Enterprise WiFi. FreeRadius + FreeIPA + Ubiquiti

Some examples of setting up corporate WiFi have already been described. Here I will describe how I implemented a similar solution and the problems I ran into when connecting different devices. We will use the existing LDAP with its registered users, bring up FreeRadius and configure WPA2-Enterprise on the Ubnt controller. Everything looks simple. Let's see…

A little about EAP methods

Before proceeding, we need to decide which authentication method we will use in our solution.

From Wikipedia:

EAP is an authentication framework that is frequently used in wireless networks and point-to-point connections. The format was first described in RFC 3748 and updated in RFC 5247.
EAP is used to select an authentication method, to pass keys, and to process those keys with plug-ins called EAP methods. There are many EAP methods, both defined with EAP itself and released by individual vendors. EAP does not define the link layer, it only defines the message format. Each protocol that uses EAP has its own protocol for encapsulating EAP messages.

The methods themselves:

  • LEAP is a proprietary protocol developed by CISCO. Vulnerabilities have been found. Currently not recommended for use
  • EAP-TLS is well supported among wireless vendors. It is a secure protocol because it is the successor to the SSL standards. Client setup is quite complicated. You need a client certificate in addition to the password. Supported on many systems
  • EAP-TTLS - widely supported on many systems, provides good security by using PKI certificates only on the authentication server
  • EAP-MD5 is another open standard. Provides minimal security. Vulnerable, does not support mutual authentication and key generation
  • EAP-IKEv2 - based on the Internet Key Exchange Protocol version 2. Provides mutual authentication and session key establishment between client and server
  • PEAP is a joint solution of CISCO, Microsoft and RSA Security as an open standard. Widely available in products, provides very good security. Similar to EAP-TTLS, requiring only a server-side certificate
  • PEAPv0/EAP-MSCHAPv2 - after EAP-TLS, this is the second most widely used standard in the world. Used for the client-server relationship in Microsoft, Cisco, Apple, Linux
  • PEAPv1/EAP-GTC - created by Cisco as an alternative to PEAPv0/EAP-MSCHAPv2. Does not protect authentication data in any way. Not supported on Windows OS
  • EAP-FAST is a method developed by Cisco to fix the shortcomings of LEAP. Uses a Protected Access Credential (PAC). Completely unfinished

Out of all this variety, the choice is still not large. The authentication method needed: good security, support on all devices (Windows 10, macOS, Linux, Android, iOS) and, in fact, the simpler the better. So the choice fell on EAP-TTLS together with the PAP protocol.
A question may arise: why use PAP? After all, it transmits passwords in the clear?

Yes, that's right. Communication between FreeRadius and FreeIPA will take place exactly this way. In debug mode you can watch how the username and password are sent. Yes, and let them go, only you have access to the FreeRadius server.

You can read more about how EAP-TTLS works here

FreeRADIUS

FreeRadius will be brought up on CentOS 7.6. There is nothing complicated here, we install it the usual way.

yum install freeradius freeradius-utils freeradius-ldap -y

Version 3.0.13 was installed from the packages. The latest one can be taken from https://freeradius.org/

After that, FreeRadius is already working. You can uncomment the line in /etc/raddb/users

steve   Cleartext-Password := "testing"

Start the server in debug mode

# the CentOS freeradius package installs the daemon as radiusd
radiusd -X

And make a test connection from localhost

radtest steve testing 127.0.0.1 1812 testing123

We got the response Received Access-Accept Id 115 from 127.0.0.1:1812 to 127.0.0.1:56081 length 20, which means everything is OK. Moving on.

We enable the ldap module.

ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap

And we will change it right away. We need FreeRadius to be able to access FreeIPA

mods-enabled/ldap

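ldap {
    # 636 is the LDAPS port: TLS starts with the connection, so the URI scheme
    # is ldaps:// and StartTLS (an upgrade of plain LDAP on 389) stays off
    server = "ldaps://ldap.server.com"
    port = 636
    start_tls = no
    # account FreeRadius binds with to search for users
    identity = "uid=admin,cn=users,dc=server,dc=com"
    password = **********
    base_dn = "cn=users,dc=server,dc=com"
    set_auth_type = yes
    ...
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    ...
}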

Restart the radius server and check that it works with LDAP users:

radtest user_ldap password_ldap localhost 1812 testing123

Editing eap in mods-enabled/eap
Here we will add two eap instances. They will differ only in certificates and keys. I will explain below why this is so.

mods-enabled/eap

eap eap-client {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}

    # key and certificate from the trusted certificate authority
    tls-config tls-common {
        private_key_file = ${certdir}/first.key
        certificate_file = ${certdir}/first.crt
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        cipher_list = "HIGH"
        cipher_server_preference = no
        ecdh_curve = "prime256v1"
        check_crl = no
    }

    ttls {
        tls = tls-common
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}
eap eap-guest {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}

    # self-signed key and certificate generated in the certs directory
    tls-config tls-common {
        private_key_password = blablabla
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.crt
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        cipher_list = "HIGH"
        cipher_server_preference = no
        ecdh_curve = "prime256v1"
        check_crl = no
    }

    ttls {
        tls = tls-common
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}

Next, edit sites-enabled/default. The authorize and authenticate sections are of interest.

sites-enabled/default

authorize {
  filter_username
  preprocess
  if (&User-Name == "guest") {
   eap-guest {
       ok = return
   }
  }
  elsif (&User-Name == "client") {
    eap-client {
       ok = return 
    }
  }
  else {
    eap-guest {
       ok = return
    }
  }
  ldap
  if ((ok || updated) && User-Password) {
    update {
        control:Auth-Type := ldap
    }
  }
  expiration
  logintime
  pap
}

authenticate {
  Auth-Type LDAP {
    ldap
  }
  Auth-Type eap-guest {
    eap-guest
  }
  Auth-Type eap-client {
    eap-client
  }
  pap
}

In the authorize section we remove all the modules we don't need. We leave only ldap. We add client verification by username. That is why we added two eap instances above.

Multi EAP

The fact is that when connecting some devices we will use system certificates and specify the domain. We have a certificate and key from a trusted certificate authority. Personally, in my opinion, this connection procedure is easier than throwing a self-signed certificate onto every device. But even so, it still did not work out without self-signed certificates. Samsung devices and Android =< 6 versions cannot use system certificates. So we create a separate eap-guest instance for them with self-signed certificates. For all other devices we will use eap-client with a trusted certificate. The User-Name is determined by the Anonymous field when the device connects. Only 3 values are allowed: Guest, Client and an empty field. Everything else is discarded. This will be configured in the policies. I will give an example a little later.

Let's edit the authorize and authenticate sections in sites-enabled/inner-tunnel

sites-enabled/inner-tunnel

authorize {
  filter_username
  filter_inner_identity
  update control {
   &Proxy-To-Realm := LOCAL
  }
  ldap
  if ((ok || updated) && User-Password) {
    update {
        control:Auth-Type := ldap
    }
  }
  expiration
  digest
  logintime
  pap
}

authenticate {
  Auth-Type eap-guest {
    eap-guest
  }
  Auth-Type eap-client {
    eap-client
  }
  Auth-Type PAP {
    pap
  }
  ldap
}

Next, you need to specify in the policies which names may be used for anonymous login. Edit policy.d/filter.

You need to find lines similar to this:

if (&outer.request:User-Name !~ /^(anon|@)/) {
  update request {
    Module-Failure-Message = "User-Name is not anonymized"
  }
  reject
}

And below, in an elsif, add the desired values:

elsif (&outer.request:User-Name !~ /^(guest|client|@)/) {
  update request {
    Module-Failure-Message = "User-Name is not anonymized"
  }
  reject
}

Now we need to go to the certificates directory. Here you need to put the key and certificate from the trusted certificate authority, which we already have, and we need to generate self-signed certificates for eap-guest.

Change the parameters in the ca.cnf file.

ca.cnf


...
default_days = 3650
default_md = sha256
...
input_password = blablabla
output_password = blablabla
...
countryName = RU
stateOrProvinceName = State
localityName = City
organizationName = NONAME
emailAddress = [email protected]
commonName = "CA FreeRadius"

We write the same values in the server.cnf file. We change only
commonName:

server.cnf


...
default_days = 3650
default_md = sha256
...
input_password = blablabla
output_password = blablabla
...
countryName = RU
stateOrProvinceName = State
localityName = City
organizationName = NONAME
emailAddress = [email protected]
commonName = "Server Certificate FreeRadius"

Generate:

make

Done. We have already registered the resulting server.crt and server.key above in eap-guest.

Finally, let's add our access points to the clients.conf file. I have 7 of them. To avoid adding each point separately, we will specify only the network they are in (my access points are in a separate VLAN).

client APs {
    ipaddr = 192.168.100.0/24
    # the shared secret of a client is set with "secret"
    secret = password_AP
}
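
A check that can be run on the RADIUS host before touching the access points, added here as an example (it is not from the original article): it mirrors the outer-identity filter and the authorize routing shown above, then builds an eapol_test profile that trusts the CA matching each EAP instance. It assumes eapol_test from wpa_supplicant is installed; the CA paths, the SSID and radius.example.com are placeholders.

```shell
#!/bin/sh
# Added example. CA paths, SSID and server domain are placeholders (assumptions).
RADDB_CERTS="${RADDB_CERTS:-/etc/raddb/certs}"              # ca.pem written by `make`
PUBLIC_CA="${PUBLIC_CA:-/etc/pki/tls/certs/ca-bundle.crt}"  # CentOS system CA bundle

# Pattern added to policy.d/filter, /^(guest|client|@)/: a prefix match.
outer_identity_allowed() {
    case "$1" in
        guest*|client*|@*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# authorize section of sites-enabled/default: exact "client" -> eap-client,
# "guest" and every other name -> eap-guest.
eap_instance_for() {
    case "$1" in
        client) echo eap-client ;;
        *)      echo eap-guest ;;
    esac
}

# CA the supplicant has to trust for the certificate that instance presents.
ca_for_instance() {
    case "$1" in
        eap-client) echo "$PUBLIC_CA" ;;
        *)          echo "$RADDB_CERTS/ca.pem" ;;
    esac
}

# Print an eapol_test network block for EAP-TTLS with inner PAP.
# $1 outer identity, $2 LDAP user, $3 LDAP password, $4 server domain (optional)
make_eapol_conf() {
    inst=$(eap_instance_for "$1")
    printf 'network={\n'
    printf '    ssid="eap-check"\n'
    printf '    key_mgmt=WPA-EAP\n'
    printf '    eap=TTLS\n'
    printf '    anonymous_identity="%s"\n' "$1"
    printf '    identity="%s"\n' "$2"
    printf '    password="%s"\n' "$3"
    printf '    phase2="auth=PAP"\n'
    printf '    ca_cert="%s"\n' "$(ca_for_instance "$inst")"
    # Pin the server name only where the certificate comes from the public CA.
    if [ "$inst" = eap-client ] && [ -n "${4:-}" ]; then
        printf '    domain_suffix_match="%s"\n' "$4"
    fi
    printf '}\n'
}

# One full handshake against the local server; returns 0 when authentication succeeds.
check_instance() {
    outer_identity_allowed "$1" || { echo "outer identity '$1' fails the filter" >&2; return 3; }
    conf=$(mktemp) || return 2          # mode 0600: the file holds a password
    make_eapol_conf "$@" > "$conf"
    rc=0
    eapol_test -c "$conf" -a 127.0.0.1 -p 1812 -s testing123 >/dev/null 2>&1 || rc=$?
    rm -f "$conf"
    return "$rc"
}

# On the RADIUS host, with the server running:
#   check_instance client user_ldap password_ldap radius.example.com
#   check_instance guest  user_ldap password_ldap
```

An outer identity such as client2 passes the prefix filter but is routed to eap-guest, so a device that expects the CA-issued certificate will refuse the handshake.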

Ubiquiti controller

We bring up a separate network on the controller. Let it be 192.168.2.0/24
Go to settings -> profile. Create a new one:

We enter the address and port of the radius server and the password that was written in the clients.conf file:

Create a new wireless network name. Choose WPA-EAP (Enterprise) as the authentication method and specify the radius profile that was created:

We save everything, apply and move on.

Client setup

Let's start with the hardest one!

Windows 10

The difficulty comes down to the fact that Windows does not yet know how to connect to corporate WiFi by domain. So we have to manually load our certificate into the trusted certificate store. Here you can use either a self-signed one or one from the certificate authority. I will use the second.

Next, you need to create a new connection. To do this, go to Network and Internet settings -> Network and Sharing Center -> Set up a new connection or network:

Manually enter the network name and change the security type. Then click on change connection settings and, on the Security tab, choose the network authentication - EAP-TTLS.

We go into the settings and set the identity privacy to client. As the trusted certification authority, select the certificate we added, tick the box "Don't prompt user if unable to authorize server" and choose the authentication method - unencrypted password (PAP).

Next, go to the advanced settings and tick "Specify authentication mode". Choose "User authentication" and click save credentials. Here you will need to enter username_ldap and password_ldap

We save everything, apply, close. You can connect to the new network.

Linux

I tested on Ubuntu 18.04, 18.10, Fedora 29, 30.

First, download the certificate for yourself. I did not find out whether it is possible to use system certificates in Linux and whether such a store exists at all.

We will connect by domain. So we need the certificate of the certificate authority from which our certificate was purchased.

The whole connection is made in one window. Choose our network:

anonymous - client
domain - the domain for which the certificate was issued

Android

non-Samsung

Starting with version 7, when connecting to WiFi you can use system certificates by specifying only the domain:

domain - the domain for which the certificate was issued
anonymous - client

Samsung

As I wrote above, Samsung devices do not know how to use system certificates when connecting to WiFi, and they do not have the ability to connect by domain. So you have to manually add the root certificate of the certificate authority (ca.pem, we take it from the Radius server). This is where the self-signed ones will be used.

Download the certificate to your device and install it.

Installing the certificate

At the same time you will need to set a screen unlock pattern, PIN or password, if one is not already set:

I showed the complicated way of installing a certificate. On most devices, simply tap the downloaded certificate.

When the certificate is installed, you can proceed to the connection:

certificate - specify the one that was installed
anonymous user - guest

macOS

Apple devices out of the box can only connect with EAP-TLS, but you still need to throw a certificate onto them. To specify a different connection method, you need to use Apple Configurator 2. Accordingly, you first need to download it to your Mac, create a new profile and add all the necessary WiFi settings.

Apple Configurator

Here enter your network name
Security Type - WPA2 Enterprise
Accepted EAP Types - TTLS
User Name and Password - leave empty
Inner Authentication - PAP
Outer Identity - client

Trust tab. Here we specify our domain

That's all. The profile can be saved, signed and distributed to devices

After the profile is ready, you need to download it to the Mac and install it. During installation you will need to specify the user's username_ldap and password_ldap:

iOS

The process is the same as for macOS. You need to use a profile (you can use the same one as for macOS. For how to create a profile in Apple Configurator, see above).

Download the profile, install it, enter the credentials, connect:

That's all. We set up a Radius server, hooked it up to FreeIPA, and told the Ubiquiti APs to use WPA2-EAP.

Possible questions

Q: how do you hand over a profile/certificate to an employee?

A: I store all certificates/profiles on an ftp with web access. I brought up a guest network with a speed limit and access only to the Internet, with the exception of the ftp.
Authentication lasts 2 days, after which it is reset and the client is left without Internet. That is, when an employee wants to connect to WiFi, he first connects to the guest network, goes to the FTP, downloads the certificate or profile he needs, installs it, and then can connect to the corporate network.

Q: why not use a scheme with MSCHAPv2? It is more secure!

A: First, such a scheme works well on NPS (Windows Network Policy System); in our implementation it is necessary to additionally configure LDAP (FreeIpa) and store password hashes on the server. Making additional settings is not advisable, because it can lead to various account synchronization problems. Second, the hash is MD4, so it does not add much security.

Q: Is it possible to authorize devices by MAC address?

A: NO, this is not secure, an attacker can change MAC addresses, and moreover authorization by MAC address is not supported on many devices

Q: What are all these certificates for in general? Can you connect without them?

A: certificates are used to authorize the server. That is, when connecting, the device checks whether it is a server that can be trusted or not. If it is, authentication proceeds; if not, the connection is closed. You can connect without certificates, but if an attacker or a neighbor sets up a radius server and an access point with the same name as ours at home, he can easily intercept the user's credentials (don't forget that they are transmitted in clear text). And when a certificate is used, the adversary will see in his logs only our fictitious User-Name - guest or client - and an error of the type Unknown CA Certificate

A little more about macOS

Usually on macOS, reinstalling the system is done over the Internet. In recovery mode the Mac must be connected to WiFi, and neither our corporate WiFi nor the guest network will work here. Personally, I brought up another network, the usual WPA2-PSK, hidden, only for technical operations. Or you can still make a bootable USB flash drive with the system in advance. But if the Mac is later than 2015, you will still need to find an adapter for that flash drive)

Source: www.habr.com
