An riga an bayyana wasu misalan shirya WiFi na kamfani. Anan zan bayyana yadda na aiwatar da irin wannan mafita da kuma matsalolin da na fuskanta lokacin haɗawa akan na'urori daban-daban. Za mu yi amfani da LDAP ɗin da ke akwai tare da masu amfani da rajista, haɓaka FreeRadius da daidaita WPA2-Enterprise akan mai sarrafa Ubnt. Komai yana da sauƙi. Mu gani…
Kadan game da hanyoyin EAP
Kafin mu ci gaba da aikin, muna buƙatar yanke shawarar hanyar tabbatarwa da za mu yi amfani da ita a cikin maganinmu.
Daga Wikipedia:
EAP shine tsarin tabbatarwa wanda galibi ana amfani dashi a cikin cibiyoyin sadarwa mara waya da haɗin kai-to-point. An fara bayanin tsarin a cikin RFC 3748 kuma an sabunta shi a cikin RFC 5247.
Ana amfani da EAP don zaɓar hanyar tantancewa, wucewa maɓallai, da sarrafa waɗannan maɓallan tare da toshe-kunnen da ake kira hanyoyin EAP. Akwai hanyoyin EAP da yawa, dukansu an bayyana su tare da EAP kanta kuma masu siye ɗaya suka fitar. EAP baya ayyana layin hanyar haɗin gwiwa, yana bayyana tsarin saƙo ne kawai. Kowace yarjejeniya ta amfani da EAP tana da nata tsarin saƙon EAP ɗin sa.
Hanyoyin da kansu:
- LEAP yarjejeniya ce ta mallakar ta CISCO. An sami rauni. A halin yanzu ba a ba da shawarar amfani ba
- EAP-TLS yana da tallafi sosai tsakanin masu siyar da waya. Amintacciyar yarjejeniya ce saboda ita ce magaji ga ƙa'idodin SSL. Saitin abokin ciniki yana da wahala sosai. Kuna buƙatar takardar shaidar abokin ciniki ban da kalmar wucewa. An goyi bayan tsarin da yawa
- EAP-TTLS - ana tallafawa sosai akan tsarin da yawa, yana ba da tsaro mai kyau ta amfani da takaddun shaida na PKI kawai akan sabar tantancewa.
- EAP-MD5 wani ma'aunin buɗaɗɗe ne. Yana bayar da ƙarancin tsaro. M, baya goyan bayan tabbatar da juna da mabuɗin tsara
- EAP-IKEv2 - bisa sigar Mu'amalar Maɓalli ta Intanet 2. Yana ba da ingantaccen haɗin gwiwa da kafa maɓallin zama tsakanin abokin ciniki da uwar garken
- PEAP mafita ce ta haɗin gwiwa tsakanin CISCO, Microsoft da Tsaro na RSA a matsayin buɗaɗɗen ma'auni. Yadu samuwa a cikin samfurori, yana ba da aminci mai kyau sosai. Mai kama da EAP-TTLS, yana buƙatar takardar shaidar gefen uwar garke kawai
- PEAPv0/EAP-MSCHAPv2 - bayan EAP-TLS, wannan shine ma'auni na biyu da ake amfani dashi a duniya. Abokin ciniki da uwar garken da aka yi amfani da shi a cikin Microsoft, Cisco, Apple, Linux
- PEAPv1/EAP-GTC - Cisco ne ya ƙirƙira a matsayin madadin PEAPv0/EAP-MSCHAPv2. Baya kare bayanan tantancewa ta kowace hanya. Ba a tallafawa akan Windows OS
- EAP-FAST dabara ce ta Cisco don gyara gazawar LEAP. Yana Amfani da Kariyar Samun Taimako (PAC). Ba a gama ba
Daga cikin duk wannan bambancin, zaɓin har yanzu bai yi girma ba. Ana buƙatar hanyar tabbatarwa: tsaro mai kyau, tallafi akan duk na'urori (Windows 10, macOS, Linux, Android, iOS) kuma, a zahiri, mafi sauƙi mafi kyau. Saboda haka, zaɓin ya faɗi akan EAP-TTLS tare da haɗin gwiwar PAP.
Tambayar na iya tasowa - Me yasa ake amfani da PAP? saboda yana aika kalmomin shiga a sarari?
