authentification radius

[didier]

salut à tous, <BR> <BR>je voudrais savoir si qqun parmi vous a déjà réussi à mettre en place une authentification radius sur un réseau wireless ...et je voudrais tout particulièrement savoir si qqun a déjà réussi à faire fonctionner correctement un serveur radius...genre freeradius?? <BR>

[bruno]

Pas encore, mais j'étais justement en train de me pencher sur la question pour faire face aux faiblesses du WEP... <BR>Je te tiens au courant dès que ça marche, c'est à dire peut-être jamais <IMG SRC="images/smiles/icon_lol.gif">

[joebar]

Salut, <BR> <BR>Ben moi aussi je suis dessus ce sujet depuis hier avec IAS sur 2000. Mais les tests ne sont pas tres concluants.... <BR> <BR>Si kelk1 a reussi..................... Merciiiiiiiiiiiii <BR> <BR>@+ <BR> <BR>Je continue à fouiller.

[fiyahbun]

j'ai effectivement mis en place une authentification radius dans une architecture wireless GSM GPRS. Le serveur radius est IAS de Microsoft mais je conseille vivement une des alternatives linux... <BR>

[antolien]

Voici quelques adresses qui vous intéresseront peut-être et même sûrement : <BR> <BR><!-- BBCode auto-link start --><a href="http://www.freeradius.org/" target="_blank">http://www.freeradius.org/</a><!-- BBCode auto-link end --> <BR> <BR><!-- BBCode auto-link start --><a href="http://www.cs.umd.edu/~mvanopst/8021x/howto/server.html" target="_blank">http://www.cs.umd.edu/~mvanopst/8021x/howto/server.html</a><!-- BBCode auto-link end --> <BR> <BR><!-- BBCode auto-link start --><a href="http://www.xs4all.nl/~evbergen/openradius-index.html/" target="_blank">http://www.xs4all.nl/~evbergen/openradius-index.html/</a><!-- BBCode auto-link end --> <BR> <BR><!-- BBCode auto-link start --><a href="http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/ias.asp" target="_blank">http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/ias.asp</a><!-- BBCode auto-link end --> (microsoft) <BR> <BR>et Xtradius <!-- BBCode auto-link start --><a href="http://xtradius.sourceforge.net/" target="_blank">http://xtradius.sourceforge.net/</a><!-- BBCode auto-link end --><BR><BR><font size=-2></font>

[acrorezo]

J'ai trouvé sur <!-- BBCode auto-link start --><a href="http://www.lyon-wireless.org" target="_blank">http://www.lyon-wireless.org</a><!-- BBCode auto-link end --> un descriptif de leur woody box, le document est un draft mais en dehors de quelques problemes pour installer le module pam-radius-auth ( ./configure -make néhfrehfwuh gnagnagna aie pas marcher pourquoi sait pas|-( ) ce document decrit tres bien comment realiser un node securisé avec une authentification radius... <BR> <BR>Faite moi part de vos experiences, je suis preneur <IMG SRC="images/smiles/icon_smile.gif">

[max_78]

Nous avons réussi à mettre en place une authentification par FreeRadius (challenge MD5) avec un client sous Windows XP et un simple AP du commerce (DLink DWL-900AP+) <BR>Des docs sont disponibles ici : <BR><!-- BBCode u2 Start --><A HREF="http://wifi.erasme.org/rubrique.php3?id_rubrique=15" TARGET="_blank">http://wifi.erasme.org/rubrique.php3?id_rubrique=15</A><!-- BBCode u2 End --> <BR> <BR>Pour l'utilisation des certificats, c'est une autre histoire... <BR> <BR>De plus, le 802.1x n'est pas exempt de failles (c'est un co-développeur du projet 802.1x qui le dit ! ), voir <!-- BBCode u2 Start --><A HREF="http://www.cs.umd.edu/~waa/1x.pdf" TARGET="_blank">http://www.cs.umd.edu/~waa/1x.pdf</A><!-- BBCode u2 End -->.

[staple]

J'ai réussi à faire une authentification radius en 802.1x sur un réseau wifi.J'utilise 1 carte pcmcia orinoco + 1 AP proxim et le logiciel odyssey client / serveur ( <!-- BBCode auto-link start --><a href="http://www.comware.fr/" target="_blank">http://www.comware.fr/</a><!-- BBCode auto-link end --> ). En effet, j'ai également entendu dire qu'il y avait quelque faille de sécurité en 802.1x. Je cherche à monter une plate-forme sécurisé. Vous auriez une idée sur le type de logiciel à utiliser ??? ( j'avais penser à utiliser un vpn associer au serveur radius, mais je ne sais pas si c'est une bonne idée ) <BR> <BR>Staple

[joebar]

