// Title: Building a wired/wireless router: installing 802.1x and RADIUS [4]
// Author: Kim Young-dae ( http://www.howto.pe.kr )
Test environment
- Host machine (Linux):
Working directory: /home/LDS
Shell prompt: [root@cozylinux]
IP: 211.204.72.53
- Target device (LDS2000):
NFS root directory: /home/LDS/LDS2000/External/RootFS/image
Shell prompt: [root@cozyLDS]
IP: 211.204.72.60
In the early days of wireless LAN, the IEEE 802.11 standardization effort and its developers put forward the SSID and WEP (Wired Equivalent Privacy) as the wireless security standard. These turned out to have serious weaknesses, which drove the search for a new alternative. At the same time, centralized user management became necessary for users associated with an AP: billing policy, usage limits, bandwidth allocation and so on. The 802.1x framework emerged to meet these needs.
In short, the purpose of IEEE 802.1x is that a user is authenticated by a RADIUS authentication server before connecting to a NAS such as an AP, and only then is allowed to use the AP.
Before reading this document, therefore, be sure to look up material on 802.1x and RADIUS servers and become thoroughly familiar with it. In particular, Windows 2000/XP currently support two EAP authentication methods, EAP-TLS and PEAP (MD5/MSCHAPv2), so concentrate on those two.
Reference sites:
- http://www.dslreports.com/forum/remark,9286052~mode=flat
- http://www.missl.cs.umd.edu/wireless/eaptls
- http://www.freeradius.org/doc/EAPTLS.pdf
- http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
- http://www.missl.cs.umd.edu/Projects/wireless/2kclient/2kclient.html
The three components of 802.1x:
- Supplicant: an ordinary PC fitted with the wireless LAN card that is to be authenticated
(here, Windows 2000 with the 802.1x client installed; Windows XP has it built in already. Unfortunately Windows 98 and earlier cannot be used)
- Authenticator: the NAS (Network Access Server, or RAS) that controls the network access port according to the authentication result
(here, the target device, i.e. the AccessPoint)
- Authentication Server: provides the authentication service to the NAS (AccessPoint, bridge, switch, etc.) over the wired network
(here, the host machine running Linux)
Files to download:
- Windows 2000 patch: 802.1x for Windows 2000 (already included in Windows XP)
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=6B78EDBE-D3CA-4880-929F-453C695B9637
- HostAP source (hostap-2002-10-12.tar.gz)
http://hostap.epitest.fi/releases
- OpenSSL source (openssl.tar.gz; the current version is 0.9.7d)
http://www.openssl.org
- freeRADIUS source (freeradius.tar.gz; the current version is 1.0.0-pre1)
http://www.freeradius.org
1. Installing the 802.1x for Windows 2000 patch - Supplicant
Install the 802.1x for Windows 2000 patch on the ordinary PC that will act as the Supplicant, then run it as a service. After installation, open "Start" -> "Settings" -> "Control Panel" -> "Administrative Tools" -> "Services", select the "Wireless Configuration" entry and put the service into the "Started" state. To have it start automatically at every Windows boot, set the startup type to "Automatic" in its properties.
Next, open the properties of "My Network Places" on the desktop, select the "Local Area Connection" that corresponds to the wireless LAN and open its properties: an "Authentication" tab appears, containing the 802.1x settings. The detailed settings are covered again below.
For reference, under "EAP type", "Smart Card or other Certificate" means EAP-TLS, and "Protected EAP (PEAP)" means PEAP using MD5 (MSCHAPv2) as the client authentication method.
2. Installing hostapd from HostAP - Authenticator
hostapd is distributed together with the HostAP driver installed earlier, and you may have wondered what it is for. Go to the directory where HostAP is installed right now and confirm that there is a hostapd directory. This program is the Authenticator that runs on the AP. The Authenticator merely relays EAPOL/EAP-over-RADIUS frames between the Supplicant and the Authentication Server and, according to the Authentication Server's verdict, controls the Supplicant's Controlled Port and thereby decides whether the association with the AP is allowed.
For those who have not installed HostAP before, the HostAP installation is described here as well.
Unpack the downloaded HostAP archive and change into its directory (if HostAP is already installed, just change into the directory):
[root@cozylinux temp]# tar xvfz hostap-2002-10-12.tar.gz
[root@cozylinux temp]# cd hostap-2002-10-12
When the HostAP driver is first installed, hostapd support is disabled in the driver and must be enabled. To do so, open driver/modules/hostap_config.h in the unpacked HostAP directory, uncomment the following two lines and save the file:
#define PRISM2_HOSTAPD
#define PRISM2_DOWNLOAD_SUPPORT
Change into the hostapd directory and edit the Makefile to set the kernel source and the gcc compiler: "KERNEL_PATH" is the directory containing the kernel source, and "CC" is the executable name of the cross compiler.
KERNEL_PATH=/home/LDS/LDS2000/kernel-2.4.18
CC=arm-linux-gcc
Then compile:
[root@cozylinux hostapd]# make clean
[root@cozylinux hostapd]# make
Because this was cross-compiled on the host machine for the target device, copy the compiled hostapd into sbin under the directory that is exported to the target over NFS (the target's NFS root directory):
[root@cozylinux hostapd]# cp hostapd /home/LDS/LDS2000/External/RootFS/image/sbin
Since hostapd support was enabled in the HostAP driver, the driver is recompiled as well:
[root@cozylinux hostap-2002-10-12]# make clean
[root@cozylinux hostap-2002-10-12]# make pccard
[root@cozylinux hostap-2002-10-12]# make install_pccard
3. Installing OpenSSL - Authentication Server
OpenSSL is usually installed along with Linux. If the OpenSSL already present was installed from source there is no need to install it again, but if only binaries were installed, as with Red Hat's binary RPM, install the source in addition (it is best to leave the existing binary RPM in place and install the source alongside it).
Unpack the OpenSSL source, change into its directory and compile it. Build the source as below and install it into the /usr/local/openssl directory:
[root@cozylinux openssl-0.9.7d]# ./config shared --prefix=/usr/local/openssl
[root@cozylinux openssl-0.9.7d]# make clean
[root@cozylinux openssl-0.9.7d]# make
[root@cozylinux openssl-0.9.7d]# make install
It is also a good habit to save the log messages printed on screen during the OpenSSL build for later reference; they can be redirected to a file as in the example below:
[root@cozylinux openssl-0.9.7d]# make > make.log 2>&1
4. Installing freeRADIUS - Authentication Server
Unpack the freeRADIUS source, change into its directory and compile it. Build the source as below and install it under the /usr/local directory (this creates /usr/local/etc/raddb):
[root@cozylinux freeradius-1.0.0-pre1]# ./configure \
--with-openssl-includes=/usr/local/openssl/include \
--with-openssl-libraries=/usr/local/openssl/lib \
--prefix=/usr/local
[root@cozylinux freeradius-1.0.0-pre1]# make
[root@cozylinux freeradius-1.0.0-pre1]# make install
5. Creating the certificates - Authentication Server
It is time to create three kinds of certificate.
The certificates are needed in order to use EAP-TLS and PEAP as the authentication methods in the 802.1x framework. Both EAP-TLS and PEAP are mutual authentication schemes: the Supplicant authenticates the Authentication Server, and the Authentication Server authenticates the Supplicant. With EAP-TLS both sides need a certificate. PEAP was introduced to spare the Supplicant the inconvenience of having to have a certificate ready every time it uses an AP: with PEAP the Supplicant authenticates the Authentication Server using the server's certificate, while the Authentication Server authenticates the Supplicant by checking its UserID/Password.
So OpenSSL was needed in order to create these certificates: OpenSSL itself contains the PKI elements that work with certificates, and we use the certificate-generation utilities it provides.
Before creating certificates with OpenSSL, the basic information required at certificate generation time must be registered. Open the openssl.cnf file in the /usr/local/openssl/ssl directory and edit it. Leave the other entries alone and change the parts marked with "X" below; if an entry does not exist, add it at the corresponding place. countryName_default must be exactly two letters (e.g. KR); the others have generous length limits, so simply enter something meaningful. challengePassword_default is the certificate password, so if you change it to something else be sure to make a note of it.
countryName_default = XX
stateOrProvinceName_default = XXXXXXXXXXX
localityName_default = XXXXXXXXXXX
0.organizationName_default = XXXXXXXXXXXXXXXXXXXXXX
organizationalUnitName_default = XXXXXXXXXXXXXXXXXXXXXX
commonName_default = XXXXXXXXXXX
emailAddress_default = XXXXXXXXXXXXXXXXXXXXXX
challengePassword_default = whatever
Three certificates must be created in total.
PEAP needs only the Authentication Server's certificate, whereas EAP-TLS needs certificates for both the Supplicant and the Authentication Server. The purpose of those two certificates is clear, which leaves the question of the third. It is the root CA certificate used to sign the two certificates above when they are issued as X.509 certificates. Root CAs are normally internationally recognized authorities that distribute such certificates, but here we become our own root CA and certify the two certificates ourselves. Of course this is strictly for testing; in practice one would obtain a certificate from a recognized root CA and have the two certificates certified by it, but that costs money.
Fortunately the freeRADIUS tree ships a script that creates all three certificates in one go: the CA.all file in the scripts directory under the unpacked freeRADIUS directory. Open the file and change the following two lines to match the OpenSSL installation directory, as below:
SSL=/usr/local/openssl
echo "newreq.pem" | /usr/local/openssl/ssl/misc/CA.pl -newca
Then run it as below, and the three certificates are created one after another:
[root@cozylinux scripts]# ./CA.all
ROOT CA refers to the root CA certificate, client certificate to the Supplicant certificate, and server certificate to the Authentication Server certificate.
For the root CA certificate nothing needs to change from what is written in openssl.cnf, so just press Enter through the prompts. For the client and server certificates there is likewise almost nothing to change, but to tell them apart it is a good idea to set at least the commonName to names of your own. In my case I gave the ROOT CA the commonName "Young-DAE, Kim CA", the client certificate "youngdae" and the server certificate "cozykyd". The password is whatever (or the password changed in openssl.cnf) throughout.
Nine files are generated in total:
root CA certificate = root.pem, root.p12, root.der,
Supplicant certificate = cert-clt.pem, cert-clt.p12, cert-clt.der,
Authentication Server certificate = cert-srv.pem, cert-srv.p12, cert-srv.der.
These certificates were created with OpenSSL; copy them so that freeRADIUS can use them:
[root@cozylinux scripts]# cp *pem *p12 *der /usr/local/etc/raddb/certs
As will be discussed again later, the Supplicant certificate must be downloaded to the PC and installed there. For that, root.der and cert-clt.p12 are downloaded to and installed on the ordinary PC used as the Supplicant.
6. Configuring and running freeRADIUS - Authentication Server
First change into the directory where freeRADIUS is installed:
[root@cozylinux scripts]# cd /usr/local/etc/raddb
As the 802.1x material explains, the Authenticator (AccessPoint) acts as a client of the Authentication Server (RADIUS). So the first thing to do is to tell the Authentication Server about these clients. To do so, open clients.conf and append an entry like the example below at the very end.
Here 211.204.72.60 is the IP address of the Authenticator, i.e. the AccessPoint; if several APs are to be registered, add one block like the one below for each. Instead of registering each AP's IP individually, they can also be registered using a subnet mask; clients.conf contains an example. secret is the shared secret key that the Authentication Server and the Authenticator use during authentication; the authentication messages are protected with it. shortname is only a descriptive comment; it is best to register the AP's SSID there.
client 211.204.72.60 {
secret = cozykyd_ssap
shortname = ssap
}
Next comes registering the users (Supplicants) to be authenticated. That is the users file in the same directory. Register in this file the users (Supplicants) who may use the Authenticator (AccessPoint) after passing authentication; the user ID is the commonName entered when the Supplicant certificate was created. In my case I entered "youngdae" earlier, so it is registered as in the example below:
#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe" Auth-Type := Local, User-Password == "hello"
# Reply-Message = "Hello, %u"
youngdae User-Password == "cozypass"
The User-Password == "cozypass" part is the password field, used only for PEAP authentication. That is, EAP-TLS authenticates with the Supplicant certificate named by the commonName and needs no password, whereas PEAP authenticates the Supplicant with the ID and password of the line above.
Open the radiusd.conf file in the same directory and add or change the entries below. As the configuration file shows, RADIUS supports a variety of authentication algorithms and methods: not only the EAP-TLS and PEAP used here but also EAP-MD5 (CHAP), EAP-TTLS and LEAP, and the Supplicant information can come from the users file as here, from the Unix passwd file, or even from LDAP or a database.
eap {
default_eap_type = tls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/root.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes
}
peap {
default_eap_type = mschapv2
}
}
authorize {
preprocess
chap
eap
suffix
files
}
authenticate {
unix
eap
}
Above, default_eap_type is set to "tls", declaring EAP-TLS as the default authentication method; "peap" could be written here instead. This only declares the default EAP method: the authentication protocol itself contains a negotiation of the authentication algorithm between the Supplicant and the Authentication Server, and this setting is merely a way to settle that negotiation faster.
private_key_password is the same as the challengePassword_default value used as the password when the certificates were created, and ${raddbdir} here means /usr/local/etc/raddb.
Authentication normally uses a so-called session key to prevent the attacks that arise from using a static key. Two files must be created for generating session keys that can withstand brute-force attacks. Change into the certs directory, where the nine certificate-related files created earlier were copied, and create two files there, the DH file and the Random file, containing arbitrary characters. To keep it simple, both files are filled with the current date/time value as below. (Note that a dh file written this way contains no actual Diffie-Hellman parameters; openssl dhparam generates a real parameter file and openssl rand a random seed file.)
[root@cozylinux raddb]# cd certs
[root@cozylinux certs]# date > dh
[root@cozylinux certs]# date > random
Next, create a script to start the RADIUS server: an executable script named run-radius under /usr/local/sbin.
[root@cozylinux certs]# vi /usr/local/sbin/run-radius
#!/bin/sh -x
# Wrapper: make radiusd use the OpenSSL built in /usr/local/openssl
LD_LIBRARY_PATH=/usr/local/openssl/lib
LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so
export LD_LIBRARY_PATH LD_PRELOAD
# "$@" passes the arguments (e.g. -X -A) through unchanged, without word splitting
/usr/local/sbin/radiusd "$@"
This is a wrapper for radiusd, written this way to preload the required SSL libraries. Since it is a script, give it execute permission as below:
[root@cozylinux certs]# chmod 700 /usr/local/sbin/run-radius
Now it is time to run RADIUS and test whether authentication works. Run RADIUS in authentication-logging (-A) and debugging (-X) mode as below, and look at the messages it prints:
[root@cozylinux raddb]# /usr/local/sbin/run-radius -X -A
...
...
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
Since the Supplicant environment has not been set up yet, for now let localhost act as the Supplicant and authenticate with a user from the Unix passwd file. Readers who looked closely at clients.conf will have noticed the client 127.0.0.1 {...} block. Using it, authentication looks as follows. First, try to authenticate a user (Supplicant) that does not exist in /etc/passwd:
[root@cozylinux raddb]# /usr/local/bin/radtest test test localhost 0 testing123
Sending Access-Request of id 203 to 127.0.0.1:1812
User-Name = "test"
User-Password = "test"
NAS-IP-Address = cozylinux.grid.or.kr
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=203, length=20
As expected, it gets an Access-Reject.
This time, authenticate with an account that actually exists in the passwd file of my Linux machine:
[root@cozylinux raddb]# /usr/local/bin/radtest honggildong test1234 localhost 0 testing123
Sending Access-Request of id 198 to 127.0.0.1:1812
User-Name = "honggildong"
User-Password = "test1234"
NAS-IP-Address = cozylinux.grid.or.kr
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=198, length=20
This time it is authenticated normally with an Access-Accept.
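To show what the shared secret from clients.conf does on the wire, here is an added Python example (written for this page; not part of the procedure above or of freeRADIUS) that builds an Access-Request like the radtest one, hides User-Password with the secret and Request Authenticator as RFC 2865 specifies, and computes and verifies the RFC 3579 Message-Authenticator. The attribute numbers and the secret testing123 come from the page; the random Request Authenticator is generated locally.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute numbers used in the radtest exchange above (RFC 2865 / RFC 3579)
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with MD5(secret + previous
    ciphertext block); the first block is keyed with the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the secret configured for this NAS in clients.conf unmasks the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One type-length-value RADIUS attribute (length counts the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, user, password, nas_ip, nas_port, secret, authenticator):
    """Encode an Access-Request such as 'radtest test test localhost 0 testing123' sends.
    Message-Authenticator (RFC 3579 3.2) is HMAC-MD5 over the whole packet with the
    attribute's own value zeroed, so any later change to the packet invalidates it."""
    attrs = (
        attribute(USER_NAME, user.encode())
        + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
        + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + attribute(NAS_PORT, struct.pack("!I", nas_port))
        + attribute(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """What radiusd does before it trusts any attribute: recompute the HMAC with the
    secret of the sending client and compare in constant time."""
    i = 20
    while i < len(packet):
        attr_type, attr_len = packet[i], packet[i + 1]
        if attr_type == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:i + 2] + b"\x00" * 16 + packet[i + attr_len:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[i + 2:i + attr_len])
        i += attr_len
    return False


if __name__ == "__main__":
    secret = b"testing123"                 # the localhost secret used with radtest above
    pkt = build_access_request(203, "test", "test", "127.0.0.1", 0, secret, os.urandom(16))
    print("Access-Request id=%d length=%d" % (pkt[1], len(pkt)))
    print("Message-Authenticator valid with right secret:", verify_message_authenticator(pkt, secret))
    print("Message-Authenticator valid with wrong secret:", verify_message_authenticator(pkt, b"wrong"))
```

A client that does not know the secret in clients.conf can neither produce a valid Message-Authenticator nor recover a User-Password it captures.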
7. Configuring the AccessPoint - Authenticator
This is the 802.1x-related configuration on the AccessPoint. If you use a different make of AccessPoint, consult its manual; here HostAP version 2002-10-12 was installed, so there is no separate file to configure (if you installed a recent HostAP, v0.2.1 or later, the hostapd.conf file must be edited).
Recall that the hostapd binary cross-compiled on the host machine was copied into sbin under the directory exported to the target device (AccessPoint) over NFS (the target's NFS root directory). After booting the target device, run the hostapd in sbin as in the example below:
[root@cozyLDS sbin]$hostapd -x -o 211.204.72.60 -a 211.204.72.53 -S ssap -s cozykyd_ssap wlan0
Using interface wlan0ap with hwaddr 00:30:0d:1a:fa:72 and ssid 'ssap'
Flushing old station entries
The options mean:
-x: 802.1x authentication
-o 211.204.72.60: the IP of the Authenticator (AccessPoint)
-a 211.204.72.53: the IP of the Authentication Server
-S ssap: the AP's SSID
-s cozykyd_ssap: the shared secret key used with the Authentication Server during authentication
wlan0: the name of the wireless LAN interface
8. Configuring Windows 2000/XP - Supplicant
For Windows 2000, the basic environment for using the 802.1x framework was set up earlier through the "802.1x for Windows 2000" patch; Windows XP has it built in already.
The reason for installing the Supplicant certificate on the PC is to use it to get authenticated by the Authentication Server and thereby connect to the Authenticator (AccessPoint). One thing to keep in mind: with EAP-TLS the Supplicant is authenticated through its certificate, but with PEAP it is authenticated with an ID and password, so the Supplicant certificate is not used; PEAP authenticates using the MD5 (MSCHAPv2) hash.
The very first step is to download the Supplicant certificate created on the authentication server to the PC and install it. For that, download root.der and cert-clt.p12 to the ordinary PC used as the Supplicant and install them. cert-clt.p12 is, as the file name says, the client certificate, i.e. the Supplicant certificate. root.der is the root CA certificate, the certificate that signed this Supplicant certificate.
First install the root CA certificate, root.der. Double-click the downloaded root.der. The first screen shows the certificate information; under "Issued by" you will see the commonName used when the root CA certificate was created. Click the "Install Certificate" button on that screen. At the "Certificate Store" step choose "Place all certificates in the following store", click "Browse", select "Trusted Root Certification Authorities" from the list that appears, and click OK to finish the installation.
Next install the Supplicant certificate, cert-clt.p12. Likewise double-click cert-clt.p12 and proceed to the password screen. In the "Password" field enter whatever, the challengePassword_default value used when the certificate was created, and continue. The "Certificate Store" screen appears again; this time choose "Automatically select the certificate store based on the type of certificate" and finish.
9. Integration test: EAP-TLS
Set up a test in which the AccessPoint is used with the Supplicant certificate.
Run RADIUS, the Authentication Server:
[root@cozylinux raddb]# /usr/local/sbin/run-radius -X -A
Run hostapd on the AccessPoint, the Authenticator:
[root@cozyLDS sbin]$hostapd -x -o 211.204.72.60 -a 211.204.72.53 -S ssap -s cozykyd_ssap wlan0
On the ordinary PC that is the Supplicant, open the properties of "My Network Places", select the "Local Area Connection" corresponding to the wireless LAN and open its properties; the "Authentication" tab appears, containing the 802.1x settings.
Select "Enable network access control using IEEE 802.1X".
Under "EAP type" select "Smart Card or other Certificate"; this means EAP-TLS.
Select "Authenticate as computer when computer information is available".
Then click the "Properties" button to go to the "Smart Card or other Certificate Properties" screen.
Select "Use a certificate on this computer" and "Use simple certificate selection (Recommended)".
Select "Validate server certificate", and in the "Trusted Root Certification Authorities" list select the commonName used when the root CA certificate was created.
The configuration is now complete, so test whether the AccessPoint connection through real EAP-TLS authentication works. If the EAP-TLS authentication test succeeds, hostapd on the AccessPoint (the Authenticator) prints the successful-authentication messages below on screen:
Station 00:e0:63:50:9a:9e authenticated (open system)
Station 00:e0:63:50:9a:9e associated (aid 1)
IEEE 802.1X: Start authentication for new station 00:e0:63:50:9a:9e
IEEE 802.1X: Unauthorizing station 00:e0:63:50:9a:9e
IEEE 802.1X: Authorizing station 00:e0:63:50:9a:9e
And RADIUS, the Authentication Server, shows Access-Request messages like the following:
rad_recv: Access-Request packet from host 211.204.72.60:1025, id=0, length=154
User-Name = "youngdae"
NAS-IP-Address = 211.204.72.60
NAS-Port = 1
Called-Station-Id = "00-30-0D-1A-FA-72:ssap"
Calling-Station-Id = "00-E0-63-50-9A-9E"
Framed-MTU = 2304
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0202000d01796f756e67646165
Message-Authenticator = 0x2e2637890114574f6decf999900d9b5a
...
...
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
TLS_accept: SSLv3 read certificate verify A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
....
....
Sending Access-Accept of id 5 to 211.204.72.60:1026
MS-MPPE-Recv-Key = 0x4929fe53257ac2151c87cac8dc38bf0b5bebbc6271e22a8dc2090f7ad775259c
MS-MPPE-Send-Key = 0x518cd21f38c1e470a8614aa624d514fd49162e5d9da767231ffbe7e2448c6a92
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "youngdae"
10. Integration test: PEAP
Set up a test in which the AccessPoint is used with an ID and password.
Run RADIUS, the Authentication Server:
[root@cozylinux raddb]# /usr/local/sbin/run-radius -X -A
Run hostapd on the AccessPoint, the Authenticator:
[root@cozyLDS sbin]$hostapd -x -o 211.204.72.60 -a 211.204.72.53 -S ssap -s cozykyd_ssap wlan0
On the ordinary PC that is the Supplicant, open the properties of "My Network Places", select the "Local Area Connection" corresponding to the wireless LAN and open its properties; the "Authentication" tab appears, containing the 802.1x settings.
Select "Enable network access control using IEEE 802.1X".
Under "EAP type" select "Protected EAP (PEAP)"; this means PEAP.
Select "Authenticate as computer when computer information is available".
Then click the "Properties" button to go to the "Protected EAP Properties" screen.
Select "Validate server certificate", and in the "Trusted Root Certification Authorities" list select the commonName used when the root CA certificate was created.
For "Select Authentication Method" choose "Secured password (EAP-MSCHAP v2)", click the "Configure" button next to it, and in the screen that appears clear "Automatically use my Windows logon name and password (and domain if any)".
The configuration is now complete, so test whether the AccessPoint connection through real MD5 (MSCHAPv2) authentication works. In the PEAP authentication test, enter the ID and password registered in the users file of the freeRADIUS configuration as "User name" and "Password"; if authentication succeeds, hostapd on the AccessPoint (the Authenticator) prints the messages below on screen:
Station 00:e0:63:50:9a:9e authenticated (open system)
Station 00:e0:63:50:9a:9e associated (aid 1)
IEEE 802.1X: Start authentication for new station 00:e0:63:50:9a:9e
IEEE 802.1X: Unauthorizing station 00:e0:63:50:9a:9e
EAP Identifier of the Response-Identity from 00:e0:63:50:9a:9e does not match (was 1, expected 2)
EAP Identifier of the Response-Identity from 00:e0:63:50:9a:9e does not match (was 1, expected 2)
IEEE 802.1X: Authorizing station 00:e0:63:50:9a:9e
And RADIUS, the Authentication Server, shows Access-Request messages like the following:
rad_recv: Access-Request packet from host 211.204.72.60:1030, id=7, length=188
User-Name = "youngdae"
NAS-IP-Address = 211.204.72.60
NAS-Port = 1
Called-Station-Id = "00-30-0D-1A-FA-72:ssap"
Calling-Station-Id = "00-E0-63-50-9A-9E"
Framed-MTU = 2304
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0209001d19001703010012b922110d106dead559c232a997f421baddb6
State = 0x398048c0eee8260705486fa942d6a792
Message-Authenticator = 0x1633ebee04daa5bd6bce3ec9ee364739
...
...
modcall: group authenticate returns ok for request 7
PEAP: Got tunneled reply RADIUS code 2
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "youngdae"
PEAP: Processing from tunneled session code 0x81877a0 2
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "youngdae"
PEAP: Tunneled authentication was successful.
rlm_eap_peap: SUCCESS
....
....
Sending Access-Accept of id 8 to 211.204.72.60:1030
MS-MPPE-Recv-Key = 0x48a148c708b87dcecdac16521edd01e3fec235822fe9ce5bb228a8a34a896dd6
MS-MPPE-Send-Key = 0xba52fa4eadcbcdc98ca0ab4d1801c512726660a2aad41e832b5c551f0757fe40
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "youngdae"
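To read the EAP-Message values in the two traces above, here is an added Python decoder (example code written for this page, not part of freeRADIUS or hostapd) that unpacks the EAP header, the Identity response, and the PEAP flags and TLS record header; the constructed SAMPLE_TRACE reuses the three values printed above. It shows that the outer Identity carries the user name in clear (hence User-Name = "youngdae" in both traces), that the id field is what hostapd's "EAP Identifier ... does not match" message is comparing, and that the MSCHAPv2 exchange of the PEAP test is TLS application data the AP only relays.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}


def decode_eap(hexvalue: str) -> dict:
    """Decode one EAP packet from the 0x... string radiusd prints for EAP-Message."""
    raw = bytes.fromhex(hexvalue[2:] if hexvalue.startswith("0x") else hexvalue)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} does not match {len(raw)} bytes")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                    # Success / Failure carry only the 4-byte header
        return out
    eap_type, payload = raw[4], raw[5:]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:                     # Identity: the user name, sent unencrypted
        out["identity"] = payload.decode("utf-8", "replace")
    elif eap_type in (13, 25):            # EAP-TLS / PEAP: flags byte, then TLS data
        flags, body = payload[0], payload[1:]
        out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                        "S": bool(flags & 0x20), "version": flags & 0x07}  # version: PEAP only
        if out["flags"]["L"]:             # L set: 4-byte total TLS message length precedes data
            out["tls_total_length"] = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        if len(body) >= 5:                # TLS record header at the start of this fragment
            ctype, major, minor, rlen = struct.unpack("!BBBH", body[:5])
            out["tls_record"] = {"content_type": TLS_CONTENT.get(ctype, ctype),
                                 "version": f"{major}.{minor}", "length": rlen,
                                 "bytes_in_fragment": len(body) - 5}
    return out


def decode_trace(text: str) -> list:
    """Decode every 'EAP-Message = 0x...' line found in a radiusd -X trace."""
    return [decode_eap(m) for m in re.findall(r"EAP-Message\s*=\s*(0x[0-9a-fA-F]+)", text)]


# Constructed excerpt reusing the EAP-Message values printed in the two traces above
SAMPLE_TRACE = """
rad_recv: Access-Request packet from host 211.204.72.60:1025, id=0, length=154
        EAP-Message = 0x0202000d01796f756e67646165
Sending Access-Accept of id 5 to 211.204.72.60:1026
        EAP-Message = 0x03060004
rad_recv: Access-Request packet from host 211.204.72.60:1030, id=7, length=188
        EAP-Message = 0x0209001d19001703010012b922110d106dead559c232a997f421baddb6
"""

if __name__ == "__main__":
    for packet in decode_trace(SAMPLE_TRACE):
        print(packet)
```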