802.1X Easy

 

802.1X Easy

It seems I like doing things the hard way sometimes. Packetfence was that next thing. After much trial and error I fell back to something simpler that I already had running. OPNSense with FreeRADIUS.

My goal is to create a wifi lab that utilizes Dot1X to better understand how enterprise wifi works. While my day job does allow me troubleshoot it, I cant easily test and play around with it.

My setup is basic but that's what makes this so great and accessible for people without the space or extra money for power hungry devices.

  • An OPNSense VM running on Proxmox (Or a standalone device)
  • A Cisco 3560 desktop style gigabit POE switch
  • 2 Unifi AP AC Lites

And that's really all you need. You could even go a little cheaper with a basic POE switch if you don't plan on doing wired Dot1X.

Once your OPNSense instance is setup you just need to download the FreeRADIUS plugin then you can begin configuring Dot1X.

Configuration

You'll want to create a CA to issue certificates. Once created you can also download this Root Certificate as we will need it later

System > Trust > Authorities


Next you need to issue a server certificate for FreeRADIUS to use

System > Trust > Certificates


Moving over to FreeRADIUS we need to first enable it

Services > FreeRADIUS > General

 
 
Then add our Authenticators (Disregard the controller, its not necessary). During this step you will also create a shared key that needs to be entered on your device or controller

Services > FreeRADIUS > Clients


Now’s the time to pick an authentication method. To make it easy on myself I went with PEAP/MSCHAPv2. While its old, slow, and technically broken, its still widely used and easier to manage. Make sure you check the box for Use own certificates, change the Root Certificate to your CA and select the certificate you issued earlier under Server Certificate

Services > FreeRADIUS > EAP

You can enable multiple authentication types but that requires a little config editing which is not quick and dirty

 

Since we’re using MSCHAP we’ll need a user account too

Services > FreeRADIUS > Users

 

That’s everything for FreeRADIUS. Go ahead and install your Root Cert on your device, enter your UN/PW and now you should be using Dot1X at home!

 

I hope this little guide was helpful and demonstrated that it fairly easy to get this working for a home lab. Again this is meant to be a quick and dirty setup. Yes its possible to use EAP-TLS, external CA’s, VLAN assignments, etc. In my opinion this allows you to eventually learn about all that but first and foremost it lets you start understanding EAP flows and FT over Dot1X which can be difficult outside of an enterprise.

Comments

Post a Comment

Leave a comment...

Popular posts from this blog

Capturing Roaming Events

Image
Finally! I scored a newer laptop to put Kali Linux on along with Windows to do some more wifi shenanigans. Before I was using a WLANPi on my desktop, which limited my mobility of course. Now I can follow devices and get closer to some of my other APs. Yes I know you can also use Pi as a remote capture device but that still didnt help with looking into roaming events. Now its been a few years since Ive used Kali and I was amazed at how polished its become. I think I used Backtrack about a decade ago to try and 'hack' my wifi with a WPA cracking tool. Needless to say that didnt launch my security career but it was quite interesting. There are plenty of tutorials on how to set you capture device in monitor mode so I wont go into that here. If you are curious here is the Airmon-ng website. Please note only certain chipsets are supported in Kali for this. Atheros cards seem to be the defacto standard for monitor mode support but I had a Comfast CF912 and TPLink Archer T9UH adapter ...
Read more

IoT and Smart Home Devices: Part 1

Image
  Source: https://www.sparkfun.com/products/17146                 This is going to be a multi part post going over a little IoT smart plug I picked up on clearance at Walmart. I'll make it clear I'm generally very skeptical about these types of devices so much that I don’t even want my roommates Alexa on the same network as mine. However with these things being so prolific it is best to understand them so we can better protect our networks. Ill start with a little background of the device, how I acquired it, and my research on the brand. I will then do my best to uncover any (hopefully) FCC filings and their documentation. From there we will explore a bit of the theory on how the majority of these cheaper devices connect to our networks. Lastly Ill do my best to capture packets during the join process but we will see how that goes with my limited setup.  I was looking to purchase a new Roku and since Walmart was the closest st...
Read more

Frame Exploration: Authentication Frames

Image
Authentication Frames in 802.11 are not about verifying the identity of clients or forming a secure connection. These frames are used to ensure each radio is actually a valid .11 device that can communicate on the network. It has been described similarly to plugging a network cable into the wall or switch.  Please note this is only valid for networks using WPA or WPA2. WPA3 introduces SAE (Simultaneous Authentication of Equals) and uses a 4 message exchange for authentication. We will be looking at Open System Authentication frames here.  In the above we have the two frame exchange between the client device and the AP. Each message is the essentially the same and contains a Sequence Number and Status Code to tell whether or not authentication was successful.  As with all other frames we can look at the FCF to verify what type of message it is too. And that's all there really is to it. If each radio can authenticate with one another they can proceed to the Association stag...
Read more