NoCatAuth Authentication Server Configuration
December 08, 2003
In this sequel to our look at the Linux-based NoCat authentication system, we'll explain the details on installation and configuration.
The NoCatAuth system is composed of two servers: the gateway server and the authentication (auth) sever. The configuration of the gateway server was covered in the first segment of this tutorial. In that tutorial you can find out more on the background of NoCatAuth, the working groups, and how to install the gateway server.
To complete your NoCatAuth system you will need to either install and configure your own auth server or link your gateway server to someone else's auth server. If you want to use someone else's auth server to authenticate your users, there are many community wireless groups that would probably be happy to allow you to use their auth server. To find out more on community wireless groups, check out the Personal Telco WirelessCommunities page.
This tutorial is dedicated to installing and running your own auth server for your private wireless network or your own community wireless network. Your auth server needs to be a separate machine from your gateway server. Although both servers could be on the same machine, they really should be to be separate for security reasons, and we'll assume that for this tutorial. Besides, one auth server can control numerous gateway servers, so it really makes sense to have them separate.
How it Works
There, they will be prompted via a login screen to enter their name and password. After a user enters his information, the logon credentials are encrypted using gnupg for secure passage from the gateway to the auth server. Once the user's authenticity has been determined by the MySQL database on the auth server, an encrypted acknowledgement is sent back to the client. The acknowledgement opens a small pop-up window on the client, which exists to verify the user is still logged in, has not timed out, or left the range of the access point. All pop-up blockers should be disabled otherwise NoCatAuth will not work.
The user is now logged in with access to the Internet given the rules defined in the nocat.conf file on the gateway server. The user will continue to have access until they leave the access point's range or closes the pop-up window.
- Any PC or Server with Pentium I or better
- One network interface card
- A hard disk of at least 10Gb
- At least 256 Mb of RAM
- RedHat 9.x with the following modules installed
- Apache 2.0.40
- MySQL 3.23.54
- Perl 5.80 or better
- GNU Privacy Guard - gnupg-1.2.3-1rh9.i386.rpm
- Net::Netmask - Net-Netmask-1.9004.tar.gz
- Latest NoCat nightly build
- Download the Net-Netmask file from the link in the required software to your auth server. Then you need to issue the following command sequence.
- $ gunzip Net-Netmask-1.9004.tar.gz
- $ tar xvpf Net-Netmask-1.9.004.tar
- $ cd Net-Netmask-1.9004
- $ perl Makefile.PL
- $ make
- $ make test
- $ make install
- Download the gnupg rpm file from the link in the required software portion to a temporary directory. Then issue the following command rpm --Uvh gnupg-1.2.3-1rh9.i386.rpm . This updates the existing gnupg rpm file on your server to the newer version.
- Download the NoCat nightly build onto your auth server in a temporary directory. Then you can uncompress and unpack the NoCat tarball by issuing the following commands in the directory where you downloaded the file:
- $ gunzip NoCatAuth-0.82.tar.gz
- $ tar xvpf NoCatAuth-0.82.tar
- After uncompressing the NoCat tarball, go to the subdirectory called 'NoCatAuth-nightly' which was created under the temp directory. There you will type make authserv . This will install the NoCat files in the default directory of /usr/local/nocat. If you wish to change the default installation path then edit the Makefile.
- Go to the /usr/local/nocat directory and type make pgpkey . It is important that you do not enter a passphrase. Entering a passphrase may cause a problem when the auth service attempts to encrypt messages.
- You will now need to edit the nocat.conf file found under /usr/local/nocat/ to suit your needs. The following parameters are required to be edited
- DataSource: If you are using MySQL as your user database to authenticate against, then you will need to enter DBI in this field. When you do specify DBI as your source, then you will need to enter values for the fields in b,c,d. Other options include Passwd for local file based authentication, or RADIUS for use of a radius server. Please refer to the comments in the nocat.conf file for more information on other services.
- Database: This will take the format of dbi:mysql:database=nocat, where 'nocat' is the actual name of the MySQL database. Later in the instruction we will create this database referred to here.
