Network hackerspace Strassen

From syn2cat - HackerSpace.lu
(Difference between revisions)
Jump to: navigation, search
(Howto: H4x0roam with netcfg and encrypted wpa_supplicant config)
 
(36 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 
[[Category:Documentation]]
 
[[Category:Documentation]]
[[Description::This page hosts details on our internal network, wired as well as wireless.]]
+
[[Category:Howto]]
 +
[[Category:Network]]
 +
[[Category:IT_Infrastructure]]
  
 
== Overview ==
 
== Overview ==
Line 11: Line 13:
 
Here's the current layout in fancy ASCII art.
 
Here's the current layout in fancy ASCII art.
  
  DSL -- thomson -- [[Lusitania]] :::: miniswitch == wall ports in [http://www.treffadhs.lu/ ADHS] rooms
+
  DSL -- thomson :::: [[Lusitania]] :::: miniswitch == wall ports in [http://www.treffadhs.lu/ ADHS] rooms
                      ||
+
                                          ||
                      ||
+
                                          ||
                  [[3com Rack]] -- [[photoborg]]
+
                                      [[3com Rack]] == AP
                      "
+
                                          "
                      "
+
                                          "
                      "
+
                                          "
                      "
+
                                          "
                  [[3com Core]] == wall ports in syn2cat rooms
+
                                      [[3com Core]] == wall ports in syn<sub>2</sub>cat rooms
                      ||
+
                                          ||
                      ||
+
                                          ||
                  [[OpenDuino]], switches, HPprinter, dd-wrt
+
                                      [[OpenDuino]], switches, HPprinter, AP
  
 
                                
 
                                
Line 38: Line 40:
  
 
== Wireless ==
 
== Wireless ==
 +
There are several access points (APs) available for people to use. The APs do require authentication though some events feature a temporary open AP for visitors.
  
We have two access points (APs).<br>
+
syn2cat is part of the [http://spacefed.net spacefed] project thus if you have an account with some other participating hackerspace, you may transparently connect using your account to the syn2cat wireless infrastructure.
One of them operates in WPA2-Enterprise mode, the other in WPA2-Personal.
+
The WPA2-Personal AP uses the formerly published pre-shared-password (you can find it in the space).<br>
+
<br>
+
The WPA2-Enterprise AP uses a radius server for authenticating users with their WIKI account.<br>
+
Only paying sy2cat members are able to use their WIKI login to access this AP.<br><br>
+
Use the following settings:<br>
+
Security:                      WPA2 Enterprise<br>
+
Authentication:        Tunneled TLS (TTLS)<br>
+
Inner authentication:  PAP<br>
+
Username:                      <wiki-user><br>
+
Password:                      <wiki-password><br>
+
<br>
+
or
+
<br>
+
<br>
+
Security:                      WPA2 Enterprise<br>
+
Authentication:        PEAP<br>
+
Inner authentication:  MSCHAPv2<br>
+
Username:                      <syn2cat-user><br>
+
Password:                      <syn2cat-password><br>
+
  
 +
Our main access points use WPA2-Enterprise meaning that you do have to authenticate using your syn2cat (or spacefed roaming profile) credentials.
  
 +
Use the following settings:<br>
 +
'''Security''':                      WPA2 Enterprise<br>
 +
'''Authentication''':        PEAP<br>
 +
'''Inner authentication''':  MSCHAPv2<br>
 +
'''Anonymous username/identity''':  anonymous@syn2cat.lu<br>
 +
'''Username/Identity''':                      <syn2cat login>@syn2cat.lu<br>
 +
'''Password''':                      <syn2cat password><br>
  
 
Be sure to use exactly those settings, else it will not work.<br>
 
Be sure to use exactly those settings, else it will not work.<br>
Note: PEAP+MSCHAPv2 will only work if you have changed your password on the syn2cat server after the 12th of October. Ask an admin for more information.
 
