Qee qhov piv txwv ntawm kev teeb tsa neeg ua haujlwm WiFi twb tau piav qhia lawm. Ntawm no kuv yuav piav qhia yuav ua li cas kuv tau siv cov kev daws teeb meem zoo li no thiab cov teeb meem uas kuv tau ntsib thaum sib txuas ntawm cov khoom siv sib txawv. Peb yuav siv LDAP uas twb muaj lawm nrog cov neeg siv tsim, nruab FreeRadius thiab teeb tsa WPA2-Enterprise ntawm Ubnt maub los. Txhua yam zoo li yooj yim. Wb saibβ¦
Ib me ntsis txog cov txheej txheem EAP
Ua ntej peb pib ua haujlwm, peb yuav tsum txiav txim siab seb qhov kev lees paub qhov twg peb yuav siv hauv peb txoj kev daws teeb meem.
Los ntawm Wikipedia:
EAP yog qhov kev lees paub qhov tseeb uas feem ntau siv hauv kev sib txuas wireless thiab kev sib txuas ntawm taw tes rau-taw tes. Cov hom ntawv tau piav qhia thawj zaug hauv RFC 3748 thiab hloov kho hauv RFC 5247.
EAP yog siv los xaiv ib qho kev lees paub, hloov cov yuam sij, thiab ua cov yuam sij los ntawm plugins hu ua EAP txoj kev. Muaj ntau txoj hauv kev EAP, ob qho tib si txhais nrog EAP nws tus kheej thiab cov uas tso tawm los ntawm tus neeg muag khoom. EAP tsis txhais cov txheej txheem txuas, nws tsuas yog txhais cov lus hom. Txhua tus txheej txheem uas siv EAP muaj nws tus kheej EAP cov lus encapsulation raws tu qauv.
Cov txheej txheem lawv tus kheej:
- LEAP yog cov txheej txheem tsim los ntawm CISCO. Pom muaj qhov tsis zoo. Tam sim no tsis pom zoo siv
- EAP-TLS tau txais kev txhawb nqa zoo ntawm cov neeg muag khoom wireless. Nws yog tus txheej txheem ruaj ntseg vim nws yog tus ua tiav rau SSL cov qauv. Kev teeb tsa tus neeg siv khoom yog qhov nyuaj heev. Koj xav tau daim ntawv pov thawj tus neeg siv khoom ntxiv rau tus password. Txhawb rau ntau lub tshuab
- EAP-TTLS - tau txais kev txhawb nqa dav dav ntawm ntau lub tshuab, muaj kev ruaj ntseg zoo siv PKI daim ntawv pov thawj nkaus xwb ntawm kev lees paub tus neeg rau zaub mov
- EAP-MD5 yog lwm tus qauv qhib. Muaj kev ruaj ntseg tsawg. Yooj yim, tsis txhawb kev sib koom ua pov thawj thiab cov cim tseem ceeb
- EAP-IKEv2 - raws li Internet Key Exchange Protocol version 2. Muab kev sib koom ua pov thawj thiab kev sib kho qhov tseem ceeb ntawm cov neeg siv khoom thiab cov neeg rau zaub mov
- PEAP yog kev sib koom ua ke ntawm CISCO, Microsoft thiab RSA Kev Ruaj Ntseg raws li tus qauv qhib. Dav muaj nyob rau hauv cov khoom, muab kev nyab xeeb zoo heev. Zoo ib yam li EAP-TTLS, tsuas yog xav tau daim ntawv pov thawj server-sab
- PEAPv0/EAP-MSCHAPv2 - Tom qab EAP-TLS, qhov no yog tus qauv siv thib ob hauv ntiaj teb. Siv cov neeg siv khoom sib raug zoo hauv Microsoft, Cisco, Apple, Linux
- PEAPv1/EAP-GTC - Tsim los ntawm Cisco ua lwm txoj hauv kev rau PEAPv0/EAP-MSCHAPv2. Tsis tiv thaiv authentication cov ntaub ntawv nyob rau hauv txhua txoj kev. Tsis txaus siab ntawm Windows OS
- EAP-FAST yog ib txoj hauv kev tsim los ntawm Cisco los kho qhov tsis txaus ntawm LEAP. Siv Cov Ntawv Pov Thawj Tiv Thaiv Kev Nkag Mus (PAC). Ua tsis tiav
Ntawm tag nrho cov ntau yam no, kev xaiv tseem tsis zoo. Txoj kev lees paub yuav tsum muaj: kev ruaj ntseg zoo, kev txhawb nqa ntawm txhua yam khoom siv (Windows 10, macOS, Linux, Android, iOS) thiab, qhov tseeb, qhov yooj yim dua. Yog li, qhov kev xaiv poob rau EAP-TTLS nrog rau PAP raws tu qauv.
