NOTE PER IL CORRETTO FUNZIONAMENTO DI FREERADIUS

Transcript

1 NOTE PER IL CORRETTO FUNZIONAMENTO DI FREERADIUS Sommario 1. Introduzione File radiusd.conf File eap.conf FILE clients.conf FILE 6. Impiego di freeradius con certificati generati tramite easy-rsa di openvpn Esempio reale di generazione dei certificati via easy-rsa Copia dei certificati nella directory certs utilizzata da eap.conf Generazione del certificato utente con estensione p Modifica del file eap.conf per poter operare con i certificati generati con easy-rsa 6.5 Startup di radiusd (Freeradius) con il debugging abilitato...13 Installazione dei certificati su Windows XP Installazione di ca.crt su Windows XP Installazione del certificato utente con estensione p Verifica della corretta installazione dei certificati attraverso mmc console Configurazione PEAP su Windows XP Autenticazione con PEAP...48 Configurazione EAP-TLS su Windows XP users...6 Autenticazione con EAP-TLS...51 Ambiente dei test di laboratorio (hardware software)

2 1. Introduzione Freeradius richiede la configurazione di 4 file: 2. radiusd.conf che contiene i parametri generali di configurazione eap.conf che contiene i parametri specifici di configurazione per l autenticazione basata su protocollo EAP clients.conf contiene le informazioni riguardanti gli Autenticatori (AP, Switch, AccessServer) users è il database locale che contiene le informazioni degli utenti File radiusd.conf IMPORTANTE!!! Se il file radiusd.conf non è stato sistemato nelle ultimissime release ci sono delle informazioni di configurazione nei posti sbagliati. Questo errore, di seguito riportato,impedisce il funzionamento di sistemi di autenticazione come LEAP e PEAP che utilizzano le credenziali Username e Password. Errore riportato dal debug: auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Nel file radiusd, nella sezione authorize bisogna mettere la direttiva "files" prima di "eap": in questo modo viene letto prima il file users e poi parte il processo di autenticazione eap. Sezione del file radiusd.conf da sistemare SEZIONE PRIMA DELLA CURA authorize { The preprocess module takes care of sanitizing some bizarre attributes in the request, and turning them into attributes which are more standard. It takes care of processing the 'raddb/hints' and the 'raddb/huntgroups' files. It also adds the %{Client-IP-Address} attribute to the request. preprocess If you want to have a log of authentication requests, un-comment the following line, and the 'detail auth_log' section, above. 2

3 auth_log attr_filter The chap module will set 'Auth-Type := CHAP' if we are handling a CHAP request and Auth-Type has not already been set chap If the users are logging in with an MS-CHAP-Challenge attribute for authentication, the mschap module will find the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' to the request, which will cause the server to then use the mschap module for authentication. mschap If you have a Cisco SIP server authenticating against FreeRADIUS, uncomment the following line, and the 'digest' line in the 'authenticate' section. digest Look for IPASS style 'realm/', and if not found, look for '@realm', and decide whether or not to proxy, based on that. IPASS If you are using multiple kinds of realms, you probably want to set "ignore_null = yes" for all of them. Otherwise, when the first style of realm doesn't match, the other styles won't be checked. suffix ntdomain This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP authentication. It also sets the EAP-Type attribute in the request attribute list to the EAP type from the packet. eap Read the 'users' file files Così non funziona!!!! SEZIONE DOPO LA CURA authorize { The preprocess module takes care of sanitizing some bizarre attributes in the request, and turning them into attributes which are more standard. 3

4 It takes care of processing the 'raddb/hints' and the 'raddb/huntgroups' files. It also adds the %{Client-IP-Address} attribute to the request. preprocess If you want to have a log of authentication requests, un-comment the following line, and the 'detail auth_log' section, above. auth_log Read the 'users' file files attr_filter The chap module will set 'Auth-Type := CHAP' if we are handling a CHAP request and Auth-Type has not already been set chap If the users are logging in with an MS-CHAP-Challenge attribute for authentication, the mschap module will find the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' to the request, which will cause the server to then use the mschap module for authentication. mschap If you have a Cisco SIP server authenticating against FreeRADIUS, uncomment the following line, and the 'digest' line in the 'authenticate' section. digest Look for IPASS style 'realm/', and if not found, look for '@realm', and decide whether or not to proxy, based on that. IPASS If you are using multiple kinds of realms, you probably want to set "ignore_null = yes" for all of them. Otherwise, when the first style of realm doesn't match, the other styles won't be checked. suffix ntdomain This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP authentication. It also sets the EAP-Type attribute in the request attribute list to the EAP type from the packet. eap 4