- DB_User: This is the MySQL database administrators name
- <DB_Passwd: This is the password of the MySQL database adminstrator.
- LocalGateway: If you have your auth server and gateway server on the same machine or same subnet then you will need to specify the IP address of your gateway server in this field. If you do have your NoCatAuth system configured this way, you will only be able to use one gateway server with your auth server. Note: Remember for security reasons it is not a good idea to have your gateway and auth servers running on the same machine.
- HTML locations: After the LocalGateway section in the nocat.conf file there is a section where you can specify the locations of the various HTML files used for the portal display. Here you can customize the look and feel of your captive portal.
- Auth Server Messages: Here you can customize the various messages that NoCat can display to the user during the session
- You need to make sure that the owner of the apache Web server also owns the pgp and the directory so that you do not get permission errors. You must first find out the user name of the Web server. It is probably 'apache' but please check to be sure. To do this you need to go to /etc/httpd/conf directory. Then scan through the httpd.conf file to find the name of the 'User'.
- After verifying the Web server user name you need to issue the following command to assign ownership to the pgp directory (assuming 'apache' is the user name): chown apache /usr/local/nocat/pgp then also type: chown apache /usr/local/nocat/pgp/*
- If the server you are installing the auth server on will solely be used as an auth server, then you will need to edit your machine's httpd.conf file so that the images for the portal will properly be displayed. To do this go to /etc/httpd/conf and edit the httpd.conf file. Search for the field called 'DocumentRoot' and change the path in the quotation marks from /var/www/html to /usr/local/nocat/htdocs.
- While you are editing your apache Web server's httpd.conf file you also need to add an include reference to the end of the file. This will reference the httpd.conf file that came with the NoCat distribution. Do this by adding the following line to the end of the apache's httpd.conf file: Include /usr/local/nocat/httpd.conf
- Since we are using MySQL as the authentication source, you will need to make a new database. To do this type: mysqladmin create nocat Be sure that the database name created matches that referred to in step 6b. Now you have to import the table schemas. Go to the /usr/local/nocat/etc directory and type mysql nocat < nocat.schema
- Now you are ready to begin adding users to your authentication source. Start off by adding a single user. Go to the /usr/local/nocat/bin directory. Type admintool --c username password
- Before going further we should make sure the machine's hardware clock matches the operating system's clock. To do this type hwclock - -systohc
- Another clocking issue that needs to be fixed before going further is synchronizing the clocks on the auth and gateway servers so that the encryption keys will be in synch. To do this you will need to set up a cron job on both the gateway and auth servers. To edit the crontab of each server you need to type: crontab --e and then add the following line at the bottom of your crontab 0 0 * * 0 /usr/bin/rdate --s 220.127.116.11 > /dev/null 2>&1 This will synchronize your server's time to the time-a.nist.gov server every Sunday morning at 12 am. Clock synchronization is extremely important for the trusted keys operation.
- The gpg keys will now need to be copy from your auth server to all of your gateway servers. You can do this remote copy using services such as FTP, Samba, or NFS so long as you have those services running on your servers. By any method you need to copy the /usr/local/nocat/trustedkeys.gpg file on the auth server to the /usr/local/nocat/pgp directory on the gateway server(s).
You now have your authentication server configured and are ready to go. Make sure that your servers have rebooted and that all cables are in place. Go to the access point connected to the gateway server. Select that wireless network on your laptop computer. Open up your Web browser and see if the captive portal works. All of the graphics you see can be changed to suit your needs. Those files were listed in step 6f. You may have to go back in and tweak some of the settings in the auth and gateway conf files to match your personal tastes. The comments in the conf files are very helpful and if you can not find help there, check out the NoCatNet mailing lists. Good Luck!
References and Credits
- No Cat Net
- All of the kind folks on the two NoCat mailing lists
- The open source community
- John-David Henderson, Goose Creek Communications, Inc
- Flickenger, Rob. Building Wireless Community Networks. Sebastopol: O'Reilly & Associates, Inc, 2002.
- Nate Davis from Salt Lake City, Utah
- Atanu from India (chatted over the net)
- Rob from NoCatNet, 'Running Your Own Auth Service', 2001