Cov lus nug yuav tshwm sim - Vim li cas siv PAP? Tom qab tag nrho, nws xa cov passwords hauv cov ntawv ntshiab?
Yog lawm. Kev sib txuas lus ntawm FreeRadius thiab FreeIPA yuav ua raws nraim li qhov no. Hauv hom kev debug, koj tuaj yeem taug qab li cas tus username thiab password raug xa mus. Yog lawm, thiab cia lawv mus, tsuas yog koj tuaj yeem nkag mus rau FreeRadius server.
Koj tuaj yeem nyeem ntxiv txog yuav ua li cas EAP-TTLS ua haujlwm
FreeRADIUS
Peb yuav hloov kho FreeRadius rau CentOS 7.6. Tsis muaj dab tsi nyuab ntawm no, peb nruab nws hauv txoj kev niaj zaus.
yum install freeradius freeradius-utils freeradius-ldap -yNtawm cov pob, version 3.0.13 yog ntsia. Cov tom kawg tuaj yeem nqa ntawm
Tom qab no, FreeRadius twb ua haujlwm. Koj tuaj yeem tsis pom cov kab hauv /etc/raddb/users
steve Cleartext-Password := "testing"Tua tawm rau hauv lub server hauv hom kev debug
freeradius -XThiab ua qhov kev xeem sib txuas los ntawm localhost
radtest steve testing 127.0.0.1 1812 testing123Peb tau txais lus teb Tau txais Access-Accept Id 115 ntawm 127.0.0.1:1812 txog 127.0.0.1:56081 ntev 20, nws txhais tau tias txhua yam yog OK. Ua ntej.
Txuas lub module ldap ua.
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldapThiab peb yuav hloov tam sim ntawd. Peb xav tau FreeRadius kom nkag tau FreeIPA
mods-enabled/ldap
ldap {
server="ldap://ldap.server.com"
port=636
start_tls=yes
identity="uid=admin,cn=users,dc=server,dc=com"
password=**********
base_dn="cn=users,dc=server,dc=com"
set_auth_type=yes
...
user {
base_dn="${..base_dn}"
filter="(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}
...Rov pib lub vojvoog server thiab tshawb xyuas cov synchronization ntawm LDAP cov neeg siv:
radtest user_ldap password_ldap localhost 1812 testing123
Editing ib mods-enabled/eap
Ntawm no peb yuav ntxiv ob qho piv txwv ntawm eap. Lawv yuav txawv tsuas yog hauv daim ntawv pov thawj thiab cov yuam sij. Kuv yuav piav qhia vim li cas qhov no muaj tseeb hauv qab no.
mods-enabled/eap
eap eap-client { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests}
tls-config tls-common {
private_key_file = ${certdir}/fisrt.key
certificate_file = ${certdir}/first.crt
dh_file = ${certdir}/dh
ca_path = ${cadir}
cipher_list = "HIGH"
cipher_server_preference = no
ecdh_curve = "prime256v1"
check_crl = no
}
ttls {
tls = tls-common
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
}
eap eap-guest {
default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests}
tls-config tls-common {
private_key_passwotd=blablabla
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.crt
dh_file = ${certdir}/dh
ca_path = ${cadir}
cipher_list = "HIGH"
cipher_server_preference = no
ecdh_curve = "prime256v1"
check_crl = no
}
ttls {
tls = tls-common
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
}Tom ntej no peb kho site-enabled/default. Kuv txaus siab rau cov ntawv tso cai thiab txheeb xyuas qhov tseeb.