  
=== Howto: H4x0roam with netcfg and encrypted wpa_supplicant config ===
+
Tutorials can be found [http://spacefed.net here].
[[Howto: H4x0roam with netcfg and encrypted wpa_supplicant config on Archlinux]]
+
This howto was written for Archlinux users, but it should also work on any other distro. Before trying this, you should make sure that netcfg, openssl, and wpa_supplicant are installed on your machine. Execute all shell commands as root unless specified otherwise.
+
  
The configuration file for wpa_supplicant is going to be stored only in an encrypted form on the hard drive, as it contains you Hackerspace account credentials in clear text.  The decrypted version of the config will *only* be stored in a ramdisk, which is going to be automatically mounted and dismounted upon starting and stopping the h4x0roam network profile.
+
=== SSL certificates ===
 +
There are a total of three certificates of interest.<br/>
 +
We use a chained CA, making for a total of two CA certificates:<br/>
 +
[https://www.hackerspace.lu/certs/syn2catCA.crt rootCA (PEM)]<br/>
 +
[https://www.hackerspace.lu/certs/syn2catCAMain.crt subCA (PEM)]<br/>
  
Create the directory for the ramdisk:
+
And lastly for your convenience, a bundle of both in one file:<br/>
<pre>
+
[https://www.hackerspace.lu/certs/syn2catCAMain_bundle.crt rootCA-subCA bundle (PEM)]<br/>
mkdir -p /etc/network.d/secure/ramdisks/h4x0roam
+
chmod -R 0700 /etc/network.d/secure
+
</pre>
+
  
Create the network profile as '''/etc/network.d/h4x0roam''' with the following content:
+
For completeness, but you probably don't need it, the certificate of the internal server at the space:<br/>
<pre>
+
[https://www.hackerspace.lu/certs/lusitania.lan.crt lusitania-certificate (PEM)]<br/>
CONNECTION='wireless'
+
<br/>
DESCRIPTION='A secure wpa_supplicant configuration based wireless connection'
+
You should use the CA certificates when connecting to the WiFi network (see below, your software manual or ask somebody at the space how-to), but this is not a requirement.
INTERFACE='wlan0'
+
SECURITY='wpa-config'
+
PRE_UP="mount -t ramfs h4x0roam-ramdisk /etc/network.d/secure/ramdisks/h4x0roam/ ; openssl enc -d -aes-256-cbc -in /etc/network.d/secure/h4x0roam.aes -out /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam"
+
PRE_DOWN="cat /etc/network.d/secure/h4x0roam.aes > /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam ; umount h4x0roam-ramdisk"
+
WPA_CONF='/etc/network.d/secure/ramdisks/h4x0roam/h4x0roam'
+
IP='dhcp'
+
</pre>
+
  
Now we temporarily mount a ramdisk where we will create the configuration file for wpa_supplicant:
+
=== OS compatibility ===
<pre>
+
* Linux works out of the box<br>
mount -t ramfs h4x0roam-ramdisk /etc/network.d/secure/ramdisks/h4x0roam/
+
in some versions end of 2013, eg ubuntu 13.04, was/is a [https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1104476 bug] where you need to remove the line <tt>system-ca-certs=true</tt> from to the relevant Network Manager config file (e.g. /etc/NetworkManager/system-connections/spacenet-kali).
</pre>
+
* Windows works out of the box<br>
 +
* OSX works out of the box<br>
 +
* iphone works out of the box<br>
 +
* Android works out of the box<br>
 +
* Symbian works fine (need to install CA certificates!, see earlier)<br>
 +
* Maemo OS works out of the box<br>
 +
 
 +
=== OS specific hints ===
 +
==== Arch Linux ====
 +
[[Howto: H4x0roam with netcfg and encrypted wpa supplicant config]]
 +
==== Linux - WICD template ====
 +
 
 +
Save this as "/etc/wicd/encryption/templates/peap-mschapv2" and add the filename to "/etc/wicd/encryption/templates/active".<br/>
 +
 
