Ezinye izibonelo zokuhlela i-WiFi yebhizinisi sezichaziwe. Lapha ngizochaza ukuthi ngenze kanjani isisombululo esifanayo nezinkinga obekufanele ngibhekane nazo lapho ngixhuma kumadivayisi ahlukene. Sizosebenzisa i-LDAP ekhona enabasebenzisi ababhalisiwe, sikhulise i-FreeRadius futhi silungiselele i-WPA2-Enterprise kusilawuli se-Ubnt. Konke kubonakala kulula. Asiboneβ¦
Okuncane mayelana nezindlela ze-EAP
Ngaphambi kokuqhubeka nomsebenzi, sidinga ukunquma ukuthi iyiphi indlela yokuqinisekisa esizoyisebenzisa esixazululweni sethu.
Kusuka ku-Wikipedia:
I-EAP iwuhlaka lokuqinisekisa oluvame ukusetshenziswa kumanethiwekhi angenawaya kanye noxhumano olukhomba iphuzu. Ifomethi iqale yachazwa ku-RFC 3748 futhi yabuyekezwa ku-RFC 5247.
I-EAP isetshenziselwa ukukhetha indlela yokuqinisekisa, okhiye bokudlula, nokucubungula labo khiye ngama-plug-in abizwa ngokuthi izindlela ze-EAP. Kunezindlela eziningi ze-EAP, zombili ezichazwe nge-EAP ngokwayo futhi ezikhishwe abathengisi ngabanye. I-EAP ayichazi isendlalelo sesixhumanisi, ichaza kuphela ifomethi yomlayezo. Iphrothokholi ngayinye esebenzisa i-EAP inephrothokholi yayo ye-EAP encapsulation.
Izindlela ngokwazo:
- I-LEAP iphrothokholi yobunikazi eyakhiwe yi-CISCO. Kutholwe ubungozi. Okwamanje akunconywa ukuthi isetshenziswe
- I-EAP-TLS isekelwa kahle phakathi kwabathengisi abangenazintambo. Kuyiphrothokholi evikelekile ngoba ilandela izindinganiso ze-SSL. Ukusetha iklayenti kuyinkimbinkimbi kakhulu. Udinga isitifiketi seklayenti ngaphezu kwephasiwedi. Isekelwe kumasistimu amaningi
- I-EAP-TTLS - isekelwa kabanzi kumasistimu amaningi, inikeza ukuphepha okuhle ngokusebenzisa izitifiketi ze-PKI kuphela kuseva yokuqinisekisa.
- I-EAP-MD5 ingelinye izinga elivulekile. Inikeza ukuphepha okuncane. Isengcupheni, ayisekeli ukuqinisekiswa okufanayo kanye nokukhiqiza ukhiye
- I-EAP-IKEv2 - isekelwe kunguqulo 2 ye-Internet Key Exchange Protocol. Inikeza ukuqinisekiswa okufanayo kanye nokusungulwa kokhiye weseshini phakathi kweklayenti neseva
- I-PEAP iyisixazululo esihlanganyelwe se-CISCO, iMicrosoft kanye ne-RSA Security njengezinga elivulekile. Itholakala kabanzi emikhiqizweni, inikeza ukuphepha okuhle kakhulu. Ifana ne-EAP-TTLS, idinga kuphela isitifiketi ohlangothini lweseva
- I-PEAPv0/EAP-MSCHAPv2 - ngemva kwe-EAP-TLS, leli izinga lesibili elisetshenziswa kabanzi emhlabeni. Kusetshenziswe ubudlelwano beklayenti neseva kuMicrosoft, Cisco, Apple, Linux
- I-PEAPv1/EAP-GTC - Idalwe ngu-Cisco njengenye indlela ye-PEAPv0/EAP-MSCHAPv2. Ayivikeli idatha yokuqinisekisa nganoma iyiphi indlela. Ayisekelwe ku-Windows OS
- I-EAP-FAST iwuhlelo oluthuthukiswe yi-Cisco ukulungisa amaphutha e-LEAP. Isebenzisa Ukuqinisekisa Ukufinyelela Okuvikelekile (PAC). Akuqediwe ngokuphelele
Kukho konke lokhu kwehluka, ukukhetha kusekukhulu. Indlela yokuqinisekisa yayidingeka: ukuphepha okuhle, ukusekelwa kuwo wonke amadivayisi (Windows 10, macOS, Linux, Android, iOS) futhi, empeleni, kulula kangcono. Ngakho-ke, ukukhetha kuwele ku-EAP-TTLS ngokuhlanganyela nephrothokholi ye-PAP.