site-enabled/default
authorize {
filter_username
preprocess
if (&User-Name == "guest") {
eap-guest {
ok = return
}
}
elsif (&User-Name == "client") {
eap-client {
ok = return
}
}
else {
eap-guest {
ok = return
}
}
ldap
if ((ok || updated) && User-Password) {
update {
control:Auth-Type := ldap
}
}
expiration
logintime
pap
}
authenticate {
Auth-Type LDAP {
ldap
}
Auth-Type eap-guest {
eap-guest
}
Auth-Type eap-client {
eap-client
}
pap
}Hauv seem tso cai peb tshem tawm tag nrho cov modules uas peb tsis xav tau. Peb tsuas tso ldap xwb. Ntxiv kev txheeb xyuas tus neeg siv khoom los ntawm tus neeg siv lub npe. Qhov no yog vim li cas peb ntxiv ob qho piv txwv ntawm eap saum toj no.
Multi EAPQhov tseeb yog tias thaum txuas qee cov khoom siv peb yuav siv cov ntawv pov thawj system thiab qhia meej txog qhov sau npe. Peb muaj ib daim ntawv pov thawj thiab tus yuam sij los ntawm ib tug ntseeg daim ntawv pov thawj txoj cai. Tus kheej, hauv kuv lub tswv yim, cov txheej txheem kev sib txuas no yooj yim dua li muab daim ntawv pov thawj tus kheej kos npe rau ntawm txhua lub cuab yeej. Tab sis txawm tias tsis muaj daim ntawv pov thawj tus kheej kos npe nws tseem tsis tuaj yeem tawm mus. Samsung pab kiag li lawm thiab Android =< 6 versions tsis paub yuav ua li cas siv daim ntawv pov thawj system. Yog li ntawd, peb tsim ib qho piv txwv ntawm eap- qhua rau lawv nrog daim ntawv pov thawj tus kheej kos npe. Rau tag nrho lwm yam khoom siv peb yuav siv eap-neeg siv nrog daim ntawv pov thawj ntseeg siab. Tus neeg siv-Npe yog txiav txim los ntawm Anonymous teb thaum txuas lub cuab yeej. Tsuas yog 3 qhov tseem ceeb tau tso cai: Guest, Client thiab ib qho chaw khoob. Tus so yog muab pov tseg tag nrho. Qhov no tuaj yeem teeb tsa hauv cov cai. Kuv mam li muab piv txwv me ntsis tom qab.
Cia peb hloov kho qhov tso cai thiab txheeb xyuas cov ntu hauv site-enabled/inner-tunnel
site-enabled/inner-tunnel
authorize {
filter_username
filter_inner_identity
update control {
&Proxy-To-Realm := LOCAL
}
ldap
if ((ok || updated) && User-Password) {
update {
control:Auth-Type := ldap
}
}
expiration
digest
logintime
pap
}
authenticate {
Auth-Type eap-guest {
eap-guest
}
Auth-Type eap-client {
eap-client
}
Auth-Type PAP {
pap
}
ldap
}Tom ntej no, koj yuav tsum tau qhia hauv cov cai uas cov npe siv tau rau kev nkag mus tsis qhia npe. Kho kom raug policy.d/filter.
Koj yuav tsum nrhiav cov kab zoo li no:
if (&outer.request:User-Name !~ /^(anon|@)/) {
update request {
Module-Failure-Message = "User-Name is not anonymized"
}
reject
}Thiab hauv qab no hauv elsif ntxiv cov nqi tsim nyog:
elsif (&outer.request:User-Name !~ /^(guest|client|@)/) {
update request {
Module-Failure-Message = "User-Name is not anonymized"
}
reject
}Tam sim no peb yuav tsum tau tsiv mus rau cov npe ntawv pov thawj. Ntawm no peb yuav tsum tau muab tus yuam sij thiab daim ntawv pov thawj los ntawm lub chaw tso cai pov thawj, uas peb twb muaj, thiab peb yuav tsum tsim daim ntawv pov thawj tus kheej rau eap- qhua.
