Network hackerspace Strassen
Hardfalcon (Talk | contribs) |
(→SSL certificates) |
||
Line 20: | Line 20: | ||
" | " | ||
" | " | ||
− | [[3com Core]] == wall ports in | + | [[3com Core]] == wall ports in syn<sub>2</sub>cat rooms |
|| | || | ||
|| | || | ||
Line 64: | Line 64: | ||
Be sure to use exactly those settings, else it will not work.<br> | Be sure to use exactly those settings, else it will not work.<br> | ||
− | Note: PEAP+MSCHAPv2 will only work if you have changed your password on the | + | Note: PEAP+MSCHAPv2 will only work if you have changed your password on the syn<sub>2</sub>cat server after the 12th of October. Ask an admin for more information. |
=== Basic wpa_supplicant configuration for H4x0roam === | === Basic wpa_supplicant configuration for H4x0roam === | ||
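Review bot: the cut-off in the added note ("after the 12th of October") carries no year, so the note becomes ambiguous as soon as another October passes; write the full date (12th of October plus the year of the password-hash change) so readers can tell whether their password predates it.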
Line 94: | Line 94: | ||
Also make sure permissions are set correctly for wpa_supplicant: | Also make sure permissions are set correctly for wpa_supplicant: | ||
<pre>chmod 0600 /etc/wpa_supplicant.conf</pre> | <pre>chmod 0600 /etc/wpa_supplicant.conf</pre> | ||
− | '''Warning:''' Please note that your | + | '''Warning:''' Please note that your syn<sub>2</sub>cat credentials are stored in '''cleartext''' on the hard disk unless you are using an encrypted hard disk. If you do not have an encrypted hard disk (for example due to a slow CPU), please use the [[Howto: H4x0roam with netcfg and encrypted wpa_supplicant config|advanced method with an encrypted wpa_supplicant configuration and a ramdisk]]. |
If wpa_supplicant throws error messages like | If wpa_supplicant throws error messages like | ||
Line 107: | Line 107: | ||
=== SSL certificates === | === SSL certificates === | ||
− | [https://www.hackerspace.lu/certs/syn2catCA.crt https://www.hackerspace.lu/certs/ | + | There are a total of three certificates of interest.<br/> |
− | [https://www.hackerspace.lu/certs/ | + | We use a chained CA, making for a total of two CA certificates:<br/> |
− | [https://www.hackerspace.lu/certs/ | + | [https://www.hackerspace.lu/certs/syn2catCA.crt rootCA (PEM)]<br/> |
+ | [https://www.hackerspace.lu/certs/syn2catCAMain.crt subCA (PEM)]<br/> | ||
+ | |||
+ | And lastly for your convenience, a bundle of both in one file:<br/> | ||
+ | [https://www.hackerspace.lu/certs/syn2catCAMain_bundle.crt rootCA-subCA bundle (PEM)]<br/> | ||
+ | |||
+ | For completeness, but you probably don't need it, the certificate of the internal server at the space:<br/> | ||
+ | [https://www.hackerspace.lu/certs/lusitania.lan.crt lusitania-certificate (PEM)]<br/> | ||
+ | |||
+ | ==== Nokia/Symbian phones and foo ==== | ||
+ | Nokia/Symbian phones require you to install the CA certificates before they let you connect to a WPA-Enterprise network. | ||
+ | They also mostly only support certificates in DER format.<br/> | ||
+ | So here go the CA certificate from above in DER format:<br/> | ||
+ | [https://www.hackerspace.lu/certs/syn2catCA.der rootCA (DER)]<br/> | ||
+ | [https://www.hackerspace.lu/certs/syn2catCAMain.der subCA (DER)]<br/> | ||
=== OS compatibility === | === OS compatibility === |
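Review bot: the new certificate names are not carried through to the rest of the page. This hunk introduces syn2catCAMain.crt (subCA), the syn2catCAMain_bundle.crt bundle and lusitania.lan.crt, but the "Basic wpa_supplicant configuration for H4x0roam" section still downloads syn2catInfr.crt and lusitania.int.hackerspace.lu_infr.crt and builds combined-ca.pem by hand; update those wget lines to the new names (the ready-made bundle would replace the cat step) so the two sections describe the same chain. Two smaller points in the same hunk: "So here go the CA certificate from above" should read "So here are the CA certificates from above", and the heading "Nokia/Symbian phones and foo" still contains a placeholder.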
Revision as of 21:17, 5 April 2011
Overview
Every hackerspace has a network to connect to the Internets, and so does syn2cat.
Bring your laptop or use one of the available PCs, plug it in and off you go. There is also wireless LAN available.
Layout
Here's the current layout in fancy ASCII art.
    DSL -- thomson -- Lusitania :::: miniswitch == wall ports in ADHS rooms
                                        ||
                                        ||
                                     3com Rack -- photoborg
                                        "
                                        "
                                        "
                                        "
                                     3com Core == wall ports in syn2cat rooms
                                        ||
                                        ||
                                     OpenDuino, switches, HPprinter, dd-wrt
Legend:
* --   single cable
* ==   more than one cable
* ""   fiber trunk
* :::  VLAN
* ...  wlan cable
IP
We provide both IPv4 and IPv6 connectivity in the hackerspace.
Wireless
We have two access points (APs).
One of them operates in WPA2-Enterprise mode, the other in WPA2-Personal.
The WPA2-Personal AP uses the previously published pre-shared key (you can find it in the space).
The WPA2-Enterprise AP uses a radius server for authenticating users with their WIKI account.
Only paying syn2cat members are able to use their WIKI login to access this AP.
Use the following settings:
Security: WPA2 Enterprise
Authentication: Tunneled TLS (TTLS)
Inner authentication: PAP
Username: <wiki-user>
Password: <wiki-password>
or
Security: WPA2 Enterprise
Authentication: PEAP
Inner authentication: MSCHAPv2
Username: <syn2cat-user>
Password: <syn2cat-password>
Be sure to use exactly those settings, else it will not work.
Note: PEAP+MSCHAPv2 will only work if you have changed your password on the syn2cat server after the 12th of October. Ask an admin for more information.
Basic wpa_supplicant configuration for H4x0roam
First install the H4x0roam SSL certificate chain:
mkdir -p /etc/ssl/h4x0roam
wget http://www.hackerspace.lu/certs/syn2catCA.crt -O /etc/ssl/h4x0roam/syn2catCA.crt
wget http://www.hackerspace.lu/certs/syn2catInfr.crt -O /etc/ssl/h4x0roam/syn2catInfr.crt
wget http://www.hackerspace.lu/certs/lusitania.int.hackerspace.lu_infr.crt -O /etc/ssl/h4x0roam/lusitania.int.hackerspace.lu_infr.crt
cat /etc/ssl/h4x0roam/syn2catInfr.crt /etc/ssl/h4x0roam/syn2catCA.crt > /etc/ssl/h4x0roam/combined-ca.pem
chmod 0644 /etc/ssl/h4x0roam/*
Please note that the two CA certificates have to be concatenated into a single file (this only works with PEM certificates, not with DER certificates) to make wpa_supplicant accept tier 2 certificates (aka "certificates issued by a sub CA or intermediate CA").
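To see why the root certificate alone is not enough, here is an added demonstration (not part of the wiki page, and not the syn2cat certificates): it builds a throwaway root CA, an intermediate (sub) CA and a server certificate with the openssl command line (assumed to be OpenSSL 1.1.1 or newer), then checks the server certificate against the root only and against a PEM bundle made exactly like combined-ca.pem above. All names in it (Demo Root CA, Demo Sub CA, radius.demo.invalid) are made up.

```shell
#!/bin/sh
# Added example, not from the wiki: root CA -> sub CA -> server chain built with
# openssl, to show that ca_cert needs the root + intermediate PEM bundle.
# Names and keys are throwaway test material generated on the fly.
set -eu

# Create root.crt, sub.crt, server.crt and combined-ca.pem inside directory $1.
make_demo_chain() {
  d=$1
  # Minimal openssl config: an empty DN section (we pass -subj) plus a CA extension set.
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.cnf"
  # Self-signed root CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -config "$d/ca.cnf" -extensions ca \
    -keyout "$d/root.key" -out "$d/root.crt" >/dev/null 2>&1
  # Intermediate (sub) CA, signed by the root; CA:TRUE makes it usable as an issuer.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA" -config "$d/ca.cnf" \
    -keyout "$d/sub.key" -out "$d/sub.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.cnf" -extensions ca -out "$d/sub.crt" >/dev/null 2>&1
  # Server certificate issued by the sub CA (the "tier 2" certificate the page talks about).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.demo.invalid" -config "$d/ca.cnf" \
    -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/sub.crt" -CAkey "$d/sub.key" \
    -CAcreateserial -out "$d/server.crt" >/dev/null 2>&1
  # Same concatenation the page does: sub CA first, then root, in one PEM file.
  cat "$d/sub.crt" "$d/root.crt" > "$d/combined-ca.pem"
}

# Exit 0 only if server.crt FAILS against root.crt alone and PASSES against combined-ca.pem.
bundle_is_required() {
  d=$1
  if openssl verify -CAfile "$d/root.crt" "$d/server.crt" >/dev/null 2>&1; then
    echo "unexpected: root-only trust store accepted the server certificate" >&2
    return 1
  fi
  openssl verify -CAfile "$d/combined-ca.pem" "$d/server.crt" >/dev/null 2>&1
}

# Number of certificates in a PEM bundle (wpa_supplicant loads every BEGIN CERTIFICATE block).
pem_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

run_demo() {
  d=$(mktemp -d)
  make_demo_chain "$d"
  if bundle_is_required "$d"; then
    echo "combined-ca.pem ($(pem_cert_count "$d/combined-ca.pem") certs) validates the server cert; root alone does not"
  fi
  rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then
  run_demo
else
  echo "openssl not found, skipping demo" >&2
fi
```

The first verify fails with "unable to get local issuer certificate" because the trust file has no way to get from the server certificate to the root; the bundle supplies the missing intermediate, which is exactly what wpa_supplicant needs in the file named by ca_cert.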
Now add the following section to your /etc/wpa_supplicant.conf (you'll obviously have to fill in your own username and password):
network={
    ssid="h4x0roam"
    bssid=00:21:29:E9:D1:AA
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="YOUR HACKERSPACE USERNAME"
    password="YOUR HACKERSPACE PASSWORD"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/h4x0roam/combined-ca.pem"
    # PEAP/MSCHAPv2 authenticates with identity and password; client_cert is an
    # EAP-TLS option and must not point at the server's certificate, so it is left out.
    # client_cert="/etc/ssl/h4x0roam/lusitania.int.hackerspace.lu_infr.crt"
}
Also make sure permissions are set correctly for wpa_supplicant:
chmod 0600 /etc/wpa_supplicant.conf
Warning: Please note that your syn2cat credentials are stored in cleartext on the hard disk unless you are using an encrypted hard disk. If you do not have an encrypted hard disk (for example due to a slow CPU), please use the advanced method with an encrypted wpa_supplicant configuration and a ramdisk.
If wpa_supplicant throws error messages like
Failed to connect to wpa_supplicant - wpa_ctrl_open: No such file or directory
add the following line before the network={} section in your /etc/wpa_supplicant.conf:
ctrl_interface=/var/run/wpa_supplicant
More advanced configurations
Howto: H4x0roam with netcfg and encrypted wpa supplicant config
SSL certificates
There are a total of three certificates of interest.
We use a chained CA, making for a total of two CA certificates:
rootCA (PEM)
subCA (PEM)
And lastly for your convenience, a bundle of both in one file:
rootCA-subCA bundle (PEM)
For completeness, but you probably don't need it, the certificate of the internal server at the space:
lusitania-certificate (PEM)
Nokia/Symbian phones and foo
Nokia/Symbian phones require you to install the CA certificates before they let you connect to a WPA-Enterprise network.
They also mostly only support certificates in DER format.
So here are the CA certificates from above in DER format:
rootCA (DER)
subCA (DER)
OS compatibility
- Linux works out of the box
- Windows works out of the box
- OSX works out of the box
- iPhone works out of the box
- Android works fine with v1.6+
- Symbian works fine
- Maemo OS works fine
WICD template
Save this as "/etc/wicd/encryption/templates/eap-ttls" and add the filename to "/etc/wicd/encryption/templates/active".
Warning: This template lacks support for SSL certificates, so MITM attacks using a spoofed H4x0roam access point during authentication are possible! Please don't use this WICD template until support for SSL certificates is added!
name = EAP-TTLS
author = username
version = 1
require identity *Identity password *Password auth *Authentication
-----
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="$_ESSID"
    scan_ssid=$_SCAN
    eap=TTLS
    key_mgmt=WPA-EAP
    identity="$_IDENTITY"
    password="$_PASSWORD"
    phase2="auth=$_AUTH"
}
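The wpa_supplicant section above and this WICD template share the same two risks: a network block without ca_cert (no server certificate check, so a spoofed access point can collect credentials) and a cleartext password in a file other users can read. The following added script (not part of the wiki page or of WICD) audits a wpa_supplicant network block for both, and also flags a client_cert line on a PEAP/TTLS block, which those methods do not use. It assumes one network={...} block per file, as in the page's examples, and that the password may alternatively be given as hash:<NT hash>, which wpa_supplicant accepts for MSCHAPv2; the sample configs it writes are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the wiki or from WICD: audit a wpa_supplicant network
# block for missing ca_cert, cleartext password and a stray client_cert, and
# check that the config file is readable by its owner only.
# Assumes one network={...} block per file.
set -eu

# Print one finding per line for the network block in file $1.
audit_wpa_network() {
  f=$1
  # Only enterprise (802.1X) blocks are of interest here.
  grep -q '^[[:space:]]*key_mgmt=WPA-EAP' "$f" || return 0
  if grep -Eq '^[[:space:]]*eap=(PEAP|TTLS)' "$f" && ! grep -q '^[[:space:]]*ca_cert=' "$f"; then
    echo "no ca_cert: the RADIUS server certificate is never validated (spoofed AP / MITM risk)"
  fi
  if grep -q '^[[:space:]]*password=' "$f" && ! grep -q '^[[:space:]]*password="hash:' "$f"; then
    echo "password stored in cleartext (wpa_supplicant also accepts hash:<NT hash> for MSCHAPv2)"
  fi
  if grep -q '^[[:space:]]*client_cert=' "$f" && ! grep -q '^[[:space:]]*eap=TLS' "$f"; then
    echo "client_cert set on a PEAP/TTLS block; these methods use identity/password, not a client certificate"
  fi
}

# Number of findings for file $1.
finding_count() {
  audit_wpa_network "$1" | wc -l | tr -d ' '
}

# Exit 0 if group and others have no permission bits on file $1 (mode 0600 or stricter).
mode_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample configs (placeholder credentials, not real ones).
write_samples() {
  d=$1
  # Mirrors the page's block: has ca_cert, but also the client_cert line and a cleartext password.
  cat > "$d/with_ca.conf" <<'EOF'
ctrl_interface=/var/run/wpa_supplicant
network={
  ssid="h4x0roam"
  key_mgmt=WPA-EAP
  eap=PEAP
  identity="alice"
  password="not-a-real-password"
  phase2="auth=MSCHAPV2"
  ca_cert="/etc/ssl/h4x0roam/combined-ca.pem"
  client_cert="/etc/ssl/h4x0roam/server.crt"
}
EOF
  # Mirrors the WICD template: TTLS/PAP with no ca_cert at all.
  cat > "$d/no_ca.conf" <<'EOF'
network={
  ssid="h4x0roam"
  key_mgmt=WPA-EAP
  eap=TTLS
  identity="alice"
  password="not-a-real-password"
  phase2="auth=PAP"
}
EOF
  chmod 0600 "$d/with_ca.conf"
  chmod 0644 "$d/no_ca.conf"
}

d=$(mktemp -d)
write_samples "$d"
for f in "$d"/*.conf; do
  echo "== $f"
  audit_wpa_network "$f"
  mode_is_private "$f" || echo "file mode lets other users read it; chmod 0600 $f"
done
rm -rf "$d"
```

Run it against /etc/wpa_supplicant.conf with audit_wpa_network and mode_is_private to get the same checks on a real file; the WICD-style sample produces the ca_cert finding that the warning above describes.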
Dev Links
- http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol
- http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol
- http://tldp.org/HOWTO/8021X-HOWTO/freeradius.html
- http://wiki.freeradius.org/WPA_HOWTO
- http://wiki.freeradius.org/SQL_HOWTO
- http://www.dslreports.com/forum/remark,9286052~mode=flat
- http://ubuntuforums.org/showthread.php?t=478804
- http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg18906.html
- http://wiki.freeradius.org/Modules
- http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg14674.html
- http://svn.dd-wrt.com:8000/dd-wrt/browser/src/router/freeradius/src/modules/rlm_python/prepaid.py