Versão avaliada: Fedora 42
O protocolo EAP é utilizado para realizar autenticação no padrão 802.1X para dispositivos móveis.
# cd /etc/raddb/mods-available
# mv eap eap.Default
# egrep -v "^\s*(#|$)" eap.Default > eap
# ln -s /etc/raddb/mods-available/eap /etc/raddb/mods-enabled/eap
Edite o arquivo EAP em /etc/raddb/mods-enabled/eap:
# vi eap
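# Settings to change in the default "eap" module instance (mods-enabled/eap).
# They belong to different nesting levels of that file: default_eap_type at
# the top of "eap { }", the TLS items inside "tls-config tls-common { }", and
# name/persist_dir inside its "cache { }" subsection — TODO confirm against
# the unedited eap.Default.
default_eap_type = tls
# Passphrase of the encrypted server key. Once it is filled in, keep this file
# readable only by root and the radiusd user, since it then carries a secret.
private_key_password = <Password you set output_password in server.cnf>
private_key_file = ${certdir}/server.pem
# CA bundle used to verify client certificates; judging by its name it also
# carries the CRL. With check_crl = yes OpenSSL has to locate that CRL — the
# stock file documents this via ca_path pointing at a c_rehash'ed directory,
# so confirm that a single ca_file with the CRL appended is honoured here.
ca_file = ${cadir}/cacrl.pem
# /dev/urandom instead of /dev/random: the blocking device can stall EAP-TLS
# handshakes on a headless server while the entropy pool refills, and the
# non-blocking device is what the stock eap module file uses — TODO confirm
# on eap.Default.
random_file = /dev/urandom
# Revocation checking is on; revoked client certificates are only rejected if
# the CRL is present and kept up to date.
check_crl = yes
# One explicit cipher list. The original also had a cipher_list = "HIGH" line
# for the same item; only one value can be in effect, so the explicit (and
# stricter) list is the one kept.
cipher_list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA"
ecdh_curve = "secp384r1"
# Session-cache name and on-disk location (cache { } subsection).
name = "EAP-TLS"
persist_dir = "${logdir}/tlscache"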
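# Second "eap" instance; sites-enabled/default selects it for User-Name "client".
eap eap-client {
tls-config tls-common {
# Key/certificate pair for this instance. The key file name now matches
# certificate_file (the original read "fisrt.key", a typo); it must be the
# name of the key that was actually generated.
private_key_file = ${certdir}/first.key
certificate_file = ${certdir}/first.crt
dh_file = ${certdir}/dh
# ca_path has to be a c_rehash'ed directory for OpenSSL to find the CA
# certificates (and CRLs) in it — TODO confirm ${cadir} was rehashed.
ca_path = ${cadir}
# "HIGH" is a broad OpenSSL alias that still includes CBC suites; the default
# instance pins an explicit suite list, which is the stricter choice.
cipher_list = "HIGH"
# With server preference off, the client's suite order decides.
cipher_server_preference = no
ecdh_curve = "prime256v1"
# No revocation checking on this instance; relevant only if client
# certificates are requested during the TTLS handshake.
check_crl = no
}
ttls {
tls = tls-common
# Inner method defaults to EAP-MD5, protected only by the TTLS tunnel.
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = yes
# Tunneled requests are processed by sites-enabled/inner-tunnel.
virtual_server = "inner-tunnel"
}
}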
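# Third "eap" instance; sites-enabled/default uses it for User-Name "guest"
# and as the fallback for every other outer identity.
eap eap-guest {
default_eap_type = ttls
tls-config tls-common {
# Passphrase for an encrypted server.key. The original item was spelled
# "private_key_passwotd", which presumably was ignored as an unknown item, so
# the passphrase never reached OpenSSL. "whatever" looks like a placeholder:
# replace it, and keep this file unreadable to other users once it holds the
# real secret.
private_key_password = whatever
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.crt
dh_file = ${certdir}/dh
# ca_path has to be a c_rehash'ed directory for OpenSSL to find the CA
# certificates (and CRLs) in it — TODO confirm ${cadir} was rehashed.
ca_path = ${cadir}
# "HIGH" is a broad OpenSSL alias that still includes CBC suites; the default
# instance pins an explicit suite list, which is the stricter choice.
cipher_list = "HIGH"
# With server preference off, the client's suite order decides.
cipher_server_preference = no
ecdh_curve = "prime256v1"
# No revocation checking on this instance; relevant only if client
# certificates are requested during the TTLS handshake.
check_crl = no
}
ttls {
tls = tls-common
# Inner method defaults to EAP-MD5, protected only by the TTLS tunnel.
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = yes
# Tunneled requests are processed by sites-enabled/inner-tunnel.
virtual_server = "inner-tunnel"
}
}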
# systemctl restart radiusd.service
Nota: valide se o link simbólico está criado no diretório mods-enabled para o módulo EAP.
# cd /etc/raddb/site-available
# mv default default.Default
# egrep -v "^\s*(#|$)" default.Default > default
# Outer (unencrypted) request processing for sites-enabled/default.
server default {
....
authorize {
filter_username
preprocess
# Choose the eap instance from the outer User-Name: "client" goes to
# eap-client, everything else (including "guest") to eap-guest. The match is
# exact, so e.g. "guest@realm" lands in the fallback branch. "ok = return"
# leaves authorize as soon as the eap instance has produced a reply.
if (&User-Name == "guest") {
eap-guest {
ok = return
}
}
elsif (&User-Name == "client") {
eap-client {
ok = return
}
}
else {
eap-guest {
ok = return
}
}
# Non-EAP requests fall through to LDAP; when the user was found and a
# cleartext User-Password is present, the ldap section in authenticate
# (presumably a bind as the user) does the check.
ldap
if ((ok || updated) && User-Password) {
update {
control:Auth-Type := ldap
}
}
expiration
logintime
pap
}
authenticate {
Auth-Type LDAP {
ldap
}
# Each eap instance sets Auth-Type to its own instance name, which is why both
# need their own section here — TODO confirm against the eap module docs.
Auth-Type eap-guest {
eap-guest
}
Auth-Type eap-client {
eap-client
}
pap
}
....
}
Nota: valide se o link simbólico está criado no diretório sites-enabled para o servidor virtual default.
# cd /etc/raddb/site-available
# mv inner-tunnel inner-tunnel.Default
# egrep -v "^\s*(#|$)" inner-tunnel.Default > inner-tunnel
# cat inner-tunnel
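# Inner (tunneled) request processing for EAP-TTLS, reached through
# virtual_server = "inner-tunnel" in the eap instances.
server inner-tunnel {
....
authorize {
filter_username
# Rejects outer identities that are not anonymized (policy.d/filter).
filter_inner_identity
update control {
&Proxy-To-Realm := LOCAL
}
# "ldap" is a plain module call here. The original had "ldap {" opening a
# block around the if/expiration/digest/logintime/pap lines; a module block in
# unlang may only hold return-code overrides, so that layout should not parse,
# and it also differs from the default site, which lists ldap and the if at
# the same level.
ldap
if ((ok || updated) && User-Password) {
update {
control:Auth-Type := ldap
}
}
expiration
digest
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
# NOTE(review): nothing in this authorize section calls eap-guest or
# eap-client, so these two sections are only reached if Auth-Type is set to
# those values elsewhere — confirm that tunneled EAP-MD5 (the ttls
# default_eap_type) is actually handled.
Auth-Type eap-guest {
eap-guest
}
Auth-Type eap-client {
eap-client
}
ldap
}
....
} # inner-tunnel server block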
# vi policy.d/filter
....
if (&outer.request:User-Name !~ /^(anon|@)/) {
update request {
Module-Failure-Message = "User-Name is not anonymized"
}
reject
}
}
elsif (&outer.request:User-Name !~ /^(guest|client|@)/) {
update request {
Module-Failure-Message = "User-Name is not anonymized"
}
reject
}
....
Nota: valide se o link simbólico está criado no diretório sites-enabled para o servidor virtual inner-tunnel.