Thursday, March 13, 2014

Make SSL certificate for MikroTik

HTTPS connection enabling

Creating certificate
A trusted SSL certificate can be bought from a public certificate authority, for example VeriSign. A self-signed certificate can be generated by hand with OpenSSL on a Linux box. To do it, issue the following commands in the shell (the key size and signature hash are raised from the original 1024-bit/SHA-1 recipe, which current browsers reject, and the small extension file adds a subjectAltName, which modern browsers check instead of the Common Name):
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
printf 'subjectAltName=DNS:userman.mt.lv\n' > san.cnf
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -extfile san.cnf -out server.crt
Three important things:
  1. Enter the same pass phrase every time you are asked "Enter pass phrase for server.key" (this should be 4 times);
  2. Enter your server's domain name when asked for "Common Name (eg, YOUR name) []". This is important, because otherwise browsers may refuse your certificate. For example, if the User Manager server's address is http://userman.mt.lv/userman, then "userman.mt.lv" must be specified as the Common Name for the certificate;
  3. Put the same domain name in san.cnf, because browsers that check subjectAltName ignore the Common Name. A self-signed certificate still produces a browser warning until it is explicitly trusted; only a certificate from a trusted authority removes the warning.
After doing this, four files will have been created:
  1. server.crt - Certificate, must be uploaded to the router;
  2. server.key - Private key, must be uploaded to the router (keep it protected; anyone holding it can impersonate the server);
  3. server.csr - Signing request, can/should be deleted;
  4. san.cnf - Extension file, can be deleted.
Upload server.crt and server.key to the router and import them, using the same pass phrase again when asked. server.crt must be imported before server.key.
Importing certificate
The certificate file can then be uploaded to the router and imported with the command
/certificate import file-name=...
The command should return
    certificates-imported: 1
    private-keys-imported: 1
           files-imported: 1
      decryption-failures: 0
 keys-with-no-certificate: 0
If it doesn't, the file may contain the private key and certificate sections in the wrong order (key before certificate). In that situation the output will be
    certificates-imported: 1
    private-keys-imported: 0
           files-imported: 1
      decryption-failures: 0
 keys-with-no-certificate: 1
Just repeat the same command
/certificate import file-name=...
once again; this time the output should be
    certificates-imported: 0
    private-keys-imported: 1
           files-imported: 1
      decryption-failures: 0
 keys-with-no-certificate: 0
Now the certificate is imported correctly and ready for use. A non-zero decryption-failures count indicates that the pass phrase given at import did not match the one used with OpenSSL; verify the result with /certificate print before going on.
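The ordering problem above can be avoided before the file is uploaded. The following Python script is an added example, not part of the page or of RouterOS: it reorders the PEM blocks of a combined file so that certificates precede private keys (the order the page says the router expects) and maps the counters printed by /certificate import onto the outcomes described above. The sample bundle and its placeholder base64 bodies are constructed for the example and are not real key material.

```python
"""Prepare a PEM bundle for `/certificate import` and interpret the result.

Added example, not part of the original page or of RouterOS. It assumes the
behaviour the page describes: a file whose private key precedes its
certificate needs a second import pass, so writing the blocks
certificate-first avoids the retry.
"""
import re

# One PEM block: "-----BEGIN X-----" ... "-----END X-----" (same label on both lines).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def parse_pem(text):
    """Return a list of (label, block_text) in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def is_private_key(label):
    """True for 'RSA PRIVATE KEY', 'EC PRIVATE KEY', 'PRIVATE KEY', ..."""
    return label.endswith("PRIVATE KEY")


def order_for_import(text):
    """Rewrite a bundle so every certificate precedes every private key."""
    blocks = parse_pem(text)
    certs = [block for label, block in blocks if not is_private_key(label)]
    keys = [block for label, block in blocks if is_private_key(label)]
    return "\n".join(certs + keys) + "\n"


def parse_import_result(output):
    """Parse the 'name: count' lines RouterOS prints after `/certificate import`."""
    counters = {}
    for line in output.splitlines():
        m = re.match(r"\s*([a-z-]+):\s*(\d+)\s*$", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def import_status(output):
    """Map the counters onto the outcomes the page describes."""
    c = parse_import_result(output)
    if c.get("decryption-failures", 0):
        return "wrong-passphrase"  # pass phrase at import != pass phrase used with OpenSSL
    if c.get("keys-with-no-certificate", 0):
        return "retry-import"  # key seen before its certificate: run the import again
    if c.get("private-keys-imported", 0) or c.get("certificates-imported", 0):
        return "ok"
    return "nothing-imported"


# Constructed sample bundle in the problem order (key first, certificate second).
# The base64 bodies are placeholders, not real key or certificate data.
SAMPLE_BUNDLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

PLACEHOLDERKEYDATA==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTDATA==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(order_for_import(SAMPLE_BUNDLE))
```

Run it over the bundle you intend to upload, or paste the router's counter output into import_status() to decide whether a second import pass is needed or whether the pass phrase was wrong.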
Enabling WWW SSL
SSL connections for the WWW server can be enabled with the command
/ip service set www-ssl disabled=no certificate=cert1
where cert1 must be replaced by the correct certificate name (from the /certificate section). Once HTTPS works, disable the plain-text www service (/ip service disable www) so that User Manager logins are no longer sent unencrypted.


Troubleshooting
1. Authorize.net requires that the time on the server be within 15 minutes of UTC, or you will get a failed transaction; use the NTP client.
2. Your User Manager must be accessible from the internet on port 443. Make sure you have DNS set up properly, or use the IP address for all of your references. Don't forget to open your firewall for port 443 and use NAT to reach your User Manager if it is behind a firewall.
3. You must put the URL of your User Manager instance in your Authorize.net control panel, otherwise transactions fail with:
   Response Reason Code: 14
   Response Reason Text: The Referrer or Relay Response URL is invalid.
   Notes: Applicable only to SIM and WebLink APIs. The Relay Response or Referrer URL does not match the merchant's configured value(s) or is absent.
   To add a valid Response/Receipt URL, follow these steps:
   1: Log in to your Merchant Interface at https://account.authorize.net.
   2: Click Settings in the main left side menu.
   3: Click Response/Receipt URLs.
   4: Click Add URL.
   5: Enter your Response URL.
   6: Click Submit.
4. When entering the above URL, use only the base URL, not /userman, or it won't work.

Saturday, March 8, 2014

Error building eapol_test

Thank you, it works perfectly now!

>> 1- Copy defconfig to .config
>> 2- Uncomment CONFIG_EAPOL_TEST=y
>> 3- Enter: make eapol_test
>>
>> Then it starts building it and in the end this error message is shown:
>>
>> /usr/bin/ld: cannot find -lnl
>
> This is a library used by the nl80211 driver wrapper. You will either
> need to install libnl development package or disable that driver wrapper
> in the build (comment CONFIG_DRIVER_NL80211=y).
>

Friday, March 7, 2014

Authenticating WiFi users with Windows AD + RADIUS Server


First install Active Directory:
http://nilgodhuli.blogspot.com/2014/03/installing-active-directory-on-windows.html
then an enterprise certificate authority:
http://nilgodhuli.blogspot.com/2014/03/how-to-install-enterprise-certificate.html

Installing the Network Policy Server role
  1. Log into the Windows server using Domain Admin credentials.
  2. Open the Server Manager console.
  3. In the Server Manager console right-click Roles and select Add Roles.
  4. When the Add Roles Wizard opens, click Next.
  5. On Select Server Roles, check the box Network Policy and Access Services and click Next.
  6. On Select Role Services, check the boxes Network Policy Server and Health Registration Authority and click Next. (Health Registration Authority is only needed for Network Access Protection; Network Policy Server alone is enough for 802.1X wireless authentication.)
  7. When asked which certification authority the Health Registration Authority should use, choose Use the local CA to issue on this computer.
  8. On the "Confirm Installation Selections" dialog, click Install.
  9. Wait for the Installation Progress to complete.

Configuring RADIUS service

Choose Start | Administrative Tools | Network Policy Server
Right-click on NPS and then click on Register server in Active Directory

Stay on NPS (local) and from the right window choose RADIUS server for 802.1X Wireless or Wired Connections | Click on Configure 802.1X

Choose Secure Wireless Connections | Choose a name | Next

RADIUS clients | Add

Choose a name for the client | Enter the IP address (it has to be fixed) of the client that we are registering | Shared secret: Manual | Enter the shared secret for client identification | OK

Next

Choose Microsoft: Protected EAP (PEAP) | Click on Configure

Certificate properties | Select Secured password (EAP-MSCHAP v2) | click on Edit

Edit the number of authentication retries to the desired value | OK | OK

Next

Choose the groups that will be able to authenticate with RADIUS | Next

Next

Finish
After finishing the configuration click on Start | Administrative Tools | Services, find the NPS service and restart it.
By clicking on RADIUS Clients and Servers | RADIUS Clients I can see the created client. I'm now able to authenticate with RADIUS.
That is the basic setup for the RADIUS server.
You can set up RADIUS in more detail under NPS | Policies | Connection Request Policies or Network Policies.

I'm now directing my attention to Network Policies.
Network Policies | Choose the created WiFiAP policy and right-click | Properties

Tab Constraints | I have chosen even less secure authentication methods for testing purposes. In a production environment you should allow only the most secure methods (the PEAP with EAP-MSCHAP v2 configured above, or EAP-TLS) and remove the weaker ones, since a client can be downgraded to any method the policy still permits.

Tab Settings | Encryption. For testing purposes I left all options ON; in a production environment you should choose only the strongest encryption (MPPE 128-bit).
You should go through all the settings and set up RADIUS to your preferences.

ACCESS POINT setup

I used a Linksys WAP54G. Setup is more or less the same for all APs, although I had some APs that just won't work with a Windows Server based RADIUS server, so be careful when you choose your equipment.

The Access Point should have an ethernet connection to the network environment where the RADIUS server is located.

The Access Point should be set up as follows:
Static IP, same subnet as the RADIUS server (this must be the address you entered for the RADIUS client in NPS, since NPS identifies the client by source address)


Setup as Access Point


Basic Wireless Settings | Set up the SSID name


Wireless Security | Choose WPA Enterprise (my AP is older so it doesn't have WPA2; use WPA2 Enterprise where available) | Encryption AES | RADIUS Server: IP address of the RADIUS server | RADIUS Port: it's usually 1812 | Shared secret: the one you defined while creating the new client in NPS. Use a long random value: a short one such as 984752G2N3 can be recovered offline by brute force from captured RADIUS traffic, and RFC 2865 asks for at least 16 octets.
Key renewal: leave as it is.

Advanced Wireless Settings | Leave default settings.

With this step we configured the AP for communication with RADIUS. Save your settings and reboot the Access Point.
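The shared secret is the only thing that authenticates the AP to NPS and NPS to the AP, which is why a short value is a problem. The following Python script is an added example, not part of this post, of NPS or of the Linksys firmware: it builds the Access-Request the AP sends (with the HMAC-MD5 Message-Authenticator that EAP requires), the Access-Accept the server returns, and the check each side performs on the other's authenticator, then shows that a wrong secret fails both checks. The user name, NAS address, empty Access-Accept and the secret generator are assumptions made for the example.

```python
"""RADIUS shared-secret handling between an access point (NAS) and NPS.

Added example, not part of the original post or of NPS. Both the request's
Message-Authenticator (HMAC-MD5, RFC 2869, mandatory for EAP) and the
server's Response Authenticator (MD5, RFC 2865) are keyed with the shared
secret, so whoever can guess the secret can forge either side.
"""
import hashlib
import hmac
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def generate_shared_secret(nbytes=32):
    """Random secret for the NPS client entry (RFC 2865 asks for at least 16 octets)."""
    return secrets.token_urlsafe(nbytes)


def attribute(type_code, value):
    """RADIUS attribute TLV: Type(1) Length(1, includes the two header bytes) Value."""
    return bytes((type_code, len(value) + 2)) + value


def build_access_request(secret, username, nas_ip, identifier, request_authenticator):
    """AP side: User-Name, NAS-IP-Address and a Message-Authenticator over the whole packet."""
    attrs = attribute(USER_NAME, username.encode())
    attrs += attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    attrs += attribute(MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder, filled in below
    packet = HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the placeholder is the value of the last attribute


def check_message_authenticator(secret, packet):
    """Server side: recompute the HMAC with the Message-Authenticator value zeroed."""
    offset = 20
    while offset + 2 <= len(packet):
        type_code, length = packet[offset], packet[offset + 1]
        if length < 2:
            return False  # malformed attribute
        if type_code == MESSAGE_AUTHENTICATOR and length == 18:
            value = packet[offset + 2:offset + 18]
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        offset += length
    return False  # no Message-Authenticator at all: reject, EAP requires it


def build_access_accept(secret, request_packet, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    identifier = request_packet[1]
    request_authenticator = request_packet[4:20]
    header = HEADER.pack(ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_authenticator = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_authenticator + attrs


def verify_response(secret, request_packet, response_packet):
    """AP side: only a holder of the secret can have produced this Response Authenticator."""
    if len(response_packet) < 20:
        return False
    _code, identifier, length = HEADER.unpack(response_packet[:4])
    if identifier != request_packet[1] or length != len(response_packet):
        return False
    attrs = response_packet[20:]
    expected = hashlib.md5(response_packet[:4] + request_packet[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, response_packet[4:20])


if __name__ == "__main__":
    secret = generate_shared_secret().encode()
    request = build_access_request(secret, "EXAMPLE\\alice", "192.0.2.10", 7, secrets.token_bytes(16))
    accept = build_access_accept(secret, request)
    print("request accepted by server:", check_message_authenticator(secret, request))
    print("response accepted by AP:   ", verify_response(secret, request, accept))
    print("response forged with wrong secret accepted:", verify_response(b"984752G2N3", request, accept))
```

The same MD5 and HMAC-MD5 constructions are what an attacker runs offline against a captured request/response pair when guessing the secret, which is the reason to prefer generate_shared_secret() over a ten-character value.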

Testing


I want to connect my iPhone (iOS 5) to the WiFi network RadiusTest and by that connection test the connection between client, AP and RADIUS server.

On my iPhone, in WiFi networks, I can see the created WiFi network RadiusTest; I'm tapping on it to connect.
I need to authenticate. I entered my domain user account and password in the following form: Domain\user + password | Choose Join
After a few seconds I'm offered the certificate that I created earlier on the RADIUS server | Accept
The iPhone is successfully connected and authenticated on the RADIUS server.
Accepting the server certificate by hand is fine for a test, but in production the clients should receive the CA certificate (for example through a configuration profile) and be configured to validate the RADIUS server's certificate; otherwise a rogue access point presenting any certificate can collect the users' MSCHAPv2 credentials.
With this step, installing, configuring and testing the RADIUS server on Windows Server 2008 x64 is successfully finished.