
802.1x Security for Verizon FiOS

In this post we will explain how to configure your Verizon FiOS service to use the IronWifi RADIUS server. We used the Actiontec MI424WR Rev I Wireless-N Router.

First you have to access the router administration page. By default, the web interface is available on http://192.168.1.1

To authenticate to the web interface, use credentials printed on your wireless router.

Router Administration Login Page

With valid authentication credentials, you should see the Main configuration screen.

FiOS router main administration screen

Proceed to the Wireless Settings by clicking on the button in the navigational bar.

Verizon Wireless Network Settings

In the Wireless Settings screen, click on the Advanced Security Settings link and select WPA2 as your Level 1 protection.

Advanced Configuration of Wireless Network Settings

On the next screen, switch the authentication method to 802.1X.

Wireless Network Authentication Method

Enter the RADIUS settings (server address, port and shared secret) as displayed in your IronWifi console.

Configuring Radius Server settings on Verizon router

Click on the Apply button and wait while new settings are applied.

Applying New Authentication Settings

If necessary, delete old wireless network profile so a new profile can be created.

Deleting Old Wireless Profile

SSH Authentication Using Hosted RADIUS

In this post, we will show how to configure a Linux server so that SSH password logins are checked against the credentials stored in your cloud RADIUS server.

First, install the development tools needed to compile the authentication module.

CentOS:

yum install gcc pam pam-devel make -y

Ubuntu:

apt-get install gcc make libpam0g-dev

After that has finished, download the source code of the pam_radius package from the FreeRADIUS FTP server. (This is a plain FTP download with no signature to check; if you prefer a packaged build, Debian and Ubuntu ship the same module as the libpam-radius-auth package.)

wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz

Untar it, change into its directory and compile it:

tar xvzf pam_radius-1.3.17.tar.gz
cd pam_radius-1.3.17
make

A new file called “pam_radius_auth.so” should be created.

On CentOS, copy this file to /lib64/security/ if you are on x86_64, or to /lib/security/ if you are still on 32-bit x86.

On Ubuntu copy the pam_radius_auth.so file to /lib/x86_64-linux-gnu/security/.

Now open /etc/pam.d/sshd and add a pam_radius_auth.so line before the "auth include password-auth" line, as shown below for CentOS. Marking the module "sufficient" means that a RADIUS Access-Accept logs the user in without consulting the local password, while an Access-Reject or a timeout falls through to the normal local authentication:

CentOS:

#%PAM-1.0
auth required pam_sepermit.so
auth sufficient pam_radius_auth.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth

On Ubuntu, open /etc/pam.d/sshd and add the pam_radius_auth.so line at the very top. Ubuntu also needs the line "@include common-auth" commented out so that it reads "#@include common-auth". With the module marked "required" and common-auth disabled, RADIUS becomes the only password check for SSH: local passwords (including root's) no longer work over SSH, and an unreachable RADIUS server locks out every password login, so keep SSH key-based access for an administrator. The resulting file:

Ubuntu:

# PAM configuration for the Secure Shell service

auth required pam_radius_auth.so

# Read environment variables from /etc/environment and /etc/security/pam_env.conf.
auth required pam_env.so # [1]

# In Debian 4.0 (etch), locale-related environment variables were moved to /etc/default/locale, so read that as well.
auth required pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
#@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so

Save it, then create the directory /etc/raddb and a file called "server" inside it. Each line of that file names one RADIUS server in the form "host:port secret timeout". Make the file readable only by root, since it holds the shared secret:

mkdir /etc/raddb

echo "your_radius_ip:radius_port your_radius_secret 3" > /etc/raddb/server

chmod 600 /etc/raddb/server

So it would look something like this:

54.186.197.50:4123 dfk34Jdf 3

The last step is to create a matching local account. PAM only verifies the password; the username, UID and home directory still come from the local system:

useradd -m -d /home/user1 user1

Do not set a local password for this user. This is where Hosted RADIUS comes in: a user with the same username and a password must exist in IronWifi RADIUS. Once that is in place, you should be able to log in to your Linux box over SSH with the credentials managed in the cloud RADIUS. Note that sshd only hands password logins to PAM when /etc/ssh/sshd_config contains "UsePAM yes" and either "PasswordAuthentication yes" or "ChallengeResponseAuthentication yes".

3 Simple Steps To Secure WiFi

In this short guide, we are going to go through three steps to secure a home wireless network.

Step #1 – Change router’s default password

A) If you have never logged into your wireless router, look up its make and model, find the default IP address, username and password, and log in.

B) For example, if your wireless router has a default IP address of 192.168.0.1, a default username of admin and a blank default password, log in as follows:

  1. Open a web browser and go to http://192.168.0.1
  2. When prompted, enter admin as the username and leave the password blank.

C) If the router's password is still the default, change it to something else. Otherwise anyone who reaches the administration interface can reconfigure the router or lock you out of your own network.

Step #2 – Disable SSID Broadcasting

This option controls whether the router announces the network name in its beacons. Hiding it is not really recommended: it keeps the network out of sight of the casual nosy neighbour, but anyone with a wireless sniffer still sees the SSID in the probe and association frames of connecting clients, and it makes setting up your own devices harder. It is good to know how this works, but always use encryption and never rely on a hidden SSID to keep your network secure.

Step #3 – Enable Encryption

It is important to use encryption on your wireless network. Not only does it keep intruders off the network, it also keeps eavesdroppers from listening in on your traffic. The main wireless security modes are listed below. Note that whichever mode is enabled on the wireless router must also be configured on each wireless device that needs to connect.

  1. WEP – Still found on many older routers, but cryptographically broken: its key can be recovered in minutes with freely available tools. Treat a WEP network as an open one.
  2. WPA2-PSK – The common mode on newer routers; every device shares one passphrase. Far stronger than WEP, but an attacker who captures a single device's connection handshake can try passphrases offline at leisure, so the network is exactly as strong as the passphrase.
  3. WPA2-Enterprise – Also called 802.1X: each user or device authenticates with its own credentials against a RADIUS server and receives fresh per-session keys, so there is no shared passphrase to brute-force and a lost credential can be revoked individually. It is not available on some older wireless devices, and clients must be configured to validate the RADIUS server's certificate; otherwise a rogue access point can collect their credentials.
WPA2-Enterprise is the most secure method for keeping intruders off your network. Go to the IronWifi registration page to open a free account.

If you use the WPA2-Enterprise security mode, IronWifi acts as the guard that verifies the identity of the users and devices connecting to your wireless network. Without it, people can get in by breaking WEP, spoofing a MAC address past a MAC filter, brute-forcing your WPA2 passphrase, or simply plugging a cable into the router instead of connecting over wireless. Controlling which users and devices may connect is the final step in securing a wireless network.
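The difference between items 2 and 3 above comes down to what an attacker can do with a captured handshake. The following example, added here and not part of the original post, shows the WPA2-PSK side: the key every client derives from the passphrase (PBKDF2-HMAC-SHA1 with 4096 iterations, as defined in IEEE 802.11i), the pairwise key expansion, and the offline dictionary check against the MIC of handshake message 2. The MAC addresses, nonces, SSID and EAPOL-Key bytes are constructed for the demonstration; no frames are parsed from a real capture, and the candidate list stands in for a real dictionary.

```python
import hashlib
import hmac
import os


def wpa2_psk(passphrase, ssid):
    """IEEE 802.11i: PSK (= PMK) = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk, aa, spa, anonce, snonce):
    """PRF-512 'Pairwise key expansion' over the sorted MACs and nonces; the first 16 bytes are the KCK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """WPA2/CCMP (key descriptor version 2): MIC = first 16 bytes of HMAC-SHA1(KCK, frame with MIC zeroed)."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack(ssid, aa, spa, anonce, snonce, eapol_zeroed, mic, candidates):
    """Offline dictionary attack: each guess costs one PBKDF2 (4096 HMAC-SHA1) plus one PRF-512.

    Returns the passphrase whose derived KCK reproduces the captured MIC, or None.
    """
    for guess in candidates:
        kck = ptk(wpa2_psk(guess, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), mic):
            return guess
    return None


def constructed_handshake(ssid, passphrase):
    """Fabricate what a sniffer would take from message 2 of a 4-way handshake (constructed values)."""
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed AP/client MACs
    anonce, snonce = os.urandom(32), os.urandom(32)
    # Simplified stand-in for the EAPOL-Key frame of message 2; the 16-byte MIC field is already zero.
    eapol_zeroed = b"\x02\x03\x00\x5f\x02\x01\x0a" + b"\x00" * 8 + snonce + b"\x00" * 16
    kck = ptk(wpa2_psk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return aa, spa, anonce, snonce, eapol_zeroed, eapol_mic(kck, eapol_zeroed)


if __name__ == "__main__":
    captured = constructed_handshake("HomeNet", "correct horse")
    print(crack("HomeNet", *captured, ["password", "letmein", "correct horse"]))  # -> correct horse
```

The cost per guess is fixed by the standard (4096 HMAC-SHA1 rounds per candidate), so a short or dictionary passphrase falls in minutes on a GPU while a long random one does not. With 802.1X there is no shared passphrase in this derivation at all; the PMK comes out of the EAP exchange with the RADIUS server and is different for every session.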

Protecting CLEAR’s 4G wireless network with RADIUS

CLEAR is a popular 4G wireless internet provider offering its services in the United States. It provides connectivity through a 4G wireless modem that also acts as a wireless access point. Unfortunately, the strongest wireless security mode it currently supports is WPA2-PSK. In this post I describe how I secured CLEAR's wireless network with the stronger, RADIUS-backed WPA2-Enterprise mode.

First, I access the modem's administration interface by opening http://192.168.15.1 in my web browser. After successful authentication, the modem greets me with the following welcome screen.

CLEAR 4G Welcome Screen

To check the available wireless security settings, click Basic -> Wi-Fi -> Advanced.

Clear Modem Wireless Security Settings

As the picture above shows, this modem only supports authentication with pre-shared keys and not the WPA2-Enterprise mode we want. It is necessary to add another wireless router, in my case the TP-Link WR842ND, to create a new RADIUS-backed wireless network.

Connecting the TP-Link router to CLEAR's modem

Since CLEAR remains my internet provider, I connect the TP-Link router to the modem with the supplied Ethernet cable and turn the router on. The cable must go into the blue WAN (uplink) port.

CLEAR modem connected to TP-Link

Next, I connect my computer to the new TP-Link wireless network and follow the initial configuration instructions. During this procedure the router asks for the PIN printed on the sticker on the underside of the router.

TP-Link initial setup

In the next step I have to select the wireless security type. Not all security options are available at this point, so I select WPA2-PSK, type in a temporary pre-shared key and finish the configuration.

Creating virtual RADIUS server and user’s accounts

Now I go to https://console.ironwifi.com to register the new wireless router and create accounts for my users. After signing in, all I have to do is follow the Configuration Wizard, which lists all the required values in the summary on its last page. I keep that page open so I can copy the values in the next step.

RADIUS Configuration Wizard Step3

Configuring TP-Link router to use WPA2-Enterprise security mode

I go back to the TP-Link router to change the wireless security settings. The TP-Link web interface is available at http://192.168.0.1 and prompts for the default credentials: username admin, password admin. Change this default password while you are there.

Router's Interface login

After opening the Wireless Security settings, I change the security type to WPA/WPA2 (the Enterprise option backed by RADIUS, not WPA/WPA2-Personal) and enter the information from the IronWifi console: the RADIUS server IP address, port and shared secret/password.

Routers wireless security settings

Then save the new settings and restart the router.

Connecting with user’s credentials

Finally, I connect my client devices to the new protected wireless network using the users' credentials. For me it worked like a charm, but if you still have connection problems, please follow our documentation for your specific platform.

Was your upgrade also so easy, or did you experience some difficulty?

Solving Access-Reject Issues

Sometimes it can be quite challenging to identify why the RADIUS server rejects our authentication requests.

On Windows, one useful tool is the NTRadPing Test Utility, which can be downloaded from the author's website.

This handy tool sends a simple Access-Request to the RADIUS server with the connection parameters and credentials you specify.

The RADIUS Server reply section shows how quickly the server answered and what it replied. Although it does not support tunneled EAP authentication, it can be used to debug the basic PAP and CHAP methods, and with them the shared secret, port and user account that the EAP methods depend on as well.

NTRadPing Screenshot

1. If the answer is Access-Accept, the server accepted your authentication request and you should be able to use the wireless network. If you still have problems, double-check the configuration of your wireless router and of the client device.

2. If the answer from the RADIUS server is Access-Reject, there are several possible explanations:

  • the username or password is wrong, or the shared secret does not match (the server then decrypts the password to garbage and rejects it even though the password itself was correct)
  • the user is disabled
  • the user's account has expired
  • the user is trying to log in outside the assigned login time

In these cases, double-check the user's account settings and the shared secret.

3. Another outcome is the message "no response from server (timed out)". Double-check the RADIUS server IP address and port. If those are correct, a firewall may be blocking the outgoing request or the reply; ask your network administrator to verify that outgoing traffic to the server's IP address and UDP port (1812 by default) is allowed.

If the problem persists, you may need to solve it together with the RADIUS administrator.
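On the Linux box from the SSH post above there is no NTRadPing, but the same check can be done with a few lines of Python before touching /etc/pam.d/sshd. The following script is an added example, not part of the original posts or of IronWifi's software: it reads the first line of /etc/raddb/server, builds an RFC 2865 PAP Access-Request, and classifies the reply into the three outcomes described above (Access-Accept, Access-Reject, timeout). It also checks the Response Authenticator, which NTRadPing's reply section does not surface: a reply whose authenticator does not verify means the shared secret differs between the two sides. The server-side helpers (build_response, unhide_password) are included only so the exchange can be exercised offline; the server address and secret in the usage line are placeholders.

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 18, 32  # RFC 2865 attribute types
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject", ACCESS_CHALLENGE: "Access-Challenge"}

def parse_server_line(line):
    """One /etc/raddb/server line: 'host[:port] secret [timeout]'; port defaults to 1812, timeout to 3 s."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected 'host[:port] secret [timeout]'")
    host, _, port = fields[0].partition(":")
    timeout = int(fields[2]) if len(fields) > 2 else 3
    return host, int(port) if port else 1812, fields[1].encode(), timeout

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)  # password assumed non-empty and at most 128 bytes
    out, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(plain[i:i + 16], mask))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password, included so the exchange can be shown end to end."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8", "replace")

def attribute(kind, value):
    """Type/Length/Value; Length counts the two header bytes."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def parse_attributes(data):
    attrs = []
    while data:
        if len(data) < 2 or not 2 <= data[1] <= len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def build_access_request(ident, secret, username, password, nas_id=b"radius-probe"):
    """Access-Request with a fresh random Request Authenticator; returns (packet, authenticator)."""
    authenticator = os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_response(code, request, secret, attrs=b""):
    """What the server sends back: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(packet, request_authenticator, secret, ident):
    """Reject short, mismatched or wrongly signed replies; return (code, attributes)."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, reply_ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]
    if reply_ident != ident:
        raise ValueError("identifier mismatch (reply belongs to another request)")
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("Response Authenticator mismatch: shared secret differs or reply was forged")
    return code, parse_attributes(packet[20:])

def probe(host, port, secret, username, password, timeout=3):
    """Send one PAP Access-Request over UDP and classify the outcome the way the article does."""
    ident = os.urandom(1)[0]
    request, authenticator = build_access_request(ident, secret, username, password)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(request, (host, port))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "no response from server (timed out): check the IP, UDP port %d and outbound firewall" % port
    finally:
        sock.close()
    code, attrs = verify_response(data, authenticator, secret, ident)
    replies = [v.decode("utf-8", "replace") for k, v in attrs if k == REPLY_MESSAGE]
    return CODE_NAMES.get(code, "code %d" % code) + (": " + "; ".join(replies) if replies else "")

if __name__ == "__main__":  # usage: python3 radius_probe.py user1 'password' (reads /etc/raddb/server)
    import sys
    host, port, secret, timeout = parse_server_line(open("/etc/raddb/server").readline())
    print(probe(host, port, secret, sys.argv[1], sys.argv[2], timeout))
```

Run it as root (so it can read /etc/raddb/server) with the username and password you created in the IronWifi console. An Access-Reject with a matching Response Authenticator points at the account or the password; a "Response Authenticator mismatch" error points at the shared secret; a timeout points at the address, the port or a firewall, exactly the split in the list above.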

Have you experienced any other problems while trying to authenticate with a RADIUS server?