Versão avaliada: Fedora 42
O EAP é o protocolo de autenticação transportado pelo padrão 802.1X; aqui ele é configurado para dispositivos móveis.
A configuração que segue abaixo é a mínima para o funcionamento.
Configure
# vi /etc/raddb/mods-enabled/eap
....
eap {
....
default_eap_type = ttls
Configure
# vi /etc/raddb/sites-enabled/inner-tunnel
authorize {
...
ldap
...
if (!&control:Auth-Type && &User-Password) {
update control {
&Auth-Type := LDAP
}
}
...
authenticate {
...
Auth-Type LDAP {
ldap
}
...
post-auth {
...
ldap
...
Reinicie o serviço.
# systemctl restart radiusd.service
Com um dispositivo móvel, configure a interface de rede.
Segurança Wi-Fi: WPA & WPA2 Enterprise
Autenticação: Tunneled TLS ou TLS encapsulado
Habilite No CA certificate is required (sem validar o certificado do servidor RADIUS, o cliente aceita qualquer servidor e a senha PAP enviada dentro do túnel fica exposta a um ponto de acesso falso)
Inner authentication: PAP
Username: Insira o usuário
Password: Insira a senha
# cd /etc/raddb/mods-enabled
# vi /etc/raddb/mods-enabled/eap
....
eap {
....
default_eap_type = peap
....
peap {
default_eap_type = mschapv2
....
Configure
# vi /etc/raddb/sites-enabled/default
authorize {
...
mschap
...
authenticate {
...
Auth-Type MS-CHAP {
mschap
}
...
mschap
...
# vi /etc/raddb/sites-enabled/inner-tunnel
authorize {
...
mschap
...
authenticate {
...
Auth-Type MS-CHAP {
mschap
}
...
mschap
...
# ipa service-add cifs/samba-hl251.local.domain
# ipa-getkeytab -s ipa-server -p cifs/samba-hl251.local.domain -k /etc/samba/samba.keytab
# ipa permission-add "CIFS server can read user passwords" --attrs={ipaNTHash,ipaNTSecurityIdentifier} --type=user --right={read,search,compare} --bindtype=permission
# ipa privilege-add "CIFS server privilege"
# ipa privilege-add-permission "CIFS server privilege" --permission="CIFS server can read user passwords"
# ipa role-add "CIFS server"
# ipa role-add-privilege "CIFS server" --privilege="CIFS server privilege"
# # ipa role-add-member "CIFS server" --services=cifs/hl251.local.domain
# vi /etc/samba/smb.conf
[global]
workgroup = DOMAIN
realm = LOCAL.DOMAIN
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
security = ads
https://gist.github.com/nazunalika/245f0f3c174a9ae129078567b0d645f6
# ipa service-add 'radius/hl251.local.domain'
# ipa service-add-host --hosts=hl251.local.domain radius/hl251.local.domain
# ipa role-add "samba/radius auth"
# ipa privilege-add "NTLM Password Hash Access"
# ipa permission-add "Read Samba NTLM RC4 Password Hash attribute" --attrs=ipaNTHash --attrs=sambaNTPassword --attrs=sambaPwdLastSet --attrs=sambaSID --attrs=sambaAcctFlags --attrs=sambaDomainName --type=user --right=read --right=compare
# ipa privilege-add-permission "NTLM Password Hash Access" --permissions="Read Samba NTLM RC4 Password Hash attribute"
# ipa role-add-member "samba/radius auth" --services="radius/hl251.local.domain"
# ipa-getkeytab -p 'radius/hl251.local.domain' -s hl251.local.domain -k /etc/raddb/radius.keytab
# chown root:radiusd /etc/raddb/radius.keytab
# chmod 640 /etc/raddb/radius.keytab
# mkdir -p /etc/systemd/system/radiusd.service.d
# cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf << EOF
[Service]
Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
ExecStartPre=-/usr/bin/kdestroy -A
ExecStopPost=-/usr/bin/kdestroy -A
EOF
# systemctl daemon-reload
# ldapmodify -x -D 'cn=Directory Manager' -W
Enter password: <admin password>
dn: krbprincipalname=radius/hl251.local.domain@LOCAL.DOMAIN,cn=services,cn=accounts,dc=local,dc=domain
changetype: modify
add: objectClass
objectClass: simpleSecurityObject
-
add: userPassword
userPassword: ldap123
Configurar o serviço NTLM
# dnf install ntlm_auth
# vi mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
#program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
program = "/usr/bin/ntlm_auth --request-nt-key --domain=LOCAL.DOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}
# vi mods-enabled/mschap
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
Ajustar a permissão de acesso do serviço radiusd ao diretório privilegiado do WINBIND (o usuário radiusd precisa pertencer ao grupo wbpriv):
/var/lib/samba/winbindd_privileged
# usermod -aG wbpriv radiusd
Reinicie o serviço.