5 3. File eap.conf Operazioni da fare sul file: 1. E possibile definire un autenticazione di default che non è esclusiva. Ciò significa che se, per esempio, si sceglie l autenticazione PEAP ci possono essere alcuni utenti che si autenticano con PEAP (default) e utenti che si autenticano via LEAP o EAP-TLS. 2. Se si vuole utilizzare PEAP bisogna abilitarlo togliendo i commenti e bisogna abilitare anche l autenticazione EAP-TLS, togliendo i commenti a questa sezione, perché PEAP si basa comunque su EAP-TLS solo che l utente invece di fornire come credenziale di autenticazione il suo certificato, fornisce Username e Password 3. Ricordarsi di commentare o lasciare commento sul comando check_crl = yes altrimenti i certificati generati verranno considerati revocati, questo comando deve essere eseguito se si vuole controllare la Revocation List, ma in tal caso bisogna eseguire anche gli altri comandi/operazioni di questa sezione di seguito riportata: Check the Certificate Revocation List 1) Copy CA certificates and CRLs to same directory. 2) Execute 'c_rehash <CA certs&crls Directory>'. 'c_rehash' is OpenSSL's command. 3) Add 'CA_path=<CA certs&crls directory>' to radiusd.conf's tls section. 4) uncomment the line below. 5) Restart radiusd check_crl = yes Attenzione l indicazione del punto 3 3) Add 'CA_path=<CA certs&crls directory>' to radiusd.conf's tls section. era vera per le prime versioni di Freeradius dove la sezione tls era inclusa nel file radiusd.conf, mentre nelle recenti versioni la sezione tls è nel file eap.conf 4. FILE clients.conf Aggiungere la parte sottostante al fondo del file client /24 { secret and password are mapped through the "secrets" file. secret = ausba1a2ausca shortname = AP-1200 the following three fields are optional, but may be used by checkrad.pl for simultaneous usage checks 5

6 } Accetta richieste di autenticazione da un Autenticatore (Access-Point) che abbia un indirizzo nel range della rete configurato (client /24). Lo shortname è quello assegnato all AP la password secret è quella configurata nell AP per accedere al server radius. 5. FILE users Aggiungere le informazioni riguardanti lo Username (in questo caso è pietro ) e la password (in questo caso è nicoletti) necessari per l autenticazione basata su LEAP; si possono definire più Users. Username e password vanno inseriti nelle apposite finestre di richiesta di autenticazione del client. pietro pietro Auth-Type := Local, NT-Password == "nicoletti" Auth-Type := Local, User-Password := "nicoletti" studioreti Auth-Type := Local, User-Password := "collegno" This is an entry for a user with a space in their name. Note the double quotes surrounding the name. "John Doe" Auth-Type := Local, User-Password == "hello" Reply-Message = "Hello, %u" 6

