Home arrow BrainDump arrow Securing a Linux Wireless Access Point

Securing a Linux Wireless Access Point

In this third part of a five-part series on building a Linux wireless access point, you'll learn several different ways to secure your servers, so you can choose the level of security that best suits your needs. This article is excerpted from chapter four of the Linux Networking Cookbook, written by Carla Schroder (O'Reilly; ISBN: 0596102488). Copyright © 2008 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

TABLE OF CONTENTS:
  1. Securing a Linux Wireless Access Point
  2. 4.8 Enterprise Authentication with a RADIUS Server
  3. 4.9 Configuring Your Wireless Access Point to Use FreeRADIUS
  4. 4.10 Authenticating Clients to FreeRADIUS
By: O'Reilly Media
Rating: starstarstarstarstar / 1
February 04, 2010

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

4.7 Making WPA2-Personal Almost As Good As WPA-Enterprise

Problem

Youíre nervous about sitting there with an unsecured wireless access point, and you really want to lock it up before you do anything else. Youíve made sure that all of your wireless network interfaces support WPA2, so youíre ready to go. You donít want to run a RADIUS authentication server, but using the same shared key for all clients doesnít seem very secure. Isnít there some kind of in-between option?

Solution

Yes, there is. Pyramid Linux comes with hostapd, which is a user space daemon for access point and authentication servers. This recipe will show you how to assign different pre-shared keys to your clients, instead of everyone using the same one. And, weíll use a nice strong AES-CCMP encryption, instead of the weaker RC4-based ciphers that WPA and WEP use.

First, run/sbin/rwto make the Pyramid filesystem writeable, then create or edit the /etc/hostapd.conf file:

  ##/etc/hostapd.conf
  interface=ath0
  bridge=br0
  driver=madwifi
  debug=0
  ssid=alrac-net
  macaddr_acl=0
  auth_algs=3
  wpa=1
  wpa_psk_file=/etc/hostapd_wpa_psk
  wpa_key_mgmt=WPA-PSK
  wpa_pairwise=CCMP

Next, create /etc/hostapd_wpa_psk, which holds the shared plaintext passphrase:

  00:00:00:00:00:00 waylongpassword

Then, edit /etc/network/interfaces so that hostapd starts when the br0 interface comes up. Add these lines to the end of your br0 entry:

  up hostapd -B /etc/hostapd.conf
  post-down killall hostapd

Run/sbin/ro, then restart networking:

  pyramid:~# /etc/init.d/networking restart

Now, grab a Linux client PC for testing. On the client, create an /etc/wpa_supplicant.conf file with these lines, using your own ESSID and super-secret passphrase from /etc/hostapd_wpa_psk:

  ##/etc/wpa_supplicant.conf
  network={
     ssid="alrac-net"
     psk="waylongpassword"
     pairwise=CCMP
     group=CCMP
     key_mgmt=WPA-PSK
  }

Shut down the clientís wireless interface, then test the key exchange:

  # ifdown ath0
  # wpa_supplicant -iath0 -c/etc/wpa_supplicant.conf -Dmadwifi -w
    Trying to associate with 00:ff:4a:1e:a7:7d (SSID='alrac-net' freq=2412 MHz)
    Associated with 00:ff:4a:1e:a7:7d
    WPA: Key negotiation completed with 00:ff:4a:1e:a7:7d [PTK=CCMP GTK=CCMP] 
  
CTRL-EVENT-CONNECTED - Connection to 00:2b:6f:4d:00:8e

This shows a successful key exchange, and it confirms that the CCMP cipher is being used, which you want to see because it is much stronger than the RC4 stream encryption used by WEP. Hit Ctrl-C to end the key exchange test. So, you can add more clients, giving each of them a unique key. All you do is line them up in /etc/hostapd_wpa_psk, and match their passphrases to their MAC addresses:

  00:0D:44:00:83:CF    uniquetextpassword
  00:22:D6:01:01:E2    anothertextpassword
  23:EF:11:00:DD:2E    onemoretextpassword

Now, you have a good strong AES-CCMP based encryption, and if one user compromises her key, you donít have to change all of them. Revoking a userís access is as easy as commenting out or deleting their key.

