Difference between revisions of "PfSense"
Line 1: | Line 1: | ||
+ | =Hardware= | ||
+ | An embedded system, small, has features. | ||
+ | *http://www.hacom.net/ | ||
=Freeradius2= | =Freeradius2= | ||
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package | http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package |
Revision as of 17:18, 1 February 2013
Contents
Hardware
An embedded system, small, has features.
Freeradius2
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package
Install
- http://www.smallnetbuilder.com/wireless/wireless-howto/30213-how-to-setting-up-freeradius-for-wpa-a-wpa2-enterprise-part-2
- http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package
- http://wiki.freeradius.org/Mac-Auth
- http://wiki.freeradius.org/FAQ#FreeRADIUS+Frequently+Asked+Questions
- http://forum.pfsense.org/index.php/topic,43675.255.html
WPA2+EAP-TLS
- After the freeradius2 install
- Configure interfaces, users, and NAS/clients
- Configure EAP
- http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#EAP-TLS
- Use the pfsense cert manager when configuring
- You need to download the CA.crt, the client.crt, the client private key.
- Convert all of them to pem files for wpa_supplicant Cert Authority#Convert crt to PEM, http://www.gridsite.org/wiki/Convert_p12, http://linux.die.net/man/5/wpa_supplicant.conf, http://support.citrix.com/article/CTX106631
- Configure WPA Supplicant: http://linux.die.net/man/5/wpa_supplicant.conf
Disable Weaker EAP Types
If you disable "Weak EAP types" then you disable MD5, GTC and LEAP. Then you there should only be three strong types available:
EAP-TLS which is very secure and the strongest encryption EAP-TTLS Protected EAP (PEAP)
EAP-TTLS and PEAP could be clasified as secure, too, but less than EAP-TLS.
Because all the three types are secure types and so I didn't implement any option in the GUI to disable them. If you would like to disable this just go to Code:
/usr/local/etc/raddb/eap.conf
and delete/comment the TTLS and PEAP blocks and restart freeradius.
EAP/WPA2/ETC
LEAP
Crap created by Cisco and is proprietary. Native support in Win = No. 3rd party/Cisco clients = Yes. Widely adopted means that lots of equipment supports it. Exploit tool ASLEAP. Uses MS-CHAP which is shit in the first place. Recommend only using if need to with really long passwords.
EAP-TLS
Highly 'touted' TLS+PKI. Something about overhead of client side certs being bad. Original wireless EAP makes it natively supported in a majority of os's. Client side cert has to be distributed? (It's a private key)
EAP-MD5
Insecure MD5 hashes. Does not verify EAP server. (vulrn to man in the middle) Works in 2k and depreciated in Vista.
EAP-TTLS
Extends TLS. No native support in Win. Can use CA and PKI but does not require it. Server auth to client via CA, optionally client to server. Server can then use tunnel to auth. Not even username in cleartext. EAP-TTLSv0/EAP-TTLSv1 -v1 = Draft.
EAP-IKEv2
Internet Key Exchange - Asymmetric key pairs, Passwords, Symmetric keys. You can pick and choose auth methods.
EAP-FAST
Cisco makes after LEAP. Optional server certs. PAC (client cert) provisioning can be automatic. Attackers can intercept PAC file or spoof AP to get user/pass (cleartxt or MSCHAPv2). PAC issued to each user. Can issue to devices. Windows Vista and up with Cisco Module. No PAC file?: Falls back to TLS.
EAP-SIM
For GSM networks. http://tools.ietf.org/html/rfc4186
EAP-AKA/EAP-AKA'
UMTS/3GPP
EAP-GTC
Cisco alternative to PEAPv0/EAP-MSCHAPv2. Allows generic authentication to a number of databases: NDS + LDAP. Onetime pass too.
EAP-EKE
Short passwords and uses no PKI, uses Diffie-Hellman variant.
Encapsulation
EAP is not a wire protocol; instead it only defines message formats. Each protocol that uses EAP defines a way to encapsulate EAP messages within that protocol's messages.
IEEE 802.1x
"EAP over LANs" or EAPOL. Also: When EAP is invoked by an 802.1X enabled Network Access Server (NAS) device such as an IEEE 802.11i-2004 Wireless Access Point (WAP), modern EAP methods can provide a secure authentication mechanism and negotiate a secure private key (Pair-wise Master Key, PMK) between the client and NAS which can then be used for a wireless encryption session which uses TKIP or CCMP (based on AES) encryption.
PEAP
Protected EAP or simply PEAP, is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. Cisco, MS, and RSA. PEAPv1+v2+v3 - The protocol only specifies chaining multiple EAP mechanisms and not any specific method. However, use of the EAP-MSCHAPv2 and EAP-GTC methods are the most commonly supported.
PANA
Protocol for Carrying Authentication for Network Access - PANA will carry the EAP payload. PANA allows dynamic service provider selection, supports various authentication methods, is suitable for roaming users, and is independent from the link layer mechanisms.
Notes
Install
http://www.pfsense.org/index.php?option=com_content&task=view&id=58&Itemid=46
- Installer Mode
- Quick Install
- Command line configure LAN/WAN
- System->Firmware->Autoupdater Settings->Choose Default Autoupdater URLs
- Install Unbound and configure for DNSSEC after disable standard DNS Forwarder
- Make sure LAN ip DNS ip in DHCP server on LAN Interface
- Enable NTP Server
Install BSD Applications
setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/Latest/ pkg_add -r whatever
Custom Build
I would like to build a PFSense install with the right kernel modules for VGA so I can have a graphical log viewer/monitor on the laptop that I use. I would also like to virtualize PFSense and SoleraOS....or find something that does the same thing. One machine, a firewall and monitoring solution in one.
This guide allows one to build their own iso image to install to a system:
One of the VGA modules has to be compiled into the kernel.
http://devwiki.pfsense.org/DevelopersBootStrapAndDevIso
Notes
- http://doc.pfsense.org/index.php/Updating_pfSense_code_between_snapshots
- https://docs.google.com/document/d/1UDg8Rt5wN_pGoepJyKTlAAnQdJgAsNXSrX3vkQu15DE/edit?pli=1
- https://docs.google.com/document/d/1vFa4jCAwEMscJnJLEBZ2wshAwk-JqYh1wv5K1Cjoo5A/edit
- http://www.smallnetbuilder.com/wireless/wireless-howto/30213-how-to-setting-up-freeradius-for-wpa-a-wpa2-enterprise-part-2