WiFi security appliance for authentication solution during conferences and seminars. Riccardo Veraldi INFN - CNAF HEPiX Spring 2009




What is TRIP?
- A distributed INFN-wide WiFi authentication architecture
- Based on proxy RADIUS authentication for INFN staff (INFN-dot1x SSID): 802.1X EAP-TTLS, phase 2 PAP
- Customized captive portal (INFN-Web SSID) for guests: open SSID
- Supports X509 authentication for non-802.1X-compliant supplicants
- Login/password for non-INFN guests
Riccardo.Veraldi@cnaf.infn.it - HEPiX Spring 2009 Umea

TRIP appliance
- Possibility to have the TRIP infrastructure available everywhere during seminars and workshops outside INFN sites
- A portable, robust and secure system which manages the INFN WiFi SSIDs everywhere: INFN-dot1x and INFN-Web
- OpenBSD based
- Strong hardware, no HDD
- Nothing to install, only need to plug in a CF card
- Users find the same WiFi environment they have in their own office at work

TRIP authentication schema (diagram)
Elements shown: TRIP appliance, hosting site router, VLAN trunk uplink, three WiFi supplicants on VLAN trunks, WAN, radius.garr.net, radius.x.infn.it, router.x.infn.it

Soekris net5501
- CPU Geode AMD 586-class 500MHz
- 512 Mbyte DDR-SDRAM, soldered on board
- 4 Mbit BIOS/BOOT Flash
- CompactFLASH Type I/II socket
- UltraDMA-100 interface with 44 pins connector for 2.5" Hard Drive
- Serial ATA 1.0 interface for Hard Drive, with +5V and +12V power header
- 4 VIA VT6105M 10/100 Mbit Auto MDIX Ethernet ports, RJ-45, protected to 700W/40A Surge
- 2 Serial ports, DB9 and 10 pins internal header
- USB 2.0 interface, one internal, one external port
- Mini-PCI type III socket (e.g. for hardware encryption or wireless controller)
- PCI Slot, right angle 3.3V signaling only, dual PCI slot option
- Temperature and voltage monitor
- Power using external power supply is 6-25V DC, max 20 Watt

tripgw Soekris net5501
- Software distribution derived from Flashdist (OpenBSD 4.5 based): 64MB CF
- Final distribution for TRIP: 256 MB
  - Flashdist 20090227
  - OpenBSD 4.5 kernel
  - Freeradius 1.1.6 distribution
  - OpenBSD Apache 1.3.29
  - TINO INFN 12032009 customized Captive Portal (support for X509 auth added)
  - ISC dhcpd v3.1.1
  - OpenBSD pf nat/firewall + ALTQ
  - Perl 5.10.0, RadiusPerl-0.13, Data-HexDump-0.02
  - Standard unix userland added: less, sudo, bash etc.
- Several configuration files required for TRIP to work

How TINO works (captive portal)
- Captive portal developed by Hannu Teulahti as a component of the Palosaari Campus Wireless Network
- Added INFN customization and patches to enable PKI authentication
- Everything is managed by a few Perl CGI scripts
- Clients are assigned an IP address by DHCP after INFN-Web association
- Upon their first TCP connection they are redirected to TCP port 80 and from there to the TINO HTTPS first login page
- Logon is based on X509 or login/password
- Credentials are checked against the radius users file or a local UN*X account, or proxied to an external radius server
- A dynamic firewall open rule is created through firewall.sh, triggered by the TINO login page; firewall.sh is executed through sudo
- The firewall close rule is issued on user logoff or when the user session times out
- Session timeout is managed with the dhcpd leases file and the users' session log directory /var/spool/tino
- Everything is logged to a static file or to syslog

TINO login page (screenshot)

Build appliance
- Installation of OpenBSD 4.5 snapshot 20090227 on a PC or virtual machine
- Build of the TRIP mandatory software, compiled from sources and statically linked if possible: httpd, radiusd, dhcpd, sudo, perl etc.
- Copy back of all additional software over the base Flashdist image distribution
- Configuration of all the TRIP mandatory software and of the OpenBSD startup and system scripts
- Copy back onto the Flashdist distribution: /etc/rc, radiusd.conf, pf.conf, firewall.sh and many other scripts
- Copy of the main system image and expansion over CF
- Soekris net5501 boot from CF

Boot appliance
- Boot configuration all inside the /etc/rc script
- Mount /dev into memory (1MB)
- Mount /tmp into memory (32MB)
- Symbolic link of /var into /tmp/var: the log partition /var/log is on volatile RAM
- Creation of the TINO Captive Portal environment and configuration, all files copied to the /tmp partition
- SSH DSA and RSA keys creation
- Hostname setting
- VLAN and IP interfaces creation; VLAN forwarding on three physical interfaces
- ntpdate, startup firewall, syslog startup
- dhcpd startup over VLAN interfaces
- sshd, apache, freeradius, cron startup

OpenBSD boot on soekris

    >> OpenBSD/i386 BOOT 3.02
    booting hd0a:/bsd: 2109736+393112 [52+124800+116772]=0x29e20c
    entry point at 0x200120
    [ using 241996 bytes of bsd ELF symbol table ]
    Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
    Copyright (c) 1995-2009 OpenBSD. All rights reserved.  http://www.openbsd.org

    OpenBSD 4.5 (GEODE) #8: Fri Feb 27 09:31:52 PST 2009
        chris@tundra.nmedia.net:/usr/src/sys/arch/i386/compile/geode
    cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 500 MHz
    cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
    real mem  = 536440832 (511MB)
    avail mem = 515358720 (491MB)

    OpenBSD/i386 (tripgw1.infn.it) (tty00)

    login:

VLAN list
- Default untagged: network 172.16.1.0/24
  - Radius IP 172.16.1.254
  - AP1: 172.16.1.253, AP2: 172.16.1.252, AP3: 172.16.1.251
- VLAN100 INFN-dot1x: network 172.16.100.0/24, 802.1x gw 172.16.100.254
- VLAN101 INFN-Web: network 172.16.101.0/24, TINO gw 172.16.101.254
- VLANs forwarded on vr1, vr2, vr3
- vr0: UPLINK interface

VLAN configuration
One VLAN on each NIC for each TAG = 6 VLAN + Default Untagged

    # Physical interfaces: vr1 carries the untagged AP network and the radius IP,
    # vr2 and vr3 are brought up as further AP ports, vr0 is the uplink
    ifconfig vr1 172.16.1.254 netmask 255.255.255.0
    ifconfig vr2 up
    ifconfig vr3 up
    ifconfig vr0 <uplink_ip> netmask 255.255.255.0

    # TAG 100 (INFN-dot1x): one vlan interface per NIC, joined in bridge100
    # together with the untagged ports; the 802.1x gateway lives on vlan1100
    ifconfig vlan1100 vlan 100 vlandev vr1
    ifconfig vlan2100 vlan 100 vlandev vr2
    ifconfig vlan3100 vlan 100 vlandev vr3
    ifconfig bridge100 create
    brconfig bridge100 add vlan1100 add vlan2100 add vlan3100 add vr1 add vr2 add vr3 up
    ifconfig vlan1100 inet 172.16.100.254 netmask 255.255.255.0 up

    # TAG 101 (INFN-Web): same scheme, the gateway is the TINO captive portal
    ifconfig vlan1101 vlan 101 vlandev vr1
    ifconfig vlan2101 vlan 101 vlandev vr2
    ifconfig vlan3101 vlan 101 vlandev vr3
    ifconfig bridge101 create
    brconfig bridge101 add vlan1101 add vlan2101 add vlan3101 up
    ifconfig vlan1101 inet 172.16.101.254 netmask 255.255.255.0

Multiport VLAN bridge (diagram)
- vr1: Default untagged; vlan1100 (TAG 100); vlan1101 (TAG 101)
- vr2: Default untagged; vlan2100 (TAG 100); vlan2101 (TAG 101)
- vr3: Default untagged; vlan3100 (TAG 100); vlan3101 (TAG 101)
- bridge100 spans the TAG 100 interfaces and bridge101 the TAG 101 interfaces across the three NICs

Radius configuration
- Freeradius 1.1.6, /usr/local/etc/raddb
- Radius authentication with proxying + radius local authentication for the Captive Portal
- Need to configure proxy.conf with the INFN remote peer radius server, e.g.:

    realm DEFAULT {
        type     = radius
        authhost = radius.x.infn.it:1812
        accthost = radius.x.infn.it:1813
        secret   = *********
        nostrip
    }

- Need to add the APs' IP addresses and the peer radius server in clients.conf
- Localhost must also be added for the local radius authentication interface with the Captive Portal
- Authentication bound to the radius users file
- Authentication with UN*X account

Firewall
OpenBSD PF configuration, pf.conf: packet filter and NAT
- vlan1101 (TAG 101, INFN-Web) filtered by default: only UDP 53 and TCP 80 and 443 to the Captive Portal are allowed
- vlan1100 (TAG 100, INFN-dot1x) open by default
- Dynamic PF table created by the firewall.sh TINO script
- NAT for both vlan1100 (INFN-dot1x) and vlan1101 (INFN-Web)
- Redirection rules allowing APs configuration from outside
- Redirection rules for the Captive Portal
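As an added example, not TRIP's own firewall.sh (the slides do not reproduce it), here is a script filling the role described on the TINO and Firewall slides: a helper run through sudo by the login/logoff CGI that adds or removes a guest address in the dynamic PF table. The table name tino_auth and the PFCTL override used for dry runs are assumptions; the 172.16.101.0/24 client network and its .254 gateway come from the VLAN list.

```shell
#!/bin/sh
# Added example, not TRIP's own firewall.sh: the helper that TINO's CGI runs
# through sudo to open/close a guest client in a dynamic PF table.
# Assumed: table name tino_auth and the PFCTL override used for dry runs.
# From the VLAN list: INFN-Web clients live in 172.16.101.0/24, gateway .254.
PFCTL="${PFCTL:-/sbin/pfctl}"
TABLE="${TABLE:-tino_auth}"
NET_PREFIX="172.16.101."

# valid_client_ip IP: succeed only for 172.16.101.1 .. 172.16.101.253 written
# as a canonical dotted quad. Anything else (other subnets, the gateway,
# leading zeros, spaces, shell metacharacters) is refused before pfctl sees it.
valid_client_ip() {
    case $1 in
        "$NET_PREFIX"*) ;;
        *) return 1 ;;
    esac
    host=${1#"$NET_PREFIX"}
    case $host in
        ''|*[!0-9]*|????*|0*) return 1 ;;   # empty, non-digit, >3 digits, leading zero
    esac
    [ "$host" -le 253 ]                    # .254 is the TINO gateway, .255 broadcast
}

# fw_rule open|close IP: add or delete IP in the PF table. On close also kill
# the client's existing states so open connections do not outlive the session.
fw_rule() {
    action=$1 ip=$2
    if ! valid_client_ip "$ip"; then
        logger -t tino_fw "refused $action for invalid client address '$ip'" 2>/dev/null || :
        return 2
    fi
    case $action in
        open)  "$PFCTL" -t "$TABLE" -T add "$ip" ;;
        close) "$PFCTL" -t "$TABLE" -T delete "$ip" && "$PFCTL" -k "$ip" ;;
        *)     return 2 ;;
    esac
}

# Invoked by the login/logoff pages as: firewall.sh open|close <client_ip>
if [ $# -eq 2 ]; then
    fw_rule "$1" "$2"
fi
```

The matching pf.conf side is a `table <tino_auth> persist` referenced by a pass rule on vlan1101, so only addresses the script has added get past the captive-portal filter.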

Traffic Shaping: ALTQ
Mandatory for a slow speed uplink

    # vr0 is the uplink interface; queues are only usable by rules on the
    # interface where altq is declared, so the pass rules are on vr0 as well
    altq on vr0 priq bandwidth 330Kb queue { std_out, smtp_imaps_out, dns_out, tcp_ack_out }
    queue std_out priq(default)
    queue dns_out priority 4 priq(red)
    queue smtp_imaps_out priority 5 priq(red)
    queue tcp_ack_out priority 6

    pass out on vr0 inet proto tcp from (vr0) to any flags S/SA \
        keep state queue(std_out, tcp_ack_out)
    pass out on vr0 inet proto { tcp udp } from (vr0) to any port domain \
        keep state queue dns_out
    pass out on vr0 inet proto tcp from (vr0) to any port { 22, 25, 587, 465, 993 } \
        flags S/SA keep state queue(smtp_imaps_out, tcp_ack_out)

How to use it
- Read-only pre-configured CF
- If we need to change the configuration (add users, add APs etc.): use the { ro, rw } commands to modify the CF access mode
- UN*X shell, OpenBSD environment: adduser, vi, tcpdump etc.
- Users can be added with adduser or directly into the freeradius users file
- Mandatory to use the ro command after any modification to the CF to preserve CF life; use the system in rw mode only when necessary
- Up to three access points can be attached to the NICs (vr1, vr2, vr3)
- Mandatory to register the vr0 IP address on the parent radius server configuration and on the logserver
- X509 host cert is pre-installed, hostname tripgw1.infn.it

Where to use it
- Conferences and seminars outside INFN sites where the TRIP INFN-wide WiFi authentication architecture is required
- Conferences and seminars without TRIP: CF customized with Captive Portal only
- TRIP appliance for small INFN sites
- Anyone who needs a WiFi authentication appliance with Captive Portal and 802.1x
- Eduroam ready
- Easy integration in any WiFi environment in any place to offer enterprise-level WPA authentication and Captive Portal as well

TODO
- Add bind chrooted cache-only local nameserver
- Friendly user interface: web user interface for setup, console text-only user interface for setup

Questions or Comments?