====== Cisco 1130AG ======

Links:
  - http://www.cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b.html
  - http://www.nantes-wireless.org/actu/

Found in a trash can (well, almost): a Cisco 1130AG...

What is it? A Cisco wifi access point for professionals... with a CLI, IOS and so on. Notably:

  * 16 SSIDs!
  * Several VLANs (optional)

There are 2 "radios" (i.e. wifi transmitters):

| dot11radio 0 | 802.11n 2.4-GHz | the older and most common one |
| dot11radio 1 | 802.11n 5-GHz | authorised since 2006 (does any equipment actually work with it?) |

| Worth knowing: "WPA 2 offers a higher level of security than WPA because AES offers stronger encryption than Temporal Key Integrity Protocol (TKIP)." |

WPA and Radius: http://wiki.freeradius.org/WPA_HOWTO

===== Flash =====

==== LWAPP to Autonomous ====

Out of the box it is flashed as a "Lightweight Access Point", which I do not like at all!

<code>
$ sh ver
...
cisco AIR-LAP1131AG-E-K9 (PowerPCElvis) processor (revision A0) with 24566K/8192K bytes of mem.
Processor board ID FCZ1149Q0HQ
PowerPCElvis CPU at 262Mhz, revision number 0x0950
Last reset from power-on
LWAPP image version 4.0.217.0
1 FastEthernet interface
2 802.11 Radio(s)
...
</code>

So it has to be re-flashed as "Autonomous".

==== TFTP ====

To flash it, you need a TFTP server. Install **''tftpd-hpa''** (source: http://wozneyenterprises.blogspot.com/2008/12/downgrade-from-lightweight-to.html )

<code>
# aptitude install tftpd-hpa
</code>

Prepare a directory for the tftpd server, for example: ''/srv/tftp/''

==== IOS ====

For that, I download an IOS, illegally, from a server in China!!!
(Thanks to Cisco support :-P )

<code>
wget xxxxxxx/c1130-k9w7-tar.124-10b.JA3.tar
</code>

Put the image in the "tftp" server directory, under the name "c1130-k9w7-tar.default":

<code>
$ mv c1130-k9w7-tar.124-10b.JA3.tar /srv/tftp/c1130-k9w7-tar.default
</code>

==== IP ====

Knowing that the "cisco" will take the IP 10.0.0.1, I take 10.0.0.2:

<code>
# ifconfig eth0:x 10.0.0.2 netmask 255.255.255.0
</code>

==== flashing ====

=== tftpd ===

Start the tftpd server like this:

<code>
# in.tftpd -c -l -s /srv/tftp -a 255.255.255.255
</code>

Why? Because the "Cisco" sends a broadcast request to fetch the file, and "tftpd" will only work properly if started like this. That's it.

=== reboot ===

  - Unplug/power off the AP (Cisco Access Point)
  - Hold the "Mode" button down
  - Plug in/power on the AP
  - Keep holding the "Mode" button until the "R" LED turns red: about 20 seconds.
  - Release

The tftp server should get queried and the flashing begins.

==== At the end ====

Let's check the IOS:

<code>
ap>sh ver
Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(10b)JA3, RELEASE SOFTWARE (fc1)
...
ROM: Bootstrap program is C1130 boot loader
BOOTLDR: C1130 Boot Loader (C1130-BOOT-M) Version 12.3(8)JEA, RELEASE SOFTWARE (fc2)
...
ap uptime is 12 minutes
System returned to ROM by power-on
System image file is "flash:/c1130-k9w7-mx.124-10b.JA3/c1130-k9w7-mx.124-10b.JA3"
...
</code>

Ok. Kill the tftp server:

<code>
# killall in.tftpd
</code>

===== Default Settings =====

See the documentation.

===== First steps =====

By default, the "super user" password is: Cisco

Default configuration:

<code>
ap#sh ru
Building configuration...

Current configuration : 1362 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$ulXd$aoKZ22oOOTg/Dd29BsSc71
!
no aaa new-model
!
!
power inline negotiation prestandard source
!
!
username Cisco password 7 072C285F4D06
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address dhcp client-id FastEthernet0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end
</code>

And a "web" service is running.

<code>
ap# sh ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
BVI1                       192.168.1.235   YES DHCP   up                    up
Dot11Radio0                unassigned      YES unset  administratively down down
Dot11Radio1                unassigned      YES unset  administratively down down
FastEthernet0              unassigned      YES other  up                    up
</code>

<code>
ap#show boot
BOOT path-list:
Config file:                flash:/config.txt
Private Config file:        flash:/private-config
Enable Break:               no
Manual Boot:                no
Enable IOS Break:           no
HELPER path-list:
NVRAM/Config file
      buffer size:          32768
Mode Button:                on
</code>

===== Basic configuration =====

==== Hostname and more ====

=== hostname ===

<code>
ap#configure terminal
ap(config)#hostname ap01
ap01(config)#
</code>

=== IP ===

To give the AP an IP address, you have to work with the "bvi1" interface (and not FastEthernet...).

Configure the IP:

<code>
ap01(config)#interface bvi1
ap01(config-if)#ip address 192.168.0.11 255.255.255.0
</code>

=== gateway ===

<code>
ap01(config)#ip default-gateway 192.168.0.254
</code>

=== DNS? ===

<code>
ap01(config)#ip name-server 192.168.0.2 212.27.40.240 212.27.40.241
</code>

=== Console logging ===

Disable that noise:

<code>
ap01(config)#no logging console
</code>

==== Securing ====

=== general password ===

Set your password:

<code>
#configure terminal
ap01(config)#enable secret
</code>

=== users ===

FIXME: to be validated

<code>
#configure terminal
</code>

Enable "AAA":

<code>
#aaa new-model
</code>

AAA login authentication against the local database (for all interfaces, by default):

<code>
#aaa authentication login default local
</code>

AAA authorization defining the EXEC rights ("enable mode"):

<code>
#aaa authorization exec default local
</code>

AAA authorization for all network-related services:

<code>
#aaa authorization network default local
</code>

(optionally: ''aaa session-id common'')

<code>
# username tjaouen privilege 15 secret 0
</code>

And that's it?

=== https ===

Link: http://www.cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b-chap2-gui.html#wp1098676

FIXME: to be validated

<code>
AP# configure terminal
AP(config)# hostname ap1100
AP(config)# ip domain name company.com
AP(config)# ip name-server 10.91.107.18
AP(config)# ip http secure-server
AP(config)# end
</code>

=== disabling http ===

<code>
#no ip http server
</code>

and/or:

<code>
#no ip http secure-server
</code>

==== DHCP ====

Link: http://www.cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b-chap5-admin.html#wp1058842

===== Simple WPA =====

==== ssid ====

<code>
ap01(config)#dot11 ssid virgin-mobile
ap01(config-ssid)#guest-mode
</code>

"guest-mode" is what broadcasts the SSID.

==== radio ====

Link: http://www.cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b-chap6-radio.html#wp1035071

| :!: To do for "dot11Radio 0" and "dot11Radio 1" |

Among other things:

<code>
ap01#configure terminal
ap01(config)#interface dot11Radio 0
</code>

Say it is an "access-point":

<code>
ap01(config-if)#station-role root access-point
</code>

Disable the stupid extension (optional):

<code>
ap01(config-if)#no dot11 extension aironet
</code>

If needed, bring the radio up:

<code>
ap01(config-if)#no shutdown
</code>

Specify the encryption:

<code>
ap01(config-if)#encryption mode ciphers aes-ccm tkip
</code>

Attach the ssid:

<code>
ap01(config-if)#ssid virgin-mobile
</code>

And finally:

<code>
ap01(config-if)#end
ap01#configure terminal
ap01(config)#dot11 ssid virgin-mobile
ap01(config-ssid)#authentication open
ap01(config-ssid)#authentication key-management wpa
ap01(config-ssid)#wpa-psk ascii 0 12345678
</code>

And that's it?

  * the shared key is "12345678"
  * once the connection is established, the AP **bridges** to the network

So the AP is neither a firewall nor a DHCP server: none of that.

==== full config ====

<code>
ap01#sh ru brief
Building configuration...

Current configuration : 2310 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap01
!
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
ip domain name pinkfloyd
ip name-server 192.168.0.2
ip name-server 212.27.40.240
ip name-server 212.27.40.241
!
!
!
dot11 ssid virgin-mobile
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 xxxxxxxxxxxxx
!
power inline negotiation prestandard source
!
crypto pki trustpoint TP-self-signed-2716797280
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2716797280
 revocation-check none
 rsakeypair TP-self-signed-2716797280
!
!
crypto pki certificate chain TP-self-signed-2716797280
 certificate self-signed 01
username tjaouen privilege 15 secret 5 $1$xxxxxxxxxxxxxx
username bbrule privilege 15 secret 5 $1$xxxxxxxxxxxxxx
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid virgin-mobile
 !
 station-role root access-point
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid virgin-mobile
 !
 no dfs band block
 channel dfs
 station-role root access-point
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.0.11 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.0.254
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
</code>

<code>
ap01#sh dot11 bssid
Interface      BSSID         Guest  SSID
Dot11Radio1   001e.4acd.e1b0  Yes  virgin-mobile
Dot11Radio0   001e.4ac0.4bf0  Yes  virgin-mobile
</code>

===== VLANs =====

Link: http://www.cisco.com/en/US/docs/wireless/access_point/12.3_8_JA/configuration/guide/s38vlan.html

==== reconfig ====

State of the interface:

<code>
ap01#sh ru interface fastEthernet 0
Building configuration...

Current configuration : 175 bytes
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
end
</code>

Configure the "native" interface.

<code>
ap01#configure terminal
ap01(config)#interface fastEthernet 0.1
ap01(config-subif)#encapsulation dot1Q 1 native
ap01(config-subif)#no ip route-cache
ap01(config-subif)#bridge-group 1
ap01(config-subif)#no bridge-group 1 source-learning
ap01(config-subif)#bridge-group 1 spanning-disabled
</code>

Afterwards, you can see that the config adapted itself...

<code>
ap01#sh ru interface fastEthernet 0
Building configuration...

Current configuration : 90 bytes
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
end
</code>

<code>
ap01#sh ru interface fastEthernet 0.1
Building configuration...

Current configuration : 167 bytes
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
end
</code>

Add an interface in VLAN 974.

<code>
ap01#sh ru interface fastEthernet 0.974
Building configuration...

Current configuration : 164 bytes
!
interface FastEthernet0.974
 encapsulation dot1Q 974
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
end
</code>

State of the "radio" interface... it works but no longer lets connections through.

<code>
ap01#show running-config interface Dot11Radio 0
Building configuration...

Current configuration : 387 bytes
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid virgin-mobile
 !
 station-role root access-point
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
end
</code>

Create a new (virtual) radio:

<code>
ap01#configure terminal
ap01(config)#interface Dot11Radio 0.1
ap01(config-subif)#encapsulation dot1Q 1 native
ap01(config-subif)#no ip route-cache
ap01(config-subif)#no cdp enable
ap01(config-subif)#bridge-group 1
ap01(config-subif)#bridge-group 1 subscriber-loop-control
ap01(config-subif)#bridge-group 1 block-unknown-source
ap01(config-subif)#no bridge-group 1 source-learning
ap01(config-subif)#no bridge-group 1 unicast-flooding
ap01(config-subif)#bridge-group 1 spanning-disabled
</code>

As with the wired interfaces, the configuration adapted itself:

<code>
ap01#sh ru interface Dot11Radio 0
Building configuration...

Current configuration : 189 bytes
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid virgin-mobile
 !
 station-role root access-point
 no dot11 extension aironet
end
</code>

<code>
ap01#sh ru interface Dot11Radio 0.1
Building configuration...

Current configuration : 293 bytes
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
end
</code>

<code>
ap01#sh ru ssid virgin-mobile
Building configuration...

Current configuration:
dot11 ssid virgin-mobile
   vlan 1
   mbssid guest-mode
end
</code>

<code>
ap01(config)#interface dot11Radio 0
ap01(config-if)#encryption vlan 1 mode ciphers aes-ccm tkip
</code>

While we're at it, set up the 2nd ssid (its VLAN on the radio side is 2, see the final config below):

<code>
ap01(config-if)#encryption vlan 2 mode ciphers aes-ccm tkip
ap01(config-if)#ssid test2
ap01(config)#interface Dot11Radio 0.2
ap01(config-subif)#encapsulation dot1Q 2 native
ap01(config-subif)#no ip route-cache
ap01(config-subif)#no cdp enable
ap01(config-subif)#bridge-group 2
ap01(config-subif)#bridge-group 2 subscriber-loop-control
ap01(config-subif)#bridge-group 2 block-unknown-source
ap01(config-subif)#no bridge-group 2 source-learning
ap01(config-subif)#no bridge-group 2 unicast-flooding
ap01(config-subif)#bridge-group 2 spanning-disabled
</code>

| :!: do not add "native" |

Configure the exit VLAN like this:

<code>
ap01#sh ru interface fastEthernet 0.974
Building configuration...

Current configuration : 164 bytes
!
interface FastEthernet0.974
 encapsulation dot1Q 974
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
end
</code>

=== Config ===

There we go... several SSIDs and several VLANs:

<code>
ap01#sh ru
Building configuration...

Current configuration : 4520 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap01
!
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
ip domain name pinkfloyd
ip name-server 192.168.0.2
ip name-server 212.27.40.240
ip name-server 212.27.40.241
!
!
!
dot11 ssid virgin-mobile
   vlan 1
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 00554155500E5D5157
!
dot11 ssid test2
   vlan 2
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 1446435A5D557B7A75
!
power inline negotiation prestandard source
!
crypto pki trustpoint TP-self-signed-2716797280
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2716797280
 revocation-check none
 rsakeypair TP-self-signed-2716797280
!
!
crypto pki certificate chain TP-self-signed-2716797280
 certificate self-signed 01
  ...
  ...
  46FB2C4E C005BB45 B699
  quit
username tjaouen privilege 15 secret 5 xxxxxxxxxx
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm tkip
 !
 encryption vlan 2 mode ciphers aes-ccm tkip
 !
 ssid virgin-mobile
 !
 ssid test2
 !
 mbssid
 station-role root access-point
 no dot11 extension aironet
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm tkip
 no dfs band block
 channel dfs
 station-role root access-point
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.974
 encapsulation dot1Q 974
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface BVI1
 ip address 192.168.0.11 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.0.254
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
</code>

===== radius =====

Link: http://supportwiki.cisco.com/ViewWiki/index.php/EAP_Authentication_with_RADIUS_Server

Testing the radius. Link: http://www.fcug.fr/ios-tester-l-039-authentification-radius

<code>
ap01(config)#aaa group server radius rad_eap
ap01(config-sg-radius)#server 192.168.0.10 auth-port 1812 acct-port 1813
ap01(config-sg-radius)#exit
ap01(config)#aaa authentication login eap_methods group rad_eap
ap01(config)#end
</code>

<code>
ap01(config)#radius-server host 192.168.0.10 auth-port 1812 acct-port 1813 key ceci-est-mon-secret
ap01(config)#dot11 ssid virgin-mobile
</code>

Remove the previous config:

<code>
ap01(config-ssid)#no wpa-psk
ap01(config-ssid)#no authentication key-management
ap01(config-ssid)#no authentication open
</code>

Then add the new stuff:

<code>
ap01(config-ssid)#authentication open eap eap_methods
ap01(config-ssid)#authentication network-eap eap_methods
</code>

Add WPA (my stuff):

<code>
ap01(config-ssid)#authentication key-management wpa
</code>

But without a shared key... odd to me...
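The puzzle just above (WPA key management with no shared key) comes down to where the PMK originates. The following added example, not code from the original page, derives the PMK both ways (PBKDF2 from the page's PSK and SSID, or the first 32 bytes of the EAP MSK that the RADIUS server hands to the AP) and then runs the 802.11i PTK expansion that the 4-way handshake uses in both cases. The client MAC, the nonces and the fake MSK are constructed values; the BSSID is the one shown by ''sh dot11 bssid''.

```python
"""WPA/WPA2 key hierarchy: where the PMK comes from, and how the PTK is expanded.

Added example, not code from the original page. The PSK "12345678" and the
SSID "virgin-mobile" are the page's; the client MAC, the nonces and the fake
EAP MSK below are constructed values.
"""
import hashlib
import hmac


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    Every station on the SSID shares this PMK, and its strength is exactly the
    strength of the passphrase.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmk_from_eap_msk(msk: bytes) -> bytes:
    """WPA with 802.1X/EAP: PMK = first 256 bits of the EAP Master Session Key.

    The RADIUS server derives the MSK inside the EAP method (PEAP, TLS, ...) and
    returns it to the AP in the Access-Accept (MS-MPPE-Recv-Key/Send-Key), so the
    SSID needs no wpa-psk: every session gets its own PMK.
    """
    if len(msk) < 32:
        raise ValueError("EAP MSK must be at least 32 bytes")
    return msk[:32]


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               cipher: str = "ccmp") -> dict:
    """4-way handshake key expansion (same code path for a PSK or an EAP PMK).

    PTK = PRF(PMK, "Pairwise key expansion",
              min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
    CCMP (aes-ccm) needs 384 bits: KCK, KEK, TK of 16 bytes each.
    TKIP needs 512 bits: its 32-byte TK also carries the two Michael MIC keys.
    """
    nbytes = {"ccmp": 48, "tkip": 64}[cipher]
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, nbytes)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:]}


def demo() -> dict:
    """Run both derivations with constructed handshake values and return the keys."""
    aa = bytes.fromhex("001e4ac04bf0")      # BSSID of Dot11Radio0 (sh dot11 bssid)
    spa = bytes.fromhex("001122334455")     # constructed client MAC
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    psk_pmk = pmk_from_psk("12345678", "virgin-mobile")
    eap_pmk = pmk_from_eap_msk(hashlib.sha512(b"constructed EAP MSK").digest())
    return {
        "psk": derive_ptk(psk_pmk, aa, spa, anonce, snonce),
        "eap": derive_ptk(eap_pmk, aa, spa, anonce, snonce, cipher="tkip"),
    }


if __name__ == "__main__":
    for mode, keys in demo().items():
        print(mode, {name: k.hex() for name, k in keys.items()})
```

The PBKDF2 step is checked in the test against the IEEE 802.11i Annex H vector ("password" / "IEEE").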
<code>
ap01(config-ssid)#end
</code>

Accounting: :!: could not find how to enable radius accounting!!!

Request towards the radius (not up yet)?

<code>
17:43:28.088527 IP 192.168.0.11.datametrics > mds.thierry-jaouen.local.radius: RADIUS, Access Request (1), id: 0x02 length: 216
</code>

Yes! Getting closer:

<code>
*** Received from 192.168.0.11 port 1645 ....
Code:       Access-Request
Identifier: 6
Authentic:  xxxxxxx
Attributes:
        User-Name = "1208012000584533@wlan.mnc001.mcc208.3gppnetwork.org"
        Framed-MTU = 1400
        Called-Station-Id = "001e.4ac0.4bf0"
        Calling-Station-Id = "0018.8d06.8092"
        Service-Type = Login-User
        Message-Authenticator = xxxxxxxxx
        EAP-Message = <2><2><0>8<1>1208012000584533@wlan.mnc001.mcc208.3gppnetwork.org
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-Port = 279
        NAS-Port-Id = "279"
        NAS-IP-Address = 192.168.0.11
</code>

| :!: LEAP does not work. |

  - LEAP is rotten (see google)
  - LEAP does not work on Windows XP Family... too bad.

So we give up on this pseudo-simplicity.

===== wpa2 =====

Link: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml

===== LEAP =====

I can't get it to work.

===== PEAP =====

Link: http://web.archive.org/web/20031206113912/http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

A very complicated way of making a network super secure... In any case, with a "Windoz XP Home", it's a real pain.

==== general principles ====

It looks an awful lot like a "vpn"...

You have to create a "root" certificate, which will sign everything else. Then you create a "server" certificate: for us, that's the "ssid" of the Wifi network. Then you create the certificates for the clients.

==== Configuration ====

=== openssl.cnf ===

Edit **''/etc/ssl/openssl.cnf''** (save the original, you never know), and customise what needs to be... Roughly:

<code>
...
# 10 years of validity, better than one year
default_days = 3650 # how long to certify for
...
[ req_distinguished_name ]
...
countryName_default = FR
...
localityName_default = Paris
...
0.organizationName_default = TJ Corp.
...
organizationalUnitName_default = AP lab
...
commonName_default = TJ-Root-CA
...
emailAddress_default = postmaster@thierry-jaouen.fr
...
</code>

Everything else is fine by default.

=== scripts ===

There are plenty of ways to proceed, but we'll use scripts lifted from the net. A script close to the following can be found in "Radiator", under the name **''"mkcertificate.sh"''**...

== CA.root ==

<code bash>
#!/bin/sh
#SSL=/usr/local/openssl-certgen
#export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
#export LD_LIBRARY_PATH=${SSL}/lib
export PATH=/usr/bin/:/usr/lib/ssl/misc:${PATH}
export LD_LIBRARY_PATH=/usr/lib/ssl

# needed if you need to start from scratch otherwise the CA.pl -newca command doesn't copy the new
# private key into the CA directories
rm -rf demoCA

echo "*********************************************************************************"
echo "Creating self-signed private key and certificate"
echo "When prompted override the default value for the Common Name field"
echo "*********************************************************************************"
echo

# Generate a new self-signed certificate.
# After invocation, newreq.pem will contain a private key and certificate
# newreq.pem will be used in the next step
openssl req -new -x509 -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever

echo "*********************************************************************************"
echo "Creating a new CA hierarchy (used later by the \"ca\" command) with the certificate"
echo "and private key created in the last step"
echo "*********************************************************************************"
echo

echo "newreq.pem" | CA.pl -newca >/dev/null

echo "*********************************************************************************"
echo "Creating ROOT CA"
echo "*********************************************************************************"
echo

# Create a PKCS#12 file, using the previously created CA certificate/key
# The certificate in demoCA/cacert.pem is the same as in newreq.pem. Instead of
# using "-in demoCA/cacert.pem" we could have used "-in newreq.pem" and then omitted
# the "-inkey newreq.pem" because newreq.pem contains both the private key and certificate
openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin pass:whatever -passout pass:whatever

# parse the PKCS#12 file just created and produce a PEM format certificate and key in root.pem
openssl pkcs12 -in root.p12 -out root.pem -passin pass:whatever -passout pass:whatever

# Convert root certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in root.pem -out root.der

# Clean Up
rm -rf newreq.pem

# TJ ------
# the "serial" file is needed by "openssl ca" when signing the server and client requests
echo "01" > demoCA/serial
# ---------
</code>

Compared to the original, I changed the lines at the beginning and at the end (because the "serial" file is not created).
| :!: the default pass phrase is "whatever" => we could change it, couldn't we? |

== CA.svr ==

<code bash>
#!/bin/sh
#SSL=/usr/local/openssl-certgen
#export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
#export LD_LIBRARY_PATH=${SSL}/lib
export PATH=/usr/bin/:/usr/lib/ssl/misc:${PATH}
export LD_LIBRARY_PATH=/usr/lib/ssl

echo "*********************************************************************************"
echo "Creating server private key and certificate"
echo "When prompted enter the server name in the Common Name field."
echo "*********************************************************************************"
echo

# Request a new PKCS#10 certificate.
# First, newreq.pem will be overwritten with the new certificate request
openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever

# Sign the certificate request. The policy is defined in the openssl.cnf file.
# The request generated in the previous step is specified with the -infiles option and
# the output is in newcert.pem
# The -extensions option is necessary to add the OID for the extended key for server authentication
openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem

# Create a PKCS#12 file from the new certificate and its private key found in newreq.pem
# and place in file specified on the command line
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out "$1.p12" -clcerts -passin pass:whatever -passout pass:whatever

# parse the PKCS#12 file just created and produce a PEM format certificate and key in $1.pem
openssl pkcs12 -in "$1.p12" -out "$1.pem" -passin pass:whatever -passout pass:whatever

# Convert certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in "$1.pem" -out "$1.der"

# Clean Up
rm -rf newcert.pem newreq.pem
</code>

Same remark as for "CA.root".
== CA.clt ==

<code bash>
#!/bin/sh
#SSL=/usr/local/openssl-certgen
#export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
#export LD_LIBRARY_PATH=${SSL}/lib
export PATH=/usr/bin/:/usr/lib/ssl/misc:${PATH}
export LD_LIBRARY_PATH=/usr/lib/ssl

echo "*********************************************************************************"
echo "Creating client private key and certificate"
echo "When prompted enter the client name in the Common Name field. This is the same"
echo " used as the Username in FreeRADIUS"
echo "*********************************************************************************"
echo

# Request a new PKCS#10 certificate.
# First, newreq.pem will be overwritten with the new certificate request
openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever

# Sign the certificate request. The policy is defined in the openssl.cnf file.
# The request generated in the previous step is specified with the -infiles option and
# the output is in newcert.pem
# The -extensions option is necessary to add the OID for the extended key for client authentication
openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpclient_ext -extfile xpextensions -infiles newreq.pem

# Create a PKCS#12 file from the new certificate and its private key found in newreq.pem
# and place in file specified on the command line
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out "$1.p12" -clcerts -passin pass:whatever -passout pass:whatever

# parse the PKCS#12 file just created and produce a PEM format certificate and key in $1.pem
openssl pkcs12 -in "$1.p12" -out "$1.pem" -passin pass:whatever -passout pass:whatever

# Convert certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in "$1.pem" -out "$1.der"

# clean up
rm -rf newcert.pem newreq.pem
</code>

Same remark as for "CA.root".
== executable ==

Make the scripts executable:

<code>
# chmod a+x CA.*
</code>

== xpextensions ==

One more file, named "xpextensions", whose content must be:

<code>
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
</code>

== In the end ==

<code>
# ls -lrt
-rwxr-xr-x 1 root root 1769 2009-05-11 14:25 CA.svr
-rwxr-xr-x 1 root root 1826 2009-05-11 14:26 CA.clt
-rw-r--r-- 1 root root  111 2009-05-11 14:26 xpextensions
-rwxr-xr-x 1 root root 2350 2009-05-11 14:45 CA.root
</code>

==== In practice ====

=== directory ===

Choose a working directory, for example:

<code>
# mkdir /etc/ssl/radius
# cd /etc/ssl/radius
</code>

Copy the files seen above into it, i.e.: CA.root CA.svr CA.clt xpextensions

=== Root ===

| :!: only do this the 1st time! |

Generate the certificate authority:

<code>
# ./CA.root
</code>

Check the "Common Name", for example: TJ-RADIUS-CA.

This creates various files (and directories).

=== Server ===

Generate the "server" certificate.

<code>
# ./CA.svr virgin-mobile
</code>

The "Common Name" must be: virgin-mobile

(I think there is a check that the "Common Name" matches the ssid.)

=== Client ===

Generate a client certificate (or for a "__pool__" of clients?).

<code>
# ./CA.clt tjaouen
</code>

:!: the "Common Name" has no importance afterwards, notably for authentication.\\
The final "username"/password asked for by Windoz is independent of the "Common Name".

=== in the end ===

root.pem, root.der, the .pem and the .p12

We ignore the rest? ok....

==== Radius ====

An excerpt from the radius configuration:

<code>
AutoMPPEKeys yes
EAPType PEAP,MSCHAP-V2
#EAPType PEAP,MSCHAP-V2, TTLS
#EAPType PEAP
EAPTLS_CAFile %D/ssl2/root.pem
EAPTLS_CertificateFile %D/ssl2/virgin-mobile.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/ssl2/virgin-mobile.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_MaxFragmentSize 1000
</code>

In this case the files were put in the ".../ssl2/" subdirectory, but does it matter?

:!:
  - the pass-phrase is in clear text...
  - the public and private key are in the same file (virgin-mobile.pem)

==== Windows XP ====

Transfer the following files to the client: root.der and the .p12

How? Who cares.

=== install certificates ===

First "root.der", then the .p12.

When setting up the "wifi" connection it gets more complicated:

<code>
Network properties > Wifi > "virgin-mobile" > Properties > Authentication
  Protected EAP (PEAP)
  [x] Authenticate as computer ....
  PEAP properties ...
    [ ] Validate server certificate
    Password (EAP-MSCHAP v2) > Configure
      [ ] Automatically use my name ...
</code>

(With "Validate server certificate" unchecked, the client never checks the RADIUS server's certificate against root.der, so only the client side is authenticated.)

After doing all that, you'll realise you have to start over every time! At least on Windoz XP SP3 HOME. On top of that, it has to be done at the right moment!!! ggrrrrrrrrrrr

==== Cisco Conf ====

<code>
...
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.0.10 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
!
aaa session-id common
...
!
dot11 ssid virgin-mobile
   vlan 1
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   mbssid guest-mode
!
...
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 encryption vlan 2 mode ciphers aes-ccm tkip
 !
 ssid virgin-mobile
 !
 ssid test2
 !
 mbssid
 station-role root access-point
 no dot11 extension aironet
!
...
!
ip default-gateway 192.168.0.254
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server host 192.168.0.10 auth-port 1812 acct-port 1813 key 7 15110E0F0D672E373C7E382D1D4A0506C
bridge 1 route ip
!
...
</code>

===== Tips =====

==== redirection ====

Redirecting an SSID:

<code>
ap01#configure terminal
ap01(config)#dot11 ssid virgin-mobile
ap01(config-ssid)#ip redirection host 192.168.166.2
</code>

| :!: but that's DNAT!!!! not routing! |

grrrr

====== Test ======

Links:
  * http://itknowledgeexchange.techtarget.com/itanswers/need-help-with-multiple-dhcp-pools-on-a-cisco-aironet-ap/
  * http://www.cisco.com/en/US/docs/wireless/access_point/12.3_2_JA/configuration/guide/s32adm.html#wpmkr1060653
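Back to the radius section: the Access-Request captured there is 216 bytes long and carries the attributes listed. The following added example, not code from the original page, rebuilds a packet with those same attributes (it also comes to 216 bytes), parses it, decodes the EAP Response/Identity, and verifies the Message-Authenticator with the shared secret typed in the ''radius-server'' command, which is the check the RADIUS server must perform before it trusts an EAP request. The Request Authenticator is a constructed placeholder.

```python
"""RADIUS Access-Request as the AP sends it: build, parse, verify Message-Authenticator.

Added example, not code from the original page. The attribute values and the
secret "ceci-est-mon-secret" are the page's; the Request Authenticator and the
packet itself are constructed here.
"""
import hashlib
import hmac
import os
import struct

SECRET = b"ceci-est-mon-secret"
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
              12: "Framed-MTU", 30: "Called-Station-Id", 31: "Calling-Station-Id",
              61: "NAS-Port-Type", 79: "EAP-Message", 80: "Message-Authenticator",
              87: "NAS-Port-Id"}
INTEGER_ATTRS = {5, 6, 12, 61}
ENUMS = {6: {1: "Login-User"}, 61: {19: "Wireless-IEEE-802-11"}}


def build_access_request(identifier: int, attrs: list, secret: bytes = SECRET,
                         authenticator: bytes = b"") -> bytes:
    """Code 1 packet; Message-Authenticator = HMAC-MD5(secret, packet with attr 80
    zeroed), which RFC 3579 makes mandatory whenever EAP-Message is present."""
    authenticator = authenticator or os.urandom(16)
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    body += bytes([80, 18]) + b"\x00" * 16          # placeholder, filled below
    packet = struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def parse(packet: bytes) -> dict:
    """Decode the header and the attribute TLVs (RFC 2865 types used on this page)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs = {}
    pos = 20
    while pos < length:
        t, ln = packet[pos], packet[pos + 1]
        if ln < 2 or pos + ln > length:
            raise ValueError("bad attribute length")
        v = packet[pos + 2:pos + ln]
        if t in INTEGER_ATTRS:
            v = struct.unpack("!I", v)[0]
            v = ENUMS.get(t, {}).get(v, v)
        elif t == 4:
            v = ".".join(str(b) for b in v)
        elif t in (1, 30, 31, 87):
            v = v.decode()
        attrs[ATTR_NAMES.get(t, f"Attr-{t}")] = v   # EAP-Message etc. stay as bytes
        pos += ln
    return {"code": code, "id": identifier, "authenticator": packet[4:20], "attrs": attrs}


def verify_message_authenticator(packet: bytes, secret: bytes = SECRET) -> bool:
    """Recompute HMAC-MD5 over the packet with the attribute 80 value zeroed."""
    zeroed, found, pos = bytearray(packet), None, 20
    while pos < len(packet):
        t, ln = packet[pos], packet[pos + 1]
        if ln < 2:
            return False
        if t == 80 and ln == 18:
            found = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = b"\x00" * 16
        pos += ln
    if found is None:
        return False                         # EAP-Message without it: reject (RFC 3579)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, found)


def eap_identity(eap: bytes) -> str:
    """EAP Response(2) / Identity(1): code, id, length, type, then the identity."""
    code, _ident, length, etype = struct.unpack("!BBHB", eap[:5])
    if code != 2 or etype != 1 or length != len(eap):
        raise ValueError("not an EAP Response/Identity")
    return eap[5:].decode()


IDENTITY = "1208012000584533@wlan.mnc001.mcc208.3gppnetwork.org"
EAP_RESP_ID = struct.pack("!BBHB", 2, 2, 5 + len(IDENTITY), 1) + IDENTITY.encode()
SAMPLE = build_access_request(6, [
    (1, IDENTITY.encode()),
    (12, struct.pack("!I", 1400)),
    (30, b"001e.4ac0.4bf0"),               # BSSID of Dot11Radio0
    (31, b"0018.8d06.8092"),
    (6, struct.pack("!I", 1)),             # Login-User
    (79, EAP_RESP_ID),
    (61, struct.pack("!I", 19)),           # Wireless-IEEE-802-11
    (5, struct.pack("!I", 279)),
    (87, b"279"),
    (4, bytes([192, 168, 0, 11])),
], authenticator=bytes(range(16)))         # constructed, fixed so runs repeat
```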