Hi German,

You've already had much wisdom; I'm going to try a comprehensive reply to the whole problem.

In message <[EMAIL PROTECTED]>, gkalinec <[EMAIL PROTECTED]> writes
> I work for a mid-size private school (about 700-800 people on campus), and
> I'm trying to set up a way to limit the use of our wireless to our
> students/staff.  The main problem that I'm encountering is finding a
> solution that will fit our needs.

Yours is hardly the biggest wireless deployment; there are solutions that exist for this.


> A little background first...
> When I first started (about a year ago, and I'm still the only IT person
> managing the whole school network) we had crappy wireless at different
> places on campus for students and staff to access our network.  The person
> who set these up (my current boss) simply did a MAC access control list on
> each AP and made the students and staff come to him to register their
> computers.  This was a major pain since each of our APs (7 of them) had to
> have the new MAC address manually added to each AP every time we had a new
> laptop.  The problem with this solution (aside from having to enter the MACs
> 7 times) was that we eventually ran out of room in the MAC table.

MAC authentication is trivially broken. Most wireless cards can work with a spoofed MAC address, and MAC addresses are trivially sniffed from the air.

As you've also found out, maintainability of MAC tables is an issue. Some APs (including the 3Com 8760 - more about that in a minute) support MAC authentication against a RADIUS server, but it's usually not worth the effort, as it provides little if any extra security on top of WPA.

In fact, the 3Com 8760 doesn't support MAC authentication against a RADIUS server when using 802.1x. You could configure the RADIUS server to verify the MAC address when dealing with EAP, but this adds so little to security it isn't worth the hassle and the maintenance effort in my opinion.


> After some negotiating we got new wireless, but still not top of the line (I
> wanted CISCOs, we got Netgear WPN802s instead), and I found that we still
> ran out of space in the table (it now holds 50; we now have about 100+ laptops
> being used by students).

It doesn't have to be Cisco to be decent; there are some reasonable enough enterprise APs from other vendors.


The latest AP I bought was a 3Com 8760, which is a dual band (802.11a and 802.11b/g) AP, capable of WPA and WPA2 with four virtual access points per band (each with a different SSID, encryption and authentication settings, and optionally a different VLAN as well). It supports 802.1q tagged VLAN operation, RADIUS authentication and accounting, and you can return which VLAN to connect a user to in the Access-Accept packet from your RADIUS server. The 8760 is a Power over Ethernet device, and is supplied with a simple Power over Ethernet injector.

The only drawbacks I've found are that the web interface doesn't work perfectly in Firefox (it's documented as IE only in the current firmware release), RADIUS accounting has to be set at the CLI (again, documented as a limitation in the current firmware) and the PoE injector isn't fully 802.3af compliant, in that it doesn't employ any resistive sensing and is permanently live instead (which means you have to be careful what you connect it to - I inadvertently blew up a cheap network tester by connecting it to the other end of one of these).

It's not just the RADIUS accounting that you need to set up in the CLI - in fact, there are a few useful bits and pieces not supported in the web interface. Things like WPA2 pre-authentication are most easily configured in the CLI. Fortunately the user guide has full documentation of all the CLI commands.


There is a single band version of the 8760, the 7760 (capable of 802.11a or 802.11b/g, but not both at once unlike the 8760).



I had a quick look at the manual of the Netgear WPN802v1, and it's a device that I'd class only as a consumer grade AP - in fact, it falls well short of what most consumer grade APs can achieve. Despite the documentation of EAP and WPA2 in the appendix to the manual, it doesn't appear from the specification to support anything higher than WPA-PSK, which is useless in this context. Handing out a passphrase to 100+ users just isn't on.


You hint later that the Netgear APs have WPA Enterprise support - that's WPA with RADIUS rather than a Pre Shared Key. If not, you're going to need new APs - indeed, you may find that the existing APs really aren't up to the job even if they do have WPA Enterprise support. The 'sales' pitch is that you will be securing your wireless network properly. I'd go for a proper enterprise AP this time, and you could certainly evaluate the 3Com units I've mentioned.

Just to indicate how an enterprise grade AP needn't cost a fortune, current pricing in the UK is around GBP75 for the Netgear WPN802, whilst the 3Com 7760 can be had for GBP110 and the 3Com 8760 for GBP175. Power over Ethernet makes installation much easier. Overall, the price of decent network infrastructure is coming down; a decent 24 port 10/100 plus 2 port 10/100/1000 L2 managed switch such as a HP Procurve 2510-24 is around GBP200 now.


If everything has WPA2 support, deploy WPA2, but you may have some clients that only support WPA AES, in which case WPA2-Mixed mode may come to the rescue. If you have some clients that only support WPA TKIP, you'll probably have to use WPA Enterprise TKIP.

It's in this sort of scenario that the virtual APs of the 3Com units are useful - you can use WPA2 when possible, whilst accommodating kit that can't manage WPA2 as well, optionally on a separate VLAN that maybe doesn't have access to more secure internal services.

Indeed, you can use the 3Com APs to provide simultaneous wireless hotspot service via a captive portal setup (such as Chillispot) and RADIUS authenticated access to the internal network for authorised users - again, it's the virtual AP feature that comes in so useful.


> I know that the solution is to implement a radius
> authentication with the APs that we have.  The APs support radius servers
> using either WAP or legacy 802.1X (with WEP keys).  I did tons of research
> on WAP (being the preferred method), but I could not get around the fact
> that certificates MUST be installed in the client computer in order for the
> protocol to work.  This is simply impossible since most of our students (and
> staff for that matter) are unable to install certificates (or unwilling) and
> having to install certificates manually myself is just too time consuming.

You mean WPA, not WEP.


> So my first question is what methods would you suggest for this kind of set
> up?

Many wireless supplicants, such as the Microsoft one built into Windows XP, only support EAP-TLS and "PEAP" (technically PEAPv0/EAP-MSCHAPv2). There are other forms of EAP, such as EAP-TTLS, but without broad supplicant support, they're no use to you.

EAP-TLS requires client side certificates. I use it - but for you it's out of the question. You need a robust infrastructure to issue client certificates and the support burden is heavy, too.


You should therefore look at PEAP - the only certificate required in that case is one for the RADIUS server, with the clients using user names and passwords.

As others have said, if you have an authentication database already, you may be able to leverage that for PEAP in FreeRADIUS (using SQL, LDAP, Active Directory or Kerberos as appropriate). It depends on the password format, mainly.


You may be able to get away with creating your own CA (or using an existing CA under your control) when creating the server certificate, but that may require you to install root certificates on at least some machines. There's no harm testing with a certificate issued on your own CA - if it causes problems, get a certificate for the RADIUS server from a CA whose root certificate is in all the operating systems in question. Make sure the certificate signing request has the appropriate extensions, however!


Using PEAP may give you problems with Windows XP machines that aren't upgraded to SP2 (and you may additionally need the KB885453 hotfix). You can probably get away with setting the cipher_list in eap.conf to HIGH for added security; certainly that works with all my wireless clients, though it does depend which ciphers your wireless supplicants support.


> My original idea was to implement the legacy 802.1x option.  I managed to
> set up the AP correctly and the radius server to authenticate based on MAC
> addresses, but I could not find a way to get the WEP key back to the client
> laptop.  I'm not even sure it is possible, really, and I'm hesitant to try
> to have our students and staff enter a WEP key into their laptops themselves
> (since when they fail they will come for me to set it up, and if I wanted to
> change the WEP key, I would have to re-change it on every laptop).  Is there
> any way for the radius server to send back the WEP key to the client?  I
> know it must seem horribly insecure (and it is), but I have to show my boss
> a solution that is better than simply leaving our network open.
> Can someone help or suggest a better way of resolving this?

I'd forget all about WEP with 802.1x; it's not well standardised, it's insecure because WEP is insecure and client support is often not as good as WPA. WPA2 Enterprise (or if you haven't got the necessary support WPA Enterprise) is where you should be looking; the necessary keys to enable it to work are generated by the RADIUS server and passed to the AP.



In summary, I recommend setting up a PEAP setup using FreeRADIUS, and using that with WPA2 Enterprise on the APs, or WPA Enterprise if that's all they support.

If that proves impractical, some kind of Chillispot or similar captive portal setup based around RADIUS is possible, but that won't encrypt the data on the wireless network, which should be one of your aims. Chillispot can be used with WPA, but I have no experience of doing this.

MAC authentication, in my opinion, isn't worth bothering with - the security it provides is trivially broken, and management is a nightmare.


If you need new APs, something like the 3Com 7760 or 8760 would be more suitable than the arguably consumer grade Netgear units you have, not least because you can accommodate legacy clients that can't be upgraded to a new secure wireless network whilst requiring all new clients to operate on WPA2 Enterprise using PEAP.




David
--
David Wood
[EMAIL PROTECTED]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
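As an added illustration of the two things the reply above recommends (PEAP with EAP-MSCHAPv2 in FreeRADIUS, with cipher_list raised to HIGH, and returning the VLAN to the AP in the Access-Accept), here is a constructed configuration that is not part of David's message or the FreeRADIUS project's own files. It assumes FreeRADIUS 1.x/2.x eap.conf and users-file syntax; the certificate paths, user names, passwords and VLAN numbers are made-up placeholders.

```conf
# --- eap.conf (constructed example) ---
eap {
	# Clients that only talk PEAP get it without negotiation round-trips
	default_eap_type = peap

	tls {
		# Server certificate for the RADIUS server; the CSR must carry the
		# extensions XP expects (extendedKeyUsage serverAuth, see xpextensions)
		private_key_password = CHANGE_ME_key_password
		private_key_file = ${raddbdir}/certs/radius-server.pem
		certificate_file = ${raddbdir}/certs/radius-server.pem
		# Root of the CA that signed it (own CA or a public one)
		CA_file = ${raddbdir}/certs/ca.pem
		dh_file = ${raddbdir}/certs/dh
		random_file = /dev/urandom
		# Only strong TLS ciphers for the PEAP tunnel; drop back to DEFAULT
		# if a supplicant in use cannot negotiate any HIGH cipher
		cipher_list = "HIGH"
	}

	peap {
		# Inner method: user name + password, no client certificate needed
		default_eap_type = mschapv2
		# Copy the inner reply (incl. Tunnel-* VLAN attributes) to the outer
		# Access-Accept so the AP actually sees them
		use_tunneled_reply = yes
		copy_request_to_tunnel = yes
	}

	mschapv2 {
	}
}

# --- users (constructed example) ---
# RFC 3580 VLAN assignment: the AP puts the session on the returned VLAN.
# MS-CHAPv2 needs a cleartext (or NT-hashed) password on the server side.
alice	Cleartext-Password := "StaffExamplePass1"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "20"

bob	Cleartext-Password := "StudentExamplePass1"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "30"
```

Before pointing real clients at it, run `radiusd -X` and test the inner authentication with `radtest` so that a certificate or cipher problem shows up in the debug output rather than on a student's laptop.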
