
How can I improve the wireless security in our office (RADIUS? Certificates?)

Server Fault user
Asked 2012-07-22 01:21:26
1 answer · 1.1K views · 0 followers · score 3

Edit 1:

Our environment is mixed: mostly OS X, with some Windows and Linux boxes. On top of that, Android and Apple phones also need regular wireless access.

We have a Red Hat box that could be used to run FreeRADIUS. All the network gear is Cisco-based (ASA + Catalyst switches + Aironet 1140 APs).

Thanks to HopelessN00b's feedback, I'm currently looking at FreeRADIUS + PEAP as my solution. I'm setting up a test bed for the auth server side to get a feel for it.

Right now we're using a WPA2 key + MAC address filtering on a setup of 2 Cisco Aironet 1140s linked via WDS.

It works well, but everyone shares the same WPA2 key, and every time someone is added the trust list on both APs has to be edited, which is a bit time-consuming. We only have 2 APs and roughly 12-15 people in the office, with no need to sync with other sites. We're a mixed Mac/Windows/Linux office. What setup would you recommend?

When I got here everything was already configured. I see 2 references to a RADIUS server in AP 1's running config, but the machine referenced doesn't seem to have those ports open, so I suspect those lines are inactive. Am I right?

Here's a copy of the running configs:

Access point 1:

    service password-encryption
    !
    hostname wap
    !
    logging rate-limit console 9
    enable secret 5 [redacted]
    !
    aaa new-model
    !
    !
    aaa group server radius rad_eap
     server 192.168.90.245 auth-port 1812 acct-port 1813
    !
    aaa group server radius rad_mac
    !
    aaa group server radius rad_acct
    !
    aaa group server radius rad_admin
    !
    aaa group server tacacs+ tac_admin
    !
    aaa group server radius rad_pmip
    !
    aaa group server radius dummy
    !
    aaa authentication login default local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods group rad_mac
    aaa authentication login wds-server group rad_eap
    aaa authorization exec default local 
    aaa accounting network acct_methods start-stop group rad_acct
    !
    aaa session-id common
    clock timezone -0500 -5
    clock summer-time -0400 recurring
    ip domain name nyc.acme.local
    !
    !
    dot11 association mac-list 700
    dot11 syslog
    !         
    dot11 ssid ACME-NYC
       vlan 1
       authentication open 
       authentication key-management wpa version 2
       guest-mode
       wpa-psk ascii 7 [redacted]
    !
    dot11 aaa csid ietf
    !
    !
    username ckent privilege 15 secret 5 [redacted]
    username e0f847203232 password 7 [redacted]
    username e0f847203232 autocommand exit
    username 58946b90ca20 password 7 [redacted]
    username 58946b90ca20 autocommand exit
    username bwayne privilege 15 secret 5 [redacted]
    username e0f847320cca password 7 [redacted]
    username e0f847320cca autocommand exit
    username 58946bbf4868 password 7 [redacted]
    username 58946bbf4868 autocommand exit
    username pparker privilege 15 secret 5 [redacted]
    !
    !
    bridge irb
    !         
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     encryption vlan 1 mode ciphers aes-ccm tkip 
     !
     ssid Acme-NYC
     !
     antenna gain 0
     speed  basic-11.0 18.0 24.0 36.0 48.0 54.0
     channel 2412
     station-role root
    !
    interface Dot11Radio0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface Dot11Radio1
     no ip address
     no ip route-cache
     !
     encryption vlan 1 mode ciphers aes-ccm tkip 
     !
     ssid ACME-NYC
     !
     antenna gain 0
     dfs band 3 block
     channel dfs
     station-role root
    !
    interface Dot11Radio1.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !         
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     no keepalive
    !
    interface GigabitEthernet0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface BVI1
     ip address 192.168.90.245 255.255.255.0
     no ip route-cache
    !
    ip default-gateway 192.168.90.254
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1 
    access-list 111 permit tcp any any neq telnet
    access-list 700 permit [redacted]   0000.0000.0000
    access-list 700 permit [redacted]   0000.0000.0000
    access-list 700 deny   0000.0000.0000   ffff.ffff.ffff

    snmp-server community acme   RO
    radius-server local
      no authentication eapfast
      no authentication mac
      nas 192.168.90.245 key 7 [redacted]
      user ap2 nthash 7 [redacted]
    !
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.90.201 auth-port 1645 acct-port 1646 key 7 [redacted]
    radius-server host 192.168.90.245 auth-port 1812 acct-port 1813 key 7 [redacted]
    radius-server vsa send accounting
    bridge 1 route ip
    !
    !
    wlccp authentication-server infrastructure wds-server
    wlccp wds aaa csid ietf
    wlccp wds priority 200 interface BVI1
    !
    line con 0
     access-class 111 in
    line vty 0 4
     access-class 111 in
    !
    end

Access point 2:

    service password-encryption
    !
    hostname wap2
    !
    logging rate-limit console 9
    !
    aaa new-model
    !
    !
    aaa group server radius rad_eap
     server 192.168.90.245 auth-port 1812 acct-port 1813
    !
    aaa group server radius rad_mac
    !
    aaa group server radius rad_acct
    !
    aaa group server radius rad_admin
    !
    aaa group server tacacs+ tac_admin
    !
    aaa group server radius rad_pmip
    !
    aaa group server radius dummy
    !
    aaa authentication login default local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods group rad_mac
    aaa authorization exec default local 
    aaa accounting network acct_methods start-stop group rad_acct
    !
    aaa session-id common
    clock timezone -0500 -5
    clock summer-time -0400 recurring
    ip domain name nyc.acme.local
    !
    !
    dot11 association mac-list 700
    dot11 syslog
    !
    dot11 ssid Acme-NYC
       vlan 1
       authentication open 
       authentication key-management wpa version 2
       guest-mode
       wpa-psk ascii 7 [redacted]
    !
    dot11 aaa csid ietf
    !
    !
    username ckent privilege 15 secret 5 [redacted]
    username e0f847203232 password 7 [redacted]
    username e0f847203232 autocommand exit
    username 58946b90ca20 password 7 [redacted]
    username 58946b90ca20 autocommand exit
    username bwayne privilege 15 secret 5 [redacted]
    username e0f847320cca password 7 [redacted]
    username e0f847320cca autocommand exit
    username 58946bbf4868 password 7 [redacted]
    username 58946bbf4868 autocommand exit
    username pparker privilege 15 secret 5 [redacted]
    !
    bridge irb
    !
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     encryption vlan 1 mode ciphers aes-ccm tkip 
     !
     ssid Acme-NYC
     !
     antenna gain 0
     speed  basic-11.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    !
    interface Dot11Radio0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface Dot11Radio1
     no ip address
     no ip route-cache
     !
     encryption vlan 1 mode ciphers aes-ccm tkip 
     !
     ssid Acme-NYC
     !
     antenna gain 0
     dfs band 3 block
     channel dfs
     station-role root
    !
    interface Dot11Radio1.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !         
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     no keepalive
    !
    interface GigabitEthernet0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface BVI1
     ip address 192.168.90.246 255.255.255.0
     no ip route-cache
    !
    ip default-gateway 192.168.90.254
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1 
    access-list 111 permit tcp any any neq telnet
    access-list 700 permit [redacted]   0000.0000.0000
    access-list 700 permit [redacted]   0000.0000.0000
    access-list 700 deny   0000.0000.0000   ffff.ffff.ffff

    snmp-server community Acme RO
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.90.201 auth-port 1645 acct-port 1646 key 7 [redacted]
    radius-server vsa send accounting
    bridge 1 route ip
    !
    !
    wlccp ap username ap2 password 7 [redacted]
    wlccp wds aaa csid ietf
    !
    line con 0
     access-class 111 in
    line vty 0 4
     access-class 111 in
    !
    sntp server 192.168.90.254
    sntp broadcast client
    end

1 Answer

Server Fault user

Posted 2012-07-22 01:37:50

Without knowing your skill level and environment this is a bit broad and hard to answer, but yes, I would definitely recommend certificate-based 802.1X authentication over a shared WPA2 key.

It's more secure (clients can't snoop on each other's traffic, since each client uses a different key), it's easier to manage, and you no longer have to make the poor helpdesk folks type in the key for every new machine or new user. A shared key is really a quick hack by lazy or unskilled admins to "make wireless work", and I struggle to think of a legitimate use case for it in a professional environment.

If you can't set it up yourself, a few hours of a consultant's time to set it up for you might be worth it, but we can't say whether that's a good use of your money, or whether your shop's size and the value of your wireless data are low enough that a shared WPA2 key is "good enough".

It's not that hard (though a Windows/Mac/OSX environment may make it harder to set up), even if you haven't done it before, but you'll definitely want to sit down and read up on how best to implement and set up a new certificate authority as well as the RADIUS server. Honestly, in an environment with so few people and so many different client OSes, I'm not sure which implementation I'd prefer.

And FYI, always change your passwords when you disclose your AP configs. Turning those hashes back into passwords is trivial. (I'm fixing it now, but please remember next time.)

Score: 4
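A way to check the poster's two questions against the config text itself, as an added example (not part of the question or the answer, and not Cisco's or FreeRADIUS's tooling): a small Python script that parses an IOS-style AP running-config, reports which `radius-server host` entries are actually reachable from an `aaa authentication login` list, classifies each `dot11 ssid` as PSK, EAP or open, and flags the settings the thread calls out (shared PSK, MAC list, management over plaintext HTTP, an SNMP community, type 7 secrets). The embedded config is a constructed excerpt modelled on AP 1's, and the function names are assumptions of this example.

```python
"""Audit an IOS-style AP running-config for the points raised in the thread.
Added example; SAMPLE_CONFIG is a constructed excerpt, not AP 1's actual config."""
import re
from collections import defaultdict

# Constructed excerpt that mirrors the shape of the posted config (secrets replaced).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius rad_eap
 server 192.168.90.245 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authentication login wds-server group rad_eap
dot11 association mac-list 700
dot11 ssid ACME-NYC
   vlan 1
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 REDACTED
username e0f847203232 password 7 REDACTED
ip http server
no ip http secure-server
snmp-server community acme RO
radius-server host 192.168.90.201 auth-port 1645 acct-port 1646 key 7 REDACTED
radius-server host 192.168.90.245 auth-port 1812 acct-port 1813 key 7 REDACTED
wlccp authentication-server infrastructure wds-server
"""


def parse_blocks(config):
    """Return [(top-level line, [indented child lines])], skipping '!' separators."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def radius_usage(config):
    """Map each radius-server host to the named groups and login lists that reach it.
    A host in no named group is still part of IOS's implicit 'group radius'."""
    hosts, group_members, list_groups = [], defaultdict(set), {}
    for head, children in parse_blocks(config):
        if (m := re.match(r"radius-server host (\S+)", head)):
            hosts.append(m.group(1))
        elif (m := re.match(r"aaa group server radius (\S+)", head)):
            for child in children:
                if (s := re.match(r"server (\S+)", child)):
                    group_members[m.group(1)].add(s.group(1))
        elif (m := re.match(r"aaa authentication login (\S+) group (\S+)", head)):
            list_groups[m.group(1)] = m.group(2)
    usage = {}
    for host in hosts:
        groups = sorted(g for g, members in group_members.items() if host in members)
        lists = sorted(name for name, g in list_groups.items()
                       if g in groups or g == "radius")
        usage[host] = {"groups": groups, "login_lists": lists}
    return usage


def ssid_auth(config):
    """Classify each dot11 ssid: 'eap' (802.1X), 'psk' (shared key) or 'open'."""
    result = {}
    for head, children in parse_blocks(config):
        m = re.match(r"dot11 ssid (\S+)", head)
        if not m:
            continue
        uses_eap = any(re.match(r"authentication (open eap|network-eap)", c) for c in children)
        uses_psk = any(c.startswith("wpa-psk") for c in children)
        result[m.group(1)] = "eap" if uses_eap else "psk" if uses_psk else "open"
    return result


def weak_settings(config):
    """Flag the settings the thread calls out; returns short finding codes."""
    heads = [head for head, _ in parse_blocks(config)]
    findings = []
    if any(h.startswith("dot11 association mac-list") for h in heads):
        findings.append("mac-filter")        # per-AP MAC lists are an inventory burden, not authentication
    if "ip http server" in heads and "no ip http secure-server" in heads:
        findings.append("http-plaintext")    # management UI served over cleartext HTTP
    if any(h.startswith("snmp-server community") for h in heads):
        findings.append("snmp-community")    # the community string is a shared secret sitting in the config
    # Type 7 'encryption' is reversible: every such line is a secret to rotate once the
    # config has been shared; prefer 'secret' (hashed) wherever IOS allows it.
    type7 = sum(1 for line in config.splitlines()
                if re.search(r"\b(password|key|ascii) 7\b", line))
    if type7:
        findings.append(f"type7-secrets:{type7}")
    return findings


if __name__ == "__main__":
    for host, use in radius_usage(SAMPLE_CONFIG).items():
        via = ", ".join(use["login_lists"]) or "no authentication list"
        print(f"radius-server {host}: reached via {via}")
    print("ssid auth:", ssid_auth(SAMPLE_CONFIG))
    print("findings:", weak_settings(SAMPLE_CONFIG))
```

On the constructed excerpt this reports that 192.168.90.201 sits in no named group and no login list uses `group radius`, so it is unused whatever the host answers on its ports, while 192.168.90.245 is reached through `eap_methods` and `wds-server` (in the posted config that address is AP 1's own BVI1, running `radius-server local` for the WDS peer). The SSID still authenticates clients with `wpa-psk`, so neither RADIUS host takes part in client authentication until the SSID is switched to an EAP method, which is exactly the FreeRADIUS + PEAP change the poster is testing.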
Original content provided by Server Fault; translation via Tencent Cloud's IT-domain engine.
Original link: https://serverfault.com/questions/409979