brouillon_1130ag
Differences
Below are the differences between two revisions of the page.
Old revision: brouillon_1130ag [2009/05/11 15:56] – thierry | New revision: brouillon_1130ag [2010/02/18 18:32] – thierry
Ligne 3: | Ligne 3: | ||
Liens: | Liens: | ||
-http:// | -http:// | ||
+ | -http:// | ||
Trouvé dans une poubelle (enfin presque), un Cisco 1130AG... | Trouvé dans une poubelle (enfin presque), un Cisco 1130AG... | ||
Ligne 234: | Ligne 235: | ||
Desactive cette polution: | Desactive cette polution: | ||
ap01(config)# | ap01(config)# | ||
+ | |||
Ligne 281: | Ligne 283: | ||
AP(config)# end | AP(config)# end | ||
+ | === disabling http === | ||
+ | #no ip http server | ||
+ | et/ou: | ||
+ | #no ip http secure-server | ||
==== DHCP ==== | ==== DHCP ==== | ||
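Review bot: the bare `#` prompt on `#no ip http server` and `#no ip http secure-server` reads as privileged EXEC, but both are global configuration commands; write the prompt as `ap01(config)#`, as the hunk at "Ligne 234" does, so the reader enters them in the right mode. The "et/ou" also leaves the intended end state open: the Cisco Conf extract added further down this page keeps `no ip http server` together with `ip http secure-server` and `ip http authentication aaa`, i.e. only plain HTTP is switched off while the TLS web interface stays reachable, so say that explicitly here or the two places contradict each other.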
Ligne 885: | Ligne 891: | ||
Donc, on abandonne cette pseudo simplicité. | Donc, on abandonne cette pseudo simplicité. | ||
- | ==== certs ===== | ||
- | # openssl pkcs12 -export -in demoCA/ | ||
- | Enter pass phrase for demoCA/ | ||
- | Je bloque !!!!!!! | ||
- | http:// | ||
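Review bot: removing the stuck `==== certs =====` section is fine, since the CA.root script added further down performs the same `openssl pkcs12 -export -in demoCA/...` step with `-passin pass:` instead of the interactive prompt where the old attempt blocked; a one-line pointer from here to that script would help readers who remember the old section. The removed heading also had unbalanced markers (`====` on the left, `=====` on the right), so check that the new `=== scriptes` heading below is balanced.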
Ligne 898: | Ligne 899: | ||
===== LEAP ===== | ===== LEAP ===== | ||
Je n'y arrive pas. | Je n'y arrive pas. | ||
+ | |||
+ | |||
===== PEAP ===== | ===== PEAP ===== | ||
+ | Lien: http:// | ||
+ | |||
Une manière trés compliqué de rendre un reseau super securisé... | Une manière trés compliqué de rendre un reseau super securisé... | ||
Ligne 911: | Ligne 916: | ||
On créé ensuite les certificat pour les clients. | On créé ensuite les certificat pour les clients. | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
Ligne 937: | Ligne 947: | ||
Tout le reste va bien par defaut. | Tout le reste va bien par defaut. | ||
- | ==== scriptes ==== | + | |
+ | === scriptes | ||
+ | Il y a plein de methodes pour procéder, mais on va s' | ||
+ | |||
+ | On retrouve un script proche de ce qui suit dans " | ||
+ | |||
+ | == CA.root == | ||
+ | |||
+ | #!/bin/sh | ||
+ | # | ||
+ | #export PATH=${SSL}/ | ||
+ | #export LD_LIBRARY_PATH=${SSL}/ | ||
+ | export PATH=/ | ||
+ | export LD_LIBRARY_PATH=/ | ||
+ | # needed if you need to start from scratch otherwise the CA.pl -newca command doesn' | ||
+ | # private key into the CA directories | ||
+ | rm -rf demoCA | ||
+ | echo " | ||
+ | echo " | ||
+ | echo "When prompted override the default value for the Common Name field" | ||
+ | echo " | ||
+ | echo | ||
+ | # Generate a new self-signed certificate. | ||
+ | # After invocation, newreq.pem will contain a private key and certificate | ||
+ | # newreq.pem will be used in the next step | ||
+ | openssl req -new -x509 -keyout newreq.pem -out newreq.pem -passin pass: | ||
+ | echo " | ||
+ | echo " | ||
+ | echo "and private key created in the last step" | ||
+ | echo " | ||
+ | echo | ||
+ | echo " | ||
+ | echo " | ||
+ | echo " | ||
+ | echo " | ||
+ | echo | ||
+ | # Create a PKCS#12 file, using the previously created CA certificate/ | ||
+ | # The certificate in demoCA/ | ||
+ | # using "-in demoCA/ | ||
+ | # the " | ||
+ | openssl pkcs12 -export -in demoCA/ | ||
+ | # parse the PKCS#12 file just created and produce a PEM format certificate and key in root.pem | ||
+ | openssl pkcs12 -in root.p12 -out root.pem -passin pass: | ||
+ | # Convert root certificate from PEM format to DER format | ||
+ | openssl x509 -inform PEM -outform DER -in root.pem -out root.der | ||
+ | #Clean Up | ||
+ | rm -rf newreq.pem | ||
+ | |||
+ | # TJ ------ | ||
+ | echo " | ||
+ | # --------- | ||
+ | |||
+ | Par rapport a l' | ||
+ | |||
+ | | :!: la pass phrase par defaut est " | ||
+ | |||
+ | |||
+ | == CA.svr == | ||
+ | #!/bin/sh | ||
+ | # | ||
+ | #export PATH=${SSL}/ | ||
+ | #export LD_LIBRARY_PATH=${SSL}/ | ||
+ | export PATH=/ | ||
+ | export LD_LIBRARY_PATH=/ | ||
+ | echo " | ||
+ | echo " | ||
+ | echo "When prompted enter the server name in the Common Name field." | ||
+ | echo " | ||
+ | echo | ||
+ | # Request a new PKCS#10 certificate. | ||
+ | # First, newreq.pem will be overwritten with the new certificate request | ||
+ | openssl req -new -keyout newreq.pem -out newreq.pem -passin pass: | ||
+ | # Sign the certificate request. The policy is defined in the openssl.cnf file. | ||
+ | # The request generated in the previous step is specified with the -infiles option and | ||
+ | # the output is in newcert.pem | ||
+ | # The -extensions option is necessary to add the OID for the extended key for server authentication | ||
+ | openssl ca -policy policy_anything -out newcert.pem -passin pass: | ||
+ | # Create a PKCS#12 file from the new certificate and its private key found in newreq.pem | ||
+ | # and place in file specified on the command line | ||
+ | openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out $1.p12 -clcerts -passin pass: | ||
+ | # parse the PKCS#12 file just created and produce a PEM format certificate and key in certsrv.pem | ||
+ | openssl pkcs12 -in $1.p12 -out $1.pem -passin pass: | ||
+ | # Convert certificate from PEM format to DER format | ||
+ | openssl x509 -inform PEM -outform DER -in $1.pem -out $1.der | ||
+ | # Clean Up | ||
+ | rm -rf newert.pem newreq.pem | ||
+ | |||
+ | Même remarque que pour " | ||
+ | |||
+ | == CA.clt == | ||
+ | |||
+ | #!/bin/sh | ||
+ | # | ||
+ | #export PATH=${SSL}/ | ||
+ | #export LD_LIBRARY_PATH=${SSL}/ | ||
+ | export PATH=/ | ||
+ | export LD_LIBRARY_PATH=/ | ||
+ | echo " | ||
+ | echo " | ||
+ | echo "When prompted enter the client name in the Common Name field. This is the same" | ||
+ | echo " used as the Username in FreeRADIUS" | ||
+ | echo " | ||
+ | echo | ||
+ | # Request a new PKCS#10 certificate. | ||
+ | # First, newreq.pem will be overwritten with the new certificate request | ||
+ | openssl req -new -keyout newreq.pem -out newreq.pem -passin pass: | ||
+ | # Sign the certificate request. The policy is defined in the openssl.cnf file. | ||
+ | # The request generated in the previous step is specified with the -infiles option and | ||
+ | # the output is in newcert.pem | ||
+ | # The -extensions option is necessary to add the OID for the extended key for client authentication | ||
+ | openssl ca -policy policy_anything -out newcert.pem -passin pass: | ||
+ | # Create a PKCS#12 file from the new certificate and its private key found in newreq.pem | ||
+ | # and place in file specified on the command line | ||
+ | openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out $1.p12 -clcerts -passin pass: | ||
+ | # parse the PKCS#12 file just created and produce a PEM format certificate and key in certclt.pem | ||
+ | openssl pkcs12 -in $1.p12 -out $1.pem -passin pass: | ||
+ | # Convert certificate from PEM format to DER format | ||
+ | openssl x509 -inform PEM -outform DER -in $1.pem -out $1.der | ||
+ | # clean up | ||
+ | rm -rf newcert newreq.pem | ||
+ | |||
+ | Même remarque que pour " | ||
+ | |||
+ | == executable == | ||
+ | |||
+ | rendre les scripts executable: | ||
+ | # chmod a+x CA.* | ||
+ | |||
+ | |||
+ | == xpextensions == | ||
+ | |||
+ | Encore un fichier nommé " | ||
+ | |||
+ | [ xpclient_ext] | ||
+ | extendedKeyUsage = 1.3.6.1.5.5.7.3.2 | ||
+ | |||
+ | [ xpserver_ext ] | ||
+ | extendedKeyUsage = 1.3.6.1.5.5.7.3.1 | ||
+ | |||
+ | == Au final == | ||
+ | # ls -lrt | ||
+ | -rwxr-xr-x 1 root root 1769 2009-05-11 14:25 CA.svr | ||
+ | -rwxr-xr-x 1 root root 1826 2009-05-11 14:26 CA.clt | ||
+ | -rw-r--r-- 1 root root 111 2009-05-11 14:26 xpextensions | ||
+ | -rwxr-xr-x 1 root root 2350 2009-05-11 14:45 CA.root | ||
+ | |||
+ | |||
+ | ==== En pratique ==== | ||
+ | === repertoire === | ||
+ | Choisir un répertoire de travail, par exemple: | ||
+ | # mkdir / | ||
+ | # cd / | ||
+ | Y copier les fichiers vu ci-dessus, c'est a dire: | ||
+ | CA.root | ||
+ | CA.svr | ||
+ | CA.clt | ||
+ | xpextensions | ||
+ | |||
+ | === Root === | ||
+ | |||
+ | | :!: a ne faire que la 1er fois ! | | ||
+ | |||
+ | Générer le certificat d' | ||
+ | # ./CA.root | ||
+ | Verifier le " | ||
+ | |||
+ | Cela créé divers fichiers (et répertoires). | ||
+ | |||
+ | === Serveur === | ||
+ | |||
+ | Générer le certificat du " | ||
+ | # ./CA.svr virgin-mobile | ||
+ | Le " | ||
+ | |||
+ | (Je crois qu'il y a une vérification de correspondance du " | ||
+ | |||
+ | === Client === | ||
+ | |||
+ | Générer le certificat d'un client. (ou d'un " | ||
+ | # ./CA.clt tjaouen | ||
+ | |||
+ | :!: le " | ||
+ | Le " | ||
+ | |||
+ | === au final === | ||
+ | |||
+ | root.pem | ||
+ | root.der | ||
+ | < | ||
+ | < | ||
+ | |||
+ | On ignore le reste? ok.... | ||
+ | |||
+ | |||
+ | |||
+ | ==== Radius ==== | ||
+ | |||
+ | Un extrait de la configuration de radius: | ||
+ | AutoMPPEKeys | ||
+ | |||
+ | EAPType PEAP, | ||
+ | |||
+ | #EAPType PEAP, | ||
+ | #EAPType PEAP | ||
+ | |||
+ | EAPTLS_CAFile %D/ | ||
+ | EAPTLS_CertificateFile %D/ | ||
+ | EAPTLS_CertificateType PEM | ||
+ | EAPTLS_PrivateKeyFile %D/ | ||
+ | |||
+ | EAPTLS_PrivateKeyPassword whatever | ||
+ | |||
+ | EAPTLS_MaxFragmentSize 1000 | ||
+ | |||
+ | Dans ce cas, les fichiers ont été déposé dans le sous répertoire " | ||
+ | |||
+ | :!: | ||
+ | -la pass-phrase est en clair... | ||
+ | -la clé publique et privé sont dans le même fichier (virgin-mobile.pem) | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ==== Windows XP ==== | ||
+ | Transferer les fichiers suivant sur le client: | ||
+ | root.der | ||
+ | < | ||
+ | |||
+ | Comment ? on s'en fout. | ||
+ | |||
+ | === installer certificats === | ||
+ | D' | ||
+ | |||
+ | Puis < | ||
+ | |||
+ | Au moment du montage " | ||
+ | |||
+ | Propriété reseau > Wifi > " | ||
+ | EAP protégé (PEAP) | ||
+ | |||
+ | [x] Authentifier en tant qu' | ||
+ | |||
+ | Propriété PEAP ... | ||
+ | [ ] Valider le certificat du serveur | ||
+ | |||
+ | Mot de passe (EAP-MSCHAP v2) > Configurer | ||
+ | [ ] Utiliser automatiquement mon nom ... | ||
+ | |||
+ | Aprés avoir fait tout cela, vous vous rendrez compte qu'il faudra recommencer a chaque fois ! dumoins sous Windoz XP SP3 HOME. | ||
+ | |||
+ | En plus, il faut faire ça au bon moment !!! ggrrrrrrrrrrr | ||
+ | |||
+ | |||
+ | ==== Cisco Conf ==== | ||
+ | ... | ||
+ | ! | ||
+ | aaa new-model | ||
+ | ! | ||
+ | ! | ||
+ | aaa group server radius rad_eap | ||
+ | | ||
+ | ! | ||
+ | aaa authentication login default local | ||
+ | aaa authentication login eap_methods group rad_eap | ||
+ | aaa authorization exec default local | ||
+ | ! | ||
+ | aaa session-id common | ||
+ | ... | ||
+ | ! | ||
+ | dot11 ssid virgin-mobile | ||
+ | vlan 1 | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | ! | ||
+ | ... | ||
+ | interface Dot11Radio0 | ||
+ | no ip address | ||
+ | no ip route-cache | ||
+ | ! | ||
+ | | ||
+ | ! | ||
+ | | ||
+ | ! | ||
+ | ssid virgin-mobile | ||
+ | ! | ||
+ | ssid test2 | ||
+ | ! | ||
+ | | ||
+ | | ||
+ | no dot11 extension aironet | ||
+ | ! | ||
+ | ... | ||
+ | ! | ||
+ | ip default-gateway 192.168.0.254 | ||
+ | no ip http server | ||
+ | ip http authentication aaa | ||
+ | ip http secure-server | ||
+ | ip http help-path http:// | ||
+ | radius-server host 192.168.0.10 auth-port 1812 acct-port 1813 key 7 15110E0F0D672E373C7E382D1D4A0506C | ||
+ | bridge 1 route ip | ||
+ | ! | ||
+ | ... | ||
+ | |||
+ | ===== Tips ===== | ||
+ | |||
+ | ==== redirection ==== | ||
+ | Redirection d'un SSID | ||
+ | ap01# | ||
+ | ap01(config)# | ||
+ | ap01(config-ssid)# | ||
+ | |||
+ | | :!: mais c'est du DNAT !!!! pas du routing ! | | ||
+ | grrrr | ||
+ | |||
+ | ====== Test ====== | ||
+ | Liens: | ||
+ | *http:// | ||
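Review bot: in the Windows XP section, `[ ] Valider le certificat du serveur` is left unchecked, which disables server certificate validation for PEAP; that makes transferring and installing `root.der` on the client pointless, because the client will then accept any server certificate and the EAP-MSCHAP v2 exchange is tunnelled to an unverified peer. Tick the box, select the imported root CA, and ideally fill in the server name so it matches the Common Name given to `./CA.svr virgin-mobile`; the whole PEAP setup on this page depends on that check.

Other points, in page order. CA.root runs `rm -rf demoCA` unconditionally; the "a ne faire que la 1er fois" warning in the Root section should be enforced in the script (refuse to run if `demoCA` already exists) rather than left to the reader, since a second run silently destroys the CA that signed every server and client certificate. The clean-up lines in CA.svr (`rm -rf newert.pem newreq.pem`) and CA.clt (`rm -rf newcert newreq.pem`) misspell `newcert.pem`, so the signed certificate is left behind each time; `rm -f newcert.pem newreq.pem` is what was meant, and `-rf` is not needed for plain files. In the Radius extract, the two :!: remarks (pass phrase in clear, private key and certificate together in `virgin-mobile.pem`) should be followed by the mitigation: restrict the sub-directory and the `.pem` to the radius user (mode 600) and keep the real pass phrase out of the wiki. In the Cisco Conf extract, `radius-server host 192.168.0.10 ... key 7 15110E0F0D672E373C7E382D1D4A0506C` publishes the RADIUS shared secret; `key 7` is a reversible encoding, not encryption, so treat that secret as disclosed, change it on both the AP and the radius server, and put a placeholder on the page. Finally, the `xpextensions` OIDs are correct (1.3.6.1.5.5.7.3.2 is clientAuth, 1.3.6.1.5.5.7.3.1 is serverAuth); the named forms `extendedKeyUsage = clientAuth` / `serverAuth` are easier to review, and `[ xpclient_ext]` should be spaced like `[ xpserver_ext ]`.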
brouillon_1130ag.txt · Last modified: 2010/02/18 22:35 by thierry