Network hackerspace Strassen
m (Protected "Network": Official information which should not be changed by anybody else then admins. ([edit=sysop] (indefinite) [move=sysop] (indefinite))) |
(added link to registry) |
||
Line 174: | Line 174: | ||
* http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg14674.html | * http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg14674.html | ||
* http://svn.dd-wrt.com:8000/dd-wrt/browser/src/router/freeradius/src/modules/rlm_python/prepaid.py | * http://svn.dd-wrt.com:8000/dd-wrt/browser/src/router/freeradius/src/modules/rlm_python/prepaid.py | ||
+ | |||
+ | == Backend == | ||
+ | |||
+ | Most of our services run on an LDAP backend. We have some information on our [[Registry|OID Registry]]. | ||
{{#set: Has description=This page hosts details on our internal network, wired as well as wireless. }} | {{#set: Has description=This page hosts details on our internal network, wired as well as wireless. }} |
Revision as of 14:15, 13 April 2011
Contents |
Overview
Every hackerspace has a network to connect to the Internets, so does syn2cat
Bring your laptop or use one of the available PCs, plug it in and off you go. There's also wireless LAN available.
Layout
Here's the current layout in fancy ASCII art.
DSL -- thomson :::: Lusitania :::: miniswitch == wall ports in ADHS rooms || || 3com Rack -- photoborg " " " " 3com Core == wall ports in syn2cat rooms || || OpenDuino, switches, HPprinter
Legend:
* -- single cable * == more than one cable * "" fiber trunk * ::: VLAN * ... wlan cable
IP
We provide both IPv4 and IPv6 connectivity in the hackerspace.
Wireless
We have two access points (APs).
The WPA2-Enterprise APs use a radius server for authenticating users with their syn2cat member account.
Use the following settings:
Security: WPA2 Enterprise
Authentication: PEAP
Inner authentication: MSCHAPv2
Username: <syn2cat login>
Password: <syn2cat password>
Be sure to use exactly those settings, else it will not work.
SSL certificates
There are a total of three certificates of interest.
We use a chained CA, making for a total of two CA certificates:
rootCA (PEM)
subCA (PEM)
And lastly for your convenience, a bundle of both in one file:
rootCA-subCA bundle (PEM)
For completeness, but you probably don't need it, the certificate of the internal server at the space:
lusitania-certificate (PEM)
You should use the CA certificates when connecting to the WiFi network (see below, your software manual or ask somebody at the space how-to), but this is not a requirement.
OS compatibility
- Linux works out of the box
- Windows works out of the box
- OSX works out of the box
- iphone works out of the box
- Android works out of the box
- Symbian works fine (need to install CA certificates!, see earlier)
- Maemo OS works out of the box
OS specific hints
Arch Linux
[Howto: H4x0roam with netcfg and encrypted wpa supplicant config]]
Linux - WICD template
Save this as "/etc/wicd/encryption/templates/peap-mschapv2" and add the filename to "/etc/wicd/encryption/templates/active".
name = PEAP with MSCHAPv2 author = syn<sub>2</sub>cat version = 1 require identity *Identity password *Password optional ca_cert *Path_to_CA_Cert ----- ctrl_interface=/var/run/wpa_supplicant network={ ssid="$_ESSID" scan_ssid=$_SCAN proto=RSN key_mgmt=WPA-EAP pairwise=CCMP eap=PEAP phase1="peaplabel=0" phase2="auth=MSCHAPV2" identity="$_IDENTITY" password="$_PASSWORD" ca_cert="$_CA_CERT" }
After saving and activating the template, make sure to restart the wicd daemon and client. Next do a WiFi scan and configure an AP from the space, while using the newly created template !
You may specify a path to the CA certificate (see above)....you should do this actually, but still it's optional.
Linux - wpasupplicant
First install the H4x0roam SSL certificate chain:
mkdir -p /etc/ssl/h4x0roam wget http://www.hackerspace.lu/certs/syn2catCA.crt -O /etc/ssl/h4x0roam/syn2catCA.crt wget http://www.hackerspace.lu/certs/syn2catInfr.crt -O /etc/ssl/h4x0roam/syn2catInfr.crt wget http://www.hackerspace.lu/certs/lusitania.lan.crt -O /etc/ssl/h4x0roam/lusitania.lan.crt cat /etc/ssl/h4x0roam/syn2catInfr.crt /etc/ssl/h4x0roam/syn2catCA.crt > /etc/ssl/h4x0roam/combined-ca.pem chmod 0644 /etc/ssl/h4x0roam/*
Please note that the 2 CA certificates have to be concatenated into a single file (this does only work with PEM certificated and not with DER certificates) to make wpa_supplicant accept tier 2 certifiactes (aka "certificates issued by a sub CA or intermediate CA").
Now add the following section to your /etc/wpa_supplicant.conf (you'll obviously have to fill in your own username and password):
network={ ssid="h4x0roam-kali" key_mgmt=WPA-EAP eap=PEAP identity="YOUR HACKERSPACE USERNAME" password="YOUR HACKERSPACE PASSWORD" phase2="auth=MSCHAPV2" ca_cert="/etc/ssl/h4x0roam/combined-ca.pem" client_cert="/etc/ssl/h4x0roam/lusitania.lan.crt" } network={ ssid="h4x0roam-pussy" key_mgmt=WPA-EAP eap=PEAP identity="YOUR HACKERSPACE USERNAME" password="YOUR HACKERSPACE PASSWORD" phase2="auth=MSCHAPV2" ca_cert="/etc/ssl/h4x0roam/combined-ca.pem" client_cert="/etc/ssl/h4x0roam/lusitania.lan.crt" }
Also make sure permissions are set correctly for wpa_supplicant:
chmod 0600 /etc/wpa_supplicant.conf
Warning: Please note that your syn2cat credentials are stored in cleartext on the hard disk unless you are using an encrypted hard disk.
If wpa_supplicant throws error messages like
Failed to connect to wpa_supplicant - wpa_ctrl_open: No such file or directory
add the following line before the network={} section in your /etc/wpa_supplicant.conf:
ctrl_interface=/var/run/wpa_supplicant
Nokia/Symbian phones and foo
Nokia/Symbian phones require you to install the CA certificates before they let you connect to a WPA-Enterprise network.
They also mostly only support certificates in DER format.
So here go the CA certificate from above in DER format:
rootCA (DER)
subCA (DER)
Dev Links
- http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol
- http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol
- http://tldp.org/HOWTO/8021X-HOWTO/freeradius.html
- http://wiki.freeradius.org/WPA_HOWTO
- http://wiki.freeradius.org/SQL_HOWTO
- http://www.dslreports.com/forum/remark,9286052~mode=flat
- http://ubuntuforums.org/showthread.php?t=478804
- http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg18906.html
- http://wiki.freeradius.org/Modules
- http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg14674.html
- http://svn.dd-wrt.com:8000/dd-wrt/browser/src/router/freeradius/src/modules/rlm_python/prepaid.py
Backend
Most of our services run on an LDAP backend. We have some information on our OID Registry.