Ca y est, j'ai enfin une plate-forme wifi au taf pour tester la sécu. Je viens de mettre un server radius : <BR> <BR>- marche pas du tout avec AP 3COM 802.11G !!! <BR>- marche tres bien avec AP CISCO ARIONET 1100 (2 APs) <BR> <BR>Donc freeradius marche tres bien avec fichier text "users" et EAP/MD5, par contre avec mysql imposible d'authentifier un user correctement. <BR> <BR>Deja qd je lance freeradius j'ai un erreur de connection a mysql vers la fin : <BR> <BR>

Code: Tout sélectionner

  <BR> sql: radius_db = "radius" <BR> sql: acct_table = "radacct" <BR> sql: acct_table2 = "radacct" <BR> sql: authcheck_table = "radcheck" <BR> sql: authreply_table = "radreply" <BR> sql: groupcheck_table = "radgroupcheck" <BR> sql: groupreply_table = "radgroupreply" <BR> sql: usergroup_table = "usergroup" <BR> sql: nas_table = "nas" <BR> sql: dict_table = "dictionary" <BR> sql: sqltrace = no <BR> sql: sqltracefile = "/usr/local/var/log/radius/sqltrace.sql" <BR> sql: deletestalesessions = yes <BR> sql: num_sql_socks = 5 <BR> sql: sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}" <BR> sql: default_user_profile = "" <BR> sql: query_on_not_found = no <BR> sql: authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id" <BR> sql: authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id" <BR> sql: authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id" <BR> sql: authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id" <BR> sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = %{Acct-Delay-Time} WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'" <BR> sql: accounting_update_query = "UPDATE radacct SET FramedIPAddress = '%{Framed-IP-Address}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime = 0" <BR> sql: accounting_start_query = "INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')" <BR> sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime = 0" <BR> sql: accounting_stop_query = "UPDATE radacct SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime = 0" <BR> sql: accounting_stop_query_alt = "INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')" <BR> sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'" <BR> sql: connect_failure_retry_delay = 60 <BR> sql: simul_count_query = "" <BR> sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0" <BR>rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked <BR>rlm_sql (sql): Attempting to connect to <!-- BBcode auto-mailto start --><a href="mailto:root@localhost:/radius">root@localhost:/radius</a><!-- BBCode auto-mailto end --> <BR>rlm_sql (sql): starting 0 <BR>rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 <BR>rlm_sql_mysql: Starting connect to MySQL server for #0 <BR>rlm_sql (sql): Connected new DB handle, #0 <BR> <BR>