7 6. Impiego di freeradius con certificati generati tramite easy-rsa di openvpn Copiare la directory easy-rsa e tutto /usr/share/openvpn/ nel percorso /etc/raddb/ il suo contenuto presente nel percorso Generare i certificati tramite easy-rsa e copiarli nella directory certs del server. Successivamente bisogna installare nel PC utente: il certificato CA.crt (Certfication Authority) nel caso si voglia utilizzare il protocollo PEAP entrambi i certificati CA.crt e quello dell utente avente l estensione.p12 nel caso si voglia utilizzare il protocollo EAP-TLS Prima di far partire il programma radiusd bisogna modificare il file eap.conf (sezione tls) inserendo i percorsi per i file: server.crt, server.key, ca.crt, dh1024.pem e modificare il comando per il percorso del file random. 6.1 Esempio reale di generazione dei certificati via easy-rsa [root@sreti-2 acct_users attrs certs clients clients.conf dictionary eap.conf [root@sreti-2 raddb] ls easy-rsa experimental.conf hints huntgroups ldap.attrmap mssql.conf naslist raddb] naspasswd oraclesql.conf postgresql.conf preproxy_users proxy.conf radiusd.conf realms snmp.conf sql.conf users x99.conf x99passwd.sample [root@sreti-2 raddb] [root@sreti-2 raddb] mv certs certs-old [root@sreti-2 raddb] mkdir certs [root@sreti-2 raddb] cd /etc/raddb/easy-rsa/2.0/ [root@sreti-2 2.0] [root@sreti-2 raddb] vars NOTE: If you run./clean-all, I will be doing a rm -rf on [root@sreti-2 2.0]./clean-all [root@sreti-2 2.0]./build-ca Generating a 1024 bit RSA private key writing new private key to 'ca.key' ----You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----Country Name (2 letter code) [IT]: State or Province Name (full name) [TO]: Locality Name (eg, city) [Collegno]: Organization Name (eg, company) [Studio Reti sas]: Organizational Unit Name (eg, section) []:training 7

8 Common Name (eg, your name or your server's hostname) [Studio Reti sas CA]: Address 2.0] 2.0]./build-key-server server Generating a 1024 bit RSA private key writing new private key to 'server.key' ----You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----Country Name (2 letter code) [IT]: State or Province Name (full name) [TO]: Locality Name (eg, city) [Collegno]: Organization Name (eg, company) [Studio Reti sas]: Organizational Unit Name (eg, section) []:training Common Name (eg, your name or your server's hostname) [server]: Address [corso@wireless.it]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:francia-187 An optional company name []:sreti Using configuration from /etc/raddb/easy-rsa/2.0/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryname :PRINTABLE:'IT' stateorprovincename :PRINTABLE:'TO' localityname :PRINTABLE:'Collegno' organizationname :PRINTABLE:'Studio Reti sas' organizationalunitname:printable:'training' commonname :PRINTABLE:'server' address :IA5STRING:'corso@wireless.it' Certificate is to be certified until Nov 5 15:37: GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@sreti-2 2.0] [root@sreti-2 2.0] [root@sreti-2 2.0]./build-key utente-1 Generating a 1024 bit RSA private key writing new private key to 'utente-1.key' ----You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank

9 Country Name (2 letter code) [IT]: State or Province Name (full name) [TO]: Locality Name (eg, city) [Collegno]: Organization Name (eg, company) [Studio Reti sas]: Organizational Unit Name (eg, section) []:training Common Name (eg, your name or your server's hostname) [utente-1]: Address Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:francia-187 An optional company name []:sreti Using configuration from /etc/raddb/easy-rsa/2.0/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryname :PRINTABLE:'IT' stateorprovincename :PRINTABLE:'TO' localityname :PRINTABLE:'Collegno' organizationname :PRINTABLE:'Studio Reti sas' organizationalunitname:printable:'training' commonname :PRINTABLE:'utente-1' address :IA5STRING:'corso@wireless.it' Certificate is to be certified until Nov 5 15:39: GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@sreti-2 2.0] [root@sreti-2 2.0] [root@sreti-2 2.0]./build-key utente-2 Generating a 1024 bit RSA private key writing new private key to 'utente-2.key' ----You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----Country Name (2 letter code) [IT]: State or Province Name (full name) [TO]: Locality Name (eg, city) [Collegno]: Organization Name (eg, company) [Studio Reti sas]: Organizational Unit Name (eg, section) []:training Common Name (eg, your name or your server's hostname) [utente-2]: Address [corso@wireless.it]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:francia-187 An optional company name []:sreti Using configuration from /etc/raddb/easy-rsa/2.0/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryname :PRINTABLE:'IT' 9

10 stateorprovincename :PRINTABLE:'TO' localityname :PRINTABLE:'Collegno' organizationname :PRINTABLE:'Studio Reti sas' organizationalunitname:printable:'training' commonname :PRINTABLE:'utente-2' address Certificate is to be certified until Nov 5 15:40: GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@sreti-2 2.0] [root@sreti-2 2.0]./build-dh Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time *++*++* [root@sreti-2 2.0] cd keys [root@sreti-2 keys] ls 01.pem dh1024.pem serial utente-1.crt utente-2.key 02.pem index.txt serial.old utente-1.csr 03.pem index.txt.attr server.crt utente-1.key ca.crt index.txt.attr.old server.csr utente-2.crt ca.key index.txt.old server.key utente-2.csr [root@sreti-2 keys] 10

