News items for tag wifi - Koos van den Hout

2022-08-24 Digging into WPA Enterprise authentication packets
After digging into setting up radius and WPA Enterprise with an Asus WL300g accesspoint the next step was to peek into the traffic on a client.

For that part I used a linux machine with a wired and wireless interface and used tcpdump to try to capture the wireless authentication packets. I configured /etc/network/interfaces for wpa enterprise, based on the eduroam examples.

And this worked, starting the capture:
root@ritchie:~# ifconfig wlan0 up
root@ritchie:~# tcpdump -ni wlan0 -w wlanstart.pcap -s 0 -u -v
And I typed in another window 'ifup wlan0'. This resulted in a capture with the right Extensible Authentication Protocol (EAP) packets included:
root@ritchie:~# tcpdump -nr wlanstart.pcap -v
reading from file wlanstart.pcap, link-type EN10MB (Ethernet)
16:47:39.658963 EAP packet (0) v2, len 5, Request (1), id 0, len 5
                 Type Identity (1)
16:47:39.660863 EAP packet (0) v1, len 25, Response (2), id 0, len 25
                 Type Identity (1), Identity: anonymous@idefix.net
16:47:39.662840 IP6 (hlim 1, next-header Options (0) payload length: 56) :: > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 2 group record(s) [gaddr ff02::1:ff23:123 to_in, 0 source(s)] [gaddr ff02::1:ff84:afe0 to_ex, 0 source(s)]
16:47:39.668736 EAP packet (0) v2, len 6, Request (1), id 1, len 6
                 Type TTLS (21) TTLSv0 flags [Start bit] 0x20,
16:47:39.670420 EAP packet (0) v1, len 6, Response (2), id 1, len 6
                 Type Nak (3) unknown (25),
16:47:39.682125 EAP packet (0) v2, len 6, Request (1), id 2, len 6
                 Type unknown (25)
16:47:39.741150 EAP packet (0) v1, len 203, Response (2), id 2, len 203
                 Type unknown (25)
16:47:39.756343 EAP packet (0) v2, len 1004, Request (1), id 3, len 1004
                 Type unknown (25)
16:47:39.756598 EAP packet (0) v1, len 6, Response (2), id 3, len 6
                 Type unknown (25)
16:47:39.834920 EAP packet (0) v2, len 1000, Request (1), id 4, len 1000
                 Type unknown (25)
16:47:39.835159 EAP packet (0) v1, len 6, Response (2), id 4, len 6
                 Type unknown (25)
16:47:39.842070 EAP packet (0) v2, len 1000, Request (1), id 5, len 1000
                 Type unknown (25)
16:47:39.842318 EAP packet (0) v1, len 6, Response (2), id 5, len 6
                 Type unknown (25)
16:47:39.866174 EAP packet (0) v2, len 79, Request (1), id 6, len 79
                 Type unknown (25)
16:47:40.006260 EAP packet (0) v1, len 144, Response (2), id 6, len 144
                 Type unknown (25)
16:47:40.014338 EAP packet (0) v2, len 65, Request (1), id 7, len 65
                 Type unknown (25)
16:47:40.016467 EAP packet (0) v1, len 6, Response (2), id 7, len 6
                 Type unknown (25)
16:47:40.028765 EAP packet (0) v2, len 43, Request (1), id 8, len 43
                 Type unknown (25)
16:47:40.029290 EAP packet (0) v1, len 96, Response (2), id 8, len 96
                 Type unknown (25)
16:47:40.036381 EAP packet (0) v2, len 75, Request (1), id 9, len 75
                 Type unknown (25)
16:47:40.043383 EAP packet (0) v1, len 144, Response (2), id 9, len 144
                 Type unknown (25)
16:47:40.057720 EAP packet (0) v2, len 91, Request (1), id 10, len 91
                 Type unknown (25)
16:47:40.058739 EAP packet (0) v1, len 80, Response (2), id 10, len 80
                 Type unknown (25)
16:47:40.071176 EAP packet (0) v2, len 43, Request (1), id 11, len 43
                 Type unknown (25)
16:47:40.072087 EAP packet (0) v1, len 80, Response (2), id 11, len 80
                 Type unknown (25)
16:47:40.082689 EAP packet (0) v2, len 4, Success (3), id 11, len 4
16:47:40.082865 EAPOL key (3) v2, len 117
16:47:40.091607 EAPOL key (3) v1, len 117
16:47:40.107041 EAPOL key (3) v2, len 175
16:47:40.107839 EAPOL key (3) v1, len 95
At the same time I captured the radius traffic. Now time to correlate those two traffic streams in wireshark.
Read the rest of Digging into WPA Enterprise authentication packets

Tags: , , ,
2022-08-23 Testing with radius and 802.1x authentication on wifi
For work I am looking into how Wi-Fi Protected Access (WPA) actually works down to the byte level, to be able to explain what actually happens and where the security strenghts and weaknesses are.

To set this up I need a separation between the access-point and the authentication server. I dug up an old Asus WL300g access-point and looked at FreeRADIUS as authentication, authorization and auditing (AAA) server. I followed the A very basic (but functional) eduroam configuration - FreeRADIUS wiki guide to get to a working setup, but with different passwords.