E haka ne. Sadarwa tsakanin FreeRadius da FreeIPA zai gudana daidai kamar wannan. A cikin yanayin gyara kuskure, zaku iya waƙa da yadda ake aika sunan mai amfani da kalmar wucewa. Ee, kuma bari su tafi, kawai kuna da damar zuwa uwar garken FreeRadius.
Kuna iya karanta ƙarin game da yadda EAP-TTLS ke aiki
FreeRADIUS
FreeRadius za a tashe akan CentOS 7.6. Babu wani abu mai rikitarwa a nan, mun saita shi a hanyar da aka saba.
yum install freeradius freeradius-utils freeradius-ldap -y
An shigar da sigar 3.0.13 daga fakitin. Ana iya ɗaukar na ƙarshe
Bayan wannan, FreeRadius yana aiki. Kuna iya ba da amsa ga layin a /etc/raddb/users
steve Cleartext-Password := "testing"
Kaddamar da cikin uwar garken a cikin yanayin debug
freeradius -X
Kuma yi haɗin gwaji daga localhost
radtest steve testing 127.0.0.1 1812 testing123
Mun sami amsa An Karɓa Idon-Karɓa Id 115 daga 127.0.0.1:1812 zuwa 127.0.0.1:56081 tsayi 20, yana nufin komai yayi daidai. Ci gaba.
Muna haɗa tsarin ldap.
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
Kuma za mu canza shi nan da nan. Muna buƙatar FreeRadius don samun damar shiga FreeIPA
mods-kunna/ldap
ldap {
server="ldap://ldap.server.com"
port=636
start_tls=yes
identity="uid=admin,cn=users,dc=server,dc=com"
password=**********
base_dn="cn=users,dc=server,dc=com"
set_auth_type=yes
...
user {
base_dn="${..base_dn}"
filter="(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}
...
Sake kunna uwar garken radius kuma duba aiki tare na masu amfani da LDAP:
radtest user_ldap password_ldap localhost 1812 testing123
Editan eap in mods-kunna/eap
Anan mun ƙara misalai biyu na eap. Za su bambanta kawai a cikin takaddun shaida da maɓalli. A ƙasa zan bayyana dalilin da yasa hakan yake.
mods-kunna/eap
eap eap-client { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests}
tls-config tls-common {
private_key_file = ${certdir}/fisrt.key
certificate_file = ${certdir}/first.crt
dh_file = ${certdir}/dh
ca_path = ${cadir}
cipher_list = "HIGH"
cipher_server_preference = no
ecdh_curve = "prime256v1"
check_crl = no
}
ttls {
tls = tls-common
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
}
eap eap-guest {
default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests}
tls-config tls-common {
private_key_passwotd=blablabla
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.crt
dh_file = ${certdir}/dh
ca_path = ${cadir}
cipher_list = "HIGH"
cipher_server_preference = no
ecdh_curve = "prime256v1"
check_crl = no
}
ttls {
tls = tls-common
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
}
Na gaba mu gyara site-kunna/default. Ina sha'awar ba da izini da kuma tabbatar da sassan.
site-kunna/default
authorize {
filter_username
preprocess
if (&User-Name == "guest") {
eap-guest {
ok = return
}
}
elsif (&User-Name == "client") {
eap-client {
ok = return
}
}
else {
eap-guest {
ok = return
}
}
ldap
if ((ok || updated) && User-Password) {
update {
control:Auth-Type := ldap
}
}
expiration
logintime
pap
}
authenticate {
Auth-Type LDAP {
ldap
}
Auth-Type eap-guest {
eap-guest
}
Auth-Type eap-client {
eap-client
}
pap
}
A cikin sashin izini muna cire duk samfuran da ba mu buƙata. Mu bar ldap kawai. Ƙara tabbacin abokin ciniki ta sunan mai amfani. Wannan shine dalilin da ya sa muka ƙara misalai biyu na eap a sama.
Multi EAPGaskiyar ita ce lokacin da ake haɗa wasu na'urori za mu yi amfani da takaddun shaida na tsarin kuma mu ƙayyade yankin. Muna da takaddun shaida da maɓalli daga amintaccen ikon takaddun shaida. Da kaina, a ganina, wannan hanyar haɗin kai ta fi sauƙi fiye da jefa takardar shaidar sa hannu akan kowace na'ura. Amma ko da ba tare da takardar shaidar sa hannu ba har yanzu ba a iya barin ba. Na'urorin Samsung da Android =< 6 iri ba su san yadda ake amfani da takaddun shaida ba. Don haka, mun ƙirƙiri wani misali na daban na eap-baƙo a gare su tare da takaddun sa hannu. Ga duk sauran na'urori za mu yi amfani da eap-abokin ciniki tare da amintaccen takaddun shaida. Sunan mai amfani yana ƙayyade ta filin da ba a sani ba lokacin haɗa na'urar. Ana ba da izinin ƙima 3 kawai: Baƙo, Abokin ciniki da filin fanko. Sauran duk an watsar da su. Ana iya saita wannan a cikin manufofin. Zan ba da misali kadan daga baya.