11 6.2 Copia dei certificati nella directory certs utilizzata da eap.conf keys] cp * /etc/raddb/certs/ [root@sreti-2 keys] cd /etc/raddb/certs/ [root@sreti-2 certs] ls 01.pem dh1024.pem serial utente-1.crt 02.pem index.txt serial.old utente-1.csr 03.pem index.txt.attr server.crt utente-1.key ca.crt index.txt.attr.old server.csr utente-2.crt ca.key index.txt.old server.key utente-2.csr [root@sreti-2 certs] utente-2.key Attenzione al file server.key bisogna aggiungere delle pemission di tipo read altrimenti il programma radiusd non riesce ad accederci e quindi l autenticazione fallisce. [root@sreti-2 certs] ls -l server.key -rw root root 887 Nov 8 18:31 server.key [root@sreti-2 certs] [root@sreti-2 certs] chmod go=+r server.key [root@sreti-2 certs] ls -l server.key -rw-r--r-- 1 root root 887 Nov 8 18:31 server.key [root@sreti-2 certs] 6.3 Generazione del certificato utente con estensione p12 Il certificato utente con l estensione p12 (file xxx.p12) contiene sia la chiave pubblica, sia quella privata. La procedura easy-rsa non genera il file utente con questo tipo di estensione, ma genera i file utente con le seguenti.crt,.key e.csr, inoltre genera dei file 01.pem, 02.pem ecc.. dei quali il primo (01.pem) è il certificato.pem del server i successivi file sono i vari certificati.pem degli utenti generati, messi come numero in ordine di generazione. Per sapere a quale utente si riferisce il file basta editarlo. Nell esempio si vede che il file 02.pem si riferisce all utente utente-1 (parte evidenziate in grassetto col colore rosso). VISUALIZZAZIONE DEL FILE 02.pem Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: sha1withrsaencryption Issuer: C=IT, ST=TO, L=Collegno, O=Studio Reti sas, OU=training, CN=Studio Reti sas CA/ Address=corso@wireless.it Validity Not Before: Nov 8 15:39: GMT Not After : Nov 5 15:39: GMT Subject: C=IT, ST=TO, L=Collegno, O=Studio Reti sas, OU=training, CN=utente-1/ Address=corso@wireless.it Subject Public Key Info: Public Key Algorithm: rsaencryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:e6:5f:be:a3:3c:3d:16:d8:55:2d:87:b5:c4:31: b8:82:27:fd:c6:ac:41:f6:11:ca:a6:3d:44:84:ce: 06:f3:cb:a7:1a:40:ca:77:b8:0d:32:1b:eb:0a:21: bf:e4:07:d3:60:fa:03:dc:b3:e2:71:e8:4a:a2:6c: 33:83:45:9f:02:5e:83:f9:7d:58:21:4c:ed:3d:a5: cd:a1:f3:26:04:79:0e:fb:fe:ef:88:86:7d:52:a7: 8d:f3:fb:81:3c:1e:c2:a7:d5:69:96:08:05:71:18: 31:de:5e:7e:18:d9:bf:6c:e1:fc:56:da:a2:a2:7b: 11