Getting the access-point to talk to a radius server took a bit of searching and trying: I assumed that "802.1x" which is extended to "Radius with 802.1x" was the right mode to use a radius server in the background, but it turned out this didn't do what I want. I saw no communication with the radius server and I didn't see the SSID advertised.

The right mode is "WPA" and things started to work that way. It still needs a few settings to talk to the radius server: IP address, port and shared secret.

I chose to go the 'eduroam' way because that is what I am used to from work. This does mean I had to set a home domain idefix.net for authentication. With eduroam I also get Extensible Authentication Protol (EAP) extensions to handle with the real user data. The result is an outer authentication layer visible to the first radius server in the path and an inner authentication layer only visible to the final radius server in the path. Although both the outer and the inner authentication servers run on the same freeradius server they are separate configurations with a trust relation between them.

The traffic to the inner authentication server is wrapped in TLS and needs a certificate. I used LetsEncrypt to generate a trusted certificate. I noticed I am at a point where generating a valid LetsEncrypt certificate was easier for me than fiddling with self-signed certificates. So I could set up my phone to require a valid certificate for radius.idefix.net.

All of this worked and I had a WPA Enterprise connection with the access-point and a lot of debug logging in freeradius.

My next plan is to find some computer with a network card where I can run wpa_supplicant while at the same time grabbing all the raw 802.11 frames and analyzing/understanding the traffic. I will also look at the radius traffic between access-point and outer radius server, and the radius traffic between outer and inner radius server.

Tags: , , ,
2022-02-25 Why the wifi in the shed is probably unreliable
I used the raspberry pi in the shed to do a wifi scan, to get an idea of the usage of the 2.4 GHz wifi band as seen in the shed.

This finds 18 to 22 networks, with our own network not as the strongest network. As you can imagine most channels have multiple networks on them. And the overlap in wifi channels makes this worse: the networks on channel 2 see interference from those on channel 1.

From the list of networks, with names and address information removed, just leaving signal strength and channel / frequency:
-93 dBm, ch   1, 2412 MHz
-91 dBm, ch   1, 2412 MHz
-92 dBm, ch   1, 2412 MHz
-72 dBm, ch   1, 2412 MHz
-92 dBm, ch   1, 2412 MHz
-88 dBm, ch   1, 2412 MHz
-92 dBm, ch   1, 2412 MHz
-91 dBm, ch   2, 2417 MHz
-80 dBm, ch   2, 2417 MHz
-90 dBm, ch   3, 2422 MHz
-94 dBm, ch   4, 2427 MHz
-93 dBm, ch   5, 2432 MHz
-94 dBm, ch   5, 2432 MHz
-80 dBm, ch   6, 2437 MHz
-94 dBm, ch   8, 2447 MHz
-95 dBm, ch   8, 2447 MHz
-94 dBm, ch   9, 2452 MHz
-95 dBm, ch   9, 2452 MHz
-77 dBm, ch  10, 2457 MHz
-84 dBm, ch  11, 2462 MHz
-93 dBm, ch  11, 2462 MHz
This is a right mess. If I ever want reliable wifi in the back garden/shed I will have to have an extra access-point there. This option of having wireless vlan(s) available in the shed has influenced the choice in switch for the shed.

Tags: , ,
2022-02-22 Shed switch ordered
In the project to upgrade the connectivity to our shed I ordered a switch with sfp slots: a netgear GS310TP. The choice is to have the same brand as in other places in the network so I can select compatible SFP modules easily. With this switch I also have vlan support so I can have a wifi access point in the shed if I want.

Tags: , ,
2022-02-08 Upgrading the fiber to the shed network
The current fiber to the shed network is working fine but only gives the Raspberry Pi based NTP server network at a speed of 100 mbit.

The link is working fine but the next device with network problems due to unreliable wifi is showing up: the solarpanel inverter in the shed is sometimes unreachable for my solar inverter monitoring using modbus/tcp and that means I 'miss' measurements. The propetairy monitoring that solaredge does can deal with interruptions in reachability and upload older data, but the modbus/tcp monitoring I use can only access real-time data.

My first plan was to look at industrial switches because of the extended temperature and humidity ranges in the shed. But having both 'industrial' and 'sfp slot' costs a lot of money.

My next thought is to put all the possibly sensitive electronics in one case and hope the temperature and humidity inside that case stay within a reasonable range. This thought is based on the fact that the Raspberry Pi based NTP server functions fine in a not very closed wooden box without being affected by temperature or humidity.

Tags: , ,
2020-06-20 A new home timeserver: first parts, a Raspberry Pi
And yet another Raspberry Pi is showing up for my home network. This will become the GPS-based timeserver. I may add it to the NTP Pool when I'm satisfied enough with it.

It will probably also replace the 'shed' weather station computer in the long run, to save on power use.

I added an extra USB-based wifi adapter to the Pi. The shed has no wired network and my experience with the other computer there is that dual-band (2.4 GHz and 5 GHz) wifi support is the best way to have a chance to get working network.