 +
'''Note: outdated configuration, needs anonymous identity'''
  
Create a file '''/etc/network.d/secure/ramdisks/h4x0roam/h4x0roam''' with the following content (you'll obviously have to fill in your own username and password):
 
 
<pre>
 
<pre>
 +
name = PEAP with MSCHAPv2
 +
author = syn<sub>2</sub>cat version = 1
 +
require identity *Identity password *Password
 +
optional ca_cert *Path_to_CA_Cert
 +
-----
 
ctrl_interface=/var/run/wpa_supplicant
 
ctrl_interface=/var/run/wpa_supplicant
 
network={
 
network={
ssid="h4x0roam"
+
ssid="$_ESSID"
bssid=00:21:29:E9:D1:AA
+
scan_ssid=$_SCAN
key_mgmt=WPA-EAP
+
proto=RSN
eap=PEAP
+
key_mgmt=WPA-EAP
identity="YOUR HACKERSPACE USERNAME"
+
pairwise=CCMP
password="YOUR HACKERSPACE PASSWORD"
+
eap=PEAP
phase2="auth=MSCHAPV2"
+
phase1="peaplabel=0"
ca_cert="/etc/ssl/h4x0roam/combined-ca.pem"
+
phase2="auth=MSCHAPV2"
client_cert="/etc/ssl/h4x0roam/lusitania.int.hackerspace.lu_infr.crt"
+
identity="$_IDENTITY"
 +
password="$_PASSWORD"
 +
ca_cert="$_CA_CERT"
 
}
 
}
 
</pre>
 
</pre>
  
Save an encrypted version of the file to '''/etc/network.d/secure/h4x0roam.aes''' (remember the encryption password!) and dismount the ramdisk:
+
After saving and activating the template, make sure to restart the wicd daemon and client. Next do a WiFi scan and configure an AP from the space, while using the newly created template !<br/>
<pre>
+
You may specify a path to the CA certificate (see above)....you should do this actually, but still it's optional.
openssl enc -aes-256-cbc -salt -in /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam -out /etc/network.d/secure/h4x0roam.aes
+
chmod 0600 /etc/network.d/secure/h4x0roam.aes
+
cat /etc/network.d/secure/h4x0roam.aes > /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam
+
umount /etc/network.d/secure/ramdisks/h4x0roam/
+
</pre>
+
  
Install h4x0roam's SSL certificate chain:
+
==== Linux - wpasupplicant ====
 +
First install the H4x0roam SSL certificate chain:
 
<pre>
 
<pre>
 
mkdir -p /etc/ssl/h4x0roam
 
mkdir -p /etc/ssl/h4x0roam
 
wget http://www.hackerspace.lu/certs/syn2catCA.crt -O /etc/ssl/h4x0roam/syn2catCA.crt
 
wget http://www.hackerspace.lu/certs/syn2catCA.crt -O /etc/ssl/h4x0roam/syn2catCA.crt
 
wget http://www.hackerspace.lu/certs/syn2catInfr.crt -O /etc/ssl/h4x0roam/syn2catInfr.crt
 
wget http://www.hackerspace.lu/certs/syn2catInfr.crt -O /etc/ssl/h4x0roam/syn2catInfr.crt
wget http://www.hackerspace.lu/certs/lusitania.int.hackerspace.lu_infr.crt -O /etc/ssl/h4x0roam/lusitania.int.hackerspace.lu_infr.crt
+
wget http://www.hackerspace.lu/certs/lusitania.lan.crt -O /etc/ssl/h4x0roam/lusitania.lan.crt
 
cat /etc/ssl/h4x0roam/syn2catInfr.crt /etc/ssl/h4x0roam/syn2catCA.crt > /etc/ssl/h4x0roam/combined-ca.pem
 
cat /etc/ssl/h4x0roam/syn2catInfr.crt /etc/ssl/h4x0roam/syn2catCA.crt > /etc/ssl/h4x0roam/combined-ca.pem
 
chmod 0644 /etc/ssl/h4x0roam/*
 
chmod 0644 /etc/ssl/h4x0roam/*
 
</pre>
 
</pre>
 +
Please note that the 2 CA certificates have to be concatenated into a single file (this does only work with PEM certificated and not with DER certificates) to make wpa_supplicant accept tier 2 certifiactes (aka "certificates issued by a sub CA or intermediate CA").
  
