Network hackerspace Strassen

From syn2cat - HackerSpace.lu
(Difference between revisions)
Jump to: navigation, search
m (Layout)
(Added Archlinux howto)
Line 65: Line 65:
 
Be sure to use exactly those settings, else it will not work.<br>
 
Be sure to use exactly those settings, else it will not work.<br>
 
Note: PEAP+MSCHAPv2 will only work if you have changed your password on the syn2cat server after the 12th of October. Ask an admin for more information.
 
Note: PEAP+MSCHAPv2 will only work if you have changed your password on the syn2cat server after the 12th of October. Ask an admin for more information.
 +
 +
=== Howto on Archlinux using netcfg and encrypted wpa_supplicant configuration file ===
 +
This requires netcfg, openssl, and wpa_supplicant to be installed. Execute all shell commands as root unless specified otherwise.
 +
The configuration file for wpa_supplicant is going to be stored only in an encrypted form on the hard drive, as it contains you Hackerspace account credentials in clear text.  The decrypted version of the config will *only* be stored in a ramdisk, which is going to be automatically mounted and dismounted upon starting and stopping the h4x0roam network profile.
 +
 +
Create the directory for the ramdisk:
 +
<pre>
 +
mkdir -p /etc/network.d/secure/ramdisks/h4x0roam
 +
chmod -R 0700 /etc/network.d/secure
 +
</pre>
 +
 +
Create the network profile as '''/etc/network.d/h4x0roam''' with the following content:
 +
<pre>
 +
CONNECTION='wireless'
 +
DESCRIPTION='A secure wpa_supplicant configuration based wireless connection'
 +
INTERFACE='wlan0'
 +
SECURITY='wpa-config'
 +
PRE_UP="mount -t ramfs h4x0roam-ramdisk /etc/network.d/secure/ramdisks/h4x0roam/ ; openssl enc -d -aes-256-cbc -in /etc/network.d/secure/h4x0roam.aes -out /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam"
 +
PRE_DOWN="cat /etc/network.d/secure/h4x0roam.aes > /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam ; umount h4x0roam-ramdisk"
 +
WPA_CONF='/etc/network.d/secure/ramdisks/h4x0roam/h4x0roam'
 +
IP='dhcp'
 +
</pre>
 +
 +
Now we temporarily mount a ramdisk where we will create the configuration file for wpa_supplicant:
 +
<pre>
 +
mount -t ramfs h4x0roam-ramdisk /etc/network.d/secure/ramdisks/h4x0roam/
 +
</pre>
 +
 +
Create a file '''/etc/network.d/secure/ramdisks/h4x0roam/h4x0roam''' with the following content (you'll obviously have to fill in your own username and password):
 +
<pre>
 +
ctrl_interface=/var/run/wpa_supplicant
 +
network={
 +
ssid="h4x0roam"
 +
bssid=00:21:29:E9:D1:AA
 +
key_mgmt=WPA-EAP
 +
eap=PEAP
 +
identity="YOUR HACKERSPACE USERNAME"
 +
password="YOUR HACKERSPACE PASSWORD"
 +
phase2="auth=MSCHAPV2"
 +
ca_cert="/etc/ssl/h4x0roam/combined-ca.pem"
 +
client_cert="/etc/ssl/h4x0roam/lusitania.int.hackerspace.lu_infr.crt"
 +
}
 +
</pre>
 +
 +
Save an encrypted version of the file to '''/etc/network.d/secure/h4x0roam.aes''' (remember the encryption password!) and dismount the ramdisk:
 +
<pre>
 +
openssl enc -aes-256-cbc -salt -in /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam -out /etc/network.d/secure/h4x0roam.aes
 +
chmod 0600 /etc/network.d/secure/h4x0roam.aes
 +
cat /etc/network.d/secure/h4x0roam.aes > /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam
 +
umount /etc/network.d/secure/ramdisks/h4x0roam/
 +
</pre>
 +
 +
Install h4x0roam's SSL certificate chain (you need to be in the hackerspace to do this):
 +
<pre>
 +
mkdir -p /etc/ssl/h4x0roam
 +
mkdir /mnt/lusitania
 +
mount -t nfs lusitania.lan:/ /mnt/lusitania
 +
cp /mnt/lusitania/mnt/lusitania/public/WiFi_Certs/* /etc/ssl/h4x0roam
 +
mv /etc/ssl/h4x0roam/syn2catInfr.crt /etc/ssl/h4x0roam/combined-ca.pem
 +
cat /etc/ssl/h4x0roam/syn2catCA.crt >> /etc/ssl/h4x0roam/combined-ca.pem
 +
chmod 0644 /etc/ssl/h4x0roam/*
 +
umount /mnt/lusitania
 +
</pre>
 +
 +
Now you should be ready to go, so let's test your new network profile:
 +
<pre>
 +
netcfg h4x0roam
 +
</pre>
  
 
=== SSL certificates ===
 
=== SSL certificates ===

Revision as of 17:13, 3 November 2010

This page hosts details on our internal network, wired as well as wireless.

Contents

Overview

Every hackerspace has a network to connect to the Internets, so does syn2cat

Bring your laptop or use one of the available PCs, plug it in and off you go. There's also wireless LAN available.


Layout

Here's the current layout in fancy ASCII art.

DSL -- thomson -- Lusitania :::: miniswitch == wall ports in ADHS rooms
                      ||
                      ||
                  3com Rack -- photoborg
                      "
                      "
                      "
                      "
                  3com Core == wall ports in syn2cat rooms
                      ||
                      ||
                  OpenDuino, switches, HPprinter, dd-wrt



Legend:

  * -- single cable
  * == more than one cable
  * "" fiber trunk
  * ::: VLAN
  * ... wlan cable

IP

We provide both IPv4 and IPv6 connectivity in the hackerspace.

