Would anybody be willing to give me some conceptual networking information?
-
I also don't want to have to audit their devices before I allow it
This is a very good point for isolation, which I failed to mention - thanks for posting that. Problem is most any guest on my network would be a box I setup or support (friends and family) so not so worried about them being infected.. But yes very good point indeed.
I am in the market for a new AP sometime in the not so distant future - if these APs can do VLANs for different SSIDs, I'm going to take a look into that. Just from a play/testing aspect that would be nice to be able to do, and prob update my dated wrt54g AP ;)
-
There is no point in using Enterprise wireless security. It does NOT use better encryption, in fact it uses the same thing, WPA2/AES. Enterprise wifi security makes MANAGEMENT easier for lots of users, as you can set it up such that each user has their own account (typically you will use Active Directory accounts). This allows you to revoke an individual user's account when they leave the company, for example. In your situation, it has zero advantages, and only makes things more complicated, for no reason.
If you just use WPA2 Personal/PSK then you ARE using the same encryption as an "enterprise setup".
Re-read whatever you read, WPA cannot be easily hacked. WEP can, and also WPS (WiFi Protected Setup) has some mild vulnerabilities, but WPA2/AES IS secure.
Making a second SSID for your neighbors is pretty pointless, unless you connect it to a different NIC on pfSense and keep it isolated from your LAN (you could use VLANs here, and conceptually that would be identical.)
-
I would like to thank you all very, very much for your advice. And I hope you will forgive me and will not shoot me (please don't :'(), but even though it is very clear to me that what I want to do is overkill, I still want to do it. Even though it is overkill. Please don't be mad at me for not taking your expert advice in this matter :-\
And having asked you not to be mad at me, I was hoping somebody would still be able to give me some clues ( :-[).
By now I have studied a lot, and have read probably a 1000 'how to implement' blog posts and stuff. There are some shortcomings in what is described, shortcomings as in: some things are left out. Things that a noob like me needs. For example, there is a lot of talking about 'NAS' but without definitions, which confused me for days, as NAS for me stands for my Synology Network Attached Storage. I have by now found out it may also mean: 'Network Access Server'. But then, what does it do? Because there are also 'clients', and 'users', and sometimes the NAS is supposed to be the 'client', in other blogs the 'client' is the WAP, sometimes the 'client' is the LAN-computer, but then sometimes the LAN-computer is 'the user', and so it becomes confusing.
Next most of the blog posts deal with installing freeradius (apt-get etc), and then creating keys, editing some config files on the CLI, to then finally end with 'and now the user can login with his user name and password'. But that is not what I want: I want to automatically access using certificates (just as I use rsync to automatically backup my Windows machines to my Synology from a batch file; this also uses public and private keys (cygwin)). And I am also in the dark as to how to setup my switch.
If I may, I will write what I think I understand by now. Again, given my hardware is PFS, the HP switch, the UniFi UAP-PRO WAP, my laptop, and my LAN-computers (and the Synology servers):
- At first I will have to tell PFS who is the 'client', and the 'client' appears to be the UAP-PRO WAP. The role of the client as I understand it is that this appliance will be allowed to connect to the Radius server in the first place (if I indeed understood this correctly, then I think it will follow that the Switch has to be a 'client' also, in order for the LAN-computers to be authenticated also. I am still confused as to how this will work together as the WAP goes into the switch also). If my 'gambling about what is what and does what' is correct, then this concept of a client is the first line of defense; the user names and passwords are the second line of defense.
- Next, I will have to tell the WAP that it is no longer to accept 'clients', which are now the wireless devices (the confusion ;D) by a simple password (the 'PSK'), but that it has to ask the external Radius server if the wireless device ('client') is allowed access. I have found that in the setup of the WAP, so this shouldn't be a problem.
- So, if the above is true, then my guess is the following happens when my laptop wants to connect to the WAP: [ A ] the WAP connects to the PFS, third floor, where the 'radius department' is ( ;D) and asks if this laptop is allowed access. If the Radius department confirms this to the WAP, [ B ] the WAP calls the second floor of the PFS, where the DHCP-server department houses, and asks for an IP-address, either static or dynamic.
- It shouldn't be necessary to use a user name and password, as we can use certificates. These are generated in two steps: [ A ] a master 'CA' certificate is generated in order to be able to [ B ] sign the 'client' (here we go again: confusion ;D) = laptop identification certificates with. This signing of the certificates in [ B ] by [ A ] is necessary because the [ B ]-certificates have to be 'trusted' (e.g. no unsigned certificates). When all this is done, the 'client' (= laptop) certificates are then installed in the network adapter properties of the laptop, and the adapter is also told to use these certificates to start up the authorization process towards the Radius server.
I hope I understood this correctly, and if I didn't, please do correct me (and thank you in advance for doing so :P).
After trying to read all this between the more kind of 'enter this command in the CLI'-blog posts, some things remain unclear:
-
Why do we still need 'users' and 'passwords'? We are already authenticating with certificates?
-
The switch. No blog-post I found deals with this, but my question is: I will have to instruct my switch also (just as the access point), that it is not 'blindly' to allow access to anybody who plugs a cable into the switch, but that it will also first have to ask the Radius-department if access is allowed. Now it is more or less that I do find the manual of HP also to be a little bit too 'press this button and then that', instead of explaining first what needs to be done. So my question is: is it as simple as it is with the WAP (tell it to use WPA2-Enterprise and the address of the Radius-server), or do I need to do more on the switch? (For example, does the switch need a certificate itself or something like that?)
-
If I implement Radius for the laptop, does this mean it will be mandatory for the wired computers on the LAN also? (I am suspecting that, since we'll tell the switch to use Radius (unless this isn't necessary), so once the switch uses Radius, I might suspect it to use it always and everywhere, so also for the LAN-wired computers). Or isn't this necessary if we use VLANs? As in: on the switch there are two VLANs, one for the wireless part, which uses Radius, and one for the wired part, which doesn't use Radius. But then of course the next problem comes up (and this is just because I still don't understand VLANs): how can computers in different VLANs talk to each other? As the laptop will be in VLAN1, but the Synology server is wired and so will be in VLAN2. And you would want the laptop to be able to access data on the Synology file server.
I hope you see that I am really trying very hard to understand how it all works, and am not asking for 'can anybody give me a step by step point and click instruction because I am too lazy to study myself' ;D
But with all that I have found now, I am at a block right now, and would really appreciate very much some leads as to the open/remaining points.
Thank you all for reading this massive post ;D
Bye,
-
Hmm, just to be sure, as mentioned above this will probably not make your network any more secure than it already is. Using radius authentication simply makes it easier to manage a large number of wireless devices. If you are doing this just to further your own knowledge then that's fine. :)
Reading through that I spot a couple of things:
The wireless encryption works at layer 2. Thus it happens before any IP addresses are assigned. The WAP only decides whether or not to accept the wireless device trying to connect. Once it has allowed that, the wireless device talks directly to the DHCP server in pfSense.
Computers in different VLANs can talk to each other because pfSense routes traffic between its different interfaces, including any VLAN interfaces.
I have to say that this is quite complex stuff beyond my normal level of tinkering. If I were attempting to do this I would expect it to take a number of tries and a lot of reading! ;)
Steve
-
Thanks very much Steve ;D
So far I discovered three things that supposedly would make WPA2-Enterprise/Radius stronger:
1. The encryption key is stronger
2. The encryption key gets renewed every 30 minutes by the Radius server (based on a default policy in networking that any wireless device does this every 30 minutes or something like that. The Radius server then takes this 'opportunity' to issue new unique temporary encryption keys).
3. I forgot (ever since my accident I have trouble remembering things I thought about in the last hour :-).
I did find some good tutorials (I think) on setting it up, and I think it won't be that much work. My only 'big' question remaining right now is how my switch-config fits into all this. I hope somebody would be willing to shed a light on that.
Thanks again Steve :P
-
"1. The encryption key is stronger"
No, where did you read that? You do understand - with radius it's whatever the user password is that is preventing someone from access. Users pick Shitty Passwords ;) While with psk you would pick it, and it would be something strong and random-like. Are you really going to have your users use a 20+ character password?
Where are you reading this?? Because either you're not understanding what you're reading correctly, or reading something that has nothing to do with the actual security of the system.
Unless you're using eap-tls and require a cert to auth with, you can forget about the encryption strength because the weakest link is the key.. Be it a PSK or user's name and password with radius. All that is going to be required to access your wireless network switching from WPA2 - PSK, to WPA2 with radius or enterprise is I know or guess the key. Now with enterprise I would need username along with password. But normally those would be simple to guess or obtain and then the password is going to be way weaker than a PSK normally is.
If you want to play with setting up radius auth for your wireless - go for it, but it's not going to make your setup any more secure. And is only complicating something that requires no complication.
If you want to secure your network more, then sure you can vlan it off and then use ACLs between your network and your wireless network. So that even if wireless is compromised they have little access, and could isolate guest wireless from normal wireless so that "guests" don't have any access to your nas, etc.. But radius by itself vs psk is not making your network more secure - if anything less. Since now you will have More Passwords that could be guessed vs just the 1 ;)
-
With relatively few users using certificates becomes logistically possible.
It's a while since I really looked into this but from my recollection the potential encryption strength of enterprise vs SOHO was equal. However I would say that by default the encryption level of straight WPA2 is probably less than choosing enterprise. That is to say you can configure WPA2 to use an equally high encryption strength but it may not be by default. Using external authentication pretty much forces you to configure everything so you're likely to choose the strongest settings.
So in answer to your questions:
1. Perhaps by default but not necessarily
2. You can set the re-keying interval.
3. No rebuttal! ;D
Steve
-
"the encryption level of straight WPA2 is probably less than choosing enterprise."
What???
What radius can bring to the table is protection against brute force attacks against short passwords that the user might choose, because you could lock out the account after say 3 bad attempts. Which is something you could not do with a PSK, or you would lock everyone out, etc.
Let's not forget that in many enterprise setups the account and password used to auth against the wireless are also their AD creds. So if someone gets the creds to auth to the wireless, then quite possibly they have the creds to auth against the resources on the network.
While when using PSK, they may be able to get on the network - they would not have creds to auth against resources on the network.
Using enterprise to auth makes sense, as already brought up, when you have multiple users and need the ability to change the ability of 1 user to use the wireless without affecting your other users. I would not say that it's more or less secure than PSK out of the box. And depending there can be added security risks with using it - so depending on the setup you could say that enterprise is less secure than psk. But without the details of how each would be set up it's hard to say.
One thing for sure - it makes it more complex, which can make the network less reliable - more things that can fail. So whether you make the network more complex to set up and maintain or not depends on your needs. And sorry, in a home setup, it is unlikely that enterprise type auth makes any sense to use.
Now if all you're after is learning - then sure go for it. But it's going to make accessing and maintaining access to your network more complex than it needs to be, that is for sure. And if anything, what comes with complexity is the possibility of overlooking something, and in the long run having a hole in your security for no reason.
-
Yes, I worded that badly. :-[
What I meant is that the default settings of a SOHO wireless access point could be less secure than those that are selected when you choose to use external authentication. Purely because most access points have default settings that allow them to work with the greatest number of devices out there reducing support calls. By less secure I mean shorter key length, tkip over aes, longer re-keying interval etc.
There are still access points out there that default to no encryption at all. Thankfully they are hard to find these days.
Steve
-
While it might be possible to select wpa2 with tkip+aes, I have never seen a soho wireless router or ap where that would be the default when picking from a drop down for wpa - psk, or wpa2 - psk.
By default wpa2 would be AES, this is a requirement of the standard.. To use wpa2 with tkip would be a compatibility type mode that sure is possible, but would not be the default.
And key length of your psk would be something the user would have to pick, while I agree wireless devices should require a min length that is secure, and warn the user and have them agree if picking something short, etc..
Where I disagree is that with using radius it's quite common to see an enterprise password policy of only 7 characters, at most 8 in length. Now hopefully they have a lock out feature with say 3 bad, etc. And you do have to know what eap they are using, etc. But since usernames are quite often just the email address of a user, which is public info, and then a short password, it's quite possible for ent to be less secure than psk.
Keep in mind that with using enterprise auth, it is in theory possible for me to just do a dos type attack against a company by just sitting in a parking lot and doing random brute force against all of their email names, or just random - looking to lock out all of their accounts ;) Now not only do I lock out their users from wireless - I also can lock them out of their resources on the wired lan by locking out accounts..
Security: there are +'s and -'s to every security scheme - where it makes sense to use enterprise type auth is in an enterprise ;) It does not when you're talking a handful of users in a home or small office.
-
Like I say it's a while since I last looked into this in any detail and my memory isn't what it used to be. I'm fairly sure that the last access point I configured defaulted to tkip so perhaps it was using wpa. In fact the actual last access point I dealt with was a much older model that had forgotten its settings and defaulted to completely open.
Anyway I think we are in agreement that external authentication offers nothing by way of encryption security that can't be had by simply configuring the access point correctly. :)
Steve
-
Agreed ;) In a home or small business all enterprise is buying you is complexity..
Now if he wants to play with setting it up - more power to him. But if what he is looking to do is have a secure and rock solid setup, no, not the direction he should go.
Now isolation of services via network segments/vlans and ACLs – clearly will add complexity to the config. But sure it's a good idea to only allow specific segments access to only the resources they need on a different segment.
If box A on segment A needs to talk to box B on segment B on ports http and https -- then sure lock that down via an ACL to only allow that traffic on your firewall between your segments! This is always good common security practice. Can get to be a bit much for a home setup, and can add a lot more overhead to your network management.
But I think the OP is jumping ahead in the book ;) If he does not even understand how vlans talk to each other.. Maybe you should work that out before trying to work out how to set up an enterprise wireless solution..
-
Congratulations, you won ( :D :D :D).
I am taking the knowledge, experience and wisdom that you have extremely seriously, just as I am extremely grateful that you devote your time to helping me out (thank you, again, very much :P).
As you go to great length to tell me I should not be wanting this, for now I will, finally (I am a stubborn person ;D), follow your recommendations. I will not do Radius for the time being. You won ;D
So I will be using WPA2-PSK with the maximum key (63 characters, I think I read somewhere). But still, I am wondering how to secure it more. The old wish is still this: I would like to allow my own laptop (and later on the tablet I will be buying for my lovely wife who still stays with me despite all my shortfalls ( ;D)) to access the wired Synology NAS (pictures of our long gone but very very beloved dogs, ebooks, movies). At the same time minimizing the risk of a hacker accessing that Synology.
There is one option in the Pfs DHCP that says 'deny unknown clients'. Would this be sufficient? Or should I indeed go the route of different VLANs, one for wired and one for wireless, and then 'some' firewall rules that allow specific (fixed, all my LAN-devices are fixed, as this makes rsync scripts easier) IPs access from VLAN1 to VLAN2?
Not that I have a clue as to how to set this up. Just to clarify: in addition to donating financially (although not much, I am not rich) to the PFS-project, I have also bought the book 'pfSense: The Definitive Guide', also to sponsor this project. I've read parts of it, and it definitely is a good book. I do realize however that I am some sort of a 'strange breed': the book obviously has been written assuming more background knowledge than I have (I am an economist, not an IT-technician), so at some points in the book I have difficulties attaching to the subject. So I feel the book alone is not sufficient for me (still stressing it is a good book).
So would you perhaps be willing to give me some high level instruction on how to proceed? Again, I don't expect a 'click here and click there' reply, but if you would be willing to tell me: 'set up VLAN x and VLAN y, make firewall rules as follows to allow/deny XYZ, make sure ABC are right in the PFS configuration', then I would have a clue as to what to study next.
I apologise for me being such a noob, and I do assure you: I really can do your taxes, that is my area of expertise ;D ;D ;D
Thank you again for all your help, it is deeply appreciated,
Bye,
-
"So I will be using WPA2-PSK with the maximum key (63 characters, "
Dude that is just over the top ;) 20 should be enough, if you're paranoid use 25 ;)
Setting up mac controls in dhcp or not even running dhcp is also suggested in the 6 dumbest ways to secure your wireless lists.. They are not security methods, they are controls. But do you really think someone that just hacked a 63 character psk is going to have an issue with you not giving him an IP address via dhcp??
If you want to isolate your wired from your wireless - then sure vlans or actual physical segments is the way to do it. Does the risk of a possible breach of your secure PSK in a home setup warrant it, prob not. But hey if you want to segment your network and put in ACLs between them - sure have fun.
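The "lock it down via an ACL between segments" advice above, and the OP's question about letting specific fixed IPs cross from the wireless VLAN to the wired VLAN, both come down to an ordered, first-match rule set with an implicit default deny. The following is an added example, not code from this thread or from pfSense: a small model of that evaluation over constructed addresses (10.0.1.0/24 wireless, 10.0.2.0/24 wired, a laptop and a Synology at assumed fixed IPs) so a rule set can be checked on paper before it is typed into the firewall. It also shows why rule order matters: the same rules reversed let everything through.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed addressing (assumed values, not from the original posts).
WIRELESS_VLAN = "10.0.1.0/24"   # segment the access point sits on
WIRED_VLAN = "10.0.2.0/24"      # segment with the switch ports and the NAS
LAPTOP = "10.0.1.10"            # fixed IP, as the OP uses fixed addresses
SYNOLOGY = "10.0.2.20"          # fixed IP of the wired NAS


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    src: str                             # CIDR or single host
    dst: str                             # CIDR or single host
    proto: Optional[str] = None          # None matches any protocol
    dports: Optional[frozenset] = None   # None matches any destination port

    def matches(self, f: Flow) -> bool:
        if ipaddress.ip_address(f.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(f.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != f.proto:
            return False
        if self.dports is not None and f.dport not in self.dports:
            return False
        return True


def evaluate(rules: Sequence[Rule], flow: Flow) -> str:
    """First matching rule decides; no match falls to the implicit default deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "block"


# Rules as they would sit on the wireless interface, most specific first:
# 1. only the laptop reaches the NAS, and only on rsync-over-ssh and SMB;
# 2. nothing else from wireless may cross into the wired segment;
# 3. everything on wireless may still go out to the internet.
WIRELESS_RULES = (
    Rule("pass", LAPTOP, SYNOLOGY, "tcp", frozenset({22, 445})),
    Rule("block", WIRELESS_VLAN, WIRED_VLAN),
    Rule("pass", WIRELESS_VLAN, "0.0.0.0/0"),
)


if __name__ == "__main__":
    for flow in (
        Flow(LAPTOP, SYNOLOGY, "tcp", 445),        # laptop -> NAS SMB: pass
        Flow(LAPTOP, SYNOLOGY, "tcp", 5000),       # laptop -> NAS other port: block
        Flow("10.0.1.50", SYNOLOGY, "tcp", 445),   # unknown wireless host: block
        Flow("10.0.1.50", "198.51.100.7", "tcp", 443),  # wireless -> internet: pass
    ):
        print(flow, "->", evaluate(WIRELESS_RULES, flow))
    # Reversed order puts the catch-all pass first, so the isolation rule never fires.
    print("reversed:", evaluate(tuple(reversed(WIRELESS_RULES)),
                                Flow("10.0.1.50", SYNOLOGY, "tcp", 445)))
```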
-
Separating your wireless and wired traffic is something I would recommend just to make it easier to control your traffic.
If you want to get a paranoia level of security you could set up a vpn server in pfSense and then configure your wireless interface firewall rules to only allow access to that. Then all your wireless devices would have to connect to the vpn server to get access to anything. VPN encryption level can be anything you choose. Potentially you could use two factor authentication or something! ;)
Steve
-
I still have to do this all, but I don't have enough time :-\
Thank you for your reply, Steve ;D