WPA2-EAP (CCMP/AES) mit beliebigen Login-Credentials: ein "offenes" Netz, aber mit Transportverschlüsselung zwischen Client und AP. Anders als bei WPA2-PSK erhält jeder Client über den EAP/TLS-Handshake einen eigenen Sitzungsschlüssel, andere Clients im selben Netz können den Funkverkehr also nicht entschlüsseln. Gegen einen gefälschten AP mit eigenem RADIUS-Server (Evil Twin) schützt das nur, wenn der Client das Zertifikat des RADIUS-Servers prüft (siehe Abschnitt Certificate weiter unten) – ohne diese Prüfung terminiert der Angreifer den TLS-Tunnel und sieht den gesamten Verkehr.
* Proto: EAP-TTLS
* AP: '''C3D2.anybert'''
* AP: '''C3D2.anybert 5''' (5 GHZ)
* Benutzername: '''anonymous'''
* Password: '''anonymous'''
<code>EAP-TTLS, Username: anonymous, Password: anonymous, RADIUS: lxc-to-go anybert in VirtualBox auf FreeNAS</code>
<source lang=bash>wpa_supplicant.conf EXAMPLE
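network={
        ssid="C3D2.anybert"
        # The 5 GHz AP uses a different SSID ("C3D2.anybert 5"); add a second
        # network block with that ssid if you want to use it as well.
        # The AP is described as WPA2 with CCMP/AES, so do not allow a
        # downgrade to WPA1/TKIP.
        proto=RSN
        pairwise=CCMP
        key_mgmt=WPA-EAP
        eap=TTLS
        # Inner PAP: the password crosses the TLS tunnel in cleartext and is
        # seen by whichever RADIUS server terminates the tunnel.  Only use a
        # throwaway credential here, never a password used anywhere else.
        phase2="auth=PAP"
        # Outer identity is sent unencrypted; the inner identity goes through
        # the tunnel.
        anonymous_identity="anonymous"
        identity="anonymous"
        password="anonymous"
        # Without ca_cert wpa_supplicant accepts ANY server certificate, so a
        # rogue AP running its own RADIUS server can terminate the tunnel and
        # read or modify all traffic.  Install the C3D2 RADIUS CA (ca.pem from
        # the "RootCA für RADIUS erstellen" section; verify its fingerprint out
        # of band) and pin the server name to the CN of the server certificate.
        # Adjust the path to wherever you stored the CA file.
        ca_cert="/etc/wpa_supplicant/c3d2-radius-ca.pem"
        domain_suffix_match="anybert.hq.c3d2.de"
        priority=25
}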
</source>
'''- für eine "höhere" Sicherheit sollte ein beliebiger Username/Password mit mindestens 16 Zeichen verwendet werden -''' Hinweis: Der RADIUS-Server akzeptiert jede beliebige Kombination, und das Passwort wird per PAP im Klartext durch den TLS-Tunnel an den Server geschickt, der den Tunnel terminiert. Für die Verschlüsselung der Funkstrecke spielt die Passwortlänge keine Rolle (der Sitzungsschlüssel stammt aus dem TLS-Handshake, nicht aus dem Passwort). Eigene Credentials dürfen deshalb nie ein anderswo genutztes Passwort sein, und ohne Prüfung des Server-Zertifikats auf dem Client landen sie bei einem Evil Twin.
siehe: https://wiki.c3d2.de/WLAN#WLAN
FreeRADIUS Server, per lxc-to-go, im lxc-to-go Debian VServer, per VirtualBox, auf FreeNAS (storage)
https://github.com/plitc/lxc-to-go
<source lang=bash> ./lxc-to-go-template.sh</source>
TEMPLATE: org.openwrt.freeradius.anonymous-eap-ttls
= radius.anybert.hq.c3d2.de Certificate =
<source lang=bash>
Land DE
Bundesland Sachsen
Ort Dresden
Firma C3D2
Organisationseinheit C3D2
Allgemeiner Name anybert.hq.c3d2.de   (Hinweis: weicht vom Abschnittstitel "radius.anybert.hq.c3d2.de" ab. Clients, die den Servernamen prüfen, müssen den tatsächlich im Zertifikat eingetragenen CN verwenden – bitte eines von beiden korrigieren.)
E-Mail-Adresse mail@c3d2.de
Fingerabdrücke (zum Abgleich vor dem Installieren auf dem Client; es sollte hier klar stehen, ob es der Fingerabdruck des Server-Zertifikats oder des CA-Zertifikats ist – für die Zertifikatsprüfung auf dem Client wird die CA gebraucht)
SHA1 58 B5 F6 15 F3 00 CE 99 52 B2 F2 86 06 2E 7F 12 BD B6 F4 89
MD5 85 69 CB 77 1C C9 68 7E 73 43 B0 2C A4 3D 48 08   (MD5 ist nicht kollisionsresistent und sollte nicht zum Verifizieren benutzt werden; besser zusätzlich den SHA-256-Fingerabdruck veröffentlichen: openssl x509 -in ca.pem -noout -fingerprint -sha256)
</source>
= anonymous-eap-ttls erstellen =
<source lang=bash>
# Provision a Debian 8 container named "radius" and forward the RADIUS ports
# (1812 = authentication, 1813 = accounting; what 1814 is for is not stated on
# this page — check the linked template).  The meaning of -h and -s is defined
# by lxc-to-go itself; see its documentation.
lxc-to-go-provisioning -n radius -t deb8 -h yes -p 1812,1813,1814 -s yes
</source>
* works currently only with deb8 lxc
https://github.com/plitc/lxc-to-go/blob/master/hooks/templates/org.openwrt.freeradius.anonymous-eap-ttls
= RootCA für RADIUS erstellen =
<source lang=bash>
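# Replace the FreeRADIUS test certificates with a C3D2-owned CA and server
# certificate.  First step runs on the FreeNAS/VirtualBox host, the rest inside
# the "anybert" lxc-to-go container.
ssh root@172.22.99.15
lxc-to-go login (anybert)

cd /etc/freeradius/certs
# Move the shipped test CA/cert out of the way.  They are publicly known, so a
# client must never trust them; delete the _ORI copies once the new
# certificates are confirmed to work.
mv ca.pem ca.pem_ORI
mv server.key server.key_ORI
mv server.pem server.pem_ORI

# CA key, AES-256 encrypted (passphrase is prompted).  The CA key is only
# needed to sign server.csr and does not have to stay on the RADIUS host.
openssl genrsa -aes256 -out ca.key 2048
# -sha256: do not rely on the OpenSSL default signature digest (SHA-1 on
# older releases).
openssl req -new -x509 -sha256 -days 3650 -key ca.key -out ca.pem

# Server key + CSR.  The Common Name is what clients pin when they verify the
# server name (the certificate section of this page lists it as
# anybert.hq.c3d2.de), so enter it exactly.
openssl genrsa -aes256 -out server.key 2048
openssl req -new -key server.key -out server.csr
# NOTE: no -extfile is used, so the server cert gets no extendedKeyUsage;
# some supplicants (e.g. Windows) require "TLS Web Server Authentication" —
# add an extension file if such clients fail.
# -set_serial 01 is fixed: bump it when the server cert is re-issued,
# otherwise clients that cached the old cert will reject the new one.
openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out server.pem

# Private keys must not be world-readable.  The Debian package runs the
# daemon as user "freerad", which must be able to read server.key.
chmod 600 ca.key
chown root:freerad server.key; chmod 640 server.key

# In the tls section of eap.conf, set private_key_password to the passphrase
# given to "openssl genrsa" for server.key (the placeholder is CHANGEME).
# eap.conf then contains a secret: keep it readable by root/freerad only.
vi /etc/freeradius/eap.conf
#   private_key_password = CHANGEME

systemctl restart freeradius; systemctl status freeradius; tail -n 30 /var/log/freeradius/radius.log

# Publish the SHA-256 fingerprint of ca.pem so clients can verify what they
# install as their trusted CA for this network.
openssl x509 -in ca.pem -noout -fingerprint -sha256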
</source>