Wireless

We have two access points (APs).
One of them operates in WPA2-Enterprise mode, the other in WPA2-Personal. The WPA2-Personal AP uses the formerly published pre-shared-password (you can find it in the space).

The WPA2-Enterprise AP uses a radius server for authenticating users with their WIKI account.
Only paying sy2cat members are able to use their WIKI login to access this AP.

Use the following settings:
Security: WPA2 Enterprise
Authentication: Tunneled TLS (TTLS)
Inner authentication: PAP
Username: <wiki-user>
Password: <wiki-password>

or

Security: WPA2 Enterprise
Authentication: PEAP
Inner authentication: MSCHAPv2
Username: <syn2cat-user>
Password: <syn2cat-password>


Be sure to use exactly those settings, else it will not work.
Note: PEAP+MSCHAPv2 will only work if you have changed your password on the syn2cat server after the 12th of October. Ask an admin for more information.

Howto on Archlinux using netcfg and encrypted wpa_supplicant configuration file

This requires netcfg, openssl, and wpa_supplicant to be installed. Execute all shell commands as root unless specified otherwise. The configuration file for wpa_supplicant is going to be stored only in an encrypted form on the hard drive, as it contains you Hackerspace account credentials in clear text. The decrypted version of the config will *only* be stored in a ramdisk, which is going to be automatically mounted and dismounted upon starting and stopping the h4x0roam network profile.

Create the directory for the ramdisk:

mkdir -p /etc/network.d/secure/ramdisks/h4x0roam
chmod -R 0700 /etc/network.d/secure

Create the network profile as /etc/network.d/h4x0roam with the following content:

CONNECTION='wireless'
DESCRIPTION='A secure wpa_supplicant configuration based wireless connection'
INTERFACE='wlan0'
SECURITY='wpa-config'
PRE_UP="mount -t ramfs h4x0roam-ramdisk /etc/network.d/secure/ramdisks/h4x0roam/ ; openssl enc -d -aes-256-cbc -in /etc/network.d/secure/h4x0roam.aes -out /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam"
PRE_DOWN="cat /etc/network.d/secure/h4x0roam.aes > /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam ; umount h4x0roam-ramdisk"
WPA_CONF='/etc/network.d/secure/ramdisks/h4x0roam/h4x0roam'
IP='dhcp' 

Now we temporarily mount a ramdisk where we will create the configuration file for wpa_supplicant:

mount -t ramfs h4x0roam-ramdisk /etc/network.d/secure/ramdisks/h4x0roam/

Create a file /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam with the following content (you'll obviously have to fill in your own username and password):

ctrl_interface=/var/run/wpa_supplicant
network={
	ssid="h4x0roam"
	bssid=00:21:29:E9:D1:AA
	key_mgmt=WPA-EAP
	eap=PEAP
	identity="YOUR HACKERSPACE USERNAME"
	password="YOUR HACKERSPACE PASSWORD"
	phase2="auth=MSCHAPV2"
	ca_cert="/etc/ssl/h4x0roam/combined-ca.pem"
	client_cert="/etc/ssl/h4x0roam/lusitania.int.hackerspace.lu_infr.crt"
}

Save an encrypted version of the file to /etc/network.d/secure/h4x0roam.aes (remember the encryption password!) and dismount the ramdisk:

openssl enc -aes-256-cbc -salt -in /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam -out /etc/network.d/secure/h4x0roam.aes
chmod 0600 /etc/network.d/secure/h4x0roam.aes
cat /etc/network.d/secure/h4x0roam.aes > /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam
umount /etc/network.d/secure/ramdisks/h4x0roam/

Install h4x0roam's SSL certificate chain (you need to be in the hackerspace to do this):

mkdir -p /etc/ssl/h4x0roam
mkdir /mnt/lusitania
mount -t nfs lusitania.lan:/ /mnt/lusitania
cp /mnt/lusitania/mnt/lusitania/public/WiFi_Certs/* /etc/ssl/h4x0roam
mv /etc/ssl/h4x0roam/syn2catInfr.crt /etc/ssl/h4x0roam/combined-ca.pem
cat /etc/ssl/h4x0roam/syn2catCA.crt >> /etc/ssl/h4x0roam/combined-ca.pem
chmod 0644 /etc/ssl/h4x0roam/*
umount /mnt/lusitania

Now you should be ready to go, so let's test your new network profile:

netcfg h4x0roam

SSL certificates

https://www.hackerspace.lu/certs/lusitania.int.hackerspace.lu_infr.crt (updated 2010.10.12)

OS compatibility

  • Linux works out of the box
  • Windows works out of the box
  • OSX works out of the box
  • iphone works out of the box
  • Android works fine with v1.6+
  • Symbian works fine
  • Maemo OS works fine

WICD template

Save this as "/etc/wicd/encryption/templates/eap-ttls" and add the filename to "/etc/wicd/encryption/templates/active".

name = EAP-TTLS
author = username
version = 1
require identity *Identity password *Password auth *Authentication
-----
ctrl_interface=/var/run/wpa_supplicant
network={
        ssid="$_ESSID"
        scan_ssid=$_SCAN
        eap=TTLS
        key_mgmt=WPA-EAP
        identity="$_IDENTITY"
        password="$_PASSWORD"
        phase2="auth=$_AUTH"
}

Dev Links

Personal tools
Namespaces

Variants
Actions
Navigation
syn2cat
Hackerspace
Activities
Initiatives
Community
Tools
Tools