Sunday, 6 December 2009
[FreeRadius 2.1.7/OpenLdap] Part 2 - "EAP-TTLS": installation, test with wpa_supplicant and configuration files
By david techer, Sunday 6 December 2009 at 23:42 :: My network and company...
I'm pasting my configuration files here. I'll write the documentation a bit later... It's already 23:40 as I write this post and Simba is waiting for me to go to bed LOL..
FreeRadius: compilation and installation (quick mode)
I ran the tests on a freshly installed Ubuntu 8.04.3 Server Edition under my VMware
apt-get install gcc make libldap2-dev libssl-dev openssl
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.7.tar.gz -O - | tar xzf -
cd freeradius-server-2.1.7
./configure --prefix=/opt/freeradius && make && make install
Certificate generation
Once freeradius is installed, follow the file /opt/freeradius/etc/raddb/certs/README, which I won't detail here.
At the end of the generation, don't forget to run
make random
make dh
Client configuration using wpa_supplicant
With the following configuration in the file:
root@bremko:/var/lib/david/# cat /etc/wpa_supplicant/wifi_belkin54g.conf |grep -v '#'
ctrl_interface=/var/run/wpa_supplicant
ap_scan=1
network={
    ssid="belkin54g"
    scan_ssid=1
    key_mgmt=WPA-EAP
    phase2="auth=PAP"
    identity="LOGIN_LDAP"
    password="PASSWORD_LDAP"
    ca_cert="/etc/wpa_supplicant/certs/ca.pem"
}
Of course, take care here to replace the identity and password parameters as appropriate. Since we're using EAP-TTLS here, the certificate isn't mandatory, but well, it's a habit to have it.
Starting the connection gives
root@bremko:~# /sbin/wpa_supplicant -P /var/run/wpa_supplicant.ath0.pid -i ath0 -Dwext -c /etc/wpa_supplicant/wifi_belkin54g.conf
Trying to associate with 00:30:bd:98:88:5b (SSID='belkin54g' freq=2462 MHz)
Associated with 00:30:bd:98:88:5b
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0)
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
WPA: Key negotiation completed with 00:30:bd:98:88:5b [PTK=TKIP GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 00:30:bd:98:88:5b completed (auth) [id=0 id_str=]
WPA: Group rekeying completed with 00:30:bd:98:88:5b [GTK=TKIP]
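The supplicant configuration above can be checked by a script before it is used. This is an added example, not code from the original post or from wpa_supplicant: it parses the network block with awk and flags the settings that decide whether the inner PAP password is protected, namely key_mgmt, the presence of ca_cert (without it the supplicant has no way to verify which RADIUS server it is talking to before the tunnelled password leaves), and the file mode, since the file holds the LDAP password in clear. The two configuration files it writes are constructed for the demo, and the helper names wpa_get and check_supplicant_conf are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): check a wpa_supplicant network
# block for EAP-TTLS with an inner PAP password. The inner password is only
# protected by the outer TLS tunnel, so the supplicant must be told which CA
# to trust (ca_cert); otherwise it accepts any server certificate.
# The two config files built below are constructed for this demo.

# wpa_get FILE KEY: print KEY's value from the network={...} block, quotes stripped.
wpa_get() {
    awk -v key="$2" '
        /^[[:space:]]*network=[{]/ { inblk = 1; next }
        inblk && /^[[:space:]]*[}]/ { inblk = 0 }
        inblk {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            n = index(line, "=")
            if (n > 0 && substr(line, 1, n - 1) == key) {
                val = substr(line, n + 1)
                gsub(/^"|"$/, "", val)
                print val
                exit
            }
        }' "$1"
}

# check_supplicant_conf FILE: print findings; exit status 0 = acceptable, 1 = weak.
check_supplicant_conf() {
    f="$1"
    rc=0
    km=$(wpa_get "$f" key_mgmt)
    p2=$(wpa_get "$f" phase2)
    ca=$(wpa_get "$f" ca_cert)
    if [ "$km" != "WPA-EAP" ]; then
        echo "$f: key_mgmt is '$km', expected WPA-EAP"
        rc=1
    fi
    if [ -z "$ca" ]; then
        echo "$f: no ca_cert; the inner '$p2' credentials would be sent to any server presenting a certificate"
        rc=1
    fi
    # The file holds the LDAP password in clear: it must not be group/other readable.
    if [ -n "$(wpa_get "$f" password)" ]; then
        perm=$(ls -ld "$f" | cut -c5-10)
        case "$perm" in
            *r*) echo "$f: contains password= but is group/other readable ($perm)"; rc=1 ;;
        esac
    fi
    return $rc
}

# --- constructed demo files: the post's config, with and without ca_cert ---
WPA_DIR=$(mktemp -d)
GOOD_CONF="$WPA_DIR/with_ca.conf"
BAD_CONF="$WPA_DIR/no_ca.conf"
cat > "$GOOD_CONF" <<'EOF'
ctrl_interface=/var/run/wpa_supplicant
ap_scan=1
network={
    ssid="belkin54g"
    scan_ssid=1
    key_mgmt=WPA-EAP
    phase2="auth=PAP"
    identity="LOGIN_LDAP"
    password="PASSWORD_LDAP"
    ca_cert="/etc/wpa_supplicant/certs/ca.pem"
}
EOF
grep -v '^[[:space:]]*ca_cert=' "$GOOD_CONF" > "$BAD_CONF"
chmod 600 "$GOOD_CONF" "$BAD_CONF"

check_supplicant_conf "$GOOD_CONF" && echo "$GOOD_CONF: OK"
check_supplicant_conf "$BAD_CONF" || echo "$BAD_CONF: weak"
```

On a real machine, run check_supplicant_conf as root against /etc/wpa_supplicant/wifi_belkin54g.conf; a non-zero exit status means the file should be fixed before the interface is brought up with it.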
Server side: configuration files
- file etc/raddb/radiusd.conf
prefix = /opt/freeradius
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/${name}.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
    type = auth
    ipaddr = *
    port = 0
}
listen {
    ipaddr = *
    port = 0
    type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
    destination = files
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = yes
    # with these two set to yes, the password of every rejected and every
    # accepted login is written in clear to radius.log
    auth_badpass = yes
    auth_goodpass = yes
    msg_goodpass = "[* * * GOOD LOGIN * * *]"
    msg_badpass = "[* * * BAD LOGIN * * *]"
}
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    $INCLUDE ${confdir}/modules/
    $INCLUDE eap.conf
}
instantiate {
    exec
    expr
    expiration
    logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
- file etc/raddb/modules/pap
pap {
    auto_header = yes
}
- file etc/raddb/modules/ldap
ldap {
    server = "olivia.davidgis.fr"
    basedn = "dc=chezdavid,dc=local"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        # no StartTLS: binds and attribute lookups to olivia.davidgis.fr travel in clear
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    password_attribute = userPassword
    edir_account_policy_check = no
    set_auth_type = yes
}
- file etc/raddb/eap.conf
eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        # the passphrase of server.pem is stored here in clear: keep eap.conf
        # readable by the radiusd user only
        private_key_password = 20091206
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        include_length = yes
        check_cert_cn = %{User-Name}
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"
        cache {
            enable = no
            max_entries = 255
        }
    }
    ttls {
        default_eap_type = gtc
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
        include_length = yes
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}
- file etc/raddb/clients.conf
# the three clients share one secret; a client whose secret leaks can then
# speak for the other two as well
client 127.0.0.1 {
    secret = oliviatuesmonamour
    shortname = monroe
}
client 192.168.2.0/24 {
    secret = oliviatuesmonamour
    shortname = reseaudavidgis
}
client 192.168.2.254 {
    secret = oliviatuesmonamour
    shortname = belkin54g
}
Here the secret is the one to enter in the interface of the AP, whose IP is 192.168.2.254.
- file etc/raddb/sites-enabled/default
authorize {
    preprocess
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    unix
    files
    ldap
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    Auth-Type LDAP {
        ldap
    }
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
    detail
    unix
    radutmp
    attr_filter.accounting_response
}
session {
    radutmp
}
post-auth {
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    eap
}
- file etc/raddb/sites-enabled/inner-tunnel
server inner-tunnel {
    authorize {
        chap
        mschap
        unix
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        ldap
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        Auth-Type LDAP {
            ldap
        }
        eap
    }
    session {
        radutmp
    }
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
}
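An added example, not part of the original post or of FreeRADIUS: a POSIX shell audit of the raddb files above. It reads clients.conf for secret length and secret reuse, modules/ldap for LDAP without StartTLS or ldaps://, and eap.conf for a private_key_password kept in a group/other-readable file. The raddb tree it builds is constructed for the demo (a short secret, testing123, is added on the localhost client so that every check fires); the function names client_secrets and audit_raddb and the 16-character threshold are my choices, not FreeRADIUS settings.

```shell
#!/bin/sh
# Added example (not part of the original post or of FreeRADIUS): audit a
# raddb tree for the settings that matter most in the files above. The
# constructed tree below mirrors the post's config, with one short client
# secret added so every check fires. Findings are printed; the exit status
# of audit_raddb is the number of findings.

# client_secrets FILE: print "client secret" pairs from clients.conf, comments stripped.
client_secrets() {
    sed 's/#.*//' "$1" | awk '
        $1 == "client" { name = $2 }
        $1 == "secret" && $2 == "=" { print name, $3 }'
}

# audit_raddb DIR: check DIR/clients.conf, DIR/modules/ldap and DIR/eap.conf.
audit_raddb() {
    raddb="$1"
    findings=0

    # 1. Short RADIUS shared secrets give little protection against guessing.
    for c in $(client_secrets "$raddb/clients.conf" | awk 'length($2) < 16 { print $1 }'); do
        echo "clients.conf: secret for client $c is shorter than 16 characters"
        findings=$((findings + 1))
    done

    # 2. One secret shared by several clients: a leak from any of them is valid for all.
    for k in $(client_secrets "$raddb/clients.conf" |
               awk '{ n[$2]++ } END { for (s in n) if (n[s] > 1) print n[s] }'); do
        echo "clients.conf: the same secret is used by $k clients"
        findings=$((findings + 1))
    done

    # 3. Without StartTLS or ldaps://, binds and password attributes cross the network in clear.
    if grep -Eq '^[[:space:]]*start_tls[[:space:]]*=[[:space:]]*no' "$raddb/modules/ldap" &&
       ! grep -Eq '^[[:space:]]*server[[:space:]]*=[[:space:]]*"?ldaps://' "$raddb/modules/ldap"; then
        echo "modules/ldap: start_tls = no and server is not ldaps://; LDAP traffic is in clear"
        findings=$((findings + 1))
    fi

    # 4. eap.conf holds private_key_password; it must not be group/other readable.
    if grep -Eq '^[[:space:]]*private_key_password[[:space:]]*=' "$raddb/eap.conf"; then
        perm=$(ls -ld "$raddb/eap.conf" | cut -c5-10)
        case "$perm" in
            *r*) echo "eap.conf: contains private_key_password but is group/other readable ($perm)"
                 findings=$((findings + 1)) ;;
        esac
    fi
    return $findings
}

# --- constructed raddb tree for the demo ---
RADDB=$(mktemp -d)
mkdir "$RADDB/modules"
cat > "$RADDB/clients.conf" <<'EOF'
client 127.0.0.1 {
    secret = testing123
    shortname = monroe
}
client 192.168.2.0/24 {
    secret = oliviatuesmonamour
    shortname = reseaudavidgis
}
client 192.168.2.254 {
    secret = oliviatuesmonamour
    shortname = belkin54g
}
EOF
cat > "$RADDB/modules/ldap" <<'EOF'
ldap {
    server = "olivia.davidgis.fr"
    basedn = "dc=chezdavid,dc=local"
    tls {
        start_tls = no
    }
    password_attribute = userPassword
    set_auth_type = yes
}
EOF
cat > "$RADDB/eap.conf" <<'EOF'
eap {
    default_eap_type = ttls
    tls {
        private_key_password = 20091206
        private_key_file = ${certdir}/server.pem
    }
}
EOF
chmod 644 "$RADDB/eap.conf"   # a typical default mode; the audit flags it

if audit_raddb "$RADDB"; then echo "no findings"; else echo "$? finding(s)"; fi
```

Against the post's own tree the call is audit_raddb /opt/freeradius/etc/raddb; the exit status is the number of findings, so it can gate a deployment script, and the checks are deliberately line-oriented so they work on the flattened files as well as on the indented ones.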