Some examples of setting up corporate WiFi have been described before. Here I will describe how I set up a similar solution and the problems I ran into when connecting different devices. We will use an existing LDAP with registered users, bring up FreeRadius and configure WPA2-Enterprise on the Ubnt controller. Everything looks simple. Let's see...
A bit about EAP methods
Before starting the project, we need to decide on the authentication method that will be used in our solution.
From Wikipedia:
EAP is an authentication framework that is often used in wireless networks and point-to-point connections. The format was first described in RFC 3748 and updated in RFC 5247.
EAP is used to select an authentication method, pass keys and process those keys with plugins called EAP methods. There are many EAP methods, both defined together with EAP itself and released by individual vendors. EAP does not define the link layer, it only defines the message format. Each protocol that uses EAP has its own protocol for encapsulating EAP messages.
The methods themselves:
- LEAP is a proprietary protocol developed by CISCO. Vulnerabilities have been found in it. Its use is currently not recommended
- EAP-TLS is well supported among wireless vendors. It is a secure protocol because it is the successor of the SSL standards. Client setup is rather complicated. In addition to the password, a client certificate is required. Supported on many systems
- EAP-TTLS - widely supported on many systems, offers good security using PKI certificates only on the authentication server.
- EAP-MD5 is another open standard. Offers minimal security. Vulnerable, does not support mutual authentication or key generation
- EAP-IKEv2 - based on Internet Key Exchange Protocol version 2. Provides mutual authentication and session key establishment between client and server.
- PEAP is a joint proposal of CISCO, Microsoft and RSA Security as an open standard. Widely available in products, provides very good security. Similar to EAP-TTLS, it only requires a certificate on the server side
- PEAPv0/EAP-MSCHAPv2 - after EAP-TLS, this is the second most widely used standard in the world. Client-server relationship used by Microsoft, Cisco, Apple, Linux
- PEAPv1/EAP-GTC - developed by Cisco as an alternative to PEAPv0/EAP-MSCHAPv2. Does not protect authentication data in any way. Not supported on Windows OS
- EAP-FAST is a method developed by Cisco to fix the flaws of LEAP. Uses Protected Access Credential (PAC). Not fully finalized
Out of all this variety, the choice is not great. The authentication method had to offer good security, support on all devices (Windows 10, macOS, Linux, Android, iOS) and, in fact, the simpler the better. Therefore, the choice fell on EAP-TTLS in conjunction with the PAP protocol.
The question may arise: why use PAP? Doesn't it transmit passwords in clear text?
Yes, that's right. The communication between FreeRadius and FreeIPA will happen this way. In debug mode you can trace how the username and password are sent. Yes, and so what, you are the only one who has access to the FreeRadius server.
More on how EAP-TTLS works can be read separately.
FreeRADIUS
FreeRadius will be brought up on CentOS 7.6. Nothing complicated here, we install it as usual.
yum install freeradius freeradius-utils freeradius-ldap -y
Version 3.0.13 is installed from the packages. The latest version can be obtained from the FreeRADIUS project site.
After that, FreeRadius already works. You can uncomment the line in /etc/raddb/users
steve Cleartext-Password := "testing"
Start the server in debug mode
freeradius -X
And make a test connection from localhost
radtest steve testing 127.0.0.1 1812 testing123
I got the response Received Access-Accept Id 115 from 127.0.0.1:1812 to 127.0.0.1:56081 length 20, which means everything is fine. Moving on.
We enable the ldap module.
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
And we edit it right away. We need FreeRadius to reach FreeIPA.
mods-enabled/ldap
ldap {
    # Port 636 is LDAPS, so the server URL must be ldaps:// and start_tls stays off.
    # start_tls (STARTTLS) only applies to the plain LDAP port 389; asking for
    # STARTTLS on 636 makes the TLS handshake fail.
    server = "ldaps://ldap.server.com"
    port = 636
    start_tls = no
    identity = "uid=admin,cn=users,dc=server,dc=com"
    password = **********
    base_dn = "cn=users,dc=server,dc=com"
    set_auth_type = yes
    ...
    user {
        base_dn = "${..base_dn}"
        # Look the user up by uid; Stripped-User-Name is used when a realm was removed
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    ...
Restart the radius server and check the connection of an LDAP user:
radtest user_ldap password_ldap localhost 1812 testing123
Editing eap in mods-enabled/eap
Here we add two eap instances. They differ only in their certificates and keys. Below I will explain why this is so.
mods-enabled/eap
eap eap-client {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    # Key and certificate issued by the trusted (public) certificate authority
    tls-config tls-common {
        private_key_file = ${certdir}/first.key
        certificate_file = ${certdir}/first.crt
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        cipher_list = "HIGH"
        cipher_server_preference = no
        ecdh_curve = "prime256v1"
        check_crl = no
    }
    ttls {
        tls = tls-common
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}
eap eap-guest {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    # Self-signed key and certificate generated in the certs directory (see below)
    tls-config tls-common {
        private_key_password = blablabla
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.crt
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        cipher_list = "HIGH"
        cipher_server_preference = no
        ecdh_curve = "prime256v1"
        check_crl = no
    }
    ttls {
        tls = tls-common
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}
Another edit is sites-enabled/default. The authorize and authenticate sections are the interesting ones.
sites-enabled/default
authorize {
    filter_username
    preprocess
    if (&User-Name == "guest") {
        eap-guest {
            ok = return
        }
    }
    elsif (&User-Name == "client") {
        eap-client {
            ok = return
        }
    }
    else {
        eap-guest {
            ok = return
        }
    }
    ldap
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap
        }
    }
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type LDAP {
        ldap
    }
    Auth-Type eap-guest {
        eap-guest
    }
    Auth-Type eap-client {
        eap-client
    }
    pap
}
In the authorize section we remove all the modules we do not need and leave only ldap. We add client authentication by username. This is why we added two eap instances above.
A bit more about EAP
The thing is that when connecting some devices we will use the system certificates and specify the domain. We have a certificate and key from a trusted certificate authority. Personally, in my opinion, this way of connecting is easier than pushing a self-signed certificate onto every device. But it did not work out entirely without self-signed certificates either. Samsung devices and Android versions <= 6 cannot use the system certificates. Therefore, we create a separate eap-guest instance for them with self-signed certificates. For all other devices we will use eap-client with the trusted certificate. User-Name is taken from the anonymous identity field when the device connects. Only three values are allowed: guest, client and an empty field. Everything else is rejected. This is set in the policy. I will give an example later.
Let's edit the authorize and authenticate sections in sites-enabled/inner-tunnel
sites-enabled/inner-tunnel
authorize {
    filter_username
    filter_inner_identity
    update control {
        &Proxy-To-Realm := LOCAL
    }
    ldap
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap
        }
    }
    expiration
    digest
    logintime
    pap
}
authenticate {
    Auth-Type eap-guest {
        eap-guest
    }
    Auth-Type eap-client {
        eap-client
    }
    Auth-Type PAP {
        pap
    }
    ldap
}
Next, you need to specify in the policy which names may be used for the anonymous login. Edit policy.d/filter.
You need to find lines like these:
if (&outer.request:User-Name !~ /^(anon|@)/) {
    update request {
        Module-Failure-Message = "User-Name is not anonymized"
    }
    reject
}
And below, in the elsif, add what you need:
elsif (&outer.request:User-Name !~ /^(guest|client|@)/) {
    update request {
        Module-Failure-Message = "User-Name is not anonymized"
    }
    reject
}
Now we need to go to the certs directory. Here you need to put the key and certificate from the trusted certificate authority, which we already have, and which are needed to generate the self-signed certificates for eap-guest.
Edit the parameters in the ca.cnf file.
ca.cnf
...
default_days = 3650
default_md = sha256
...
input_password = blablabla
output_password = blablabla
...
countryName = RU
stateOrProvinceName = State
localityName = City
organizationName = NONAME
emailAddress = [email protected]
commonName = "CA FreeRadius"
We write the same in the server.cnf file. We only change the common name:
server.cnf
...
default_days = 3650
default_md = sha256
...
input_password = blablabla
output_password = blablabla
...
countryName = RU
stateOrProvinceName = State
localityName = City
organizationName = NONAME
emailAddress = [email protected]
commonName = "Server Certificate FreeRadius"
Generate:
make
Done. The resulting server.crt and server.key we already referenced above in eap-guest.
And finally, let's add our access points to the clients.conf file. I have 7 of them. So as not to add each point separately, we just write the network they are in (my access points are in a separate VLAN).
client APs {
    ipaddr = 192.168.100.0/24
    # the shared RADIUS secret; clients.conf uses "secret", not "password"
    secret = password_AP
}
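Before pointing the access points at the server, a check that is not part of the original article: radtest only does plain PAP against the server, so it says nothing about whether the EAP-TTLS tunnel, the anonymous outer identity and the server certificate check behave the way the eap-client and eap-guest instances intend. eapol_test from wpa_supplicant acts as a full EAP supplicant against port 1812; the functions below (my addition) build its configuration and run it. The domain wifi.example.com, the user user_ldap/password_ldap and the path /etc/raddb/certs/ca.pem are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. Drives eapol_test (part of
# wpa_supplicant) as an EAP-TTLS/PAP supplicant against FreeRADIUS, so the
# tunnel, the anonymous outer identity and the server certificate check are
# exercised the way a real client would, which radtest cannot do.
# Assumed: eapol_test is installed; secret is the entry from clients.conf.

# Print the eapol_test network block. The outer (anonymous) identity is
# "client" or "guest" as required by the policy; the real LDAP user and
# password travel only inside the TTLS tunnel, with PAP as inner method.
# ca_cert is the CA that signed the certificate of the eap instance under
# test (the self-signed ca.pem for eap-guest, the public CA for eap-client).
# domain is optional: when given, the server certificate must match it.
gen_eapol_conf() {
    anon="$1"; user="$2"; pass="$3"; ca_cert="$4"; domain="$5"
    printf 'network={\n'
    printf '    key_mgmt=WPA-EAP\n'
    printf '    eap=TTLS\n'
    printf '    anonymous_identity="%s"\n' "$anon"
    printf '    identity="%s"\n' "$user"
    printf '    password="%s"\n' "$pass"
    printf '    phase2="auth=PAP"\n'
    printf '    ca_cert="%s"\n' "$ca_cert"
    if [ -n "$domain" ]; then
        printf '    domain_match="%s"\n' "$domain"
    fi
    printf '}\n'
}

# Run one authentication; returns 0 only when eapol_test reports SUCCESS
# (Access-Accept after a completed TTLS tunnel), 1 otherwise.
run_eap_ttls_check() {
    anon="$1"; user="$2"; pass="$3"; ca_cert="$4"; domain="$5"
    server="${6:-127.0.0.1}"; secret="${7:-testing123}"
    conf=$(mktemp) || return 1
    gen_eapol_conf "$anon" "$user" "$pass" "$ca_cert" "$domain" > "$conf"
    if eapol_test -c "$conf" -a "$server" -p 1812 -s "$secret" -t 10 \
            | grep -q '^SUCCESS'; then
        rc=0
    else
        rc=1
    fi
    rm -f "$conf"
    return "$rc"
}

# Usage (adjust the placeholders); the guest instance is tested without a domain:
#   run_eap_ttls_check client user_ldap password_ldap /etc/raddb/certs/ca.pem wifi.example.com && echo client-ok
#   run_eap_ttls_check guest user_ldap password_ldap /etc/raddb/certs/ca.pem "" && echo guest-ok
```

A third run with an outer identity other than guest or client (or with the wrong ca_cert) must fail; that is the policy in policy.d/filter and the certificate check doing their job.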
Ubiquiti controller
We create a separate network on the controller. Let it be 192.168.2.0/24.
Go to Settings -> Profiles. Create a new one:
Enter the address and port of the radius server and the secret that was written in the clients.conf file:
Create a new wireless network name. Select WPA-EAP (Enterprise) as the authentication method and specify the radius profile just created:
Save everything, apply, and move on.
Client setup
Let's start with the hardest one!
Windows 10
The difficulty is that Windows does not know how to connect to corporate WiFi through the domain. Therefore, we have to upload our certificate to the trusted certificate store manually. Here you can use either the self-signed one or the one from the certification authority. I will use the second.
Next, you need to create a new connection. To do this, go to Network and Internet -> Network and Sharing Center -> Set up a new connection or network:
Manually enter the network name and change the security type. Then click Change connection settings and on the Security tab select the network authentication method: EAP-TTLS.
Go to the settings, enable identity privacy and set the anonymous identity to client. As the trusted root certification authority select the certificate we added, tick "Do not prompt user if the server cannot be authorized" and select the authentication method: unencrypted password (PAP).
Next, go to Advanced settings, tick "Specify authentication mode", select "User authentication" and click Save credentials. Here you enter username_ldap and password_ldap.
Save everything, apply, close. You can connect to the new network.
Linux
I tested on Ubuntu 18.04, 18.10, Fedora 29, 30.
First, let's download our certificate. On Linux I did not find out whether system certificates can be used and whether there is such a store at all.
We will connect via the domain. Therefore, we need the certificate of the certification authority from which our certificate was purchased.
The whole connection is configured in one window. Select our network:
anonymous identity - client
domain - the domain for which the certificate was issued
Android
Not Samsung
Starting from version 7, when connecting to WiFi you can use the system certificates by specifying only the domain:
domain - the domain for which the certificate was issued
anonymous identity - client
Samsung
As I wrote above, Samsung devices do not know how to use the system certificates when connecting to WiFi, and they have no way to connect via the domain. Therefore, you need to add the certificate authority certificate manually (ca.pem, we take it from the Radius server). This is where the self-signed one will be used.
Download the certificate to your device and install it.
Installing the certificate
At the same time, you will need to set a screen lock, PIN code or password, if one is not set already:
I showed the complicated way of installing a certificate. On most devices it is enough to just tap the downloaded certificate.
When the certificate is installed, you can proceed to the connection:
CA certificate - specify the installed one
anonymous identity - guest
macOS
Apple devices out of the box can only connect with EAP-TLS, and even then you have to push a certificate onto them. To specify a different connection method, you need to use Apple Configurator 2. Accordingly, you first download it to your Mac, create a new profile and add all the necessary WiFi settings.
Apple Configurator
Enter your network name here
Security Type - WPA2 Enterprise
Accepted EAP Types - TTLS
Username and Password - leave empty
Inner Authentication - PAP
Outer Identity - client
Trust tab. Here we specify our domain
That's all. The profile can be saved, signed and distributed to the devices
When the profile is ready, you need to download it to the Mac and install it. During installation you will need to enter the user's username_ldap and password_ldap:
iOS
The process is similar to macOS. You need to use a profile (you can use the same one as for macOS; see above for how to create a profile in Apple Configurator).
Download the profile, install it, enter the credentials, connect:
That's it. We set up the Radius server, connected it to FreeIPA, and told the Ubiquiti APs to use WPA2-EAP.
Possible questions
Q: how do you deliver the profile/certificate to an employee?
A: I keep all certificates/profiles on an ftp with a web interface. I brought up a guest network with a speed limit and access only to the Internet, plus the ftp.
Authentication there lasts 2 days, after which it is reset and the client is left without Internet. So when an employee wants to connect to WiFi, they first connect to the guest network, open the FTP, download the certificate or profile they need, install it, and then they can connect to the corporate network.
Q: why not use a scheme with MSCHAPv2? It is more secure!
A: First, such a scheme works well on NPS (Windows Network Policy Server); in our implementation it would additionally require configuring LDAP (FreeIpa) and storing password hashes on the server. Additional settings are not advisable, since this can lead to all sorts of account synchronization problems. Second, the hash is MD4, so it does not add much security.
Q: is it possible to authorize devices by MAC address?
A: NO, this is not secure, an attacker can change MAC addresses, and on top of that authorization by MAC address is not supported on many devices.
Q: what are all these certificates for? Can you connect without them?
A: the certificates are used to authenticate the server. That is, when connecting, the device checks whether this is a server that can be trusted or not. If so, authentication continues; if not, the connection is closed. You can connect without certificates, but if an attacker or a neighbour sets up at home a radius server and an access point with the same name as ours, they can easily intercept the user's credentials (do not forget that they are transmitted in clear text). And when a certificate is used, the adversary will only see in their logs our fake User-Name, guest or client, and an error of the type Unknown CA certificate.
A little more about macOS
Usually on macOS the system is reinstalled over the Internet. In recovery mode the Mac has to be connected to WiFi, and neither our corporate WiFi nor the guest network will work here. Personally, I brought up another network, an ordinary hidden WPA2-PSK one, for technical needs. Or you can prepare a bootable USB flash drive with the system in advance. But if the Mac is newer than 2015, you will also have to find an adapter for that flash drive)
Source: www.habr.com