# systemctl restart radiusd.service
Link: 1 / 2 / 3 / 4 / 5
# cd /etc/raddb/mods-available
# mv eap eap.Default
# egrep -v "^\s*(#|$)" eap.Default > eap
# ln -s /etc/raddb/mods-available/eap /etc/raddb/mods-enabled/eap
Edite o arquivo EAP em
# vi eap
/etc/raddb/mods-enabled/eap
default_eap_type = tls
private_key_password = <Password you set output_password in server.cnf>
private_key_file = ${certdir}/server.pem
ca_file = ${cadir}/cacrl.pem
random_file = /dev/random
check_crl = yes
cipher_list = "HIGH"
cipher_list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA"
ecdh_curve = "secp384r1"
name = "EAP-TLS"
persist_dir = "${logdir}/tlscache"
eap eap-client {
tls-config tls-common {
private_key_file = ${certdir}/first.key
certificate_file = ${certdir}/first.crt
dh_file = ${certdir}/dh
ca_path = ${cadir}
cipher_list = "HIGH"
cipher_server_preference = no
ecdh_curve = "prime256v1"
check_crl = no
}
ttls {
tls = tls-common
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
}
eap eap-guest {
default_eap_type = ttls
tls-config tls-common {
private_key_password = whatever
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.crt
dh_file = ${certdir}/dh
ca_path = ${cadir}
cipher_list = "HIGH"
cipher_server_preference = no
ecdh_curve = "prime256v1"
check_crl = no
}
ttls {
tls = tls-common
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
}
# systemctl restart radiusd.service
Nota: Valide se o link simbólico está criado no diretório mods-enabled para o serviço EAP.
# cd /etc/raddb/sites-available
# mv default default.Default
# egrep -v "^\s*(#|$)" default.Default > default
server default {
....
authorize {
filter_username
preprocess
if (&User-Name == "guest") {
eap-guest {
ok = return
}
}
elsif (&User-Name == "client") {
eap-client {
ok = return
}
}
else {
eap-guest {
ok = return
}
}
ldap
if ((ok || updated) && User-Password) {
update {
control:Auth-Type := ldap
}
}
expiration
logintime
pap
}
authenticate {
Auth-Type LDAP {
ldap
}
Auth-Type eap-guest {
eap-guest
}
Auth-Type eap-client {
eap-client
}
pap
}
....
}
Nota: Valide se o link simbólico está criado no diretório sites-enabled para o serviço default.
# cd /etc/raddb/sites-available
# mv inner-tunnel inner-tunnel.Default
# egrep -v "^\s*(#|$)" inner-tunnel.Default > inner-tunnel
# cat inner-tunnel
server inner-tunnel {
....
authorize {
filter_username
filter_inner_identity
update control {
&Proxy-To-Realm := LOCAL
}
ldap {
if ((ok || updated) && User-Password) {
update {
control:Auth-Type := ldap
}
}
expiration
digest
logintime
pap
}
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type eap-guest {
eap-guest
}
Auth-Type eap-client {
eap-client
}
ldap
}
....
} # inner-tunnel server block
# vi policy.d/filter
....
if (&outer.request:User-Name !~ /^(anon|@)/) {
update request {
Module-Failure-Message = "User-Name is not anonymized"
}
reject
}
}
elsif (&outer.request:User-Name !~ /^(guest|client|@)/) {
update request {
Module-Failure-Message = "User-Name is not anonymized"
}
reject
}
....
Nota: Valide se o link simbólico está criado no diretório sites-enabled para o serviço inner-tunnel.