Authentication Gateway HOWTO

Nathan Zorn


Revision History
Revision 0.06 2002-11-05 Revised by: nhz
Revision 0.05 2002-05-10 Revised by: nhz
Revision 0.04 2002-02-28 Revised by: nhz
Revision 0.03 2001-09-28 Revised by: nhz
Revision 0.02 2001-09-28 Revised by: KET
Revision 0.01 2001-09-06 Revised by: nhz

There are many concerns about the security of wireless networks and public access areas such as libraries or dormitories, and current security implementations do not address them. A workaround has been proposed in the form of an authentication gateway. This gateway addresses the security concerns by forcing each user to authenticate before being allowed to use the network.


Table of Contents
1. Introduction
1.1. Copyright Information
1.2. Disclaimer
1.3. New Versions
1.4. Credits
1.5. Feedback
2. What is needed
2.1. Netfilter
2.2. Software for dynamic Netfilter rules.
2.3. DHCP Server
2.4. Authentication mechanism
2.5. DNS Server
3. Setting up the Gateway Services
3.1. Netfilter Setup
3.2. Dynamic Netfilter rules.
3.2.1. PAM iptables Module
3.2.2. NoCatAuth gateway
3.3. DHCP Server Setup
3.4. Authentication Method Setup
3.4.1. PAM LDAP
3.4.2. NoCatAuth Service
3.5. DNS Setup
4. Using the authentication gateway
5. Concluding Remarks
6. Additional Resources
7. Questions and Answers

1. Introduction

With wireless networks and public access areas it is very easy for an unauthorized user to gain access. Unauthorized users can look for a signal and grab connection information from it, or plug their machine into a public terminal and gain access to the network. Security measures such as WEP have been put in place, but they can be subverted with tools like AirSnort. One approach to solving these problems is not to rely on the wireless security features, and instead to place an authentication gateway in front of the wireless network or public access area and force users to authenticate against it before using the network. This HOWTO describes how to set up such a gateway with Linux.

1.1. Copyright Information

This document is copyrighted (c) 2001 Nathan Zorn. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is available at http://www.gnu.org/copyleft/fdl.html

If you have any questions, please contact

1.2. Disclaimer

No liability for the contents of this document can be accepted. Use the concepts, examples and other content at your own risk. As this is a new edition of this document, there may be errors and inaccuracies that may of course be damaging to your system. Proceed with caution; although damage is highly unlikely, the author(s) do not take any responsibility for it.

All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.

Naming of particular products or brands should not be seen as endorsements.

You are strongly recommended to make a backup of your system before any major installation and to take backups at regular intervals.

1.3. New Versions

The newest release of this document can be found at http://www.itlab.musc.edu/~nathan/authentication_gateway/. Related HOWTOs can be found at the Linux Documentation Project homepage.

1.4. Credits

Jamin W. Collins

Kristin E Thomas

Logu (visolve.com)

1.5. Feedback

Feedback is most certainly welcome for this document. Without your submissions and input, this document wouldn't exist. Please send your additions, comments and criticisms to the following email address: .