This document provides instructions for setting up WiFi authentication and accounting using FreeRADIUS on CentOS 5. It involves generating digital certificates using OpenSSL, installing and configuring FreeRADIUS, and setting up a wireless access point and client devices to use the RADIUS server for WPA1/2 enterprise authentication via EAP/PEAP/TTLS. Key steps include generating server and client certificates signed by a certificate authority, configuring FreeRADIUS configuration files, adding a RADIUS client for the access point, and setting the access point and client devices to point to the RADIUS IP for authentication.
1. The document configures Oracle database cloud with two nodes using container database and shared servers. It checks the status of the dispatcher and shared servers on node 1 and confirms connection between the nodes.
2. It provides instructions to connect node 2 using Putty SSH and save the TNS name of node 1 in tnsnames.ora on node 2.
3. After connecting, it checks the status of dispatcher and shared servers to confirm two shared servers are configured across the two nodes.
This document provides instructions for setting up secure remote desktop access to a Windows computer using CopSSH and SSH tunneling. The key steps are:
1. Install CopSSH on the remote Windows computer to enable an SSH server.
2. Generate an SSH key pair using PuttyGen and save the public key on the remote computer.
3. Configure CopSSH to use a non-standard port and require SSH key authentication only.
4. Set up Putty on the local client computer to connect via SSH tunneling to the remote computer, forwarding the RDP port.
Percona Live 4/15/15: Transparent sharding database virtualization engine (DVE) - Tesora
Amrith Kumar of Tesora and Peter Boros of Percona present an in-depth exploration of transparent database scale-out using the Tesora DVE framework for MySQL.
The document provides instructions for setting up a Bacula backup system. It discusses installing Bacula and its components, configuring the director, storage daemon, and file daemon. It describes setting passwords, creating a backup pool and schedule, and configuring a client. Specific configuration files are edited to configure the director, storage daemon, file daemon, and set addresses, passwords and other settings. Commands are provided to start services, run backups and restores, and check configurations for errors. The goal is to have a working Bacula system that can back up and restore a client on a scheduled basis.
This document provides an overview of how DNS lookups generally work, with a focus on DNS security (DNSSEC). It explains the standard DNS lookup process, where a user's request is recursively resolved through root servers, TLD servers, and name servers until an IP address is returned. It then discusses DNSSEC in more detail, explaining the new record types it introduces, such as DNSKEY, RRSIG, DS, and NSEC, to authenticate records and prove non-existence. The document emphasizes that while DNSSEC aims to validate that records are authentic, recursive resolvers still may not perform validation, which limits its effectiveness. It also provides steps to configure a zone with DNSSEC.
The document discusses various tools and services provided by CQURE Team including penetration testing, incident response, security architecture design, forensics investigation, and security awareness training. It also covers technical details of how Windows protects secrets using DPAPI and DPAPI-NG, describing the key derivation functions, encryption algorithms, and key storage locations used.
The document provides various PHP and MySQL tips and best practices including:
1) Signing queries and using comments helps when debugging slow queries and process lists.
2) The "LOAD DATA INFILE" statement is 20 times faster than INSERT for loading data.
3) Normalizing data and avoiding storing multiple values in a single column improves performance.
4) Joins should be used instead of executing multiple queries to compare rows.
This document provides an overview of MySQL including its architecture, clients, connection layer, SQL layer, storage engines, and installation methods. Key points include:
- MySQL uses a connection thread pool, query cache, parser, optimizer, and various storage engines like InnoDB and MyISAM.
- Common MySQL clients allow executing queries, administering the server, checking tables, backing up data, and more.
- The connection layer handles authentication and the communication protocol.
- The SQL layer performs parsing, optimization, and determining the optimal execution plan.
- Storage engines like InnoDB and MyISAM support different features and have different performance characteristics for storage, indexing, and more.
The document provides instructions for installing and configuring a 3DExperience 2016 environment on a Windows Server 2012 R2 system. It involves preparing the OS, installing prerequisites like .NET Framework, Java, Firefox and other tools. It also covers installing DSLS, configuring DNS entries, installing Oracle 12c database and configuring the listener, installing Apache web server and creating SSL certificates for various 3DExperience-related domains. The overall goal is to set up a full 3DExperience 2016 environment with all required software and configurations.
This document discusses various techniques for exploiting UNIX executable programs, including buffer overflow vulnerabilities. It begins with an introduction and outlines an agenda covering vulnerable UNIX applications, memory layout and stacks, buffer overflows, shellcode, and various protection mechanisms and bypass techniques. These include basic stack overflows, bypassing password protections, limited stack spaces, Ret-2-libc exploits, and return-oriented programming (ROP) chains to execute multiple commands. Demo exploits are proposed to show gaining root privilege on vulnerable applications.
The document discusses the network analysis software Wireshark. It explains that Wireshark can be used to capture and analyze real-time network traffic, filter packets, and determine protocols being used. It also provides overviews of common computer networking concepts like TCP/IP models, network protocols, and using Wireshark to filter packets and view statistics about captured network traffic.
This document provides an overview of physical memory analysis techniques. It begins with prerequisites and an agenda, then covers topics like dump generation, memory spaces, common commands, and analysis patterns. Memory analysis can be challenging due to the vast memory space and multiple processes. A pattern-driven approach is recommended to methodically identify and resolve problems. Common patterns include blocked threads, wait chains, resource consumption, and corruption signs. Examples are provided to illustrate specific patterns.
The document provides steps to install Microsoft SQL Server on Linux. It begins with downloading the repository configuration file and then running commands to install SQL Server. The SQL Server service is then started and its status is checked. Issues are encountered when trying to install the SQL Server tools due to conflicts with the unixODBC package. Workarounds are demonstrated to address the issue by removing unixODBC and importing an additional key.
This document provides a PowerShell script to check for and delete a file. It begins with an overview and prerequisites. The script first validates that the provided directory and file exist. It then uses the Remove-Item cmdlet to delete the file, and outputs a message confirming deletion. If the directory or file is invalid, it outputs an error message.
Kyle Hailey is an Oracle expert who has worked with Oracle since 1990. He has experience with Oracle support, porting versions of Oracle, benchmarking, and real world performance. He has also worked with startups, Quest Software, Oracle OEM, and Embarcadero. The document discusses row locks in Oracle and how to find blocking sessions and SQL using tools like ASH, v$lock, and Logminer. It provides examples of creating row lock waits and how to investigate them using these tools.
The document discusses socket programming in Java. It covers key concepts like layers of protocols, ports, the client-server model, and socket classes. Example code is provided to demonstrate how to create simple client and server applications using sockets to connect two processes and exchange data between them. The examples show how to bind sockets, send/receive data over input/output streams, and handle multiple concurrent connections by spawning new threads.
The document discusses 12 enhancements to wait event monitoring and analysis in Oracle 10g, including more descriptive wait event names, new columns in views like v$session and v$sqlarea, and new views such as v$event_histogram and v$session_wait_history that provide additional insight. It focuses on improvements that help DBAs more easily understand what sessions are waiting for and identify potential performance bottlenecks through better organized wait event classification and more granular wait time statistics.
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3 - Adel Karimi
Identifying groups of attackers with similar tools or behaviors is useful for profiling and discovering the connections between them. This talk will explore how I collect JA3, an SSL/TLS client fingerprint, to profile attackers and internet-wide SSL/TLS scans. The talk will provide some interesting observations and the first identified attempt to evade SSL/TLS client fingerprinting!
This document summarizes best practices for secure .NET programming. It discusses guidelines for safer code like using the SecureString class and checked keywords. It also covers vulnerabilities like SQL injection and insecure configuration files. Additionally, it outlines secure communication methods in WCF like SSL and hashing, as well as runtime security features in .NET like CAS and reflection permissions. The document stresses the importance of input validation, authorization, encryption, and overall secure development practices to build a safe .NET environment.
The document discusses various methods for hardening Linux security, including securing physical and remote access, addressing top vulnerabilities like weak passwords and open ports, implementing security policies, setting BIOS passwords, password protecting GRUB, choosing strong passwords, securing the root account, disabling console programs, using TCP wrappers, protecting against SYN floods, configuring SSH securely, hardening sysctl.conf settings, leveraging open source tools like Mod_Dosevasive, Fail2ban, Shorewall, and implementing security at the policy level with Shorewall.
1. The document discusses Oracle RAC Cluster Synchronization Services (CSS) and how it handles split-brain situations when network failures occur.
2. CSS uses services like Group Management and Node Monitoring to manage cluster membership and detect node failures. It relies on voting disks to resolve split-brain situations when nodes cannot communicate over the network.
3. During a split-brain, the CSS reconfiguration process attempts to keep the largest surviving subcluster alive by exiling nodes from the smaller competing subclusters. It does this by checking network and disk heartbeats as well as voting information stored on voting disks.
PostgreSQL 12 streaming replication HOL - Vijay Kumar N
This is a step-by-step hands-on lab for PostgreSQL 12: setup of replication, replication slots, failover (promoting) to the standby as the new master cluster, and also covering the scenario where the old master has to be reinstated using the utility "pg_rewind".
This document discusses writing and installing custom Windows PowerShell cmdlets. It provides steps for creating a custom cmdlet using Visual Studio, installing the cmdlet, and uninstalling it. It also discusses using PowerShell with .NET 4.0 and provides examples of Windows Azure PowerShell cmdlets for managing Azure services and resources.
Linux Server Hardening - Step by Step - Sunil Paudel
Linux Server Hardening
This document gives the step-by-step way of hardening the server. We have used the Metasploitable server, the vulnerable Ubuntu server designed to be hacked, and have done the hardening. We have stopped all the unnecessary services and ports. We have assumed the server to be the web server only. Hence, only ports 80 and 443 will be opened. Then the firewall rules have been set, followed by the Apache web server hardening, encryption of the folders and files, disabling the unwanted users, and forcing the password policies.
A close encounter with real world and odd perf issues - Riyaj Shamsudeen
This document discusses a performance issue where a database experienced high CPU usage in the kernel mode. Tracing tools identified that detaching from multiple shared memory segments during connection release was causing the high CPU. The database server had a NUMA architecture, causing the database instance to create multiple shared memory segments across NUMA nodes. Increasing the shared memory size limit did not resolve it, as the instance was optimizing for NUMA.
How To Install and Configure Apache SSL on CentOS 7 - VCP Muthukrishna
This document provides instructions on how to install and configure Apache SSL on CentOS 7. It includes steps to install the httpd package and enable the service, create a self-signed SSL certificate, configure the SSL settings in the Apache configuration file including the certificate and key files, open firewall ports, and validate the SSL configuration. The goal is to securely serve HTTPS traffic from the Apache web server using the newly created SSL certificate.
This document provides steps to install and configure mod_ssl on CentOS/Fedora/Redhat to enable HTTPS on the Apache web server. It describes generating a self-signed certificate, editing the ssl.conf and httpd.conf configuration files to specify the certificate details and enable SSL, and restarting the Apache server to apply the changes.
The Secure Socket Layer protocol was created by Netscape to ensure secure transactions between web servers and browsers.
Most certificates in common use are based on the X.509 v3 certificate standard. First I open the shell with the openssl.exe and MS SDK tools.
This document discusses security concepts like minimizing risk, managing vulnerabilities, and monitoring logs. It then focuses on OpenSSL and cryptography, explaining how to set up an OpenSSL certificate authority (CA) to generate and sign certificates. It covers generating keys, creating certificate signing requests, signing certificates, managing certificate revocation lists, and configuring applications to use the CRL for validation.
This document provides instructions for configuring OpenStack Nova compute on a controller and compute server. It discusses:
1. Configuring the MySQL database, RabbitMQ, and Keystone service credentials for Nova on the controller.
2. Installing and configuring the Nova packages, including API, scheduler, and conductor services on the controller and nova-compute on the compute server.
3. Configuring Nova to use the MySQL database, RabbitMQ for messaging, and Glance for images.
4. Starting the Nova services and cleaning the SQLite database file.
The document describes the steps to set up an OpenVPN server with Easy-RSA on a Linux system. It involves:
1. Installing OpenVPN and Easy-RSA packages and configuring Easy-RSA parameters and keys like CA, server, client, DH.
2. Generating certificates and keys for the OpenVPN server and client.
3. Configuring the OpenVPN server file with settings for port, protocol, network, authentication and other parameters.
4. Enabling port forwarding, starting the OpenVPN service, and verifying logs as the service starts.
This document provides instructions for setting up a TrinityCore private server on Linux. It discusses downloading and compiling TrinityCore source code, configuring the required MySQL databases, and basic server configuration. Key steps include installing prerequisites like build tools and libraries, cloning the TrinityCore source repository, running cmake to configure the build, importing SQL files to set up the auth, characters, and world databases, and editing the realmlist table to point clients to the server.
This document provides an overview of the basic function call flow for OpenSSL to establish a secure TCP connection. It discusses initializing the OpenSSL library, creating an SSL_CTX object, generating randomness, creating an SSL object for a connection, performing the TLS/SSL handshake, and reading and writing data over the encrypted connection. It also provides examples of OpenSSL code for a client application.
Presentation IV: Implementation of 802.1x EAP-TLS PEAP-MSCHAPv2 - Hell19
1. The document discusses the implementation of 802.1x authentication using EAP-TLS and PEAP-MSCHAPv2 with FreeRADIUS and MySQL on a Linux server.
2. It describes the hardware and software components used, including wireless clients, access points, and a Linux server.
3. The steps covered include installing MySQL, Apache, OpenSSL, FreeRADIUS, and DialupAdmin on the server, and configuring FreeRADIUS, DialupAdmin and the access points to implement the authentication.
This document discusses SSL certificates, including their purpose for server/client authentication and secure data transfer. It covers the process of requesting, signing, installing and verifying certificates from both Certificate Authorities (CAs) and self-signing. The different types of SSL certificates - DV, OV and EV - are explained along with OpenSSL tools, certificate structure, chain of trust, trust stores, certificate pinning and free certificate options like Let's Encrypt.
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation... - MongoDB
This document provides information on securing MongoDB installations, including common attacks and weaknesses. It discusses various authentication strategies in MongoDB like SCRAM-SHA-1 and x.509 certificates. It also covers user and role management with examples based on a fictional medical clinic application. Additional topics covered include network configuration, using MongoDB Atlas, implementing read-only views, and architectural considerations for a secure system.
Aeon Mike guide: transparent SSL filtering - Conrad Cruz
This document provides instructions for configuring SQUID 3.3 to act as an SSL bumping proxy on a Debian system. It describes how to generate a self-signed SSL certificate, edit the squid.conf file to enable SSL bumping and specify the certificate files, configure iptables rules to redirect HTTP and HTTPS traffic to the proxy ports, and provides an example configuration for filtering access to specific banking sites over HTTPS.
Aeon mike guide transparent ssl filtering (1)Conrad Cruz
This document provides instructions for configuring Squid 3.3 to act as an SSL bumping proxy on a Debian system. It describes how to generate a self-signed SSL certificate, edit the Squid configuration file to enable SSL bumping and specify the certificate files, configure iptables rules to redirect HTTPS traffic to the proxy, and provides an example Squid configuration file for SSL filtering.
Seattle C* Meetup: Hardening cassandra for compliance or paranoiazznate
Details how to secure Apache Cassandra clusters. Covers client to server and server to server encryption, securing management and tooling, using authentication and authorization, as well as options for encryption at rest.
fog or: How I Learned to Stop Worrying and Love the CloudWesley Beary
Learn how to easily get started on cloud computing with fog. If you can control your infrastructure choices, you’ll make better choices in development and get what you need in production. You'll get an overview of fog and concrete examples to give you a head start on your provisioning workflow.
Hardening cassandra for compliance or paranoiazznate
Cassandra at rest encryption, inter-node communication encryption, client-server communication encryption, authentication, authorization, and securing JMX management were discussed. The document provided guidance on implementing encryption at rest using commercial and open source options, setting up SSL for inter-node and client-server communication using self-signed certificates, implementing authentication and authorization best practices from RBMS, and securing JMX access.
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).DataStax Academy
Security is always at odds with usability, particularly in the context of operations and development. More so when dealing with a distributed system such as Apache Cassandra. In this presentation, we'll walk through the steps required to completely secure a Cassandra cluster to meet most regulatory and compliance guidelines.
Topics will include:
- Encrypting cross-DC traffic
- Different types of at-rest disk encryption options available (and how to tune them)
- Configuring SSL for inter-cluster communication
- Configuring SSL between clients and the API
- Configuring and managing client authentication
Attendees will leave this presentation with the knowledge required to harden Cassandra to meet most guidelines imposed by regulations and compliance.
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Speck&Tech
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Webinar: Designing a schema for a Data WarehouseFederico Razzoli
Are you new to data warehouses (DWH)? Do you need to check whether your data warehouse follows the best practices for a good design? In both cases, this webinar is for you.
A data warehouse is a central relational database that contains all measurements about a business or an organisation. This data comes from a variety of heterogeneous data sources, which includes databases of any type that back the applications used by the company, data files exported by some applications, or APIs provided by internal or external services.
But designing a data warehouse correctly is a hard task, which requires gathering information about the business processes that need to be analysed in the first place. These processes must be translated into so-called star schemas, which means, denormalised databases where each table represents a dimension or facts.
We will discuss these topics:
- How to gather information about a business;
- Understanding dictionaries and how to identify business entities;
- Dimensions and facts;
- Setting a table granularity;
- Types of facts;
- Types of dimensions;
- Snowflakes and how to avoid them;
- Expanding existing dimensions and facts.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
5th LF Energy Power Grid Model Meet-up SlidesDanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
Project Management Semester Long Project - Acuityjpupo2018
Acuity is an innovative learning app designed to transform the way you engage with knowledge. Powered by AI technology, Acuity takes complex topics and distills them into concise, interactive summaries that are easy to read & understand. Whether you're exploring the depths of quantum mechanics or seeking insight into historical events, Acuity provides the key information you need without the burden of lengthy texts.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5
Certificates: OpenSSL 0.9.8b
RADIUS server: FreeRADIUS 1.1.7 (built from the FC6 src.rpms)
(Note: This document also assumes that you have a DHCP server already configured and running on the same subnet.)
Protocols configured for:
WPA1/2 enterprise
EAP/PEAP/TTLS
The following steps are involved:
1- Install OS
2- Install openssl
3- Generate digital certificates
4- Install / Configure freeradius
5- Configure Access points
6- Configure end wifi clients
Step 1
1- Install the OS in minimal mode (refer to a separate howto).
Step 2
2- Install OpenSSL (if not already installed):
yum install openssl
Step 3 ( *********** OpenSSL Certificate Generation ***********)
There are numerous ways of generating SSL certificates. You can create your certificates on another computer or on this server.
Following is the manual way of creating certificates which I adopted. You are advised to use a script to create them instead, in which case you can skip this step: FreeRADIUS 1.1.7 and 2.x ship with certificate-generating scripts, so use them if you are new to certificates. (In 2.x the scripts are usually in /etc/raddb/certs/; in 1.x they are in the scripts/ directory of the unpacked FreeRADIUS tarball.)
Note: The following process also creates a client certificate, which you will not need with EAP-PEAP or EAP-TTLS; only EAP-TLS authenticates clients by certificate.
3.1 Create a new self-signed certificate authority (if not already created) in /etc/ssl:
mkdir private
mkdir newcerts
touch index.txt
echo '01' > serial
Edit /etc/pki/tls/openssl.cnf and change
dir = ../../CA # Where everything is kept
to
dir = /etc/ssl
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650
Passphrase: "letmein" is the CA key passphrase I chose.
Following is the output:
===========================================================================
[root@ciitwifi ssl]# openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out
cacert.pem -days 3650
Generating a 1024 bit RSA private key
..++++++
..++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not@ciit.net.pk
===========================================================================
3.2 Create the server certificate request in /etc/ssl. (Note the challenge password "lettheserverin" typed below: because of -nodes the server key itself is written unencrypted, so this string is only a CSR attribute, not a key passphrase.)
openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730
Output:
===========================================================================
[root@ciitwifi ssl]# openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730
Generating a 1024 bit RSA private key
.......++++++
..................................++++++
writing new private key to 'server_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:lettheserverin
An optional company name []:
[root@ciitwifi ssl]#
===========================================================================
3.3 Sign the server certificate using the certificate authority created earlier (with the "XP extensions"):
Create an xpextensions file at /etc/ssl with the following content. The two OIDs are the standard extendedKeyUsage values: 1.3.6.1.5.5.7.3.1 is serverAuth and 1.3.6.1.5.5.7.3.2 is clientAuth. The Windows supplicant refuses a RADIUS server certificate that lacks the serverAuth purpose, which is why the server certificate is signed with xpserver_ext and the client certificate with xpclient_ext.
[root@centos5 ssl]# cat xpextensions
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem
(Note: the passphrase asked for is the CA key passphrase, "letmein" from step 3.1. Also note in the output below that the certificate is valid for 365 days, not the 730 given to openssl req: -days on a certificate request is ignored, and the lifetime comes from default_days in openssl.cnf or from -days on the openssl ca command.)
===========================================================================
[root@ciitwifi ssl]# openssl ca -policy policy_anything -out server_cert.pem -extensions
xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 10 03:22:22 2008 GMT
Not After : Jun 10 03:22:22 2009 GMT
Subject:
countryName = pk
stateOrProvinceName = pakhtoonkhwa
localityName = abbottabad
organizationName = ciit
commonName = ciitwifi
emailAddress = rnd@peace.not
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Jun 10 03:22:22 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ciitwifi ssl]#
===========================================================================
3.4 Create a server file with both the server key and the server certificate:
cat server_key.pem server_cert.pem > server_keycert.pem
3.5 Create a client certificate request in /etc/ssl:
openssl req -new -keyout client_key.pem -out client_req.pem -days 730
"ciitwificlient" is the PEM passphrase I used.
Output:
===========================================================================
[root@ciitwifi ssl]# openssl req -new -keyout client_key.pem -out client_req.pem -days 730
Generating a 1024 bit RSA private key
.........++++++
..............++++++
writing new private key to 'client_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:pk
State or Province Name (full name) [Berkshire]:pakhtoonkhwa
Locality Name (eg, city) [abbottabad]:abbottabad
Organization Name (eg, company) [ciit]:ciit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ciitwifi
Email Address []:rnd@peace.not
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:whateverdotwhat
An optional company name []:
[root@ciitwifi ssl]#
===========================================================================
3.6 Sign the client certificate using the certificate authority created earlier (with the XP extensions):
openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem
"letmein" (the CA key passphrase) is what is asked for here.
===========================================================================
[root@ciitwifi ssl]# openssl ca -policy policy_anything -out client_cert.pem -extensions
xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/client_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jun 10 03:49:46 2008 GMT
Not After : Jun 10 03:49:46 2009 GMT
Subject:
countryName = pk
stateOrProvinceName = pakhtoonkhwa
localityName = abbottabad
organizationName = ciit
commonName = ciitwifi
emailAddress = rnd@peace.not
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
Certificate is to be certified until Jun 10 03:49:46 2009 GMT (365 days)
Sign the certificate? [y/n]:yes
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ciitwifi ssl]#
===========================================================================
3.7 Export the client certificate and its key in PKCS#12 format (.p12) for an XP client:
openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts
"ciitwificlient" is the client key passphrase.
"Idontknow" is the export password. This is the password you give to the Windows XP users, who must enter it when installing client_cert.p12. The file contains the client's private key, so hand it over and store it accordingly.
Output:
===========================================================================
[root@ciitwifi ssl]# openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out
client_cert.p12 -clcerts
Enter pass phrase for client_key.pem:
Enter Export Password:
Verifying - Enter Export Password:
[root@ciitwifi ssl]#
===========================================================================
3.8 Export the CA (root) certificate in DER format for an XP client:
openssl x509 -setalias "ciitwifi@ciit" -outform DER -in cacert.pem -out cacert.der
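The whole of Step 3 as one non-interactive script, added here as an example and not part of the howtoforge article: it builds the CA, the serverAuth server certificate, the clientAuth client certificate, the .p12 and the DER file with the same passphrases as above, then runs the checks worth doing before the files go to FreeRADIUS and to the clients. Assumptions that are this example's own, not the article's: 2048-bit RSA keys and SHA-256 instead of the 1024-bit keys shown above, a minimal openssl.cnf written into the CA directory instead of editing /etc/pki/tls/openssl.cnf, distinct common names for CA, server and client, and default_days = 730. The dhparam step (4.5) is left out because of how long it takes.

```sh
#!/bin/sh
# Added example: non-interactive version of Step 3 plus the checks to run afterwards.
# Assumptions (not from the article): 2048-bit keys, sha256, a minimal openssl.cnf in
# the CA directory, default_days = 730, distinct CNs for CA/server/client.

gen_wifi_certs() {
    CADIR="$1"; CNF="$CADIR/openssl.cnf"
    mkdir -p "$CADIR/private" "$CADIR/newcerts"
    : > "$CADIR/index.txt"      # CA database, empty to start with
    echo 01 > "$CADIR/serial"   # first serial number to issue
    # default_days (not the -days given to "openssl req") fixes the signed certificate's lifetime.
    cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database      = $CADIR/index.txt
new_certs_dir = $CADIR/newcerts
serial        = $CADIR/serial
certificate   = $CADIR/cacert.pem
private_key   = $CADIR/private/cakey.pem
default_md    = sha256
default_days  = 730
policy        = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
EOF
    # 3.1 self-signed CA; its key is encrypted with the article's "letmein"
    openssl req -new -x509 -config "$CNF" -extensions v3_ca -days 3650 -newkey rsa:2048 \
        -subj "/C=PK/O=ciit/CN=ciitwifi-ca" -passout pass:letmein \
        -keyout "$CADIR/private/cakey.pem" -out "$CADIR/cacert.pem" 2>/dev/null || return 1
    # 3.2 + 3.3 server request (-nodes: key left unencrypted) signed with the serverAuth EKU
    openssl req -new -nodes -config "$CNF" -newkey rsa:2048 -subj "/C=PK/O=ciit/CN=ciitwifi" \
        -keyout "$CADIR/server_key.pem" -out "$CADIR/server_req.pem" 2>/dev/null || return 1
    openssl ca -batch -notext -config "$CNF" -passin pass:letmein -extensions xpserver_ext \
        -out "$CADIR/server_cert.pem" -infiles "$CADIR/server_req.pem" 2>/dev/null || return 1
    # 3.4 the file eap.conf names as both private_key_file and certificate_file
    cat "$CADIR/server_key.pem" "$CADIR/server_cert.pem" > "$CADIR/server_keycert.pem"
    # 3.5 + 3.6 client request (key encrypted with "ciitwificlient") signed with the clientAuth EKU
    openssl req -new -config "$CNF" -newkey rsa:2048 -subj "/C=PK/O=ciit/CN=ciitwifi-client" \
        -passout pass:ciitwificlient -keyout "$CADIR/client_key.pem" \
        -out "$CADIR/client_req.pem" 2>/dev/null || return 1
    openssl ca -batch -notext -config "$CNF" -passin pass:letmein -extensions xpclient_ext \
        -out "$CADIR/client_cert.pem" -infiles "$CADIR/client_req.pem" 2>/dev/null || return 1
    # 3.7 PKCS#12 for the XP client, protected by the export password "Idontknow"
    openssl pkcs12 -export -clcerts -in "$CADIR/client_cert.pem" -inkey "$CADIR/client_key.pem" \
        -passin pass:ciitwificlient -passout pass:Idontknow \
        -out "$CADIR/client_cert.p12" 2>/dev/null || return 1
    # 3.8 CA certificate in DER for the client's Trusted Root store
    openssl x509 -outform DER -in "$CADIR/cacert.pem" -out "$CADIR/cacert.der" 2>/dev/null
}

# Server certificate: must chain to the CA and carry serverAuth, or the Windows
# supplicant rejects the RADIUS server.
check_server_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/server_cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/server_cert.pem" -noout -purpose | grep -q '^SSL server : Yes'
}

# Client certificate: must chain to the CA, carry clientAuth, and NOT be usable as a
# server certificate, otherwise any client could impersonate the RADIUS server.
check_client_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/client_cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/client_cert.pem" -noout -purpose | grep -q '^SSL client : Yes' || return 1
    openssl x509 -in "$1/client_cert.pem" -noout -purpose | grep -q '^SSL server : No'
}

# Files handed to the client: the .p12 opens with the export password, the DER CA cert as-is.
check_client_files() {
    openssl pkcs12 -in "$1/client_cert.p12" -passin pass:Idontknow -nokeys 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE' || return 1
    openssl x509 -inform DER -in "$1/cacert.der" -noout -subject >/dev/null 2>&1
}

# Usage: gen_wifi_certs /etc/ssl && check_server_cert /etc/ssl && check_client_cert /etc/ssl
```

The -purpose checks are the ones that catch a certificate signed with the wrong -extensions section (or with none at all): such a certificate still verifies against the CA, but Windows will not accept it as a server certificate, and a client certificate that also passes as a server certificate lets any client pose as the RADIUS server.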
Step 4 (*********** Freeradius Setup ***********)
4.1 Fetch the FreeRADIUS rpm and install it:
rpm -Uvh freeradius....
If it asks for dependencies, do the following:
yum install net-snmp-utils perl-DBI libtool-ltdl -y
Note: The FreeRADIUS available in the CentOS 5.1 repositories is freeradius-1.1.3 (with OpenSSL support), a version that is no longer supported by freeradius.org; support is only available for the 1.1.7.x series. The latest version, 2.0.5, has newer features but has no rpm binaries for CentOS 5.x, although Fedora 9 .src.rpms of 2.0.3 do exist. FreeRADIUS 2.x differs from 1.x under the hood (paths and files of the various protocols), so the paths below are for 1.x.
4.2 Remove the FreeRADIUS default certificate files:
rm -Rf /etc/raddb/demoCA
(The default files actually live in /etc/raddb/certs/demoCA. Rather than delete them, I moved the whole /etc/raddb/certs folder aside to /etc/raddb/bkup_certs.)
4.3 Create a fresh /etc/raddb/certs directory in which to keep the certificate files (the original one having been moved to /etc/raddb/bkup_certs as just described):
mkdir /etc/raddb/certs
4.4 Copy the server key/certificate file and the CA certificate to the FreeRADIUS certs folder:
cp /etc/ssl/cacert.pem /etc/raddb/certs/ -v
cp /etc/ssl/server_keycert.pem /etc/raddb/certs/ -v
4.5 Create the Diffie-Hellman parameters file for TLS:
openssl dhparam -check -text -5 512 -out dh
(Note: a 512-bit DH group, as generated here and shown in the output below, is far too weak by today's standards and is the first thing to change: replace 512 with at least 2048 in the command above. Generation then takes considerably longer.)
Output:
===========================================================================
[root@ciitwifi ssl]# pwd
/etc/ssl
[root@ciitwifi ssl]# openssl dhparam -check -text -5 512 -out dh
Generating DH parameters, 512 bit long safe prime, generator 5
This is going to take a long time
.+.........................................................................+
................+......+.............................+...........+.........+.............
..........+..............................................................................
......+........................................+...........................+.............
.................+........................+..............................................
...+...........................+..........................+..........+.+.......+.........
....................................+...+...........................................+....
...............................+.....................+.........+.........................
.......+.......+.........+.....+......................+............................+.....
.........+.........+............................................................++*++*++*
++*++*++*
DH parameters appear to be ok.
[root@ciitwifi ssl]#
===========================================================================
Copy this "dh" file to /etc/raddb/certs folder:
cp /etc/ssl/dh /etc/raddb/certs -v
4.6 Create the random bitstream file for TLS, and change the ownership of the certificate files so that FreeRADIUS can read them. (server_keycert.pem contains the unencrypted server private key, so nobody but the radiusd user should be able to read it.)
dd if=/dev/urandom of=random count=2
Output (in the /etc/raddb/certs folder):
===========================================================================
[root@ciitwifi certs]# dd if=/dev/urandom of=random count=2
2+0 records in
2+0 records out
1024 bytes (1.0 kB) copied, 0.000545195 seconds, 1.9 MB/s
===========================================================================
chown -R radiusd /etc/raddb/certs
4.7 Modify /etc/raddb/eap.conf (full listing):
(Note: private_key_password is meant to be the passphrase of the server private key. Here it is set to "lettheserverin", the challenge password typed in step 3.2; since the server key was generated with -nodes it is unencrypted and this setting is never actually used. It only matters if you encrypt the key.)
(Yes, it can be tuned further, i.e. dropping/adding support for other protocols. That's up to you.)
eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    # the tls settings are shared by EAP-TLS, PEAP and TTLS (they all build the outer TLS tunnel)
    tls {
        private_key_password = lettheserverin
        private_key_file = ${raddbdir}/certs/server_keycert.pem
        certificate_file = ${raddbdir}/certs/server_keycert.pem
        CA_file = ${raddbdir}/certs/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
    }
    ttls {
        # inner authentication carried inside the TTLS tunnel
        default_eap_type = mschapv2
        use_tunneled_reply = yes
    }
    peap {
        # inner authentication carried inside the PEAP tunnel
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
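Before starting radiusd, the tls { } section above can be checked against the files it names. The function below is an added example, not from the article or from FreeRADIUS: it reads private_key_file, certificate_file, CA_file, dh_file, random_file and private_key_password from an eap.conf, expands ${raddbdir} to the directory you pass, and confirms that every file exists, that the key opens with the configured password, that key and certificate match, that the certificate chains to CA_file, and that the DH group is at least 2048 bits (so it rejects the 512-bit group generated in 4.5, which is the point). It assumes the 1.x/2.x setting names used in the listing, with unquoted values as shown there.

```sh
#!/bin/sh
# Added example: check the files named in eap.conf's tls { } section before starting radiusd.
# Assumes the 1.x/2.x setting names used in the listing above; ${raddbdir} is replaced by $2.

# eap_tls_value SETTING EAP_CONF RADDBDIR -> first value of SETTING with ${raddbdir} expanded
eap_tls_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1 \
        | sed "s|\\\${raddbdir}|$3|g; s/[[:space:]]*\$//"
}

# check_eap_tls EAP_CONF RADDBDIR -> 0 if the tls { } section is consistent, 1 (with a reason) if not
check_eap_tls() {
    conf="$1"; raddb="$2"
    key=$(eap_tls_value private_key_file "$conf" "$raddb")
    crt=$(eap_tls_value certificate_file "$conf" "$raddb")
    ca=$(eap_tls_value CA_file "$conf" "$raddb")
    dh=$(eap_tls_value dh_file "$conf" "$raddb")
    rnd=$(eap_tls_value random_file "$conf" "$raddb")
    pw=$(eap_tls_value private_key_password "$conf" "$raddb")
    for f in "$key" "$crt" "$ca" "$dh" "$rnd"; do
        [ -n "$f" ] && [ -r "$f" ] || { echo "missing or unreadable: ${f:-<unset>}"; return 1; }
    done
    # the key must open with private_key_password (a no-op for an unencrypted -nodes key)
    openssl pkey -in "$key" -passin "pass:$pw" -noout 2>/dev/null \
        || { echo "private key does not open with private_key_password"; return 1; }
    # key and certificate must carry the same public key (certificate_file may hold key + cert)
    kpub=$(openssl pkey -in "$key" -passin "pass:$pw" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] || { echo "private key does not match certificate"; return 1; }
    # the certificate FreeRADIUS presents must chain to the CA the clients are given
    openssl x509 -in "$crt" 2>/dev/null | openssl verify -CAfile "$ca" >/dev/null 2>&1 \
        || { echo "certificate does not chain to CA_file"; return 1; }
    # the article's 512-bit group is breakable; insist on at least 2048 bits
    bits=$(openssl dhparam -in "$dh" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || { echo "dh_file is only ${bits:-0} bits"; return 1; }
}

# Usage: check_eap_tls /etc/raddb/eap.conf /etc/raddb && /etc/init.d/radiusd start
```

Run it as the radiusd user rather than root if you want the readability checks to mean something; a file root can read but radiusd cannot is exactly the failure that chown in 4.6 is there to prevent.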
4.8 Add a RADIUS client entry for the wireless access point in /etc/raddb/clients.conf. The shared secret is what protects the RADIUS exchange between AP and server, so use a long random string and keep it out of screenshots and wikis.
For the D-Link AP3200:
client 192.168.0.53 {
    secret = <dlink secret phrase>
    shortname = AP3200
    nastype = other
}
4.9 Modify /etc/raddb/radiusd.conf:
I didn't modify radiusd.conf, but make sure the following are uncommented. (Yes, it can be tuned further, i.e. dropping/adding support for other protocols, unloading unused modules, increasing performance etc. That's up to you.)
log_auth = yes
authorize {
    preprocess
    chap
    mschap
    suffix
    pap
    eap
    files
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    # unix
    eap
}
4.10 Modify /etc/raddb/users and start the server.
Create a user at the top of the file (MSCHAPv2 needs the cleartext password, or its NT hash, on the server side, which is why it is stored in the clear here):
faheem Cleartext-Password := "khan"
Now start the RADIUS server:
/etc/init.d/radiusd start
Step 5 ****************** Configuring the Access Point *********************
Now set the AP to use "WPA Enterprise (auto)" or "WPA2 Enterprise" and point it to the RADIUS server's IP address and authentication port (1812 by default). The shared secret must be the same as in /etc/raddb/clients.conf (i.e. in our case the "dlinksecret" phrase).
Step 6 ******************** Configure end wifi clients ********************
Install certificates
Certification authority: cacert.der from step 3.8 (the original screenshots show it as CA.der). Import it into the "Trusted Root Certification Authorities" store; for PEAP/TTLS this is all the client needs, since it only has to validate the server's certificate.
Do not give clients the server's key/certificate file (server_keycert.pem): it holds the server's private key, and anyone with it could stand up a fake RADIUS server that your clients would trust. For EAP-TLS the client additionally gets its own client_cert.p12 from step 3.7.
Note: The following procedure was captured on Windows 2003 Server, but it shouldn't be very different on Windows XP.
Go to "Start", select "Run" and type "mmc".
That is it for EAP-PEAP and EAP-TTLS. For EAP-TLS you also need to import the client certificate: follow the same import procedure for client_cert.p12 (export password "Idontknow"), placing it in the user's "Personal" store rather than "Trusted Root", and adjust eap.conf for TLS.
Configuring the wifi interface
View "My Network Neighborhood" and choose your access point, in this case "AP3200" (actually named "mydlink" here).
Press "OK", "OK" and "OK". You are done configuring the wifi.
Immediately disable the wifi interface: right-click it and choose "Disable".
After a second or two, re-enable the wifi interface. You should be prompted for username/password/login domain.
Simply supply the username and password and press "OK".
You should connect in less than a second.
Congratulations, you have configured a WPA1/2 enterprise wifi network.
Possible problems/solutions:
FreeRADIUS not compiled with OpenSSL support. (Search the web for a build with OpenSSL/EAP-TLS support; see the note in 4.1 on versions.)
Certificates not installed correctly. (Use the demo certificates or one of the automating scripts.)
The XP end client does not support the protocol. (Install the latest service pack.)
Client/AP not communicating. (Turn off the firewall or open the ports: UDP 1812 for authentication and UDP 1813 for accounting.)
AP not communicating. (Reset/restart it or update the firmware.)
Client not getting authenticated. (Check the logs, or run the FreeRADIUS server in debug mode, e.g. radiusd -X -z, and watch the EAP exchange.)