12 4a:73:37:87:40:e5:d9:91:3f Exponent: (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: Easy-RSA Generated Certificate X509v3 Subject Key Identifier: 5F:21:FB:7C:D0:D2:10:67:3B:F5:29:01:F0:23:10:7A:07:DC:BD:C1 X509v3 Authority Key Identifier: keyid:e0:5c:2a:6f:f4:fd:5a:7e:53:7d:2b:dc:92:0b:4e:82:74:0e:d7:cd DirName:/C=IT/ST=TO/L=Collegno/O=Studio Reti sas/ou=training/cn=studio Reti sas serial:95:18:0c:6b:52:5b:bb:93 X509v3 Extended Key Usage: TLS Web Client Authentication X509v3 Key Usage: Digital Signature Signature Algorithm: sha1withrsaencryption a5:56:ad:c9:61:a6:23:bf:70:2b:b3:dd:ea:90:75:d6:68:10: a2:c5:8d:27:a6:b2:82:48:29:1a:1c:98:01:a6:7b:e8:7c:bd: db:06:23:b1:08:29:49:c9:16:51:13:12:df:8f:4e:60:46:8e: cf:89:d7:b3:09:0d:60:10:24:9d:c2:56:c9:aa:41:50:03:02: 1d:98:2d:de:36:06:5d:44:1b:8d:70:b2:bd:a7:29:5d:97:fa: 54:1c:5d:25:fc:d7:21:6f:24:2e:79:9c:c5:c8:c6:a2:68:74: f2:36:d4:87:34:92:9f:35:76:97:07:34:6c:43:2f:49:63:8f: fb: BEGIN CERTIFICATE----MIID8jCCA1ugAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBmTELMAkGA1UEBhMCSVQx CzAJBgNVBAgTAlRPMREwDwYDVQQHEwhDb2xsZWdubzEYMBYGA1UEChMPU3R1ZGlv IFJldGkgc2FzMREwDwYDVQQLEwh0cmFpbmluZzEbMBkGA1UEAxMSU3R1ZGlvIFJl dgkgc2fzienbmsawhgyjkozihvcnaqkbfhfjb3jzb0b3axjlbgvzcy5pddaefw0w NjExMDgxNTM5MDhaFw0xNjExMDUxNTM5MDhaMIGPMQswCQYDVQQGEwJJVDELMAkG A1UECBMCVE8xETAPBgNVBAcTCENvbGxlZ25vMRgwFgYDVQQKEw9TdHVkaW8gUmV0 asbzyxmxetapbgnvbastchryywluaw5nmrewdwydvqqdewh1dgvudgutmtegmb4g CSqGSIb3DQEJARYRY29yc29Ad2lyZWxlc3MuaXQwgZ8wDQYJKoZIhvcNAQEBBQAD gy0amigjaogbaozfvqm8prbyvs2htcqxuiin/casqfyryqy9ritobvplpxpayne4 DTIb6wohv+QH02D6A9yz4nHoSqJsM4NFnwJeg/l9WCFM7T2lzaHzJgR5Dvv+74iG fvknjfp7gtwewqfvazyibxeymd5efhjzv2zh/fbaoqj7snm3h0dl2ze/agmbaagj ggfqmiibtdajbgnvhrmeajaamc0gcwcgsagg+eibdqqgfh5fyxn5lvjtqsbhzw5l cmf0zwqgq2vydglmawnhdguwhqydvr0obbyeff8h+3zq0hbno/upafajehoh3l3b MIHOBgNVHSMEgcYwgcOAFOBcKm/0/Vp+U30r3JILToJ0DtfNoYGfpIGcMIGZMQsw CQYDVQQGEwJJVDELMAkGA1UECBMCVE8xETAPBgNVBAcTCENvbGxlZ25vMRgwFgYD VQQKEw9TdHVkaW8gUmV0aSBzYXMxETAPBgNVBAsTCHRyYWluaW5nMRswGQYDVQQD ExJTdHVkaW8gUmV0aSBzYXMgQ0ExIDAeBgkqhkiG9w0BCQEWEWNvcnNvQHdpcmVs ZXNzLml0ggkAlRgMa1Jbu5MwEwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQD AgeAMA0GCSqGSIb3DQEBBQUAA4GBAKVWrclhpiO/cCuz3eqQddZoEKLFjSemsoJI KRocmAGme+h8vdsGI7EIKUnJFlETEt+PTmBGjs+J17MJDWAQJJ3CVsmqQVADAh2Y Ld42Bl1EG41wsr2nKV2X+lQcXSX81yFvJC55nMXIxqJodPI21Ic0kp81dpcHNGxD L0ljj/tk -----END CERTIFICATE

