Cisco 1130AG
Links:
Found in a trash can (well, almost): a Cisco 1130AG…
What is it? A Cisco Wi-Fi access point for professionals… with CLI, IOS and so on…
Notably:
16 SSIDs! Several VLANs (optional)
There are 2 “radios” (read: Wi-Fi transmitters):
dot11radio 0 | 802.11n 2.4-GHz | the oldest and most common |
dot11radio 1 | 802.11n 5-GHz | allowed since 2006 (does any equipment actually work with it?) |
Note: “WPA 2 offers a higher level of security than WPA because AES offers stronger encryption than Temporal Key Integrity Protocol (TKIP).”
WPA and Radius: http://wiki.freeradius.org/WPA_HOWTO
Flash
LWAPP to Autonomous
Out of the box it is flashed as a “Lightweight Access Point”, which I don't like at all!
$ sh ver
...
cisco AIR-LAP1131AG-E-K9 (PowerPCElvis) processor (revision A0) with 24566K/8192K bytes of mem.
Processor board ID FCZ1149Q0HQ
PowerPCElvis CPU at 262Mhz, revision number 0x0950
Last reset from power-on
LWAPP image version 4.0.217.0
1 FastEthernet interface
2 802.11 Radio(s)
...
So it has to be re-flashed as “Autonomous”.
TFTP
To flash it you need a TFTP server.
Install tftpd-hpa
(source: http://wozneyenterprises.blogspot.com/2008/12/downgrade-from-lightweight-to.html )
# aptitude install tftpd-hpa
Prepare a directory for the tftpd server, for example:
/srv/tftp/
IOS
For that, I download an IOS, illegally, from a server in China!!! (Thanks, Cisco support)
wget xxxxxxx/c1130-k9w7-tar.124-10b.JA3.tar
Put the image in the “tftp” server directory, under the name “c1130-k9w7-tar.default”
$ mv c1130-k9w7-tar.124-10b.JA3.tar /srv/tftp/c1130-k9w7-tar.default
IP
Knowing that the “cisco” will take IP 10.0.0.1, I take 10.0.0.2:
# ifconfig eth0:x 10.0.0.2 netmask 255.255.255.0
flashing
tftpd
Start the tftpd server like this:
# in.tftpd -c -l -s /srv/tftp -a 255.255.255.255
Why? Because the “Cisco” sends a broadcast request to fetch the file, and “tftpd” only works properly if it is started this way. There you go.
reboot
- Unplug/power off the AP (Cisco Access Point)
- Hold down the “Mode” button
- Plug in/power on the AP
- Keep holding the “Mode” button until the “R” LED turns red: about 20 seconds.
- Release
The tftp server should then be queried and the flashing starts.
At the end
Let's check the IOS:
ap>sh ver
Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(10b)JA3, RELEASE SOFTWARE (fc1)
...
ROM: Bootstrap program is C1130 boot loader
BOOTLDR: C1130 Boot Loader (C1130-BOOT-M) Version 12.3(8)JEA, RELEASE SOFTWARE (fc2)
...
ap uptime is 12 minutes
System returned to ROM by power-on
System image file is "flash:/c1130-k9w7-mx.124-10b.JA3/c1130-k9w7-mx.124-10b.JA3"
...
Ok
Kill the tftp server:
# killall in.tftpd
Default Setting
see doc.
First steps
By default, the “super user” password is: Cisco
Default configuration:
ap#sh ru
Building configuration...

Current configuration : 1362 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$ulXd$aoKZ22oOOTg/Dd29BsSc71
!
no aaa new-model
!
!
power inline negotiation prestandard source
!
!
username Cisco password 7 072C285F4D06
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address dhcp client-id FastEthernet0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end
And a “web” service is running.
ap# sh ip interface brief
Interface      IP-Address     OK? Method Status                Protocol
BVI1           192.168.1.235  YES DHCP   up                    up
Dot11Radio0    unassigned     YES unset  administratively down down
Dot11Radio1    unassigned     YES unset  administratively down down
FastEthernet0  unassigned     YES other  up                    up

ap#show boot
BOOT path-list:
Config file: flash:/config.txt
Private Config file: flash:/private-config
Enable Break: no
Manual Boot: no
Enable IOS Break: no
HELPER path-list:
NVRAM/Config file buffer size: 32768
Mode Button: on
Basic config
Hostname and more
hostname
ap#configure terminal
ap(config)#hostname ap01
ap01(config)#
IP
To configure an IP on the AP, you have to use the “bvi1” interface (and not FastEthernet…)
Configure the IP:
ap01(config)#interface bvi1
ap01(config-if)#ip address 192.168.0.11 255.255.255.0
gateway
ap01(config)#ip default-gateway 192.168.0.254
DNS?
ap01(config)#ip name-server 192.168.0.2 212.27.40.240 212.27.40.241
Console logging
Disable this pollution:
ap01(config)#no logging console
Securing
general password
Set your password:
#configure terminal
ap01(config)#enable secret <mot_de_passe>
users
: to be validated
#configure terminal
Enable “AAA”:
#aaa new-model
AAA login authentication from the local database (for all lines, by default):
#aaa authentication login default local
AAA authorization of EXEC rights (“enable mode”) from the local database:
#aaa authorization exec default local
AAA authorization for all network-related services:
#aaa authorization network default local
( #aaa session-id common )
# username tjaouen privilege 15 secret 0 <MOT_DE_PASSE_EN_CLAIR>
And that's it?
https
: to be validated
AP# configure terminal
AP(config)# hostname ap1100
AP(config)# ip domain name company.com
AP(config)# ip name-server 10.91.107.18
AP(config)# ip http secure-server
AP(config)# end
disabling http
#no ip http server
and/or:
#no ip http secure-server
DHCP
Simple WPA
ssid
ap01(config)#dot11 ssid virgin-mobile
ap01(config-ssid)#guest-mode
“guest-mode” is what broadcasts the SSID
radio
To be done for both “dot11Radio 0” and “dot11Radio 1”.
Among other things:
ap01#configure terminal
ap01(config)#interface dot11Radio 0
Say that it is an “access-point”:
ap01(config-if)#station-role root access-point
Disable that damn extension (optional):
ap01(config-if)#no dot11 extension aironet
If necessary, bring the radio up:
ap01(config-if)#no shutdown
Specify the encryption:
ap01(config-if)#encryption mode ciphers aes-ccm tkip
Bind the ssid:
ap01(config-if)#ssid virgin-mobile
And finish:
ap01(config-if)#end
ap01#configure terminal
ap01(config)#dot11 ssid virgin-mobile
ap01(config-ssid)#authentication open
ap01(config-ssid)#authentication key-management wpa
ap01(config-ssid)#wpa-psk ascii 0 12345678
And that's it?
- the shared key is “12345678”
- once the connection is established, the AP bridges to the network
So the AP does no firewalling and no DHCP serving: none of that.
full config
ap01#sh ru brief
Building configuration...

Current configuration : 2310 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap01
!
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
ip domain name pinkfloyd
ip name-server 192.168.0.2
ip name-server 212.27.40.240
ip name-server 212.27.40.241
!
!
!
dot11 ssid virgin-mobile
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxx
!
power inline negotiation prestandard source
!
crypto pki trustpoint TP-self-signed-2716797280
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2716797280
 revocation-check none
 rsakeypair TP-self-signed-2716797280
!
!
crypto pki certificate chain TP-self-signed-2716797280
 certificate self-signed 01
username tjaouen privilege 15 secret 5 $1$xxxxxxxxxxxxxx
username bbrule privilege 15 secret 5 $1$xxxxxxxxxxxxxx
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid virgin-mobile
 !
 station-role root access-point
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid virgin-mobile
 !
 no dfs band block
 channel dfs
 station-role root access-point
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.0.11 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.0.254
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
ap01#sh dot11 bssid
Interface    BSSID           Guest  SSID
Dot11Radio1  001e.4acd.e1b0  Yes    virgin-mobile
Dot11Radio0  001e.4ac0.4bf0  Yes    virgin-mobile
VLANs
Link: http://www.cisco.com/en/US/docs/wireless/access_point/12.3_8_JA/configuration/guide/s38vlan.html
reconfig
Interface state:
ap01#sh ru interface fastEthernet 0
Building configuration...

Current configuration : 175 bytes
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
end
Configure the “native” interface.
ap01#configure terminal
ap01(config)#interface fastEthernet 0.1
ap01(config-subif)#encapsulation dot1Q 1 native
ap01(config-subif)#no ip route-cache
ap01(config-subif)#bridge-group 1
ap01(config-subif)#no bridge-group 1 source-learning
ap01(config-subif)#bridge-group 1 spanning-disabled
Afterwards, we can see the config adapted itself…
ap01#sh ru interface fastEthernet 0
Building configuration...

Current configuration : 90 bytes
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
end

ap01#sh ru interface fastEthernet 0.1
Building configuration...

Current configuration : 167 bytes
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
end
Add an interface in VLAN 974.
ap01#sh ru interface fastEthernet 0.974
Building configuration...

Current configuration : 164 bytes
!
interface FastEthernet0.974
 encapsulation dot1Q 974
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
end
State of the “radio” interface… it works but no longer lets connections through.
ap01#show running-config interface Dot11Radio 0
Building configuration...

Current configuration : 387 bytes
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid virgin-mobile
 !
 station-role root access-point
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
end
Create a new (virtual) radio:
ap01#configure terminal
ap01(config)#interface Dot11Radio 0.1
ap01(config-subif)#encapsulation dot1Q 1 native
ap01(config-subif)#no ip route-cache
ap01(config-subif)#no cdp enable
ap01(config-subif)#bridge-group 1
ap01(config-subif)#bridge-group 1 subscriber-loop-control
ap01(config-subif)#bridge-group 1 block-unknown-source
ap01(config-subif)#no bridge-group 1 source-learning
ap01(config-subif)#no bridge-group 1 unicast-flooding
ap01(config-subif)#bridge-group 1 spanning-disabled
As with the wired interfaces, the configuration adapted itself:
ap01#sh ru interface Dot11Radio 0
Building configuration...

Current configuration : 189 bytes
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid virgin-mobile
 !
 station-role root access-point
 no dot11 extension aironet
end

ap01#sh ru interface Dot11Radio 0.1
Building configuration...

Current configuration : 293 bytes
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
end

ap01#sh ru ssid virgin-mobile
Building configuration...

Current configuration:
dot11 ssid virgin-mobile
 vlan 1
 mbssid guest-mode
end

ap01(config)#interface dot11Radio 0
ap01(config-if)#encryption vlan 1 mode ciphers aes-ccm tkip
While we're at it, install the 2nd ssid (test2 is in VLAN 2, so the encryption is declared for VLAN 2):
ap01(config-if)#encryption vlan 2 mode ciphers aes-ccm tkip
ap01(config-if)#ssid test2
ap01(config)#interface Dot11Radio 0.2
ap01(config-subif)#encapsulation dot1Q 2
ap01(config-subif)#no ip route-cache
ap01(config-subif)#no cdp enable
ap01(config-subif)#bridge-group 2
ap01(config-subif)#bridge-group 2 subscriber-loop-control
ap01(config-subif)#bridge-group 2 block-unknown-source
ap01(config-subif)#no bridge-group 2 source-learning
ap01(config-subif)#no bridge-group 2 unicast-flooding
ap01(config-subif)#bridge-group 2 spanning-disabled
Do not add “native” on this one: VLAN 1 is already the native VLAN of the radio.
Configure the egress VLAN like this:
ap01#sh ru interface fastEthernet 0.974
Building configuration...

Current configuration : 164 bytes
!
interface FastEthernet0.974
 encapsulation dot1Q 974
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
end
Config
There we go… several SSIDs and several VLANs:
ap01#sh ru
Building configuration...

Current configuration : 4520 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap01
!
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
ip domain name pinkfloyd
ip name-server 192.168.0.2
ip name-server 212.27.40.240
ip name-server 212.27.40.241
!
!
!
dot11 ssid virgin-mobile
 vlan 1
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 00554155500E5D5157
!
dot11 ssid test2
 vlan 2
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 1446435A5D557B7A75
!
power inline negotiation prestandard source
!
crypto pki trustpoint TP-self-signed-2716797280
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2716797280
 revocation-check none
 rsakeypair TP-self-signed-2716797280
!
!
crypto pki certificate chain TP-self-signed-2716797280
 certificate self-signed 01
  ... <snip> ...
  46FB2C4E C005BB45 B699
  quit
username tjaouen privilege 15 secret 5 xxxxxxxxxx
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm tkip
 !
 encryption vlan 2 mode ciphers aes-ccm tkip
 !
 ssid virgin-mobile
 !
 ssid test2
 !
 mbssid
 station-role root access-point
 no dot11 extension aironet
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm tkip
 no dfs band block
 channel dfs
 station-role root access-point
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.974
 encapsulation dot1Q 974
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface BVI1
 ip address 192.168.0.11 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.0.254
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
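As an added example (Python, not from the original page), here is a small audit of the SSID/VLAN wiring above: each VLAN-tagged SSID on an active radio must have its “encryption vlan N”, a radio sub-interface tagged N, and a FastEthernet sub-interface in the same bridge-group (the wired tag may differ, as VLAN 2 bridged to VLAN 974 shows), and a physical interface may carry only one “native” sub-interface. The embedded config is a constructed, trimmed copy of this page's; the two mistakes it catches are exactly the ones made along the way (encryption declared for the wrong VLAN, a second “native” sub-interface).

```python
import re
from collections import defaultdict

# Constructed sample: this page's multi-SSID config trimmed to the lines the audit reads.
SAMPLE_CONFIG = """\
dot11 ssid virgin-mobile
 vlan 1
!
dot11 ssid test2
 vlan 2
!
interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm tkip
 encryption vlan 2 mode ciphers aes-ccm tkip
 ssid virgin-mobile
 ssid test2
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
!
interface Dot11Radio1
 shutdown
 ssid virgin-mobile
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface FastEthernet0.974
 encapsulation dot1Q 974
 bridge-group 2
!
"""


def parse_blocks(config):
    """Split an IOS config into [(header, [member lines])]; members are indented one space."""
    blocks = []
    for raw in config.splitlines():
        if raw.startswith(" ") and blocks:       # indented line belongs to the last block
            blocks[-1][1].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            blocks.append((raw.strip(), []))     # new top-level block ("!" is a separator)
    return blocks


def audit(config):
    """Return findings (strings); an empty list means each active SSID has a coherent VLAN path."""
    ssid_vlan, radios, subifs = {}, {}, {}
    for header, body in parse_blocks(config):
        words = header.split()
        if header.startswith("dot11 ssid "):
            vlans = [int(l.split()[1]) for l in body if re.fullmatch(r"vlan \d+", l)]
            ssid_vlan[words[2]] = vlans[0] if vlans else None
        elif header.startswith("interface ") and "." in words[1]:
            enc = next((l.split() for l in body if l.startswith("encapsulation dot1Q ")), None)
            bg = next((int(l.split()[1]) for l in body if re.fullmatch(r"bridge-group \d+", l)), None)
            subifs[words[1]] = {"vlan": int(enc[2]) if enc else None,
                                "native": bool(enc) and enc[-1] == "native", "bridge_group": bg}
        elif header.startswith("interface Dot11Radio"):
            radios[words[1]] = {"shutdown": "shutdown" in body,
                                "ssids": [l.split()[1] for l in body if l.startswith("ssid ")],
                                "enc_vlans": {int(l.split()[2]) for l in body if l.startswith("encryption vlan ")}}
    # Rule 1: a physical interface may carry only one native (untagged) sub-interface.
    natives = defaultdict(list)
    for name, sub in subifs.items():
        if sub["native"]:
            natives[name.split(".")[0]].append(name)
    findings = [f"{phys}: more than one native sub-interface ({', '.join(names)})"
                for phys, names in natives.items() if len(names) > 1]
    # Rule 2: a VLAN-tagged SSID on an active radio needs "encryption vlan N", a radio sub-interface
    # tagged N and a FastEthernet sub-interface in the same bridge-group (the wired tag may differ:
    # this page bridges radio VLAN 2 to wired VLAN 974 through bridge-group 2).
    for radio, r in radios.items():
        if r["shutdown"]:
            continue                              # an administratively down radio carries no clients
        for ssid in r["ssids"]:
            vlan = ssid_vlan.get(ssid)
            if vlan is None:
                continue
            if vlan not in r["enc_vlans"]:
                findings.append(f"{radio}: ssid {ssid} (vlan {vlan}) lacks 'encryption vlan {vlan}'")
            sub = next((n for n, s in subifs.items() if n.startswith(radio + ".") and s["vlan"] == vlan), None)
            bg = subifs[sub]["bridge_group"] if sub else None
            if sub is None:
                findings.append(f"{radio}: no sub-interface tagged dot1Q {vlan} for ssid {ssid}")
            elif not any(n.startswith("FastEthernet") and s["bridge_group"] == bg for n, s in subifs.items()):
                findings.append(f"{sub}: bridge-group {bg} reaches no FastEthernet sub-interface")
    return findings
```

Feed it the output of “sh ru” saved to a file (the blocks it ignores do no harm); an empty list is the expected result for the config above.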
radius
Link: http://supportwiki.cisco.com/ViewWiki/index.php/EAP_Authentication_with_RADIUS_Server
Testing the radius. Link: http://www.fcug.fr/ios-tester-l-039-authentification-radius
ap01(config)#aaa group server radius rad_eap
ap01(config-sg-radius)#server 192.168.0.10 auth-port 1812 acct-port 1813
ap01(config-sg-radius)#exit
ap01(config)#aaa authentication login eap_methods group rad_eap
ap01(config)#radius-server host 192.168.0.10 auth-port 1812 acct-port 1813 key ceci-est-mon-secret
ap01(config)#end
ap01(config)#dot11 ssid virgin-mobile
Remove the previous config
ap01(config-ssid)#no wpa-psk
ap01(config-ssid)#no authentication key-management
ap01(config-ssid)#no authentication open
Then add the new stuff:
ap01(config-ssid)#authentication open eap eap_methods
ap01(config-ssid)#authentication network-eap eap_methods
Add WPA (my stuff):
ap01(config-ssid)#authentication key-management wpa
But without a shared key… weird to me…
ap01(config-ssid)#end
Accounting: couldn't find how to enable radius accounting!!!
Request to the radius (not up yet)?
17:43:28.088527 IP 192.168.0.11.datametrics > mds.thierry-jaouen.local.radius: RADIUS, Access Request (1), id: 0x02 length: 216
Yes!
Getting closer:
*** Received from 192.168.0.11 port 1645 ....
Code:       Access-Request
Identifier: 6
Authentic:  xxxxxxx
Attributes:
        User-Name = "1208012000584533@wlan.mnc001.mcc208.3gppnetwork.org"
        Framed-MTU = 1400
        Called-Station-Id = "001e.4ac0.4bf0"
        Calling-Station-Id = "0018.8d06.8092"
        Service-Type = Login-User
        Message-Authenticator = xxxxxxxxx
        EAP-Message = <2><2><0>8<1>1208012000584533@wlan.mnc001.mcc208.3gppnetwork.org
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-Port = 279
        NAS-Port-Id = "279"
        NAS-IP-Address = 192.168.0.11
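As an added example (Python, not from the original page or the Cisco/Radiator docs), this shows what the Message-Authenticator in that request protects: an Access-Request with constructed attributes mirroring the capture is built and then verified with the shared secret configured on the AP above (ceci-est-mon-secret); any other secret or any altered byte fails the check. The Request Authenticator is random, as on a real NAS, and the attribute values are constructed samples.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
# RFC 2865 / RFC 3579 attribute types used by the request captured on this page.
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_MTU = 1, 4, 6, 12
CALLED_STATION_ID, CALLING_STATION_ID = 30, 31
NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 61, 80
MSG_AUTH_LEN = 16
HEADER_LEN = 20                      # Code, Identifier, Length, 16-byte Request Authenticator

SHARED_SECRET = b"ceci-est-mon-secret"   # the radius-server key configured on the AP above


def attr(atype, value):
    """Encode one Type-Length-Value attribute; integers become 4-byte big-endian values."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    return bytes([atype, 2 + len(value)]) + value


def build_access_request(identifier, secret, attributes, authenticator=None):
    """Assemble an Access-Request whose Message-Authenticator is valid under `secret`."""
    authenticator = authenticator or os.urandom(16)     # Request Authenticator is random
    # The HMAC-MD5 runs over the whole packet with the Message-Authenticator value zeroed.
    body = attributes + attr(MESSAGE_AUTHENTICATOR, bytes(MSG_AUTH_LEN))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    mac = hmac.new(secret, header + authenticator + body, hashlib.md5).digest()
    return header + authenticator + attributes + attr(MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(packet):
    """Return [(offset, type, value)] for each attribute; raise ValueError if malformed."""
    out, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        out.append((pos, atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_message_authenticator(packet, secret):
    """True only if the packet is well-formed and its Message-Authenticator matches `secret`.

    Any change to the packet (attributes, identifier, Request Authenticator) or a different
    shared secret invalidates the HMAC; this is what binds the EAP exchange to the AP/server pair.
    """
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    macs = [(off, val) for off, atype, val in attrs if atype == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][1]) != MSG_AUTH_LEN:
        return False                 # must be present exactly once (RFC 3579, section 3.2)
    start = macs[0][0] + 2
    zeroed = packet[:start] + bytes(MSG_AUTH_LEN) + packet[start + MSG_AUTH_LEN:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0][1])


# Constructed sample mirroring the Access-Request the AP sent in the capture above.
SAMPLE_ATTRIBUTES = (
    attr(USER_NAME, b"1208012000584533@wlan.mnc001.mcc208.3gppnetwork.org")
    + attr(FRAMED_MTU, 1400)
    + attr(CALLED_STATION_ID, b"001e.4ac0.4bf0")
    + attr(CALLING_STATION_ID, b"0018.8d06.8092")
    + attr(SERVICE_TYPE, 1)                          # Login-User
    + attr(NAS_PORT_TYPE, 19)                        # Wireless-IEEE-802-11
    + attr(NAS_IP_ADDRESS, bytes([192, 168, 0, 11]))
)
SAMPLE_REQUEST = build_access_request(6, SHARED_SECRET, SAMPLE_ATTRIBUTES)
```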
LEAP does not work.
- LEAP is rotten (see goog)
- LEAP does not work on Windows XP Home… too bad.
So, we abandon this pseudo-simplicity.
wpa2
Link: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml
LEAP
I can't get it to work.
PEAP
Link: http://web.archive.org/web/20031206113912/http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
A very complicated way to make a network super secure…
In any case, with “Windoz XP Home”, it's a real pain.
general principles
It looks an awful lot like a “vpn”…
A “root” certificate has to be created, which will sign everything else.
Create a “server” certificate: for us, that's the “ssid” of the Wi-Fi network.
Then create the certificates for the clients.
Configuration
openssl.cnf
Edit /etc/ssl/openssl.cnf
(save the original, you never know), and customise what needs to be… Roughly:
...
# 10 years of validity is better than one
default_days = 3650 # how long to certify for
...
[ req_distinguished_name ]
...
countryName_default = FR
...
localityName_default = Paris
...
0.organizationName_default = TJ Corp.
...
organizationalUnitName_default = AP lab
...
commonName_default = TJ-Root-CA
...
emailAddress_default = postmaster@thierry-jaouen.fr
...
Everything else is fine by default.
scripts
There are plenty of ways to go about it, but we'll use scripts pinched from the net.
A script close to the following can be found in “Radiator”, under the name “mkcertificate.sh”
…
CA.root
#!/bin/sh
#SSL=/usr/local/openssl-certgen
#export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
#export LD_LIBRARY_PATH=${SSL}/lib
export PATH=/usr/bin/:/usr/lib/ssl/misc:${PATH}
export LD_LIBRARY_PATH=/usr/lib/ssl

# needed if you need to start from scratch otherwise the CA.pl -newca command doesn't copy the new
# private key into the CA directories
rm -rf demoCA

echo "*********************************************************************************"
echo "Creating self-signed private key and certificate"
echo "When prompted override the default value for the Common Name field"
echo "*********************************************************************************"
echo

# Generate a new self-signed certificate.
# After invocation, newreq.pem will contain a private key and certificate
# newreq.pem will be used in the next step
openssl req -new -x509 -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever

echo "*********************************************************************************"
echo "Creating a new CA hierarchy (used later by the \"ca\" command) with the certificate"
echo "and private key created in the last step"
echo "*********************************************************************************"
echo

echo "newreq.pem" | CA.pl -newca >/dev/null

echo "*********************************************************************************"
echo "Creating ROOT CA"
echo "*********************************************************************************"
echo

# Create a PKCS#12 file, using the previously created CA certificate/key
# The certificate in demoCA/cacert.pem is the same as in newreq.pem. Instead of
# using "-in demoCA/cacert.pem" we could have used "-in newreq.pem" and then omitted
# the "-inkey newreq.pem" because newreq.pem contains both the private key and certificate
openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin pass:whatever -passout pass:whatever

# parse the PKCS#12 file just created and produce a PEM format certificate and key in root.pem
openssl pkcs12 -in root.p12 -out root.pem -passin pass:whatever -passout pass:whatever

# Convert root certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in root.pem -out root.der

# Clean Up
rm -rf newreq.pem

# TJ ------
# the "serial" file is not created by CA.pl here, so seed it by hand
echo "01" > demoCA/serial
# ---------
Compared with the original, I changed the lines at the beginning and at the end (because the “serial” file is not created).
The default passphrase is “whatever” ⇒ we could change it, couldn't we?
CA.svr
#!/bin/sh
#SSL=/usr/local/openssl-certgen
#export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
#export LD_LIBRARY_PATH=${SSL}/lib
export PATH=/usr/bin/:/usr/lib/ssl/misc:${PATH}
export LD_LIBRARY_PATH=/usr/lib/ssl

# the server name is also the output file name: refuse to run without it
[ -n "$1" ] || { echo "usage: $0 <servername>" >&2; exit 1; }

echo "*********************************************************************************"
echo "Creating server private key and certificate"
echo "When prompted enter the server name in the Common Name field."
echo "*********************************************************************************"
echo

# Request a new PKCS#10 certificate.
# First, newreq.pem will be overwritten with the new certificate request
openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever

# Sign the certificate request. The policy is defined in the openssl.cnf file.
# The request generated in the previous step is specified with the -infiles option and
# the output is in newcert.pem
# The -extensions option is necessary to add the OID for the extended key for server authentication
openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem

# Create a PKCS#12 file from the new certificate and its private key found in newreq.pem
# and place in file specified on the command line
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out "$1.p12" -clcerts -passin pass:whatever -passout pass:whatever

# parse the PKCS#12 file just created and produce a PEM format certificate and key in certsrv.pem
openssl pkcs12 -in "$1.p12" -out "$1.pem" -passin pass:whatever -passout pass:whatever

# Convert certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in "$1.pem" -out "$1.der"

# Clean Up
rm -rf newcert.pem newreq.pem
Same remark as for “CA.root”.
CA.clt
#!/bin/sh
#SSL=/usr/local/openssl-certgen
#export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
#export LD_LIBRARY_PATH=${SSL}/lib
export PATH=/usr/bin/:/usr/lib/ssl/misc:${PATH}
export LD_LIBRARY_PATH=/usr/lib/ssl

# the client name is also the output file name: refuse to run without it
[ -n "$1" ] || { echo "usage: $0 <clientname>" >&2; exit 1; }

echo "*********************************************************************************"
echo "Creating client private key and certificate"
echo "When prompted enter the client name in the Common Name field. This is the same"
echo " used as the Username in FreeRADIUS"
echo "*********************************************************************************"
echo

# Request a new PKCS#10 certificate.
# First, newreq.pem will be overwritten with the new certificate request
openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever

# Sign the certificate request. The policy is defined in the openssl.cnf file.
# The request generated in the previous step is specified with the -infiles option and
# the output is in newcert.pem
# The -extensions option is necessary to add the OID for the extended key for client authentication
openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpclient_ext -extfile xpextensions -infiles newreq.pem

# Create a PKCS#12 file from the new certificate and its private key found in newreq.pem
# and place in file specified on the command line
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out "$1.p12" -clcerts -passin pass:whatever -passout pass:whatever

# parse the PKCS#12 file just created and produce a PEM format certificate and key in certclt.pem
openssl pkcs12 -in "$1.p12" -out "$1.pem" -passin pass:whatever -passout pass:whatever

# Convert certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in "$1.pem" -out "$1.der"

# clean up
rm -rf newcert.pem newreq.pem
Same remark as for “CA.root”.
executable
make the scripts executable:
# chmod a+x CA.*
xpextensions
One more file, named “xpextensions”, whose content must be:
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
In the end
# ls -lrt
-rwxr-xr-x 1 root root 1769 2009-05-11 14:25 CA.svr
-rwxr-xr-x 1 root root 1826 2009-05-11 14:26 CA.clt
-rw-r--r-- 1 root root  111 2009-05-11 14:26 xpextensions
-rwxr-xr-x 1 root root 2350 2009-05-11 14:45 CA.root
In practice
directory
Choose a working directory, for example:
# mkdir /etc/ssl/radius
# cd /etc/ssl/radius
Copy the files seen above into it, namely:
CA.root CA.svr CA.clt xpextensions
Root
To be done the 1st time only!
Generate the authority certificate:
# ./CA.root
Check the “Common Name”, for example: TJ-RADIUS-CA.
This creates various files (and directories).
Server
Generate the “server” certificate.
# ./CA.svr virgin-mobile
The “Common Name” must be: virgin-mobile
(I believe there is a check that the “Common Name” matches the ssid)
Client
Generate a client's certificate (or a “pool” of clients?)
# ./CA.clt tjaouen
the “Common Name” does not matter afterwards, in particular for authentication.
The final “username”/password requested by Windoz is independent of the “Common Name”.
in the end
root.pem root.der <servername>.pem <clientusername>.p12
Ignore the rest? ok….
Radius
An excerpt from the radius configuration:
AutoMPPEKeys yes
EAPType PEAP,MSCHAP-V2
#EAPType PEAP,MSCHAP-V2, TTLS
#EAPType PEAP
EAPTLS_CAFile %D/ssl2/root.pem
EAPTLS_CertificateFile %D/ssl2/virgin-mobile.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/ssl2/virgin-mobile.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_MaxFragmentSize 1000
In this case the files were put in the “…/ssl2/” subdirectory, but it doesn't matter?
- the passphrase is in clear text…
- the public and private keys are in the same file (virgin-mobile.pem)
Windows XP
Transfer the following files to the client:
root.der <username>.p12
How? Who cares.
install certificates
First “root.der”
Then <username>.p12
When setting up the “wifi” connection, it gets more complicated:
Network properties > Wifi > “virgin-mobile” > Properties > Authentication
Protected EAP (PEAP)
[x] Authenticate as computer ....
PEAP properties…
[ ] Validate server certificate (left unchecked here; once root.der is installed, ticking it makes the client check the RADIUS server's certificate against that CA)
Password (EAP-MSCHAP v2) > Configure
[ ] Automatically use my name ...
After doing all that, you will realise it has to be redone every time! At least on Windoz XP SP3 HOME.
On top of that, it has to be done at the right moment!!! ggrrrrrrrrrrr
Cisco Conf
...
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.0.10 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
!
aaa session-id common
...
!
dot11 ssid virgin-mobile
 vlan 1
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
 mbssid guest-mode
!
...
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 encryption vlan 2 mode ciphers aes-ccm tkip
 !
 ssid virgin-mobile
 !
 ssid test2
 !
 mbssid
 station-role root access-point
 no dot11 extension aironet
!
...
!
ip default-gateway 192.168.0.254
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server host 192.168.0.10 auth-port 1812 acct-port 1813 key 7 15110E0F0D672E373C7E382D1D4A0506C
bridge 1 route ip
!
...
Tips
redirection
Redirecting an SSID
ap01#configure terminal
ap01(config)#dot11 ssid virgin-mobile
ap01(config-ssid)#ip redirection host 192.168.166.2
but that's DNAT!!!! not routing!
grrrr