Now you should be ready to go, so let's test your new network profile:
+
Now add the following section to your '''/etc/wpa_supplicant.conf''' (you'll obviously have to fill in your own username and password):
 
<pre>
 
<pre>
netcfg h4x0roam
+
network={
 +
ssid="h4x0roam-kali"
 +
key_mgmt=WPA-EAP
 +
eap=PEAP
 +
identity="YOUR HACKERSPACE USERNAME"
 +
password="YOUR HACKERSPACE PASSWORD"
 +
phase2="auth=MSCHAPV2"
 +
ca_cert="/etc/ssl/h4x0roam/combined-ca.pem"
 +
client_cert="/etc/ssl/h4x0roam/lusitania.lan.crt"
 +
}
 +
network={
 +
ssid="h4x0roam-pussy"
 +
key_mgmt=WPA-EAP
 +
eap=PEAP
 +
identity="YOUR HACKERSPACE USERNAME"
 +
password="YOUR HACKERSPACE PASSWORD"
 +
phase2="auth=MSCHAPV2"
 +
ca_cert="/etc/ssl/h4x0roam/combined-ca.pem"
 +
client_cert="/etc/ssl/h4x0roam/lusitania.lan.crt"
 +
}
 
</pre>
 
</pre>
  
=== SSL certificates ===
+
'''Note: outdated configuration, needs anonymous identity'''
[https://www.hackerspace.lu/certs/lusitania.int.hackerspace.lu_infr.crt https://www.hackerspace.lu/certs/lusitania.int.hackerspace.lu_infr.crt] (updated 2010.10.12)
+
  
=== OS compatibility ===
+
Also make sure permissions are set correctly for wpa_supplicant:
* Linux works out of the box<br>
+
<pre>chmod 0600 /etc/wpa_supplicant.conf</pre>
* Windows works out of the box<br>
+
'''Warning:''' Please note that your syn<sub>2</sub>cat credentials are stored in '''cleartext''' on the hard disk unless you are using an encrypted hard disk.
* OSX works out of the box<br>
+
* iphone works out of the box<br>
+
* Android works fine with v1.6+<br>
+
* Symbian works fine<br>
+
* Maemo OS works fine<br>
+
 
+
=== WICD template ===
+
 
+
Save this as "/etc/wicd/encryption/templates/eap-ttls" and add the filename to "/etc/wicd/encryption/templates/active".
+
  
 +
If wpa_supplicant throws error messages like
 +
<pre>Failed to connect to wpa_supplicant - wpa_ctrl_open: No such file or directory</pre>
 +
add the following line '''before''' the ''network={}'' section in your '''/etc/wpa_supplicant.conf''':
 
<pre>
 
<pre>
name = EAP-TTLS
 
author = username
 
version = 1
 
require identity *Identity password *Password auth *Authentication
 
-----
 
 
ctrl_interface=/var/run/wpa_supplicant
 
ctrl_interface=/var/run/wpa_supplicant
network={
 
        ssid="$_ESSID"
 
        scan_ssid=$_SCAN
 
        eap=TTLS
 
        key_mgmt=WPA-EAP
 
        identity="$_IDENTITY"
 
        password="$_PASSWORD"
 
        phase2="auth=$_AUTH"
 