Bari mu gyara izini kuma mu tantance sassan ciki an kunna site/ramin ciki
an kunna site/ramin ciki
authorize {
filter_username
filter_inner_identity
update control {
&Proxy-To-Realm := LOCAL
}
ldap
if ((ok || updated) && User-Password) {
update {
control:Auth-Type := ldap
}
}
expiration
digest
logintime
pap
}
authenticate {
Auth-Type eap-guest {
eap-guest
}
Auth-Type eap-client {
eap-client
}
Auth-Type PAP {
pap
}
ldap
}
Bayan haka, kuna buƙatar saka a cikin manufofin waɗanne sunaye za a iya amfani da su don shiga ba tare da suna ba. Gyarawa manufofin.d/tace.
Kuna buƙatar nemo layi kamar haka:
if (&outer.request:User-Name !~ /^(anon|@)/) {
update request {
Module-Failure-Message = "User-Name is not anonymized"
}
reject
}
Kuma ƙasa a cikin elsif ƙara ƙimar da ake so:
elsif (&outer.request:User-Name !~ /^(guest|client|@)/) {
update request {
Module-Failure-Message = "User-Name is not anonymized"
}
reject
}
Yanzu muna buƙatar matsawa zuwa directory takaddun shaida. Anan kuna buƙatar sanya maɓalli da takaddun shaida daga amintaccen ikon takaddun shaida, waɗanda muke da su kuma muna buƙatar samar da takaddun sa hannu don eap-bako.
Canja sigogi a cikin fayil ɗin ku cnf.
ku cnf
...
default_days = 3650
default_md = sha256
...
input_password = blablabla
output_password = blablabla
...
countryName = RU
stateOrProvinceNmae = State
localityNmae = City
organizationName = NONAME
emailAddress = [email protected]
commonName = "CA FreeRadius"
Muna rubuta darajoji iri ɗaya a cikin fayil ɗin uwar garken.cnf. Mu canza kawai
gama gari:
uwar garken.cnf
...
default_days = 3650
default_md = sha256
...
input_password = blablabla
output_password = blablabla
...
countryName = RU
stateOrProvinceNmae = State
localityNmae = City
organizationName = NONAME
emailAddress = [email protected]
commonName = "Server Certificate FreeRadius"
Ƙirƙiri:
make
Shirya An karɓa uwar garken.crt и uwar garken.key Mun riga mun yi rajista a sama a eap-bako.
Kuma a ƙarshe, bari mu ƙara wuraren shiga mu zuwa fayil ɗin abokin ciniki.conf. Ina da 7 daga cikinsu. Domin kada mu ƙara kowane maki daban, za mu rubuta hanyar sadarwar da suke cikinta ne kawai (matakin shiga na suna cikin VLAN daban).
client APs {
ipaddr = 192.168.100.0/24
password = password_AP
}
Mai sarrafa Ubiquiti
Muna ɗaga hanyar sadarwa daban akan mai sarrafawa. Bari ya kasance 192.168.2.0/24
Je zuwa saitunan -> profile. Bari mu ƙirƙiri wata sabuwa:
Muna rubuta adireshin da tashar jiragen ruwa na uwar garken radius da kalmar sirri da aka rubuta a cikin fayil ɗin abokan ciniki.conf:
Ƙirƙiri sabon sunan cibiyar sadarwa mara waya. Zaɓi WPA-EAP (Enterprise) azaman hanyar tabbatarwa kuma saka bayanin martabar radius da aka ƙirƙira:
Muna ajiye komai, nema kuma mu ci gaba.
Kafa abokan ciniki
Bari mu fara da mafi wuya!
Windows 10
Wahalar ta zo ne ga gaskiyar cewa Windows bai riga ya san yadda ake haɗa WiFi na kamfani ta hanyar yanki ba. Don haka, dole ne mu loda takardar shaidar mu da hannu zuwa amintaccen kantin sayar da takaddun shaida. Anan zaka iya amfani da duka masu sanya hannu da kai da kuma daga hukumar ba da takaddun shaida. Zan yi amfani da na biyu.
