802.1X authentication is set up using FreeRADIUS 2.
Cisco devices (a router and L2 switches) serve as the authenticator.
The supplicant is the one built into Windows XP.
The RADIUS server runs on CentOS 6.3; the version at the time of writing is 2.1.12.
[root@radius]# radiusd -v
radiusd: FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct 3 2012 at 01:22:51
Copyright (C) 1999-2011 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
[root@radius]#
Connection tests are run with the following authentication methods.
The Cisco devices used are as follows.
Windows XP ships with a supplicant that supports EAP-MD5, EAP-PEAP and EAP-TLS, but once SP3 is applied the "Authentication" tab no longer appears in the Local Area Connection properties. In that case, start the service with the following steps.
aaa new-model
aaa group server radius ForDot1X
 server-private 192.168.10.193 auth-port 1812 acct-port 1813 timeout 1 retransmit 1 key SECRET
aaa authentication dot1x default group ForDot1X
dot1x system-auth-control
802.1X authentication does not work unless the switch port is configured as an access port.
The configuration differs slightly between Catalyst models, and may differ again between IOS versions.
interface FastEthernet2
 switchport access vlan 10
 no ip address
 dot1x pae authenticator
 dot1x port-control auto
 spanning-tree portfast
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 authentication order dot1x
 authentication priority dot1x
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
MAC address authentication here is MAC Authentication Bypass (MAB); it is not 802.1X authentication.
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 authentication order mab
 authentication priority mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
[centos@radius]# vi /etc/raddb/sites-available
authorize {
	files
	unix
	eap {
		ok = return
	}
}
authenticate {
	files
	unix
	eap
}
post-auth {
	exec
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
Enter the user name and password in the user definition file.
If Auth-Type is System, the Linux UID/password can be used, but for EAP the Auth-Type has to be EAP, so it appears the Linux UID/password cannot be used.
[centos@radius]# vi /etc/raddb/users
------------8<-----------------
eapuser	Auth-Type := EAP, Cleartext-Password := "eappass"
------------8<-----------------
PEAP uses a server certificate and authenticates the user by UID/password.
Nothing in particular needs to change for PEAP either. However, the certificates generated by a default FreeRADIUS installation have expired, so if you intended to use them you must instead generate your own server certificate for the RADIUS server.
cd ~/ca
mkdir RadiusSV
cd ~/ca/RadiusSV
mkdir private
openssl req -config ../configs/openssl_req.cnf -new -newkey rsa:2048 \
  -keyout private/RadiusSV_key.pem -out RadiusSV_csr.pem
# rewrite the key without a passphrase so radiusd can load it unattended
openssl rsa -in private/RadiusSV_key.pem -out private/RadiusSV_key.pem
cd ~/ca/RootCA
openssl ca -config ../configs/openssl_sign.cnf -keyfile private/RootCA_key.pem -batch -days 30 \
  -cert RootCA_crt.pem -extensions v3_server \
  -in ../RadiusSV/RadiusSV_csr.pem -out ../RadiusSV/RadiusSV_crt.pem
cd ~/ca/RadiusSV
# "openssl ca" prepends a text dump to the certificate; rewrite it as bare PEM
openssl x509 -in RadiusSV_crt.pem -out RadiusSV_crt.pem
cd ~/ca
mkdir ClientDV01
cd ~/ca/ClientDV01
mkdir private
openssl req -config ../configs/openssl_req.cnf -new -newkey rsa:2048 \
  -keyout private/ClientDV01_key.pem -out ClientDV01_csr.pem
openssl rsa -in private/ClientDV01_key.pem -out private/ClientDV01_key.pem
cd ~/ca/InterCA
openssl ca -config ../configs/openssl_sign.cnf -keyfile private/InterCA_key.pem -batch -days 30 \
  -cert InterCA_crt.pem -extensions v3_client \
  -in ../ClientDV01/ClientDV01_csr.pem -out ../ClientDV01/ClientDV01_crt.pem
cd ~/ca/ClientDV01
# bundle key, certificate and CA chain into a PKCS#12 file for the Windows supplicant
openssl pkcs12 -export -inkey private/ClientDV01_key.pem -in ClientDV01_crt.pem \
  -certfile ../chainCA_crt.pem -out ClientDV01_crt.p12
→ at the export password prompt here, just press Enter (leave it empty)
cd ~/ca
mkdir ClientDV02
cd ~/ca/ClientDV02
mkdir private
openssl req -config ../configs/openssl_req.cnf -new -newkey rsa:2048 \
  -keyout private/ClientDV02_key.pem -out ClientDV02_csr.pem
cd ~/ca/InterCA
openssl ca -config ../configs/openssl_sign.cnf -keyfile private/InterCA_key.pem -batch -days 30 \
  -cert InterCA_crt.pem -extensions v3_client \
  -in ../ClientDV02/ClientDV02_csr.pem -out ../ClientDV02/ClientDV02_crt.pem
cd ~/ca/ClientDV02
openssl pkcs12 -export -inkey private/ClientDV02_key.pem -in ClientDV02_crt.pem \
  -certfile ../RootCA/RootCA_crt.pem -out ClientDV02_crt.p12
vlan database
 vlan 192
 exit
!
aaa new-model
aaa session-id common
radius-server host 10.40.132.189 auth-port 1812 acct-port 1813 timeout 1 retransmit 1 key DNPDiiNS
aaa authentication dot1x default group radius
aaa authentication login default group radius local-case
aaa authentication enable default group radius enable
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius if-authenticated
dot1x system-auth-control
enable secret drGi60to
username nteam password drMatee2
!
interface vlan 192
 ip address 192.168.192.199 255.255.255.0
ip default-gateway 192.168.192.254
ip route 0.0.0.0 0.0.0.0 192.168.192.254
!
interface range fas 3 - 8
 shutdown
interface fas 2
 ## AuthPort : eap ###
 switchport mode access
 no ip address
 dot1x port-control auto
 spanning-tree portfast
interface fas 9
 switchport access vlan 192
 spanning-tree portfast
aaa new-model
aaa session-id common
aaa group server radius ForDot1X
 server-private 10.40.132.189 auth-port 1812 acct-port 1813 timeout 1 retransmit 1 key RADSECRET
aaa group server radius ForLogin
 server-private 10.40.132.189 auth-port 1812 acct-port 1813 timeout 1 retransmit 1 key RADSECRET
aaa authentication dot1x default group ForDot1X
aaa authentication login default group ForLogin local-case
aaa authentication enable default group ForLogin enable
aaa authorization exec default group ForLogin if-authenticated
aaa authorization network default group radius if-authenticated
dot1x system-auth-control
enable secret SECRET
username nteam password PASSWORD
vlan 192
 name soumu_seg
interface vlan 192
 ip address 192.168.192.199 255.255.255.0
ip default-gateway 192.168.192.254
!
interface range giga 0/5 - 47
 shutdown
interface range giga 0/1 - 2
 ## AuthPort : mac address bypass ##
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x timeout tx-period 3
 spanning-tree portfast
interface range giga 0/3 - 4
 ## AuthPort : eap ###
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x timeout tx-period 3
 spanning-tree portfast
interface range giga 0/48
 switchport access vlan 192
 spanning-tree portfast
# vi users
$INCLUDE /etc/raddb/userlist/users.eap
$INCLUDE /etc/raddb/userlist/users.login
$INCLUDE /etc/raddb/userlist/users.mab01
$INCLUDE /etc/raddb/userlist/users.mab02
# vi userlist/users.eap
eapuser	Auth-Type == EAP, Cleartext-Password := "eappass"
# vi userlist/users.login
####################################################
## priv-lvl=15 : Not Applied for Console login.
## echo -n PASSWORD | openssl md5
####################################################
loginuser	Auth-Type := PAP, MD5-Password := "xxxx"
$enab15$	Auth-Type := PAP, MD5-Password := "xxxx"
user	Auth-Type := PAP, MD5-Password := "xxxx"
	Service-Type := NAS-Prompt-User,
	Cisco-AVPair := "shell:priv-lvl=1"
admin	Auth-Type := PAP, MD5-Password := "xxxx"
	Service-Type := NAS-Prompt-User,
	Cisco-AVPair := "shell:priv-lvl=15"
# vi userlist/users.mab01
DEFAULT	Auth-Type == PAP
	Tunnel-Type := 13,
	Tunnel-Medium-Type := 6,
	Tunnel-Private-Group-Id := "soumu_seg",
	Fall-Through = Yes

055dc061bf92	Cleartext-Password := "055dc061bf92", NAS-Port-Type == Ethernet
1877ecd5f394	Cleartext-Password := "1877ecd5f394", NAS-Port-Type == Ethernet
# vi userlist/users.mab02
DEFAULT	Auth-Type == PAP
	Tunnel-Type := 13,
	Tunnel-Medium-Type := 6,
	Tunnel-Private-Group-Id := "keiri_seg",
	Fall-Through = Yes

055dc061bf92	Cleartext-Password := "055dc061bf92", NAS-Port-Type == Ethernet
742b627d1b20	Cleartext-Password := "742b627d1b20", NAS-Port-Type == Ethernet
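As an added example (not part of the original page), a small Python helper that renders users.mab files in the layout above and audits a set of them: Cisco MAB sends the client MAC as both User-Name and User-Password, and because the MAC entries carry no Fall-Through, a MAC listed in both users.mab01 and users.mab02 only ever receives the first file's VLAN. The file names, sample MACs and VLAN names come from the page; the function names are hypothetical.

```python
import re

# Cisco MAB puts the client MAC into both User-Name and User-Password as 12
# lowercase hex digits with no separators, e.g. "055dc061bf92"; that is why
# every users.mab entry on the page repeats the MAC as its Cleartext-Password.

def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, Cisco aabb.ccdd.eeff or bare
    hex and return the 12-character lowercase form MAB sends as User-Name."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def render_mab_file(vlan_name: str, macs) -> str:
    """Render one users.mabNN file in the page's layout: a DEFAULT entry carrying
    the VLAN reply attributes (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 =
    IEEE-802) with Fall-Through, followed by one entry per MAC."""
    lines = [
        "DEFAULT\tAuth-Type == PAP",
        "\tTunnel-Type := 13,",
        "\tTunnel-Medium-Type := 6,",
        f'\tTunnel-Private-Group-Id := "{vlan_name}",',
        "\tFall-Through = Yes",
        "",
    ]
    for mac in sorted({normalize_mac(m) for m in macs}):
        lines.append(f'{mac}\tCleartext-Password := "{mac}", NAS-Port-Type == Ethernet')
    return "\n".join(lines) + "\n"

MAC_ENTRY = re.compile(r'^([0-9a-f]{12})\s+Cleartext-Password\s*:=\s*"([0-9a-f]{12})"', re.M)
GROUP_ID = re.compile(r'Tunnel-Private-Group-Id\s*:=\s*"([^"]+)"')

def audit_mab_files(files: dict) -> list:
    """files maps file name -> content, in $INCLUDE order. Report MAC entries
    whose password differs from the user name (MAB would be rejected) and MACs
    listed under more than one VLAN: the MAC entry has no Fall-Through, so the
    first file that lists a MAC ends processing and the later VLAN never applies."""
    problems, seen = [], {}
    for name, text in files.items():
        match = GROUP_ID.search(text)
        vlan = match.group(1) if match else "?"
        for user, password in MAC_ENTRY.findall(text):
            if user != password:
                problems.append(f"{name}: {user} password differs from user name")
            if user in seen and seen[user] != vlan:
                problems.append(f"{name}: {user} already in VLAN {seen[user]}, also {vlan}")
            seen.setdefault(user, vlan)
    return problems
```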
# vi eap.conf
eap {
	default_eap_type = tls
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 2048
	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs
		private_key_password = RadiusSV
		private_key_file = ${certdir}/RadiusSV_key.pem
		certificate_file = ${certdir}/RadiusSV_crt.pem
		CA_file = ${cadir}/chainCA_crt.pem
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
		cipher_list = "DEFAULT"
		make_cert_command = "${certdir}/bootstrap"
		cache {
			enable = no
			lifetime = 24 # hours
			max_entries = 255
		}
	}
}