}
 
 
</pre>
 
</pre>
 +
 +
==== Nokia/Symbian phones and foo ====
 +
Nokia/Symbian phones require you to install the CA certificates before they let you connect to a WPA-Enterprise network.
 +
They also mostly only support certificates in DER format.<br/>
 +
So here go the CA certificate from above in DER format:<br/>
 +
[https://www.hackerspace.lu/certs/syn2catCA.der rootCA (DER)]<br/>
 +
[https://www.hackerspace.lu/certs/syn2catCAMain.der subCA (DER)]<br/>
  
 
=== Dev Links ===
 
=== Dev Links ===
Line 180: Line 184:
 
* http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg14674.html
 
* http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg14674.html
 
* http://svn.dd-wrt.com:8000/dd-wrt/browser/src/router/freeradius/src/modules/rlm_python/prepaid.py
 
* http://svn.dd-wrt.com:8000/dd-wrt/browser/src/router/freeradius/src/modules/rlm_python/prepaid.py
 +
 +
== Backend ==
 +
 +
Most of our services run on an LDAP backend. We have some information on our [[Registry|OID Registry]].
 +
 +
{{#set: Has description=This page hosts details on our internal network, wired as well as wireless. }}

Latest revision as of 20:56, 3 September 2016


Contents

[edit] Overview

Every hackerspace has a network to connect to the Internets, so does syn2cat

Bring your laptop or use one of the available PCs, plug it in and off you go. There's also wireless LAN available.


[edit] Layout

Here's the current layout in fancy ASCII art.

DSL -- thomson :::: Lusitania :::: miniswitch == wall ports in ADHS rooms
                                          ||
                                          ||
                                      3com Rack == AP
                                          "
                                          "
                                          "
                                          "
                                      3com Core == wall ports in syn2cat rooms
                                          ||
                                          ||
                                      OpenDuino, switches, HPprinter, AP



Legend:

  * -- single cable
  * == more than one cable
  * "" fiber trunk
  * ::: VLAN
  * ... wlan cable

[edit] IP

We provide both IPv4 and IPv6 connectivity in the hackerspace.

[edit] Wireless

There are several access points (APs) available for people to use. The APs do require authentication though some events feature a temporary open AP for visitors.

syn2cat is part of the spacefed project thus if you have an account with some other participating hackerspace, you may transparently connect using your account to the syn2cat wireless infrastructure.

Our main access points use WPA2-Enterprise meaning that you do have to authenticate using your syn2cat (or spacefed roaming profile) credentials.

Use the following settings:
Security: WPA2 Enterprise
Authentication: PEAP
Inner authentication: MSCHAPv2
Anonymous username/identity: anonymous@syn2cat.lu
Username/Identity: <syn2cat login>@syn2cat.lu
Password: <syn2cat password>

Be sure to use exactly those settings, else it will not work.

Tutorials can be found here.

[edit] SSL certificates

There are a total of three certificates of interest.
We use a chained CA, making for a total of two CA certificates:
rootCA (PEM)
subCA (PEM)

And lastly for your convenience, a bundle of both in one file:
rootCA-subCA bundle (PEM)

For completeness, but you probably don't need it, the certificate of the internal server at the space:
lusitania-certificate (PEM)

You should use the CA certificates when connecting to the WiFi network (see below, your software manual or ask somebody at the space how-to), but this is not a requirement.

[edit] OS compatibility

  • Linux works out of the box

in some versions end of 2013, eg ubuntu 13.04, was/is a bug where you need to remove the line system-ca-certs=true from to the relevant Network Manager config file (e.g. /etc/NetworkManager/system-connections/spacenet-kali).

  • Windows works out of the box
  • OSX works out of the box
  • iphone works out of the box
  • Android works out of the box
  • Symbian works fine (need to install CA certificates!, see earlier)
  • Maemo OS works out of the box

[edit] OS specific hints

[edit] Arch Linux

Howto: H4x0roam with netcfg and encrypted wpa supplicant config

[edit] Linux - WICD template

Save this as "/etc/wicd/encryption/templates/peap-mschapv2" and add the filename to "/etc/wicd/encryption/templates/active".