I also ordered the Raspberry Pi GPS/RTC Expansion Board directly from uputronics.

Tags: , , ,
2017-07-17 Wireless access-point TP-LINK TL-WDR4300 firmware
Recently the wireless access-point decided that I should not have access to the management interface. I even tried both the IPv4 address I assigned and the default IPv4 address it gets. And the last days I noticed strange delays, which may have been caused by channel overlaps. So I wanted access to the management interface to check the channel settings. I noticed the management interface decided to respond again on the IPv4 address I assigned, and I saw new firmware available which should also help with some stability issues.

Firmware upgraded, and after the upgrade and automatic reboot my access was gone again. Time for the suggested factory reset to get everything back to normal. Done, and I was able to set it up again from scratch with the right configuration.

Maybe I should start running some kind of wiki or something to keep internal documentation of my home network. I had a hard time remembering several details of my own setup recently.

Tags: , ,
2016-06-16 Connecting to eduroam with the new laptop
For the first time I brought my new personal laptop to a place where I could use eduroam wireless network. This gave some trouble, eduroam did not work out of the box. I had to set the authentication method to 'Protected EAP (PEAP)' and set the inner authentication correct. And I had to set the CA-Certificate to check. If you don't set it, network manager settings will ask if you are sure, but if you say you are sure the net result in the background is that the request for a valid certificate is set but there is no certificate set to check against, resulting in the connection not working.

Tags: , , ,
2016-04-01 Forcing a dual-band wireless card to 2.4 GHz channels
The wireless card of the weather station computer in the shed is dual-band but with only a 2.4 GHz capable antenna. Since the house access-point is configured to support both 2.4 GHz and 5 GHz channels the system sometimes selects the 5 GHz access and keeps having serious packet loss. I looked at ways to convince the driver to select 2.4 GHz channels only but found none, but then I found out wpa_supplicant can do this. But I configure wpa_supplicant through wpa-* options in /etc/network/interfaces so I had to find out how to configure it using those. The manpages for the interfaces file is very limited on the wpa-* options, but I found an explanation that a lot of wpa_supplicant options are supported, including the one to select frequencies. The sneaky part is that the option in wpa_supplicant.conf is freq_list and the option in /etc/network/interfaces is wpa-freq-list. A rather complete list can be found at Where can I find a full list of wpa-* options for the interfaces file? - superuser.com. So now I have in /etc/network/interfaces:
auto wlan0
iface wlan0 inet dhcp
        wpa-ssid default
        wpa-psk VerySecret
        wpa-freq-list 2412 2417 2422 2427 2432 2437 2442 2452 2457 2462 2467 2472
The ideal solution is to order a dual-band (2.4 GHz and 5 GHz) antenna.

Update: Noticeable absent are channels 12 and 13 which are available for regulatory domain NL but are not listed when I ask the driver for available channels:
koos@ritchie:~$ /sbin/iwlist wlan0 chann
wlan0     19 channels in total; available frequencies :
          Channel 01 : 2.412 GHz
          Channel 02 : 2.417 GHz
          Channel 03 : 2.422 GHz
          Channel 04 : 2.427 GHz
          Channel 05 : 2.432 GHz
          Channel 06 : 2.437 GHz
          Channel 07 : 2.442 GHz
          Channel 08 : 2.447 GHz
          Channel 09 : 2.452 GHz
          Channel 10 : 2.457 GHz
          Channel 11 : 2.462 GHz
          Channel 36 : 5.18 GHz
          Channel 40 : 5.2 GHz
          Channel 44 : 5.22 GHz
          Channel 48 : 5.24 GHz
          Channel 52 : 5.26 GHz
          Channel 56 : 5.28 GHz
          Channel 60 : 5.3 GHz
          Channel 64 : 5.32 GHz
          Current Frequency:2.462 GHz (Channel 11)
And now I wonder why those are missing.

Tags: , , ,
2016-01-21 Sniffing insecure wireless networks
For an upcoming demonstration about security I plan to play with sniffing insecure wireless networks.

I currently have a 'WiFi Pineapple' to play with which makes this quite easy. I created an open wireless network with the SSID of a very popular open network which should be 'attractive' to the visitors of the demonstration and I play with tools to show what can be found in the passing datastream.

First of all dsniff for decoding usernames/passwords in a lot of open protocols, like:
dsniff: listening on
-----------------
01/21/16 21:54:47 tcp xx.yy.zz.60683 -> ftp3.xs4all.net.21 (ftp)
USER ftp
PASS koos@

-----------------
01/21/16 22:05:49 tcp xx.yy.zz.35913 -> pop.xs4all.nl.110 (pop3)
USER bestaatniet
PASS weetikniet
It took me a while to get dsniff working: it does not 'see' connections that originate on the system it is running on, which was my 'preferred' way to test it.

And a more visual one: driftnet for picking out all images from passing traffic. It's a strong visual thing when you see the images from a site you visit popping up in another screen.

Tags: , ,

IPv6 check

Running test...
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

RSS
Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated by $Id: newstag.cgi,v 1.37 2022/02/15 21:48:19 koos Exp $ in 0.039476 seconds.