# EAP-TLS under gentoo

## kubark42

Does anyone have any success getting this to work? Either from the client side or the server side?

I'm busy bashing my brains out on this. I wonder if it's something to do with the crazy rlm_unix config error.

----------

## Scottaroo

Greetings:

Yes, I finally got this working.

No, it was not any fun.

I have Dell Axim units authenticating wirelessly with Cisco 1200 Aironet access points and a Gentoo freeradius box.

How I did it:

Don't use the Gentoo FreeRadius 0.9.3 ebuild.  Many head-sized holes in the wall.  Download the development snapshot and use that.  That was the real key - things went pretty well after that.

I'd be happy to provide more detailed information if you are still interested.

-Scott

----------

## primero.gentoo

Very, very interested ... I'm just thinking about it, but some HINTS would be very much appreciated  :Smile: 

bye

primero

----------

## Scottaroo

Greetings Primero:

We needed to set up a wireless network to support a new app we got that runs on handheld PCs.  We went with the Dell Axims because we have a good relationship with Dell.  I'm going to have to add Windows PCs to the mix at some point, I'm sure.

We are using 6 Cisco 1200 Aironet access points to cover about 12000 sq. ft. on 3 floors in two different buildings.  Due primarily to the weak radios in the handhelds, we get no more than 80 feet of coverage from any one radio.

The Aironets are connected to the corporate net on their own VLAN.  The only other device on the VLAN is the ethernet interface of a Gentoo box.  The Gentoo box uses iptables to control access off of the wireless net to specific, selected boxes on the corporate net that are required for the app, email, and web browsing.

I have FreeRadius running on another Gentoo box.  I have set up a PKI to deal with the certificates that are required for this and for the VPN that the employees use to gain access to the corporate net from outside the building.  Currently the PKI consists of me running OpenSSL on the command-line to generate the necessary certificates.  I'm evaluating the PKI offering from openca.org, but haven't spent the time yet.

I had a lot of trouble with the Gentoo build of FreeRadius.  First it would build, then it wouldn't.  I don't think that the person responsible for the ebuild cares that much.  Or, more likely, just has better things to do.  

The documentation that the FreeRadius project puts out is mostly useless.  Its major shortcoming is that it is horribly out of date.  Their freeradius-users mailing list is a little better.  There are a few people on it who are trying to help out, but they seem overworked and underappreciated.  There were a lot of people asking a lot of questions that had already been asked and answered the previous week, had they just bothered to search the archives a little bit.  I lurked there and picked up enough to figure out what my problems were.

My problems were that I was using a 5 month old version of the software.  It seems to be under pretty heavy development, and they are pushing for an April release of 1.0.  All of my problems went away when I downloaded and built the latest development snapshot release.

Once I put the new software in place, the handhelds connected right up.  There is some silliness required to get the client certificates onto the handheld computers, because the PocketPC 2003 software expects them in a proprietary Microsoft format, but one of the OpenSSL guys reverse-engineered it and put out a little conversion tool.  You need another little tool to load the certificates into the certificate store on the handhelds.  All of that stupidity is PocketPC only - I'm sure that the PCs will take normal, everyday certificates.

After that, you just point the radius server at its certificates and fire it up.  The only useful documentation in the freeradius project is in the configuration files, but that documentation is pretty good.  It's a lot like the apache.conf file, in that most of the config options are in the file, just commented out, with a little information about each one in the comments.  You just go through and uncomment what you need and fill in the blanks.

Some hints:

Use the development snapshot of freeradius.

Lurk the freeradius-users mailing list and get a feel for what's going on.

If you've never used radius before, the O'Reilly book is a decent foundation.

Disable all of the AAA sources that you aren't using in the freeradius config.

And, I'm available if you get into something that you can't figure out.

----------

## primero.gentoo

Greetings Scottaroo:

Thanks a lot for the fast and very interesting Answer.

I'm not such an expert in wireless technology, so excuse me if the questions I'm gonna ask are a little bit ... simple and the answers could be RTFM, or GIYF ...  :Smile: 

My situation is much, much simpler than yours.

I've got a normal wireless LAN at home which I use for connecting 2 devices. 

One is a Gentoo laptop, and the other one is a wireless Gentoo media box I use to watch DVDs, DivX and such things. Both of them use a Prism54 chip based card and the access point is a 3com Office connect 3CRWE454G72.

When I was faced with (in)security about wireless I decided to look for the simplest solution and I started using a normal IPSEC VPN through the KAME implementation. It is working well now with certificates and so on.

Now I would like to deal with a more interesting solution like EAP_TLS, maybe not out of technical necessity but for getting experience and knowledge about it.

I think that setting up a CA and RADIUS would not be a great problem, maybe only needing some time. What I need to know is whether I understood well the interactions between the AP and the RADIUS ...

Particularly, I've not completely understood between which devices the crypto connection is established ...

It should be between the WiFi device and the AP, right? But when I authenticate against RADIUS and the session key is established, how is this key passed to the AP? The AP needs to be EAP_TLS enabled, right? I really don't know if mine is ... (and in reality I don't think so). 

My only solution would be to buy a new AP, I think ... 

Maybe I've made a little confusion ... sorry  :Smile: 

bye

primero

----------

## Scottaroo

Greetings Primero:

Well, to start with you need access points that can do eap_tls.  I'm not familiar with the 3Com stuff, but let's assume that it can.  Some of the newest linksys stuff (the 802.11g stuff) can do it, but mostly it's just the expensive corporate stuff.  (I love my job - I get to play with really cool toys!)

There is no permanent crypto connection between the access point and the client.  A temporary TLS tunnel is constructed to do authentication and key exchange.  What happens is that the AP and the client agree on some WEP keys.  They use them for a while, then they create some new ones.  The process is basically to dynamically rotate the WEP keys between the AP and the client.  Each client uses a different set of keys to talk to the AP, so the clients can't snoop on each other.  This prevents an attacker from sniffing enough traffic on any one keyset to be able to decrypt the traffic.  The keys change so often that you can't collect enough packets to mount a successful attack.

What happens when you start the computer (assuming everything is configured correctly) is:

Your computer requests the tls form of eap authentication from the access point.  An encrypted tls tunnel is constructed between your machine and the access point.

Your computer supplies its credentials to the access point over the encrypted tunnel.

The access point forwards your credentials to the radius server.

The radius server returns an ACCEPT response if your credentials are good, otherwise it returns REJECT.

Your machine is also provided with the credentials of the server, and can decide to abort the connection if it doesn't like the credentials (this prevents someone from setting up a bogus access point.)

Assuming that the radius server returns ACCEPT to the access point, and your computer accepts the access point, the access point and your computer negotiate WEP keys for the session.  You can control how long a "session" lasts, so you can cause the WEP keys to be renegotiated every hour or however often you wish.

These are some of the sites that I gleaned this information from.  Most are out of date and somewhat inaccurate (in that if you just follow the instructions blindly you will not end up with something that works), but they give you some background and the basic idea of how it is supposed to work.

http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

http://www.freeradius.org/

http://www.dslreports.com/forum/remark,9286052~mode=flat

http://www.missl.cs.umd.edu/wireless/eaptls

I think that from a security standpoint that the IPSEC stuff is just fine.  It's what I use on my wireless stuff at home.  I leave the wireless unencrypted and just run IPSEC over it.  I leave it open so that anyone driving by (or the neighbors) can get Internet access, but restrict them from talking to my machines.  I monitor the access, and no one ever uses it.

I'm sure that you can get it working if your equipment can support it.  I'm sure that the consumer level equipment will be supporting it pretty soon, if you want to get yourself some new equipment.

Good Luck.

-Scott
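The sequence Scott describes above, written out as a small Python model of one 802.1X/EAP-TLS session (an added example, not code from the thread or from FreeRADIUS). The certificates, CA name, nonces and the hash-based key derivation are constructed stand-ins for X.509 validation and the real TLS key schedule; what the model keeps is the logic: the client aborts on a server certificate its CA did not issue, the RADIUS side rejects an unknown client, and each accepted client gets its own session key that changes when the session epoch is renegotiated.

```python
import hashlib
import hmac

# Constructed certificates, modelled as subject/issuer pairs.  A real
# deployment validates X.509 signatures against the CA; here "issued by
# our CA" is the whole check, which is the part of the logic being shown.
TRUSTED_CA = "CN=Example Wireless CA"          # constructed trust anchor
SERVER_CERT = {"subject": "CN=radius.example", "issuer": TRUSTED_CA}
CLIENT_A = {"subject": "CN=axim-01", "issuer": TRUSTED_CA}
CLIENT_B = {"subject": "CN=axim-02", "issuer": TRUSTED_CA}
ROGUE_SERVER = {"subject": "CN=radius.example", "issuer": "CN=Bogus CA"}
UNKNOWN_CLIENT = {"subject": "CN=stranger", "issuer": "CN=Bogus CA"}

def issued_by_our_ca(cert):
    return cert["issuer"] == TRUSTED_CA

def derive_wep_key(master_secret, client_subject, epoch):
    """Per-client, per-session key: a different client or a new session
    epoch yields a different 104-bit (13-byte) WEP key from the same master."""
    label = f"{client_subject}|epoch={epoch}".encode()
    return hmac.new(master_secret, label, hashlib.sha256).digest()[:13]

def eap_tls_session(client_cert, server_cert, client_nonce, server_nonce, epoch=0):
    """Model of one 802.1X/EAP-TLS session through a pass-through AP.
    Returns (outcome, wep_key) with outcome in ACCEPT, REJECT, CLIENT_ABORT."""
    # 1. Client asks the AP for EAP-TLS; the AP relays EAP to the RADIUS server.
    # 2. The server's certificate arrives first (TLS ServerHello/Certificate),
    #    so the client checks it before offering its own credentials.  A bogus
    #    AP fronting an unknown server fails here.
    if not issued_by_our_ca(server_cert):
        return "CLIENT_ABORT", None
    # 3. The client certificate travels inside the TLS handshake to the server.
    # 4. RADIUS answers REJECT unless our CA issued the client certificate.
    if not issued_by_our_ca(client_cert):
        return "REJECT", None
    # 5. On ACCEPT both ends hold the same handshake secret (modelled here as a
    #    hash of the two nonces); the key the AP uses comes from it, never
    #    from a password shared with the AP.
    master_secret = hashlib.sha256(client_nonce + server_nonce).digest()
    return "ACCEPT", derive_wep_key(master_secret, client_cert["subject"], epoch)

if __name__ == "__main__":
    nonces = (b"client-random-1", b"server-random-1")   # constructed
    for name, cl, srv in [("axim-01", CLIENT_A, SERVER_CERT),
                          ("stranger", UNKNOWN_CLIENT, SERVER_CERT),
                          ("axim-01 vs bogus AP", CLIENT_A, ROGUE_SERVER)]:
        outcome, key = eap_tls_session(cl, srv, *nonces)
        print(f"{name}: {outcome} key={key.hex() if key else None}")
```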

----------

## primero.gentoo

*Scottaroo wrote:*

> A temporary TLS tunnel is constructed to do authentication and key exchange.  What happens is that the AP and the client agree on some WEP keys.

Just a question ... how is the temporary TLS tunnel constructed? Or better, how is the tunnel secured if the client and the AP don't have any shared key or password between them? (I've not read your links yet, so if the answer is there, sorry  :Smile:  )

I've got an IPSEC-based solution now, and I think it's great, but I really would like to try EAP_TLS ... the problem is that I don't know if my AP supports it, and in the official docs nothing is written about it; I need to check it out  :Smile: 

Thanks a lot

bye

primero

----------

## kubark42

First off, Scottaroo is soooo right. Download and compile the latest snapshot, and don't forget to disable ALL the unix modules. (Maybe someone more knowledgeable than I will make a proper ebuild with version 1.0.) Don't look too much to the documentation for help. I'm not going to spend too much time complaining about free software that I could never even begin to understand in a million years, much less create, but the listserv is a little... hostile sometimes. Part of the redundant question problem might stem from the fact that many important docs are put in the FAQ, which is not where I look, personally, when I have a technical problem such as the rlm_unix issue.

Here's a link for how EAP-TLS works. Definitely look at Fig 4-3.

http://www.cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/networking_solutions_white_paper09186a008009256b.shtml

Also, you need more than just an AP that supports EAP (which is usually called IEEE 802.1x). I have a Buffalo Tech WBR-G54, a WLA-G54C, and a Linksys WRT-54G that all function with my RADIUS network. I bought all of them for less than $100. You also need client software. If you have a Cisco card or use WinXP, then perfect. If not, you'll have to work a little harder. M$ has downloadable client utilities for all versions of Windows, although it's free only for Win2000. Mac and Linux can use Open1x, www.open1x.org. Otherwise, you'll have to buy the client utility from some company (I forget which) for $30.

In case it doesn't work under WinXP, this is the best troubleshooting help I've found.

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifitrbl.mspx

----------

## Scottaroo

*primero.gentoo wrote:*

> just a question ... how the temporary TLS tunnel is constructed? or better , how the tunnel is secured if the client and th AP have not any shared key or password beetween them?

Well, once you get into the realm of how crypto is actually performed, you get out of my area.  The math involved becomes magic to me.  I can tell you that it works the same way that basic SSL works when you connect to a website.  The phrase Diffie-Hellman key exchange has come up on more than one occasion, but I'm not sure if that is just how the keys are exchanged once the tunnel is in place or whether it is also used in the establishment of the tunnel as well.  Sorry to not be more helpful, but I just really don't know the answer.

As kubark42 was saying, you would need the proper software to do the exchanges.  The Dell systems that we use came with everything that we needed (I think it's part of the base PocketPC system).  The XSupplicant program from the open1x guys seems to work, and we've gotten rid of all of our Win9X systems, so that wasn't a problem for us.  Since you're running Gentoo on both of them, XSupplicant is almost surely the way to go.  There's even an ebuild (masked, but you wouldn't want it to be easy, would you?).

----------

## pulz

By any chance, is someone thinking of making a howto for this on the gentoo forum?

There are some good links in this thread, but none of them are 100%, so a complete guide would be nice  :Smile: 

----------

## pulz

I am having some troubles with the certs, so I'm just wondering if you guys made them yourself,

or used the scripts included in the freeradius package.

----------

## kubark42

I did both: used my own certificates and used the premade certs. Both worked for me.

The premade certs were much, much easier to do. I don't recommend using your own scripts unless you've got a good reason to. Also, I noticed that the premade certs are all generic, meaning you don't have to come up with a new script for each machine.

As far as a Howto goes, I don't see me setting one up. Everything I'd say has already been said here on the forums or on google. I would hesitate to try to replace the excellent howtos cited earlier by Scottaroo.

Especially since I'm getting lazy about looking on the gentoo forums for everything. It used to be that first I'd look on the docs, then google, and then I'd peruse the lists. Ever since I discovered gentoo, though, everything's been topsy-turvy. The forums are so great, welcoming, and well informed, I almost never look on google anymore, and this is a bad thing, IMHO. It means that all the collective information on these forums isn't penetrating the net.

I think a better idea is an ebuild of FreeRADIUS 1.0, once it comes out, that works on everyone's machine. That way someone (who knows, maybe me?) can make a really nice FreeRADIUS 1.0 howto that's accessible to all linux distros. Especially for WPA and TTLS under FreeRADIUS.  :Very Happy: 

P.S. To answer your question, with a really quick, quick, quick howto:

1. Download latest snapshot

2. Compile (make, make install, blah, blah, blah)

3. Comment out all references to unix and unix modules in the conf.

4. ???

5. Profit!

----------

## flickerfly

Just wanted to say thanks for the info and a working ebuild would be greatly appreciated by myself and certainly many others. 1.0 is at pre-release atm so it might be a good time to get started on it.

How could I help out with that? I'm not much of an ebuilder.

----------

