Cisco 1130AG

Links:

Found in a bin (well, almost): a Cisco 1130AG…

What is it? A Cisco Wi-Fi access point for professionals, with a CLI, IOS & so on…

Notably:

16 SSIDs!
Several VLANs (optional)

There are 2 "radios" (i.e. Wi-Fi transmitters):

dot11radio 0: 802.11n 2.4 GHz, the oldest and most common
dot11radio 1: 802.11n 5 GHz, authorised since 2006 (does any equipment actually use it?)
Worth knowing: "WPA 2 offers a higher level of security than WPA because AES offers stronger encryption than Temporal Key Integrity Protocol (TKIP)."

WPA and RADIUS: http://wiki.freeradius.org/WPA_HOWTO

Flash

LWAPP to Autonomous

Out of the box it is flashed as a "Lightweight Access Point", which I don't like at all!

$ sh ver
...
cisco AIR-LAP1131AG-E-K9   (PowerPCElvis) processor (revision A0) with 24566K/8192K bytes of mem.
Processor board ID FCZ1149Q0HQ
PowerPCElvis CPU at 262Mhz, revision number 0x0950
Last reset from power-on
LWAPP image version 4.0.217.0
1 FastEthernet interface
2 802.11 Radio(s)
...

So it has to be re-flashed as "Autonomous".

TFTP

To flash it, you need a TFTP server.

Install tftpd-hpa (source: http://wozneyenterprises.blogspot.com/2008/12/downgrade-from-lightweight-to.html )

# aptitude install tftpd-hpa

Prepare a directory for the tftpd server, for example:

/srv/tftp/

IOS

For that, I download an IOS, illegally, from a server in China!!! (Thanks, Cisco after-sales :-P )

wget xxxxxxx/c1130-k9w7-tar.124-10b.JA3.tar

Put the image in the "tftp" server directory, under the name "c1130-k9w7-tar.default":

$ mv c1130-k9w7-tar.124-10b.JA3.tar /srv/tftp/c1130-k9w7-tar.default

IP

Since the "cisco" will take IP 10.0.0.1, I take 10.0.0.2:

# ifconfig eth0:x 10.0.0.2 netmask 255.255.255.0

Flashing

tftpd

Start the tftpd server like this:

# in.tftpd -c -l -s /srv/tftp -a 255.255.255.255

Why? Because the "Cisco" sends a broadcast request to fetch the file, and "tftpd" only answers it properly when started this way. That's it.

reboot

  1. Unplug/switch off the AP (Cisco Access Point)
  2. Hold down the "Mode" button
  3. Plug in/switch on the AP
  4. Keep holding the "Mode" button until the "R" LED turns red: about 20 seconds
  5. Release

The tftp server should get queried, and the flashing begins.

At the end

Check the IOS:

ap>sh ver
Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(10b)JA3, RELEASE SOFTWARE (fc1)
...
ROM: Bootstrap program is C1130 boot loader
BOOTLDR: C1130 Boot Loader (C1130-BOOT-M) Version 12.3(8)JEA, RELEASE SOFTWARE (fc2)
...
ap uptime is 12 minutes
System returned to ROM by power-on
System image file is "flash:/c1130-k9w7-mx.124-10b.JA3/c1130-k9w7-mx.124-10b.JA3"
...

Ok

Kill the tftp server:

# killall in.tftpd

Default Setting

See the docs.

First steps

By default, the "super user" password is: Cisco

Default configuration:

ap#sh ru
Building configuration...

Current configuration : 1362 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$ulXd$aoKZ22oOOTg/Dd29BsSc71
!
no aaa new-model
!
!
power inline negotiation prestandard source
!
!
username Cisco password 7 072C285F4D06
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address dhcp client-id FastEthernet0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end

And a "web" service is running.

ap# sh ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
BVI1                       192.168.1.235   YES DHCP   up                    up
Dot11Radio0                unassigned      YES unset  administratively down down
Dot11Radio1                unassigned      YES unset  administratively down down
FastEthernet0              unassigned      YES other  up                    up
ap#show boot
BOOT path-list:
Config file:         flash:/config.txt
Private Config file: flash:/private-config
Enable Break:        no
Manual Boot:         no
Enable IOS Break:    no
HELPER path-list:
NVRAM/Config file
    buffer size:   32768
    Mode Button:    on

Basic config

Hostname and more

hostname

ap#configure terminal
ap(config)#hostname ap01
ap01(config)#

IP

To give the AP an IP address, you have to work on the "bvi1" interface (not FastEthernet…).

Configure the IP:

ap01(config)#interface bvi1
ap01(config-if)#ip address 192.168.0.11 255.255.255.0

gateway

ap01(config)#ip default-gateway 192.168.0.254

DNS?

ap01(config)#ip name-server 192.168.0.2 212.27.40.240 212.27.40.241

Console logging

Disable this noise:

ap01(config)#no logging console

Securing

Main password

Set your own password:

#configure terminal
ap01(config)#enable secret <password>

users

FIXME: to be validated

#configure terminal

Enable "AAA":

#aaa new-model

AAA authentication against the local database (for all lines, by default):

#aaa authentication login default local

AAA authorization that defines EXEC rights ("enable mode"):

#aaa authorization exec default local

AAA authorization for all network-related services (the method list name is required; "default" applies it everywhere):

#aaa authorization network default local

( #aaa session-id common )

# username tjaouen privilege 15 secret 0 <CLEARTEXT_PASSWORD>

And that's it?

https

Link: http://www.cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b-chap2-gui.html#wp1098676

FIXME: to be validated

AP# configure terminal
AP(config)# hostname ap1100
AP(config)# ip domain name company.com
AP(config)# ip name-server 10.91.107.18
AP(config)# ip http secure-server
AP(config)# end

disabling http

#no ip http server

and/or:

#no ip http secure-server
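To check that these hardening steps actually landed in the running config, here is an added example (my own code, not something from this page or from Cisco) that scans a "show running-config" dump for the weak defaults this AP ships with: the plain-HTTP web UI, HTTPS off, "no aaa new-model", type-7 "password" lines, and TKIP left enabled next to AES-CCM. The two sample configs are constructed from the default and hardened configs shown on this page, with the hashes and type-7 strings replaced by placeholders; the check ids, severities and messages are my own choice.

```python
import re

# Constructed sample, modelled on the factory-default config shown earlier on
# this page (hash and type-7 strings replaced by placeholders).
DEFAULT_CONFIG = """\
version 12.4
service password-encryption
hostname ap
enable secret 5 $1$PLACEHOLDER
no aaa new-model
username Cisco password 7 PLACEHOLDER
interface BVI1
 ip address dhcp client-id FastEthernet0
ip http server
no ip http secure-server
line vty 0 4
 login local
end
"""

# Constructed sample, modelled on the page's hardened config (placeholders again).
HARDENED_CONFIG = """\
version 12.4
service password-encryption
hostname ap01
aaa new-model
aaa authentication login default local
aaa authorization exec default local
dot11 ssid virgin-mobile
   authentication key-management wpa
   wpa-psk ascii 7 PLACEHOLDER
username tjaouen privilege 15 secret 5 $1$PLACEHOLDER
interface Dot11Radio0
 encryption mode ciphers aes-ccm tkip
 ssid virgin-mobile
no ip http server
ip http authentication aaa
ip http secure-server
line vty 0 4
end
"""

# (id, regex run over the whole config in multiline mode, severity, message)
CHECKS = [
    ("http-plain", r"^ip http server$", "high",
     "plain-HTTP web UI enabled: 'no ip http server'"),
    ("https-off", r"^no ip http secure-server$", "medium",
     "HTTPS web UI disabled: if the web UI is needed at all, use 'ip http secure-server'"),
    ("aaa-off", r"^no aaa new-model$", "medium",
     "AAA disabled: vty/web logins rely on bare 'login local'"),
    ("user-type7", r"^username \S+(?: privilege \d+)? password 7 ", "high",
     "username password stored as type 7 (reversible obfuscation): use 'username ... secret'"),
    ("user-clear", r"^username \S+(?: privilege \d+)? password (?:0 )?(?!7 )\S+", "high",
     "username password stored in clear text"),
    ("enable-clear", r"^enable password ", "high",
     "'enable password' is not hashed: use 'enable secret'"),
    ("psk-type7", r"^\s*wpa-psk ascii 7 ", "info",
     "WPA PSK is only type-7 obfuscated: treat config backups as secret"),
    ("radius-type7", r"^radius-server host .* key 7 ", "info",
     "RADIUS shared secret is only type-7 obfuscated: treat config backups as secret"),
    ("tkip", r"^\s*encryption (?:vlan \d+ )?mode ciphers .*\btkip\b", "low",
     "TKIP allowed next to AES-CCM: WPA2/AES-capable clients can still negotiate TKIP"),
]


def audit(config):
    """Return one finding dict per matching config line."""
    findings = []
    for cid, pattern, severity, message in CHECKS:
        for m in re.finditer(pattern, config, re.M):
            findings.append({"id": cid, "severity": severity,
                             "line": m.group(0).strip(), "message": message})
    return findings


def finding_ids(config):
    """Sorted, de-duplicated check ids that fired (handy for tests and diffs)."""
    return sorted({f["id"] for f in audit(config)})


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit(cfg):
            print(f"[{f['severity']:6}] {f['line']!r}: {f['message']}")
```

Run it on a saved "show running-config" and the default config yields four findings while the hardened one is left with the two items this page consciously accepts (the type-7 PSK and TKIP in the cipher list). The checks are deliberately line-oriented: IOS prints these commands at a fixed indentation, so anchoring on the start of line is enough to tell "ip http server" from "no ip http server".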

DHCP

Simple WPA

ssid

ap01(config)#dot11 ssid virgin-mobile
ap01(config-ssid)#guest-mode

"guest-mode" makes the AP broadcast the SSID.

radio

Link: http://www.cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b-chap6-radio.html#wp1035071

:!: To be done for "dot11Radio 0" and "dot11Radio 1"

Among other things:

ap01#configure terminal
ap01(config)#interface dot11Radio 0

Say that it is an "access-point":

ap01(config-if)#station-role root access-point

Disable the silly Aironet extension (optional):

ap01(config-if)#no dot11 extension aironet

If needed, bring the radio up:

ap01(config-if)#no shutdown

Specify the encryption:

ap01(config-if)#encryption mode ciphers aes-ccm tkip

Attach the ssid:

ap01(config-if)#ssid virgin-mobile

And finally:

ap01(config-if)#end
ap01#configure terminal
ap01(config)#dot11 ssid virgin-mobile
ap01(config-ssid)#authentication open
ap01(config-ssid)#authentication key-management wpa
ap01(config-ssid)#wpa-psk ascii 0 12345678

And that's it?

  • the shared key is "12345678"
  • once the connection is up, the AP bridges the client onto the network

So the AP does no firewalling and no DHCP serving: none of that.

Full config

ap01#sh ru brief
Building configuration...

Current configuration : 2310 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap01
!
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
ip domain name pinkfloyd
ip name-server 192.168.0.2
ip name-server 212.27.40.240
ip name-server 212.27.40.241
!
!
!
dot11 ssid virgin-mobile
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 xxxxxxxxxxxxx
!
power inline negotiation prestandard source
!
crypto pki trustpoint TP-self-signed-2716797280
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2716797280
 revocation-check none
 rsakeypair TP-self-signed-2716797280
!
!
crypto pki certificate chain TP-self-signed-2716797280
 certificate self-signed 01
username tjaouen privilege 15 secret 5 $1$xxxxxxxxxxxxxx
username bbrule privilege 15 secret 5 $1$xxxxxxxxxxxxxx
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid virgin-mobile
 !
 station-role root access-point
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid virgin-mobile
 !
 no dfs band block
 channel dfs
 station-role root access-point
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.0.11 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.0.254
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
ap01#sh dot11 bssid
Interface      BSSID         Guest  SSID
Dot11Radio1   001e.4acd.e1b0  Yes  virgin-mobile
Dot11Radio0   001e.4ac0.4bf0  Yes  virgin-mobile

VLANs

Reconfiguration

Interface state:

ap01#sh ru interface fastEthernet 0
Building configuration...

Current configuration : 175 bytes
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
end

Configure the "native" sub-interface.

ap01#configure terminal
ap01(config)#interface fastEthernet 0.1
ap01(config-subif)#encapsulation dot1Q 1 native
ap01(config-subif)#no ip route-cache
ap01(config-subif)#bridge-group 1
ap01(config-subif)#no bridge-group 1 source-learning
ap01(config-subif)#bridge-group 1 spanning-disabled

Afterwards, you can see that the config has adapted itself…

ap01#sh ru interface fastEthernet 0
Building configuration...

Current configuration : 90 bytes
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
end

ap01#sh ru interface fastEthernet 0.1
Building configuration...

Current configuration : 167 bytes
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
end

Add a sub-interface in VLAN 974.

ap01#sh ru interface fastEthernet 0.974
Building configuration...

Current configuration : 164 bytes
!
interface FastEthernet0.974
 encapsulation dot1Q 974
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
end

State of the "radio" interface… it works, but no longer lets connections through.

ap01#show running-config interface Dot11Radio 0
Building configuration...

Current configuration : 387 bytes
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid virgin-mobile
 !
 station-role root access-point
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
end

Create a new (virtual) radio:

ap01#configure terminal
ap01(config)#interface Dot11Radio 0.1
ap01(config-subif)#encapsulation dot1Q 1 native
ap01(config-subif)#no ip route-cache
ap01(config-subif)#no cdp enable
ap01(config-subif)#bridge-group 1
ap01(config-subif)#bridge-group 1 subscriber-loop-control
ap01(config-subif)#bridge-group 1 block-unknown-source
ap01(config-subif)#no bridge-group 1 source-learning
ap01(config-subif)#no bridge-group 1 unicast-flooding
ap01(config-subif)#bridge-group 1 spanning-disabled

As with the wired interfaces, the configuration has adapted itself:

ap01#sh ru interface Dot11Radio 0
Building configuration...

Current configuration : 189 bytes
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid virgin-mobile
 !
 station-role root access-point
 no dot11 extension aironet
end

ap01#sh ru interface Dot11Radio 0.1
Building configuration...

Current configuration : 293 bytes
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
end
ap01#sh ru ssid virgin-mobile
Building configuration...

Current configuration:
dot11 ssid virgin-mobile
   vlan 1
   mbssid guest-mode
end

Now that the ssid is bound to VLAN 1, the encryption has to be declared per VLAN:

ap01(config)#interface dot11Radio 0
ap01(config-if)#encryption vlan 1 mode ciphers aes-ccm tkip

While we're at it, install the 2nd ssid (test2 is declared like virgin-mobile, but with "vlan 2"; see the full config below). Its encryption line must name the ssid's VLAN (2), and its sub-interface is not native:

ap01(config-if)#encryption vlan 2 mode ciphers aes-ccm tkip
ap01(config-if)#ssid test2
ap01(config)#interface Dot11Radio 0.2
ap01(config-subif)#encapsulation dot1Q 2
ap01(config-subif)#no ip route-cache
ap01(config-subif)#no cdp enable
ap01(config-subif)#bridge-group 2
ap01(config-subif)#bridge-group 2 subscriber-loop-control
ap01(config-subif)#bridge-group 2 block-unknown-source
ap01(config-subif)#no bridge-group 2 source-learning
ap01(config-subif)#no bridge-group 2 unicast-flooding
ap01(config-subif)#bridge-group 2 spanning-disabled

:!: do not add "native" here: only one sub-interface per radio can be native, and that is Dot11Radio 0.1.

Configure the egress VLAN like this:

ap01#sh ru interface fastEthernet 0.974
Building configuration...

Current configuration : 164 bytes
!
interface FastEthernet0.974
 encapsulation dot1Q 974
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
end

Config

There… several SSIDs and several VLANs:

ap01#sh ru
Building configuration...

Current configuration : 4520 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap01
!
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
ip domain name pinkfloyd
ip name-server 192.168.0.2
ip name-server 212.27.40.240
ip name-server 212.27.40.241
!
!
!
dot11 ssid virgin-mobile
   vlan 1
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 00554155500E5D5157
!
dot11 ssid test2
   vlan 2
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 1446435A5D557B7A75
!
power inline negotiation prestandard source
!
crypto pki trustpoint TP-self-signed-2716797280
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2716797280
 revocation-check none
 rsakeypair TP-self-signed-2716797280
!
!
crypto pki certificate chain TP-self-signed-2716797280
 certificate self-signed 01
  ... <snip> ...
  46FB2C4E C005BB45 B699
  quit
username tjaouen privilege 15 secret 5 xxxxxxxxxx
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm tkip
 !
 encryption vlan 2 mode ciphers aes-ccm tkip
 !
 ssid virgin-mobile
 !
 ssid test2
 !
 mbssid
 station-role root access-point
 no dot11 extension aironet
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm tkip
 no dfs band block
 channel dfs
 station-role root access-point
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.974
 encapsulation dot1Q 974
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface BVI1
 ip address 192.168.0.11 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.0.254
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
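With two SSIDs, two radio sub-interfaces, two bridge-groups and two wired sub-interfaces, it is easy to get one link of the chain wrong, and the two slips that are easiest to make here are "native" on a second sub-interface of the same radio, and an encryption line that names the wired tag (974) instead of the ssid's VLAN (2). The following added example (my code, not the page's and not Cisco's) parses a running config, follows each ssid through vlan, radio sub-interface, bridge-group and wired sub-interface, and reports breaks: a missing "encryption vlan N", a missing sub-interface, a bridge-group with no wired member, or two native sub-interfaces on one parent. SAMPLE_CONFIG is a constructed, condensed copy of the config above; BROKEN_CONFIG is the same with the two slips applied.

```python
import re

# Constructed sample: a condensed copy of the two-SSID config shown above.
SAMPLE_CONFIG = """\
dot11 ssid virgin-mobile
   vlan 1
!
dot11 ssid test2
   vlan 2
!
interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm tkip
 encryption vlan 2 mode ciphers aes-ccm tkip
 ssid virgin-mobile
 ssid test2
 mbssid
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface FastEthernet0.974
 encapsulation dot1Q 974
 bridge-group 2
!
"""

# Constructed variant with the two slips: "native" on a second sub-interface of
# the same radio, and the wired tag (974) in the encryption line instead of 2.
BROKEN_CONFIG = (SAMPLE_CONFIG
                 .replace("encapsulation dot1Q 2\n", "encapsulation dot1Q 2 native\n")
                 .replace("encryption vlan 2 mode", "encryption vlan 974 mode"))


def parse_blocks(config):
    """Split an IOS config into (header, [stripped indented lines]) blocks."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def build_model(config):
    """Return (ssid -> vlan, radio -> {ssids, enc_vlans}, sub-interface -> details)."""
    ssids, radios, subifs = {}, {}, {}
    for header, body in parse_blocks(config):
        m = re.match(r"dot11 ssid (\S+)", header)
        if m:
            ssids[m.group(1)] = next((int(l.split()[1]) for l in body
                                      if l.startswith("vlan ")), None)
            continue
        m = re.match(r"interface (\S+)", header)
        if not m:
            continue
        name = m.group(1)
        if "." in name:  # dot1Q sub-interface
            sub = {"parent": name.split(".")[0], "tag": None, "native": False, "group": None}
            for l in body:
                e = re.match(r"encapsulation dot1Q (\d+)( native)?", l)
                if e:
                    sub["tag"], sub["native"] = int(e.group(1)), bool(e.group(2))
                b = re.match(r"bridge-group (\d+)$", l)  # plain membership line only
                if b:
                    sub["group"] = int(b.group(1))
            subifs[name] = sub
        elif name.startswith("Dot11Radio"):
            radios[name] = {
                "ssids": [l.split()[1] for l in body if l.startswith("ssid ")],
                "enc_vlans": {int(v) for l in body
                              for v in re.findall(r"^encryption vlan (\d+)", l)},
            }
    return ssids, radios, subifs


def check_mapping(config):
    """Follow each ssid from its VLAN to the wire; return (paths, problems)."""
    ssids, radios, subifs = build_model(config)
    paths, problems, natives = {}, [], {}
    for name, s in subifs.items():
        if s["native"]:
            natives.setdefault(s["parent"], []).append(name)
    for parent, names in natives.items():
        if len(names) > 1:
            problems.append(f"{parent}: more than one native sub-interface ({', '.join(names)})")
    for ssid, vlan in ssids.items():
        if vlan is None:
            continue  # non-VLAN ssid: bridged by the parent radio itself
        for radio, r in radios.items():
            if ssid not in r["ssids"]:
                continue
            if vlan not in r["enc_vlans"]:
                problems.append(f"{radio}: no 'encryption vlan {vlan}' for ssid {ssid}")
            radio_sub = [n for n, s in subifs.items()
                         if s["parent"] == radio and s["tag"] == vlan]
            if not radio_sub:
                problems.append(f"{radio}: no sub-interface tagged {vlan} for ssid {ssid}")
                continue
            group = subifs[radio_sub[0]]["group"]
            wired = [n for n, s in subifs.items()
                     if s["group"] == group and not s["parent"].startswith("Dot11Radio")]
            if not wired:
                problems.append(f"ssid {ssid}: bridge-group {group} has no wired sub-interface")
                continue
            paths[ssid] = {"vlan": vlan, "radio_sub": radio_sub[0], "group": group,
                           "wired_sub": wired[0], "wired_tag": subifs[wired[0]]["tag"]}
    return paths, problems


if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG, BROKEN_CONFIG):
        paths, problems = check_mapping(cfg)
        for ssid, p in paths.items():
            print(f"{ssid}: vlan {p['vlan']} -> {p['radio_sub']} -> bridge-group {p['group']}"
                  f" -> {p['wired_sub']} (dot1Q {p['wired_tag']})")
        print("problems:", problems or "none")
```

On the page's config the report shows that test2 rides VLAN 2 on the radio side but leaves on dot1Q tag 974 on the wire: the bridge-group, not the tag number, is what ties the two together, which is why the numbers need not match. On BROKEN_CONFIG the two slips come out as two problems.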

radius

Link: http://supportwiki.cisco.com/ViewWiki/index.php/EAP_Authentication_with_RADIUS_Server

Testing the RADIUS. Link: http://www.fcug.fr/ios-tester-l-039-authentification-radius

ap01(config)#aaa group server radius rad_eap
ap01(config-sg-radius)#server 192.168.0.10 auth-port 1812 acct-port 1813
ap01(config-sg-radius)#exit

ap01(config)#aaa authentication login eap_methods group rad_eap
ap01(config)#end

ap01(config)#radius-server host 192.168.0.10 auth-port 1812 acct-port 1813 key ceci-est-mon-secret
ap01(config)#dot11 ssid virgin-mobile

Remove the previous config:

ap01(config-ssid)#no wpa-psk
ap01(config-ssid)#no authentication key-management
ap01(config-ssid)#no authentication open

Then add the new stuff:

ap01(config-ssid)#authentication open eap eap_methods
ap01(config-ssid)#authentication network-eap eap_methods

Add WPA (my own addition):

ap01(config-ssid)#authentication key-management wpa

But without a shared key… odd, to my mind…

ap01(config-ssid)#end

Accounting: :!: couldn't find how to enable RADIUS accounting!!!

A request to the radius (not up yet)?

17:43:28.088527 IP 192.168.0.11.datametrics > mds.thierry-jaouen.local.radius: RADIUS, Access Request (1), id: 0x02 length: 216

Yes!

Getting closer:

*** Received from 192.168.0.11 port 1645 ....
Code:       Access-Request
Identifier: 6
Authentic:  xxxxxxx
Attributes:
      User-Name = "1208012000584533@wlan.mnc001.mcc208.3gppnetwork.org"
      Framed-MTU = 1400
      Called-Station-Id = "001e.4ac0.4bf0"
      Calling-Station-Id = "0018.8d06.8092"
      Service-Type = Login-User
      Message-Authenticator = xxxxxxxxx
      EAP-Message = <2><2><0>8<1>1208012000584533@wlan.mnc001.mcc208.3gppnetwork.org
      NAS-Port-Type = Wireless-IEEE-802-11
      NAS-Port = 279
      NAS-Port-Id = "279"
      NAS-IP-Address = 192.168.0.11

:!: LEAP does not work.

- LEAP is rotten (see Google)

  1. LEAP does not work on Windows XP Home… too bad.

So we abandon this pseudo-simplicity.
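The Radiator trace above shows what the AP puts into an Access-Request. As an added example (my code, not the page's and not Radiator's), here is a small parser for that trace format that vets each request against an inventory of known APs: the NAS-IP-Address must be a known AP and must match the packet source, the Called-Station-Id must be one of that AP's BSSIDs (the two printed by "show dot11 bssid" above), and a request carrying EAP-Message must also carry Message-Authenticator, as RFC 3579 requires. The sample log is constructed: record 6 is the request above, record 7 is an invented request from a NAS that is not in the inventory.

```python
import re

# Inventory taken from this page: the AP's management IP and the two BSSIDs
# printed by "show dot11 bssid".
KNOWN_NAS = {"192.168.0.11": {"001e.4ac0.4bf0", "001e.4acd.e1b0"}}

# Constructed sample trace in Radiator's format. Record 6 is the request shown
# above; record 7 is an invented request from an AP that is not ours.
SAMPLE_LOG = """\
*** Received from 192.168.0.11 port 1645 ....
Code:       Access-Request
Identifier: 6
Authentic:  xxxxxxx
Attributes:
      User-Name = "1208012000584533@wlan.mnc001.mcc208.3gppnetwork.org"
      Framed-MTU = 1400
      Called-Station-Id = "001e.4ac0.4bf0"
      Calling-Station-Id = "0018.8d06.8092"
      Message-Authenticator = xxxxxxxxx
      EAP-Message = <2><2><0>8<1>1208012000584533@wlan.mnc001.mcc208.3gppnetwork.org
      NAS-Port-Type = Wireless-IEEE-802-11
      NAS-IP-Address = 192.168.0.11

*** Received from 192.168.0.99 port 1645 ....
Code:       Access-Request
Identifier: 7
Authentic:  xxxxxxx
Attributes:
      User-Name = "someone"
      Called-Station-Id = "0011.2233.4455"
      Calling-Station-Id = "0018.8d06.8092"
      EAP-Message = <2><2><0>8<1>someone
      NAS-Port-Type = Wireless-IEEE-802-11
      NAS-IP-Address = 192.168.0.99
"""


def parse_requests(log):
    """Turn the trace into a list of {src, port, code, identifier, attrs}."""
    requests = []
    for chunk in re.split(r"^\*\*\* Received from ", log, flags=re.M)[1:]:
        lines = chunk.splitlines()
        head = re.match(r"(\S+) port (\d+)", lines[0])
        req = {"src": head.group(1), "port": int(head.group(2)), "attrs": {}}
        for line in lines[1:]:
            h = re.match(r"(Code|Identifier):\s+(\S+)", line)
            if h:
                req[h.group(1).lower()] = h.group(2)
                continue
            a = re.match(r"\s+([\w-]+) = (.*)$", line)  # indented "Name = value"
            if a:
                req["attrs"][a.group(1)] = a.group(2).strip().strip('"')
        requests.append(req)
    return requests


def vet(req, known=KNOWN_NAS):
    """Return the reasons this request does not look like it came from one of our APs."""
    issues, attrs = [], req["attrs"]
    nas_ip = attrs.get("NAS-IP-Address")
    if nas_ip != req["src"]:
        issues.append(f"NAS-IP-Address {nas_ip} differs from packet source {req['src']}")
    if nas_ip not in known:
        issues.append(f"unknown NAS {nas_ip}")
    elif attrs.get("Called-Station-Id") not in known[nas_ip]:
        issues.append(f"Called-Station-Id {attrs.get('Called-Station-Id')} is not a BSSID of {nas_ip}")
    if "EAP-Message" in attrs and "Message-Authenticator" not in attrs:
        issues.append("EAP-Message without Message-Authenticator (required by RFC 3579)")
    return issues


def vet_log(log, known=KNOWN_NAS):
    """Map each request identifier to its list of issues (empty = looks fine)."""
    return {int(r["identifier"]): vet(r, known) for r in parse_requests(log)}


if __name__ == "__main__":
    for ident, issues in vet_log(SAMPLE_LOG).items():
        print(ident, issues or "ok")
```

The shared secret already stops an unknown NAS from getting an Access-Accept; what this adds is visibility, so that requests from an address or BSSID that is not yours show up in the log review instead of being silently rejected.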

wpa2

LEAP

I can't get it to work.

PEAP

Link: http://web.archive.org/web/20031206113912/http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

A very complicated way of making a network super secure…

In any case, with "Windoz XP Home", it's a real pain.

General principles

It looks an awful lot like a "vpn"…

A "root" certificate has to be created; it signs everything else.

Then a "server" certificate is created: for us, that is the "ssid" of the Wi-Fi network.

Then the certificates for the clients are created.

Configuration

openssl.cnf

Edit /etc/ssl/openssl.cnf (keep a copy of the original, you never know) and customise what needs customising… Roughly:

...
# 10 years of validity is better than one year
default_days    = 3650                  # how long to certify for
...
[ req_distinguished_name ]
...
countryName_default             = FR
...
localityName_default            = Paris
...
0.organizationName_default      = TJ Corp.
...
organizationalUnitName_default  = AP lab
...
commonName_default              = TJ-Root-CA
...
emailAddress_default            = postmaster@thierry-jaouen.fr
...

Everything else is fine with the defaults.

Scripts

There are plenty of ways to go about it, but we'll use scripts lifted from the net.

A script close to the following ships with "Radiator", under the name "mkcertificate.sh".

CA.root
#!/bin/sh
#SSL=/usr/local/openssl-certgen
#export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
#export LD_LIBRARY_PATH=${SSL}/lib
export PATH=/usr/bin/:/usr/lib/ssl/misc:${PATH}
export LD_LIBRARY_PATH=/usr/lib/ssl
# needed if you need to start from scratch otherwise the CA.pl -newca command doesn't copy the new
# private key into the CA directories
rm -rf demoCA
echo "*********************************************************************************"
echo "Creating self-signed private key and certificate"
echo "When prompted override the default value for the Common Name field"
echo "*********************************************************************************"
echo
# Generate a new self-signed certificate.
# After invocation, newreq.pem will contain a private key and certificate
# newreq.pem will be used in the next step
openssl req -new -x509 -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever
echo "*********************************************************************************"
echo "Creating a new CA hierarchy (used later by the \"ca\" command) with the certificate"
echo "and private key created in the last step"
echo "*********************************************************************************"
echo
echo "newreq.pem" | CA.pl -newca >/dev/null
echo "*********************************************************************************"
echo "Creating ROOT CA"
echo "*********************************************************************************"
echo
# Create a PKCS#12 file, using the previously created CA certificate/key
# The certificate in demoCA/cacert.pem is the same as in newreq.pem. Instead of
# using "-in demoCA/cacert.pem" we could have used "-in newreq.pem" and then omitted
# the "-inkey newreq.pem" because newreq.pem contains both the private key and certificate
openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin pass:whatever -passout pass:whatever
# parse the PKCS#12 file just created and produce a PEM format certificate and key in root.pem
openssl pkcs12 -in root.p12 -out root.pem -passin pass:whatever -passout pass:whatever
# Convert root certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in root.pem -out root.der
#Clean Up
rm -rf newreq.pem

# TJ ------
echo "01" > demoCA/serial
# ---------

Compared to the original, I changed the lines at the beginning and at the end (because the "serial" file does not get created).

:!: the default passphrase is "whatever" ⇒ we could change it, couldn't we?

CA.svr
#!/bin/sh
#SSL=/usr/local/openssl-certgen
#export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
#export LD_LIBRARY_PATH=${SSL}/lib
export PATH=/usr/bin/:/usr/lib/ssl/misc:${PATH}
export LD_LIBRARY_PATH=/usr/lib/ssl
echo "*********************************************************************************"
echo "Creating server private key and certificate"
echo "When prompted enter the server name in the Common Name field."
echo "*********************************************************************************"
echo
# Request a new PKCS#10 certificate.
# First, newreq.pem will be overwritten with the new certificate request
openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever
# Sign the certificate request. The policy is defined in the openssl.cnf file.
# The request generated in the previous step is specified with the -infiles option and
# the output is in newcert.pem
# The -extensions option is necessary to add the OID for the extended key for server authentication
openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem
# Create a PKCS#12 file from the new certificate and its private key found in newreq.pem
# and place in file specified on the command line
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out $1.p12 -clcerts -passin pass:whatever -passout pass:whatever
# parse the PKCS#12 file just created and produce a PEM format certificate and key in $1.pem
openssl pkcs12 -in $1.p12 -out $1.pem -passin pass:whatever -passout pass:whatever
# Convert certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in $1.pem -out $1.der
# Clean Up
rm -rf newcert.pem newreq.pem

Same remark as for "CA.root".

CA.clt
#!/bin/sh
#SSL=/usr/local/openssl-certgen
#export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
#export LD_LIBRARY_PATH=${SSL}/lib
export PATH=/usr/bin/:/usr/lib/ssl/misc:${PATH}
export LD_LIBRARY_PATH=/usr/lib/ssl
echo "*********************************************************************************"
echo "Creating client private key and certificate"
echo "When prompted enter the client name in the Common Name field. This is the same"
echo " used as the Username in FreeRADIUS"
echo "*********************************************************************************"
echo
# Request a new PKCS#10 certificate.
# First, newreq.pem will be overwritten with the new certificate request
openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever
# Sign the certificate request. The policy is defined in the openssl.cnf file.
# The request generated in the previous step is specified with the -infiles option and
# the output is in newcert.pem
# The -extensions option is necessary to add the OID for the extended key for client authentication
openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpclient_ext -extfile xpextensions -infiles newreq.pem
# Create a PKCS#12 file from the new certificate and its private key found in newreq.pem
# and place in file specified on the command line
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out $1.p12 -clcerts -passin pass:whatever -passout pass:whatever
# parse the PKCS#12 file just created and produce a PEM format certificate and key in $1.pem
openssl pkcs12 -in $1.p12 -out $1.pem -passin pass:whatever -passout pass:whatever
# Convert certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in $1.pem -out $1.der
# clean up
rm -rf newcert.pem newreq.pem

Same remark as for "CA.root".

executable

Make the scripts executable:

# chmod a+x CA.*

xpextensions

One more file, named "xpextensions", whose content must be:

[ xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

In the end

# ls -lrt
-rwxr-xr-x 1 root root 1769 2009-05-11 14:25 CA.svr
-rwxr-xr-x 1 root root 1826 2009-05-11 14:26 CA.clt
-rw-r--r-- 1 root root  111 2009-05-11 14:26 xpextensions
-rwxr-xr-x 1 root root 2350 2009-05-11 14:45 CA.root

In practice

Directory

Choose a working directory, for example:

# mkdir /etc/ssl/radius
# cd /etc/ssl/radius

Copy the files seen above into it, that is:

CA.root
CA.svr
CA.clt
xpextensions

Root

:!: only do this the 1st time!

Generate the authority certificate:

# ./CA.root

Check the "Common Name", for example: TJ-RADIUS-CA .

This creates various files (and directories).

Server

Generate the "server" certificate.

# ./CA.svr virgin-mobile

The "Common Name" must be: virgin-mobile

(I believe there is a check that the "Common Name" matches the ssid.)

Client

Generate a client's certificate (or one for a "pool" of clients?).

# ./CA.clt tjaouen

:!: the "Common Name" has no importance afterwards, in particular for authentication.
The final "username"/password that Windoz asks for is independent of the "Common Name".

In the end

root.pem
root.der
<servername>.pem
<clientusername>.p12

We ignore the rest? ok….

Radius

An excerpt of the radius configuration:

AutoMPPEKeys    yes

EAPType PEAP,MSCHAP-V2

#EAPType PEAP,MSCHAP-V2, TTLS
#EAPType PEAP

EAPTLS_CAFile %D/ssl2/root.pem
EAPTLS_CertificateFile %D/ssl2/virgin-mobile.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/ssl2/virgin-mobile.pem

EAPTLS_PrivateKeyPassword whatever

EAPTLS_MaxFragmentSize 1000

In this case the files were put in the "…/ssl2/" subdirectory, but that hardly matters?

:!:

  1. the passphrase is in clear text…
  2. the public and private keys are in the same file (virgin-mobile.pem)
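Point 2 can be fixed without regenerating anything: split the combined PEM into a certificate file and a key file created with mode 0600, then point EAPTLS_CertificateFile at the one and EAPTLS_PrivateKeyFile at the other (they are separate options, so they can name separate files). The added example below is my code, not the page's and not Radiator's. COMBINED_PEM is a constructed placeholder with the layout "openssl pkcs12 ... -out x.pem" produces (Bag Attributes, private key, Bag Attributes, certificate); its base64 bodies are dummies, not key material, and the subject names are simply this page's.

```python
import os
import stat

# Constructed placeholder standing in for virgin-mobile.pem as written by CA.svr.
# The base64 bodies are dummies, not key material.
COMBINED_PEM = """\
Bag Attributes
    localKeyID: 01 02 03 04
-----BEGIN ENCRYPTED PRIVATE KEY-----
UExBQ0VIT0xERVIgS0VZIEJPRFkgTElORSAx
UExBQ0VIT0xERVIgS0VZIEJPRFkgTElORSAy
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 02 03 04
subject=/C=FR/O=TJ Corp./CN=virgin-mobile
issuer=/C=FR/O=TJ Corp./CN=TJ-RADIUS-CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgQ0VSVCBCT0RZ
-----END CERTIFICATE-----
"""


def split_pem(text):
    """Collect the PEM blocks in text into {"key": [...], "cert": [...]}.

    Everything outside BEGIN/END lines (Bag Attributes, subject=...) is dropped."""
    found = {"key": [], "cert": []}
    current = kind = None
    for line in text.splitlines():
        if line.startswith("-----BEGIN "):
            label = line[len("-----BEGIN "):].rstrip("-")
            if label == "CERTIFICATE":
                kind = "cert"
            elif label.endswith("PRIVATE KEY"):   # "PRIVATE KEY", "RSA PRIVATE KEY", ...
                kind = "key"
            else:
                kind = None                        # CRL, parameters, ...: ignored
            current = [line] if kind else None
        elif current is not None:
            current.append(line)
            if line.startswith("-----END "):
                found[kind].append("\n".join(current) + "\n")
                current = None
    return found


def write_split(text, key_path, cert_path):
    """Write the key with mode 0600 and the certificate(s) to a second file.

    Returns the key file's permission bits so the caller can verify them."""
    found = split_pem(text)
    if len(found["key"]) != 1 or not found["cert"]:
        raise ValueError("expected exactly one private key and at least one certificate")
    # Create the key file with mode 0600 from the start, so it is never
    # world-readable even for an instant.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(found["key"][0])
    os.chmod(key_path, 0o600)  # if the file already existed, tighten it
    with open(cert_path, "w") as f:
        f.write("".join(found["cert"]))
    return stat.S_IMODE(os.stat(key_path).st_mode)


if __name__ == "__main__":
    mode = write_split(COMBINED_PEM, "virgin-mobile.key", "virgin-mobile.crt")
    print(f"key written with mode {mode:o}")
```

Point 1 stays: Radiator needs the passphrase in its config, so the key file permissions and the config file permissions have to be the same story, readable by the radius user only.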

Windows XP

Transfer the following files to the client:

root.der
<username>.p12

How? Doesn't matter.

Installing certificates

First "root.der"

Then <username>.p12

When setting up the "wifi" connection, it gets more complicated:

Network properties > Wi-Fi > "virgin-mobile" > Properties > Authentication

Protected EAP (PEAP)
[x] Authenticate as computer ....

PEAP properties …

[ ] Validate server certificate

Password (EAP-MSCHAP v2) > Configure

[ ] Automatically use my name ...

After doing all that, you will find you have to do it again every single time! At least on Windoz XP SP3 HOME.

On top of that, it has to be done at the right moment!!! ggrrrrrrrrrrr

Cisco Conf

...
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.0.10 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
!
aaa session-id common
...
!
dot11 ssid virgin-mobile
   vlan 1
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   mbssid guest-mode
!
...
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 encryption vlan 2 mode ciphers aes-ccm tkip
 !
 ssid virgin-mobile
 !
 ssid test2
 !
 mbssid
 station-role root access-point
 no dot11 extension aironet
!
...
!
ip default-gateway 192.168.0.254
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server host 192.168.0.10 auth-port 1812 acct-port 1813 key 7 15110E0F0D672E373C7E382D1D4A0506C
bridge 1 route ip
!
...

Tips

redirection

Redirecting an SSID

ap01#configure terminal
ap01(config)#dot11 ssid virgin-mobile
ap01(config-ssid)#ip redirection host 192.168.166.2

:!: but that is DNAT!!!! not routing!

grrrr

Test

brouillon_1130ag.txt · Last modified: 2010/02/18 22:35 by thierry