Monowall And Wikid

posted: December 9th, 2008

I found out about Monowall about a year and a half ago and really love it. Some of its best features are:

  • Easy to deploy (on a PC, on embedded hardware, or even as a VM)
  • Easy to manage (a web-based management interface second to none)
  • Powerful. It is easy to create a strong firewall rule set, and it has a traffic shaper, captive portal, PPTP and IPsec VPNs, a user manager, a single config file (easy backup of configs), and the list goes on.
  • Reliable; good community support available

In the last month I bought a 2-factor authentication system from Wikid and have set it up as the authentication mechanism for my Monowall-terminated PPTP VPN (it doesn't work with IPsec at the time of publication). The steps to set this up are:

  • Install the Wikid Auth server via the ISO or use the RPMs (I found the ISO easier and just upgraded the RPMs after install).
  • Enable the RADIUS protocol module for your Wikid domain (I have the IP address of the RADIUS server set to 127.0.0.1; not sure why that works, but it obviously still spawns a RADIUS daemon on the Wikid auth server's real interface). I also had the "Multihomed" setting on (the default).
  • Set up a network client for your Monowall using RADIUS and a shared secret (I have the network client pointing at the interface address of my VLAN, not the LAN interface address).
  • Set up a token client and ensure that you can authenticate to the Wikid auth server.

On the monowall:

  • Set the PPTP VPN settings to use RADIUS authentication. Set the IP address of the RADIUS server to the IP of the Wikid auth server and enter the shared secret that you specified on the Wikid auth server.
  • Reboot the Monowall. I spent a day trying to figure out why this was not working. I set up an iptables firewall rule to log all traffic and could not see any traffic coming from the Monowall while trying to authenticate to the VPN. Eventually, out of frustration, I rebooted the firewall and voilà, it worked!
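The RADIUS exchange that the two steps above set up (the firewall sending an Access-Request with the user's passcode hidden under the shared secret, the auth server answering Access-Accept or Access-Reject) is worth having as a stand-alone test client, because its three failure modes look alike from the VPN client but mean different things: no reply at all points at the network path (the firewall rule or listening-interface problem described above), a reply that fails the Response Authenticator check means the shared secrets on the two sides differ, and a clean Access-Reject means the passcode itself was wrong. The following is an added example and is not code from the original post, m0n0wall or WiKID. It implements the RFC 2865 PAP flow with both sides in one file so it runs offline; the stub server, its user table, the secret `shared-secret`, the user `alice` and the addresses are all constructed. It assumes PAP; if the PPTP server negotiates MS-CHAPv2 with the RADIUS server instead, the User-Password attribute is replaced by MS-CHAP attributes, which this example does not cover.

```python
"""RFC 2865 RADIUS Access-Request/Accept/Reject exchange (PAP), both sides in one file."""
import hashlib
import hmac
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4

def _attr(attr_type, value):
    # Attribute TLV: Type(1) Length(1, includes these 2 header bytes) Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _packet(code, ident, authenticator, attrs):
    # Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def pap_hide(secret, request_auth, password):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden

def pap_reveal(secret, request_auth, hidden):
    """Inverse of pap_hide; this is what the auth server does to recover the passcode."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def build_access_request(secret, username, password, nas_ip, ident=1, request_auth=None):
    """What the NAS (the firewall) sends. Returns (packet, request_authenticator)."""
    request_auth = request_auth or secrets.token_bytes(16)  # must be unpredictable (RFC 2865 section 3)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, pap_hide(secret, request_auth, password.encode()))
             + _attr(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def parse_attrs(data):
    attrs, i = {}, 20
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs

def response_authenticator(secret, code, ident, request_auth, attrs):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def handle_request(secret, users, data):
    """Constructed stand-in for the auth server (not WiKID's code): PAP check against a dict."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if code != ACCESS_REQUEST or length != len(data):
        return None
    request_auth = data[4:20]
    attrs = parse_attrs(data)
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    passcode = pap_reveal(secret, request_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    ok = user in users and hmac.compare_digest(users[user].encode(), passcode)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return _packet(code, ident, response_authenticator(secret, code, ident, request_auth, b""), b"")

def check_response(secret, request_auth, ident, data):
    """Client verdict: 'accept', 'reject', or 'bad-authenticator' (shared-secret mismatch or forged reply)."""
    code, resp_ident, length = struct.unpack("!BBH", data[:4])
    if resp_ident != ident or length != len(data):
        return "bad-authenticator"
    expected = response_authenticator(secret, code, resp_ident, request_auth, data[20:])
    if not hmac.compare_digest(expected, data[4:20]):
        return "bad-authenticator"
    return "accept" if code == ACCESS_ACCEPT else "reject"

def radius_auth(host, port, secret, username, password, nas_ip, timeout=3.0):
    """Send one Access-Request over UDP; 'no-reply' means check the path, not the credentials."""
    ident = secrets.randbelow(256)
    pkt, request_auth = build_access_request(secret, username, password, nas_ip, ident)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except (socket.timeout, ConnectionRefusedError):
            return "no-reply"
    return check_response(secret, request_auth, ident, data)

if __name__ == "__main__":
    # In-process round trip with a constructed user table. Against a real server you would call
    # radius_auth("<auth-server-ip>", 1812, secret, user, otp, "<firewall-ip>") instead.
    secret, users = b"shared-secret", {"alice": "482913"}  # constructed values
    for server_secret, otp in ((secret, "482913"), (secret, "000000"), (b"typo", "482913")):
        pkt, auth = build_access_request(secret, "alice", otp, "192.0.2.1", ident=9)
        print(check_response(secret, auth, 9, handle_request(server_secret, users, pkt)))
```

Run it as-is to see the three verdicts (accept, reject, bad-authenticator) from the in-process stub; to test a real deployment, run `radius_auth` from a host whose address is registered as a network client on the auth server, since a RADIUS server silently drops requests from unknown client addresses, which shows up here as "no-reply" just like a blocked path does.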

Since then it has been working pretty well, except that the iPhone token doesn't work on some 3G and Wi-Fi networks; it gives the message "unable to get passcode".

Other than that issue, the solution works well and I like the Wikid 2-factor authentication system. Another cool feature is Wikid "domains", which allow you to have different zones of authentication while using only one token: for example, I can use one domain to authenticate to my VPN and another (same token, protected by a different PIN) to authenticate to my Linux servers.