Na gaba, kuna buƙatar ƙirƙirar sabon haɗi. Don yin wannan, je zuwa cibiyar sadarwa da saitunan Intanet -> Cibiyar sadarwa da Cibiyar Rarraba -> Ƙirƙiri kuma saita sabuwar haɗi ko hanyar sadarwa:
Shigar da sunan cibiyar sadarwa da hannu kuma canza nau'in tsaro. Bayan mun danna canza saitunan haɗi kuma a cikin Tsaro shafin, zaɓi ingantaccen hanyar sadarwa - EAP-TTLS.
Mun shiga cikin sigogi, rubuta bayanin sirrin tantancewa - abokin ciniki. A matsayin amintaccen ikon ba da takaddun shaida, zaɓi takardar shaidar da muka ƙara, duba akwatin “Kada ku ba da gayyata ga mai amfani idan uwar garken ba za a iya ba da izini ba” kuma zaɓi hanyar tabbatarwa - kalmar sirrin bayyana (PAP).
Na gaba, je zuwa ci-gaba saituna, sa alama a kan "Specific da tabbatarwa yanayin." Zaɓi "User Authentication" kuma danna kan ajiye takardun shaida. Anan zaka buƙaci shigar da sunan mai amfani_ldap da kalmar sirri_ldap
Muna ajiye komai, shafi, rufe. Kuna iya haɗawa zuwa sabuwar hanyar sadarwa.
Linux
Na gwada akan Ubuntu 18.04, 18.10, Fedora 29, 30.
Da farko, bari mu zazzage takardar shaidar mu. Ban samu a cikin Linux ko yana yiwuwa a yi amfani da takaddun shaida ba kuma ko akwai irin wannan kantin.
Bari mu haɗa zuwa yankin. Don haka, muna buƙatar takaddun shaida daga hukumar ba da takaddun shaida daga inda aka sayi takardar shaidarmu.
Ana yin duk haɗin gwiwa a cikin taga ɗaya. Zabar hanyar sadarwar mu:
m - abokin ciniki
domain - yankin da aka ba da takaddun shaida
Android
ba Samsung ba
Daga sigar 7, lokacin haɗa WiFi, zaku iya amfani da takaddun shaida ta hanyar ƙididdige yankin kawai:
domain - yankin da aka ba da takaddun shaida
m - abokin ciniki
Samsung
Kamar yadda na rubuta a sama, na'urorin Samsung ba su san yadda ake amfani da takaddun shaida lokacin da ake haɗa WiFi ba, kuma ba su da ikon haɗi ta hanyar yanki. Don haka, dole ne ka ƙara tushen takaddun shaida na ikon tabbatarwa da hannu (ca.pem, muna ɗauka akan sabar Radius). Anan ne za a yi amfani da mai sanya hannu.
Zazzage takardar shaidar zuwa na'urar ku kuma shigar da ita.
Shigar da takaddun shaida
A lokaci guda, kuna buƙatar saita ƙirar buɗe allo, lambar PIN ko kalmar sirri, idan ba a riga an saita shi ba:
Na nuna rikitacciyar sigar shigar da takaddun shaida. A yawancin na'urori, kawai danna kan takaddun da aka sauke.
Lokacin da aka shigar da takaddun shaida, zaku iya ci gaba zuwa haɗin kai:
takardar shaidar - nuna wanda aka shigar
m mai amfani - bako
macOS
Na'urorin Apple daga cikin akwatin suna iya haɗawa kawai zuwa EAP-TLS, amma har yanzu kuna buƙatar jefar da takaddun shaida a kansu. Don ƙayyade hanyar haɗi daban, kuna buƙatar amfani da Apple Configurator 2. Saboda haka, dole ne ku fara zazzage shi zuwa Mac ɗin ku, ƙirƙirar sabon bayanin martaba kuma ƙara duk saitunan WiFi masu dacewa.
