YfiTechEAP

EAP Explained

  • Extensible Authentication Protocol (EAP) is a universal authentication framework frequently used in wireless networks and Point-to-Point connections.
  • Although the EAP protocol is not limited to wireless LANs and can be used for wired LAN authentication, it is most often used in wireless LANs.
  • The WPA and WPA2 standards have officially adopted five EAP types as their official authentication mechanisms.
  • Because the FreeRADIUS data which YFi Hotspot Manager maintains contains clear-text passwords, we can only use the EAP-TTLS type with PAP in the inner tunnel.

This section shows which changes have to be made to FreeRADIUS to activate EAP-TTLS/PAP.
It assumes the standard install and set-up of YFi Hotspot Manager.


Compile FreeRADIUS with EAP support

  • Ensure that the following dev package is installed BEFORE compiling FreeRADIUS from source:

    sudo apt-get install libssl-dev
    
  • This will allow FreeRADIUS to compile the EAP-TTLS libraries required for our setup.


Ensure there are Certificates

  • When FreeRADIUS is compiled with EAP-TTLS support, it will generate a set of self-signed certificates.
  • They are by default situated under /usr/local/etc/raddb/certs
  • The tar file which comes with YFi Hotspot Manager also contains a set of certs which can be used for testing.
  • You are encouraged to read through the /usr/local/etc/raddb/certs/README file and follow the instructions to create your own new set for production environments.

Activate inner-tunnel

  • As of version 2.X, FreeRADIUS has different 'sites' which can be activated.
  • Activate the inner-tunnel site with the following command:

    sudo ln -s /usr/local/etc/raddb/sites-available/inner-tunnel /usr/local/etc/raddb/sites-enabled/inner-tunnel
    
  • Edit /usr/local/etc/raddb/sites-available/inner-tunnel and change the following:

  • In the authorize section.

Original:

#
#  Read the 'users' file
files

#
#  Look in an SQL database.  The schema of the database
#  is meant to mirror the "users" file.

Change To:

#
#  Read the 'users' file
files
perl
if(ok){
   update control {
      Auth-Type := perl
   }
}

#
#  Look in an SQL database.  The schema of the database
#  is meant to mirror the "users" file.
  • In the authenticate section

Original:

authenticate {
        #
        #  PAP authentication, when a back-end database listed

Change to:

authenticate {

        Auth-Type Perl {
                perl
        }

        #
        #  PAP authentication, when a back-end database listed
  • Restart FreeRADIUS in debug mode and ensure it starts up OK

    sudo /etc/init.d/radiusd stop
    sudo radiusd -X
    

Change default site to work with inner-tunnel

  • Edit the /usr/local/etc/raddb/sites-enabled/default file. Change the following in the authorize section.

Original:

#
#  Read the 'users' file
files
update control {
   Auth-Type := perl
}
#perl

Change to:

#
#  Read the 'users' file
files
perl
#The perl module will return 'ok' if there is a 'User-Password'
#else it will return noop

if(ok){
   update control {
      Auth-Type := perl
   }
}
  • Restart FreeRADIUS in debug mode and ensure it starts up OK

Change the Perl module

  • The Perl module has to be changed so that it does NOT try to authenticate requests which do not carry the User-Password attribute.
  • This typically happens with EAP-TTLS: the secure tunnel gets established first, and the user's credentials are only transmitted through this tunnel afterwards.
  • Edit the /usr/local/etc/raddb/rlm_perl_modules/rlm_perl.pm file and change the following.

Original:

# Function to handle authorize
sub authorize {
       return RLM_MODULE_OK;
       #return RLM_MODULE_HANDLED;
}

Change to:

# Function to handle authorize
sub authorize {
        #Check if the 'User-Name' has a '\' in it - typical of windows
        if(defined($RAD_REQUEST{'User-Name'})){
                $RAD_REQUEST{'User-Name'} =~ s/\\\\/\\/g; #Removing troublesome characters in outer tunnel's username
                print($RAD_REQUEST{'User-Name'}); #Debug output only; visible when running radiusd -X
        }
        #EAP CHECK
        if(exists($RAD_REQUEST{'User-Password'})){   #Prevent EAP tunnel-setup auth request failure
                return RLM_MODULE_OK;
        }else{
                return RLM_MODULE_NOOP; #No password yet (outer tunnel): let another module handle it
        }
        #END EAP CHECK
        #return RLM_MODULE_OK;
        #return RLM_MODULE_HANDLED;
}
  • Restart FreeRADIUS in debug mode and ensure it starts up OK
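The following stand-alone Perl script is an added example, not part of YFi Hotspot Manager or FreeRADIUS; it exercises the same authorize decision as the modified rlm_perl.pm against constructed requests, so the outer-tunnel (no password) and inner-tunnel (PAP password) cases can be checked without a running radiusd. The %RAD_REQUEST hash and the RLM_MODULE_* constants mimic what rlm_perl exports to the module; the numeric values are taken from rlm_perl's example module and the request contents are made up.

```perl
#!/usr/bin/perl
# Added example: offline check of the authorize logic used for EAP-TTLS/PAP.
use strict;
use warnings;

# Return codes as defined in rlm_perl's example module (assumed values).
use constant {
    RLM_MODULE_OK   => 2,
    RLM_MODULE_NOOP => 7,
};

# Stand-in for the hash rlm_perl fills from the incoming RADIUS request.
our %RAD_REQUEST;

# Same decision as the modified rlm_perl.pm: normalise a Windows-style
# DOMAIN\\user name, then only claim the request when a User-Password exists.
sub authorize {
    if (defined $RAD_REQUEST{'User-Name'}) {
        $RAD_REQUEST{'User-Name'} =~ s/\\\\/\\/g;
    }
    return exists $RAD_REQUEST{'User-Password'} ? RLM_MODULE_OK : RLM_MODULE_NOOP;
}

# Constructed requests: the outer EAP-TTLS tunnel-setup request carries only an
# identity and no password; the inner PAP request carries the clear-text password.
my @cases = (
    { name => 'outer tunnel (EAP identity only)',
      req  => { 'User-Name' => 'anonymous' },
      want => RLM_MODULE_NOOP },
    { name => 'inner tunnel (PAP, clear-text password)',
      req  => { 'User-Name' => 'alice', 'User-Password' => 'secret' },
      want => RLM_MODULE_OK },
    { name => 'Windows client with doubled backslash',
      req  => { 'User-Name' => 'CORP\\\\bob', 'User-Password' => 'secret' },
      want => RLM_MODULE_OK },   # User-Name becomes CORP\bob
);

for my $c (@cases) {
    %RAD_REQUEST = %{ $c->{req} };
    my $got = authorize();
    printf "%-45s -> %s (User-Name now '%s')\n", $c->{name},
        $got == $c->{want} ? 'as expected' : "UNEXPECTED code $got",
        $RAD_REQUEST{'User-Name'};
}
```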

Add the AP as a NAS device

  • Use the YFi Hotspot Manager to do this.

Configure AP to use FreeRADIUS WPA-2 Enterprise security

  • Each AP has a different way to do this - usually through a web interface.

Test from the client's machine

  • Using your favorite GNU/Linux operating system ;-)
