Embedded Files
Versão avaliada: Fedora 42
O protocolo EAP é utilizado para realizar autenticação no padrão 802.1X para dispositivos móveis.
A configuração que segue abaixo é a mínima para o funcionamento.
Configuração EAP-TTLS + PAP
Configuração EAP-TTLS + PAP
Configure
# vi /etc/raddb/mods-enabled/eap
....
eap {
....
default_eap_type = ttls
Configure
# vi /etc/raddb/sites-enabled/inner-tunnel
authorize {
...
ldap
...
if (!&control:Auth-Type && &User-Password) {
update control {
&Auth-Type := LDAP
}
}
...
authenticate {
...
Auth-Type LDAP {
ldap
}
Reinicie o serviço.
# systemctl restart radiusd.service
Teste de funcionamento Local
Teste de funcionamento Local
Com um dispositivo móvel, configure a interface de rede.
Segurança Wi-FI: WPA & WPA2 Enterprise
Autenticação: Tunneled TLS ou TLS encapsulado
Habilite No CA certificate is required
Inner authentication: PAP
Username: Insira o usuário
Password: Insira a senha
Configure EAP-PEAP
Configure EAP-PEAP
# cd /etc/raddb/mods-available
....
eap {
....
default_eap_type = peap
Configure
# vi /etc/raddb/sites-enabled/inner-tunnel
authorize {
...
update control {
&Proxy-To-Realm := DOMAIN
}
# ipa service-add cifs/samba-hl251.local.domain
# ipa-getkeytab -s ipa-server -p cifs/samba-hl251.local.domain -k /etc/samba/samba.keytab
# ipa permission-add "CIFS server can read user passwords" --attrs={ipaNTHash,ipaNTSecurityIdentifier} --type=user --right={read,search,compare} --bindtype=permission
# ipa privilege-add "CIFS server privilege"
# ipa privilege-add-permission "CIFS server privilege" --permission="CIFS server can read user passwords"
# ipa role-add "CIFS server"
# ipa role-add-privilege "CIFS server" --privilege="CIFS server privilege"
# # ipa role-add-member "CIFS server" --services=cifs/hl251.local.domain
# vi /etc/samba/smb.conf
[global]
workgroup = DOMAIN
realm = LOCAL.DOMAIN
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
security = ads
Reinicie o serviço.
# systemctl restart radiusd.service
Link:
Configure EAP
Configure EAP
# cd /etc/raddb/mods-available
# mv eap eap.Default
# egrep -v "^\s*(#|$)" eap.Default > eap
# ln -s /etc/raddb/mods-available/eap /etc/raddb/mods-enabled/eap
Edite o arquivo EAP em
# vi eap
/etc/raddb/mods-enabled/eap
default_eap_type = tls
private_key_password = <Password you set output_password in server.cnf>
private_key_file = ${certdir}/server.pem
ca_file = ${cadir}/cacrl.pem
random_file = /dev/random
check_crl = yes
cipher_list = "HIGH"
cipher_list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA"
ecdh_curve = "secp384r1"
name = "EAP-TLS"
persist_dir = "${logdir}/tlscache"
eap eap-client {
tls-config tls-common {
private_key_file = ${certdir}/fisrt.key
certificate_file = ${certdir}/first.crt
dh_file = ${certdir}/dh
ca_path = ${cadir}
cipher_list = "HIGH"
cipher_server_preference = no
ecdh_curve = "prime256v1"
check_crl = no
}
ttls {
tls = tls-common
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
}
eap eap-guest {
default_eap_type = ttls
tls-config tls-common {
private_key_passwotd=whatever
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.crt
dh_file = ${certdir}/dh
ca_path = ${cadir}
cipher_list = "HIGH"
cipher_server_preference = no
ecdh_curve = "prime256v1"
check_crl = no
}
ttls {
tls = tls-common
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
}
# systemctl restart radiusd.service
Nota: Valide se o link simbólico esta criado no diretório mods-enable para o serviço EAP.
Autenticação e Autorização
Autenticação e Autorização
# cd /etc/raddb/site-available
# mv default default.Default
# egrep -v "^\s*(#|$)" default.Default > default
server default {
....
authorize {
filter_username
preprocess
if (&User-Name == "guest") {
eap-guest {
ok = return
}
}
elsif (&User-Name == "client") {
eap-client {
ok = return
}
}
else {
eap-guest {
ok = return
}
}
ldap
if ((ok || updated) && User-Password) {
update {
control:Auth-Type := ldap
}
}
expiration
logintime
pap
}
authenticate {
Auth-Type LDAP {
ldap
}
Auth-Type eap-guest {
eap-guest
}
Auth-Type eap-client {
eap-client
}
pap
}
....
}
Nota: Valide se o link simbólico esta criado no diretório site-enable para o serviço default.
INNER-TUNNEL
INNER-TUNNEL
# cd /etc/raddb/site-available
# mv inner-tunnel inner-tunnel.Default
# egrep -v "^\s*(#|$)" inner-tunnel.Default > inner-tunnel
# cat inner-tunnel
server inner-tunnel {
....
authorize {
filter_username
filter_inner_identity
update control {
&Proxy-To-Realm := LOCAL
}
ldap {
if ((ok || updated) && User-Password) {
update {
control:Auth-Type := ldap
}
}
expiration
digest
logintime
pap
}
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type eap-guest {
eap-guest
}
Auth-Type eap-client {
eap-client
}
ldap
}
....
} # inner-tunnel server block
# vi policy.d/filter
....
if (&outer.request:User-Name !~ /^(anon|@)/) {
update request {
Module-Failure-Message = "User-Name is not anonymized"
}
reject
}
}
elsif (&outer.request:User-Name !~ /^(guest|client|@)/) {
update request {
Module-Failure-Message = "User-Name is not anonymized"
}
reject
}
....
Nota: Valide se o link simbólico esta criado no diretório site-enable para o serviço inner-tunnel.
Page updated
Google Sites
Report abuse