Several examples of setting up corporate WiFi have already been described. Here I will describe how I implemented such a solution and the problems I ran into when connecting different devices. We will use the existing LDAP with its established users, install FreeRadius and configure WPA2-Enterprise on the Ubnt controller. Everything looks simple. Let's see…
A little about EAP methods
Before starting the work, we need to decide which authentication method we will use in our solution.
From Wikipedia:
EAP is an authentication framework that is often used in wireless networks and point-to-point connections. The format was first defined in RFC 3748 and updated in RFC 5247.
EAP is used to select an authentication method, pass keys, and process those keys through plugins called EAP methods. There are many EAP methods, both those defined by EAP itself and those released by individual vendors. EAP does not define the link layer; it only defines the message format. Each protocol that uses EAP has its own protocol for encapsulating EAP messages.
The methods themselves:
- LEAP is a proprietary protocol developed by Cisco. Vulnerabilities have been found in it. It is currently not recommended for use.
- EAP-TLS is well supported among wireless vendors. It is a secure protocol because it follows the SSL standards. Client setup is rather complex. It requires a client certificate in addition to the password. It is supported on many systems.
- EAP-TTLS is widely supported on many systems; it offers good security using PKI certificates only on the authentication server.
- EAP-MD5 is another open standard. It offers minimal security. It is vulnerable and does not support mutual authentication or key generation.
- EAP-IKEv2 is based on the Internet Key Exchange Protocol version 2. It provides mutual authentication and session key establishment between client and server.
- PEAP is a joint proposal by Cisco, Microsoft and RSA Security as an open standard. It is widely available in products and provides very good security. It is similar to EAP-TTLS and requires only a server-side certificate.
- PEAPv0/EAP-MSCHAPv2: after EAP-TLS, this is the second most widely used standard in the world. The client-server combination is used by Microsoft, Cisco, Apple, Linux.
- PEAPv1/EAP-GTC was created by Cisco as an alternative to PEAPv0/EAP-MSCHAPv2. It does not protect the authentication data in any way. It is not supported on Windows.
- EAP-FAST is a method developed by Cisco to fix the flaws of LEAP. It uses a Protected Access Credential (PAC). It is not fully finalized.
Out of all this variety, the choice is not large. The required authentication method had to provide good security, support on all devices (Windows 10, macOS, Linux, Android, iOS) and, honestly, be as simple as possible. So the choice fell on EAP-TTLS combined with the PAP protocol.
The question may arise: why use PAP? After all, it transmits passwords in cleartext?
Yes, that is right. The communication between FreeRadius and FreeIPA will happen exactly this way. In debug mode you can trace how the username and password are sent. Yes, and let them go; only you have access to the FreeRadius server.
You can read more about how EAP-TTLS works
FreeRADIUS
We will set up FreeRadius on CentOS 7.6. Nothing complicated here; we install it the usual way.
yum install freeradius freeradius-utils freeradius-ldap -y
The packages install version 3.0.13. The latest one can be taken from
After this, FreeRadius is already working. You can uncomment the line in /etc/raddb/users
steve Cleartext-Password := "testing"
Start the server in debug mode
freeradius -X
And make a test connection to localhost
radtest steve testing 127.0.0.1 1812 testing123
We got the response Received Access-Accept Id 115 from 127.0.0.1:1812 to 127.0.0.1:56081 length 20, which means everything is fine. Moving on.
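To see what radtest actually puts on the wire, and why a PAP password on the RADIUS leg is protected only by the shared secret (outside the EAP-TTLS tunnel it is effectively plaintext), here is an added example that is my code, not the article's or FreeRADIUS's. It builds the same Access-Request radtest sends, encodes User-Password as RFC 2865 specifies, and checks a reply's Response Authenticator; the secret and credentials are the page's test values, the NAS address 127.0.0.1 is assumed.

```python
import hashlib
import os
import struct

# RFC 2865 codes/attribute types; the secret and credentials used below are the
# page's radtest values (testing123, steve/testing), assumed for this demo only.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], stream))
        out += prev
    return out

def pap_decrypt(encrypted: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Anyone holding the shared secret (e.g. from clients.conf) inverts this directly.
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encrypted[i:i + 16], stream))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, user, password, secret, authenticator=None):
    # The packet radtest sends: 4-byte header, 16-byte Request Authenticator, AVPs.
    authenticator = authenticator or os.urandom(16)
    avps = (attr(USER_NAME, user.encode())
            + attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
            + attr(NAS_IP_ADDRESS, bytes([127, 0, 0, 1])))  # assumed NAS address
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(avps)) + authenticator + avps

def parse_attrs(packet: bytes) -> dict:
    avps, pos = {}, 20
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2:  # malformed AVP; stop instead of looping forever
            break
        avps[kind] = packet[pos + 2:pos + length]
        pos += length
    return avps

def build_response(code, ident, request_auth, secret, avps=b""):
    # What the server computes: MD5(Code | ID | Length | RequestAuth | AVPs | Secret).
    header = struct.pack("!BBH", code, ident, 20 + len(avps))
    return header + hashlib.md5(header + request_auth + avps + secret).digest() + avps

def response_is_authentic(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    # A reply whose authenticator does not match was not produced with our secret.
    return response == build_response(response[0], response[1], request_auth, secret, response[20:])
```

Send the bytes from build_access_request over UDP to 127.0.0.1:1812 while freeradius -X is running, and pass the reply together with the request's authenticator to response_is_authentic before trusting its code.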
Enable the ldap module.
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
And edit it right away. We need FreeRadius to be able to access FreeIPA
mods-enabled/ldap
ldap {
    server = "ldap://ldap.server.com"
    port = 636
    start_tls = yes
    identity = "uid=admin,cn=users,dc=server,dc=com"
    password = **********
    base_dn = "cn=users,dc=server,dc=com"
    set_auth_type = yes
    ...
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    ...
Restart the radius server and check that LDAP users authenticate:
radtest user_ldap password_ldap localhost 1812 testing123
Edit eap in mods-enabled/eap
Here we will add two eap instances. They differ only in their certificates and keys. I will explain why this is so below.
mods-enabled/eap
eap eap-client {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    tls-config tls-common {
        private_key_file = ${certdir}/first.key
        certificate_file = ${certdir}/first.crt
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        cipher_list = "HIGH"
        cipher_server_preference = no
        ecdh_curve = "prime256v1"
        check_crl = no
    }
    ttls {
        tls = tls-common
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}
eap eap-guest {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    tls-config tls-common {
        private_key_password = blablabla
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.crt
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        cipher_list = "HIGH"
        cipher_server_preference = no
        ecdh_curve = "prime256v1"
        check_crl = no
    }
    ttls {
        tls = tls-common
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}
Next we edit sites-enabled/default. I am interested in the authorize and authenticate sections.
sites-enabled/default
authorize {
    filter_username
    preprocess
    if (&User-Name == "guest") {
        eap-guest {
            ok = return
        }
    }
    elsif (&User-Name == "client") {
        eap-client {
            ok = return
        }
    }
    else {
        eap-guest {
            ok = return
        }
    }
    ldap
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap
        }
    }
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type LDAP {
        ldap
    }
    Auth-Type eap-guest {
        eap-guest
    }
    Auth-Type eap-client {
        eap-client
    }
    pap
}
In the authorize section we remove all the modules we do not need. We leave only ldap. We add client authentication by username. That is why we added two eap instances above.
Multiple EAP
The point is that when connecting some devices we will use the system certificates and specify the domain. We have a certificate and key from a trusted certificate authority. Personally, in my opinion, this connection procedure is simpler than pushing a self-signed certificate onto every device. But even so it was not possible to get by without self-signed certificates. Samsung devices and Android version 6 and below cannot use the system certificates. So we create a separate eap-guest instance for them with self-signed certificates. For all other devices we will use eap-client with the trusted certificate. The username is set by the anonymous identity when connecting the device. Only 3 values are allowed: guest, client and empty. Everything else is rejected. This is configured in the policies. I will give an example later.
Let's edit the authorize and authenticate sections in sites-enabled/inner-tunnel
sites-enabled/inner-tunnel
authorize {
    filter_username
    filter_inner_identity
    update control {
        &Proxy-To-Realm := LOCAL
    }
    ldap
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap
        }
    }
    expiration
    digest
    logintime
    pap
}
authenticate {
    Auth-Type eap-guest {
        eap-guest
    }
    Auth-Type eap-client {
        eap-client
    }
    Auth-Type PAP {
        pap
    }
    ldap
}
Next, we need to specify in the policies which names may be used for anonymous login. Edit policy.d/filter.
You need to find lines like these:
if (&outer.request:User-Name !~ /^(anon|@)/) {
    update request {
        Module-Failure-Message = "User-Name is not anonymized"
    }
    reject
}
And below, in the elsif, add the required values:
elsif (&outer.request:User-Name !~ /^(guest|client|@)/) {
    update request {
        Module-Failure-Message = "User-Name is not anonymized"
    }
    reject
}
Now we need to move to the certs directory. Here we need to put the key and certificate from the trusted certificate authority, which we already have, and we need to generate the self-signed certificates for eap-guest.
Change the parameters in the ca.cnf file.
ca.cnf
...
default_days = 3650
default_md = sha256
...
input_password = blablabla
output_password = blablabla
...
countryName = RU
stateOrProvinceName = State
localityName = City
organizationName = NONAME
emailAddress = [email protected]
commonName = "CA FreeRadius"
We write the same values in the server.cnf file. We change only commonName:
server.cnf
...
default_days = 3650
default_md = sha256
...
input_password = blablabla
output_password = blablabla
...
countryName = RU
stateOrProvinceName = State
localityName = City
organizationName = NONAME
emailAddress = [email protected]
commonName = "Server Certificate FreeRadius"
Build:
make
Done. We got server.crt and the key, which we already registered above in eap-guest.
And finally, let's add our access points to the clients.conf file. I have 7 of them. So as not to add each point separately, we register only the network they are in (my access points are in a separate VLAN).
client APs {
    ipaddr = 192.168.100.0/24
    secret = password_AP
}
Ubiquiti controller
We raise a separate network on the controller. Let it be 192.168.2.0/24
Go to Settings -> Profiles. Create a new one:
Enter the address and port of the radius server and the secret written in the clients.conf file:
Create a new wireless network name. Select WPA-EAP (Enterprise) as the authentication method and specify the radius profile we created:
Save everything, apply and move on.
Setting up the clients
Let's start with the hardest part!
Windows 10
The difficulty is that Windows still does not know how to connect to corporate WiFi via a domain. So we have to load our certificate into the trusted certificate store manually. Here you can use either a self-signed one or one from a certificate authority. I will use the second.
Next you need to create a new connection. To do this, go to Network and Internet Settings -> Network and Sharing Center -> Set up a new connection or network:
Enter the network name manually and change the security type. Then click Change connection settings and on the Security tab select the network authentication method - EAP-TTLS.
Go to Settings, set identity privacy - client. As the trusted certificate authority select the certificate we added, check the box "Do not prompt user if server cannot be authenticated" and select the authentication method - unencrypted password (PAP).
Then go to Advanced settings and check "Specify authentication mode." Select "User authentication" and click Save credentials. Here you will need to enter username_ldap and password_ldap
Save, apply, close everything. You can connect to the new network.
Linux
Tested on Ubuntu 18.04, 18.10, Fedora 29, 30.
First, download the certificate. I have not found out whether it is possible on Linux to use the system certificates, or whether such a store exists at all.
We will connect via the domain. So we need the certificate from the certificate authority where our certificate was bought.
The whole connection is done in one window. Select our network:
anonymous identity - client
domain - the domain for which the certificate was issued
Android
non-Samsung
From version 7, when connecting to WiFi you can use the system certificates by specifying only the domain:
domain - the domain for which the certificate was issued
anonymous identity - client
Samsung
As I wrote above, Samsung devices cannot use the system certificates when connecting to WiFi and cannot connect via a domain. So the certificate authority's root certificate (ca.pem, take it from the Radius server) has to be added manually. This is where the self-signed one is used.
Download the certificate to your device and install it.
Installing the certificate
In this case you will have to set a screen unlock pattern, PIN code or password, if one is not set already:
I showed the complicated way of installing the certificate. On most devices, simply tap the downloaded certificate.
When the certificate is installed, you can proceed to the connection:
certificate - specify the one you installed
anonymous identity - guest
Mac
Apple devices can only connect with EAP-TLS out of the box, but they still need a certificate. To specify a different connection method, you need Apple Configurator 2. Accordingly, you first download it to your Mac, create a new profile and add all the required WiFi settings.
Apple Configurator
Here we specify our network name
Security type - WPA2 Enterprise
Accepted EAP types - TTLS
Username and Password - leave empty
Inner authentication - PAP
Outer identity - client
Trust tab. Here we specify our domain
That is it. The profile can be saved, signed and distributed to devices
After the profile is ready, you need to download it to your Mac and install it. During installation you will have to enter the user's username_ldap and password_ldap:
iOS
The process is similar to macOS. You need to use a profile (you can use the same one as for macOS; see above for how to create a profile in Apple Configurator).
Download the profile, install it, enter the credentials, connect:
That is all. We set up the Radius server, synchronized it with FreeIPA, and told the Ubiquiti access points to use WPA2-EAP.
Possible questions
Q: how to deliver the profile/certificate to an employee?
A: I keep all certificates/profiles on an FTP with web access. I set up a guest network with a speed limit and Internet access only, apart from the FTP.
Authentication lasts 2 days, after which it is reset and the client is left without Internet. That is, when an employee wants to connect to WiFi, he first connects to the guest network, goes to the FTP, downloads the certificate or profile he needs, installs it, and can then connect to the corporate network.
Q: why not use a scheme with MSCHAPv2? it is more secure!
A: firstly, this scheme works well on NPS (Windows Network Policy Server); in our implementation it is necessary to additionally configure LDAP (FreeIpa) and store password hashes on the server. Additional configuration is not recommended, since it can lead to various problems with system synchronization. Secondly, the hash is MD4, so it does not add much security
Q: Is it possible to authorize devices by MAC address?
A: NO, this is not secure; an attacker can spoof MAC addresses, and moreover, MAC address authorization is not supported on many devices.
Q: Why use all these certificates? you can connect without them
A: the certificates are used to authenticate the server. That is, when connecting, the device checks whether it is a trusted server or not. If so, authentication continues; if not, the connection is closed. You can connect without certificates, but if an attacker or a neighbour sets up a radius server and an access point with the same name as ours at home, he can easily intercept user credentials (do not forget that they are transmitted in cleartext). And when a certificate is used, the adversary will see in his logs only the fictitious username - guest or client - and the error type - Unknown CA certificate.
A little about macOS
By default, on macOS, reinstalling the system is done over the Internet. In recovery mode the Mac must be connected to WiFi, and neither our corporate WiFi nor the guest network will work here. Personally, I set up another network, ordinary WPA2-PSK, hidden, only for technical work. Or you can make a bootable USB flash drive with the system in advance. But if your Mac is newer than 2015, you will also have to get an adapter for this flash drive)
Source: www.habr.com