PfSense

From Hack Sphere Labs Wiki
Revision as of 23:06, 17 February 2012 by Webdawg (talk | contribs) (freeradius2)

Jump to: navigation, search

freeradius2

Install


EAP/WPA2/ETC

LEAP

Crap created by Cisco and is proprietary. Native support in Win = No. 3rd party/Cisco clients = Yes. Widely adopted means that lots of equipment supports it. Exploit tool ASLEAP. Uses MS-CHAP which is shit in the first place. Recommend only using if need to with really long passwords.

EAP-TLS

Highly 'touted' TLS+PKI. Something about overhead of client side certs being bad. Original wireless EAP makes it natively supported in a majority of os's. Client side cert has to be distributed? (It's a private key)

EAP-MD5

Note: Not part of the wireless standard. Just here because its part of EAP.

Insecure MD5 hashes. Does not verify EAP server. (vulrn to man in the middle) Works in 2k and depreciated in Vista.

EAP-TTLS

Extends TLS. No native support in Win. Can use CA and PKI but does not require it. Server auth to client via CA, optionally client to server. Server can then use tunnel to auth. Not even username in cleartext. EAP-TTLSv0/EAP-TTLSv1 -v1 = Draft.

EAP-IKEv2

Internet Key Exchange - Asymmetric key pairs, Passwords, Symmetric keys. You can pick and choose auth methods.

EAP-FAST

Cisco makes after LEAP. Optional server certs. PAC (client cert) provisioning can be automatic. Attackers can intercept PAC file or spoof AP to get user/pass (cleartxt or MSCHAPv2). PAC issued to each user. Can issue to devices. Windows Vista and up with Cisco Module. No PAC file?: Falls back to TLS.

EAP-SIM

For GSM networks. http://tools.ietf.org/html/rfc4186

EAP-AKA/EAP-AKA'

UMTS/3GPP

EAP-GTC

Cisco alternative to PEAPv0/EAP-MSCHAPv2. Allows generic authentication to a number of databases: NDS + LDAP. Onetime pass too.

EAP-EKE

Short passwords and uses no PKI, uses Diffie-Hellman variant.

Encapsulation

EAP is not a wire protocol; instead it only defines message formats. Each protocol that uses EAP defines a way to encapsulate EAP messages within that protocol's messages.

IEEE 802.1x

"EAP over LANs" or EAPOL. Also: When EAP is invoked by an 802.1X enabled Network Access Server (NAS) device such as an IEEE 802.11i-2004 Wireless Access Point (WAP), modern EAP methods can provide a secure authentication mechanism and negotiate a secure private key (Pair-wise Master Key, PMK) between the client and NAS which can then be used for a wireless encryption session which uses TKIP or CCMP (based on AES) encryption.

PEAP

Protected EAP or simply PEAP, is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. Cisco, MS, and RSA. PEAPv1+v2+v3 - The protocol only specifies chaining multiple EAP mechanisms and not any specific method. However, use of the EAP-MSCHAPv2 and EAP-GTC methods are the most commonly supported.

PANA

Protocol for Carrying Authentication for Network Access - PANA will carry the EAP payload. PANA allows dynamic service provider selection, supports various authentication methods, is suitable for roaming users, and is independent from the link layer mechanisms.

Notes

Install

http://www.pfsense.org/index.php?option=com_content&task=view&id=58&Itemid=46

  • Installer Mode
  • Quick Install
  • Command line configure LAN/WAN
  • System->Firmware->Autoupdater Settings->Choose Default Autoupdater URLs
  • Install Unbound and configure for DNSSEC after disable standard DNS Forwarder
  • Make sure LAN ip DNS ip in DHCP server on LAN Interface
  • Enable NTP Server


Custom Build

I would like to build a PFSense install with the right kernel modules for VGA so I can have a graphical log viewer/monitor on the laptop that I use. I would also like to virtualize PFSense and SoleraOS....or find something that does the same thing. One machine, a firewall and monitoring solution in one.

This guide allows one to build their own iso image to install to a system:

One of the VGA modules has to be compiled into the kernel.

http://devwiki.pfsense.org/DevelopersBootStrapAndDevIso