WiFi Enterprise. FreeRadius + FreeIPA + Ubiquiti

Several examples of setting up corporate WiFi have already been described. Here I will describe how I implemented a similar solution and the problems I had to face when connecting different devices. We will use the existing LDAP with its registered users, set up FreeRadius and configure WPA2-Enterprise on the Ubnt controller. It all looks simple. Let's see...

A little about EAP methods

Before getting to work, we need to decide which authentication method we will use in our solution.

From Wikipedia:

EAP is an authentication framework that is often used in wireless networks and point-to-point connections. The format was first described in RFC 3748 and updated in RFC 5247.
EAP is used to select an authentication method, pass keys, and process those keys with plug-ins called EAP methods. There are many EAP methods, both defined by EAP itself and released by individual vendors. EAP does not define the link layer, it only defines the message format. Each protocol that uses EAP has its own EAP message encapsulation protocol.

The methods themselves:

  • LEAP is a proprietary protocol developed by CISCO. Vulnerabilities have been found in it. Its use is currently not recommended
  • EAP-TLS is well supported among wireless vendors. The protocol is secure because it is the successor of the SSL standards. Client setup is complicated. A client certificate is needed in addition to the password. Supported on many systems
  • EAP-TTLS - widely supported on many systems, provides good security by using PKI certificates only on the authentication server.
  • EAP-MD5 is another open standard. It offers minimal security. Vulnerable, does not support mutual authentication or key generation
  • EAP-IKEv2 - based on Internet Key Exchange Protocol version 2. Provides mutual authentication and session key establishment between client and server.
  • PEAP is a joint proposal of CISCO, Microsoft and RSA Security as an open standard. Widely available in products, provides very good security. Like EAP-TTLS, it requires a certificate only on the server side
  • PEAPv0/EAP-MSCHAPv2 - after EAP-TLS, this is the second most widely used standard in the world. Used in client-server setups by Microsoft, Cisco, Apple, Linux
  • PEAPv1/EAP-GTC - created by Cisco as an alternative to PEAPv0/EAP-MSCHAPv2. Does not protect the authentication data in any way. Not supported on Windows OS
  • EAP-FAST is a method proposed by Cisco to fix the flaws of LEAP. Uses Protected Access Credential (PAC). Not fully finished

Among all this variety, the choice is not large. The authentication method had to offer good security, support on all devices (Windows 10, macOS, Linux, Android, iOS) and, frankly, the simpler the better. So the choice fell on EAP-TTLS combined with the PAP protocol.
The question may arise: why use PAP, when it transmits passwords in the clear?

Yes, that's right. The exchange between FreeRadius and FreeIPA will happen exactly this way. In debug mode you can see how the username and password are transmitted. And let them be: only you have access to the FreeRadius server.

You can read more about how EAP-TTLS works here

FreeRADIUS

FreeRadius will be set up on CentOS 7.6. Nothing complicated here, we install it the standard way.

yum install freeradius freeradius-utils freeradius-ldap -y

Version 3.0.13 was installed from the packages. The latest one can be taken from https://freeradius.org/

After that, FreeRadius is already working. You can uncomment the line in /etc/raddb/users

steve   Cleartext-Password := "testing"

Start the server in debug mode

freeradius -X

And do a test connection from localhost

radtest steve testing 127.0.0.1 1812 testing123

I got the reply Received Access-Accept Id 115 from 127.0.0.1:1812 to 127.0.0.1:56081 length 20, which means everything is fine. Moving on.
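What radtest does on the wire, as an added example that is not part of the original article: it builds the PAP Access-Request from the steve/testing/testing123 values used above, hides User-Password with the shared secret as RFC 2865 requires (so the password is not literally in the clear between NAS and server, only between FreeRadius and FreeIPA), and checks the Response Authenticator on the reply. The host, port and the sample reply built by sign_reply are constructed here.

```python
import hashlib
import secrets
import socket
import struct

# RADIUS codes and attribute types from RFC 2865 (only those the radtest call above uses)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    # RFC 2865 5.2: NUL-pad to 16-byte blocks; block i ^= MD5(secret + block i-1), block 0 keyed by the Request Authenticator
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    # Inverse of hide_password (what the server does before pap/ldap see the clear text); padding is stripped
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(code: int, value: bytes) -> bytes:
    # Type-Length-Value; the length byte includes the two header bytes.
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(ident, user, password, secret, request_auth):
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret.encode(), request_auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton("127.0.0.1"))
             + attr(NAS_PORT, struct.pack("!I", 0)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def parse_header(packet: bytes):
    # Returns (code name, identifier, length), the fields radtest prints for a reply.
    code, ident, length = struct.unpack("!BBH", packet[:4])
    return CODE_NAMES.get(code, str(code)), ident, length

def sign_reply(code, ident, request_auth, secret, attrs=b""):
    # How a server signs a reply (RFC 2865 3): MD5(Code+ID+Length + RequestAuth + Attrs + Secret). Sample data only.
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def reply_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    # Without this check a forged reply from anyone on the path would pass as the server's.
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return secrets.compare_digest(expected, reply[4:20])

def radtest(user, password, host, port, secret, timeout=3.0):
    # One Access-Request over UDP; returns the parsed reply after checking its authenticator.
    request_auth, ident = secrets.token_bytes(16), secrets.randbelow(256)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_access_request(ident, user, password, secret, request_auth), (host, port))
        reply, _ = sock.recvfrom(4096)
    if not reply_authentic(reply, request_auth, secret.encode()):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return parse_header(reply)
```

Against the server started with freeradius -X, radtest("steve", "testing", "127.0.0.1", 1812, "testing123") returns ("Access-Accept", id, 20) just like the radtest utility.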

We enable the ldap module.

ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap

And we change it right away. We need FreeRadius to be able to reach FreeIPA

mods-enabled/ldap

ldap {
    server = "ldap://ldap.server.com"
    # note: start_tls negotiates TLS on the plain LDAP port (389); port 636 is for ldaps:// with start_tls = no
    port = 636
    start_tls = yes
    identity = "uid=admin,cn=users,dc=server,dc=com"
    password = **********
    base_dn = "cn=users,dc=server,dc=com"
    set_auth_type = yes
    ...
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    ...

Restart the radius server and check authentication of the LDAP users:

radtest user_ldap password_ldap localhost 1812 testing123

Editing eap in mods-enabled/eap
Here we add two eap instances. They differ only in the certificates and keys. Below I will explain why this is so.

mods-enabled/eap

eap eap-client {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    tls-config tls-common {
        private_key_file = ${certdir}/first.key
        certificate_file = ${certdir}/first.crt
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        cipher_list = "HIGH"
        cipher_server_preference = no
        ecdh_curve = "prime256v1"
        check_crl = no
    }
    ttls {
        tls = tls-common
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}
eap eap-guest {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    tls-config tls-common {
        private_key_password = blablabla
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.crt
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        cipher_list = "HIGH"
        cipher_server_preference = no
        ecdh_curve = "prime256v1"
        check_crl = no
    }
    ttls {
        tls = tls-common
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}

Additionally we configure sites-enabled/default. The authorize and authenticate sections are what matter here.

sites-enabled/default

authorize {
  filter_username
  preprocess
  if (&User-Name == "guest") {
   eap-guest {
       ok = return
   }
  }
  elsif (&User-Name == "client") {
    eap-client {
       ok = return 
    }
  }
  else {
    eap-guest {
       ok = return
    }
  }
  ldap
  if ((ok || updated) && User-Password) {
    update {
        control:Auth-Type := ldap
    }
  }
  expiration
  logintime
  pap
}

authenticate {
  Auth-Type LDAP {
    ldap
  }
  Auth-Type eap-guest {
    eap-guest
  }
  Auth-Type eap-client {
    eap-client
  }
  pap
}

In the authorize section we remove all the modules we don't need. We leave only ldap. We add a check of the client by username. That is why we added two eap instances above.

Multi EAP

The point is that when connecting some devices, we use the system certificates and just specify the domain. We have a certificate and key from a trusted certificate authority. Personally, in my opinion, such a connection process is easier than uploading a self-signed certificate to every device. But even without self-signed certificates it didn't work out. Samsung devices and Android =< 6 versions cannot use system certificates. So we create a separate eap-guest instance for them with self-signed certificates. For all other devices we will use eap-client with the trusted certificate. The User-Name is determined by the Anonymous identity field when the device connects. Only three values are allowed: guest, client and an empty field. Everything else is rejected. This will be configured in the policies. I will give an example a bit later.

Let's configure the authorize and authenticate sections in sites-enabled/inner-tunnel

sites-enabled/inner-tunnel

authorize {
  filter_username
  filter_inner_identity
  update control {
   &Proxy-To-Realm := LOCAL
  }
  ldap
  if ((ok || updated) && User-Password) {
    update {
        control:Auth-Type := ldap
    }
  }
  expiration
  digest
  logintime
  pap
}

authenticate {
  Auth-Type eap-guest {
    eap-guest
  }
  Auth-Type eap-client {
    eap-client
  }
  Auth-Type PAP {
    pap
  }
  ldap
}

Next, you need to specify in the policies which names may be used for the anonymous login. Edit policy.d/filter.

You need to find lines like these:

if (&outer.request:User-Name !~ /^(anon|@)/) {
  update request {
    Module-Failure-Message = "User-Name is not anonymized"
  }
  reject
}

And below, in the elsif, add the required values:

elsif (&outer.request:User-Name !~ /^(guest|client|@)/) {
  update request {
    Module-Failure-Message = "User-Name is not anonymized"
  }
  reject
}

Now we need to go to the certs directory. Here you need to put the key and certificate from the trusted certificate authority, which we already have, and we need to generate the self-signed certificates for eap-guest.

Change the parameters in the ca.cnf file.

ca.cnf

...
default_days = 3650
default_md = sha256
...
input_password = blablabla
output_password = blablabla
...
countryName = RU
stateOrProvinceName = State
localityName = City
organizationName = NONAME
emailAddress = [email protected]
commonName = "CA FreeRadius"

We write the same parameters in the server.cnf file. We change only the
common name:

server.cnf

...
default_days = 3650
default_md = sha256
...
input_password = blablabla
output_password = blablabla
...
countryName = RU
stateOrProvinceName = State
localityName = City
organizationName = NONAME
emailAddress = [email protected]
commonName = "Server Certificate FreeRadius"

Generate:

make

Done. We got server.crt and server.key, which we already specified above in eap-guest.

And finally, let's add our access points to the clients.conf file. I have 7 of them. In order not to add each point separately, we just write the network they are in (my access points are in a separate VLAN).

client APs {
    ipaddr = 192.168.100.0/24
    secret = password_AP    # clients.conf names the shared RADIUS secret "secret"
}

Ubiquiti controller

We set up a separate network on the controller. Let it be 192.168.2.0/24
Go to Settings -> Profiles. Create a new one:

We enter the address and port of the radius server and the password that was written in the clients.conf file:

Create a new wireless network name. Choose WPA-EAP (Enterprise) as the authentication method and specify the radius profile we created:

We save everything, apply and move on.

Configuring clients

Let's start with the hardest one!

Windows 10

The difficulty is that Windows does not yet know how to connect to a corporate WiFi through the domain. So we have to load our certificate into the trusted certificate store. Either a self-signed one or one from a certificate authority can be used here. I will use the second.

Next, you need to create a new connection. To do this, go to Network and Internet settings -> Network and Sharing Center -> Set up a new connection or network:

Manually enter the network name and change the security type. Then click on change connection settings and, in the Security tab, select the network authentication method - EAP-TTLS.

We go into the settings and enter the identity privacy (anonymous identity) - client. As the trusted root certification authority select the certificate we added, tick "Do not prompt the user if the server cannot be authorized" and select the authentication method - unencrypted password (PAP).

Next, go to the advanced settings and tick "Specify authentication mode". Select "User authentication" and click save credentials. Here you will need to enter username_ldap and password_ldap

We save everything, apply, close. You can connect to the new network.

Linux

I tested on Ubuntu 18.04, 18.10, Fedora 29, 30.

First, let's download our certificate. I could not find out whether Linux can use system certificates and whether such a store exists at all.

We will connect via the domain. So we need the certificate of the certification authority from which our certificate was purchased.

All the connection settings are made in one window. Select our network:

anonymous - client
domain - the domain for which the certificate is issued

Android

non-Samsung

Starting from version 7, when connecting to WiFi you can use the system certificates by specifying only the domain:

domain - the domain for which the certificate is issued
anonymous - client

Samsung

As I wrote above, Samsung devices do not know how to use the system certificates when connecting to WiFi, and they cannot connect via the domain. So you have to add the certificate authority's certificate manually (ca.pem, we take it from the Radius server). This is where the self-signed one is used.

Download the certificate to your device and install it.

Certificate installation

At the same time you will be required to set a screen unlock pattern, PIN code or password, if one is not set yet:

I have shown the complicated way of installing a certificate. On most devices, just tap the downloaded certificate.

Once the certificate is installed, you can proceed to the connection:

certificate - specify the installed one
anonymous user - guest

macOS

Apple devices out of the box can only connect with EAP-TLS, but you still have to push a certificate to them. To specify a different connection method, you need to use Apple Configurator 2. Accordingly, first download it to your Mac, create a new profile and add all the necessary WiFi settings.

Apple Configurator

Enter your network name here
Security Type - WPA2 Enterprise
Accepted EAP Types - TTLS
Username and Password - leave blank
Inner Authentication - PAP
Outer Identity - client

Trust tab. Here we specify our domain

That's it. The profile can be saved, signed and distributed to the devices

Once the profile is ready, you need to download it to the Mac and install it. During installation you will need to enter the user's username_ldap and password_ldap:

iOS

The process is similar to macOS. You need to use a profile (you can use the same one as for macOS; see above for how to create a profile in Apple Configurator).

Download the profile, install it, install the certificates, connect:

That's all. We set up the Radius server, synchronized it with FreeIPA, and told the Ubiquiti APs to use WPA2-EAP.

Possible questions

Q: how do you deliver the profile / certificate to an employee?

A: I keep all the certificates / profiles on an ftp with web access. I set up a guest network with a speed limit and access only to the Internet, apart from the ftp.
Authorization lasts two days, after which it is reset and the client is left without Internet. So when an employee wants to connect to WiFi, he first connects to the guest network, goes to the FTP, downloads the certificate or profile he needs, installs it, and then connects to the corporate network.

Q: why not use a scheme with MSCHAPv2? It's more secure!

A: First, such a scheme works well on NPS (Windows Network Policy Server); in our implementation you would additionally have to configure LDAP (FreeIPA) and store password hashes on the server. Making such additional settings is not recommended, since it can lead to various problems with account synchronization. Second, the hash is MD4, so it does not add much security.

Q: is it possible to authorize devices by MAC address?

A: No, it is not secure; an attacker can change MAC addresses, and besides, authorization by MAC address is not supported on many devices.

Q: what are all these certificates for? Can you connect without them?

A: the certificates are used to authenticate the server. That is, when connecting, the device checks whether this server can be trusted or not. If yes, authentication continues; if not, the connection is closed. You can connect without certificates, but if an attacker or a neighbor sets up a radius server and an access point with the same name as ours, he can easily intercept user credentials (don't forget that they are transmitted in clear text). And when a certificate is used, the adversary will only see in his logs our fake User-Name - guest or client - and an error of the type Unknown CA Certificate.

A little more about macOS

Usually on macOS a system restore is done over the Internet. In recovery mode the Mac must be connected to WiFi, and neither our corporate WiFi nor the guest network will work here. Personally, I set up another network, regular WPA2-PSK, hidden, only for technical work. Or you can prepare a bootable USB flash drive with the system in advance. But if the Mac is newer than 2015, you will need to find an adapter for that flash drive)

Source: www.habr.com