WiFi Enterprise. FreeRadius + FreeIPA + Ubiquiti

Some examples of organizing corporate WiFi have already been described. Here I will describe how I implemented a similar solution and the problems I ran into when connecting different devices. We will use the existing LDAP with registered users, bring up FreeRadius and configure WPA2-Enterprise on the Ubnt controller. Everything seems simple. Let's see…

A little about EAP methods

Before proceeding with the task, we need to decide which authentication method we will use in our solution.

From wikipedia:

EAP is an authentication framework that is often used in wireless networks and point-to-point connections. The format was first described in RFC 3748 and updated in RFC 5247.
EAP is used to select an authentication method, pass keys, and process those keys with plug-ins called EAP methods. There are many EAP methods, both defined with EAP itself and released by individual vendors. EAP does not define the link layer, it only defines the message format. Each protocol using EAP has its own EAP message encapsulation protocol.

The methods themselves:

  • LEAP is a proprietary protocol developed by Cisco. Vulnerabilities have been found in it, and its use is currently not recommended
  • EAP-TLS is well supported among wireless vendors. It is a secure protocol, being the successor of the SSL standards. Client setup is quite complicated: a client certificate is needed in addition to the password. Supported on many systems
  • EAP-TTLS is widely supported on many systems and offers good security by using PKI certificates only on the authentication server
  • EAP-MD5 is another open standard. It offers minimal security: it is vulnerable and does not support mutual authentication or key generation
  • EAP-IKEv2 is based on Internet Key Exchange Protocol version 2. It provides mutual authentication and session key establishment between client and server
  • PEAP is a joint solution of Cisco, Microsoft and RSA Security, published as an open standard. Widely available in products, it provides very good security. Like EAP-TTLS, it requires only a certificate on the server side
  • PEAPv0/EAP-MSCHAPv2 is, after EAP-TLS, the second most widely used standard in the world. Used in client-server deployments by Microsoft, Cisco, Apple, Linux
  • PEAPv1/EAP-GTC was created by Cisco as an alternative to PEAPv0/EAP-MSCHAPv2. It does not protect authentication data in any way. Not supported on Windows
  • EAP-FAST is a technique developed by Cisco to correct the shortcomings of LEAP. It uses a Protected Access Credential (PAC). Completely unfinished

Of all this variety, the choice is still not wide. The authentication method had to offer good security, support on all devices (Windows 10, macOS, Linux, Android, iOS) and, frankly, the simpler the better. Therefore the choice fell on EAP-TTLS in conjunction with the PAP protocol.
The question may arise: why use PAP, when it transmits passwords in the clear?

Yes, that's right. Communication between FreeRadius and FreeIPA will take place in this way. In debug mode you can watch how the username and password are sent. And let them be sent: only you have access to the FreeRadius server.

You can read more about the work of EAP-TTLS here

FreeRADIUS

FreeRadius will be set up on CentOS 7.6. There is nothing complicated here; we install it in the usual way.

yum install freeradius freeradius-utils freeradius-ldap -y

Version 3.0.13 is installed from the packages. The latest version can be obtained from https://freeradius.org/

After that, FreeRadius is already working. You can uncomment the line in /etc/raddb/users:

steve   Cleartext-Password := "testing"

Start the server in debug mode:

freeradius -X

And make a test connection from localhost:

radtest steve testing 127.0.0.1 1812 testing123

We got the answer Received Access-Accept Id 115 from 127.0.0.1:1812 to 127.0.0.1:56081 length 20, which means everything is OK. Let's go ahead.

Enable the ldap module:

ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap

And edit it right away. FreeRadius needs to be able to reach FreeIPA:

mods-enabled/ldap

ldap {
    server = "ldap://ldap.server.com"
    # StartTLS upgrades a plain LDAP connection, so it runs on the plain port 389;
    # port 636 is reserved for LDAPS (server = "ldaps://..." with start_tls = no)
    port = 389
    start_tls = yes
    identity = "uid=admin,cn=users,dc=server,dc=com"
    password = **********
    base_dn = "cn=users,dc=server,dc=com"
    set_auth_type = yes
    ...
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    ...

Restart the radius server and check the synchronization of LDAP users:

radtest user_ldap password_ldap localhost 1812 testing123

Editing eap in mods-enabled/eap.
Here we add two instances of eap. They differ only in their certificates and keys. Below I will explain why.

mods-enabled/eap

eap eap-client {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    tls-config tls-common {
        # key and certificate from the trusted certificate authority
        private_key_file = ${certdir}/first.key
        certificate_file = ${certdir}/first.crt
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        cipher_list = "HIGH"
        cipher_server_preference = no
        ecdh_curve = "prime256v1"
        check_crl = no
    }
    ttls {
        tls = tls-common
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}
eap eap-guest {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    tls-config tls-common {
        # self-signed key generated below in the certs directory;
        # the password is the output_password from server.cnf
        private_key_password = blablabla
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.crt
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        cipher_list = "HIGH"
        cipher_server_preference = no
        ecdh_curve = "prime256v1"
        check_crl = no
    }
    ttls {
        tls = tls-common
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}

Next we edit sites-enabled/default. The authorize and authenticate sections are of interest.

sites-enabled/default

authorize {
  filter_username
  preprocess
  if (&User-Name == "guest") {
   eap-guest {
       ok = return
   }
  }
  elsif (&User-Name == "client") {
    eap-client {
       ok = return 
    }
  }
  else {
    eap-guest {
       ok = return
    }
  }
  ldap
  if ((ok || updated) && User-Password) {
    update {
        control:Auth-Type := ldap
    }
  }
  expiration
  logintime
  pap
}

authenticate {
  Auth-Type LDAP {
    ldap
  }
  Auth-Type eap-guest {
    eap-guest
  }
  Auth-Type eap-client {
    eap-client
  }
  pap
}

In the authorize section we remove all the modules we do not need, leaving only ldap, and add client dispatch by username. That is why we added two instances of eap above.

Multi EAP

The fact is that on some devices we will connect using system certificates and just specify the domain. We have a certificate and key from a trusted certificate authority. Personally, I think this connection procedure is easier than pushing a self-signed certificate to each device. But it still did not work out without self-signed certificates: Samsung devices and Android versions <= 6 cannot use system certificates. Therefore we create a separate eap-guest instance for them with self-signed certificates. For all other devices we use eap-client with the trusted certificate. The User-Name is determined by the anonymous identity field when the device connects. Only 3 values are allowed: Guest, Client and an empty field. Everything else is discarded. This is configured in the policies; I will give an example a little later.

Let's edit the authorize and authenticate sections in sites-enabled/inner-tunnel

sites-enabled/inner-tunnel

authorize {
  filter_username
  filter_inner_identity
  update control {
   &Proxy-To-Realm := LOCAL
  }
  ldap
  if ((ok || updated) && User-Password) {
    update {
        control:Auth-Type := ldap
    }
  }
  expiration
  digest
  logintime
  pap
}

authenticate {
  Auth-Type eap-guest {
    eap-guest
  }
  Auth-Type eap-client {
    eap-client
  }
  Auth-Type PAP {
    pap
  }
  ldap
}

Next, in the policies you need to specify which names may be used for anonymous login. Edit policy.d/filter.

Find lines similar to this:

if (&outer.request:User-Name !~ /^(anon|@)/) {
  update request {
    Module-Failure-Message = "User-Name is not anonymized"
  }
  reject
}

And add the desired values in the elsif below:

elsif (&outer.request:User-Name !~ /^(guest|client|@)/) {
  update request {
    Module-Failure-Message = "User-Name is not anonymized"
  }
  reject
}
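A model of these two identity checks, as an added example that is not part of the original article or of FreeRADIUS itself: it reproduces the exact-match dispatch from the authorize section and the prefix regex from the policy above on a few constructed outer identities, and adds an assumed stricter pattern that admits only the values the text describes. Real FreeRADIUS behaviour for an outer User-Name attribute that is absent altogether is not modelled.

```python
import re

# Added example: a Python model of the outer-identity handling in this article's
# FreeRADIUS configuration. It is not FreeRADIUS code; it reproduces the
# comparisons so their edge cases can be seen on sample identities.
#
# The outer (anonymous) User-Name passes through two places:
#   1. sites-enabled/default, authorize: exact-match dispatch to an eap instance
#   2. policy.d/filter, filter_inner_identity: the prefix regex from the article

# The pattern exactly as written in the edited policy. It is anchored at the
# start only and is case-sensitive (FreeRADIUS would need the /i flag otherwise).
ARTICLE_RE = re.compile(r"^(guest|client|@)")

# Assumed stricter alternative (not from the article): only the exact names
# "guest" and "client", an "@realm" form, or an empty field.
STRICT_RE = re.compile(r"^(guest|client|@[^@]*)?$")


def select_eap_instance(outer_user_name: str) -> str:
    """Mirror the if / elsif / else chain in the outer authorize section."""
    if outer_user_name == "guest":
        return "eap-guest"
    if outer_user_name == "client":
        return "eap-client"
    # Any other value, the empty field included, falls through to eap-guest
    # (self-signed certificate), never to the trusted-certificate instance.
    return "eap-guest"


def passes_article_filter(outer_user_name: str) -> bool:
    """True when the article's filter_inner_identity regex would not reject."""
    return ARTICLE_RE.search(outer_user_name) is not None


def passes_strict_filter(outer_user_name: str) -> bool:
    """True under the stricter pattern that matches the article's prose."""
    return STRICT_RE.search(outer_user_name) is not None


def evaluate(outer_user_name: str) -> dict:
    """Combine both checks into one decision record for a given outer identity."""
    return {
        "instance": select_eap_instance(outer_user_name),
        "article_filter": passes_article_filter(outer_user_name),
        "strict_filter": passes_strict_filter(outer_user_name),
    }


if __name__ == "__main__":
    # Constructed sample identities, chosen to show where the two patterns differ:
    # "Guest" fails the case-sensitive regex, "guest2" passes only the prefix one.
    for name in ["guest", "client", "Guest", "guest2", "client@corp.example",
                 "@corp.example", "alice", ""]:
        print(f"{name!r:24} -> {evaluate(name)}")
```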

Now go to the certs directory. Here you need to put the key and certificate from the trusted certificate authority, which we already have, and generate self-signed certificates for eap-guest.

Change the parameters in the file ca.cnf.

ca.cnf


...
default_days = 3650
default_md = sha256
...
input_password = blablabla
output_password = blablabla
...
countryName = RU
stateOrProvinceName = State
localityName = City
organizationName = NONAME
emailAddress = [email protected]
commonName = "CA FreeRadius"

We write the same values in the file server.cnf, changing only the common name:

server.cnf


...
default_days = 3650
default_md = sha256
...
input_password = blablabla
output_password = blablabla
...
countryName = RU
stateOrProvinceName = State
localityName = City
organizationName = NONAME
emailAddress = [email protected]
commonName = "Server Certificate FreeRadius"

Create:

make

Done. The resulting server.crt and server.key were already referenced above in eap-guest.

And finally, let's add our access points to the file clients.conf. I have 7 of them. In order not to add each point separately, we only write the network they are in (my access points are in a separate VLAN).

client APs {
    ipaddr = 192.168.100.0/24
    # the RADIUS shared secret; clients.conf calls this item "secret", not "password"
    secret = password_AP
}

Ubiquiti controller

We bring up a separate network on the controller; let it be 192.168.2.0/24.
Go to Settings -> Profiles and create a new one:

We write the address and port of the radius server and the password that was written in the file clients.conf:

Create a new wireless network name. Select WPA-EAP (Enterprise) as the authentication method and specify the created radius profile:

We save everything, apply and move on.

Setting up clients

Let's start with the most difficult!

Windows 10

The difficulty comes down to the fact that Windows does not yet know how to connect to corporate WiFi by domain. Therefore, we have to manually import our certificate into the trusted certificate store. Either a self-signed certificate or the one from the certification authority can be used here. I will use the second one.

Next, you need to create a new connection. To do this, go to Network & Internet settings -> Network and Sharing Center -> Set up a new connection or network:

Manually enter the network name and change the security type. Then click "Change connection settings" and in the Security tab select the network authentication method EAP-TTLS.

Go into the settings and set the authentication privacy (the anonymous identity) to client. As the trusted certification authority, select the certificate we added, check the box "Don't prompt user to authorize new servers or trusted CAs" and select the authentication method Unencrypted password (PAP).

Next, go to the advanced settings, tick "Specify authentication mode", select "User authentication" and click "Save credentials". Here you will need to enter username_ldap and password_ldap.

We save everything, apply, close. You can connect to a new network.

Linux

I tested on Ubuntu 18.04, 18.10, Fedora 29 and 30.

First, let's download our certificate. On Linux I could not find out whether system certificates can be used, or whether such a store exists at all.

We will connect by domain, so we need the certificate of the certification authority from which our certificate was purchased.

All connections are made in one window. Selecting our network:

anonymous identity - client
domain - the domain for which the certificate is issued

Android

non-Samsung

From version 7, when connecting WiFi, you can use system certificates by specifying only the domain:

domain - the domain for which the certificate is issued
anonymous identity - client

Samsung

As I wrote above, Samsung devices do not know how to use system certificates when connecting to WiFi, and they have no option to connect by domain. Therefore, you must manually add the root certificate of the certification authority (ca.pem, taken from the Radius server). This is where the self-signed certificate is used.

Download the certificate to your device and install it.

Certificate installation

At the same time, you will need to set the screen unlock pattern, pin code or password, if it is not already set:

I showed the complicated way of installing a certificate. On most devices you can simply tap the downloaded certificate.

When the certificate is installed, you can proceed to the connection:

certificate - select the one that was installed
anonymous identity - guest

MacOS

Apple devices out of the box can only connect with EAP-TLS, and even then you need to push a certificate to them. To specify a different connection method, you need to use Apple Configurator 2. Accordingly, you must first download it to your Mac, create a new profile and add all the necessary WiFi settings.

Apple Configuration

Network name - enter your network name here
Security Type - WPA2 Enterprise
Accepted EAP Types - TTLS
User Name and Password - leave empty
Inner Authentication - PAP
Outer Identity - client

Trust tab. Here we specify our domain

That's all. The profile can be saved, signed and distributed to devices.

After the profile is ready, you need to download it to the Mac and install it. During installation you will need to enter the user's username_ldap and password_ldap:

iOS

The process is similar to macOS. You need to use a profile (you can use the same one as for macOS. How to create a profile in Apple Configurator, see above).

Download profile, install, enter credentials, connect:

That's all. We set up a Radius server, synced it with FreeIPA, and told Ubiquiti APs to use WPA2-EAP.

Possible questions

Q: how to transfer a profile/certificate to an employee?

A: I store all certificates/profiles on an FTP server with web access. I set up a guest network with a speed limit and access only to the Internet, with the exception of that FTP server.
Authentication on it lasts 2 days, after which it is reset and the client is left without Internet. That is, when an employee wants to connect to WiFi, he first connects to the guest network, goes to the FTP server, downloads the certificate or profile he needs, installs it, and then can connect to the corporate network.

Q: why not use the scheme with MSCHAPv2? It's safer!

A: Firstly, such a scheme works well with NPS (Windows Network Policy System); in our implementation it would require additionally configuring LDAP (FreeIPA) to store password hashes on the server. Extra settings of that kind are undesirable, because they can lead to various account synchronization problems. Secondly, the hash is MD4, so it does not add much security.

Q: is it possible to authorize devices by MAC address?

A: No, this is not secure: an attacker can change MAC addresses, and besides, authorization by MAC address is not supported on many devices.

Q: why use all these certificates at all? Can you connect without them?

A: certificates are used to authenticate the server. That is, when connecting, the device checks whether the server can be trusted. If so, authentication continues; if not, the connection is closed. You can connect without certificates, but if an attacker or a neighbor at home sets up a radius server and an access point with the same name as ours, he can easily intercept the user's credentials (do not forget that they are transmitted in clear text). When a certificate is used, the adversary will see in his logs only our fictitious User-Name (guest or client) and an error like Unknown CA Certificate.

A little more about macOS

Usually on macOS the system is reinstalled over the Internet. In recovery mode the Mac must be connected to WiFi, and neither our corporate WiFi nor the guest network will work here. Personally, I set up another network, a regular hidden WPA2-PSK one, only for technical operations. Alternatively, you can make a bootable USB flash drive with the system in advance. But if the Mac is from after 2015, you will still need to find an adapter for that flash drive)

Source: habr.com