Thursday, September 15, 2005

Secure Wireless Access

Today was a good day. I have been trying to find a special way to make my wireless secure! I could not find a nice and better solution in the last 8 weeks, which tells me that it's not broken yet - of course there is nothing which is secure in this internet world; having said that - my solution sounds pretty secure! because I have found that lots of people (including nice companies in many countries) use these techniques.

First - a Linux-based solution - of course :-) - ingredients as follows:
  • Linux Kernel 2.4 or greater
  • iptables - you do not have to know much about iptables
  • NoCat - nocat.net
  • DHCPD - plain vanilla dhcpd from distribution
  • Apache HTTPD 2.0
  • bind - optional
  • Wireless AccessPoint
Now - before you get to the solution - you need a machine which has two network cards.

This solution creates the wireless network as a separate LAN which reaches either your LAN or the Internet through the Linux box we are going to set up. Let's call the internal network 192.168.91.X (wireless) and the external network 172.16.X.X (LAN/Internet). This box has 192.168.91.254 (eth0) as its internal network address and 172.16.1.1 (eth1) as its external network address.

  • Set up DHCP - the plain vanilla default dhcpd.conf has a range of 192.168.91.1 to 192.168.91.251
  • Set up bind - optional; if you do not want to run a name server, you can provide your network's name server as the main name server in dhcpd.conf
  • Set up HTTPD - make it listen only on 172.16.1.1, and set up SSL on httpd
  • NoCat has two parts, AuthServ and Gateway; when you download NoCat it comes as one tar which contains both. By default NoCat installs into /usr/local/nocat, but since we are going to install AuthServ and Gateway on the same machine, we will install AuthServ in /usr/local/nocat/authserver and Gateway in /usr/local/nocat/gateway. You need to edit the Makefile, change the install directory there, and then run the authserv and gateway targets respectively
  • Edit the configuration of AuthServ and Gateway and make the appropriate changes; these files are well commented.
  • Now choose the authentication method; I chose Samba and pointed it to my Windows domain.

If everything goes smoothly, you are done: hook up on wireless and visit some site; it will redirect you to the NoCat authentication page, and once authentication is done it will update iptables to give your machine access.
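To make the "it will update iptables" step concrete, here is an added example of the rule set such a captive gateway keeps. It is a simplified stand-in written for this post, not NoCat's own code (NoCat's Gateway maintains equivalent rules from its Perl daemon). It takes the addressing from the post above (eth0 wireless side with 192.168.91.254, eth1 LAN/Internet side with 172.16.1.1, AuthServ's SSL vhost on 172.16.1.1:443); the gateway's own HTTP redirector port 5280 and the /24 mask are assumptions. `IPT` defaults to `echo iptables`, so the script prints the rules instead of applying them; on the real gateway run it as root with `IPT=iptables`.

```shell
#!/bin/sh
# iptables skeleton for a NoCat-style captive gateway (added example, not
# NoCat's own code). Before login a wireless client can only reach DHCP, DNS
# and the AuthServ login page; after login its MAC+IP pair is accepted.
# Assumptions: eth0 = wireless side (gateway 192.168.91.254, /24),
# eth1 = LAN/Internet side (172.16.1.1), AuthServ HTTPS on 172.16.1.1:443,
# redirector port 5280 on the gateway itself.
IPT="${IPT:-echo iptables}"          # set IPT=iptables to apply for real
WIFI_IF="${WIFI_IF:-eth0}"
EXT_IF="${EXT_IF:-eth1}"
WIFI_NET="${WIFI_NET:-192.168.91.0/24}"   # a /24 is assumed in check_client
GW_IP="${GW_IP:-192.168.91.254}"
AUTH_IP="${AUTH_IP:-172.16.1.1}"
REDIR_PORT="${REDIR_PORT:-5280}"         # assumed gateway redirector port
CHAIN=NoCat_Auth                         # one ACCEPT per logged-in client

# One-time setup: default-deny forwarding from the wireless side, allow only
# what the login flow needs, bounce plain HTTP to the portal, NAT the rest.
base_rules() {
    if [ "$IPT" = iptables ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
    $IPT -P FORWARD DROP
    $IPT -N "$CHAIN"
    # Authenticated clients match in the chain and are accepted; others fall
    # through to the policy and are dropped.
    $IPT -A FORWARD -i "$WIFI_IF" -j "$CHAIN"
    # Return traffic for connections an authenticated client opened.
    $IPT -A FORWARD -o "$WIFI_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Unauthenticated clients may reach AuthServ over HTTPS and resolve names.
    $IPT -A FORWARD -i "$WIFI_IF" -d "$AUTH_IP" -p tcp --dport 443 -j ACCEPT
    $IPT -A FORWARD -i "$WIFI_IF" -p udp --dport 53 -j ACCEPT
    # The box itself answers DHCP, DNS and the redirector for the wireless net.
    $IPT -A INPUT -i "$WIFI_IF" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$WIFI_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$WIFI_IF" -p tcp --dport "$REDIR_PORT" -j ACCEPT
    # Plain HTTP from a not-yet-authenticated client lands on the redirector,
    # which sends the browser on to AuthServ's login page.
    $IPT -t nat -A PREROUTING -i "$WIFI_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$GW_IP:$REDIR_PORT"
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$WIFI_NET" -j MASQUERADE
}

# Refuse a client address that is not on the wireless net (assumes a /24).
check_client() {
    case "$2" in
        "${WIFI_NET%.0/24}".*) ;;
        *) echo "refusing $1/$2: not in $WIFI_NET" >&2; return 1 ;;
    esac
}

# Called after AuthServ confirms a login: accept this MAC+IP pair for
# forwarding and let its HTTP bypass the portal redirect (ACCEPT in the nat
# table ends rule traversal, so the DNAT rule below it is skipped).
allow_client() {
    check_client "$1" "$2" || return 1
    $IPT -I "$CHAIN" 1 -s "$2" -m mac --mac-source "$1" -j ACCEPT
    $IPT -t nat -I PREROUTING 1 -i "$WIFI_IF" -s "$2" -m mac --mac-source "$1" -j ACCEPT
}

# Called on logout or idle timeout: remove exactly the rules added above.
revoke_client() {
    check_client "$1" "$2" || return 1
    $IPT -D "$CHAIN" -s "$2" -m mac --mac-source "$1" -j ACCEPT
    $IPT -t nat -D PREROUTING -i "$WIFI_IF" -s "$2" -m mac --mac-source "$1" -j ACCEPT
}

case "${1:-}" in
    base)   base_rules ;;
    allow)  allow_client "$2" "$3" ;;
    revoke) revoke_client "$2" "$3" ;;
esac
```

Run `sh gateway.sh base` once at boot; `allow` and `revoke` are the two operations NoCat's Gateway performs when AuthServ confirms a login or a session ends. Because the per-client rules key on the client's IP and MAC address, the gateway controls who may route traffic through the box; it does not encrypt the wireless link itself, which is the job of the access point's own settings or the RADIUS-based setup described below.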

The other solution is a RADIUS server - get Windows 2003 and configure it as a RADIUS server. Create an SSL certificate, distribute it using Group Policy, allow users dial-in access in their account management page, and point your access point to use this Windows 2003 server as its RADIUS server. And you get access! The only problem with this is that you cannot get a Linux client hooked on it.