As wireless networks become increasingly popular, admins need to get all their systems—even those orphaned open source machines that you use to monitor the network—ready to roam. A key step to responsible wireless mobility is routing network access requests through a VPN, which shores up otherwise dubious security protocols such as Wired Equivalent Privacy (WEP). Fortunately, some vendors, including industry leader Cisco, offer their own VPN software that makes their wireless devices compatible with open source systems.
In this Daily Drill Down, I will show you how to install the hardware and software needed for a secure wireless connection: the Cisco Aironet 350 Series Wireless LAN Adapter (otherwise known as the Cisco Aironet PC350) and the Cisco VPN Client software (which comes with the purchase of a Cisco VPN concentrator).
Planning and background info
For this article we will be installing the Aironet PC350 wireless card onto a laptop running Red Hat Linux version 7.2. We will also be using Cisco’s VPN Client to connect to a remote VPN via wireless connection. Outside of the Cisco hardware, the hardware requirements are standard for any Linux distribution.
Remember that every wireless access point is wired at one end, the same way a cordless phone's base station plugs into a wired wall jack. An access point bridges wireless clients onto the wired network at Layer 2, so it is usually plugged into a hub or switch; the IP address you assign to it is for management only and does not change its role as a bridge.
Encryption works the same way on a wireless network as on a wired one. Wireless networks are considered riskier because radio is a shared medium: anyone within range can capture frames without plugging into anything, and can keep collecting them for as long as they like. That puts all of the burden on the encryption. If everything sent over the air is properly encrypted, your data is protected even though the frames themselves are exposed; if the encryption is weak, exposure of the frames is exactly what an attacker needs.
The nice thing about the Cisco Aironet Series Wireless LAN Adapter is that it can be used on laptops running a wide variety of OSs, including Linux and Microsoft Windows NT, 2000, Me, and XP. So even if you have a dual-boot laptop, this card will work. If you're using Windows XP, the driver for the Aironet 350 adapter is already bundled with the XP operating system and will be enabled when you install the card.
The installation task list
Here is a summary of the steps you'll need to follow in order to install the Aironet card and connect it to the Cisco VPN:
- · Install the wireless access point
- · Install the Cisco Aironet 350 Series Wireless LAN Adapter PCMCIA card
- · Install the device driver
- · Enable the security features of the card
- · Install the Cisco VPN Client software
First: Install the access point
When you install the wireless access point, make a note of the IP address you assign to it and of the Service Set Identifier (SSID), the name you give your radio service. The access point installation will also ask for the Media Access Control (MAC) address, which you will generally find on a label on the bottom of the access point. It is a 12-digit hexadecimal number that looks something like 00409625854c. You can also set up your access point to get its address via DHCP. The Express Setup utility prompts you for all of this information.
Access point security features
If you want server-based authentication for your wireless clients, your access point must communicate with a RADIUS server that supports the Lightweight Extensible Authentication Protocol (LEAP). Also enable broadcast key rotation, Message Integrity Check (MIC), and Temporal Key Integrity Protocol (TKIP) on the access point, or your adapter will not be able to use these security features. MIC protects your data against bit-flip attacks, in which an attacker intercepts an encrypted frame, alters a few bits of it (without being able to decrypt or read it), and retransmits it. The attack works against plain WEP because WEP's integrity check is an unkeyed CRC-32, which is linear: the attacker can patch the encrypted check value to match the altered bits without knowing the key, so the receiver accepts the forged frame.
MIC makes frames tamper-evident by appending a keyed integrity value (a few bytes) to each one, so a frame that has been altered in transit is dropped instead of accepted. TKIP provides per-packet keying and message integrity checks; it still uses RC4, the stream cipher underlying WEP, but derives a different key for every packet. Note that the TKIP discussed here is Cisco's pre-standard implementation, which only Cisco clients support; the TKIP later standardized in WPA and IEEE 802.11i is a different protocol. Broadcast key rotation is especially useful for protecting non-Cisco wireless clients, which cannot use Cisco's TKIP. It periodically replaces the key used for broadcast and multicast traffic, which bounds how much ciphertext an attacker with a wireless sniffer can collect under any one key. That collected ciphertext is the raw material the known WEP key-recovery attacks depend on, so rotating the key removes the predictability the attacker relies on.
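To make the bit-flip attack and the reason a keyed MIC stops it concrete, here is an added example. It is my own illustration, not code from the article or from Cisco. It builds a minimal WEP frame (IV, RC4 over plaintext plus CRC-32 ICV), forges it without the key by exploiting the linearity of CRC-32, and then shows the same forgery failing once a keyed integrity value is appended. The WEP key, IV, message and MIC key are constructed values, and an HMAC stands in for the real MIC algorithm; what matters is that the tag depends on a key the attacker does not hold.

```python
import hashlib
import hmac
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 as WEP uses it: schedule (IV || key), XOR the keystream into data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_wep_key(hex_key: str) -> bytes:
    """WEP keys are typed as 10 hex digits (40-bit) or 26 hex digits (104-bit, sold as 128-bit)."""
    if len(hex_key) not in (10, 26):
        raise ValueError("WEP key must be 10 or 26 hex digits")
    return bytes.fromhex(hex_key)


def icv(data: bytes) -> bytes:
    """WEP's integrity check value: a plain CRC-32, unkeyed and linear."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as sent over the air: IV (3 bytes, clear) || RC4(IV||key, plaintext || ICV)."""
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (plaintext, icv_ok) as a receiver holding the key sees it."""
    iv, body = frame[:3], frame[3:]
    data = rc4(iv + key, body)
    plaintext, tag = data[:-4], data[-4:]
    return plaintext, tag == icv(plaintext)


def bit_flip(frame: bytes, offset: int, delta: bytes) -> bytes:
    """Attacker side, no key needed: XOR delta into the plaintext at offset through the
    ciphertext, then patch the encrypted ICV using crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros)."""
    iv, body = frame[:3], bytearray(frame[3:])
    plain_len = len(body) - 4
    d = bytearray(plain_len)
    d[offset:offset + len(delta)] = delta
    icv_delta = zlib.crc32(bytes(d)) ^ zlib.crc32(bytes(plain_len))
    for i, b in enumerate(d):
        body[i] ^= b
    for i, b in enumerate(struct.pack("<I", icv_delta & 0xFFFFFFFF)):
        body[plain_len + i] ^= b
    return iv + bytes(body)


MIC_LEN = 8  # bytes of keyed tag appended to the plaintext (HMAC stands in for the real MIC)


def mic_encrypt(key: bytes, mic_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    mic = hmac.new(mic_key, plaintext, hashlib.sha256).digest()[:MIC_LEN]
    return wep_encrypt(key, iv, plaintext + mic)


def mic_decrypt(key: bytes, mic_key: bytes, frame: bytes):
    data, icv_ok = wep_decrypt(key, frame)
    plaintext, mic = data[:-MIC_LEN], data[-MIC_LEN:]
    expected = hmac.new(mic_key, plaintext, hashlib.sha256).digest()[:MIC_LEN]
    return plaintext, icv_ok and hmac.compare_digest(mic, expected)


def demo() -> dict:
    """Constructed scenario: the attacker knows where the amount sits in the plaintext."""
    key = parse_wep_key("0123456789abcdef0123456789")  # constructed 26-hex-digit key
    mic_key = b"constructed-mic-key"
    iv = b"\x01\x02\x03"
    message = b"PAY 100 USD TO alice"  # constructed plaintext
    delta = bytes([ord("1") ^ ord("9")])  # one flipped bit turns "100" into "900"
    offset = message.index(b"100")

    forged_wep = wep_decrypt(key, bit_flip(wep_encrypt(key, iv, message), offset, delta))
    forged_mic = mic_decrypt(key, mic_key, bit_flip(mic_encrypt(key, mic_key, iv, message), offset, delta))
    return {"wep_only": forged_wep, "with_mic": forged_mic}
```

With plain WEP, demo() shows the forged frame decrypting to "PAY 900 USD TO alice" with a valid ICV; with the keyed tag in place the bits still flip, but the receiver rejects the frame. This is why MIC is worth enabling even though the VPN tunnel will carry the real payload: it stops the link layer from accepting attacker-modified frames at all.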
Second: Install the PCMCIA card, its driver, and utilities
Insert the PCMCIA card in the PCMCIA slot, taking care not to touch the antenna. After you install the card, you'll need to install its device driver and the utilities that go along with it. The driver installation program will ask you for the following information:
- · Your laptop's host name
- · The protocols required to bind the client adapter (which will be dictated by your network hardware or the type of service the client needs to connect to)
- · The SSID for your Radio Frequency (RF) network (this is case-sensitive)
- · Your laptop's static IP address (if you're not using DHCP)
- · Username and password for your authentication server (RADIUS) account
Now that you have collected the information you'll need for installing the driver, put in the CD-ROM that comes with the adapter card and change to the Linux directory on the CD-ROM. Copy the following two files to a temporary location on your Linux system:
- · pcmcia-cs-4.1.25.tar.gz
- · AIROLINUXv15000.tar.gz
Note that your version could differ from 4.1.25 and you should use the version that is on your CD-ROM.
Unpack both archives, then, from the unpacked adapter directory, type sh ./cwinstall and press [Enter]. You will be prompted for the path to, and the name of, your browser; for example, /usr/bin/netscape.
The installation program will then look for your Aironet PC350 card. After reporting that the card has been found, it will ask whether you are using Red Hat Linux; answer y or n accordingly. You then confirm that you have already unpacked the pcmcia-cs-4.1.25.tar.gz file and type in the directory where its contents are when prompted. At this point, the driver installation will extract its files and copy them to the appropriate places.
Now press [Enter] to accept all the defaults. At the root prompt type make config. When the configuration process completes, type make all. When the compilation process completes, type make install. Now reboot your laptop and your driver will be loaded.
After the driver is installed, you need to enable the security features.
Third: Enable the adapter's security features
WEP has known weaknesses in its encryption, but you still need to enable it, because LEAP cannot be used without it. Since the VPN client will encrypt your traffic, WEP's weaknesses matter much less, with two caveats. The tunnel only protects the IP traffic that goes through it: the LEAP exchange itself, DHCP, and anything sent before the tunnel is up or outside it (to the local LAN, for example) are protected by WEP and LEAP alone. And LEAP was later shown to be vulnerable to offline dictionary attacks on its challenge/response exchange, so treat the link-layer settings as a second line of defense and the VPN as the primary one.
You'll use the Aironet Client Utility (ACU) to set up your security features. Read the release notes to make sure you have the latest version. As of this writing the latest version for Linux is 1.3 and the latest version for Windows is 4.13. Cisco has released newer ACU versions after the original build (1.0), and you'll want the version indicated in the release notes, which may be more current than the one bundled with your package. If you don't have the ACU version the release notes indicate, you can download it from Cisco's Web site.
To start the Aironet Client Utility run the command /opt/cisco/bin/acu & and the utility will open. You'll first want to change the Client Encryption Manager (CEM) password (shown in Figure A). This dialog box will automatically appear when you run the acu command.
Figure A: The Linux dialog for setting the CEM password.
Next, enter the WEP keys for your access point. WEP keys are either 40-bit or 128-bit. U.S. export regulations govern the 128-bit keys, so your location may dictate which key length you can legally use. Keys are entered as hexadecimal digits: 10 hex digits (40 bits) for a 40-bit key, and 26 hex digits for a 128-bit key (that is 104 bits of key; the remaining 24 bits of the "128-bit" figure are the per-frame initialization vector, which is sent in the clear). Select the Transmit Key button next to the key you want to use to transmit traffic (shown in Figure B). If you want your laptop to retain the key even when the adapter loses power, select Persistent, then click OK.
Figure B: On this screen, enter the WEP keys associated with your access point.
Next, click the Network Security tab in the ACU, select Enable WEP (as shown in Figure C), and then click the LEAP button. Click OK to save the settings and return to the Commands tab, where the Set LEAP Information option is now available. Click Set LEAP Information and you'll see a password screen. Enter your LEAP username and password, verify the password, and click OK to return to the main ACU screen.
Figure C: The Linux Network Security screen.
Note that some security features are handled automatically by the adapter's firmware and driver, so you don't configure or enable them on the client: broadcast key rotation, MIC, and TKIP. TKIP strengthens your WEP keys by deriving a fresh key for every packet from them. These features only take effect when the access point has them enabled too, so it is very important that the security features on your access point and on your wireless client match.
Fourth: Install your VPN client and start roaming
Next, you secure the traffic above the link layer by installing the Cisco VPN Client software. Using IPSec, the VPN client encrypts your traffic, encapsulates it in routable packets, and creates a secure tunnel between your client system and the remote network you're connecting to.
The types of authentication available for use with Cisco's VPN Client are:
- · RADIUS
- · RSA SecurID
- · NT Domain
- · VPN server internal user list
- · X.509 PKI Certificates
You can download the VPN Client software from Cisco's Web site and put it in a temporary directory on your laptop. For Linux systems, unpack it using this command, where x.x.x is the correct version number:
zcat vpnclient-linux-x.x.x-K9.tar.gz | tar xvf -
Next, you'll want to cd to the vpnclient directory and type ./vpn_install.
Answer the prompts asking where you want to install the files (pick the default directory), and then reboot your laptop. If you want to start the service without rebooting, use the command /etc/rc.d/init.d/vpnclient_init start. Then open the sample user profile and modify it to reflect your own settings. The profiles are stored in the /etc/CiscoSystemsVPNClient/Profiles/ directory.
You can create your own profile using any text editor by making a template like that shown in Listing A.
The Host, AuthType, GroupName, and Username parameters are the minimum a profile needs, so you must set at least these four.
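As an added check (my own script, not part of the article and not Cisco's tooling, and not a substitute for the article's Listing A), the following verifies that a profile carries the four required parameters and flags two settings a roaming laptop should not have. It assumes the Cisco VPN Client profile layout: an INI-style file with a [main] section and CamelCase keys, where a cleartext GroupPwd is normally rewritten by the client into an obfuscated enc_GroupPwd on first use, and where SaveUserPassword=1 caches the user password on disk. The sample profile and its values are constructed.

```python
import configparser

# Parameters the article lists as the minimum for a usable profile.
REQUIRED = ("Host", "AuthType", "GroupName", "Username")

# Constructed sample profile. Layout assumed from the Cisco VPN Client .pcf format;
# host, group, password and user values are invented for the example.
SAMPLE_PCF = """\
[main]
Description=Wireless laptop to corporate concentrator (constructed)
Host=vpn.example.com
AuthType=1
GroupName=wireless-users
GroupPwd=correct-horse
Username=jdoe
SaveUserPassword=1
"""


def load_profile(text: str) -> dict:
    """Parse a .pcf-style profile and return its [main] section, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep 'GroupName' as written instead of lowercasing it
    cp.read_string(text)
    if not cp.has_section("main"):
        raise ValueError("profile has no [main] section")
    return dict(cp["main"])


def check_profile(main: dict) -> list:
    """Return a list of problems; an empty list means the profile passes."""
    problems = []
    for key in REQUIRED:
        if not main.get(key):
            problems.append(f"missing required parameter {key}")
    # A profile still carrying GroupPwd in clear text is readable by anyone who can
    # read the file (assumed client behaviour: it converts GroupPwd to enc_GroupPwd).
    if main.get("GroupPwd"):
        problems.append("GroupPwd is stored in clear text; let the client convert it "
                        "to enc_GroupPwd, or omit it and be prompted")
    if main.get("SaveUserPassword") == "1":
        problems.append("SaveUserPassword=1 caches the user password on a roaming laptop; set it to 0")
    return problems


def audit(text: str) -> list:
    """Convenience wrapper: parse and check in one call."""
    return check_profile(load_profile(text))


if __name__ == "__main__":
    for problem in audit(SAMPLE_PCF):
        print("WARNING:", problem)
```

Run against the constructed sample it reports the cleartext group password and the cached user password; a profile with only the four required keys and neither of those settings passes cleanly.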
You can now start the VPN Client from the command line with vpnclient connect profile, where profile is the name of your profile file without its .pcf extension. When prompted, enter your group password, username, and user password. You can send the VPN Client to the background by pressing [Ctrl]Z and then typing bg on the command line. You'll then be ready to transmit data wirelessly and securely. If you run into any problems, check the log for clues (such as incorrect group or user name errors) with the /usr/local/bin/ipseclog /tmp/clientlog.txt command, which writes the client's log to that file.
To get the VPN Client tunnel information, use the vpnclient stat command. This could assist you in any troubleshooting you may need to do and should give you output similar to the output shown in Listing B.
Once you go wireless…
Of all the pieces you've just set up—the access point, the adapter card, and the VPN client—the VPN client is probably the trickiest to set up. But once you've done it and are roaming, you'll never go back to wires.