.htaccessが動かないとか聞いて見てみると案の定改行コードがMacintosh。
メーラーの設定ができんとか、全部のファイルがパーミッション777とか、、
はーーーって感じっす。勘弁してくれー
んでは前回の続きでRadius認証してみましょう。
よりによってGentooです。
freeradiusは最近1.xから2.xになりました。
古いものはもうメンテされないのと、古いせいでsambaスキーマとの互換性に問題が
あったりするので2.xをインストールします。(Samba+LDAPは既に構築しているものとする)
# Install FreeRADIUS 2.x from Portage (-a: ask before merging, -v: verbose output).
emerge -av freeradius
freeradiusの設定をする。まずはバックエンドとなるldapの参照先設定をします。
--- etc/raddb/modules/ldap 2008-08-16 21:54:49.000000000 +0900
+++ /etc/raddb/modules/ldap 2008-08-27 06:32:49.263608077 +0900
@@ -30,11 +30,12 @@
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
- server = "ldap.your.domain"
- #identity = "cn=admin,o=My Org,c=UA"
- #password = mypass
- basedn = "o=My Org,c=UA"
+ server = "ldaps://ldap.example.co.jp"
+ identity = "cn=root,dc=example,dc=co,dc=jp"
+ password = xxxxxxxx
+ basedn = "dc=example,dc=co,dc=jp"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
+ base_filter = "(objectclass=account)"
#base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server.
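Review bot: The bind identity on the new side is the directory's root account, `identity = "cn=root,dc=example,dc=co,dc=jp"`, with its password stored in clear text on the line below, so anyone who can read this file on the RADIUS host gets full write access to the directory. A dedicated read-only bind DN whose ACLs expose only the attributes the ldap module needs (uid and the password attributes it maps) limits the blast radius, and the file should be readable by the radiusd user only. The module block continues outside the hunk.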
@@ -76,7 +77,7 @@
# using ldaps (port 689) connections
start_tls = no
- # cacertfile = /path/to/cacert.pem
+ #cacertfile = /etc/ssl/certs/example.pem
# cacertdir = /path/to/ca/dir/
# certfile = /path/to/radius.crt
# keyfile = /path/to/radius.key
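Review bot: `#cacertfile = /etc/ssl/certs/example.pem` is left commented out while `server` in the earlier hunk uses an `ldaps://` URL, so no CA trust anchor is configured for that TLS connection; whether the directory server's certificate is then verified at all depends on the module's certificate-requirement setting, which is outside this hunk. Uncommenting `cacertfile = /etc/ssl/certs/example.pem` (the path the author already filled in) is the one-line change that lets the bind reject a spoofed directory server, which matters because the bind password travels over this connection.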
次にmschapの設定(optional)
--- ./raddb.orig/modules/mschap 2008-08-16 21:54:49.000000000 +0900
+++ /etc/raddb/modules/mschap 2008-08-20 03:01:09.347735788 +0900
@@ -16,17 +16,17 @@
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
#
- #use_mppe = no
+ use_mppe = yes
# if mppe is enabled require_encryption makes
# encryption moderate
#
- #require_encryption = yes
+ require_encryption = yes
# require_strong always requires 128 bit key
# encryption
#
- #require_strong = yes
+ require_strong = yes
# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
認証メソッドEAPの設定をします。使用しない余計なメソッドは全部無効化します。
--- /etc/raddb/eap.conf.orig 2008-08-16 21:54:48.000000000 +0900
+++ /etc/raddb/eap.conf 2008-08-20 18:18:01.448734786 +0900
@@ -27,7 +27,7 @@
# then that EAP type takes precedence over the
# default type configured here.
#
- default_eap_type = md5
+ default_eap_type = peap
# A list is maintained to correlate EAP-Response
# packets with EAP-Request packets. After a
@@ -65,8 +65,8 @@
# for wireless connections. It is insecure, and does
# not provide for dynamic WEP keys.
#
- md5 {
- }
+ #md5 {
+ #}
# Cisco LEAP
#
@@ -80,8 +80,8 @@
# User-Password, or the NT-Password attributes.
# 'System' authentication is impossible with LEAP.
#
- leap {
- }
+ #leap {
+ #}
# Generic Token Card.
#
@@ -94,25 +94,25 @@
# the users password will go over the wire in plain-text,
# for anyone to see.
#
- gtc {
- # The default challenge, which many clients
- # ignore..
- #challenge = "Password: "
-
- # The plain-text response which comes back
- # is put into a User-Password attribute,
- # and passed to another module for
- # authentication. This allows the EAP-GTC
- # response to be checked against plain-text,
- # or crypt'd passwords.
- #
- # If you say "Local" instead of "PAP", then
- # the module will look for a User-Password
- # configured for the request, and do the
- # authentication itself.
- #
- auth_type = PAP
- }
+ #gtc {
+ # # The default challenge, which many clients
+ # # ignore..
+ # #challenge = "Password: "
+
+ # # The plain-text response which comes back
+ # # is put into a User-Password attribute,
+ # # and passed to another module for
+ # # authentication. This allows the EAP-GTC
+ # # response to be checked against plain-text,
+ # # or crypt'd passwords.
+ # #
+ # # If you say "Local" instead of "PAP", then
+ # # the module will look for a User-Password
+ # # configured for the request, and do the
+ # # authentication itself.
+ # #
+ # auth_type = PAP
+ #}
## EAP-TLS
#
@@ -144,8 +144,8 @@
certdir = ${confdir}/certs
cadir = ${confdir}/certs
- private_key_password = whatever
- private_key_file = ${certdir}/server.pem
+ #private_key_password = whatever
+ private_key_file = ${certdir}/airmac.key
# If Private key & Certificate are located in
# the same file, then private_key_file &
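Review bot: With `#private_key_password = whatever` commented out, `private_key_file = ${certdir}/airmac.key` must be an unencrypted PEM key, so file permissions are its only protection; the key should be owned by the radiusd user with mode 0600 (or 0640 with the radiusd group) and the certs directory not world-readable. If the key is in fact passphrase-protected, the module cannot load it once the passphrase line is gone, so one of the two lines has to change. The `tls` block continues outside the hunk.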
@@ -157,7 +157,7 @@
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
- certificate_file = ${certdir}/server.pem
+ certificate_file = ${certdir}/airmac.extend.crt
# Trusted Root CA list
#
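Review bot: The retained comment above `certificate_file = ${certdir}/airmac.extend.crt` says this file must hold the server certificate and all CA certificates that signed it, while the post later produces `airmac.extend.crt` with `openssl ca -out`, which writes only the leaf certificate. With a single-level CA whose root certificate is installed on the clients, as the post does for Windows XP, the leaf alone is enough; if the signing CA is an intermediate, its certificate has to be appended to this file or supplicants will fail to build the chain. The `tls` block continues outside the hunk.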
@@ -174,7 +174,7 @@
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
- CA_file = ${cadir}/ca.pem
+ CA_file = ${cadir}/cacert.pem
#
# For DH cipher suites to work, you have to
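Review bot: `CA_file = ${cadir}/cacert.pem` points client-certificate verification at the organisation's own CA, and the retained comment says to delete the item if EAP-TLS should not be permitted; with it set, any certificate issued by that CA that passes OpenSSL's client-purpose checks is, as far as I can tell, accepted as an EAP-TLS credential unless something outside this hunk restricts it. If only PEAP is intended, it is worth confirming who else holds certificates from this CA before leaving EAP-TLS reachable. The `tls` block continues outside the hunk.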
@@ -183,7 +183,7 @@
# openssl dhparam -out certs/dh 1024
#
dh_file = ${certdir}/dh
- random_file = ${certdir}/random
+ random_file = /dev/urandom
#
# This can never exceed the size of a RADIUS
@@ -274,57 +274,57 @@
#
# in the control items for a request.
#
- ttls {
- # The tunneled EAP session needs a default
- # EAP type which is separate from the one for
- # the non-tunneled EAP module. Inside of the
- # TTLS tunnel, we recommend using EAP-MD5.
- # If the request does not contain an EAP
- # conversation, then this configuration entry
- # is ignored.
- default_eap_type = md5
-
- # The tunneled authentication request does
- # not usually contain useful attributes
- # like 'Calling-Station-Id', etc. These
- # attributes are outside of the tunnel,
- # and normally unavailable to the tunneled
- # authentication request.
- #
- # By setting this configuration entry to
- # 'yes', any attribute which NOT in the
- # tunneled authentication request, but
- # which IS available outside of the tunnel,
- # is copied to the tunneled request.
- #
- # allowed values: {no, yes}
- copy_request_to_tunnel = no
-
- # The reply attributes sent to the NAS are
- # usually based on the name of the user
- # 'outside' of the tunnel (usually
- # 'anonymous'). If you want to send the
- # reply attributes based on the user name
- # inside of the tunnel, then set this
- # configuration entry to 'yes', and the reply
- # to the NAS will be taken from the reply to
- # the tunneled request.
- #
- # allowed values: {no, yes}
- use_tunneled_reply = no
-
- #
- # The inner tunneled request can be sent
- # through a virtual server constructed
- # specifically for this purpose.
- #
- # If this entry is commented out, the inner
- # tunneled request will be sent through
- # the virtual server that processed the
- # outer requests.
- #
- virtual_server = "inner-tunnel"
- }
+ #ttls {
+ # # The tunneled EAP session needs a default
+ # # EAP type which is separate from the one for
+ # # the non-tunneled EAP module. Inside of the
+ # # TTLS tunnel, we recommend using EAP-MD5.
+ # # If the request does not contain an EAP
+ # # conversation, then this configuration entry
+ # # is ignored.
+ # default_eap_type = md5
+
+ # # The tunneled authentication request does
+ # # not usually contain useful attributes
+ # # like 'Calling-Station-Id', etc. These
+ # # attributes are outside of the tunnel,
+ # # and normally unavailable to the tunneled
+ # # authentication request.
+ # #
+ # # By setting this configuration entry to
+ # # 'yes', any attribute which NOT in the
+ # # tunneled authentication request, but
+ # # which IS available outside of the tunnel,
+ # # is copied to the tunneled request.
+ # #
+ # # allowed values: {no, yes}
+ # copy_request_to_tunnel = no
+
+ # # The reply attributes sent to the NAS are
+ # # usually based on the name of the user
+ # # 'outside' of the tunnel (usually
+ # # 'anonymous'). If you want to send the
+ # # reply attributes based on the user name
+ # # inside of the tunnel, then set this
+ # # configuration entry to 'yes', and the reply
+ # # to the NAS will be taken from the reply to
+ # # the tunneled request.
+ # #
+ # # allowed values: {no, yes}
+ # use_tunneled_reply = no
+
+ # #
+ # # The inner tunneled request can be sent
+ # # through a virtual server constructed
+ # # specifically for this purpose.
+ # #
+ # # If this entry is commented out, the inner
+ # # tunneled request will be sent through
+ # # the virtual server that processed the
+ # # outer requests.
+ # #
+ # #virtual_server = "inner-tunnel"
+ #}
##################################################
#
@@ -406,7 +406,7 @@
# the virtual server that processed the
# outer requests.
#
- virtual_server = "inner-tunnel"
+ #virtual_server = "inner-tunnel"
}
#
@@ -424,5 +424,6 @@
# currently support.
#
mschapv2 {
+ ldap
}
}
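Review bot: The bare `ldap` token added inside `mschapv2 { }` does not look like an item the eap module's mschapv2 sub-section reads; as far as I can tell it is parsed as a value-less pair and ignored, so the directory lookup really comes from the `ldap` call in the site's `authorize` section, not from this line. If the intent was to record that dependency, a comment such as `# NT-Password is supplied by the ldap module run in authorize` does it without the dead token. MS-CHAPv2 needs the NT hash, so the ldap module's attribute map must deliver NT-Password (sambaNTPassword in the Samba schema the post relies on); that mapping is not shown here and is worth confirming.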
radiusを参照するクライアント(AirMac)のアカウントを作ります。
--- raddb.orig/clients.conf 2008-08-16 21:54:48.000000000 +0900
+++ /etc/raddb/clients.conf 2008-08-20 03:01:25.452735162 +0900
@@ -227,3 +227,11 @@
# secret = xxxxxxxx
# }
#}
+
+client airmac1.example.co.jp {
+ secret = xxxxxxxx
+}
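Review bot: The new `client airmac1.example.co.jp { secret = xxxxxxxx }` block identifies the access point by hostname and shared secret only; as far as I recall the name is resolved once when radiusd starts, so the entry depends on DNS being correct at that moment, and the secret is the only thing authenticating the NAS and protecting User-Password in the RADIUS exchange. Prefer a long random secret (the placeholder here is eight characters) and an explicit `ipaddr = <access point address>` line in the block so the match does not hinge on name resolution; if this 2.x build offers it, `require_message_authenticator = yes` also hardens the exchange.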
どの認証にどのデータベースを使うかを設定する。
ついでにWindowsから自動で送られてくるアカウント情報にはドメイン名が入るので
取り除く設定を追加。
--- /etc/raddb/sites-available/default.orig 2008-08-16 21:54:48.000000000 +0900
+++ /etc/raddb/sites-available/default 2008-08-20 15:25:18.718859486 +0900
@@ -138,11 +138,11 @@
# to read /etc/passwd or /etc/shadow directly, see the
# passwd module in radiusd.conf.
#
- unix
+ #unix
#
# Read the 'users' file
- files
+ #files
#
# Look in an SQL database. The schema of the database
@@ -160,7 +160,18 @@
#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
-# ldap
+ if("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) {
+ if("%{User-Name}" =~ /^host\/(.*)$/) {
+ update request {
+ Stripped-User-Name = "%{1}$"
+ }
+ }
+ update request {
+ Stripped-User-Name = "%{1}"
+ }
+ }
+
+ ldap
#
# Enforce daily limits on time spent logged in.
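Review bot: `Stripped-User-Name = "%{1}$"` in the `host/` branch either has a stray `$` or, if the suffix is meant to build the machine-account form, it is discarded anyway: the unconditional `update request { Stripped-User-Name = "%{1}" }` that follows overwrites it on every request that enters the outer `if`. Either drop the inner block or put the second `update` in an `else` branch so the two assignments are exclusive. Note also that `%{1}` in the second update refers to whichever regex matched last, so when the `host/` branch is taken it is, as far as I can tell, the inner capture rather than the outer one — worth confirming against this FreeRADIUS version. The enclosing section starts and ends outside the hunk.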
@@ -184,7 +195,7 @@
# This module should be listed last, so that the other modules
# get a chance to set Auth-Type for themselves.
#
- pap
+ #pap
#
# If "status_server = yes", then Status-Server messages are passed
@@ -229,18 +240,18 @@
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
- Auth-Type PAP {
- pap
- }
+ #Auth-Type PAP {
+ # pap
+ #}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
- Auth-Type CHAP {
- chap
- }
+ #Auth-Type CHAP {
+ # chap
+ #}
#
# MSCHAP authentication.
@@ -264,16 +275,16 @@
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
- unix
+ #unix
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
-# Auth-Type LDAP {
-# ldap
-# }
+ Auth-Type LDAP {
+ ldap
+ }
#
# Allow EAP authentication.
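Review bot: Enabling `Auth-Type LDAP { ldap }` turns on the bind-as-user plain-text check, and the retained comment directly above says EAP does not use it; with `pap` disabled in this change and the inner method being MS-CHAPv2 (Auth-Type MS-CHAP), this branch is reached only by a request that still carries a plain User-Password. That is fine if some non-EAP client needs it; otherwise it is an extra plaintext path to the directory that could stay commented. A comment naming the client it serves would make the intent clear, e.g. `# bind-as-user check for non-EAP clients that send User-Password`.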
@@ -322,7 +333,7 @@
# Update the wtmp file
#
# If you don't use "radlast", you can delete this line.
- unix
+ #unix
#
# For Simultaneous-Use tracking.
インストール時にデフォルトで証明書が作成されますが、ウチはCAを構築しているた
め別に作ります。ここで注意するのは、デフォルトで出力される証明書はwindowsの
ZCWでは受け付けられないという事です。(詳細は、、あまり調べてなかったりす
る。)
そのため、-extensions xpserver_ext -extfile /etc/raddb/certs/xpextensionsを
付けて署名します。
# Sign the AirMac RADIUS server CSR with the local CA and stage the result
# under /etc/raddb/certs/ for eap.conf (certificate_file / CA_file).
# -extensions xpserver_ext / -extfile xpextensions add the extensions that
# Windows supplicants require of the server certificate.
cd /www/ca.example.co.jp/keys/airmac.intra
raddb_certs=/etc/raddb/certs
openssl ca -config path/to/openssl.cnf -policy policy_anything \
    -out airmac.extend.crt \
    -extensions xpserver_ext -extfile "${raddb_certs}/xpextensions" \
    -infiles airmac.csr
# NOTE(review): dsaparam emits "DSA PARAMETERS"; the eap.conf comment quotes
# "openssl dhparam -out certs/dh 1024" (DH PARAMETERS) for dh_file — confirm
# radiusd loads this file before relying on it.
openssl dsaparam -out dh 2048
# Copies every file in the key directory, presumably including airmac.key,
# which eap.conf loads without a passphrase; it must be readable by radiusd only.
cp * "${raddb_certs}/"
cp /www/ca.example.co.jp/cacert.pem "${raddb_certs}/"
ではradiusを起動し、AirMac設定ユーティリティでWPA2を選択して
/etc/raddb/clients.confに設定した認証サーバー情報を入れましょう。
WindowsXPの設定とか
こちらが詳しく紹介されています。
(WindowsXPに作成した証明書をインストールしておく)
ただし、この方法だとWindowsのログイン前に無線に接続できないので、ドメインロ
グオンができない。(キャッシュされてる場合を除く)
なので「Windowsのログオン名と・・・・」のチェックをはずしておく工程はわざと省く。
そうすることでマシンアカウントで接続できるようになりドメインログオンできるようになる。
あとはドメインログオンすればsmbldapのユーザーアカウントで接続できるはず。です。