Hloov cov parameter hauv cov ntaub ntawv cav cnf.
cav cnf
...
default_days = 3650
default_md = sha256
...
input_password = blablabla
output_password = blablabla
...
countryName = RU
stateOrProvinceNmae = State
localityNmae = City
organizationName = NONAME
emailAddress = [email protected]
commonName = "CA FreeRadius"Peb sau tib qhov tseem ceeb hauv cov ntaub ntawv server.cnf. Peb tsuas hloov
npe:
server.cnf
...
default_days = 3650
default_md = sha256
...
input_password = blablabla
output_password = blablabla
...
countryName = RU
stateOrProvinceNmae = State
localityNmae = City
organizationName = NONAME
emailAddress = [email protected]
commonName = "Server Certificate FreeRadius"Peb tsim:
makeNpaj txhij. Tau txais server.crt ΠΈ server.key Peb twb tau sau npe saum toj no hauv eap- qhua.
Thiab thaum kawg, cia peb ntxiv peb cov ntsiab lus nkag mus rau cov ntaub ntawv client.conf. Kuv muaj 7 ntawm lawv, txhawm rau kom tsis txhob ntxiv txhua qhov sib cais, peb yuav sau npe tsuas yog lub network uas lawv nyob (Kuv cov ntsiab lus nkag tau nyob hauv VLAN cais).
client APs {
ipaddr = 192.168.100.0/24
password = password_AP
}Kev tswj hwm tus kheej
Peb tsa ib lub network cais ntawm tus maub los. Cia nws yog 192.168.2.0/24
Mus rau qhov chaw -> profile. Cia peb tsim ib qho tshiab:
Peb sau qhov chaw nyob thiab chaw nres nkoj ntawm lub vojvoog server thiab tus password uas tau sau rau hauv cov ntaub ntawv clients.conf:
Tsim lub npe tshiab wireless network. Xaiv WPA-EAP (Enterprise) raws li tus txheej txheem authentication thiab qhia meej lub voj voog tsim profile:
Peb txuag txhua yam, siv nws thiab txav mus.
Kev teeb tsa cov neeg siv khoom
Cia peb pib nrog qhov nyuaj tshaj plaws!
lub qhov rais 10
Qhov nyuaj los ntawm qhov tseeb tias Windows tseem tsis tau paub yuav ua li cas txuas mus rau cov tuam txhab WiFi hla lub npe. Yog li ntawd, peb yuav tsum manually upload peb daim ntawv pov thawj mus rau lub trusted daim ntawv pov thawj khw. Ntawm no koj tuaj yeem siv tus kheej kos npe rau ib qho lossis ib qho los ntawm cov ntawv pov thawj txoj cai. Kuv yuav siv qhov thib ob.
Tom ntej no koj yuav tsum tsim kev sib txuas tshiab. Txhawm rau ua qhov no, mus rau Network thiab Internet Chaw -> Network thiab Sib Koom Chaw -> Tsim thiab teeb tsa kev sib txuas tshiab lossis network:
Peb manually sau lub npe network thiab hloov hom kev ruaj ntseg. Ces nyem rau hloov chaw txuas thiab hauv Security tab, xaiv network authentication - EAP-TTLS.
Mus rau qhov chaw, teeb tsa qhov tsis pub lwm tus paub txog kev lees paub - neeg. Raws li txoj cai pov thawj ntseeg tau, xaiv daim ntawv pov thawj peb ntxiv, khij lub npov "Tsis txhob tawm lus caw rau tus neeg siv yog tias tus neeg rau zaub mov tsis tuaj yeem tso cai" thiab xaiv cov txheej txheem authentication - plaintext password (PAP).
Tom ntej no, mus rau qhov tsis muaj ntxiv thiab kos lub thawv "Specify authentication mode." Xaiv "User Authentication" thiab nyem rau ntawm khaws cov ntawv pov thawj. Ntawm no koj yuav tsum sau username_ldap thiab password_ldap
Peb txuag, siv, kaw txhua yam. Koj tuaj yeem txuas rau lub network tshiab.
Linux
Kuv tau sim ntawm Ubuntu 18.04, 18.10, Fedora 29, 30.