13 Per l impiego del protocollo di autenticazione EAP-TLS è necessario installare sul PC Windows il file utente con l estensione.p12. Per ottenere il file utente con l estensione.p12 bisogna: 1. copiare il file 0x.pem rinominandolo nome-utente.pem 2. esportare il file nome-utente.pem nel file nome-utente.p12 Si veda l esempio successivo [root@sreti-2 certs] cp 02.pem utente-1.pem [root@sreti-2 certs] ls 01.pem dh1024.pem serial utente-1.crt 02.pem index.txt serial.old utente-1.csr 03.pem index.txt.attr server.crt utente-1.key ca.crt index.txt.attr.old server.csr utente-1.pem ca.key index.txt.old server.key utente-2.crt [root@sreti-2 certs] utente-2.csr utente-2.key [root@sreti-2 certs] openssl pkcs12 -export -in utente-1.pem -inkey utente1.key -out utente-1.p12 Enter Export Password:francia-187 Verifying - Enter Export Password:francia-187 [root@sreti-2 certs] ls 01.pem dh1024.pem serial utente-1.crt utente-2.crt 02.pem index.txt serial.old utente-1.csr utente-2.csr 03.pem index.txt.attr server.crt utente-1.key utente-2.key ca.crt index.txt.attr.old server.csr utente-1.p12 ca.key index.txt.old server.key utente-1.pem [root@sreti-2 certs] 6.4 Modifica del file eap.conf per poter operare con i certificati generati con easy-rsa Nella sezione EAP-TLS bisogna modificare i percorsi per l utilizzo dei file server.crt, server.key, ca.crt, dh1024.pem tls { private_key_password = francia-187 private_key_file = ${raddbdir}/certs/server.key If Private key & Certificate are located in the same file, then private_key_file & certificate_file must contain the same file name. certificate_file = ${raddbdir}/certs/server.crt Trusted Root CA list CA_file = ${raddbdir}/certs/ca.crt dh_file = ${raddbdir}/certs/dh1024.pem random_file = /dev/urandom 6.5 Startup di radiusd (Freeradius) con il debugging abilitato [root@sreti-2 keys] radiusd -X -A Starting - reading configuration files... reread_config: reading radiusd.conf 13

14 Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" 14

15 Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/server.key" tls: certificate_file = "/etc/raddb/certs/server.crt" tls: CA_file = "/etc/raddb/certs/ca.crt" tls: private_key_password = "francia-187" tls: dh_file = "/etc/raddb/certs/dh1024.pem" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "%{User-Name}" rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 15

16 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IPAddress, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{client-ip-address}/detail-%y%m %d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. 7. Installazione dei certificati su Windows XP Copiare i certificati ca.crt e nome-utente.p12 in una directory e installare dapprima il certificato ca.crt e successivamente il certificato nome-utente.p12. Si noti che se si vuole utilizzare il protocollo PEAP è sufficiente installare solo il certificato ca.crt. Per installare i certificati è sufficiente fare un doppio-click sul certificato e seguire l installazione guidata, si veda l esempio. 16

17 7.1 Installazione di ca.crt su Windows XP 17

18 18

19 19

20 20

21 21

22 22

23 23

24 24

25 7.2 Installazione del certificato utente con estensione p12 25

26 26

27 francia

28 28

29 29

30 30

31 7.3 Verifica della corretta installazione dei certificati attraverso mmc console Cliccare su Start -> Esegui, digitare nella finestra mmc e dare Ok. 31

32 32

33 33

34 34

35 35

36 36

37 37

38 38

39 39

40 40

41 41

42 42

43 7.4 Configurazione PEAP su Windows XP 43

44 44

45 45

46 46

47 47

48 7.4.1 Autenticazione con PEAP Inserire nell apposita casella il Nome Utente a la Password 48

49 49

50 7.5 Configurazione EAP-TLS su Windows XP 50

51 7.5.1 Autenticazione con EAP-TLS L utente si autentica presso il Server utilizzando il certificato utente (nome-utente.p12) 8. Ambiente dei test di laboratorio (hardware software) Hardware: Access Point: modello 1200 della Cisco con OS AIR-AP1231G-E-K9 Scheda di rete: Aironet 350 con driver ACU Server: Dell PowerEdge 600SC Software: Sistema operativo linux Server Fedora 5 RPM Freeradius: Freeradius i386 RPM Openvpn: Openvpn beta14.fc5.i386 51