a freeradius/wireless solution for a school

David Wood david at wood2.org.uk
Tue Jan 23 04:59:31 CET 2007


Hi German,

You've already had much wisdom; I'm going to try a comprehensive reply 
to the whole problem.

In message <8437548.post at talk.nabble.com>, gkalinec 
<gkalinec at newroads.org> writes
>I work for a mid-size private school (about 700-800 people on campus), and
>I'm trying to set up a way to limit the use of our wireless to our
>students/staff.  The main problem that I'm encountering is finding a
>solution that will fit our needs.

Yours is hardly the biggest wireless deployment; there are solutions 
that exist for this.


>  A little background first...
>When I first started (about a year ago, and I'm still the only IT person
>managing the whole school network) we had crappy wireless at different
>places on campus for students and staff to access our network.  The person
>who set these up (my current boss) simply did a MAC access control list on
>each AP and made the students and staff come to him to register their
>computers.  This was a major pain since each of our APs (7 of them) had to
>have the new MAC address manually added to each AP every time we had a new
>laptop.  The problem with this solution (aside from having to enter the MACs
>7 times) was that we eventually ran out of room in the MAC table.

MAC authentication is trivially broken. Most wireless cards can work 
with a spoofed MAC address, and MAC addresses are trivially sniffed from 
the air.

As you've also found out, maintainability of MAC tables is an issue. 
Some APs (including the 3Com 8760 - more about that in a minute) support 
MAC authentication against a RADIUS server, but it's usually not worth 
the effort, as it provides little if any extra security on top of WPA.

In fact, the 3Com 8760 doesn't support MAC authentication against a 
RADIUS server when using 802.1x. You could configure the RADIUS server 
to verify the MAC address when dealing with EAP, but this adds so little 
to security it isn't worth the hassle and the maintenance effort in my 
opinion.


>After
>some negotiating we got new wireless, but still not top of the line (I
>wanted CISCOs, we got Netgear WPN802s instead), and I found that we still
>ran out of space in the table (it now holds 50, and we now have about 100+ laptops
>being used by students).

It doesn't have to be Cisco to be decent; there are some reasonable 
enough enterprise APs from other vendors.


The latest AP I bought was a 3Com 8760, which is a dual band (802.11a 
and 802.11b/g) AP, capable of WPA and WPA2 with four virtual access 
points per band (each with a different SSID, encryption and 
authentication settings, and optionally a different VLAN as well). It 
supports 802.1q tagged VLAN operation, RADIUS authentication and 
accounting, and you can return which VLAN to connect a user to in the 
Access-Accept packet from your RADIUS server. The 8760 is a Power over 
Ethernet device, and is supplied with simple Power over Ethernet 
injector.

The only drawbacks I've found are that the web interface doesn't work 
perfectly in Firefox (it's documented as IE only in the current firmware 
release), RADIUS accounting has to be set at the CLI (again, documented 
as a limitation in the current firmware) and the PoE injector isn't 
fully 802.3af compliant, in that it doesn't employ any resistive sensing 
and is permanently live instead (which means you have to be careful what 
you connect it to - I inadvertently blew up a cheap network tester by 
connecting it to the other end of one of these).

It's not just the RADIUS accounting that you need to set up in the CLI - 
in fact, there's a few useful bits and pieces not supported in the web 
interface. Things like WPA2 pre-authentication are most easily 
configured in the CLI. Fortunately the user guide has full documentation 
of all the CLI commands.


There is a single band version of the 8760, the 7760 (capable of 802.11a 
or 802.11b/g, but not both at once unlike the 8760).



I had a quick look at the manual of the Netgear WPN802v1, and it's a 
device that I'd class only as a consumer grade AP - in fact, it falls 
well short of what most consumer grade APs can achieve. Despite the 
documentation of EAP and WPA2 in the appendix to the manual, it doesn't 
appear from the specification to support anything higher than WPA-PSK, 
which is useless in this context. Handing out a passphrase to 100+ users 
just isn't on.


You hint later that the Netgear APs have WPA Enterprise support - that's 
WPA with RADIUS rather than a Pre Shared Key. If not, you're going to 
need new APs - indeed, you may find that the existing APs really aren't 
up to the job even if they do have WPA Enterprise support. The 'sales' 
pitch is that you will be securing your wireless network properly. I'd 
go for a proper enterprise AP this time, and you could certainly 
evaluate the 3Com units I've mentioned.

Just to indicate how an enterprise grade AP needn't cost a fortune, 
current pricing in the UK is around GBP75 for the Netgear WPN802, whilst 
the 3Com 7760 can be had for GBP110 and the 3Com 8760 for GBP175. Power 
over Ethernet makes installation much easier. Overall, the price of 
decent network infrastructure is coming down; a decent 24 port 10/100 
plus 2 port 10/100/1000 L2 managed switch such as a HP Procurve 2510-24 
is around GBP200 now.


If everything has WPA2 support, deploy WPA2, but you may have some 
clients that only support WPA AES, in which case WPA2-Mixed mode may 
come to the rescue. If you have some clients that only support WPA TKIP, 
you'll probably have to use WPA Enterprise TKIP.

It's in this sort of scenario that the virtual APs of the 3Com units are 
useful - you can use WPA2 when possible, whilst accommodating kit that 
can't manage WPA2 as well, optionally on a separate VLAN that maybe 
doesn't have access to more secure internal services.

Indeed, you can use the 3Com APs to provide simultaneous wireless 
hotspot service via a captive portal setup (such as Chillispot) and 
RADIUS authenticated access to the internal network for authorised users 
- again, it's the virtual AP feature that comes in so useful.


>I know that the solution is to implement a radius
>authentication with the APs that we have.  The APs support radius servers
>using either WAP or legacy 802.1X (with WEP keys).  I did tons of research
>on WAP (being the preferred method), but I could not get around the fact
>that certificates MUST be installed in the client computer in order for the
>protocol to work.  This is simply impossible since most of our students (and
>staff for that matter) are unable to install certificates (or unwilling) and
>having to install certificates manually myself is just too time consuming.

You mean WPA, not WEP.


>So my first question is what methods would you suggest for this kind of set
>up?

Many wireless supplicants, such as the Microsoft one built into Windows 
XP, only support EAP-TLS and "PEAP" (technically PEAPv0/EAP-MSCHAPv2). 
There are other forms of EAP, such as EAP-TTLS, but without broad 
supplicant support, they're no use to you.

EAP-TLS requires client side certificates. I use it - but for you it's 
out of the question. You need a robust infrastructure to issue client 
certificates and the support burden is heavy, too.


You should therefore look at PEAP - the only certificate required in 
that case is one for the RADIUS server, with the clients using user 
names and passwords.

As others have said, if you have an authentication database already, you 
may be able to leverage that for PEAP in FreeRADIUS (using SQL, LDAP, 
Active Directory or Kerberos as appropriate). It depends on the password 
format, mainly.


You may be able to get away with creating your own CA (or using an 
existing CA under your control) when creating the server certificate, 
but that may require you to install root certificates on at least some 
machines. There's no harm testing with a certificate issued on your own 
CA - if it causes problems, get a certificate for the RADIUS server from 
a CA whose root certificate is in all the operating systems in question. 
Make sure the certificate signing request has the appropriate 
extensions, however!


Using PEAP may give you problems with Windows XP machines that aren't 
upgraded to SP2 (and you may additionally need the KB885453 hotfix). You 
can probably get away with setting the cipher_list in eap.conf to HIGH 
for added security; certainly that works with all my wireless clients, 
though it does depend which ciphers your wireless supplicants support.


>My original idea was to implement the legacy 802.1x option.  i managed to
>set up the AP correctly and the radius server to authenticate based on MAC
>addresses, but I could not find a way to get the WEP key back to the client
>laptop.  I'm not even sure it is possible, really, and I'm hesitant to try
>to have our students and staff enter a WEP key into their laptops themselves
>(since when they fail they will come for me to set it up, and if I wanted to
>change the WEP key, I would have to re-change it on every laptop).  Is there
>any way for the radius server to send back the WEP key to the client?  I
>know it must seem horribly insecure (and it is), but I have to show my boss
>a solution that is better than simply leaving our network open.
>Can someone help or suggest a better way of resolving this?

I'd forget all about WEP with 802.1x; it's not well standardised, it's 
insecure because WEP is insecure and client support is often not as good 
as WPA. WPA2 Enterprise (or if you haven't got the necessary support WPA 
Enterprise) is where you should be looking; the necessary keys to enable 
it to work are generated by the RADIUS server and passed to the AP.



In summary, I recommend setting up a PEAP setup using FreeRADIUS, and 
using that with WPA2 Enterprise on the APs, or WPA Enterprise if that's 
all they support.

If that proves impractical, some kind of Chillispot or similar captive 
portal setup based around RADIUS is possible, but that won't encrypt the 
data on the wireless network, which should be one of your aims. 
Chillispot can be used with WPA, but I have no experience of doing this.

MAC authentication, in my opinion, isn't worth bothering with - the 
security it provides is trivially broken, and management is a nightmare.


If you need new APs, something like the 3Com 7760 or 8760 would be more 
suitable than the arguably consumer grade Netgear units you have, not 
least because you can accommodate legacy clients that can't be upgraded 
to a new secure wireless network whilst requiring all new clients to 
operate on WPA2 Enterprise using PEAP.




David
-- 
David Wood
david at wood2.org.uk
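The PEAP-with-FreeRADIUS setup and the per-user VLAN return in the Access-Accept that the reply recommends, written out as an added configuration example. This is not part of David's message or of the FreeRADIUS project's shipped configuration files; the AP address, shared secret, certificate paths, usernames, passwords and VLAN numbers are constructed placeholders, and the `Cleartext-Password` check item is the FreeRADIUS 2.x form (1.x, current when this was written, used `User-Password == "..."` for the same purpose). The `cipher_list = "HIGH"` line is the eap.conf setting mentioned above.

```conf
# --- clients.conf: each AP is a RADIUS client (NAS). Address and secret are
# constructed placeholders; use a long random secret and a separate one per AP.
client 192.0.2.10 {
    secret    = CHANGE_ME_LONG_RANDOM_SECRET
    shortname = ap-8760-library
}

# --- eap.conf: PEAPv0/EAP-MSCHAPv2 needs a certificate for the server only;
# clients authenticate with a username and password inside the TLS tunnel.
eap {
    default_eap_type = peap

    tls {
        # Server certificate from your own CA (or from a public CA whose root
        # the clients already trust). All paths here are assumptions.
        private_key_password = whatever
        private_key_file     = ${raddbdir}/certs/server.pem
        certificate_file     = ${raddbdir}/certs/server.pem
        CA_file              = ${raddbdir}/certs/ca.pem
        dh_file              = ${raddbdir}/certs/dh
        random_file          = ${raddbdir}/certs/random

        # Refuse weak TLS ciphers for the PEAP tunnel. Check every supplicant
        # type you have against this before making it the only option.
        cipher_list = "HIGH"
    }

    peap {
        # Inner method carrying the username/password exchange.
        default_eap_type = mschapv2
    }

    mschapv2 {
    }
}

# --- users: test entries. MS-CHAPv2 needs the cleartext password (or its NT
# hash), so a one-way hashed password store cannot be reused as-is.
# The Tunnel-* attributes are the RFC 3580 VLAN assignment returned in the
# Access-Accept, which the 3Com units described above honour. VLAN ids and
# account names are constructed.
student1   Cleartext-Password := "s3cr3t-example"
           Tunnel-Type = VLAN,
           Tunnel-Medium-Type = IEEE-802,
           Tunnel-Private-Group-Id = "20"

staff1     Cleartext-Password := "another-example"
           Tunnel-Type = VLAN,
           Tunnel-Medium-Type = IEEE-802,
           Tunnel-Private-Group-Id = "10"
```

`radtest student1 s3cr3t-example localhost 0 testing123` only exercises the users entry over plain PAP and shows whether the Tunnel-* attributes come back; a real PEAP exchange has to be driven from a supplicant (for example wpa_supplicant's eapol_test) against the server running in debug mode with `radiusd -X`. Returning different VLANs per account is what lets the "legacy clients on a restricted VLAN, everyone else on WPA2 Enterprise" split described above be enforced by the RADIUS server rather than by hand on each AP.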
