freeradiusで.1x認証をしませう #Cisco

前置き

ネットワークのお勉強でfreeradiusとCatalyst3550で.1x認証してみましょう
ってのが今回の目的
自分用メモなのでご注意を

参考サイト様

https://www.virment.com/radius-server-configuration/
http://labs.septeni.co.jp/entry/20140707/1404670069
https://www.infraexpert.com/study/dot1xz03.html

freeradius環境の構築

今回はVagrantを使ってざっくりCentOS6上にRADIUS環境を作っていきます

Vagrant

d:\VM\radius_svr>vagrant -v
Vagrant 2.2.2

d:\VM\radius_svr>vagrant box list
centos6   (virtualbox, 0)

d:\VM\radius_svr>vagrant init centos6
A `Vagrantfile` has been placed in this directory. You are now
ready to `vagrant up` your first virtual environment! Please read
the comments in the Vagrantfile as well as documentation on
`vagrantup.com` for more information on using Vagrant.

d:\VM\radius_svr>ls -lrt
total 4
-rwxrwx---+ 1 nathaniel None 3084 Feb 17 10:43 Vagrantfile

Vagrantfileの編集

パブリックネットワーク用の設定を入れておきます
config.vm.network :public_network, ip: "192.168.1.150"

起動からfreeradiusのインストールまで

>vagrant up
>vagrant ssh
$ su -
# yum install freeradius freeradius-mysql

設定変更(メモ程度)

[root@localhost ~]# cd /etc/raddb/
[root@localhost raddb]# diff radiusd.conf radiusd.conf_org
167,169c167,168
< user = root
< group = root
<
---
> user = radiusd
> group = radiusd
317c316
<       port = 1812
---
>       port = 0
477c476
<       auth = yes
---
>       auth = no
[root@localhost raddb]#

[root@localhost raddb]# diff clients.conf clients.conf_org
247,250d246
< client 192.168.1.0/24 {
<       secret          = hogehoge
<       shortname       = nekousagi_radius
< }
[root@localhost raddb]#

[root@localhost raddb]# diff users users_org
93,97d92
<
< "nekousagi"   Cleartext-Password := "hogehoge"
<               Reply-Message = "Hello, %{User-Name}"
※ 今回はユーザnekousagi、パスワードをhogehogとしています
<
<
[root@localhost raddb]#


[root@localhost raddb]# cat eap.conf
# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
##      $Id$

#######################################################################
#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#  EAP types NOT listed here may be supported via the &quot;eap2&quot; module.
#  See experimental.conf for documentation.
#
        eap {

                default_eap_type =peap
                timer_expire     = 60
                ignore_unknown_eap_types = yes
                cisco_accounting_username_bug = no
                max_sessions = 4096

                  tls {

                        certdir = ${confdir}/certs
                        cadir = ${confdir}/certs
                        private_key_password = whatever
                        private_key_file = ${certdir}/server.key
                        certificate_file = ${certdir}/server.pem
                        CA_file = ${cadir}/ca.pem
                        dh_file = ${certdir}/dh
                        random_file = /dev/urandom
                        CA_path = ${cadir}
                        cipher_list = "DEFAULT"

                        make_cert_command = "${certdir}/bootstrap"

                        cache {
                              enable = no
                              lifetime = 24 # hours
                              max_entries = 255
                        }
                        verify {

                        }
                }

                ttls {
                        default_eap_type = mschapv2
                        copy_request_to_tunnel = yes
                        use_tunneled_reply = yes
                }

                peap {
                        default_eap_type = mschapv2
                }
                mschapv2 {
                }
        }
                mschap {
                  authtype = MS-CHAP
                  use_mppe = yes
                  require_encryption = yes
                  require_strong = yes
               }

[root@localhost raddb]#

起動

[root@localhost raddb]# service radiusd start
Starting radiusd:                                          [  OK  ]
[root@localhost raddb]#

スイッチ側の設定

Switch#sh run
Building configuration...

Current configuration : 2348 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
ip subnet-zero
!
no ip domain-lookup
!
spanning-tree mode pvst
spanning-tree extend system-id
dot1x system-auth-control
!
!
!
!
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!

====中略=====

interface FastEthernet0/24
 switchport mode dynamic desirable

!
interface Vlan1
 ip address 192.168.1.250 255.255.255.0
!
ip default-gateway 192.168.1.1
ip classless
ip http server
!
radius-server host 192.168.1.150 auth-port 1812 acct-port 1813 key hogehoge
radius-server retransmit 3
!
line con 0
 logging synchronous
line vty 5 15
!
!
end

Switch#

詳細

radius-server host 192.168.1.150 auth-port 1812 acct-port 1813 key hogehoge
→RADIUS鯖のIP、ポート、パスワードを設定
radius-server retransmit 3
→RADIUS認証の再送回数を指定

aaa new-model
→認証機能を設定
aaa authentication dot1x default group radius
→.1xのユーザ認証方式を指定
aaa authorization network default group radius
→指定されたVLAN情報に従って、VLAN単位認証（動的）を行う場合に指定

interface FastEthernet0/2
switchport mode access
dot1x port-control auto
→ポート単位で.1x認証を有効に
spanning-tree portfast
!

ログ

[root@localhost ~]# cd /var/log/radius/
[root@localhost radius]# tail radius.log
====中略====
Sun Feb 17 03:42:32 2019 : Auth: Login OK: [nekousagi] (from client nekousagi_ra
dius port 0 via TLS tunnel)
Sun Feb 17 03:42:32 2019 : Auth: Login OK: [nekousagi] (from client nekousagi_ra
dius port 50002 cli XX-XX-XX-XX-XX-XX)
[root@localhost radius]#

以上