Ua ntej, rub tawm daim ntawv pov thawj rau koj tus kheej. Kuv tsis tau pom nyob rau hauv Linux seb nws puas tuaj yeem siv daim ntawv pov thawj system lossis seb puas muaj lub khw no txhua.
Peb yuav txuas ntawm tus sau. Yog li ntawd, peb xav tau ib daim ntawv pov thawj los ntawm cov ntaub ntawv pov thawj uas peb tau yuav daim ntawv pov thawj.
Txhua qhov kev sib txuas yog ua nyob rau hauv ib lub qhov rais. Xaiv peb lub network:
anonymous - neeg
domain β lub domain uas tau muab daim ntawv pov thawj
Android
tsis yog Samsung
Los ntawm version 7, thaum txuas WiFi, koj tuaj yeem siv daim ntawv pov thawj system los ntawm kev qhia tsuas yog sau npe:
domain β lub domain uas tau muab daim ntawv pov thawj
anonymous - neeg
Samsung
Raws li kuv tau sau saum toj no, Samsung pab kiag li lawm tsis paub yuav ua li cas siv cov ntawv pov thawj system thaum txuas WiFi, thiab lawv tsis muaj peev xwm txuas tau los ntawm kev sau npe. Yog li ntawd, koj yuav tsum manually ntxiv cov hauv paus ntawv pov thawj ntawm cov ntawv pov thawj txoj cai (ca.pem, coj nws los ntawm Radius server). Qhov no yog qhov uas tus kheej kos npe yuav raug siv.
Download tau daim ntawv pov thawj rau koj lub cuab yeej thiab nruab nws.
Txhim kho daim ntawv pov thawj
Hauv qhov no, koj yuav tsum tau teeb tsa tus qauv qhib lub vijtsam, PIN code lossis lo lus zais, yog tias nws tsis tau teeb tsa:
Kuv pom qhov kev xaiv nyuaj rau kev txhim kho daim ntawv pov thawj. Ntawm cov khoom siv feem ntau, tsuas yog nyem rau ntawm daim ntawv pov thawj rub tawm.
Thaum daim ntawv pov thawj raug ntsia, koj tuaj yeem mus rau qhov kev sib txuas:
daim ntawv pov thawj - qhia qhov koj tau nruab
tus neeg siv tsis qhia npe - qhua
MacOS
Apple cov khoom siv tsuas tuaj yeem txuas rau EAP-TLS tawm ntawm lub thawv, tab sis koj tseem yuav tsum tau muab daim ntawv pov thawj rau lawv. Txhawm rau qhia txog txoj kev sib txuas sib txawv, koj yuav tsum siv Apple Configurator 2. Raws li, koj yuav tsum xub rub nws mus rau koj Mac, tsim ib qho profile tshiab thiab ntxiv tag nrho cov tsim nyog WiFi chaw.
Kua Configurator
Ntawm no peb qhia lub npe ntawm peb lub network
Hom Kev Ruaj Ntseg - WPA2 Enterprise
Txais EAP Hom - TTLS
Tus neeg siv lub npe thiab tus password - tawm khoob
Inner Authentication - PAP
Outer Identity - tus neeg siv khoom
Trust tab. Ntawm no peb qhia peb lub npe
Tag nrho. Cov profile tuaj yeem khaws cia, kos npe thiab faib rau cov khoom siv
Tom qab lub profile yog npaj txhij, koj yuav tsum download tau nws rau koj Mac thiab nruab nws. Thaum lub installation txheej txheem, koj yuav tsum tau qhia meej tus usernmae_ldap thiab password_ldap ntawm tus neeg siv:
iOS
Cov txheej txheem zoo ib yam li macOS. Koj yuav tsum siv qhov profile (koj tuaj yeem siv tib yam li rau macOS. Saib saum toj no rau kev tsim profile hauv Apple Configurator).
Download tau qhov profile, nruab, sau ntawv pov thawj, txuas:
Yog tag nrho. Peb teeb tsa lub Radius server, synced nrog FreeIPA, thiab hais rau Ubiquiti cov ntsiab lus nkag siv WPA2-EAP.
Muaj lus nug
Hauv: Yuav ua li cas hloov tus profile / daim ntawv pov thawj rau tus neeg ua haujlwm?
