802.1X - Recap
EAP Methods
RADIUS - AAA
Installation & Configuration
EAP Methods

Creating a self-signed root Certificate Authority, the client/server certificates it signs, and managing the certificate revocation list (CRL)

ROOT CA
    public key / private key
Certificates signed by the ROOT CA:
    Client certificate
        public key / private key
    Server certificate
        public key / private key
Options:
    Lifetime = 365      // validity period (days)
    Password            // protects the certificate (the private_key_password used in eap.conf)
    Common_Name         // identifier used for authentication
RADIUS - AAA
Authorization
Restrictions: time of day, number of hours, VLAN, SSID, bandwidth, QoS...
Backends: LDAP, AD, database, flat files, PAM...
Commercial products:
    Microsoft Windows Server
    Cisco ACS
    ...
Installation & Configuration
radiusd (daemon) or radiusd -X (debug mode)
radiusd.conf:
    NAS IP / shared secret
    EAP method configuration
    realm/domain lists, suffixes
clients.conf configuration
    client 192.168.0.10 {
        secret = secret_partage    # shared secret (must also be set in the NAS configuration)
        shortname = nom            # name shown in real-time displays
    }
users configuration
Three important parts:
    - identifier (username)
    - check items (+ authentication method?)
    - reply items

    pierre   User-Password == "password"
             Tunnel-Type = 13,                  # => VLAN type (802.1Q)
             Tunnel-Medium-Type = 6,            # => Ethernet type (IEEE 802)
             Tunnel-Private-Group-Id = 12,      # => VLAN id
             Cisco-AVPair += "ip:inacl#1=deny ip any any"

    DEFAULT  Auth-Type := LDAP, Autz-Type := LDAP

    DEFAULT  Auth-Type := Reject               # or Accept
             Reply-Message = "..:: ACCES REFUSE ::.."
users configuration: operators
Check items:
    ==             equal
    !=             not equal
    >, >=, <, <=   comparison
    =~ reg_expr    matches the regular expression
    !~ reg_expr    does not match the regular expression
    =*             attribute is present (any value)
    !*             attribute is absent
    :=             set a configuration item (always matches)
Reply items:
    =              add if the attribute is not already present
    :=             set, replacing any existing value
    +=             add to the list
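The users-file matching described on the two slides above, as an added Python example that is not from the slides or from FreeRADIUS: it parses entries in this layout, applies the check-item operators (==, !=, =~, !~, with := setting a config item) to a request, and builds the reply with = and +=. The users text, the request dictionaries and the function names are constructed for the example; it stops at the first matching entry (no Fall-Through), and the >, <, =* and !* operators are left out.

```python
import re

# Constructed sample in the slide's layout: a named entry, a regex-matched
# DEFAULT for guest accounts, then the catch-all Reject (first match wins).
USERS = """\
pierre  User-Password == "password", NAS-IP-Address == 192.168.0.10
        Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = 12,
        Cisco-AVPair += "ip:inacl#1=deny ip any any"

DEFAULT User-Name =~ "^guest[0-9]+$", Auth-Type := Accept
        Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = 99

DEFAULT Auth-Type := Reject
        Reply-Message = "..:: ACCES REFUSE ::.."
"""
# attribute, operator, value ("quoted" or bare), followed by ',' or end of text
ITEM = re.compile(r'([\w-]+)\s*(==|!=|=~|!~|:=|\+=|=)\s*("[^"]*"|\S+?)\s*(?:,|$)')

def parse_items(text):
    return [(a, op, v.strip('"')) for a, op, v in ITEM.findall(text)]

def parse_users(text):
    """Yield (name, check items, reply items) per blank-line-separated block."""
    for block in text.strip().split("\n\n"):
        first, *rest = block.splitlines()          # 'name checks' then reply lines
        name, _, checks = first.partition(" ")
        yield name, parse_items(checks), parse_items(" ".join(rest))

def check_matches(checks, request):
    """Comparison operators filter the request; ':=' only sets a config item."""
    for attr, op, value in checks:
        if op == ":=":
            continue
        have = request.get(attr)
        if have is None or not {"==": have == value, "!=": have != value,
                                "=~": re.search(value, have) is not None,
                                "!~": re.search(value, have) is None}[op]:
            return False
    return True

def authorize(users_text, request):
    """(config items, reply items) of the first entry whose checks all match."""
    for name, checks, replies in parse_users(users_text):
        if name in (request.get("User-Name"), "DEFAULT") and check_matches(checks, request):
            config = {a: v for a, op, v in checks if op == ":="}
            reply = {}
            for attr, op, value in replies:   # += appends instead of replacing
                if op == "+=": reply.setdefault(attr, []).append(value)
                else: reply[attr] = value
            return config, reply
    return {}, {}
```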
radiusd.conf configuration
..: MODULE EXAMPLES :..
    unix {
        cache = no
        cache_reload = 600          # seconds => 10 min
        passwd = /etc/passwd
        shadow = /etc/shadow
        group = /etc/group
    }
    ldap mes_serveurs_ldap {
        server = "ldap.univ-lille1.fr"
        basedn = "ou=users,dc=univ-lille1,dc=fr"
        start_tls = no
        filter = "(&(uid=%{User-Name}))"
        ldap_connections_number = 20
        timeout = 10
        timelimit = 10
        net_timeout = 10
    }
radiusd.conf configuration
    # realm/username
    realm IPASS {
        format = prefix
        delimiter = "/"
    }
    # username@realm
    realm suffix {
        format = suffix
        delimiter = "@"
    }

    authorize {
        # auth_log             # log requests
        chap                   # CHAP request?
        mschap                 # MS-CHAP request?
        IPASS
        suffix
        eap                    # analyses the EAP type (TLS/PEAP...)
        files                  # users file
        # sql                  # via SQL database
        # etc_smbpasswd        # passwd-style file
        ldap                   # LDAP directory
        # daily                # time/counter limits (e.g. Max-Daily-Session := xx)
    }
radiusd.conf configuration
..: AAA :..
Behaviour depends on the values analysed in the authorize section
    authenticate {
        # Auth-Type => set in users or detected in authorize
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        # pam
        unix
        Auth-Type LDAP {
            ldap
        }
        eap
    }
radiusd.conf configuration
..: AAA :..
    accounting {
        # log file, detailed request/reply
        detail
        # Update the wtmp file for radlast
        unix
        # For Simultaneous-Use tracking
        radutmp
    }
eap.conf configuration
Global EAP configuration
    eap {
        default_eap_type = peap
        ignore_unknown_eap_types = yes    # other types => Reject
        tls { .... }
    }
eap.conf configuration
    tls {
        ## Server certificate
        private_key_password = password
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        ## Trusted Certificate Authority (ROOT CA)
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        ## DH and random files
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        ## Revocation list
        check_crl = yes
    }