Month: June 2014

3 Simple Steps To Secure WiFi

In this short guide, we’re going to go through 3 steps to secure a home wireless network.

Step #1 – Change router’s default password

A) If you’ve never logged into your wireless router, look up the make and model of the router, and find the default IP Address, username, and password, then log in.

B) For example, if your wireless router has a default IP address of 192.168.0.1, a default username of admin, and a blank default password, log in by doing the following:

  1. Open Internet Explorer and type in the address http://192.168.0.1
  2. When prompted, enter admin as the username and leave the password blank.

C) If the router’s password is still set to the default password, it is important to change this password to something else to keep an intruder from effectively kicking you off of your own network.

Step #2 – Disable SSID Broadcasting

This option decides whether people can or cannot see your wireless signal. This is not necessarily recommended because although this will keep your network invisible to the common nosy neighbor, it will not protect your network from any serious hackers. It can also make setting up your own devices on your wireless network more difficult. So, it’s good to know how this works, but always use encryption and don’t rely on just disabling SSID broadcasts to keep your network secure.

Step #3 – Enable Encryption

It’s important to use encryption on your wireless network. Not only does it keep intruders off of the network, but it also keeps eavesdroppers from listening in on your network traffic. The major types of wireless encryption are listed below. Please also note that any encryption enabled on the wireless router must also be enabled on each wireless device that needs to connect to the internet.

  1. WEP – This is still the most common type of encryption enabled on most wireless routers. Please note that this can be broken by serious hackers in about 2 minutes, but will keep out most neighbors and passersby.
  2. WPA2-PSK – This is becoming the most common type of encryption and is enabled on most new wireless routers. WPA2 is more secure than WEP but can be compromised by brute-forcing your password.
  3. WPA2-Enterprise – Also called 802.1X, it uses session passwords generated each time your device connects to the network. This security mode has not been compromised yet, but is not available on some older types of wireless devices.

If you choose the WPA2-Enterprise security mode, IronWifi will act as a guard, verifying the identity of users and devices connecting to your wireless network. Without this service, people could get in by breaking WEP encryption, faking their way through a MAC filter, brute-forcing your WPA2 password, or by good old-fashioned hard-line plugging into your router directly instead of connecting through the wireless. Taking control of connecting devices is the final step in securing a wireless network.

Protecting CLEAR's 4G wireless network with RADIUS

CLEAR is a popular 4G wireless internet provider in the United States. It provides internet connectivity through a 4G wireless modem that also acts as a wireless access point. Unfortunately, the safest wireless security mode it currently supports is WPA2-PSK. In this post we describe the procedure for securing CLEAR’s wireless network with the better, RADIUS-powered WPA2-Enterprise security mode.

First, we access the modem’s administration interface by opening http://192.168.15.1 in a web browser. After successful authentication, the modem greets us with the following Welcome screen.

CLEAR 4G Welcome Screen

To verify available Wireless Security Settings, let’s click on the Basic -> Wi-Fi -> Advanced buttons.

Clear Modem Wireless Security Settings

As you can see in the picture above, this modem supports authentication only with pre-shared keys and not the more secure WPA2-Enterprise mode. For WPA2-Enterprise, it is necessary to add another wireless router to create a new RADIUS-powered wireless network.

Connecting TP-Link router to CLEAR’s modem

CLEAR will remain our provider of internet connectivity. We connect the TP-Link router to the modem with the provided Ethernet cable and turn the router on. It is important to plug the Ethernet cable into the blue network port (uplink).

CLEAR modem connected to TP-Link

Next, we connect a computer to the new wireless network provided by the TP-Link router and follow the initial configuration instructions. During this procedure, the router will ask for a PIN, which is printed on the sticker on the bottom of the router.

TP-Link initial setup

In the next step, we select the Wireless Security type. At this point, not all security options are available, so we select the WPA2-PSK security mode, type in a temporary pre-shared key, and finish this configuration.

Creating virtual RADIUS server and user’s accounts

Now, let’s go to https://console.ironwifi.com to define our Network and create accounts for our Users. After signing in, all we have to do is follow the Configuration Wizard, which provides all required information in the summary on its last page. We keep this page open so we can use the values in the next step.

RADIUS Configuration Wizard Step3

Configuring TP-Link router to use WPA2-Enterprise security mode

Let’s go back to the TP-Link router to change the wireless security settings. TP-Link’s web administration interface is available at http://192.168.0.1, and it will prompt for the default credentials; the username is admin and the password is admin too.

Router's Interface login

After accessing the Wireless Security Settings, we switch the Wireless Security type to WPA/WPA2 and enter the information from the IronWifi Console – the RADIUS server IP address, Port, and Shared Secret.

Router's wireless security settings

Finally, save the new settings and restart the router.

Connecting with user’s credentials

Finally, we connect our client devices to the new Protected Wireless Network using the user’s credentials defined in the Console. For us it works like a charm, but if you still have connection issues, please follow our documentation for your specific platform.

Solving Access-Reject Issues

This article provides some tips if you are seeing authentication requests being rejected by the RADIUS server.

On the Windows platform, one useful tool is the NTRadPing Test Utility, which can be downloaded from the author's website.

This handy tool produces a simple Authentication Request, which is sent to the defined RADIUS server with the defined connection parameters and credentials.

In the RADIUS Server reply section, you will see how fast the server answered and what response it provided. Although the tool does not support tunneled EAP authentication requests, it can be used to debug the basic PAP and CHAP methods.

NTRadPing Screenshot

1. If the answer is Access-Accept, the server accepted your authentication request and you should be able to use the wireless network. If you are still experiencing problems, double-check the configuration of your wireless router and the client’s device.

2. If the answer from the RADIUS server is Access-Reject, there are several possible explanations:

  • The provided credentials might be wrong
  • The user might be disabled
  • The user’s account might be expired
  • The user is trying to log in outside the assigned Login Time

3. Another output you might see is the message no response from server (timed out). If this is the case, please double-check the RADIUS Server IP address, Port and Secret Key. If the values are correct, your firewall might be blocking outgoing requests. Contact your network administrator to verify that outgoing traffic to the server's IP address and UDP port is allowed.
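The same kind of basic PAP check can be scripted on any platform. The following Python script is an added example, not code from NTRadPing or IronWifi: it builds a PAP Access-Request per RFC 2865 with a Message-Authenticator attribute, verifies the reply, and maps the outcome onto the three cases above. The server address, user name, password and secret in it are constructed placeholders.

```python
import hashlib, hmac, os, socket, struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with a chained MD5 keystream."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def build_access_request(user, password, secret, ident, authenticator):
    # Message-Authenticator (type 80) goes first, zero-filled until the HMAC is known.
    attrs = (attr(80, bytes(16)) + attr(1, user.encode())
             + attr(2, pap_hide(password.encode(), secret, authenticator)))
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:22] + mac + pkt[38:]

def check_reply(reply: bytes, request: bytes, secret: bytes) -> str:
    """Name the reply, but only after verifying its Response Authenticator."""
    if len(reply) < 20:
        return "invalid reply (truncated)"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        return "invalid reply (shared secret mismatch or spoofed packet)"
    return CODES.get(code, f"unexpected code {code}")

def radius_ping(server, port, user, password, secret, timeout=3.0):
    request = build_access_request(user, password, secret, os.urandom(1)[0], os.urandom(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no response from server (timed out)"
    return check_reply(reply, request, secret)

if __name__ == "__main__":
    # Placeholder values: replace with the server IP, port and secret from your console.
    print(radius_ping("192.0.2.10", 1812, "alice", "constructed-password", b"constructed-secret"))
```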

Application Released to Chrome WebStore

In our effort to provide our customers with convenient ways to control their wireless network everywhere, we have released a new extension for Google Chrome that allows you to access our Security Console even faster, directly from your web browser, authenticating with your existing Google account.

To install the extension in your Chrome web browser, go to the Chrome Web Store and search for IronWifi.

Chrome Extension

After installing the extension, you can access the Shortcuts by clicking on the Apps icon, which is visible in the right corner after you open a new Tab.

Chrome Shortcut

A list of installed shortcuts will appear. You can now access the IronWifi Security Console by clicking on the provided icon.

chrome ironwifi shortcut icon

Android Application Released To Google Play Store

I am pleased to announce the new release of our IronWifi Security Console, available for Android devices. This application provides all the functionality of our native console, including remote control of access to the wireless network, user-based time restrictions, and log reports about successful and failed connection attempts.

You can download the application to your phone or tablet from the Google App Store immediately.

IronWifi app on Google Play

Some screenshots:

Mobile screen