Hais txog: Kuv khaws txhua daim ntawv pov thawj / cov ntaub ntawv ntawm FTP nrog kev nkag los ntawm lub vev xaib. Kuv teeb tsa lub network qhua nrog kev txwv ceev thiab nkag mus rau hauv Is Taws Nem nkaus xwb, tshwj tsis yog FTP.
Kev lees paub yuav siv li 2 hnub, tom qab ntawd nws rov pib dua thiab tus neeg siv khoom tawm mus yam tsis muaj Is Taws Nem. Qhov ntawd. Thaum ib tus neeg ua haujlwm xav txuas rau WiFi, nws thawj zaug txuas mus rau cov qhua network, nkag mus rau hauv FTP, rub tawm daim ntawv pov thawj lossis qhov profile nws xav tau, nruab lawv, thiab tom qab ntawd tuaj yeem txuas mus rau lub tuam txhab network.
Hauv: Vim li cas ho tsis siv lub tswv yim nrog MSCHAPv2? nws muaj kev nyab xeeb dua!
Hais txog: ua ntej, cov tswv yim no ua haujlwm zoo ntawm NPS (Windows Network Policy System), hauv peb qhov kev siv nws yog qhov tsim nyog ntxiv rau kev teeb tsa LDAP (FreeIpa) thiab khaws lo lus zais hashes ntawm lub server. Ntxiv. Nws tsis pom zoo los ua qhov chaw, vim Qhov no tuaj yeem ua rau muaj ntau yam teeb meem nrog synchronization ntawm ultrasound system. Qhov thib ob, tus hash yog MD4, yog li nws tsis ntxiv kev ruaj ntseg ntau
Hauv: Puas muaj peev xwm tso cai cov cuab yeej siv mac chaw nyob?
Hais txog: Tsis yog, qhov no tsis muaj kev nyab xeeb, tus neeg tawm tsam tuaj yeem spoof MAC chaw nyob, thiab ntau dua li, kev tso cai los ntawm MAC chaw nyob tsis txaus siab rau ntau yam khoom siv.
Hauv: Vim li cas thiaj siv tag nrho cov ntawv pov thawj no? koj tuaj yeem txuas yam tsis muaj lawv
Hais txog: daim ntawv pov thawj yog siv los tso cai rau lub server. Cov. Thaum txuas, lub cuab yeej kuaj xyuas seb nws puas yog lub server uas tuaj yeem ntseeg tau lossis tsis tau. Yog tias muaj, tom qab ntawv pov thawj pib; yog tias tsis yog, kev sib txuas raug kaw. Koj tuaj yeem txuas yam tsis muaj ntawv pov thawj, tab sis yog tias tus neeg tawm tsam lossis cov neeg nyob ze teeb tsa lub vojvoog server thiab qhov chaw nkag nrog tib lub npe raws li peb nyob hauv tsev, nws tuaj yeem cuam tshuam tus neeg siv cov ntaub ntawv pov thawj tau yooj yim (tsis txhob hnov ββββqab tias lawv tau kis hauv cov ntawv ntshiab) . Thiab thaum siv daim ntawv pov thawj, tus yeeb ncuab yuav pom hauv nws cov cav tsuas yog peb tus neeg siv lub npe tsis tseeb - qhua lossis tus neeg siv khoom thiab hom yuam kev - Tsis paub CA Daim Ntawv Pov Thawj
me ntsis ntxiv txog macOSFeem ntau, ntawm macOS, rov nruab qhov system yog ua tiav hauv Is Taws Nem. Hauv hom rov qab, Mac yuav tsum txuas nrog WiFi, thiab tsis yog peb lub tuam txhab WiFi lossis cov qhua network yuav ua haujlwm ntawm no. Tus kheej, kuv tau teeb tsa lwm lub network, ib txwm WPA2-PSK, zais, tsuas yog rau kev ua haujlwm. Lossis koj tuaj yeem ua rau lub bootable USB flash drive nrog lub kaw lus ua ntej. Tab sis yog tias koj Mac yog tom qab 2015, koj kuj yuav tau nrhiav ib qho adapter rau lub flash drive no)
Tau qhov twg los: www.hab.com