Cameras and Wireless Security with OpenBSD

2004-09-27

I started looking at digital cameras today and came across the Canon Powershot A75. Of all the sites that I checked out, it seemed to be the "most bang for the buck". It's more of a point-and-shoot camera than anything else, perfect for what I plan to use it for.

Also spent some time at the mall earlier. I ended up buying a couple of books (how lame). One of which was Wireless Hacks by Rob Flickenger. I've been meaning to get this one for a while but haven't been to Barnes & Noble in a while.

Anyway, as I was reading through the first couple pages of it I came across a section where each protocol is defined and explained in very basic terms. It really just reiterated things that I already knew, but I also learned a few new things. One of these protocols piqued my interest though: 802.1X. Now, I know this isn't exactly a wireless protocol, but it's something that I've been meaning to play with for a while. It basically allows port-based authentication, usually authenticating against a RADIUS server on the backend, another topic I've been meaning to put some research into.

After realizing that there wasn't much more about 802.1x in the book, I started looking through the configuration pages of my Linksys WRT54G AP. I found that it indeed had the ability to authenticate against a RADIUS server for WPA clients. So I set about researching the RADIUS server end of things.

Because this is a security-oriented protocol I decided to install it on my OpenBSD firewall. After a quick search through the ports collection I found two RADIUS daemons, cistron and lucent. I was, however, unable to find any real documentation distinguishing the two, so I decided to install the cistron daemon. From what I was able to gather on the net, the cistron daemon was forked to create a much more popular daemon called FreeRADIUS. I didn't feel like compiling FreeRADIUS from source by hand, so I just had the ports collection do all the work with cistron.

After getting it installed and spending a few minutes reading through the man pages, I had added an entry to rc.local to make it run at startup and had an idea of how everything was supposed to fit together. I played with the extremely unintuitive config files for a few minutes and decided to focus my attention elsewhere for now.

I went back into the wireless router's config and turned on WPA RADIUS authentication and gave it the IP of the RADIUS server. At this point, I was at a loss as to how to configure Windows to use RADIUS authentication on the wireless interface. I found a couple of sites detailing how to do an end-to-end setup using Windows Server 2003. I figured that the client portion would be mainly the same and gave it a shot.

It worked up to a certain point. The RADIUS daemon was complaining about an unauthorized connection from the AP. After about an hour of messing with the config files (they really are difficult to understand) I managed to get the daemon to recognize the AP as a RADIUS proxy. At this point, I was getting unauthorized user errors from the daemon and decided to call it a night. I'll play with it some more when I'm not as tired. From the looks of things though, all that I should need to do is add an entry to the users file to make it accept my credentials and allow me port-level access to the AP.
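What the daemon is actually checking when it refuses the AP, and what the AP checks in the reply, as an added example that is not part of the original post or of the cistron daemon's code: a minimal RFC 2865 Access-Request/Access-Accept exchange. The server silently discards a request from an address with no clients-file entry (the "unauthorized connection" case), unhides the PAP User-Password with that client's secret, checks it against a users table, and signs its reply with the Response Authenticator, which the AP verifies under its own copy of the secret. The AP address, secret, username and password are constructed values. WPA with a RADIUS backend tunnels EAP inside the request (EAP-Message attributes, RFC 3579) rather than sending a PAP password, but the shared-secret handling shown here is the same.

```python
"""RFC 2865 Access-Request / Access-Accept with a shared secret (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length incl. header, value."""
    out = b""
    for typ, val in attrs:
        if len(val) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out


def decode_attrs(data):
    """Parse TLVs back into (type, value) pairs, rejecting lengths that run past the packet."""
    attrs = []
    while data:
        typ, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((typ, data[2:length]))
        data = data[length:]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks (min 16), XOR each with MD5(secret + previous block)."""
    padded_len = max(16, (len(password) + 15) // 16 * 16)
    p = password + b"\x00" * (padded_len - len(password))
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(p[i:i + 16], key))
        out += block
        prev = block          # chaining: next key depends on the previous ciphertext block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; a wrong secret yields garbage, never the real password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def access_request(ident, request_auth, username, password, secret, nas_ip=b"\xc0\xa8\x01\x01"):
    """NAS (the AP) side: build an Access-Request with a hidden PAP password."""
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, request_auth)),
                         (NAS_IP_ADDRESS, nas_ip)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def serve(request, src_ip, clients, users):
    """Server side. clients maps NAS IP -> secret (the clients file); users maps name -> password.
    A request from an IP with no clients entry is silently discarded (RFC 2865 3)."""
    secret = clients.get(src_ip)
    if secret is None:
        return None
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return None
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    user = attrs.get(USER_NAME)
    if user in users and hmac.compare_digest(password, users[user]):
        reply_code, body = ACCESS_ACCEPT, encode_attrs([(REPLY_MESSAGE, b"welcome")])
    else:
        reply_code, body = ACCESS_REJECT, encode_attrs([(REPLY_MESSAGE, b"denied")])
    auth = response_authenticator(reply_code, ident, body, request_auth, secret)
    return struct.pack("!BBH", reply_code, ident, 20 + len(body)) + auth + body


def verify_reply(reply, request_auth, secret):
    """NAS side: trust the reply only if its Response Authenticator matches under our secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])


def demo():
    """Constructed AP (192.168.1.1), secret and user; returns (reply code, verified, verified with wrong secret)."""
    secret = b"testing123"
    clients = {"192.168.1.1": secret}
    users = {b"jdoe": b"s3cret"}
    request_auth = os.urandom(16)       # fresh random Request Authenticator per request
    req = access_request(7, request_auth, b"jdoe", b"s3cret", secret)
    reply = serve(req, "192.168.1.1", clients, users)
    return reply[0], verify_reply(reply, request_auth, secret), verify_reply(reply, request_auth, b"wrong")


if __name__ == "__main__":
    print(demo())
```

Two failure modes are worth trying by hand: a request from an address absent from `clients` gets no reply at all, and an AP configured with a secret different from the server's copy gets an Access-Reject rather than an error about the secret, since the unhidden password is simply garbage. The MD5-based hiding is obfuscation keyed by the secret, not encryption, which is one reason a strong, unique secret per NAS and a firewall rule limiting UDP 1812 to the AP's address matter.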

I did notice in a few places that the daemon supports reading usernames from a MySQL database. I've been thinking about this for a while and I've pretty much decided that I'm going to wipe Athena (Windows Server 2003) and install some Unix variant on it. Currently, its responsibilities are external DNS and internally sharing out my music collection. As far as I can recall, it doesn't do anything else.

If I install a *nix system on it I'll be able to use Samba to keep the file shares working and use a chrooted BIND for DNS. It's got a lot more power than my current web server, Artemis, and will allow me to have a box that isn't so restricted. It won't matter if Athena goes down for a few hours while I play with it. I figure that I can install MySQL on it and use it as a backend database for any apps that I write on the web server. This will also give me a lot more flexibility in the area of security. I can try out a few theories that have been floating around the security world lately.

The only question that remains is which Unix variant to install. I've really started to like OpenBSD, but I just don't think it's flexible enough for what I want to do with it. If I were to go the Linux path I would prefer my Linux From Scratch system, Petra, but this would leave me out in the cold for tech support and community mailing lists. However, I've really been itching to play with the GNU/Mach microkernel, so I may build a new LFS system for that. Another possibility would be to use a common Linux distro. I would probably end up with either Debian or Gentoo. I prefer Gentoo, but Debian is a lot more stable and has been tried and tested for quite a long time.

I'm still not quite sure where I'll land myself on this debate but I'll figure something out before I commit a weekend to building a new system. Hmm, that reminds me... It takes two days straight at the console to build a fresh LFS system. I really don't enjoy spending that much time compiling packages so the payoff had better be worth it.

Getting back to the subject here... I bought a copy of Wireless Hacks because I would like to start building some custom hardware to work with my wireless setup and give me some better range. I have very little idea where to start on this so I figured that this would be a good book to learn something from. From the looks of the table of contents, this book is filled with just that kind of stuff... Explaining that strange divide where analog meets digital.