äŒæ¥ WiFi ãæŽçããäŸãããã€ããã§ã«èª¬æããŸããã ããã§ã¯ãåæ§ã®ãœãªã¥ãŒã·ã§ã³ãã©ã®ããã«å®è£
ããããããã³ããŸããŸãªããã€ã¹ã§æ¥ç¶ãããšãã«çŽé¢ããªããã°ãªããªãã£ãåé¡ã«ã€ããŠèª¬æããŸãã ç»é²æžã¿ãŠãŒã¶ãŒã«ã¯æ¢åã® LDAP ã䜿çšããFreeRadius ãäžããUbnt ã³ã³ãããŒã©ãŒã§ WPA2-Enterprise ãæ§æããŸãã ãã¹ãŠãã·ã³ãã«ãªããã§ãã èŠãŠã¿ãŸãããâŠ
EAP ã¡ãœããã«ã€ããŠå°ã
ã¿ã¹ã¯ãé²ããåã«ããœãªã¥ãŒã·ã§ã³ã§ã©ã®èªèšŒæ¹æ³ã䜿çšãããã決å®ããå¿ èŠããããŸãã
ãŠã£ãããã£ã¢ããïŒ
EAP ã¯ãã¯ã€ã€ã¬ã¹ ãããã¯ãŒã¯ããã€ã³ãããŒãã€ã³ãæ¥ç¶ã§ãã䜿çšãããèªèšŒãã¬ãŒã ã¯ãŒã¯ã§ãã ãã®åœ¢åŒã¯æåã« RFC 3748 ã§èª¬æãããRFC 5247 ã§æŽæ°ãããŸããã
EAP ã¯ãèªèšŒæ¹æ³ãéžæããããŒãæž¡ããEAP ã¡ãœãããšåŒã°ãããã©ã°ã€ã³ã§ãããã®ããŒãåŠçããããã«äœ¿çšãããŸãã EAP ã¡ãœããã¯å€æ°ãããã©ã¡ãã EAP èªäœã§å®çŸ©ãããŠãããã®ãšãåã ã®ãã³ããŒã«ãã£ãŠãªãªãŒã¹ãããŠããŸãã EAP ã¯ãªã³ã¯å±€ãå®çŸ©ãããã¡ãã»ãŒãžåœ¢åŒã®ã¿ãå®çŸ©ããŸãã EAP ã䜿çšããåãããã³ã«ã«ã¯ãç¬èªã® EAP ã¡ãã»ãŒãž ã«ãã»ã«åãããã³ã«ããããŸãã
ã¡ãœããèªäœ:
- LEAP ã¯ãCISCO ã«ãã£ãŠéçºãããç¬èªã®ãããã³ã«ã§ãã è匱æ§ãèŠã€ãããŸããã çŸæç¹ã§ã¯äœ¿çšã¯æšå¥šãããŠããŸãã
- EAP-TLS ã¯ã¯ã€ã€ã¬ã¹ ãã³ããŒéã§ååã«ãµããŒããããŠããŸãã ãã㯠SSL æšæºã®åŸç¶ãããã³ã«ã§ãããããå®å šãªãããã³ã«ã§ãã ã¯ã©ã€ã¢ã³ãã®èšå®ã¯éåžžã«è€éã§ãã ãã¹ã¯ãŒãã«å ããŠã¯ã©ã€ã¢ã³ã蚌ææžãå¿ èŠã§ãã å€ãã®ã·ã¹ãã ã§ãµããŒããããŠããŸã
- EAP-TTLS - å€ãã®ã·ã¹ãã ã§åºããµããŒããããŠãããèªèšŒãµãŒããŒäžã§ã®ã¿ PKI 蚌ææžã䜿çšããããšã§åªããã»ãã¥ãªãã£ãæäŸããŸã
- EAP-MD5 ããªãŒãã³ ã¹ã¿ã³ããŒãã§ãã æå°éã®ã»ãã¥ãªãã£ãæäŸããŸãã è匱æ§ããããçžäºèªèšŒãšéµçæããµããŒãããŠããŸãã
- EAP-IKEv2 - ã€ã³ã¿ãŒããã ããŒäº€æãããã³ã« ããŒãžã§ã³ 2 ã«åºã¥ããŠããŸããã¯ã©ã€ã¢ã³ããšãµãŒããŒéã®çžäºèªèšŒãšã»ãã·ã§ã³ ããŒã®ç¢ºç«ãæäŸããŸãã
- PEAP ã¯ãCISCOãMicrosoftãRSA Security ã®å ±åãœãªã¥ãŒã·ã§ã³ã§ããããªãŒãã³ ã¹ã¿ã³ããŒãã§ãã 補åã§åºãå ¥æå¯èœã§ãããéåžžã«åªããã»ãã¥ãªãã£ãæäŸããŸãã EAP-TTLS ãšåæ§ããµãŒããŒåŽã®èšŒææžã®ã¿ãå¿ èŠã§ã
- PEAPv0/EAP-MSCHAPv2 - EAP-TLS ã«æ¬¡ãã§ãäžç㧠XNUMX çªç®ã«åºã䜿çšãããŠããæšæºã§ãã MicrosoftãCiscoãAppleãLinux ã§äœ¿çšãããã¯ã©ã€ã¢ã³ã/ãµãŒããŒé¢ä¿
- PEAPv1/EAP-GTC - PEAPv0/EAP-MSCHAPv2 ã®ä»£æ¿ãšã㊠Cisco ã«ãã£ãŠäœæãããŸããã èªèšŒããŒã¿ã¯ãããªãæ¹æ³ã§ãä¿è·ãããŸããã Windows OSã§ã¯ãµããŒããããŠããŸãã
- EAP-FAST ã¯ãLEAP ã®æ¬ ç¹ãä¿®æ£ããããã« Cisco ãéçºããæè¡ã§ãã Protected Access Credential (PAC) ã䜿çšããŸãã å®å šã«æªå®æ
ãã®ãããªå€æ§æ§ã®äžã§ãéžæè¢ã¯ãŸã å€ããããŸããã èªèšŒæ¹æ³ã«ã¯ãåªããã»ãã¥ãªãã£ããã¹ãŠã®ããã€ã¹ (Windows 10ãmacOSãLinuxãAndroidãiOS) ã§ã®ãµããŒããå¿
èŠã§ãããå®éãã·ã³ãã«ã§ããã»ã©åªããŠããŸãã ãããã£ãŠãéžæ㯠PAP ãããã³ã«ãšçµã¿åããã EAP-TTLS ã«æ±ºãŸããŸããã
ãªã PAP ã䜿çšããã®ã§ãããã?ãšããçåãçãããããããŸããã 圌ã¯ãã¹ã¯ãŒããå¹³æã§éä¿¡ããããã§ããïŒ
ã¯ããããã§ãã FreeRadius ãš FreeIPA éã®éä¿¡ã¯ãã®ããã«ããŠè¡ãããŸãã ãããã° ã¢ãŒãã§ã¯ããŠãŒã¶ãŒåãšãã¹ã¯ãŒããã©ã®ããã«éä¿¡ããããã远跡ã§ããŸãã ã¯ãã圌ãã解æŸããŠãã ãããFreeRadius ãµãŒããŒã«ã¢ã¯ã»ã¹ã§ããã®ã¯ããªãã ãã§ãã
EAP-TTLS ã®åãçµã¿ã«ã€ããŠè©³ããèªãããšãã§ããŸãã
ããªãŒã©ãžã¢ã¹
FreeRadius 㯠CentOS 7.6 ã§æäŸãããŸãã ããã§ã¯è€éãªããšã¯äœããªããéåžžã®æ¹æ³ã§èšå®ããŸãã
# Install FreeRADIUS, its test utilities (radtest) and the LDAP module (rlm_ldap) used below;
# -y answers the install prompt.
yum -y install freeradius freeradius-utils freeradius-ldap
ããŒãžã§ã³ 3.0.13 ã¯ããã±ãŒãžããã€ã³ã¹ããŒã«ãããŸãã åŸè
ã¯åããã
ãã®åŸãFreeRadius ã¯ãã§ã«åäœããŠããŸãã /etc/raddb/users å ã®è¡ã®ã³ã¡ã³ãã解é€ã§ããŸãã
# Sample test account from the stock /etc/raddb/users file, uncommented here only to verify that the
# server answers at all. Its password sits in cleartext in the users file; re-comment or remove the
# entry once the LDAP path below is working.
steve Cleartext-Password := "testing"
ãããã°ã¢ãŒãã§ãµãŒããŒãèµ·åããŸã
# Run the server in the foreground with full debug output (-X). The debug log prints request
# attributes, so with PAP the user's cleartext password appears on the console — use it for
# troubleshooting only and do not share the output unredacted.
# NOTE(review): on the CentOS packages the daemon is normally started as `radiusd -X`; use that
# if `freeradius` is not on PATH.
freeradius -X
ãããŠããŒã«ã«ãã¹ããããã¹ãæ¥ç¶ãè¡ããŸã
# Local sanity check: user and password from the users entry, server, auth port, shared secret.
# testing123 is presumably the stock secret of the default `localhost` client in clients.conf,
# so this test only works while that client entry is still present.
radtest steve testing 127.0.0.1 1812 testing123
çããåºãŸãã 115:127.0.0.1 ãã 1812:127.0.0.1 ãŸã§ã® Access-Accept Id 56081 ãåä¿¡ããŸãããé·ã 20ããã¹ãŠOKãšããæå³ã§ãã ã©ããã
ã¢ãžã¥ãŒã«ãæ¥ç¶ããŸã LDAP.
# Enable rlm_ldap: a module is only loaded when it is linked into mods-enabled.
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
ãããŠãããã«å€æŽããŸãã FreeIPA ã«ã¢ã¯ã»ã¹ããã«ã¯ FreeRadius ãå¿ èŠã§ã
MODæå¹/LDAP
# mods-enabled/ldap (excerpt): FreeRADIUS looks users up in FreeIPA's directory and, because the
# inner EAP-TTLS method is PAP, the user's password reaches this module in cleartext — the LDAP
# link therefore has to be TLS-protected.
ldap {
server="ldap://ldap.server.com"
# NOTE(review): 636 is the conventional ldaps:// (implicit TLS) port, while start_tls expects the
# plain LDAP port (389) and upgrades the connection; confirm which one the server exposes and keep
# the two settings consistent.
port=636
start_tls=yes
# Bind identity used for the user search. This is the directory admin account; a dedicated
# read-only service account is enough for a lookup and limits the damage if this file leaks.
# Its password is stored in cleartext here (value redacted in the listing).
identity="uid=admin,cn=users,dc=server,dc=com"
password=**********
base_dn="cn=users,dc=server,dc=com"
# NOTE(review): the authorize sections of the virtual servers also set control:Auth-Type := ldap
# explicitly; confirm how this option interacts with that before relying on either alone.
set_auth_type=yes
...
user {
base_dn="${..base_dn}"
# Search key: Stripped-User-Name when a realm was stripped, otherwise the raw User-Name.
filter="(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}
...
RADIUS ãµãŒããŒãåèµ·åããLDAP ãŠãŒã¶ãŒã®åæã確èªããŸãã
# Re-test with a real directory user (placeholders user_ldap/password_ldap). The password travels in
# the RADIUS User-Password attribute, so run this only against localhost or another trusted path.
radtest user_ldap password_ldap localhost 1812 testing123
EAP ãç·šéäž MODæå¹/EAP
ããã§ã¯ãeap ã® XNUMX ã€ã®ã€ã³ã¹ã¿ã³ã¹ãè¿œå ããŸãã ãããã¯èšŒææžãšããŒã®ã¿ãç°ãªããŸãã ãã®çç±ã以äžã«èª¬æããŸãã
MODæå¹/EAP
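# mods-enabled/eap, instance "eap-client": selected for the outer identity "client". It serves the
# certificate issued by the trusted CA (first.crt) so devices can validate the server from their
# system trust store. One setting per line (the listing had several collapsed onto one line).
eap eap-client {
	default_eap_type = ttls
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = ${max_requests}
	tls-config tls-common {
		# Key/certificate pair from the public CA. The listing spelled the key "fisrt.key";
		# assumed a typo for first.key (matching first.crt) — confirm the actual filename in ${certdir}.
		private_key_file = ${certdir}/first.key
		certificate_file = ${certdir}/first.crt
		dh_file = ${certdir}/dh
		ca_path = ${cadir}
		# "HIGH" is an OpenSSL alias; pin an explicit list if specific suites must be excluded.
		cipher_list = "HIGH"
		cipher_server_preference = no
		ecdh_curve = "prime256v1"
		# CRL checking concerns client certificates; this deployment authenticates with PAP
		# inside the tunnel, so no client certificates are involved.
		check_crl = no
	}
	ttls {
		tls = tls-common
		# Only consulted if a supplicant negotiates an EAP method inside the tunnel; the clients
		# documented here use plain PAP inside TTLS, so this md5 default is normally dormant.
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = yes
		# The inner (real) request is handled by sites-enabled/inner-tunnel.
		virtual_server = "inner-tunnel"
	}
}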
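# mods-enabled/eap, instance "eap-guest": selected for the outer identity "guest" (and, per
# sites-enabled/default, for any other outer identity). It serves the self-signed server.crt for
# devices that cannot use the system trust store and therefore have the CA certificate (ca.pem)
# installed by hand. One setting per line (the listing had several collapsed onto one line).
eap eap-guest {
	default_eap_type = ttls
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = ${max_requests}
	tls-config tls-common {
		# Fixed: the listing spelled this "private_key_passwotd", which is not a recognised option,
		# so the passphrase for the encrypted server.key would presumably never have been applied.
		# The value must match output_password in server.cnf and sits here in cleartext — keep this
		# file unreadable to other accounts.
		private_key_password = blablabla
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.crt
		dh_file = ${certdir}/dh
		ca_path = ${cadir}
		cipher_list = "HIGH"
		cipher_server_preference = no
		ecdh_curve = "prime256v1"
		# CRL checking concerns client certificates; this deployment authenticates with PAP
		# inside the tunnel, so no client certificates are involved.
		check_crl = no
	}
	ttls {
		tls = tls-common
		# Only consulted if a supplicant negotiates an EAP method inside the tunnel; the clients
		# documented here use plain PAP inside TTLS, so this md5 default is normally dormant.
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = yes
		# The inner (real) request is handled by sites-enabled/inner-tunnel.
		virtual_server = "inner-tunnel"
	}
}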
ãããªãç·šé ãµã€ãæå¹/ããã©ã«ãã authorize ã»ã¯ã·ã§ã³ãšauthenticate ã»ã¯ã·ã§ã³ãéèŠã§ãã
ãµã€ãæå¹/ããã©ã«ã
# sites-enabled/default, authorize (outer, unprotected phase). Only the anonymous outer identity
# and the EAP handshake are visible here; the real credentials are checked in inner-tunnel.
authorize {
filter_username
preprocess
# Pick the eap instance — and with it the server certificate — from the outer identity:
# "guest" -> self-signed certificate (devices that cannot use the system store),
# "client" -> CA-issued certificate.
if (&User-Name == "guest") {
eap-guest {
ok = return
}
}
elsif (&User-Name == "client") {
eap-client {
ok = return
}
}
# Any other outer identity also gets eap-guest here; whether it is then rejected is decided by the
# filter_inner_identity policy in policy.d/filter, not by this section.
else {
eap-guest {
ok = return
}
}
ldap
# Non-EAP requests that carry a User-Password (e.g. radtest) are sent to the LDAP bind check.
if ((ok || updated) && User-Password) {
update {
control:Auth-Type := ldap
}
}
expiration
logintime
pap
}
# sites-enabled/default, authenticate (outer). EAP traffic is dispatched to the named eap instance
# that handled it in authorize; the LDAP and PAP branches only matter for non-EAP (e.g. radtest)
# requests.
authenticate {
Auth-Type LDAP {
ldap
}
# Each named eap instance needs its own Auth-Type branch (the instance name is used as Auth-Type).
Auth-Type eap-guest {
eap-guest
}
Auth-Type eap-client {
eap-client
}
pap
}
authorize ã»ã¯ã·ã§ã³ã§ã¯ãäžèŠãªã¢ãžã¥ãŒã«ããã¹ãŠåé€ããŸãã LDAP ã ããæ®ããŸãã ãŠãŒã¶ãŒåã«ããã¯ã©ã€ã¢ã³ãæ€èšŒãè¿œå ããŸãã ãã®ãããäžèšã« eap ã® XNUMX ã€ã®ã€ã³ã¹ã¿ã³ã¹ãè¿œå ããŸããã
ãã«ã EAPå®éãäžéšã®ããã€ã¹ãæ¥ç¶ãããšãã¯ãã·ã¹ãã 蚌ææžã䜿çšãããã¡ã€ã³ãæå®ããŸãã ä¿¡é Œã§ããèªèšŒå±ããã®èšŒææžãšããŒãæã£ãŠããŸãã å人çã«ã¯ããã®ãããªæ¥ç¶æé ã¯ãåããã€ã¹ã«èªå·±çœ²å蚌ææžãæå ¥ãããããç°¡åã ãšæããŸãã ããããèªå·±çœ²å蚌ææžããªããŠããããã§ãããŸããããŸããã§ããã Samsung ããã€ã¹ããã³ Android =< 6 ããŒãžã§ã³ã§ã¯ãã·ã¹ãã 蚌ææžã䜿çšã§ããŸããã ãããã£ãŠãèªå·±çœ²å蚌ææžã䜿çšããŠãeap-guest ã®å¥ã®ã€ã³ã¹ã¿ã³ã¹ãäœæããŸãã ä»ã®ãã¹ãŠã®ããã€ã¹ã«ã€ããŠã¯ãä¿¡é Œããã蚌ææžãæ〠eap-client ã䜿çšããŸãã ãŠãŒã¶ãŒåã¯ãããã€ã¹ã®æ¥ç¶æã«å¿åãã£ãŒã«ãã«ãã£ãŠæ±ºå®ãããŸãã ã²ã¹ããã¯ã©ã€ã¢ã³ãã空ã®ãã£ãŒã«ãã® 3 ã€ã®å€ã®ã¿ãèš±å¯ãããŸãã ãã以å€ã¯ãã¹ãŠç Žæ£ãããŸãã ããã¯æ¿æ²»å®¶ã§æ§æãããŸãã å°ãåŸã§äŸãæããŸãã
ã® authorize ã»ã¯ã·ã§ã³ãšauthenticate ã»ã¯ã·ã§ã³ãç·šéããŠã¿ãŸãããã ãµã€ã察å¿/å éšãã³ãã«
ãµã€ã察å¿/å éšãã³ãã«
# sites-enabled/inner-tunnel, authorize: runs on the request carried inside the TLS tunnel, i.e. the
# one holding the real username and the PAP password.
authorize {
filter_username
# Policy from policy.d/filter: rejects inner requests whose outer identity is not one of the
# permitted anonymous values (guest, client, or an empty user part before '@').
filter_inner_identity
# Never proxy the inner request elsewhere; it is always answered locally.
update control {
&Proxy-To-Realm := LOCAL
}
ldap
# If the directory knows the user and a PAP password is present, authenticate by binding to LDAP
# as that user (Auth-Type ldap) instead of comparing against a stored password.
if ((ok || updated) && User-Password) {
update {
control:Auth-Type := ldap
}
}
expiration
digest
logintime
pap
}
# sites-enabled/inner-tunnel, authenticate. For the PAP-inside-TTLS clients described here the
# effective branch is the LDAP bind, because inner authorize sets Auth-Type := ldap whenever the
# user was found and a User-Password is present.
authenticate {
Auth-Type eap-guest {
eap-guest
}
Auth-Type eap-client {
eap-client
}
# Reached only when Auth-Type is still PAP, i.e. the LDAP lookup did not claim the request.
Auth-Type PAP {
pap
}
# NOTE(review): a bare module name here is relied on to act as the "Auth-Type ldap" branch — confirm,
# or make it explicit as `Auth-Type LDAP { ldap }` for consistency with sites-enabled/default.
ldap
}
次ã«ãå¿åãã°ã€ã³ã«äœ¿çšã§ããååãããªã·ãŒã§æå®ããå¿ èŠããããŸãã ç·šé ããªã·ãŒ.d/ãã£ã«ã¿ãŒ.
次ã®ãããªè¡ãèŠã€ããå¿ èŠããããŸãã
# policy.d/filter, inside filter_inner_identity: the stock check that the outer (cleartext) identity
# is an anonymised value. This is a prefix test (^), not an exact comparison.
if (&outer.request:User-Name !~ /^(anon|@)/) {
update request {
Module-Failure-Message = "User-Name is not anonymized"
}
reject
}
ãããŠã以äžã® elsif ã«å¿ èŠãªå€ãè¿œå ããŸãã
# Added branch permitting the outer identities used in this setup: guest, client, or an empty user
# part before '@'. Still a prefix match, so e.g. "guest2" also passes this test; the instance
# selection in sites-enabled/default compares exactly and routes such names to eap-guest.
# NOTE(review): an elsif only runs when the preceding if did not fire, and that if already rejects
# anything not starting with anon or @ — so as printed, "guest"/"client" would be rejected before
# reaching this branch. Confirm that the original anon|@ test was adjusted or replaced rather than
# kept unchanged in front of it.
elsif (&outer.request:User-Name !~ /^(guest|client|@)/) {
update request {
Module-Failure-Message = "User-Name is not anonymized"
}
reject
}
次ã«ããã£ã¬ã¯ããªã«ç§»åããå¿ èŠããããŸã 蚌ææžã ããã§ã¯ãä¿¡é Œã§ããèªèšŒå±ããã®ããŒãšèšŒææžãå ¥åããå¿ èŠããããŸãããã®èªèšŒå±ã¯ãã§ã«æã£ãŠãããeap-guest ã®èªå·±çœ²å蚌ææžãçæããå¿ èŠããããŸãã
ãã¡ã€ã«å ã®ãã©ã¡ãŒã¿ãå€æŽãã ca.cnf.
ca.cnf
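# ca.cnf (excerpt): parameters for the self-signed CA that signs the eap-guest server certificate.
...
# Ten-year validity for the CA certificate.
default_days = 3650
default_md = sha256
...
# Passphrase protecting the CA key, stored in cleartext here (placeholder value from the listing);
# keep the file readable only by the account that builds the certificates.
input_password = blablabla
output_password = blablabla
...
countryName = RU
# Fixed: the listing spelled these two DN fields "stateOrProvinceNmae"/"localityNmae"; OpenSSL only
# recognises stateOrProvinceName/localityName.
stateOrProvinceName = State
localityName = City
organizationName = NONAME
# Address obfuscated in the listing; set a real contact address.
emailAddress = [email protected]
commonName = "CA FreeRadius"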
åãå€ããã¡ã€ã«ã«æžã蟌ã¿ãŸã ãµãŒããŒ.cnfã ç§ãã¡ã¯ãã å€ããã ã
äžè¬å:
ãµãŒããŒ.cnf
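# server.cnf (excerpt): parameters for the self-signed server certificate presented by eap-guest.
...
# NOTE(review): a ten-year server certificate; some client platforms are strict about server
# certificate lifetime, so confirm the value against the devices that must connect.
default_days = 3650
default_md = sha256
...
# Passphrase for server.key, stored in cleartext here (placeholder value from the listing). The same
# value has to be given to FreeRADIUS as private_key_password in the eap-guest tls-config.
input_password = blablabla
output_password = blablabla
...
countryName = RU
# Fixed: the listing spelled these two DN fields "stateOrProvinceNmae"/"localityNmae"; OpenSSL only
# recognises stateOrProvinceName/localityName.
stateOrProvinceName = State
localityName = City
organizationName = NONAME
# Address obfuscated in the listing; set a real contact address.
emailAddress = [email protected]
# Subject shown to supplicants; devices that are told which server name to trust must match it.
commonName = "Server Certificate FreeRadius"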
äœæããïŒ
# Build the CA and server certificate/key pairs from ca.cnf and server.cnf using the Makefile in the
# FreeRADIUS certs directory (presumably /etc/raddb/certs on this install).
make
æºåãã§ããŠã åãåã£ã ãµãŒããŒ.crt О ãµãŒããŒã㌠äžèšã§ eap-guest ã«ç»é²æžã¿ã§ãã
æåŸã«ãã¢ã¯ã»ã¹ ãã€ã³ãããã¡ã€ã«ã«è¿œå ããŸããã client.confã 7 ã€ãããŸãããåãã€ã³ããåå¥ã«è¿œå ããªãããã«ãããããé 眮ãããŠãããããã¯ãŒã¯ã®ã¿ãèšè¿°ããŸã (ã¢ã¯ã»ã¹ ãã€ã³ãã¯å¥ã® VLAN ã«ãããŸã)ã
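# clients.conf: one entry for the whole access-point VLAN so each AP does not need its own block.
# Every host in that subnet that knows the secret is trusted as a NAS, so the VLAN should contain
# only the APs. Consider also `require_message_authenticator = yes` for these clients.
client APs {
	ipaddr = 192.168.100.0/24
	# Shared secret the APs present (placeholder value from the listing). FreeRADIUS reads it from
	# `secret`; the listing used `password`, which is not the shared-secret setting, so the server
	# would not have had a secret for these clients.
	secret = password_AP
}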
ãŠãããã£ã³ã³ãããŒã©ãŒ
ã³ã³ãããŒã©ãŒäžã«å¥ã®ãããã¯ãŒã¯ãæ§ç¯ããŸãã 192.168.2.0/24 ãšããŸãã
èšå® -> ãããã£ãŒã«ã«ç§»åããŸãã æ°ãããã®ãäœæããŸãã
ãã¡ã€ã«ã«æžã蟌ãã RADIUSãµãŒããŒã®ã¢ãã¬ã¹ãšããŒãããã¹ã¯ãŒããæžããŸã ã¯ã©ã€ã¢ã³ã.conf:
æ°ããã¯ã€ã€ã¬ã¹ãããã¯ãŒã¯åãäœæããŸãã èªèšŒæ¹æ³ãšã㊠WPA-EAP (ãšã³ã¿ãŒãã©ã€ãº) ãéžæããäœæãã RADIUS ãããã¡ã€ã«ãæå®ããŸãã
ãã¹ãŠãä¿åããé©çšããŠæ¬¡ã«é²ã¿ãŸãã
ã¯ã©ã€ã¢ã³ãã®ã»ããã¢ãã
æãé£ããããšããå§ããŸããã!
Windows 10
åé¡ã¯ãWindows ããã¡ã€ã³çµç±ã§äŒæ¥ WiFi ã«æ¥ç¶ããæ¹æ³ããŸã ç¥ããªããšããäºå®ã«åž°çããŸãã ãããã£ãŠã蚌ææžãä¿¡é Œã§ãã蚌ææžã¹ãã¢ã«æåã§ã¢ããããŒãããå¿ èŠããããŸãã ããã§ã¯ãèªå·±çœ²åãšèšŒææ©é¢ããã®çœ²åã®äž¡æ¹ã䜿çšã§ããŸãã XNUMXæ¬ç®ã䜿ããŸãã
次ã«ãæ°ããæ¥ç¶ãäœæããå¿ èŠããããŸãã ãããè¡ãã«ã¯ã[ãããã¯ãŒã¯ãšã€ã³ã¿ãŒãããã®èšå®] -> [ãããã¯ãŒã¯ãšå ±æã»ã³ã¿ãŒ] -> [æ°ããæ¥ç¶ãŸãã¯ãããã¯ãŒã¯ãäœæããŠæ§æ] ã«ç§»åããŸãã
ãããã¯ãŒã¯åãæåã§å
¥åããã»ãã¥ãªãã£ã®çš®é¡ãå€æŽããŸãã ã¯ãªãã¯ããåŸ æ¥ç¶èšå®ãå€æŽãã [ã»ãã¥ãªãã£] ã¿ãã§ããããã¯ãŒã¯èªèšŒ - EAP-TTLS ãéžæããŸãã
ãã©ã¡ãŒã¿ãæ€èšããèªèšŒã®æ©å¯æ§ãèŠå®ããŸãã ã¯ã©ã€ã¢ã³ãã ä¿¡é Œã§ãã蚌ææ©é¢ãšããŠãè¿œå ãã蚌ææžãéžæããããµãŒããŒãèªèšŒã§ããªãå Žåã¯ãŠãŒã¶ãŒã«æåŸ
ãçºè¡ããªãããã§ãã¯ããã¯ã¹ããªã³ã«ããŠãèªèšŒæ¹æ³ãšããŠæå·åãããŠããªããã¹ã¯ãŒã (PAP) ãéžæããŸãã
次ã«ã詳现èšå®ã«ç§»åãããèªèšŒã¢ãŒããæå®ãããã«ãã§ãã¯ãå
¥ããŸãã ããŠãŒã¶ãŒèªèšŒããéžæãã ãã¯ãªãã¯ããŸãã èªèšŒæ
å ±ãä¿åããã ããã§username_ldapãšpassword_ldapãå
¥åããå¿
èŠããããŸãã
ãã¹ãŠãä¿åããé©çšããŠãéããŸãã æ°ãããããã¯ãŒã¯ã«æ¥ç¶ã§ããŸãã
Linux
Ubuntu 18.04ã18.10ãFedora 29ã30ã§ãã¹ãããŸããã
ãŸãã蚌ææžãããŠã³ããŒãããŸãããã Linux ã§ã¯ã·ã¹ãã 蚌ææžã䜿çšã§ãããã©ããããŸããã®ãããªã¹ãã¢ããããã©ããã¯èŠã€ãããŸããã§ããã
ãã¡ã€ã³ã«æ¥ç¶ããŠã¿ãŸãããã ãããã£ãŠã蚌ææžãè³Œå ¥ããèªèšŒå±ããã®èšŒææžãå¿ èŠã§ãã
ãã¹ãŠã®æ¥ç¶ã¯ XNUMX ã€ã®ãŠã£ã³ããŠã§è¡ãããŸãã ãããã¯ãŒã¯ã®éžæ:
å¿åã¯ã©ã€ã¢ã³ã
ãã¡ã€ã³ - 蚌ææžãçºè¡ããããã¡ã€ã³
Android
ãµã ã¹ã³ä»¥å€ã®
ããŒãžã§ã³ 7 以éãWiFi ã«æ¥ç¶ãããšãã«ããã¡ã€ã³ã®ã¿ãæå®ããŠã·ã¹ãã 蚌ææžã䜿çšã§ããããã«ãªããŸããã
ãã¡ã€ã³ - 蚌ææžãçºè¡ããããã¡ã€ã³
å¿åã¯ã©ã€ã¢ã³ã
ãµã ã¹ã³
äžã§æžããããã«ãSamsung ããã€ã¹ã¯ WiFi ã«æ¥ç¶ãããšãã«ã·ã¹ãã 蚌ææžã䜿çšããæ¹æ³ãç¥ããŸããããŸãããã¡ã€ã³çµç±ã§æ¥ç¶ããæ©èœããããŸããã ãããã£ãŠãèªèšŒå±ã®ã«ãŒã蚌ææž (ca.pemãRadius ãµãŒããŒäžã§ååŸããŸã) ãæåã§è¿œå ããå¿ èŠããããŸãã ããã§èªå·±çœ²åã䜿çšãããŸãã
蚌ææžãããã€ã¹ã«ããŠã³ããŒãããŠã€ã³ã¹ããŒã«ããŸãã
蚌ææžã®ã€ã³ã¹ããŒã«
åæã«ãç»é¢ã®ããã¯è§£é€ãã¿ãŒã³ãPIN ã³ãŒãããŸãã¯ãã¹ã¯ãŒããèšå®ããå¿
èŠããããŸã (ãŸã èšå®ãããŠããªãå Žå)ã
蚌ææžã®ã€ã³ã¹ããŒã«ã®è€éãªããŒãžã§ã³ã瀺ããŸããã ã»ãšãã©ã®ããã€ã¹ã§ã¯ãããŠã³ããŒããã蚌ææžãã¯ãªãã¯ããã ãã§ãã
蚌ææžãã€ã³ã¹ããŒã«ãããããæ¥ç¶ã«é²ãããšãã§ããŸãã
蚌ææž - ã€ã³ã¹ããŒã«ããããã®ã瀺ããŸã
å¿åãŠãŒã¶ãŒ - ã²ã¹ã
macOS
Apple ããã€ã¹ã¯ãã®ãŸãŸã§ã¯ EAP-TLS ã«ã®ã¿æ¥ç¶ã§ããŸãããããã§ã蚌ææžãã¹ããŒããå¿ èŠããããŸãã å¥ã®æ¥ç¶æ¹æ³ãæå®ããã«ã¯ãApple Configurator 2 ã䜿çšããå¿ èŠããããŸãããããã£ãŠãæåã« Apple Configurator XNUMX ã Mac ã«ããŠã³ããŒãããæ°ãããããã¡ã€ã«ãäœæããŠãå¿ èŠãªãã¹ãŠã® WiFi èšå®ãè¿œå ããå¿ èŠããããŸãã
Apple Configurator
ããã«ãããã¯ãŒã¯åãå
¥åããŠãã ãã
ã»ãã¥ãªãã£ã®çš®é¡ - WPA2 ãšã³ã¿ãŒãã©ã€ãº
åãå
¥ãããã EAP ã¿ã€ã - TTLS
ãŠãŒã¶ãŒåãšãã¹ã¯ãŒã - 空ã®ãŸãŸã«ããŠãããŸã
å
éšèªèšŒ - PAP
å€éšã¢ã€ãã³ãã£ãã£ã¯ã©ã€ã¢ã³ã
ãä¿¡é Œãã¿ãã ããã§ãã¡ã€ã³ãæå®ããŸã
å šãŠã ãããã¡ã€ã«ã®ä¿åã眲åãããã€ã¹ãžã®é åžãå¯èœ
ãããã¡ã€ã«ã®æºåãã§ããããããããããŒã«ããŠã³ããŒãããŠã€ã³ã¹ããŒã«ããå¿ èŠããããŸãã ã€ã³ã¹ããŒã«ããã»ã¹äžã«ããŠãŒã¶ãŒã® usernmae_ldap ãš passwd_ldap ãæå®ããå¿ èŠããããŸãã
iOS
ãã®ããã»ã¹ã¯ macOS ãšäŒŒãŠããŸãã ãããã¡ã€ã«ã䜿çšããå¿ èŠããããŸã (macOS ã®å Žåãšåããã®ã䜿çšã§ããŸããApple Configurator ã§ãããã¡ã€ã«ãäœæããæ¹æ³ã«ã€ããŠã¯ãäžèšãåç §ããŠãã ãã)ã
ãããã¡ã€ã«ãããŠã³ããŒãããã€ã³ã¹ããŒã«ããè³æ Œæ å ±ãå ¥åããŠæ¥ç¶ããŸãã
ããã ãã§ãã Radius ãµãŒããŒãã»ããã¢ããããFreeIPA ãšåæããUbiquiti AP ã« WPA2-EAP ã䜿çšããããã«æ瀺ããŸããã
èãããã質å
ã§ïŒ ãããã¡ã€ã«/蚌ææžãåŸæ¥å¡ã«è»¢éããã«ã¯ã©ãããã°ããã§ãã?
ã«ã€ããŠïŒ ãã¹ãŠã®èšŒææž/ãããã¡ã€ã«ã Web ã¢ã¯ã»ã¹ã䜿çšã㊠FTP ã«ä¿åããŸãã é床å¶éãèšããftp ãé€ããŠã€ã³ã¿ãŒãããã®ã¿ã«ã¢ã¯ã»ã¹ããã²ã¹ã ãããã¯ãŒã¯ãæ§ç¯ããŸããã
èªèšŒã¯ 2 æ¥éç¶ãããã®åŸãªã»ãããããã¯ã©ã€ã¢ã³ãã¯ã€ã³ã¿ãŒããããªãã®ãŸãŸã«ãªããŸãã ããã åŸæ¥å¡ã WiFi ã«æ¥ç¶ãããå ŽåããŸãã²ã¹ã ãããã¯ãŒã¯ã«æ¥ç¶ããFTP ã«ã¢ã¯ã»ã¹ããå¿
èŠãªèšŒææžãŸãã¯ãããã¡ã€ã«ãããŠã³ããŒãããŠã€ã³ã¹ããŒã«ãããšãäŒæ¥ãããã¯ãŒã¯ã«æ¥ç¶ã§ããããã«ãªããŸãã
ã§ïŒ MSCHAPv2 ã§ã¹ããŒãã䜿çšããªãã®ã¯ãªãã§ãã? 圌女ã®æ¹ãå®å šã ãïŒ
ã«ã€ããŠïŒ ãŸãããã®ãããªã¹ããŒã 㯠NPS (Windows ãããã¯ãŒã¯ ããªã·ãŒ ã·ã¹ãã ) ã§ããŸãæ©èœããŸãããç§ãã¡ã®å®è£ ã§ã¯ãè¿œå 㧠LDAP (FreeIpa) ãæ§æãããµãŒããŒã«ãã¹ã¯ãŒã ããã·ã¥ãä¿åããå¿ èŠããããŸãã è¿œå ã èšå®ãè¡ãããšã¯ãå§ãã§ããŸããã ããã«ãããè¶ é³æ³¢ã®åæã«é¢ããããŸããŸãªåé¡ãçºçããå¯èœæ§ããããŸãã 次ã«ãããã·ã¥ã¯ MD4 ã§ãããããã»ãã¥ãªãã£ã¯ããŸã匷åãããŸããã
ã§ïŒ MAC ã¢ãã¬ã¹ã§ããã€ã¹ãèªèšŒããããšã¯ã§ããŸãã?
ã«ã€ããŠïŒ ããããããã¯å®å šã§ã¯ãããŸãããæ»æè ã MAC ã¢ãã¬ã¹ãå€æŽããå¯èœæ§ããããããã«å€ãã®ããã€ã¹ã§ã¯ MAC ã¢ãã¬ã¹ã«ããèªèšŒããµããŒããããŠããŸããã
ã§ïŒ ããããã¹ãŠã®èšŒææžã¯äžè¬çã«äœã䜿çšããã°ããã®ã§ãããã? 圌ããªãã§åå ã§ããŸããïŒ
ã«ã€ããŠïŒ 蚌ææžã¯ãµãŒããŒãèªèšŒããããã«äœ¿çšãããŸãã ãããã®ã æ¥ç¶æã«ãããã€ã¹ã¯ä¿¡é Œã§ãããµãŒããŒãã©ããã確èªããŸãã ããã§ããå Žåã¯èªèšŒãç¶è¡ãããããã§ãªãå Žåã¯æ¥ç¶ãéããããŸãã 蚌ææžãªãã§æ¥ç¶ããããšã¯ã§ããŸãããæ»æè ãŸãã¯é£äººãèªå® ãšåãååã® RADIUS ãµãŒããŒãšã¢ã¯ã»ã¹ ãã€ã³ããã»ããã¢ãããããšããŠãŒã¶ãŒã®è³æ Œæ å ±ãç°¡åã«ååã§ããŸã (è³æ Œæ å ±ã¯ã¯ãªã¢ ããã¹ãã§éä¿¡ãããããšãå¿ããªãã§ãã ãã)ã ãããŠã蚌ææžã䜿çšããããšãæµã®ãã°ã«ã¯ãæ¶ç©ºã®ãŠãŒã¶ãŒå (ã²ã¹ããŸãã¯ã¯ã©ã€ã¢ã³ã) ãšã¿ã€ã ãšã©ãŒ (äžæ㪠CA 蚌ææž) ã ãã衚瀺ãããŸãã
macOS ã«ã€ããŠããå°ã詳ããéåžžãmacOS ã§ã¯ãã·ã¹ãã ã®åã€ã³ã¹ããŒã«ã¯ã€ã³ã¿ãŒãããçµç±ã§è¡ãããŸãã ãªã«ã㪠ã¢ãŒãã§ã¯ãMac ã WiFi ã«æ¥ç¶ããå¿ èŠãããã瀟å WiFi ãã²ã¹ã ãããã¯ãŒã¯ãããã§ã¯æ©èœããŸããã å人çã«ã¯ãæè¡çãªæäœã®ã¿ãç®çãšããŠãå¥ã®ãããã¯ãŒã¯ (éåžžã® WPA2-PSK) ãé衚瀺ã«ããŸããã ãŸãã¯ãäºåã«ã·ã¹ãã ã§èµ·åå¯èœãª USB ãã©ãã·ã¥ ãã©ã€ããäœæããããšãã§ããŸãã ãã ãããããŒã 2015 幎以éã®å Žåã¯ããã®ãã©ãã·ã¥ ãã©ã€ãçšã®ã¢ããã¿ãŒãèŠã€ããå¿ èŠããããŸã)
åºæïŒ habr.com