Difference between revisions of "PfSense"
(→EAP-MD5) |
(→EAP/WPA2) |
||
| Line 12: | Line 12: | ||
{{Note|Not part of the wireless standard. Just here because its part of EAP.}} | {{Note|Not part of the wireless standard. Just here because its part of EAP.}} | ||
Insecure MD5 hashes. Does not verify EAP server. (vulrn to man in the middle) Works in 2k and depreciated in Vista. | Insecure MD5 hashes. Does not verify EAP server. (vulrn to man in the middle) Works in 2k and depreciated in Vista. | ||
| + | ===EAP-TTLS=== | ||
| + | Extends TLS. No native support in Win. Can use CA and PKI but does not require it. Server auth to client via CA, optionally client to server. Server can then use tunnel to auth. Not even username in cleartext. EAP-TTLSv0/EAP-TTLSv1 -v1 = Draft. | ||
| + | ===EAP-IKEv2=== | ||
| + | Internet Key Exchange - Asymmetric key pairs, Passwords, Symmetric keys. You can pick and choose auth methods. | ||
| + | ===EAP-FAST=== | ||
| + | Cisco makes after LEAP. Optional server certs. PAC (client cert) provisioning can be automatic. Attackers can intercept PAC file or spoof AP to get user/pass (cleartxt or MSCHAPv2). PAC issued to each user. Can issue to devices. Windows Vista and up with Cisco Module. No PAC file?: Falls back to TLS. | ||
==Notes== | ==Notes== | ||
Revision as of 22:16, 17 February 2012
Contents
freeradius2
Install
EAP/WPA2
LEAP
Crap created by Cisco and is proprietary. Native support in Win = No. 3rd party/Cisco clients = Yes. Widely adopted means that lots of equipment supports it. Exploit tool ASLEAP. Uses MS-CHAP which is shit in the first place. Recommend only using if need to with really long passwords.
EAP-TLS
Highly 'touted' TLS+PKI. Something about overhead of client side certs being bad. Original wireless EAP makes it natively supported in a majority of os's. Client side cert has to be distributed? (It's a private key)
EAP-MD5
Insecure MD5 hashes. Does not verify EAP server. (vulrn to man in the middle) Works in 2k and depreciated in Vista.
EAP-TTLS
Extends TLS. No native support in Win. Can use CA and PKI but does not require it. Server auth to client via CA, optionally client to server. Server can then use tunnel to auth. Not even username in cleartext. EAP-TTLSv0/EAP-TTLSv1 -v1 = Draft.
EAP-IKEv2
Internet Key Exchange - Asymmetric key pairs, Passwords, Symmetric keys. You can pick and choose auth methods.
EAP-FAST
Cisco makes after LEAP. Optional server certs. PAC (client cert) provisioning can be automatic. Attackers can intercept PAC file or spoof AP to get user/pass (cleartxt or MSCHAPv2). PAC issued to each user. Can issue to devices. Windows Vista and up with Cisco Module. No PAC file?: Falls back to TLS.
Notes
Install
http://www.pfsense.org/index.php?option=com_content&task=view&id=58&Itemid=46
- Installer Mode
- Quick Install
- Command line configure LAN/WAN
- System->Firmware->Autoupdater Settings->Choose Default Autoupdater URLs
- Install Unbound and configure for DNSSEC after disable standard DNS Forwarder
- Make sure LAN ip DNS ip in DHCP server on LAN Interface
- Enable NTP Server
Custom Build
I would like to build a PFSense install with the right kernel modules for VGA so I can have a graphical log viewer/monitor on the laptop that I use. I would also like to virtualize PFSense and SoleraOS....or find something that does the same thing. One machine, a firewall and monitoring solution in one.
This guide allows one to build their own iso image to install to a system:
One of the VGA modules has to be compiled into the kernel.
