Virtual Private Network - PowerPoint by pengxiang


Wireless RADIUS Access

Susan Mulholland
Joseph Paulowskey
Joseph Woulfe
What is Wi-Fi?
   Stands for Wireless Fidelity
   The wireless networking standard is called 802.11
   Can connect PCs, notebooks, and PDAs to enable them to share internet connections, printers and documents
   Range can be up to 300 feet
Three kinds of 802.11
   802.11b
     The first version of 802.11
     Slowest
     Least expensive
   802.11a
     The second version
     Can handle up to 54 megabits per second
     Operates at 5 GHz
   802.11g
     The third version
     Operates at 2.4 GHz
     Has the advantage of higher speeds
Advantages of Wi-Fi
   Allows LANs to be deployed without cabling
   Reduces the costs of network deployment and
   Can host wireless LANs.
   Networks support roaming
   Wi-Fi clients work in all different countries
   A global set of standards
Disadvantages of Wi-Fi
   Power consumption is high
   Concerns about battery life and heat
   Has limited range.
   Access points could be used to steal personal information transmitted from Wi-Fi users.
   Wired Equivalent Privacy (WEP) is easily broken even when correctly configured. WPA2 (Wi-Fi Protected Access 2) is improved and better than WEP.
Wi-Fi Security
   If a hotspot is open, then anyone with a Wi-Fi card can access the hotspot. The original standard was 64-bit encryption that was easily
   If it is secured using 128-bit encryption, then the user needs to know a WEP key to connect. Using a hotspot at your house, you need WEP 128-bit encryption to prevent intruders from entering your network.
Wi-Fi network in your home
   802.11b
     Is slightly less expensive and the slowest of the three 802.11 standards.
   802.11g
     Costs just a little more, but is up to 5 times faster. If you will be doing a lot of file transfers between computers in your home, 802.11g is definitely the way to go.
Two kinds of Wi-Fi
   Commercial Wi-Fi
     Services are available at Internet cafes, Borders bookstores, and more. T-Mobile has many hotspots in all Borders and Starbucks.
   Free Wi-Fi
     Many members of local governments have joined with local community groups to help expand free Wi-Fi networks. Some community groups built their Wi-Fi networks based on volunteer efforts and donations.
About the Wi-Fi revolution
   Consultants from Pyramid Research predicted that more Americans would use Wi-Fi than cellular networks by 2007.
   Last year, approximately 30.2 million Americans used Wi-Fi, according to Pyramid, compared with 213 million mobile-phone
   Demand for Wi-Fi is increasing. However, the pace shows signs of slowing down.
RADIUS
   Stands for Remote Authentication Dial-In User Service
   Certificates are used to authenticate the user's computer and to authenticate the RADIUS server.
Deployment Diagram
   This diagram shows how the user's wireless device connects through the wireless access point. The credentials are then sent from the access point to the RADIUS server, which verifies the user information using the Network Information Service (NIS) server. Upon verification in the NIS server, the user acceptance is passed back up to the RADIUS server, then back up to the access point, which puts the user on the network. The user is then allowed to make a DHCP request for an IP address, and the DHCP server responds.
Architectural Design
   The radiusd.conf file is the main configuration file for the FreeRadius server.
   The following lines are from the radiusd.conf file:
      port = 1812        # sets the port to listen on
      log_auth = yes     # sets the server to log authentication requests
   The clients.conf file is a configuration file for the FreeRadius server that establishes what clients can connect to the radius server.
   The following are the lines that were modified in the clients.conf file to allow the single test access point to be a client, as well as the local host to be a client for testing.

      client [] {
          secret    = cmps354
          shortname = WAP354
      }
      client localhost {
          secret    = cmps354
          shortname = lh
      }
   The eap.conf file handles the configuration for the EAP protocols in FreeRadius.
   The following lines have to be adjusted:

      default_eap_type = tls         # tls is the authentication form that is being used
      # The following is from the tls module
      private_key_password =
      private_key_file = ${raddbdir}/certs/serverkey_cert.pem
      certificate_file = ${raddbdir}/certs/serverkey_cert.pem
      CA_file = /usr/local/openssl/cmpsCA/cacert.pem
      dhfile = /dev/null             # link to a built-in null location
      random_file = /dev/urandom     # link to a built-in random number generator
      # The following is from the ttls module
      #default_eap_type =
      copy_request_to_tunnel = yes
      use_tunneled_reply = yes
Installing OpenSSL
   OpenSSL by default is installed on the FreeBSD 5.4 system.
   After installing OpenSSL the administrator has to go to the directory that contains the configuration files for OpenSSL.
   By default on FreeBSD the path is
   There you can find the file openssl.cnf; this file has a number of lines that should be edited for ease of use.
   # These are some of the lines that should be modified
      [ CA_default ]
      dir = ./cmpsCA      # Where the CA is kept
      # further down
      countryName_default = US
      stateOrProvinceName_default = Pennsylvania
      0.organizationName_default = Computing Science Department
   After editing the defaults of the openssl.cnf file another file must be created, because these certificates are going to be used on Microsoft Windows XP computers.
   The file should be created and named xpextensions (the name the signing commands later pass with -extfile).
   The following lines should be added to it:
      [ xpclient_ext ]
      extendedKeyUsage =
      [ xpserver_ext ]
      extendedKeyUsage =
Creating a Certificate Authority
   To create a certificate authority you must edit the file in the openssl/misc directory:
      CATOP=./cmpsCA      # this path should match the dir specified in
Creating and Signing Certificates
   The first step for creating the server certificate is to make a certificate request with this command:
      $ openssl req -new -nodes -keyout server_key.pem -out server_req.pem \
          -days 730 -config ./openssl.cnf
   After making the request it will prompt the user to enter some organization information; then the request will be created in the file server_req.pem.
   This server request now has to be signed by your created certificate authority, and the xpextensions need to be added to the certificate. This can be done with the following command:
      $ openssl ca -config ./openssl.cnf -policy policy_anything \
          -out server_cert.pem -extensions xpserver_ext -extfile ./xpextensions \
          -infiles ./server_req.pem
   The client certificate follows the same process as the server certificate.
   First you must create a signing request:
      $ openssl req -new -keyout client_key.pem -out client_req.pem \
          -days 730 -config ./openssl.cnf
   Then you sign the request with the same certificate authority:
      $ openssl ca -config ./openssl.cnf -policy policy_anything \
          -out client_cert.pem -extensions xpclient_ext -extfile ./xpextensions \
          -infiles client_req.pem
   Finally, after you have created your signed certificate in client_cert.pem, you have to convert it to a .p12 file for Windows machines.
   You can do that with this command:
      $ openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem \
          -out client_cert.p12 -clcerts
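The whole certificate procedure above (CA, server and client requests, signing with the xpextensions sections, .p12 export), replayed end to end as an added example that is not part of the deck, with a verification step at the end so a bad chain is caught before it reaches eap.conf. It assumes a minimal openssl.cnf written inline in a temporary directory instead of the edited system file, the standard OpenSSL EKU names serverAuth and clientAuth for the two xpextensions sections (values the slides leave blank), placeholder common names and a placeholder .p12 passphrase; cmpsCA, xpextensions, policy_anything and the 730-day lifetime follow the deck.

```shell
# Added example, not from the deck: replays its CA -> server -> client certificate
# flow in a throwaway directory and verifies the result. cmpsCA, xpextensions,
# policy_anything and 730 days follow the deck; the CNs, the .p12 passphrase and
# the EKU names serverAuth/clientAuth (values the slides leave blank) are assumed.
set -eu
make_eap_certs() (
  work=$(mktemp -d) && cd "$work"
  mkdir -p cmpsCA/newcerts cmpsCA/private && : > cmpsCA/index.txt && echo 01 > cmpsCA/serial
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./cmpsCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
policy = policy_anything
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
EOF
  # The EKUs Windows XP checks: serverAuth on the RADIUS server cert, clientAuth on the user cert.
  printf '[ xpserver_ext ]\nextendedKeyUsage = serverAuth\n[ xpclient_ext ]\nextendedKeyUsage = clientAuth\n' > xpextensions
  # 1. Self-signed CA (the deck builds it through the openssl/misc script with CATOP=./cmpsCA).
  openssl req -x509 -new -nodes -keyout cmpsCA/private/cakey.pem -out cmpsCA/cacert.pem -days 730 -subj '/CN=cmpsCA' -config ./openssl.cnf
  # 2. Server request, signed by cmpsCA with the xpserver_ext extension.
  openssl req -new -nodes -keyout server_key.pem -out server_req.pem -subj '/CN=radius.example.test' -config ./openssl.cnf
  openssl ca -batch -days 730 -config ./openssl.cnf -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile ./xpextensions -infiles ./server_req.pem
  # 3. Client request, signed with xpclient_ext, then exported as .p12 for the Windows client.
  openssl req -new -nodes -keyout client_key.pem -out client_req.pem -subj '/CN=client1' -config ./openssl.cnf
  openssl ca -batch -days 730 -config ./openssl.cnf -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile ./xpextensions -infiles ./client_req.pem
  openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts -passout pass:placeholder
  # 4. Checks: both leaf certs chain to cmpsCA and carry the EKU the extfile asked for.
  openssl verify -CAfile cmpsCA/cacert.pem server_cert.pem client_cert.pem >/dev/null &&
    openssl x509 -in server_cert.pem -noout -text | grep -q 'TLS Web Server Authentication' &&
    openssl x509 -in client_cert.pem -noout -text | grep -q 'TLS Web Client Authentication' &&
    [ -s client_cert.p12 ]
)
make_eap_certs && echo "cmpsCA chain built and verified"
```

The function returns non-zero if either leaf fails to chain to cmpsCA or lacks its EKU, which is exactly the failure a Windows XP supplicant reports only as a vague connection error.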
Wireless Access Points
   The wireless access points need to be configured for the network
   Set a static IP
   The IP address should be reflected in the clients.conf file of the radius directory
   The SSID needs to be modified to
User Interface Design
   SecureW2 Supplicant
   The SecureW2 client is a WPA supplicant that installs onto the user's Windows XP computer.
   This is used to authenticate the user through the RADIUS server using the TTLS protocol.
SecureW2 Installation
   The SecureW2 client can be downloaded from
   SecureW2 allows for PAP authentication
   SecureW2 also allows you to input a user id and password combination for quick reconnection to the network
   This can be used on a personal
   The configuration of the SecureW2 client is shown below
