Authenticated Wireless Network w/ Open Source Tools


Intro

Wireless networks offer various authentication/encryption methods, but using any of them forces you either to share a key, to manage certificates, and/or to do some configuration on the clients.

This implementation tries to be as simple as possible for the user, secure (all passwords are sent encrypted) and authenticated against the production directory server(s).

The chillispot server runs the following daemons to manage this wireless network:

Network Topology

How Does it Work

Chillispot brings eth0 up, creates a tunnel interface (tun0) over it and listens there. When a user connects to the wireless network, his machine requests a DHCP address, which is handed out by Chillispot.
At this stage the user gets an address on the 192.168.1.0 subnet and has http/https access to the chillispot server, plus DNS access through the chillispot server. (DNS passes through the wireless server's routing, which may be NAT or plain routing; this is handled by Iptables and explained later.)
When the user then tries to open a web site on port 80, Chilli catches the request and replies with HTTP redirect headers that send the user to an https web page on the wireless server for authentication. The authentication is done against the local Radius server, which checks the user against the LDAP server via ldaps (the s means SSL).
Once the user is authenticated, his traffic passes through the tunnel and is routed via Iptables. Iptables is configured for transparent proxying, meaning every request to port 80 is redirected to the wireless server on port 3128 (where Squid listens).
Squid is configured in transparent mode (more details later) and always forwards the requests to its parent proxy, wwwproxy. wwwproxy is configured to let requests from the wireless network and from the wireless server out without authentication.
So the user authenticates himself once, when connecting to the wireless net, and then gets Internet access without further authentication.


Command/Web to See What's Going on

Thanks to Mike Tewner, we have a nice MRTG page here that shows how many people are connected.
There are some important/useful commands for knowing what's going on; here are some examples:

[root@chilli_server root]# radwho
Login      Name              What  TTY  When      From      Location
tsvi       tsvi              shell S3   Tue 15:32 127.0.0.1 192.168.1.58
jonathag   jonathag          shell S0   Tue 13:55 127.0.0.1 192.168.1.56
dar        dar               shell S2   Tue 15:19 127.0.0.1 192.168.1.57
lampert    lampert           shell S1   Tue 12:53 127.0.0.1 192.168.1.51
alshek     alshek            shell S7   Tue 13:49 127.0.0.1 192.168.1.55
[root@chilli_server root]# radlast | head
tsvi     003:localhos 192.168.1.58    Tue Feb  7 15:32   still logged in
dar      002:localhos 192.168.1.57    Tue Feb  7 15:19   still logged in
jonathag 000:localhos 192.168.1.56    Tue Feb  7 13:55   still logged in
alshek   007:localhos 192.168.1.55    Tue Feb  7 13:49   still logged in
braun    006:localhos 192.168.1.53    Tue Feb  7 13:21 - 13:45  (00:24)
braun    006:localhos 192.168.1.52    Tue Feb  7 13:19 - 13:19  (00:00)
lampert  001:localhos 192.168.1.51    Tue Feb  7 12:53   still logged in
danziger 002:localhos 192.168.1.48    Tue Feb  7 12:45 - 13:54  (01:09)
lampert  001:localhos 192.168.1.50    Tue Feb  7 12:41 - 12:53  (00:11)
braun    003:localhos 192.168.1.47    Tue Feb  7 12:27 - 13:47  (01:20)
[root@chilli_server root]# tail /var/log/squid/access.log
1139319398.471      4 192.168.1.57 TCP_MEM_HIT/200 5251 GET http://www.msi.com.tw/images/test/images/download/download_bn_02s.jpg - NONE/- image/jpeg
1139319398.476      4 192.168.1.57 TCP_MEM_HIT/200 791 GET http://www.msi.com.tw/images/test/images/dowmaload-main-bg.jpg - NONE/- image/jpeg
1139319399.391    915 192.168.1.57 TCP_MISS/200 387 GET http://www.msi.com.tw/images/page/download/prolist/modelname_bg.gif - FIRST_PARENT_MISS/wwwproxy.company.com image/gif
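The two outputs above answer different questions (who holds a RADIUS session, and what is going through Squid), and the common key between them is the client IP on the 192.168.1.0 subnet. The following is an added example, not part of the original page: it parses `radlast` lines and Squid native access.log lines, maps each proxied request to the user whose session currently holds that IP, and flags requests from IPs with no active session, which on this design should never happen because every client must pass the captive portal before its port-80 traffic is redirected to Squid. The sample input is constructed from the lines shown above plus one made-up client (192.168.1.99).

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the `radlast` output shown above
# (an active session and an ended session are enough to show both shapes).
RADLAST_OUTPUT = """\
tsvi     003:localhos 192.168.1.58    Tue Feb  7 15:32   still logged in
dar      002:localhos 192.168.1.57    Tue Feb  7 15:19   still logged in
braun    006:localhos 192.168.1.53    Tue Feb  7 13:21 - 13:45  (00:24)
braun    006:localhos 192.168.1.52    Tue Feb  7 13:19 - 13:19  (00:00)
"""

# Constructed sample input in Squid's native access.log format; the last
# line is a made-up client with no RADIUS session, to show the mismatch case.
SQUID_ACCESS_LOG = """\
1139319398.471      4 192.168.1.57 TCP_MEM_HIT/200 5251 GET http://www.msi.com.tw/images/test/images/download/download_bn_02s.jpg - NONE/- image/jpeg
1139319399.391    915 192.168.1.57 TCP_MISS/200 387 GET http://www.msi.com.tw/images/page/download/prolist/modelname_bg.gif - FIRST_PARENT_MISS/wwwproxy.company.com image/gif
1139319400.002     12 192.168.1.99 TCP_MISS/200 1024 GET http://host.example/ - FIRST_PARENT_MISS/wwwproxy.company.com text/html
"""


def parse_radlast(text):
    """Parse `radlast` lines into session records (user, port, ip, active, duration)."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        user, port, ip = parts[:3]
        tail = " ".join(parts[3:])
        active = tail.endswith("still logged in")
        # ended sessions end with the duration in (HH:MM) form
        m = re.search(r"\((\d+):(\d+)\)$", tail)
        duration_min = int(m.group(1)) * 60 + int(m.group(2)) if m else None
        sessions.append({"user": user, "port": port, "ip": ip,
                         "active": active, "duration_min": duration_min})
    return sessions


def active_ip_map(sessions):
    """IP -> user for sessions that are still logged in (the live lease table)."""
    return {s["ip"]: s["user"] for s in sessions if s["active"]}


def parse_squid_log(text):
    """Parse Squid native log lines:
    time elapsed client code/status bytes method url ident peer/host type"""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10:
            continue
        code, _, status = parts[3].partition("/")
        peer_status, _, peer_host = parts[8].partition("/")
        entries.append({"time": float(parts[0]), "elapsed_ms": int(parts[1]),
                        "client": parts[2], "code": code, "status": int(status),
                        "bytes": int(parts[4]), "method": parts[5], "url": parts[6],
                        "peer_status": peer_status, "peer_host": peer_host})
    return entries


def attribute_requests(sessions, entries):
    """Group proxy requests by the RADIUS user currently holding the client IP.

    Requests from an IP with no active session land under NO_SESSION: every
    proxied client should have passed the captive portal first, so that bucket
    is the one worth alerting on.
    """
    ip_map = active_ip_map(sessions)
    report = defaultdict(list)
    for e in entries:
        report[ip_map.get(e["client"], "NO_SESSION")].append(e)
    return dict(report)


def parent_traffic(entries):
    """Bytes fetched through the parent proxy (wwwproxy) rather than served from cache."""
    return sum(e["bytes"] for e in entries if e["peer_status"] == "FIRST_PARENT_MISS")


if __name__ == "__main__":
    sessions = parse_radlast(RADLAST_OUTPUT)
    report = attribute_requests(sessions, parse_squid_log(SQUID_ACCESS_LOG))
    for user, reqs in report.items():
        print(f"{user:12} {len(reqs)} request(s), {sum(r['bytes'] for r in reqs)} bytes")
```

The mapping only uses sessions that are still logged in. The `radlast` output above shows the same user (braun) appearing at three different addresses over one afternoon, so attributing older log lines would require matching the Squid timestamp against each session's start and end time rather than the live table alone.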

Chillispot Configuration
Chilli has one important config file at /etc/chilli.conf that looks like this:
# The radius servers are at localhost
radiusserver1 127.0.0.1
radiusserver2 127.0.0.1

# This secret should match the 127.0.0.1 secret from /etc/raddb/clients.conf
radiussecret abcd

# Network for the tun0 and the dhcp clients
net 192.168.1.0/24

# Default domain for the dhcp clients
domain company.com

# the interface that chilli runs on, and run its DHCP server
dhcpif eth0

# the URL of the login page
uamserver https://w_auth.company.com/cgi-bin/hotspotlogin.cgi

# This should be identical to the passwd at /var/www/cgi-bin/hotspotlogin.cgi
# See more info there
uamsecret another_passwd

FreeRadius Configuration

The Radius server is configured to authenticate against our LDAP. Here are the important lines from /etc/raddb/radiusd.conf, and here is the whole file.

# authorization and authentication (Auth-Type := LDAP)
#
# See doc/rlm_ldap for description of configuration options
# and sample authorize{} and authenticate{} blocks
ldap {
        server = "ldap.company.com"
        # identity = "cn=admin,o=My Org,c=UA"
        # password = mypass
        basedn = "ou=Staff,dc=company,dc=com"
        # filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        filter = "(uid=%u)"
        # base_filter = "(objectclass=radiusprofile)"

        # forcing connection to ldaps port (SSL)
        port = 636

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 636) connections
        start_tls = no

        # tls_cacertfile = /path/to/cacert.pem
        # tls_cacertdir = /path/to/ca/dir/
        # tls_certfile = /path/to/radius.crt
        # tls_keyfile = /path/to/radius.key
        # tls_randfile = /path/to/rnd
        # tls_require_cert = "demand"

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        # access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5
}

Note that every tls_* option in this block is commented out, so whether the LDAP server's certificate is actually verified on the ldaps connection depends on the system-wide OpenLDAP client settings (TLS_CACERT and TLS_REQCERT in ldap.conf). To be sure the password check cannot be redirected to an impostor LDAP server, set tls_cacertfile to your CA certificate and tls_require_cert = "demand" here.

Iptables Configuration

Iptables has three roles in this configuration

Redhat-based systems use /etc/sysconfig/iptables as the config file of the Iptables service; here is the file:

# Generated by iptables-save v1.2.8 on Tue Jan 31 20:19:08 2006
*filter
:INPUT DROP [98:9891]
:FORWARD ACCEPT [62452:12516145]
:OUTPUT ACCEPT [28235:10386076]
:LOGDROP - [0:0]
-A LOGDROP -j LOG
-A LOGDROP -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 1812 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 1813 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 1814 -j ACCEPT
-A INPUT -i eth1 -j LOGDROP
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3990 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j LOGDROP
-A FORWARD -i eth0 -j LOGDROP
-A FORWARD -o eth0 -j LOGDROP
COMMIT
# Completed on Tue Jan 31 20:19:08 2006
# Generated by iptables-save v1.2.8 on Tue Jan 31 20:19:08 2006
*nat
:PREROUTING ACCEPT [4569:305698]
:POSTROUTING ACCEPT [415:33518]
:OUTPUT ACCEPT [634:47605]
-A PREROUTING -d ! 192.168.1.1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# Transparent proxy does not work on https
#-A PREROUTING -d ! 192.168.1.1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128
# SSH
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 22 -j MASQUERADE
# Direct access to JCT squid
-A POSTROUTING -d 147.161.1.25 -o eth1 -p tcp -m tcp --dport 3128 -j MASQUERADE
# DNS
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 53 -j MASQUERADE
-A POSTROUTING -o eth1 -p udp -m udp --dport 53 -j MASQUERADE
# POP IMAP
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 993 -j MASQUERADE
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 995 -j MASQUERADE
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 110 -j MASQUERADE
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 143 -j MASQUERADE
# SMTP
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 25 -j MASQUERADE
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 587 -j MASQUERADE
# https
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 443 -j MASQUERADE
COMMIT
# Completed on Tue Jan 31 20:19:08 2006
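The filter table above is order-sensitive: the wired interface eth1 hits its catch-all LOGDROP before the port 80/443/3990/3128 rules, while the wireless interface eth0 hits its LOGDROP only after them. The following is an added example, not part of the original page: a small walker that parses the filter table in iptables-save format (only the matches this dump uses: -i, -o, -p, --dport, --state, --tcp-flags SYN,RST,ACK SYN) and reports the verdict a given packet would get, including the jump into the user-defined LOGDROP chain. The packet descriptions are plain dicts constructed for the example.

```python
# Constructed copy of the filter table from the iptables-save dump above
# (the nat table is left out; this walker only models the filter chains).
IPTABLES_SAVE = """\
*filter
:INPUT DROP [98:9891]
:FORWARD ACCEPT [62452:12516145]
:OUTPUT ACCEPT [28235:10386076]
:LOGDROP - [0:0]
-A LOGDROP -j LOG
-A LOGDROP -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 1812 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 1813 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 1814 -j ACCEPT
-A INPUT -i eth1 -j LOGDROP
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3990 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j LOGDROP
-A FORWARD -i eth0 -j LOGDROP
-A FORWARD -o eth0 -j LOGDROP
COMMIT
"""

# options that take exactly one value and map straight onto a rule field
SIMPLE = {"-j": "target", "-i": "in", "-o": "out", "-p": "proto"}


def parse_rule(toks):
    """Read the subset of iptables matches used in the dump above."""
    rule = {"target": None, "in": None, "out": None, "proto": None,
            "dport": None, "states": None, "syn_only": False}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in SIMPLE:
            rule[SIMPLE[t]] = toks[i + 1]
            i += 2
        elif t == "--dport":
            rule["dport"] = int(toks[i + 1])
            i += 2
        elif t == "--state":
            rule["states"] = set(toks[i + 1].split(","))
            i += 2
        elif t == "--tcp-flags":
            # "SYN,RST,ACK SYN": of the flags examined only SYN may be set,
            # so the rule matches new connection attempts only
            rule["syn_only"] = (toks[i + 1], toks[i + 2]) == ("SYN,RST,ACK", "SYN")
            i += 3
        else:
            i += 2 if t == "-m" else 1   # "-m state" etc. carry their options separately
    return rule


def parse_filter_table(text):
    """Return (chain policies, chain rules) for the *filter table of a dump."""
    policies, chains, in_filter = {}, {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy          # "-" marks a user-defined chain
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            _, chain, *toks = line.split()
            chains.setdefault(chain, []).append(parse_rule(toks))
    return policies, chains


def rule_matches(rule, pkt):
    """Every match of the rule must agree with the packet description."""
    return ((rule["in"] is None or pkt.get("in") == rule["in"])
            and (rule["out"] is None or pkt.get("out") == rule["out"])
            and (rule["proto"] is None or pkt.get("proto") == rule["proto"])
            and (rule["dport"] is None or pkt.get("dport") == rule["dport"])
            and (rule["states"] is None or pkt.get("state") in rule["states"])
            and (not rule["syn_only"] or pkt.get("syn", False)))


def evaluate(policies, chains, chain, pkt):
    """Walk `chain` top to bottom like netfilter; return (verdict, jumps taken)."""
    trail = []
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        trail.append(f"{chain} -j {target}")
        if target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return target, trail
        if target == "LOG":              # non-terminating: note it and keep walking
            continue
        if target in chains:             # user-defined chain; RETURN falls back to caller
            verdict_, sub = evaluate(policies, chains, target, pkt)
            trail.extend(sub)
            if verdict_ != "RETURN":
                return verdict_, trail
    policy = policies.get(chain, "-")
    return ("RETURN" if policy == "-" else policy), trail


def verdict(chain, pkt, dump=IPTABLES_SAVE):
    """Final verdict for one packet against one chain of the dump."""
    policies, chains = parse_filter_table(dump)
    return evaluate(policies, chains, chain, pkt)[0]


if __name__ == "__main__":
    syn = {"proto": "tcp", "state": "NEW", "syn": True}
    print("ssh from eth0:        ", verdict("INPUT", {"in": "eth0", "dport": 22, **syn}))
    print("squid port from eth0: ", verdict("INPUT", {"in": "eth0", "dport": 3128, **syn}))
    print("squid port from eth1: ", verdict("INPUT", {"in": "eth1", "dport": 3128, **syn}))
    print("forward raw eth0:     ", verdict("FORWARD", {"in": "eth0", "out": "eth1", "dport": 80, **syn}))
```

Two things the walker makes visible: a connection to the Squid port 3128 is accepted from eth0 (the redirected client traffic) but dropped from eth1, purely because of where each interface's LOGDROP sits in the chain; and the FORWARD chain drops anything entering or leaving raw eth0, so only traffic that has gone through ChilliSpot's tun0 can be forwarded to the wired side.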

Squid configuration

Squid here listens in transparent mode and forwards all requests to wwwproxy. (Note that wwwproxy is configured to allow access from the wireless network (192.168.1.0) and from the Chilli_Server IP without authentication.)
Squid transparent mode is well documented at http://squid.visolve.com/squid/trans_caching.htm.
Here are the important lines from the squid.conf file (the full file can be seen here):

#################################################################
# Let this squid use the school proxy as parent
# Yedidia 2006Jan26
cache_peer wwwproxy.company.com parent 3128 3130 default
#
# Disallow direct access
# Yedidia 2006Jan26
acl all src 0.0.0.0/0.0.0.0
never_direct allow all

# -----------------------------------------------------------------------------
#  TAG: httpd_accel_host
#  TAG: httpd_accel_port
#       If you want to run Squid as an httpd accelerator, define the
#       host name and port number where the real HTTP server is.
#
#       If you want IP based virtual host support then specify the
#       hostname as "virtual". This will make Squid use the IP address
#       where it accepted the request as hostname in the URL.
#
#       If you want virtual port support then specify the port as "0".
#
#       NOTE: enabling httpd_accel_host disables proxy-caching and
#       ICP. If you want these features enabled also, then set
#       the 'httpd_accel_with_proxy' option.
#
#Default:
# httpd_accel_port 80
#####################################################
# Added By Yedidia for reverse proxying
# 2006JAN29
httpd_accel_host virtual
httpd_accel_port 80
#####################################################

#  TAG: httpd_accel_with_proxy on|off
#       If you want to use Squid as both a local httpd accelerator
#       and as a proxy, change this to 'on'. Note however that your
#       proxy users may have trouble to reach the accelerated domains
#       unless their browsers are configured not to use this proxy for
#       those domains (for example via the no_proxy browser configuration
#       setting)
#
#Default:
#########################################
# Enabled for transparent proxying (2006JAN29-Yedidia)
httpd_accel_with_proxy on

#  TAG: httpd_accel_uses_host_header on|off
#       HTTP/1.1 requests include a Host: header which is basically the
#       hostname from the URL. The Host: header is used for domain based
#       virtual hosts. If your accelerator needs to provide domain based
#       virtual hosts on the same IP address then you will need to turn this
#       on.
#
#       Note that Squid does NOT check the value of the Host header matches
#       any of your accelerated server, so it may open a big security hole
#       unless you take care to set up access controls proper. We recommend
#       that this option remain disabled unless you are sure of what you
#       are doing.
#
#       However, you will need to enable this option if you run Squid
#       as a transparent proxy. Otherwise, virtual servers which
#       require the Host: header will not be properly cached.
#
#Default:
# httpd_accel_uses_host_header off
#########################################
# Enabled for transparent proxying (2006JAN29-Yedidia)
httpd_accel_uses_host_header on


Page Created By Yedidia at 2006FEB07