Note: outdated configuration, needs anonymous identity

name = PEAP with MSCHAPv2
author = syn<sub>2</sub>cat version = 1
require identity *Identity password *Password
optional ca_cert *Path_to_CA_Cert
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="$_ESSID"
scan_ssid=$_SCAN
proto=RSN
key_mgmt=WPA-EAP
pairwise=CCMP
eap=PEAP
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
identity="$_IDENTITY"
password="$_PASSWORD"
ca_cert="$_CA_CERT"
}

After saving and activating the template, make sure to restart the wicd daemon and client. Next do a WiFi scan and configure an AP from the space, while using the newly created template !
You may specify a path to the CA certificate (see above)....you should do this actually, but still it's optional.

[edit] Linux - wpasupplicant

First install the H4x0roam SSL certificate chain:

mkdir -p /etc/ssl/h4x0roam
wget http://www.hackerspace.lu/certs/syn2catCA.crt -O /etc/ssl/h4x0roam/syn2catCA.crt
wget http://www.hackerspace.lu/certs/syn2catInfr.crt -O /etc/ssl/h4x0roam/syn2catInfr.crt
wget http://www.hackerspace.lu/certs/lusitania.lan.crt -O /etc/ssl/h4x0roam/lusitania.lan.crt
cat /etc/ssl/h4x0roam/syn2catInfr.crt /etc/ssl/h4x0roam/syn2catCA.crt > /etc/ssl/h4x0roam/combined-ca.pem
chmod 0644 /etc/ssl/h4x0roam/*

Please note that the 2 CA certificates have to be concatenated into a single file (this does only work with PEM certificated and not with DER certificates) to make wpa_supplicant accept tier 2 certifiactes (aka "certificates issued by a sub CA or intermediate CA").

Now add the following section to your /etc/wpa_supplicant.conf (you'll obviously have to fill in your own username and password):

network={
	ssid="h4x0roam-kali"
	key_mgmt=WPA-EAP
	eap=PEAP
	identity="YOUR HACKERSPACE USERNAME"
	password="YOUR HACKERSPACE PASSWORD"
	phase2="auth=MSCHAPV2"
	ca_cert="/etc/ssl/h4x0roam/combined-ca.pem"
	client_cert="/etc/ssl/h4x0roam/lusitania.lan.crt"
}
network={
	ssid="h4x0roam-pussy"
	key_mgmt=WPA-EAP
	eap=PEAP
	identity="YOUR HACKERSPACE USERNAME"
	password="YOUR HACKERSPACE PASSWORD"
	phase2="auth=MSCHAPV2"
	ca_cert="/etc/ssl/h4x0roam/combined-ca.pem"
	client_cert="/etc/ssl/h4x0roam/lusitania.lan.crt"
}

Note: outdated configuration, needs anonymous identity

Also make sure permissions are set correctly for wpa_supplicant:

chmod 0600 /etc/wpa_supplicant.conf

Warning: Please note that your syn2cat credentials are stored in cleartext on the hard disk unless you are using an encrypted hard disk.

If wpa_supplicant throws error messages like

Failed to connect to wpa_supplicant - wpa_ctrl_open: No such file or directory

add the following line before the network={} section in your /etc/wpa_supplicant.conf:

ctrl_interface=/var/run/wpa_supplicant

[edit] Nokia/Symbian phones and foo

Nokia/Symbian phones require you to install the CA certificates before they let you connect to a WPA-Enterprise network. They also mostly only support certificates in DER format.
So here go the CA certificate from above in DER format:
rootCA (DER)
subCA (DER)

[edit] Dev Links

[edit] Backend

Most of our services run on an LDAP backend. We have some information on our OID Registry.


Personal tools
Namespaces

Variants
Actions
Navigation
syn2cat
Hackerspace
Activities
Initiatives
Community
Tools
Tools