Freeradius Server Configuration for Hotspot2.0/Passpoint - freeradius

I want to configure the FreeRADIUS server as a Passpoint using Hotspot 2.0. I'm new to FreeRADIUS server configuration, but I managed to configure the FreeRADIUS server for 802.1X authentication and it's working normally for TLS (with certificate), TTLS (with certificate), PEAP and PWD. But I don't know how to configure the FreeRADIUS server to use authentication for Passpoint/Hotspot 2.0.
How can I install and configure this?

For Passpoint R1 release:
If your FreeRADIUS is already working, there is no special configuration for that. All you need to do now is to correctly set up the profile (used by the device that will connect to the hotspot) and the AP (access point).
For Android devices, this example will guide you: https://source.android.com/devices/tech/connect/wifi-passpoint#example_profile_oma-dm_xml
You will change the fields nested beneath Realm (username, password, EAPMethod) to match with whatever you have configured on your radius.
The key value, though, is FQDN. Your AP must have the same FQDN configured on the Hotspot 2.0 network. The device will match the profile FQDN with the SSID FQDN, and only when they match will the device use the profile to authenticate against that AP.
You know it is working when the friendly name shows up in the Wi-Fi networks list.
The link above has the instructions to install the profile in the device.

Network Sniffing/SSL Pinning: Not able to get past the login page in a mobile app when detecting traffic with Fiddler

I am debugging the network calls of one of my client's applications, whose code I do not have. The steps I have gone through are as below.
1) Installed Fiddler on a Windows system.
2) Enabled HTTPS decryption.
3) Set the system proxy to match the client's country (USA).
4) Installed the app on an iOS device which is on the same network.
5) Installed the Fiddler certificate on the phone and added it to the trusted certificates.
6) Applied a manual proxy pointing at the internal IP of the Windows system (not the USA system proxy).
Now when I open the app, I am able to trace the network calls up to the login page. I am also able to see the network call which sends the credentials.
But after loading for 5-8 seconds, the app shows "something went wrong, we are unable to serve you".
I am not able to see any trace of my machine's IP (internal IP) in the network calls being sent. I changed my phone's timezone in case that is what triggers it to stop serving.
Also, randomly after 2-3 attempts, the following popup appears. I have set the client certificate as asked, which was downloaded from http://ipv4.fiddler:8888.
There are many other apps for which I am able to see all the network calls, but not for this specific one.
Is there any issue in my system settings, or does the app provider have a mechanism to identify man-in-the-middle proxies? Or is it a certificate issue?
Update 1: I checked the Fiddler log and found the error below:
HTTPS handshake to TargetURL failed. The exact error was "A call to SSPI failed, see inner exception. The certificate chain was issued by an authority that is not trusted." Is this a case of SSL pinning?
You are mixing up the certificates. Usually the problem is the server certificate; however, in your case the problem arises from a client certificate. An SSL client certificate is an optional feature that allows identifying a user based on a certificate + private key instead of username + password. It is often used in companies where each user has a certificate + private key on a smart card.
There are now two possibilities:
The iOS app includes a client certificate + private key and the app developers use this to protect the communication API (a bit similar to an API key). In this case you have to extract the certificate and the private key and provide them to Fiddler. Most likely the certificate and private key are the same for every device world-wide and can be found as a static resource in the iOS app (potentially obfuscated or somehow protected).
The server asks for a client certificate but providing a certificate is optional. I don't know if Fiddler can handle this situation.

How to configure the auto login feature in FreeRADIUS

I installed the FreeRADIUS service and MySQL, and imported FreeRADIUS's database schema into MySQL.
I configured Mikrotik to use FreeRADIUS.
I created a user and password in MySQL, and I have a captive portal design.
Now everything is okay.
Users can log in with only one click as free-access users.
How do I configure the auto login feature, so that users are not asked to click on the login button a second time?
To solve it, I created a script. When a user connects to the network there is a script running to check if this is a new user, so I save the data coming from Mikrotik (like the MAC address) to a file.
If this is not a new user, I connect him to the network directly.
You have to modify the authorize section in the RADIUS config file and create a query to identify the "whitelisted" MAC, then, if found, change the Auth-Type to Accept.
This is well documented on the FreeRADIUS forum.
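As an added example (not from the thread), this is what the authorize-section check the answer describes can look like in FreeRADIUS 3.x unlang. The table name mac_whitelist and its mac column are assumptions, as is that the poster's script stores MACs in the same string form that Mikrotik sends in Calling-Station-Id.

```unlang
# Added example, not from the thread: fragment for the authorize { } section of
# sites-enabled/default (FreeRADIUS 3.x). Assumes a table mac_whitelist(mac)
# populated by the poster's script with MACs in the exact string form that
# Mikrotik places in Calling-Station-Id (e.g. AA:BB:CC:DD:EE:FF). Place it
# before the sql / pap modules so known devices never reach password handling.

if (&Calling-Station-Id) {
    # rlm_sql xlat: expands and escapes the attribute, runs the query, and
    # returns the first column of the first row as a string ("0" or "1")
    if ("%{sql:SELECT COUNT(*) FROM mac_whitelist WHERE mac = '%{Calling-Station-Id}'}" != "0") {
        # Known device: the MAC is the only credential checked here,
        # so skip the portal login and accept outright
        update control {
            &Auth-Type := Accept
        }
    }
}
# Unknown devices fall through to the normal sql / pap portal login below
```

Devices whose MAC is not in the table continue through the rest of the authorize section unchanged, so the one-click portal login still works for first-time users.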

Is it possible to monitor the websites visited by each user or IP using a Mikrotik device and a FreeRADIUS server?

I'm using a Mikrotik device to provide a hotspot service, and FreeRADIUS running on a CentOS server (a different server) for AAA (authentication, authorization and accounting).
Now, what I need is to log every single website that a certain user visited (monitoring web surfing).
Actually, I don't know if it is possible with FreeRADIUS or using Mikrotik services.
This can be done with a web proxy.
You can use the integrated Mikrotik proxy feature by enabling the proxy (https://wiki.mikrotik.com/wiki/Manual:IP/Proxy#Transparent_proxy_configuration_example) and logging proxy activity (https://wiki.mikrotik.com/wiki/Manual:System/Log#Example:Webproxy_logging).
You can also use a proxy program like Squid on your CentOS box to save CPU and storage resources on your Mikrotik router.
Another option: you can also use a program called "conntrack" on your CentOS box to, as the name says, keep track of all connections. This includes any connection, not only HTTP requests. Of course, all internet traffic must pass through the CentOS box.

Connman without any user interaction

I'm trying to use Connman to manage the WiFi connection of my embedded system because it automagically handles any type of protection.
In interactive mode it's very simple:
connmanctl
agent on
scan wifi
services
connect
enter password if requested
On my system, the user enters the WiFi credentials (SSID, password) using a remote (web) application. Then I would use this information to set up connman using a script.
The goal is to avoid the user having to select which type of protection is going to be set up. I mean, most users just enter SSID/password but they don't know if it is a WPA-PSK or WEP connection.
I'm reading through the documentation, but I'm not sure which is the correct approach:
a config file: http://git.kernel.org/cgit/network/connman/connman.git/tree/doc/config-format.txt
but as far as I understand I need to specify the type of security:
Security: The security type of the network. Possible values are 'psk'
(WPA/WPA2 PSK), 'ieee8021x' (WPA EAP), 'none' and 'wep'. When not set,
the default value is 'ieee8021x' if an EAP type is configured, 'psk'
if a passphrase is present and 'none' otherwise.
It seems 'wep' is not handled if the field is omitted.
dbus-api: http://git.kernel.org/cgit/network/connman/connman.git/tree/doc/manager-api.txt
Here I understand it needs an 'agent' to feed the passphrase, thus I'm afraid I cannot send it programmatically.
Do you have any recommendation about this?

Generating client certificates for applications using Quickbooks Online Edition

I'm trying to get a certificate from the appreg.intuit.com area. I have a webapp that was previously registered with mysubdomain.myhost.com as the host and myapp.myhost.com as the AppLogin. Due to recent changes in some of our systems, we need to run the application that interfaces with QBOE from an IP address. We have a certificate for the IP address that we created and is currently set up.
I created a new key in the java keystore with CN=123.456.78.9:myapp.myhost.com
Once I did this I generated a new cert request:
When I try to paste this into the request area in the app registration, I get "ARSC262: common name not in hostname:applogin format." It is in the right format as far as I know. I also saw somewhere on the forums that you shouldn't add an email address or any optional fields. I removed them and got the same error message. Is there something that I need to change so that my applogin matches the host, or at least part of the host, in some way? Are they even related at all? What other possibilities could the error message be pointing to besides just an incorrect format?
Evidently, you can't use an IP address as the host name. Here's the response I got from Intuit:
The hostname has to be a DNS name and cannot be an IP address.
Regards,
William Lorfing
Intuit Developer Network
