
Implementing 802.1X/PEAP on a wireless network infrastructure with a RADIUS server

Course notes

Contents:
Objective
Sources of information
  802.11i theory
  Design
  Basic prototype
  Advanced prototype
802.11i standard concepts
  802.1X
  Authentication: Extensible Authentication Protocol
  Encryption
  PEAP
Prototype
  Configuration
  Configuring AAA with freeradius
Advanced variants

Objective
This implementation addresses the security weakness of deploying WPA/WPA2 Personal in an enterprise. It consists of a WPA2 Enterprise deployment using the PEAP (MSCHAPv2) method. This example uses IEEE 802.3, IEEE 802.11n, IEEE 802.11i, IEEE 802.1X, RADIUS, PEAP (MS-CHAPv2) and a flat user file, with a single PC and one access point. Other topologies and protocol choices are possible. The point here is to distinguish the concepts of authentication and encryption at the different layers of the OSI model.

Sources of information
Before anything else, reading the documentation is recommended.

802.11i theory
http://www.hsc.fr/ressources/articles/hakin9_wifi/hakin9_wifi_FR.pdf
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/secwlandg20/ch3_2_SPMb.html#wp1056095

Design
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Dot1X_Deployment/Dot1x_Dep_Guide.htm

Basic prototype
http://opentodo.net/2012/07/02/configuring-aaa-with-freeradius/

Advanced prototype
http://fr.slideshare.net/Pronetis/authentification-rseau-8021x-peapmschapv2
http://www.serverwatch.com/server-reviews/the-9-best-low-cost-radius-servers.html

802.11i standard concepts

802.1X

Authentication: Extensible Authentication Protocol
(Figure: EAP roles: Supplicant, Authenticator, Authentication Server)

Encryption
(Figure: 4-Way Handshake)

PEAP

Prototype
Here is the topology to test. It is functional.

Configuration
For example, among the examples that http://www.google.com can provide:

Configuring AAA with freeradius


July 2, 2012 by Ivan Mora Perez in GNU/Linux, Networking, Security.

PEAP (Protected Extensible Authentication Protocol) is an authentication method based on two simple steps:

1. The client establishes a TLS session with the server.

2. The server authenticates the client over the same digital certificate with a RADIUS server.

This allows EAP to use insecure authentication protocols like MS-CHAP v2 (the Microsoft version of CHAP, used in this tutorial because it is the default type supported by Windows clients) within a secure tunnel. RADIUS (Remote Authentication Dial In User Service) is a network protocol that provides Authentication, Authorization and Accounting for connecting to network services. I'll configure a simple scenario with an access point authenticating the wireless access with FreeRADIUS:

Configuring FreeRADIUS

1.- Install freeradius:

    # apt-get install freeradius

2.- Edit EAP method:

    # vi /etc/freeradius/eap.conf
    default_eap_type = peap

3.- Adding new users:

    # vi /etc/freeradius/users
    tuxuser   Cleartext-Password := "P@sswd4Tux"
    tuxadmin  Cleartext-Password := "P@sswrd4Admin"

4.- Enabling and configuring mschap-v2 protocol:

    # vi /etc/freeradius/modules/mschap
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes

5.- Reloading new libraries:

    # ldconfig

6.- Add new radius clients (Access point):

    # vi /etc/freeradius/clients.conf
    client 192.168.1.2/24 {
        # values containing spaces or punctuation must be quoted
        secret    = "0peN2d0!"
        shortname = "Linksys WRT160NL"
    }

7.- Restarting service and testing radius authentication:

    # service freeradius restart
    # radtest tuxuser P@sswd4Tux 192.168.1.10 1812 0peN2d0!

Configuring Access Point:

Configuring the client (Android based phone):

Official page of FreeRADIUS project: http://freeradius.org/
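The radtest check in step 7 of the tutorial above sends a plain PAP Access-Request whose only protection is the shared secret from clients.conf. The Python below is an added example, not part of the tutorial or of FreeRADIUS: it builds that packet the way RFC 2865 describes, hides the User-Password with the MD5 keystream, and shows the client-side check of the Response Authenticator that stops anyone without the secret from forging or altering the server's answer. The secret, user and password are the tutorial's values; the 16-byte Request Authenticator is fixed in the test for repeatability where radtest would draw it at random.

```python
import hashlib
import struct

# Constructed values, copied from the radtest line in the tutorial above.
SECRET, USER, PASSWORD = b"0peN2d0!", b"tuxuser", b"P@sswd4Tux"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2

def attr(kind, value):
    """One attribute in Type-Length-Value form (RFC 2865, section 5)."""
    return bytes([kind, 2 + len(value)]) + value

def hide_password(password, secret, request_auth):
    """User-Password hiding of RFC 2865 5.2: each 16-byte block is XORed with
    MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, request_auth, user, password, secret):
    """The Access-Request radtest sends (PAP, so the password itself travels)."""
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD,
                                         hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_accept(ident, request_auth, secret, attrs=b""):
    """Server side: the reply authenticator proves the server knows the secret."""
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs

def verify_reply(reply, request_auth, secret):
    """Client side: recompute the authenticator and return the reply Code only if
    the packet is intact and was built by a holder of the secret, else None."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length != len(reply):
        return None
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return code if reply[4:20] == expected else None
```

Both authenticators rest on MD5 keyed with the shared secret, which is why a short or guessable secret in clients.conf weakens every exchange with that access point.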

Advanced variants
RADIUS server: Windows SSO, Active Directory integration
PEAP MS-CHAPv2 / NTLM authentication on a proxy
Typical Cisco deployment