<BR> <BR>ET donc qd un user se connecte ya ca : <BR> <BR>

Code: Tout sélectionner

<BR>rad_recv: Access-Request packet from host 192.168.216.205:1645, id=249, length=139 <BR>        User-Name = "ODYSSEEerlegiga" <BR>        Framed-MTU = 1400 <BR>        Called-Station-Id = "0002.8a42.26b0" <BR>        Calling-Station-Id = "00c0.49a8.e8e8" <BR>        Message-Authenticator = 0x9083baa9aa10a8faf14a6f4a79d5cd45 <BR>        EAP-Message = 0x02010015014f4459535345455c65726c6567696761 <BR>        NAS-Port-Type = Virtual <BR>        NAS-Port = 509 <BR>        NAS-IP-Address = 192.168.216.205 <BR>        NAS-Identifier = "ap" <BR>modcall: entering group authorize for request 0 <BR>  modcall[authorize]: module "preprocess" returns ok for request 0 <BR>  modcall[authorize]: module "chap" returns noop for request 0 <BR>  rlm_eap: EAP packet type notification id 1 length 21 <BR>  rlm_eap: EAP Start not found <BR>  modcall[authorize]: module "eap" returns updated for request 0 <BR>    rlm_realm: No '@' in User-Name = "ODYSSEEerlegiga", looking up realm NULL <BR>    rlm_realm: No such realm "NULL" <BR>  modcall[authorize]: module "suffix" returns noop for request 0 <BR>    users: Matched DEFAULT at 149 <BR>  modcall[authorize]: module "files" returns ok for request 0 <BR>    rlm_realm: No '@' in User-Name = "ODYSSEEerlegiga", looking up realm NULL <BR>    rlm_realm: No such realm "NULL" <BR>  modcall[authorize]: module "suffix" returns noop for request 0 <BR>    users: Matched DEFAULT at 149 <BR>  modcall[authorize]: module "files" returns ok for request 0 <BR>  modcall[authorize]: module "mschap" returns noop for request 0 <BR>modcall: group authorize returns updated for request 0 <BR>  rad_check_password:  Found Auth-Type EAP <BR>auth: type "EAP" <BR>modcall: entering group authenticate for request 0 <BR>  rlm_eap: EAP packet type notification id 1 length 21 <BR>  rlm_eap: EAP Start not found <BR>  rlm_eap: EAP Identity <BR>  rlm_eap: processing type md5 <BR>rlm_eap_md5: Issuing Challenge <BR>  modcall[authenticate]: module "eap" returns ok for request 0 <BR>modcall: group authenticate returns ok for request 0 <BR>Sending Access-Challenge of id 249 to 192.168.216.205:1645 <BR>        EAP-Message = 0x01020016041018647bc8d4dcb303f84617128828f69f <BR>        Message-Authenticator = 0x00000000000000000000000000000000 <BR>        State = 0xdab52f0816ab707ecca3d8fce1af9eb12aaec33f9fb6a2f2ae21c0457c0a16b4609e4afb <BR>Finished request 0 <BR>Going to the next request <BR>--- Walking the entire request list --- <BR>Waking up in 6 seconds... <BR>rad_recv: Access-Request packet from host 192.168.216.205:1645, id=250, length=178 <BR>        User-Name = "ODYSSEEerlegiga" <BR>        Framed-MTU = 1400 <BR>        Called-Station-Id = "0002.8a42.26b0" <BR>        Calling-Station-Id = "00c0.49a8.e8e8" <BR>        Message-Authenticator = 0x59e81ba62e6139c0b31f84ecb85197d5 <BR>        EAP-Message = 0x020200160410a3be96db63712186fdd7821e84d5ce69 <BR>        NAS-Port-Type = Virtual <BR>        NAS-Port = 509 <BR>        State = 0xdab52f0816ab707ecca3d8fce1af9eb12aaec33f9fb6a2f2ae21c0457c0a16b4609e4afb <BR>        NAS-IP-Address = 192.168.216.205 <BR>        NAS-Identifier = "ap" <BR>modcall: entering group authorize for request 1 <BR>  modcall[authorize]: module "preprocess" returns ok for request 1 <BR>  modcall[authorize]: module "chap" returns noop for request 1 <BR>  rlm_eap: EAP packet type notification id 2 length 22 <BR>  rlm_eap: EAP Start not found <BR>  modcall[authorize]: module "eap" returns updated for request 1 <BR>    rlm_realm: No '@' in User-Name = "ODYSSEEerlegiga", looking up realm NULL <BR>    rlm_realm: No such realm "NULL" <BR>  modcall[authorize]: module "suffix" returns noop for request 1 <BR>    users: Matched DEFAULT at 149 <BR>  modcall[authorize]: module "files" returns ok for request 1 <BR>    rlm_realm: No '@' in User-Name = "ODYSSEEerlegiga", looking up realm NULL <BR>    rlm_realm: No such realm "NULL" <BR>  modcall[authorize]: module "suffix" returns noop for request 1 <BR>    users: Matched DEFAULT at 149 <BR>  modcall[authorize]: module "files" returns ok for request 1 <BR>  modcall[authorize]: module "mschap" returns noop for request 1 <BR>modcall: group authorize returns updated for request 1 <BR>  rad_check_password:  Found Auth-Type EAP <BR>auth: type "EAP" <BR>modcall: entering group authenticate for request 1 <BR>  rlm_eap: EAP packet type notification id 2 length 22 <BR>  rlm_eap: EAP Start not found <BR>  rlm_eap: Request found, released from the list <BR>  rlm_eap: EAP_TYPE - md5 <BR>  rlm_eap: processing type md5 <BR>rlm_eap_md5: No password configured for this user <BR>  modcall[authenticate]: module "eap" returns invalid for request 1 <BR>modcall: group authenticate returns invalid for request 1 <BR>auth: Failed to validate the user. <BR>Delaying request 1 for 1 seconds <BR>Finished request 1 <BR>Going to the next request <BR>Waking up in 6 seconds... <BR> <BR> <BR>Help !!!    <BR>

<IMG SRC="images/smiles/icon_biggrin.gif"> <IMG SRC="images/smiles/icon_biggrin.gif"> <IMG SRC="images/smiles/icon_biggrin.gif"> <IMG SRC="images/smiles/icon_biggrin.gif"> <IMG SRC="images/smiles/icon_biggrin.gif">

[joebar]

je me répond a moi meme mais ca px servire a d'autre : <BR> <BR>j'avais oubiler ca dans le radius.conf : <BR> <BR>authorize { <BR> <!-- BBCode Start --><B>sql</B><!-- BBCode End --> <BR> files <BR> mschap <BR>} <BR> <BR>authenticate { <BR> mschap <BR>} <BR> <BR>accounting { <BR> unix <BR> <!-- BBCode Start --><B>sql</B><!-- BBCode End --> <BR> radutmp <BR>} <BR> <BR> <BR>Et puis lenom du login avec le nom du domaine ca marche pas du tout !!!

[deglingo60]

bonjour moi aussi je taf sur le WIFI et notamment sur le EAP-TLS <BR>Pour ca j'utilise freeRadius ou IAS sous Win 2000 Server mais g vraiment bcp de dificultés a les configurer <BR>Sinon j'avais reussi avec le LEAP ca marchait nikel <BR>voila j'attend vos reponses <BR> <BR>PS:ecrivez moi a <!-- BBcode auto-mailto start --><a href="mailto:tag78@caramail.Com">tag78@caramail.Com</a><!-- BBCode auto-mailto end -->