Umbuzo ungaphakama - Kungani usebenzisa i-PAP? ngoba uthumela amagama ayimfihlo kucace?
Yebo kunjalo. Ukuxhumana phakathi kweFreeRadius neFreeIPA kuzokwenzeka ngale ndlela. Kumodi yokususa iphutha, ungakwazi ukulandelela ukuthi igama lomsebenzisi nephasiwedi zithunyelwa kanjani. Yebo, futhi bayeke bahambe, nguwe kuphela onokufinyelela iseva yeFreeRadius.
Ungafunda kabanzi ngomsebenzi we-EAP-TTLS
MahhalaRADIUS
I-FreeRadius izophakanyiswa ku-CentOS 7.6. Akukho lutho oluyinkimbinkimbi lapha, sibeka ngendlela evamile.
yum install freeradius freeradius-utils freeradius-ldap -yInguqulo engu-3.0.13 ifakiwe kusukela kumaphakheji. Lesi sakamuva singathathwa
Ngemuva kwalokho, iFreeRadius isivele isebenza. Ungakwazi ukukhulula umugqa ku-/etc/raddb/users
steve Cleartext-Password := "testing"Yethula kuseva kumodi yokususa iphutha
freeradius -XFuthi wenze uxhumano lokuhlola kusuka ku-localhost
radtest steve testing 127.0.0.1 1812 testing123Ngithole impendulo Uthole i-Id yokufinyelela-Yamukela 115 ukusuka ku-127.0.0.1:1812 ukuya ku-127.0.0.1:56081 ubude obungu-20, kusho ukuthi konke kuhamba kahle. Qhubeka.
Sixhuma imojula ldap.
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldapFuthi sizoyishintsha ngokushesha. Sidinga i-FreeRadius ukuze sikwazi ukufinyelela i-FreeIPA
mods-enabled/ldap
ldap {
server="ldap://ldap.server.com"
port=636
start_tls=yes
identity="uid=admin,cn=users,dc=server,dc=com"
password=**********
base_dn="cn=users,dc=server,dc=com"
set_auth_type=yes
...
user {
base_dn="${..base_dn}"
filter="(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}
...Qala kabusha iseva yerediyasi futhi uhlole ukuvumelanisa kwabasebenzisi be-LDAP:
radtest user_ldap password_ldap localhost 1812 testing123
Ukuhlela i-eap ku mods-enabled/eap
Lapha sengeza izimo ezimbili ze-eap. Zizohluka kuphela ngezitifiketi nokhiye. Ngezansi ngizochaza ukuthi kungani lokhu kunjalo.
mods-enabled/eap
eap eap-client { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests}
tls-config tls-common {
private_key_file = ${certdir}/fisrt.key
certificate_file = ${certdir}/first.crt
dh_file = ${certdir}/dh
ca_path = ${cadir}
cipher_list = "HIGH"
cipher_server_preference = no
ecdh_curve = "prime256v1"
check_crl = no
}
ttls {
tls = tls-common
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
}
eap eap-guest {
default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests}
tls-config tls-common {
private_key_passwotd=blablabla
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.crt
dh_file = ${certdir}/dh
ca_path = ${cadir}
cipher_list = "HIGH"
cipher_server_preference = no
ecdh_curve = "prime256v1"
check_crl = no
}
ttls {
tls = tls-common
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
}Ukuhlela okwengeziwe isayithi-enikwe amandla/okuzenzakalelayo. Izigaba zokugunyaza nokuqinisekisa ziyintshisekelo.
isayithi-enikwe amandla/okuzenzakalelayo
authorize {
filter_username
preprocess
if (&User-Name == "guest") {
eap-guest {
ok = return
}
}
elsif (&User-Name == "client") {
eap-client {
ok = return
}
}
else {
eap-guest {
ok = return
}
}
ldap
if ((ok || updated) && User-Password) {
update {
control:Auth-Type := ldap
}
}
expiration
logintime
pap
}
authenticate {
Auth-Type LDAP {
ldap
}
Auth-Type eap-guest {
eap-guest
}
Auth-Type eap-client {
eap-client
}
pap
}Esigabeni sokugunyaza, sisusa wonke amamojula esingawadingi. Sishiya i-ldap kuphela. Engeza ukuqinisekiswa kweklayenti ngegama lomsebenzisi. Yingakho sengeze izimo ezimbili ze-eap ngenhla.
I-EAP eminingiIqiniso liwukuthi ngokuxhuma amanye amadivayisi sizosebenzisa izitifiketi zesistimu futhi sicacise isizinda. Sinesitifiketi kanye nokhiye ovela kwabasemagunyeni abathembekile. Ngokwami, ngokubona kwami, inqubo enjalo yokuxhuma ilula kunokuphonsa isitifiketi esizisayinele kudivayisi ngayinye. Kodwa nangaphandle kwezitifiketi ezizisayinisile, akuzange kuphumelele. Amadivayisi e-Samsung ne-Android =< 6 izinguqulo azikwazi ukusebenzisa izitifiketi zesistimu. Ngakho-ke, kubo sidala isibonelo esihlukile se-eap-guest enezitifiketi ezizisayinele. Kuwo wonke amanye amadivayisi, sizosebenzisa i-eap-client nesitifiketi esithenjwayo. Igama lomsebenzisi linqunywa indawo engaziwa lapho idivayisi ixhunyiwe. Amanani ama-3 kuphela avunyelwe: Isivakashi, Iklayenti kanye nenkundla engenalutho. Konke okunye kulahliwe. Izolungiswa kosopolitiki. Ngizonikeza isibonelo kamuva.
Masihlele izigaba zokugunyaza futhi sigunyaze kuzo isayithi-enikwe amandla/umhubhe wangaphakathi
isayithi-enikwe amandla/umhubhe wangaphakathi
authorize {
filter_username
filter_inner_identity
update control {
&Proxy-To-Realm := LOCAL
}
ldap
if ((ok || updated) && User-Password) {
update {
control:Auth-Type := ldap
}
}
expiration
digest
logintime
pap
}
authenticate {
Auth-Type eap-guest {
eap-guest
}
Auth-Type eap-client {
eap-client
}
Auth-Type PAP {
pap
}
ldap
}Okulandelayo, udinga ukucacisa kuzinqubomgomo ukuthi yimaphi amagama angasetshenziselwa ukungena ngemvume ngokungaziwa. Iyahlela policy.d/filtha.
Udinga ukuthola imigqa efana nalena:
if (&outer.request:User-Name !~ /^(anon|@)/) {
update request {
Module-Failure-Message = "User-Name is not anonymized"
}
reject
}Futhi ngezansi ku-elsif engeza amanani oyifunayo:
elsif (&outer.request:User-Name !~ /^(guest|client|@)/) {
update request {
Module-Failure-Message = "User-Name is not anonymized"
}
reject
}Manje sidinga ukuthuthela kunkomba izitifiketi. Lapha udinga ukubeka ukhiye nesitifiketi esivela kwabaphathi bezitifiketi ezethenjwayo, esesivele sinazo futhi esizidingayo ukuze sikhiqize izitifiketi ezizisayinele ze-eap-guest.
Shintsha amapharamitha kufayela ca.cnf.
ca.cnf
...
default_days = 3650
default_md = sha256
...
input_password = blablabla
output_password = blablabla
...
countryName = RU
stateOrProvinceNmae = State
localityNmae = City
organizationName = NONAME
emailAddress = [email protected]
commonName = "CA FreeRadius"Sibhala amanani afanayo efayeleni iseva.cnf. Siyashintsha kuphela
igama elivamile:
iseva.cnf
...
default_days = 3650
default_md = sha256
...
input_password = blablabla
output_password = blablabla
...
countryName = RU
stateOrProvinceNmae = State
localityNmae = City
organizationName = NONAME
emailAddress = [email protected]
commonName = "Server Certificate FreeRadius"Dala:
makeIlungile. Kwamukelwe iseva.crt ΠΈ server.key sesibhalisile ngenhla ku-eap-guest.
Futhi ekugcineni, ake sengeze izindawo zethu zokufinyelela kufayela iklayenti.conf. Nginabo abangu-7. Ukuze singangezi iphuzu ngalinye ngokwehlukana, sizobhala kuphela inethiwekhi lapho zitholakala khona (izindawo zami zokufinyelela ziku-VLAN ehlukile).
client APs {
ipaddr = 192.168.100.0/24
password = password_AP
}Isilawuli se-Ubiquiti
Siphakamisa inethiwekhi ehlukile kusilawuli. Makube ngu-192.168.2.0/24
Iya kuzilungiselelo -> iphrofayili. Sakha entsha:
Sibhala ikheli kanye nembobo yeseva yerediyasi kanye nephasiwedi eyayibhalwe efayeleni amaklayenti.conf:
Dala igama elisha lenethiwekhi engenantambo. Khetha i-WPA-EAP (Ibhizinisi) njengendlela yokuqinisekisa futhi ucacise iphrofayela yerediyasi edaliwe:
Sigcina yonke into, sisebenzise futhi siqhubeke.
Ukusetha amaklayenti
Ake siqale ngokunzima kakhulu!
Windows 10
Ubunzima buza eqinisweni lokuthi iWindows ayikayazi indlela yokuxhuma kwi-WiFi yebhizinisi ngesizinda. Ngakho-ke, kufanele silayishe mathupha isitifiketi sethu esitolo sesitifiketi esethembekile. Lapha ungasebenzisa kokubili ozazisayinela wena kanye nakwabaphathi bezitifiketi. Ngizosebenzisa owesibili.
Okulandelayo, udinga ukudala uxhumano olusha. Ukuze wenze lokhu, iya kunethiwekhi nezilungiselelo ze-inthanethi -> Inethiwekhi Nesikhungo Sokwabelana -> Dala futhi ulungiselele ukuxhumana okusha noma inethiwekhi:
Faka mathupha igama lenethiwekhi bese ushintsha uhlobo lokuphepha. Ngemva kokuchofoza shintsha izilungiselelo zokuxhuma naku-Ezokuphepha ithebhu, khetha ukuqinisekiswa kwenethiwekhi - EAP-TTLS.
Singena kumapharamitha, sinikeze ubumfihlo bokuqinisekisa - iklayenti. Njengesiphathimandla sokunikeza izitifiketi esithenjiwe, khetha isitifiketi esisingezile, khetha ibhokisi elithi "Ungakhiphi isimemo kumsebenzisi uma iseva ingenakugunyazwa" bese ukhetha indlela yokuqinisekisa - iphasiwedi engabetheliwe (PAP).
Okulandelayo, hamba kuzilungiselelo ezithuthukile, beka uphawu kokuthi "Cacisa imodi yokuqinisekisa." Khetha "Ukuqinisekiswa Komsebenzisi" bese uchofoza gcina imininingwane. Lapha uzodinga ukufaka igama lomsebenzisi_ldap kanye ne-password_ldap
Silondoloza yonke into, sisebenzise, ββsivale. Ungakwazi ukuxhuma kunethiwekhi entsha.
Linux
Ngihlole ku-Ubuntu 18.04, 18.10, Fedora 29, 30.
Okokuqala, ake silande isitifiketi sethu. Angitholanga ku-Linux ukuthi kungenzeka yini ukusebenzisa izitifiketi zesistimu nokuthi sikhona yini isitolo esinjalo.
Masixhume esizindeni. Ngakho-ke, sidinga isitifiketi esivela kwabaphathi bezitifiketi lapho isitifiketi sethu sithengwe khona.
Konke ukuxhumana kwenziwa efasiteleni elilodwa. Ukukhetha inethiwekhi yethu:
ikhasimende elingaziwa
isizinda - isizinda esikhishelwe sona isitifiketi
Android
okungeyona i-Samsung
Kusukela kunguqulo 7, lapho uxhuma i-WiFi, ungasebenzisa izitifiketi zesistimu ngokucacisa isizinda kuphela:
isizinda - isizinda esikhishelwe sona isitifiketi
ikhasimende elingaziwa
Samsung
Njengoba ngibhale ngenhla, amadivaysi e-Samsung awazi ukuthi asetshenziswa kanjani izitifiketi zesistimu lapho exhuma ku-WiFi, futhi awanawo amandla okuxhuma ngesizinda. Ngakho-ke, kufanele ungeze mathupha isitifiketi sempande yesiphathimandla sokunikeza isitifiketi (ca.pem, sisithatha kuseva yeRadius). Lapha yilapho kuzosetshenziswa ukuzisayina ngokwakho.
Landa isitifiketi kudivayisi yakho futhi usifake.
Ukufakwa Kwesitifiketi
Ngesikhathi esifanayo, uzodinga ukusetha iphethini yokuvula isikrini, iphinikhodi noma iphasiwedi, uma ingasethiwe kakade:
Ngibonise inguqulo eyinkimbinkimbi yokufaka isitifiketi. Kumadivayisi amaningi, mane uchofoze esitifiketini esilandiwe.
Uma isitifiketi sifakiwe, ungaqhubekela ekuxhumekeni:
isitifiketi - khombisa esifakiwe
umsebenzisi ongaziwa - isivakashi
macOS
Amadivayisi we-Apple angaphandle kwebhokisi angaxhuma kuphela ku-EAP-TLS, kodwa usadinga ukuphonsa isitifiketi kuwo. Ukuze ucacise indlela yokuxhumana ehlukile, udinga ukusebenzisa i-Apple Configurator 2. Ngokuvumelana nalokho, kufanele uqale uyilande ku-Mac yakho, udale iphrofayela entsha bese wengeza zonke izilungiselelo ezidingekayo ze-WiFi.
I-Apple Configurator
Faka igama lenethiwekhi yakho lapha
Uhlobo Lokuphepha - WPA2 Enterprise
Izinhlobo ze-EAP Ezamukelwe - TTLS
Igama lomsebenzisi nephasiwedi - shiya kungenalutho
Ukuqinisekiswa Kwangaphakathi - PAP
I-Outer Identity-iklayenti
Thembela ithebhu. Lapha sicacisa isizinda sethu
Konke. Iphrofayela ingalondolozwa, isayinwe futhi isatshalaliswe kumadivayisi
Ngemuva kokuthi iphrofayili isilungile, udinga ukuyilanda ku-poppy futhi uyifake. Phakathi nenqubo yokufaka, uzodinga ukucacisa i-usernmae_ldap ne-password_ldap yomsebenzisi:
iOS
Inqubo ifana ne-macOS. Udinga ukusebenzisa iphrofayili (ungasebenzisa efanayo neye-macOS. Ungayakha kanjani iphrofayili ku-Apple Configurator, bheka ngenhla).
Landa iphrofayela, faka, faka imininingwane, xhuma:
Yilokho kuphela. Setha iseva ye-Radius, sayivumelanisa ne-FreeIPA, futhi satshela i-Ubiquiti APs ukuthi isebenzise i-WPA2-EAP.
Imibuzo engenzeka
B: uyidlulisela kanjani iphrofayili/isitifiketi kusisebenzi?
MAYELANA: Ngigcina zonke izitifiketi/amaphrofayili ku-ftp ngokufinyelela kuwebhu. Ikhulise inethiwekhi yesivakashi enomkhawulo wesivinini kanye nokufinyelela ku-inthanethi kuphela, ngaphandle kwe-ftp.
Ukufakazela ubuqiniso kuthatha izinsuku ezingu-2, ngemva kwalokho kumiswa kabusha futhi iklayenti lishiywe ngaphandle kwe-inthanethi. Lokho. uma isisebenzi sifuna ukuxhuma ku-WiFi, siqale sixhume kunethiwekhi yesivakashi, sifinyelele ku-FTP, silande isitifiketi noma iphrofayela esiyidingayo, siyifake, bese sixhuma kunethiwekhi yebhizinisi.
B: kungani ungasebenzisi i-schema nge-MSCHAPv2? Uphephe kakhudlwana!
MAYELANA: Okokuqala, uhlelo olunjalo lusebenza kahle ku-NPS (Isistimu Yenqubomgomo Yenethiwekhi YeWindows), ekusetshenzisweni kwethu kuyadingeka ukuze ungeze i-LDAP (FreeIpa) futhi ugcine ama-hashi ephasiwedi kuseva. Engeza. akufanelekile ukwenza izilungiselelo, ngoba. lokhu kungaholela ezinkingeni ezihlukahlukene zokuvumelanisa i-ultrasound. Okwesibili, i-hashi yi-MD4, ngakho ayifaki ukuphepha okuningi.
B: kungenzeka yini ukugunyaza amadivayisi ngamakheli e-mac?
MAYELANA: CHA, lokhu akuphephile, umhlaseli angashintsha amakheli e-MAC, futhi ngisho nangaphezulu ukugunyazwa ngamakheli e-MAC akusekelwa kumadivayisi amaningi.
B: yini okufanele isetshenziswe ngokujwayelekile zonke lezi zitifiketi? ungakwazi ukujoyina ngaphandle kwabo?
MAYELANA: izitifiketi zisetshenziselwa ukugunyaza iseva. Labo. uma uxhuma, idivayisi ihlola ukuthi iyiseva engathenjwa noma cha. Uma kunjalo, khona-ke ukuqinisekiswa kuyaqhubeka, uma kungenjalo, uxhumano luvaliwe. Ungakwazi ukuxhuma ngaphandle kwezitifiketi, kodwa uma umhlaseli noma umakhelwane emisa iseva yerediyasi nendawo yokufinyelela enegama elifanayo nelethu ekhaya, angakwazi ukuvimba kalula izifakazelo zomsebenzisi (ungakhohlwa ukuthi zidluliselwa ngombhalo ocacile). Futhi uma kusetshenziswa isitifiketi, isitha sizobona kulogi lwaso kuphela iGama lethu Lomsebenzisi elingamanga - isivakashi noma iklayenti kanye nephutha lohlobo - Isitifiketi Se-CA Esingaziwa
okuningi mayelana ne-macOSImvamisa ku-macOS, ukufaka kabusha uhlelo kwenziwa nge-Intanethi. Kumodi yokutakula, i-Mac kufanele ixhumeke ku-WiFi, futhi ngeke i-WiFi yethu yebhizinisi noma inethiwekhi yesivakashi izosebenza lapha. Ngokwami, ngiphakamise enye inethiwekhi, i-WPA2-PSK evamile, efihliwe, kuphela imisebenzi yobuchwepheshe. Noma usengenza i-USB flash drive ebhuthayo ngohlelo kusenesikhathi. Kodwa uma i-poppy ingemva kuka-2015, usazodinga ukuthola i-adaptha yale flash drive)
Source: www.habr.com