You can make it permanent on the clients by configuring their wireless interfaces to call wpa_supplicant when they come up. On Debian, do this:

  ##/etc/network/interfaces
  auto ath0
  iface ath0 inet dhcp
  pre-up wpa_supplicant -iath0 -Dmadwifi -Bw -c/etc/wpa_supplicant/wpa_supplicant.conf
  post-down killall -q wpa_supplicant

On Fedora, add this line to /etc/sysconfig/network-scripts/ifup-wireless:

  wpa_supplicant -ieth0 -c/etc/wpa_supplicant/wpa_supplicant.conf -Dmadwifi -Bw

Make sure your filepath to wpa_supplicant.conf is correct, that you specify the correct interface with-i, and that you specify the correct driver for your wireless interface with the-Doption.

Discussion

When you test the key exchange, you need to specify the driver for your WIC (in the example, itís - Dmadwifi). man 8 wpa_supplicant lists all options. The wext driver is a generic Linux kernel driver. Youíll see documentation recommending that you use this. Itís better to try the driver for your interface first, then give wext a try if that causes problems.

The example passphrases are terrible, and should not be used in real life. Make yours the maximum length of 63 characters, no words or names, just random jumbles of letters and numbers. Avoid punctuation marks because some Windows clients donít handle them correctly. There are all kinds of random password generators floating around if you want some help, which a quick web search will find.

Windows XP needs SP2 for WPA support, plus client software that comes with your wireless interfaces. Older Windows may be able to get all the necessary client software with their wireless interfaces. Or maybe notóshop carefully.

It takes some computational power to encrypt a plaintext passphrase, so using plaintext passphrases could slow things down a bit. You can use wpa_password to encrypt your passphrases, then copy the encrypted strings into place:

  $ wpa_passphrase alrac-net w894uiernnfif98389rbbybdbyu8i3yenfig87bfop
  network={
         
ssid="alrac-net"
         
#psk= "w894uiernnfif98389rbbybdbyu8i3yenfig87bfop"
         
psk= 48a37127e92b29df54a6775571768f5790e5df87944 c26583e1576b83390c56f
  }

Now your clients and access point wonít have to expend so many CPU cycles on the passphrase. Encrypted keys do not have quotation marks in wpa_supplicant.conf; plaintext passphrases do.

In our original example, 00:00:00:00:00:00 means ďaccept all MAC addresses.Ē

You can see your keys in action with the iwlist ath0 key command on the access point and clients.

Your access point supports virtually all clients: Linux, Mac OS X, Windows, Unix, the BSDs...any client with a supplicant and support for the protocols will work.

NetworkManager and Kwlan are good graphical network management tools for Linux clients. NetworkManager is designed for all Linux desktops and window managers, and comes with Gnome; Kwlan is part of KDE. Both support profiles, key management, and easy network switching.

When youíre using an Ethernet bridge, make sure that you enter your wireless and bridge interfaces in /etc/hostapd.conf.

hostapd.conf supports access controls based on MAC addresses. Youíre welcome to use these; however, I think theyíre a waste of time because MAC addresses are so easy to spoof your cat can do it.

HostAP was originally a project that supported only Prism wireless chips, but now it supports these drivers:

  1. Host AP driver for Prism2/2.5/3
  2. madwifi (Atheros ar521x)
  3. Prism54.org (Prism GT/Duette/Indigo)
  4. BSD net80211 layer

See Also

  1. Pyramid Linux does not include manpages, so you should install the applications in this chapter on a PC to get the manpages, or rely on Google
     
  2. wlanconfig is part of MadWiFi-ng 
  3. man 8 wlanconfig
  4. The default hostapd.conf is full of informative comments
  5. The default wpa_supplicant.conf is helpful
  6. 802.11 Wireless Networks: The Definitive Guide, by Matthew Gast (OíReilly)
  7. MadWiFi.org: http://madwifi.org/



 
 
>>> More BrainDump Articles          >>> More By O'Reilly Media
 

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort
   

BRAINDUMP ARTICLES

- Apple Founder Steve Jobs Dies
- Steve Jobs` Era at Apple Ends
- Google's Chrome Developer Tool Updated
- Google's Chrome 6 Browser Brings Speed to th...
- New Open Source Update Fedora 13 is Released...
- Install Linux with Knoppix
- iPad Developers Flock To SDK 3.2
- Managing a Linux Wireless Access Point
- Maintaining a Linux Wireless Access Point
- Securing a Linux Wireless Access Point
- Configuring a Linux Wireless Access Point
- Building a Linux Wireless Access Point
- Migrating Oracle to PostgreSQL with Enterpri...
- Demystifying SELinux on Kernel 2.6
- Yahoo and Microsoft Create Ad Partnership

Developer Shed Affiliates

 


Dev Shed Tutorial Topics: