    private_key_file = ${raddbdir}/certs/serverkey_cert.pem
    certificate_file = ${raddbdir}/certs/serverkey_cert.pem
    CA_file = /usr/local/openssl/cmpsCA/cacert.pem
    dhfile = /dev/null          # link to a built-in null location
    random_file = /dev/urandom  # link to a built-in random number generator

  • The following is from the ttls module

    default_eap_type
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes

16
Installing OpenSSL
  • OpenSSL by default is installed onto the FreeBSD
    5.4 system
  • After installing OpenSSL the administrator has to
    go to the directory that contains the
    configuration files for OpenSSL.
  • By default on FreeBSD the path is
    /usr/local/openssl/.
  • From there you can find the file openssl.cnf;
    this file has a number of lines that should be
    edited for ease of use.

17
openssl.cnf
  • Lines that should be edited for ease of use.
  • These are some of the lines that should be
    modified:

    [ CA_default ]
    dir = ./cmpsCA    # Where the CA is kept

    further down:

    countryName_default = US
    stateOrProvinceName_default = Pennsylvania
    0.organizationName_default = Computing Science Department

18
xpextensions
  • After editing the defaults of the openssl.cnf
    file another file must be created because these
    certificates are going to be used on Microsoft
    Windows XP computers.
  • The file should be created and named
    xpextensions.

19
xpextensions
  • The following lines should be added to
    xpextensions

    [ xpclient_ext ]
    extendedKeyUsage = 1.3.6.1.5.5.7.3.2
    [ xpserver_ext ]
    extendedKeyUsage = 1.3.6.1.5.5.7.3.1

20
Creating a Certificate Authority
  • To create a certificate authority you must edit
    the CA.sh file in the openssl/misc directory
  • CATOP=./cmpsCA (this path should match the dir
    specified in openssl.cnf)

21
Creating and Signing Certificates
  • The first step for creating the server
    certificates is to make a certificate request
    with this command:

    openssl req -new -nodes -keyout server_key.pem \
        -out server_req.pem -days 730 -config ./openssl.cnf

  • After making the request, it will prompt the user
    to enter some organization information; then the
    request will be created in the file
    server_req.pem
  • This server request now has to be signed by your
    created certificate authority, and the
    xpextensions need to be added to the
    certificate. This can be done with the command:

    openssl ca -config ./openssl.cnf \
        -policy policy_anything -out server_cert.pem \
        -extensions xpserver_ext -extfile ./xpextensions \
        -infiles ./server_req.pem

22
Creating and Signing Certificates
  • client_req.pem
  • The client certificate follows the same process
    as the server certificate
  • First you must create a signing request.

    openssl req -new -keyout client_key.pem \
        -out client_req.pem -days 730 -config ./openssl.cnf

  • Then you sign the request with the same
    certificate authority

    openssl ca -config ./openssl.cnf \
        -policy policy_anything -out client_cert.pem \
        -extensions xpclient_ext -extfile ./xpextensions \
        -infiles ./client_req.pem

23
Creating and Signing Certificates
  • Finally, after you have created your signed
    certificate in client_cert.pem, you have to
    convert it to a .p12 file for Windows machines.
  • You can do that with this command:

    openssl pkcs12 -export -in client_cert.pem \
        -inkey client_key.pem -out client_cert.p12 -clcerts
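
The certificate steps from the slides above, as an added example that is not part of the original presentation: it builds a throwaway CA, issues a server and a client certificate with the xpextensions EKUs, and uses openssl verify to confirm that each certificate is accepted only for its own purpose. It signs with `openssl x509 -req` in place of the slides' `openssl ca` so that no CA directory is needed; demo.cnf, the CN values and the function names are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the slides: throwaway CA plus server/client certs.
set -eu

make_demo_pki() {  # $1 = empty working directory
    (
        cd "$1"
        # Constructed minimal config so the result does not depend on the system openssl.cnf
        cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Demo CA (constructed)
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
        # Same content as the xpextensions file on the slides
        cat > xpextensions <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
        openssl req -x509 -new -nodes -newkey rsa:2048 -config demo.cnf \
            -keyout cakey.pem -out cacert.pem -days 730 2>/dev/null
        for role in server client; do
            openssl req -new -nodes -newkey rsa:2048 -config demo.cnf \
                -subj "/CN=demo-$role" -keyout "${role}_key.pem" \
                -out "${role}_req.pem" 2>/dev/null
            # Swapped in for 'openssl ca': sign the request directly with the CA key
            openssl x509 -req -in "${role}_req.pem" -CA cacert.pem -CAkey cakey.pem \
                -CAcreateserial -days 730 -extfile xpextensions \
                -extensions "xp${role}_ext" -out "${role}_cert.pem" 2>/dev/null
        done
    )
}

cert_purpose_ok() {  # $1 = directory, $2 = certificate file, $3 = sslserver|sslclient
    openssl verify -CAfile "$1/cacert.pem" -purpose "$3" "$1/$2" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
for pair in server_cert.pem:sslserver client_cert.pem:sslclient client_cert.pem:sslserver; do
    cert=${pair%%:*}; purpose=${pair#*:}
    if cert_purpose_ok "$demo_dir" "$cert" "$purpose"; then result=accepted; else result=rejected; fi
    echo "$cert as $purpose: $result"
done
```

The third check fails because the client certificate carries only the client-authentication EKU, so it cannot stand in for the RADIUS server certificate.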

24
Wireless Access Points
  • The Wireless Access points need to be configured
    for the network
  • Set static IP
  • IP address should be reflected in the
    clients.conf file of the radius directory
  • The SSID needs to be modified to CMPS

25
Wireless Access Points
26
User Interface Design
  • SecureW2 Supplicant
  • The SecureW2 client is a WPA supplicant that
    installs onto the user's Windows XP computer.
  • This is used to authenticate the user through the
    RADIUS server using the TTLS protocol.

27
SecureW2 Installation
  • The SecureW2 client can be downloaded from
  • http://www.securew2.com/uk/download/index.htm

28
SecureW2 Installation
29
SecureW2 Installation
30
Configuration
  • SecureW2 allows for PAP authentication
  • SecureW2 also allows you to input a user id and
    password combination for quick reconnecting to
    the network
  • This can be used on a personal computer
  • The configuration of the SecureW2 Client is shown
    below

31
(No Transcript)
32
(No Transcript)
33
Resources
  • http://en.wikipedia.org/wiki/WiFi
  • http://www.wi-fihotspotlist.com/
  • http://www.wififreespot.com/pa.html
  • http://www.wifimaps.com/
  • http://www.cs.scranton.edu/%7Etjm2f/school/cmps490/SystemDocumentation.doc#_Toc121278389