802.1x and Radius Server authentication

debrat (Member, Posts: 21)
Hello,

I am currently looking at setting up a RADIUS server on a desktop and having an access point connected to it which authenticates wireless nodes through the RADIUS server. I also want to set up a CA for certificates. I was wondering if anyone can give me a push in the right direction and tell me where I can get resources for this, what freeware I can use, and advice from anyone who has done this before.

Thanks,
Debrat

Comments

  • K_amisi (Inactive Imported Users, Posts: 131)
    I currently have a setup like this at my place, using a RADIUS server to authenticate clients.

    What exactly do you need to know? To set up certificate enrollment, or just the authentication bit?
    "It is essential that justice be done, and it is equally vital that justice not be confused with revenge, for the two are wholly different."
  • TeKniques (OSCE, OSCP, CISSP, CISA, SSCP, MCSE (03), Security+, Network+, A+, Project+; Member, Posts: 1,262)
    Here are some great articles on Technet that might be able to help you out.

    IAS

    Deploying Certificates

    Good luck!
  • debrat (Member, Posts: 21)
    Thanks for the replies K_amisi and TeKniques.

    K_amisi, I actually want to set this up myself and have never done it before. I want to know how to set up certificate enrollment as well as the authentication. I had an AP, but I realised that it's not 802.1X compliant and I will not be able to use it. I just needed suggestions on how to go about this and recommendations on the AP to use. I am doing it for my final year project and just want to try different setups.

    Regards,
    Debrat
  • JDMurray (MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+; Surf City, USA; Admin, Posts: 12,675)
    There are several different firmware distributions for the Linksys WRT54G and GS access points which do support RADIUS and 802.1X. You can pick up one of these APs (hardware v1-v4, not v5) for under $50US, and the firmware is usually free. Have a look at the following links:

    http://www.wi-fiplanet.com/tutorials/article.php/3562391

    http://www.linksysinfo.org/

    http://en.wikipedia.org/wiki/WRT54G
  • debrat (Member, Posts: 21)
    Thanks jdmurray,

    This is really cool. I was getting worried that I will have to buy an expensive AP. I will have a look at the info and see where I can get one of these APs from.

    Cheers
  • JDMurray (MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+; Surf City, USA; Admin, Posts: 12,675)
    You can buy a Linksys WRT54GS almost anywhere. They are probably the most popular AP with people who like mod'ed firmware. You just need to make sure that you do not buy a WRT54GS with v5.x hardware. Linksys significantly changed the v5.x hardware so most 3rd-party firmware distros will not work on it. If you have a choice, buy a v3.0 WRT54GS (the serial number begins with CGN5); v3.0 seems to have the most capability. You will learn more about this as you read up on the WRT54GS.
  • debrat (Member, Posts: 21)
    Thanks for this jdmurray. Yeah, I will make sure I don't get the 5.x one. I am quite excited about messing around with it. Thanks for the tips.

    Cheers
  • K_amisi (Inactive Imported Users, Posts: 131)
    Hey boss,

    First of all you need a Windows Server 2003 or 2000 box; I use 2003. If you don't have AD, a standalone will still work.

    http://www.isaserver.org/img/upl/vpnkitbeta2/installenterpriseca.htm

    You need to set up a certificate server and set up the certificate templates that will be used by the wireless clients.

    Next up you need to set up a RADIUS server on the same Windows Server 2003 box.

    ...between you and me, you do not need to buy the full version; you can order the 180-day trial W2K3 Enterprise CD from Microsoft.

    For greater security use manual enrollment. I suspect you have a workgroup setup, so this should not be a problem.


    I hope this helps you?
  • debrat (Member, Posts: 21)
    This is really great, thanks for the tips K_amisi. I will go through the details and set it up once I get my access point. Have you ever tried the same setup with Linux using the FreeRADIUS server? I was thinking of trying that out as well, since I just want to see how the thing will work; I would like to experiment with different things. Funk also has software called Odyssey, I don't know if you have used it. Now that Funk has been acquired by Juniper, they have 30-day trials of their software, so I can use that also. Yeah, you are right, I will use the evaluation version. I am a student, I would never buy the full version ;)
    Thanks for the tips, and I hope you don't mind me asking more questions as I run along with the setup.
    Cheers
  • debrat (Member, Posts: 21)
    Hey jdmurray,

    I had a quick question. I was looking through eBay, and there are loads of people selling the WRT54GS Wireless-G router. In all of them it doesn't say what version it is, but it just says it has a speed booster. Among other things it says it supports WPA and WPA2. Am I correct to assume that if it supports WPA2 then it will be 802.1X compliant also?
  • JDMurray (MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+; Surf City, USA; Admin, Posts: 12,675)
    802.1X is actually the authentication part of WPA2, which is also known as the IEEE 802.11i wireless network security standard. If access point firmware is certified for WPA2 compliance then 802.1X comes along with it.

    It is important to look at the hardware requirements for any firmware distribution. Although all of those little black-and-blue Linksys boxes look the same, they all have very different hardware inside. It's important to not just grab one off the shelf without understanding what hardware revision it is, and if it is supported by the firmware you want to run on it. This is true for any computer or networking hardware that supports flash-able firmware.
  • debrat (Member, Posts: 21)
    Hey jdmurray,

    I am thinking of getting the Linksys WRT54GS router. I was looking at the details and it also supports WPA2. Just a quick question: since it's a Linksys AP, does this mean that it will support Cisco EAP protocols as well?
  • JDMurray (MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+; Surf City, USA; Admin, Posts: 12,675)
    Linksys firmware does not support Cisco's proprietary EAP solutions, such as EAP-FAST. I've also not seen a third-party WRT54G firmware distribution which supports Cisco EAP either. Linksys may now be owned by Cisco, but to get Cisco functionality it seems that you must still buy actual Cisco products.
  • TheWarrior520 (Member, Posts: 10)
    Is there any good reason besides compatibility that anyone would actually want to use one of Cisco's proprietary solutions? From my research thus far, all that I have seen is that these solutions just serve to weaken WPA in general and give more information to attackers. Admittedly, I have not really researched this in depth at all yet because I have been very busy with the CWNA v3 book, but I was just wondering if I am missing out on much with my WRT54G.

    -LC
  • JDMurray (MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+; Surf City, USA; Admin, Posts: 12,675)
    The average SOHO or ROBO really doesn't need anything more complex than WPA and a proper configuration to create an acceptable level of security on an 802.11 network. Cisco's proprietary networking solutions provide more manageability on very large networks with thousands of wireless nodes, but they also lock the customer into only using Cisco-compliant technology.

    Unless you specifically need connectivity with a Cisco-managed network, I don't think you need to worry about compliance with Cisco's proprietary networking solutions.
  • TheWarrior520 (Member, Posts: 10)
    Thanks for the reply jd. Actually, what I am more worried about is really just getting experience. I have been led to believe that many businesses use Cisco products, and I know that without dishing out a lot of money, or taking a course (which doesn't exactly sound like great fun if I can't actually "apply" what I am learning anywhere), it is probable that I will not have experience with it until the time comes when I need it, and I hate putting myself in that situation.
  • JDMurray (MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+; Surf City, USA; Admin, Posts: 12,675)
    Your concern is real. This is why people studying for the Cisco certifications often build their own lab of Cisco switches, routers, firewall and VPN boxes, etc. Students of Cisco technology realize the need to have the actual equipment with which to learn; if they don't have access to the equipment they need where they work, they must buy/borrow/share it themselves. The same is true with 802.11 equipment when studying for the CWNP exams.

    If you don't have the equipment you need, borrow it from someone who does, or get thee to eBay!
  • debrat (Member, Posts: 21)
    Hello,

    I just got the Linksys WRT54GS router. It looks good and it has support for WPA and WPA2. When I was trying to configure it I noticed that the settings give many options. These are: WPA Personal, WPA Enterprise, WPA2 Personal, WPA2 Enterprise and RADIUS. On WPA Enterprise and WPA2 Enterprise it does have the settings for the RADIUS server and the port along with the shared key. But there are no settings for defining the EAP protocol. Isn't this also supposed to be specified in the AP? Where do I have to specify the 802.1X settings, or do I just need to do them in the RADIUS server and the client, and as long as the AP supports it, it will forward it?
    Please let me know about this.
  • JDMurray (MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+; Surf City, USA; Admin, Posts: 12,675)
    When you are using EAP-RADIUS, you only need to configure the EAP type(s) at the remote client and the RADIUS server. The access point simply passes the RADIUS-encapsulated EAP messages between the client and server and doesn't care what EAP type is used. Just set the access point to "RADIUS" or "RADIUS Server" and you should be good to go.
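The pass-through role described above, as an added example that is not code from the thread, from Linksys firmware, or from IAS/FreeRADIUS: the access point takes the EAP message it received over 802.1X, wraps it in RADIUS EAP-Message attributes, and seals the packet with a Message-Authenticator keyed on the shared secret that the AP's "RADIUS" page asks for. The server checks that seal before it ever looks at the EAP type, which is why the EAP method is configured only on the client and the server. Wire formats follow RFC 2865 (RADIUS), RFC 3748 (EAP) and RFC 3579 (EAP over RADIUS); the shared secret, user identity, NAS address and the `demo` helper are constructed for illustration and use only the Python standard library.

```python
# Added example (not from the thread): an access point's RADIUS Access-Request
# carrying an EAP-Response/Identity, and the RADIUS server's checks on it.
# The secret, identity and NAS address are constructed values.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
MAX_ATTR_VALUE = 253  # attribute Length byte counts Type+Length too, max 255


def eap_response_identity(eap_id, identity):
    """EAP-Response/Identity: Code(1) Id(1) Length(2) Type(1) Identity (RFC 3748)."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def attr(attr_type, value):
    """One RADIUS attribute in Type/Length/Value form."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, request_authenticator, identity, eap_payload, nas_ip):
    """What the AP sends: the EAP message is only wrapped, never interpreted."""
    attrs = attr(ATTR_USER_NAME, identity.encode())
    attrs += attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
    # Long EAP messages (TLS records in PEAP/EAP-TLS) are split over several EAP-Message attributes.
    for i in range(0, len(eap_payload), MAX_ATTR_VALUE):
        attrs += attr(ATTR_EAP_MESSAGE, eap_payload[i:i + MAX_ATTR_VALUE])
    # Message-Authenticator is mandatory with EAP-Message (RFC 3579 3.2): HMAC-MD5 over the
    # whole packet with its own value zeroed, keyed with the AP/server shared secret.
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_authenticator
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zeroed placeholder is the last attribute, i.e. the last 16 bytes


def verify_and_extract_eap(secret, packet):
    """What the RADIUS server does before it looks at the EAP type at all."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    pos, mac_offset, eap = 20, None, b""
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18 or mac_offset is not None:
                raise ValueError("bad Message-Authenticator attribute")
            mac_offset = pos + 2
        elif attr_type == ATTR_EAP_MESSAGE:
            eap += packet[pos + 2:pos + attr_len]  # reassemble fragments in order
        pos += attr_len
    if not eap:
        raise ValueError("no EAP-Message")
    if mac_offset is None:
        raise ValueError("EAP-Message without Message-Authenticator (RFC 3579 3.2)")
    zeroed = packet[:mac_offset] + bytes(16) + packet[mac_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[mac_offset:mac_offset + 16]):
        raise ValueError("Message-Authenticator mismatch: wrong shared secret or tampered packet")
    if len(eap) < 5:
        raise ValueError("EAP message too short")
    eap_code, eap_id, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len != len(eap) or eap_code != EAP_RESPONSE:
        raise ValueError("malformed EAP response")
    # Only now does the server dispatch on eap[4] (the EAP type) to PEAP, EAP-TLS, etc.
    return {"radius_id": identifier, "eap_id": eap_id, "eap_type": eap[4], "identity": eap[5:].decode()}


def demo(secret=b"constructed-shared-secret", identity="student@lab.example"):
    """Round trip: AP builds the request, server verifies it and hands the EAP message on."""
    request_authenticator = os.urandom(16)
    eap = eap_response_identity(1, identity)
    packet = build_access_request(secret, 7, request_authenticator, identity, eap, "192.0.2.10")
    return verify_and_extract_eap(secret, packet)


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from this. The "port" on the AP's RADIUS page is the server's authentication port, UDP 1812 per RFC 2865 (older servers listen on 1645). And the only protection on the AP-to-server hop is that HMAC-MD5 keyed on the shared secret: the EAP-Message attributes themselves are not encrypted by RADIUS, so use a long random shared secret and keep the AP-to-server path on a trusted segment; the user's credentials are protected by the TLS tunnel inside PEAP or EAP-TLS, not by RADIUS.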
  • debrat (Member, Posts: 21)
    That's great, thanks for this jdmurray, I will try it out.
  • debrat (Member, Posts: 21)
    Hi,

    I tried the 802.1x setup. It was fairly easy. I used PEAP and had a certificate authority and IAS running on the same machine, Windows 2000 Server. So the client was using WEP alone with a user name and password I had created on the domain with Active Directory.
    I am not entirely sure how I can do a setup with EAP-TLS, having a certificate on both client and server side. Can anyone point out some documentation I can use to set this up, can I do it on Win2k or will I need Win2003?

    Debrat