Ideally, you will have two hosts for redundancy. Remember, if you are requiring 802.1x of your clients and your authentication server goes down, no one can join the network.

In order to use EAP-TLS with FreeRADIUS, you will need to download and install OpenSSL from http://www.openssl.org/. Perform a standard install per the documentation with the distribution. You will need at least Version 0.9.7 for FreeRADIUS to work properly. Be sure to modify your openssl.conf to reflect your organization and contact information.

OpenSSL supplies the crypto libraries used by the RADIUS server. It also will serve as a Certificate Authority for your wireless network. You will need to create a self-signed certificate to act as the root certificate for your PKI. Then you will need to generate a certificate for the RADIUS server as well as certificates for supplicants. The easiest way to do this is running the script located at http://www.missl.cs.umd.edu/wireless/eaptls/doc/CA.all. This script will take care of all your initial certificate generation needs as well as serve as a template for future client certificates.

    The downside of running an EAP-TLS based infrastructure is the fact that you have to run your own certificate authority. For an organization of any size, this is not an issue to be undertaken lightly. There are many issues, technical and otherwise, involved in running a CA. These issues are well outside the scope of this book. If you would like more information on OpenSSL and running a CA, we recommend Network Security with OpenSSL by John Viega, et al (O'Reilly).

Once you have OpenSSL installed and configured, download and install the FreeRADIUS server from http://www.freeradius.org/. Before you compile the RADIUS server, you will need to modify /usr/src/modules/rlm_eap/types/rlm_eap_tls/Makefile with your OpenSSL location. Be sure TARGET = rlm_eap_tls is specified in the makefile. Compile and install the RADIUS server per the instructions in the README file. Once the installation is complete, you will need to modify /etc/raddb/radius.conf to enable EAP-TLS and specify the location of your certificates. Read through the file and edit where necessary. Also, when creating users in the RADIUS server, be sure they have an Auth-Type of EAP. At this point, you should be able to start the RADIUS server and have a fully functional 802.1x authentication server.

RADIUS is a complicated but robust protocol. It is a flexible platform for triple-A services. A complete discussion of the features and implementation of various RADIUS servers is outside the scope of this book. For an analysis of RADIUS as well as practical examples, we recommend RADIUS by Jonathan Hassell (O'Reilly).

14.3.3.2 Authenticator

At the time of this writing, the Open1x authenticator is still very beta. Download and install the authenticator per the instructions on the Open1x web site. The authenticator must be running on your wireless access point. The access point should be configured per the instructions provided in Chapter 9.

Once the authenticator is installed, it is started with the auth command. auth takes the following arguments:

-p or --serverip
    This is the IP address of the authentication server.

-s or --serverdevice
    This is the interface that traffic destined for the authentication server will traverse. This is typically the wired interface, such as eth0.

-t or --suppdevice
    This parameter specifies the interface that the authenticator will receive supplicant traffic on. This is typically the wireless interface, such as wlan0.

-o or --serverport
    This is the port the authentication server is listening on. For RADIUS, this would be 1812.

Be sure to launch the authenticator in the startup location of your choice.

14.3.3.3 Supplicant

Once you download the supplicant, compile and install it per the instructions included in the README file. Included in the supplicant distribution are startup scripts for various operating systems including FreeBSD and Linux. Make sure they are installed in the correct location to ensure the supplicant starts at boot time.

There are two major configuration activities. First, you must obtain an X.509 certificate for use with your authentication server. This is a requirement since the only EAP method the supplicant understands is EAP-TLS. The certificate must be in ASN.1 DER format and the private key must be in PEM format. You must obtain this certificate from a Certificate Authority trusted by your authentication server.

The configuration file for the supplicant is stored in /etc/1x/1x.conf by default. The file has the following structure:

    <essid>:id =
    <essid>:cert =
    <essid>:key =
    <essid>:root =
    <essid>:auth = EAP | none

The <essid> field is your ESSID. This group of parameters can be repeated for multiple ESSIDs so you can roam from one 802.1x-based network to another. The fields in the configuration file are as follows:

id
    This is the user ID specified in the certificate, which is typically your email address.

cert
    This is the absolute path to your certificate stored in DER format.

key
    This is the absolute path to your private key stored in PEM format.

root
    This is the absolute path to a PEM encoded file containing your trusted root certificates.

auth
    This can be set to either EAP or none. A setting of EAP means that the supplicant will attempt to authenticate to the specified network. A setting of none will cause the supplicant to treat the network as a non-802.1x network and not attempt EAP authentication.

Now that you have your supplicant configured, you can associate to your network and authenticate via 802.1x through your access point to your FreeRADIUS authentication server.

Chapter 15. Putting It All Together

Section 15.1. Pieces of a Coherent System
Section 15.2. User Knowledge
Section 15.3. Looking Ahead

15.1 Pieces of a Coherent System

Throughout the book, we have examined wireless security one step at a time, moving from clients all the way through to gateways
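The certificate generation described in the authentication server section above (a self-signed root, a certificate for the RADIUS server, and a supplicant certificate delivered as an ASN.1 DER certificate with a PEM private key), as an added example that is not part of the book and is not the CA.all script: it drives the openssl command-line tool from Python and then performs the checks a practitioner would make before copying the files to the server and the client. The organization name, common names, key size, lifetime and file names are assumptions for a throwaway demo PKI; it needs an openssl binary on the PATH and the distribution's default openssl.cnf.

```python
# Added example (not from the book, FreeRADIUS or CA.all): build a minimal EAP-TLS
# PKI with the openssl CLI and check the artefacts the supplicant and server need.
import os
import shutil
import subprocess
import tempfile


def openssl_available():
    """True when an openssl binary is on PATH (the demo cannot run without it)."""
    return shutil.which("openssl") is not None


def run(*args, cwd):
    """Run one openssl command in cwd, raising if it fails; its output is not needed."""
    subprocess.run(["openssl", *args], cwd=cwd, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def build_pki(workdir, days=365):
    """Create root CA, server and supplicant material in workdir; return file names.

    Subjects, key size and lifetime are demo assumptions, not a CA policy.
    """
    # 1. Self-signed root certificate: the trust anchor for the wireless PKI.
    run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", str(days),
        "-subj", "/O=Example Org/CN=Wireless Root CA",
        "-keyout", "root.key", "-out", "root.pem", cwd=workdir)
    # 2. One CSR per entity, signed by the root: the RADIUS server and one supplicant.
    for name, subj in (("server", "/O=Example Org/CN=radius.example.com"),
                       ("client", "/O=Example Org/CN=alice@example.com")):
        run("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", subj,
            "-keyout", f"{name}.key", "-out", f"{name}.csr", cwd=workdir)
        run("x509", "-req", "-days", str(days), "-in", f"{name}.csr",
            "-CA", "root.pem", "-CAkey", "root.key", "-CAcreateserial",
            "-out", f"{name}.pem", cwd=workdir)
    # 3. The supplicant wants its certificate as ASN.1 DER; the private key stays PEM.
    run("x509", "-in", "client.pem", "-outform", "DER", "-out", "client.der", cwd=workdir)
    return {"root": "root.pem", "server": "server.pem", "client": "client.pem",
            "client_der": "client.der", "client_key": "client.key"}


def chain_verifies(workdir, cert):
    """True when cert validates against root.pem (what the RADIUS server checks)."""
    r = subprocess.run(["openssl", "verify", "-CAfile", "root.pem", cert], cwd=workdir,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def run_demo(keep=False):
    """Build a throwaway PKI and return the checks a practitioner would make first."""
    workdir = tempfile.mkdtemp(prefix="eaptls-demo-")
    files = build_pki(workdir)
    with open(os.path.join(workdir, files["client_der"]), "rb") as f:
        der = f.read()
    with open(os.path.join(workdir, files["client_key"]), "rb") as f:
        key = f.read()
    result = {
        "server_verified": chain_verifies(workdir, files["server"]),
        "client_verified": chain_verifies(workdir, files["client"]),
        "client_der_is_asn1": der[:1] == b"\x30",            # DER SEQUENCE tag (cert= in 1x.conf)
        "client_key_is_pem": key.startswith(b"-----BEGIN"),  # PEM armour (key= in 1x.conf)
    }
    if keep:
        result["workdir"] = workdir  # leave the files for inspection
    else:
        shutil.rmtree(workdir)
    return result


def demo_ok():
    """True when every check in run_demo() passed."""
    return all(run_demo().values())


if __name__ == "__main__":
    if not openssl_available():
        raise SystemExit("openssl not found on PATH")
    print(run_demo(keep=True))
```

The two `chain_verifies` calls are the same test the authentication server applies during the TLS handshake, so a failure here means the supplicant would be rejected before any 802.1x port is opened; the DER and PEM checks catch the encoding mismatch the supplicant section warns about.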
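A checker for the supplicant's 1x.conf described in Section 14.3.3.3 above, as an added example that is not part of the book or the Open1x distribution. It parses the <essid>:field = value lines and then applies the rules the text gives: auth is EAP or none, an EAP network needs all four other fields as absolute paths, the certificate must be ASN.1 DER, and the key and root bundle must be PEM. The read_file callback and the in-memory sample files are constructed for the demo; on a real host pass a function that opens the path and returns its bytes.

```python
# Added example (not from the book or the Open1x project): validate an Open1x
# supplicant configuration before deploying it.
import re

# One line of 1x.conf is "<essid>:<field> = <value>"; the field names are the
# ones the text documents, the "<essid>" placeholder is an assumption.
LINE_RE = re.compile(r"^(?P<net>.+?):(?P<field>id|cert|key|root|auth)\s*=\s*(?P<val>.*)$")
REQUIRED_FOR_EAP = ("id", "cert", "key", "root")


def parse_1x_conf(text):
    """Return ({essid: {field: value}}, [parse errors]) for the text of 1x.conf."""
    networks, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: not of the form <essid>:<field> = <value>")
            continue
        networks.setdefault(m["net"].strip(), {})[m["field"]] = m["val"].strip()
    return networks, errors


def looks_like_der(data):
    """A DER-encoded X.509 certificate is an ASN.1 SEQUENCE, so its first byte is 0x30."""
    return len(data) > 2 and data[0] == 0x30


def looks_like_pem(data, label):
    """PEM is base64 text between -----BEGIN/END armour lines carrying the label."""
    return (data.startswith(b"-----BEGIN") and f"{label}-----".encode() in data
            and data.rstrip().endswith(b"-----"))


def check_1x_conf(text, read_file):
    """Return a list of problems (empty when the file is deployable).

    read_file(path) -> bytes lets the same check run against real files
    (lambda p: open(p, "rb").read()) or the constructed samples below.
    """
    networks, problems = parse_1x_conf(text)
    for essid, fields in networks.items():
        auth = fields.get("auth")
        if auth not in ("EAP", "none"):
            problems.append(f"{essid}: auth must be EAP or none, got {auth!r}")
            continue
        if auth == "none":
            continue  # treated as a non-802.1x network, nothing else is needed
        missing = [f for f in REQUIRED_FOR_EAP if f not in fields]
        if missing:
            problems.append(f"{essid}: auth=EAP but missing {', '.join(missing)}")
            continue
        for f in ("cert", "key", "root"):
            if not fields[f].startswith("/"):
                problems.append(f"{essid}: {f} must be an absolute path")
        try:
            cert, key, root = (read_file(fields[f]) for f in ("cert", "key", "root"))
        except OSError as exc:
            problems.append(f"{essid}: cannot read {exc}")
            continue
        if not looks_like_der(cert):
            problems.append(f"{essid}: cert {fields['cert']} is not an ASN.1 DER certificate")
        if not looks_like_pem(key, "PRIVATE KEY"):
            problems.append(f"{essid}: key {fields['key']} is not a PEM private key")
        if not looks_like_pem(root, "CERTIFICATE"):
            problems.append(f"{essid}: root {fields['root']} is not a PEM certificate bundle")
    return problems


# Constructed sample "files" (no real key material): bytes shaped like a DER
# certificate (SEQUENCE header plus filler), a PEM private key and a PEM root bundle.
SAMPLE_FILES = {
    "/etc/1x/alice.der": b"\x30\x82\x02\x9a\x30\x82\x01\x82\xa0\x03\x02\x01\x02" + b"\x00" * 16,
    "/etc/1x/alice.key": b"-----BEGIN RSA PRIVATE KEY-----\nAAAAAAAA\n-----END RSA PRIVATE KEY-----\n",
    "/etc/1x/root.pem": b"-----BEGIN CERTIFICATE-----\nAAAAAAAA\n-----END CERTIFICATE-----\n",
    "/etc/1x/alice.pem": b"-----BEGIN CERTIFICATE-----\nAAAAAAAA\n-----END CERTIFICATE-----\n",
}


def read_sample(path):
    """Stand-in for open(path, 'rb').read() over the constructed files."""
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]


GOOD_CONF = """
corpnet:id = alice@example.com
corpnet:cert = /etc/1x/alice.der
corpnet:key = /etc/1x/alice.key
corpnet:root = /etc/1x/root.pem
corpnet:auth = EAP
cafe:auth = none
"""

# Two common mistakes: the certificate left in PEM form, and an EAP network
# declared without its certificate fields.
BAD_CONF = """
corpnet:id = alice@example.com
corpnet:cert = /etc/1x/alice.pem
corpnet:key = /etc/1x/alice.key
corpnet:root = /etc/1x/root.pem
corpnet:auth = EAP
guest:id = bob@example.com
guest:auth = EAP
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name + ":", check_1x_conf(conf, read_sample) or "OK")
```

The DER test only looks at the leading SEQUENCE tag, which is enough to tell a DER certificate from a PEM file that was copied into the cert= slot by mistake; it is not a full X.509 parse, so a file that passes here can still be rejected by the supplicant for other reasons.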