
tinyPEAP needs beta testers, please help

Discussion in 'TinyPEAP Firmware' started by nairb2128, Jul 20, 2004.

  1. nairb2128

    nairb2128 Network Guru Member

    Hi,

    tinyPEAP is a very small radius server designed to do one thing in life, and that is to authenticate users using the PEAP protocol. Fortunately, it is small enough to fit on a WRT54G or GS, which means that you can have per user authentication and management right on the access point itself. The tinyPEAP development team has two beta firmwares with tinyPEAP built in available for beta testing. Also, a win32 binary should be up shortly so you can test it even if you do not have a WRT54G/S. Please note however, this IS a beta, and there are still some things missing (it is difficult to change the server's certificate at the moment). If you are interested in helping test this, please visit http://199.77.128.35/ to download the firmware and for installation instructions. Thanks.
     
  2. Toxic

    Toxic Administrator Staff Member

    This looks like it has great potential, thanks for posting it here. I'll move the thread however to "other Firmware Projects" thanx
     
  3. antidumb

    antidumb Guest

    That seems like a great little project there! Any possibility that it would work on a WAP 54g?

    Thanks!

    --Eric
     
  4. nairb2128

    nairb2128 Network Guru Member

    If the WAP54G has open source firmware, the chances of it working are high. However, we have not tried it.

    On another note, it seems as if I'm having some trouble conveying to people how neat this software is and how much security it can add so easily. If anyone has advice on how I can spread the word, or would like to write about it on their website or something, it would be greatly appreciated. I would really like to fine tune this server so that everyone can have a safe secure WLAN without the hassles of setting up dedicated RADIUS servers.
     
  5. littlewhoo

    littlewhoo Network Guru Member

    Hi nairb2128,

    I like the idea of a RADIUS server on the WRT54G. Perhaps more people would help you test if you could provide this not as a complete firmware you'll have to flash to your router, but as an addon to an existing Satori or Alchemy installation. Most people don't want to reflash their router so often. Especially not if it's a downgrade from Satori or Alchemy to Samadhi.
    Just a file you can download and install on your router. Of course in this case configuration via the web interface would not be possible, but for testing purposes configuration at the shell and with config files is ok, too.
    Would something like that be possible?

    littlewhoo
     
  6. nairb2128

    nairb2128 Network Guru Member

    I'm pretty sure the newest firmware is built on Satori, not Samadhi. I know the picture doesn't reflect that but the pics are old. I'll update the site later tonight.
     
  7. littlewhoo

    littlewhoo Network Guru Member

    Thanks.

    Just another question. In your Setup guide you are configuring the router with WEP 64 Bit encryption. When using just simple WEP without Radius this is usually considered a quite weak and insecure encryption.
    Is this something completely different with Radius? Does Radius (besides being able to assign a unique username & password to each user) enhance the security of the encryption, too?
    Or is having different usernames & passwords the only purpose of Radius?

    If not, is it possible to use WEP 128 Bit or WPA Radius, which are also present in the WRT54G "Security Mode" dropdown list, with your Radius server, too?

    littlewhoo
     
  8. nairb2128

    nairb2128 Network Guru Member

    When using tinyPEAP as your RADIUS server, it is ok to select 64bit encryption. The key is given to you automatically (you will never know it), and is changed every 5 minutes or so behind your back. This makes it mathematically impossible to crack because you cannot feasibly collect enough packets with one key to crack it. Not only that, but if you did somehow figure out the key then it would change in under 5 minutes anyhow. We generally do not see the need to use 128bit encryption since this only adds overhead and doesn't really make things more secure. Using WPA, or more specifically TKIP, is recommended if your hardware supports it. In order to set it up to use WPA, simply choose WPA instead of RADIUS, and fill in the same information. Note however, you do not want WPA Pre shared key. Once again though, this adds more overhead, but WPA has a message integrity check that prevents bit flipping attacks, so it is recommended over 64bit WEP. However, not all hardware supports WPA, which is why the instructions use 64 bit WEP.

    On another note, the binary does use Satori, so you need not fear that you are downgrading your firmware. Also, we can put this server on any firmware really, so if you have some suggestions that would be great.

    -tinyPEAP development team-

    p.s. spread the word on tinyPEAP!
     
  9. nairb2128

    nairb2128 Network Guru Member

    Oh, and one more thing...using tinyPEAP makes your system FAR more secure, which is why it was written. It is also compatible and useful with the new 802.11i standard. Essentially, you get enterprise level security on your 90 dollar Linksys AP.
     
  10. LaCucaracha

    LaCucaracha Guest

    We are considering using this radius enabled firmware in our school to give each pupil his own login to the school's wireless network.
    Is there any limitation on the number of user accounts that can be created? And is it possible to synchronize the user - passphrase lists between different routers, so that you can log on to any router with your user account in a network of WDS connected routers?
    Is tinyPEAP closed source or opensource? Or don't you provide the sourcecode, because it's still a beta version?

    Rgds,
    LaCucaracha
     
  11. nairb2128

    nairb2128 Network Guru Member

    First, the only limitation in making user accounts is the NVRAM, and I'm not sure how many user accounts will fit in there....this is one of the reasons we need beta testing.

    Also, it is possible to have synchronized userbases between routers. You would only run tinyPEAP on one main router that would have the entire user database and would be in charge of all authentication. Then, you would simply "point" the other routers to the main router's IP. What I mean by point is when you are setting up the RADIUS section of the router, put in the main router's IP instead of the router's own IP.

    As far as closed source or open source, it is still beta and we are still weighing our options.

    -tinyPEAP development team-
     
  12. mrbobo

    mrbobo Guest

    I like it. :D
     
  13. vtrac

    vtrac Network Guru Member

    I'm having problems with TinyPEAP. I have 4 APs, 192.168.1.1, .2, .3, and .4. TinyPEAP is installed on .1, and the other 3 are set to use RADIUS, pointing to the .1 AP. .1 is connected to the network, with DHCP turned on, while the other 3 are connected via ethernet to .1 through their switch ports, not their WAN. They also have their DHCP turned off, so they're just acting like a switch for .1, rather than as routers. All 4 APs use the same SSID, but different channels.

    When my laptop locks onto .1's channel, I can authenticate fine. However, as soon as I switch APs, Windows will not authenticate with the RADIUS server. It just sits at "Validating Identity" under Network Connections. It will not give me an IP and will not allow me on the network.

    Is this because the .2, .3, and .4 APs aren't acting as routers? I just connected them the way that Linksys suggested to connect two WRT54G's together.
     
  14. nairb2128

    nairb2128 Network Guru Member

    I plan to make a guide to show how to set up for multiple access points very soon. I think the problem is that you need to edit the configuration file on the access point. We will add this to the management interface on the next release. Also, we now have a domain name for our project. Check out http://www.tinypeap.com.
     
  15. nairb2128

    nairb2128 Network Guru Member

    OK, I take that back...right now the server is being run with the -E option that disables it from being accessed from anyone but itself. If you want to ssh into the box and restart the server without the -E option, you can then use it with a multiple AP configuration. We will definitely add an option for this on the user interface.
     
  16. vtrac

    vtrac Network Guru Member

    Cool, I got it to work, I think. It wouldn't at first for whatever reason but I fudged with all the APs, rebooting them, etc, and miraculously they are working. I can't seem to find an init.d file for peapd, or for any other service on the AP to permanently remove the -E option? Can you point me to where I can set this value?
     
  17. slick1123

    slick1123 Guest

    "Embedded Mode"

    Sorry I've been AWOL -- I'm the one responsible for the relevant code.

    There's a security reason for the tinyPEAP server only accepting packets from itself. The RADIUS "shared key" password (for encrypting RADIUS packets, not the same as 802.11 shared key) is currently set to "password". (You can see this on the web page for security setup.) Now this isn't too much of a problem as long as tinyPEAP is running with the -E option (to only accept packets from itself). Otherwise, anybody could fake RADIUS packets and fling them at the access point. So the kind of setup you are proposing is not currently supported. However, we will probably work on letting users change the default password away from the default "password". It wouldn't be too hard after that to allow the "-E" flag to be toggled on and off.

    Finally, thanks again for your feedback! Testing and giving us feedback definitely helps us improve tinyPEAP.
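
The point made in the post above, as an added example that is not part of the original thread or tinyPEAP's code: an access point accepts a RADIUS reply when its Response Authenticator (RFC 2865) matches, and that MD5 is keyed only by the shared secret. The function names, the deny list and the sample packet values are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed deny list; "password" is the default named in the post above.
KNOWN_WEAK = {b"password", b"secret", b"radius", b"testing123"}


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_response(code, ident, request_auth, attrs, secret):
    """Reply as sent by a RADIUS server: header, authenticator, attributes."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret):
    """Access point side check. Passing proves only that the sender knew `secret`."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return hmac.compare_digest(expected, packet[4:20])


def audit_secret(secret):
    """Reasons a shared secret is unfit for a server reachable from other hosts."""
    problems = []
    if secret.lower() in KNOWN_WEAK:
        problems.append("default or dictionary value")
    if len(secret) < 16:  # RFC 2865 prefers a secret of at least 16 octets
        problems.append("shorter than 16 octets")
    return problems


if __name__ == "__main__":
    request_auth = bytes(range(16))          # constructed Request Authenticator
    msg = b"welcome"
    attrs = bytes([18, 2 + len(msg)]) + msg  # constructed Reply-Message attribute
    reply = server_response(2, 7, request_auth, attrs, b"password")
    print("reply verifies:", verify_response(reply, request_auth, b"password"))
    print("audit of default secret:", audit_secret(b"password"))
```

Running `audit_secret` over the configured value before the server is allowed to listen for other hosts is the check that matters for a multi-AP setup.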
     
  18. vtrac

    vtrac Network Guru Member

    Yeah, that default password thing killed me. I thought it was just an example, and spent about 6 hours tryin to figure out why the network wouldn't work until I realized that it HAD to be "password."
     
  19. Esquire

    Esquire Mesquire Staff Member Member

    1. Is the tinyPEAP binary a complete firmware or adds tinyPEAP to an existing firmware? If it is the latter, does it mean I can add it to any WRT54G firmware?

    2. With the Windows Binary, does it mean I do not have to update the router's firmware and instead run one of my wired clients as a RADIUS server?
     
  20. nairb2128

    nairb2128 Network Guru Member

    1. tinyPEAP can be added to any firmware. The firmware provided on the page is sveasoft satori. If you would like to see it added to some other firmware, please make a suggestion.

    2. Correct, the Windows version runs on a wired server on your LAN. Not as convenient as having it on the access point, but you don't have to reflash the firmware to use it. Also, the Windows version should theoretically work with any AP that supports 802.1X.
     
  21. Esquire

    Esquire Mesquire Staff Member Member

    Thanks. Sounds great, and I agree totally that the Windows binary isn't as convenient as running it on the router, but I am a bit confused with the answer to my Q1.

    Does it mean I cannot download the tinyPEAP binary and simply update it to a WRT54G with an existing firmware (I'm using Wifi-Box)? It isn't a user "addable" addon/extension to a firmware or something that an ordinary user like myself can DIY. Am I correct? :oops:
     
  22. nairb2128

    nairb2128 Network Guru Member

    right, as of now you will have to ask the tinypeap dev team to add it to the firmware. It is not that hard, but it is not completely trivial either.
     
  23. Esquire

    Esquire Mesquire Staff Member Member

    Thanks.

    Oh well, looks like it is the Windows binary for now :wink:
     
  24. bummpr

    bummpr Network Guru Member

    PEAP on Hyper?

    I'd love to see this on the latest HyperWRT release. I find this much more stable than SVEASOFT.

    Thanks for your work...this may be just what I need...a lot more straightforward solution than trying to setup a hotspot.
     
  25. FDM80

    FDM80 Network Guru Member

    I'm using the satori+tinypeap firmware on the WRT54G. Works great. Just one little bug to report though. Not really a bug that affects use though. When you are in the router's web interface and you are on the Wireless\Security tab, the "Peap Settings" tab disappears.
    When on other tabs in the Wireless section the Peap Settings tab is still there.

    I personally couldn't get the system to work when I followed the "Installing own certificate" part of the directions. I don't know if I missed something but that's the only trouble I had. I'm just using tinypeap without that and it seems to work great.

    Now if I can figure out how to get my pocket pc to connect to the wireless network. :(
     
  26. ceevee

    ceevee Guest

    I have downloaded and currently use the tinyPEAP firmware. I have to say that it is great knowing that I have another option for security.

    router: Linksys WRT54GS
    clients: 2 Linksys WMP11, one wired

    I can not run WPA (TKIP or AES) due to hardware limitations. (Clients will not reconnect after the group key renews). I was SOL, only using MAC filters as my wireless defense. I saw tinyPEAP on BBR, so I gave it a try. It works! Everything is authenticated and encrypted. Good job tinyPEAP development team!

    I have a few questions: How does this tinyPEAP wireless security compare to other security measures, i.e. vs WPA-PSK (TKIP or AES), WPA Radius, WEP 128 or 256 (proprietary), etc. I am using the tinyPEAP firmware, but I just want to know how I measure up in "security" terms. Is my method safer than WPA-PSK? What's the chance that my network can be "broken into?"

    Thanks!
     
  27. nairb2128

    nairb2128 Network Guru Member

    ok, here is how it should stack up security wise:

    WPA-PSK : this is very prone to brute force attacks. PEAP/MSCHAP is also prone to brute force, but it is much harder since you must guess a username as well. Also, if the PSK does get found out, you must change it on every client. With tinyPEAP, if one client's password gets found out then you only have to change it for that one client.

    WPA-RADIUS : this will beat WEP/RADIUS in every aspect of security. If your hardware supports it, please use it (tinyPEAP supports this mode as well)

    WEP128bit or more: this more or less just slows down the cracking process. It also adds overhead to your network.

    Other EAP methods:
    tinyPEAP uses the PEAP/MSCHAPv2 method for authentication, but there are several others.

    LEAP (found on cisco networks): do not use this....it is literally teh sux and can be cracked very quickly.

    EAP-TLS : good security, hard to setup...perhaps a tad more secure than peap/mschapv2 if setup right.

    EAP-TTLS : virtually the same as PEAP but not supported natively by winders.

    EAP-MD5 : this is a joke and should only be used for testing. it provides no key management so it is essentially pointless.

    PEAP should provide the most security without as much of a compromise to ease of configuration.

    If you want a rundown on anything else, just post it :)
     
  28. ceevee

    ceevee Guest

    Hey nairb2128, thanks a lot for the info!

    I guess I have other questions..

    What is the time interval of the wep key change? Would I have to reauthenticate in order to receive the new keys? Wouldn't changing the keys @ a high interval (like every 5 min) slow down a wireless connection (lags, pauses, etc.)?

    My questions reveal how much I don't know about how wireless security works. :(

    I am using Funk's Odyssey Client on my wireless clients.

    //EDIT ADD: I found a way to make my WMP11v4's work with WPA and WPA2 (TKIP and AES). So now I use WPA2 Radius on the tinyPEAP. Works great and safe! Better than the WEP I was using b4!
     
  29. roachslayer

    roachslayer Network Guru Member

    I tried loading the bin with tftp, and all I got was an error saying: "Wrong code pattern"

    Anyone know what the deal is? I have a WRT54G, which has the satori 4.0 firmware loaded. I'm using the proper bin file, and I followed the loading instructions exactly.
     
  30. FDM80

    FDM80 Network Guru Member

    I guess you will have to try the web interface instead of using tftp.
     
  31. roachslayer

    roachslayer Network Guru Member

    That implies that tftp does the same things as the web method... re-write the flash mem with the bin file. But if tftp thinks the "code pattern" is wrong, what would the web interface do? It may not flag me the same with errors. If it is actually a hosed bin, I fear hosing the router with the web bin loader.

    I'm not a pro at this flashing stuff. But I might go ahead and try this unless anyone else chimes in here...

    thanks!
     
  32. wizzritz

    wizzritz Network Guru Member

    Graviness

    Awesome, thanks for the firmware. I was going to make a small RADIUS machine from a closet PC, that is, until I stumbled onto this thread. Gonna load it on the WRT tomorrow.

    It would also be cool if you can add it to the BEFSR41 firmware, seeing as how I have one lying around (bet some of you do), and it would be perfect to use as a small RADIUS only device. I would do it myself, but I know nearly squat about Linux (maybe now would be a good time to learn).


    EDIT - Nix the BEFSR41 idea, apparently it's not an open source firmware according to Linksys
     
  33. ssam

    ssam Network Guru Member

    If you could make it so that I could use my WAP54G in repeater mode with WPA (Linksys firmware doesn't support it), I'd write a full guide and report! You could base your firmware on Mustdie for WAP54G or Freya from Sveasoft?
     
  34. qtk9

    qtk9 Network Guru Member

    PEAP as HyperWRT addon?

    Seconded, esp. now 1.4 supports addons (see http://www.hyperdrive.be/hyperwrt/index.php?page=add-ons). This would make an ideal addon. And unlike Sveasoft, it wouldn't need re-doing every time there was a new release of HyperWRT.
     
  35. FDM80

    FDM80 Network Guru Member

    Wondering if the tinyPEAP developers have any intention of adding their code to Alchemy since it seems there is word that it will be released fairly soon. Only thing I'd like better than Satori+tinyPEAP is Alchemy+tinyPEAP. :D
     
  36. Smoky

    Smoky Network Guru Member

    Can you make an add-on for HyperWRT?
     
  37. Disman_ca

    Disman_ca Super Moderator Staff Member Member

    I too would be more interested in an addon for Alchemy build. Perhaps the tinyPEAP group should join in with Sveasoft and post in the "Contributor's Experimental Builds". I am sure you will get more testers there and probably pique a lot of interest. BTW, I had a look at your site and didn't see any current activity on this project.
     
  38. nairb2128

    nairb2128 Network Guru Member

    Hi All,

    TinyPEAP has already been integrated into Alchemy. However, this will be released when we are allowed. Also, tinyPEAP is being worked on and expect a new and improved version soon.

    Cheers,
    Brian
     
  39. euser4life

    euser4life Network Guru Member

    Thanks for the update...

    This is AWESOME news... A lot of people have been hoping that this project was still going and can really benefit from integration within SVEASOFT Firmware. Keep up the good work... :D
     
  40. jabz

    jabz Guest

    Hi, we have 7 Linksys WRT54G and 5 WAP54G at work running WPA-PSK, across two buildings with 60 users.
    When I saw the Tinypeap project I instantly downloaded it and installed it on all 7 WRT54G wireless routers, it is working great!

    But I have a problem: I cannot find Tinypeap for the 5 Linksys WAP54G!! Can you PLEASE add it to the WAP54G, using the free Sveasoft WAP54G Freya v2.06-1 firmware?!?
    I'd be VERY grateful, this will complete our secure wireless network. Currently all the WAP54G are still running WPA-PSK, and roaming clients cannot connect to them. Also the wireless is only as secure as the weakest link, which currently is the WAP54G without tinypeap!!

    thanks a lot,
    cheers
    Jai
     