Kamfanin Apple
Shigar da sunan cibiyar sadarwar ku anan
Nau'in Tsaro - WPA2 Enterprise
Nau'in EAP da aka karɓa - TTLS
Sunan mai amfani da kalmar wucewa - bar komai
Tabbatar da Ciki - PAP
Outer Identity - abokin ciniki
Amintaccen tab. Anan mun ƙayyade yankin mu
Duka. Za a iya ajiye bayanin martaba, sanya hannu da rarrabawa zuwa na'urori
Bayan an shirya bayanin martaba, kuna buƙatar zazzage shi zuwa poppy kuma shigar da shi. Yayin aiwatar da shigarwa, kuna buƙatar saka usernmae_ldap da kuma kalmar sirri_ldap na mai amfani:
iOS
Tsarin yana kama da macOS. Kuna buƙatar amfani da bayanin martaba (zaku iya amfani da ɗaya kamar na macOS. Yadda ake ƙirƙirar bayanin martaba a cikin Apple Configurator, duba sama).
Zazzage bayanin martaba, shigar, shigar da takaddun shaida, haɗa:
Shi ke nan. Mun kafa uwar garken Radius, mun daidaita shi da FreeIPA, kuma mun gaya wa Ubiquiti APs su yi amfani da WPA2-EAP.
Tambayoyi masu yiwuwa
B: yadda za a canja wurin bayanin martaba / takaddun shaida ga ma'aikaci?
Game da: Ina adana duk takaddun shaida / bayanan martaba akan ftp tare da shiga yanar gizo. Haɓaka cibiyar sadarwar baƙo tare da iyakacin sauri da samun damar Intanet kawai, ban da ftp.
Tabbatarwa yana ɗaukar kwanaki 2, bayan haka an sake saita shi kuma an bar abokin ciniki ba tare da Intanet ba. Wannan. lokacin da ma'aikaci yana son haɗawa zuwa WiFi, ya fara haɗawa zuwa cibiyar sadarwar baƙo, shiga FTP, zazzage takaddun shaida ko bayanin martaba da yake buƙata, shigar da shi, sannan zai iya haɗawa zuwa cibiyar sadarwar kamfani.
B: me yasa ba'a amfani da tsari tare da MSCHAPv2? Ta fi lafiya!
Game da: Da fari dai, irin wannan makircin yana aiki da kyau akan NPS (Tsarin Manufofin Hanyar Sadarwar Windows), a cikin aiwatar da mu ya zama dole a sake saita LDAP (FreeIpa) da adana hashes na kalmar sirri akan sabar. Ƙara. Ba shi da kyau a yi saituna, saboda wannan zai iya haifar da matsaloli daban-daban tare da aiki tare da tsarin duban dan tayi. Na biyu, zanta shine MD4, don haka baya ƙara tsaro sosai.
B: Shin yana yiwuwa a ba da izinin na'urori ta amfani da adiresoshin mac?
Game da: A'a, wannan ba lafiya ba ne, mai hari zai iya canza adireshin MAC, har ma fiye da haka ba a tallafawa izini ta adireshin MAC akan na'urori da yawa.
B: Me yasa ake amfani da duk waɗannan takaddun shaida kwata-kwata? kuna iya haɗawa ba tare da su ba
Game da: ana amfani da takaddun shaida don ba da izini ga uwar garken. Wadancan. lokacin haɗawa, na'urar tana bincika ko uwar garken ce da za a iya amincewa da ita ko a'a. Idan haka ne, to tabbas yana ci gaba; idan ba haka ba, haɗin yana rufe. Kuna iya haɗawa ba tare da takaddun shaida ba, amma idan mai kai hari ko maƙwabci ya kafa sabar radius da wurin shiga mai suna iri ɗaya da namu a gida, yana iya shiga cikin sauƙi ya kutsa bayanan bayanan mai amfani (kar ku manta cewa ana watsa su a cikin bayyanannen rubutu). Kuma lokacin da aka yi amfani da takaddun shaida, abokan gaba za su gani a cikin bayanansa kawai Sunan Mai amfani na ƙagaggen - baƙo ko abokin ciniki da kuskuren nau'in - Takaddun shaida CA ba a sani ba
kadan game da macOSYawancin lokaci akan macOS, sake shigar da tsarin ana yin ta ta Intanet. A yanayin dawowa, Mac ɗin dole ne a haɗa shi zuwa WiFi, kuma ba WiFi na kamfani ko cibiyar sadarwar baƙo ba zai yi aiki a nan. Da kaina, na tayar da wata hanyar sadarwa, WPA2-PSK na yau da kullun, ɓoye, kawai don ayyukan fasaha. Ko kuma har yanzu kuna iya yin bootable USB flash drive tare da tsarin a gaba. Amma idan poppy yana bayan 2015, har yanzu kuna buƙatar nemo adaftar wannan filasha)
source: www.habr.com