
WLAN SECURITY USING A RADIUS SERVER AND WPA2

CHAPTER 1. WIRELESS LOCAL AREA NETWORKS
1.1 OVERVIEW OF WLAN
1.1.1 History and development

A wireless LAN, abbreviated WLAN (Wireless Local Area Network), is a network that connects two or more computers without cables. WLANs use spread-spectrum technology and radio waves to allow communication between devices within a given area.

WLAN technology first appeared at the end of 1990.

In 1992, manufacturers began selling WLAN products using the 2.4 GHz band.
In 1997, the Institute of Electrical and Electronics Engineers (IEEE) ratified the 802.11 standard.
In 1999, the IEEE approved two supplements to the 802.11 standard: 802.11a and 802.11b.
In 2003, the IEEE published a further improvement, the 802.11g standard, which can send and receive on both the 2.4 GHz and 5 GHz bands and raises the data rate to 54 Mbps.
1.1.2 Advantages of WLAN

Convenience

Mobility

Effectiveness

Deployment

Scalability

1.1.3 Disadvantages of WLAN

Security

Range

Reliability

Speed

1.2 COMMON WLAN STANDARDS

Today the main standard for wireless is the IEEE 802.11 family of protocols for communication over wireless networks. Because research and deployment have followed each other closely, some of these protocols have become worldwide standards, others are still debated, and some are still drafts. Common standards include 802.11b (an improvement on 802.11), 802.11a, 802.11g and 802.11n.

1.2.1 The IEEE 802.11b standard

Table 1.1 Some technical parameters of the IEEE 802.11b standard

Release Date   Op. Frequency   Data Rate (Typ)   Data Rate (Max)   Range (Indoor)
October 1999   2.4 GHz         4.5 Mbit/s        11 Mbit/s         ~35 m

1.2.2 The IEEE 802.11a standard

Table 1.2 Some technical parameters of the IEEE 802.11a standard

Release Date   Op. Frequency   Data Rate (Typ)   Data Rate (Max)   Range (Indoor)
October 1999   5 GHz           23 Mbit/s         54 Mbit/s         ~35 m

1.2.3 The IEEE 802.11g standard

Table 1.3 Some technical parameters of the IEEE 802.11g standard

Release Date   Op. Frequency   Data Rate (Typ)   Data Rate (Max)   Range (Indoor)
June 2003      2.4 GHz         23 Mbit/s         54 Mbit/s         ~35 m

1.2.4 The IEEE 802.11n standard

Table 1.4 Some technical parameters of the IEEE 802.11n standard

Release Date       Op. Frequency        Data Rate (Typ)   Data Rate (Max)          Range (Indoor)
June 2009 (est.)   5 GHz and/or 2.4 GHz 74 Mbit/s         300 Mbit/s (2 streams)   ~70 m

Besides the popular standards listed above there are many other IEEE 802.1x standards, such as IEEE 802.1i, IEEE 802.1h, ...
1.3 WLAN STRUCTURE AND MODELS
1.3.1 Basic structure of a wireless LAN

There are four main components in networks that use the 802.11 standard:

Distribution System (DS)

Access Point

Wireless Medium

Stations

1.3.2 Wireless network infrastructure devices

Access Point (AP)

Provides clients with a point of access into the network, through which wireless computers can reach the company's internal network. An AP is a full-duplex device with a level of intelligence comparable to a complex Ethernet switch.
Operating modes of the AP
An AP can communicate with wireless stations, with the traditional wired network and with other APs. An AP has three main operating modes: Root mode, Bridge mode and Repeater mode.

Client devices in a WLAN

These are the WLAN devices that clients use to connect to the WLAN:

Wireless PCI card

Wireless PCMCIA card

Wireless USB card

1.3.2 WLAN models

802.11 networks are flexible in design and comprise the following three network models:

Independent network model (IBSS), also called an ad hoc network.

Basic network model (BSS).

Extended network model (ESS).

i) The ad hoc network model (Independent Basic Service Set (IBSS))

Figure 1.12 The ad hoc network model

ii) The basic network model (Basic Service Set (BSS))

Figure 1.13 The basic network model

iii) The extended network model (Extended Service Set (ESS))

Figure 1.14 The extended network model


1.4 THE CURRENT STATE OF WLAN SECURITY
If the statistics are right, four out of every five home wireless network users do not enable any security mode at all. Manufacturers ship with security turned off by default to make initial setup easy, so you have to turn it back on when you use the device. Even so, we need to be careful when enabling the security features; below are some common mistakes.

Mistake 1. Not changing the manufacturer's password.
Mistake 2. Not enabling encryption.
Mistake 3. Not checking the security mode.
Mistake 4. Being overzealous with the security settings without remembering the MAC address of our own computer.
Mistake 5. Allowing everyone to access.

CHAPTER 2. FORMS OF ATTACK ON WLAN

According to many research documents, an attacker targeting a WLAN today can use one of the following methods:

Rogue Access Point

De-authentication Flood Attack

Fake Access Point

Attack based on physical-layer carrier sensing

Disassociation Flood Attack

2.1 ROGUE ACCESS POINT

i) Definition
A rogue access point describes any access point that has been set up, accidentally or deliberately, in a way that affects the existing network. The term refers to any unauthorised wireless device, regardless of the purpose for which it is used.
ii) Classification
Incompletely configured access points

Rogue access points from neighbouring WLANs

Rogue access points created by an attacker

Rogue access points set up by the company's own employees

2.2 RE-AUTHENTICATION REQUEST (DE-AUTHENTICATION) ATTACK

The attacker identifies the targets: the users of the wireless network and their connections (the access point and its associations).

Re-authentication request frames are injected into the WLAN by spoofing the source and destination MAC addresses of the access point and of the users respectively.

When wireless users receive the re-authentication request frames they believe they were sent by the access point.

After disconnecting one user from the wireless service, the attacker continues doing the same to the remaining users.

Normally the user would reconnect to restore service, but the attacker quickly keeps sending re-authentication request packets to the user.

2.3 FAKE ACCESS POINT

The attacker uses a tool capable of sending beacon packets with spoofed MAC addresses and fake SSIDs to create countless simulated access points. This confuses the driver software of the users' wireless network cards.

2.4 ATTACK BASED ON PHYSICAL-LAYER CARRIER SENSING
Roughly speaking: the attacker exploits the CSMA/CA collision-avoidance protocol, making every user believe that there is always one computer transmitting on the network. This keeps the other computers permanently waiting for the attacker to finish transmitting, which leads to congestion in the network.
2.5 DISASSOCIATION ATTACK
The attacker identifies the targets (wireless clients) and the associations between the AP and the clients.

The attacker sends disassociation frames with spoofed source and destination MAC addresses to the AP and to the corresponding clients.
The clients receive these frames and believe the disconnection frames came from the AP. At the same time the attacker also sends disassociation frames to the AP.

After disconnecting one client, the attacker does the same with the remaining clients, causing them to disconnect from the AP automatically.

When the clients are disconnected they immediately reconnect to the AP. The attacker keeps sending disassociation frames to the AP and the clients.

It is easy to confuse the two attack types: the disassociation flood attack and the de-authentication flood attack.
Similarities: in form, the attacks can be considered the same, like a double-barrelled cannon that attacks the access point and the clients at once. And most importantly, they fire continuously.
Differences:
De-authentication flood attack: requires both the AP and the client to resend authentication frames, so authentication fails.
Disassociation flood attack: sends disassociation frames that make the AP and the client believe the connection between them has been torn down.
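The de-authentication and disassociation floods described in this chapter share one observable property: a burst of disconnect management frames attributed to the AP's address in a short time. The following Python detector, added here as an example (it is not code from the original document), flags such bursts by rate per claimed transmitter and subtype, so that it still fires when the frames carry a spoofed AP MAC. The frame records, MAC addresses, window and threshold are constructed for the example.

```python
from collections import defaultdict, deque

# IEEE 802.11 management-frame subtype values (Frame Control field).
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
SUBTYPE_NAMES = {SUBTYPE_DISASSOC: "disassociation", SUBTYPE_DEAUTH: "deauthentication"}


class DisconnectFloodDetector:
    """Flags bursts of deauth/disassoc frames per claimed transmitter.

    The flood spoofs the AP's own MAC, so the detector keys on the *rate*
    of disconnect frames attributed to an address, not on whether the
    address is a known AP.
    """

    def __init__(self, window_ms=1000, threshold=10):
        self.window_ms = window_ms
        self.threshold = threshold
        self._seen = defaultdict(deque)  # (addr2, subtype) -> recent timestamps (ms)
        self._last_alert = {}            # (addr2, subtype) -> ms of last alert

    def observe(self, frame):
        """Feed one parsed frame; return an alert dict or None."""
        subtype = frame["subtype"]
        if subtype not in SUBTYPE_NAMES:
            return None
        key = (frame["addr2"], subtype)
        ts = frame["ts_ms"]
        recent = self._seen[key]
        recent.append(ts)
        # Evict timestamps that fell out of the sliding window.
        while recent and ts - recent[0] > self.window_ms:
            recent.popleft()
        if len(recent) < self.threshold:
            return None
        # One alert per window per key, so a long flood yields one event,
        # not one per frame.
        last = self._last_alert.get(key)
        if last is not None and ts - last < self.window_ms:
            return None
        self._last_alert[key] = ts
        return {"ts_ms": ts, "src": frame["addr2"], "kind": SUBTYPE_NAMES[subtype],
                "count": len(recent), "window_ms": self.window_ms}


def scan(frames, window_ms=1000, threshold=10):
    """Run the detector over a list of frames and collect the alerts."""
    detector = DisconnectFloodDetector(window_ms, threshold)
    alerts = []
    for frame in frames:
        alert = detector.observe(frame)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample capture (not a real trace): one legitimate deauth, a run
# of beacons, then 25 deauths "from" the AP inside half a second.
AP = "00:11:22:33:44:55"       # constructed AP MAC
CLIENT = "aa:bb:cc:dd:ee:01"   # constructed client MAC
BROADCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = (
    [{"ts_ms": 0, "subtype": SUBTYPE_DEAUTH, "addr1": CLIENT, "addr2": AP, "reason": 3}]
    + [{"ts_ms": 1000 + 100 * i, "subtype": SUBTYPE_BEACON, "addr1": BROADCAST, "addr2": AP}
       for i in range(20)]
    + [{"ts_ms": 5000 + 20 * i, "subtype": SUBTYPE_DEAUTH, "addr1": BROADCAST, "addr2": AP,
        "reason": 7} for i in range(25)]
)

if __name__ == "__main__":
    for alert in scan(SAMPLE_FRAMES):
        print(alert)
```

The single deauth at the start is below the threshold and produces nothing; the burst trips the detector on its tenth frame and is then rate-limited to one alert per window. Because the two floods differ only in subtype, the same detector covers both and reports which one it saw.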

CHAPTER 3. WLAN SECURITY SOLUTIONS
3.1 WHY SECURE A WLAN?
Security risks in a WLAN include:
Devices can connect to any access point that is broadcasting its SSID.

Hackers will try to find out which encryption methods are in use for transmitting information on the network, then devise their own decryption method and obtain sensitive information.

Users of home access points will not have the same level of security as in an enterprise.

To secure a WLAN we need to go through the steps: Authentication, Encryption, IDS & IPS.
3.2 WEP
WEP (Wired Equivalent Privacy) means wireless security equivalent to that of a wired network. In reality, WEP put both user authentication and data protection into the same insecure method. WEP uses a fixed, unchanging encryption key of 64 or 128 bits (minus 24 bits used for the initialisation vector of the encryption key, so only 40 or 104 bits of key remain), which is used both to authenticate the devices permitted onto the network and to encrypt the data transmitted.

3.3 WLAN VPN

A virtual private network (VPN) protects a WLAN by creating a channel that shields data from unauthorised access. A VPN provides a high level of trust through a security mechanism such as IPSec (Internet Protocol Security). IPSec uses strong algorithms such as the Data Encryption Standard (DES) and Triple DES (3DES) to encrypt data, and other algorithms to authenticate packets. IPSec also uses digital certificates to validate public keys. When used on a WLAN, the VPN gateway handles authentication, encapsulation and encryption.
3.4 TKIP (TEMPORAL KEY INTEGRITY PROTOCOL)
This is an IEEE solution developed in 2004. It is an upgrade to WEP intended to patch the security problems in WEP's implementation of the RC4 stream cipher. TKIP hashes the IV to prevent packet forgery, and it also provides a message integrity check (MIC) to guarantee the integrity of each packet. TKIP uses dynamic keys and gives each frame its own sequence number to defeat forgery and replay attacks.
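The per-frame sequence number mentioned above is the 48-bit TKIP Sequence Counter (TSC), carried in the 8-byte IV/Extended IV header of every frame. The Python example below, added here and not part of the original document, encodes and decodes that header and implements the receiver-side replay check: a frame whose TSC is not greater than the last accepted one from the same sender is dropped. The sender address and the TSC sequence are constructed for the demonstration.

```python
class ReplayError(ValueError):
    """Raised when a frame's TSC is not greater than the last accepted one."""


def encode_tkip_iv(tsc, key_id=0):
    """Build the 8-byte TKIP IV / Extended IV header carrying a 48-bit TSC.

    Layout (IEEE 802.11i): TSC1, WEPSeed[1], TSC0, KeyID byte, TSC2, TSC3, TSC4, TSC5.
    """
    if not 0 <= tsc < 1 << 48:
        raise ValueError("TSC must fit in 48 bits")
    if not 0 <= key_id <= 3:
        raise ValueError("KeyID must be 0..3")
    t = tsc.to_bytes(6, "little")        # t[0] = TSC0 ... t[5] = TSC5
    wep_seed = (t[1] | 0x20) & 0x7F      # derived from TSC1 to avoid weak RC4 key classes
    key_byte = 0x20 | (key_id << 6)      # bit 5 = ExtIV present, bits 6-7 = KeyID
    return bytes([t[1], wep_seed, t[0], key_byte]) + t[2:6]


def decode_tkip_iv(hdr):
    """Parse the header back into (tsc, key_id); reject anything that is not TKIP."""
    if len(hdr) != 8:
        raise ValueError("TKIP header is 8 bytes")
    tsc1, wep_seed, tsc0, key_byte = hdr[0], hdr[1], hdr[2], hdr[3]
    if not key_byte & 0x20:
        raise ValueError("ExtIV bit clear: not a TKIP header")
    if wep_seed != ((tsc1 | 0x20) & 0x7F):
        raise ValueError("WEPSeed byte inconsistent with TSC1")
    tsc = int.from_bytes(bytes([tsc0, tsc1]) + hdr[4:8], "little")
    return tsc, key_byte >> 6


class TkipReplayCounter:
    """Receiver-side replay window: per sender, accept only a strictly increasing TSC."""

    def __init__(self):
        self._last = {}  # sender MAC -> last accepted TSC

    def accept(self, sender, hdr):
        tsc, _key_id = decode_tkip_iv(hdr)
        last = self._last.get(sender, -1)
        if tsc <= last:
            raise ReplayError(f"{sender}: TSC {tsc} not above last accepted {last}")
        self._last[sender] = tsc
        return tsc


def replay_demo(tscs=(1, 2, 3, 2, 5, 4, 6), sender="aa:bb:cc:dd:ee:01"):
    """Constructed frame sequence with two replays: the repeated 2 and the late 4."""
    counter = TkipReplayCounter()
    outcome = []
    for tsc in tscs:
        try:
            counter.accept(sender, encode_tkip_iv(tsc))
            outcome.append((tsc, "accepted"))
        except ReplayError:
            outcome.append((tsc, "dropped"))
    return outcome


if __name__ == "__main__":
    for tsc, verdict in replay_demo():
        print(tsc, verdict)
```

Real receivers keep one counter per sender and per traffic class (TID) when QoS is in use; this example keeps a single counter per sender, which is why the late frame 4 is treated as a replay once 5 has been accepted.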
3.5 AES
In cryptography, AES (Advanced Encryption Standard) is a block cipher adopted by the United States government as an encryption standard. Like its predecessor DES, AES is expected to be used worldwide and has been analysed very thoroughly. AES was approved as a federal standard by the US National Institute of Standards and Technology (NIST) after a standardisation process that lasted five years.

The algorithm was designed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen (under the joint name Rijndael when entering the AES design competition). Rijndael is pronounced "Rhine dahl" (IPA: [ˈrɛindaːl]).

3.6 802.1X AND EAP

802.1x is the IEEE specification for port-based network access. It operates on both traditional wired and wireless networks. Access control works as follows: when a user attempts to connect to the network, the user's connection is placed in a blocking state and waits there until verification of the user's identity has completed.
EAP is an authentication framework that covers the user's identity credential (password, certificate, ...) and the protocol used (MD5, TLS - Transport Layer Security, OTP - One Time Password, ...), and supports automatic key generation and mutual authentication.

The 802.1x-EAP authentication process

A wireless client wants to associate with an AP in the network.
1. The AP blocks all of the client's traffic until the client logs on to the network; the client requests association with the AP.
2. The AP responds to the association request with an EAP identity request.
3. The client sends its EAP identity response to the AP.
4. The client's EAP identity response is forwarded to the authentication server.
5. The authentication server sends a permission request (challenge) to the AP.
6. The AP forwards the permission request to the client.
7. The client sends its EAP permission reply to the AP.
8. The AP forwards the reply to the authentication server.
9. The authentication server sends an EAP success message to the AP.
10. The AP forwards the success message to the client and puts the client's port in forwarding mode.
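The ten steps above can be followed in code. The Python simulation below is an added example, not code from the original document: it models the three parties (supplicant, access point as authenticator, authentication server) and the controlled port, which starts blocked, relays only EAP messages, and switches to forwarding only after the server returns EAP-Success. The challenge/response in steps 5 to 8 is an HMAC-SHA256 stand-in for a real EAP method, and the user database, identities, passwords and MAC addresses are constructed.

```python
import hashlib
import hmac
import os

# Constructed credential store standing in for the authentication server's
# user database (not from the page).
USER_DB = {"alice": b"correct horse battery staple"}


class AuthServer:
    """Authentication server: challenges the supplicant and answers with
    EAP-Success or EAP-Failure. The challenge/response is an HMAC-SHA256
    stand-in for a real EAP method, chosen to keep the example short."""

    def __init__(self, users):
        self.users = users
        self.pending = {}  # identity -> outstanding nonce

    def handle(self, msg):
        if msg["type"] == "EAP-Response/Identity":            # step 4
            nonce = os.urandom(16)
            self.pending[msg["identity"]] = nonce
            return {"type": "EAP-Request/Challenge", "identity": msg["identity"],
                    "nonce": nonce}                            # step 5
        if msg["type"] == "EAP-Response/Challenge":           # step 8
            nonce = self.pending.pop(msg["identity"], None)
            secret = self.users.get(msg["identity"])
            if nonce is not None and secret is not None:
                expected = hmac.new(secret, nonce, hashlib.sha256).digest()
                if hmac.compare_digest(expected, msg["proof"]):
                    return {"type": "EAP-Success"}            # step 9
        return {"type": "EAP-Failure"}


class AccessPoint:
    """Authenticator: the controlled port for each client starts blocked and
    passes only EAP traffic until the server returns EAP-Success."""

    def __init__(self, server):
        self.server = server
        self.port = {}  # client MAC -> "blocked" | "forwarding"

    def associate(self, mac):                                  # step 1
        self.port[mac] = "blocked"
        return {"type": "EAP-Request/Identity"}                # step 2

    def from_client(self, mac, frame):
        if frame["type"].startswith("EAP-"):
            reply = self.server.handle(frame)                 # steps 4 and 8: relay to server
            if reply["type"] == "EAP-Success":
                self.port[mac] = "forwarding"                  # step 10
            return reply                                       # steps 6 and 10: relay to client
        if self.port.get(mac) != "forwarding":
            return {"type": "DROPPED"}                         # port blocked: data discarded
        return frame


class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def respond(self, msg):
        if msg["type"] == "EAP-Request/Identity":              # step 3
            return {"type": "EAP-Response/Identity", "identity": self.identity}
        if msg["type"] == "EAP-Request/Challenge":             # step 7
            proof = hmac.new(self.password, msg["nonce"], hashlib.sha256).digest()
            return {"type": "EAP-Response/Challenge", "identity": self.identity, "proof": proof}
        raise ValueError("unexpected message " + msg["type"])


def run_session(ap, mac, identity, password):
    """Drive one client through the exchange; return (EAP result, port state,
    what happened to a data frame sent afterwards)."""
    sup = Supplicant(identity, password)
    msg = ap.associate(mac)
    while msg["type"] not in ("EAP-Success", "EAP-Failure"):
        msg = ap.from_client(mac, sup.respond(msg))
    data = ap.from_client(mac, {"type": "DATA", "payload": b"hello"})
    return msg["type"], ap.port[mac], data["type"]


if __name__ == "__main__":
    ap = AccessPoint(AuthServer(USER_DB))
    print(run_session(ap, "aa:bb:cc:dd:ee:01", "alice", b"correct horse battery staple"))
    print(run_session(ap, "aa:bb:cc:dd:ee:02", "alice", b"wrong"))
```

The point to take from the simulation is that the access point never evaluates credentials itself; it only relays EAP and acts on the server's verdict, and a data frame sent before EAP-Success is discarded at the port.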
3.7 WPA (WI-FI PROTECTED ACCESS)
WEP was built to protect a wireless network against eavesdropping, but many holes in this technology were soon discovered. A new technology called WPA (Wi-Fi Protected Access) was therefore created, fixing many of WEP's weaknesses.
Among WPA's most important improvements is the use of the TKIP key-changing function. WPA also uses the RC4 algorithm like WEP, but with full 128-bit encryption. Another feature is that WPA changes the key for every packet. Tools that collect packets to crack the encryption key cannot work against WPA: because WPA changes the key continuously, a hacker can never collect enough sample data to find the password.

In addition, WPA includes a Message Integrity Check, so data cannot be modified while in transit. WPA comes in two variants: WPA Personal and WPA Enterprise. Both use the TKIP protocol; the only difference is the initial key used to bootstrap encryption. WPA Personal suits home and small office networks, where the initial key is configured on the access points and the client devices. WPA Enterprise, on the other hand, requires an authentication server and 802.1x to supply the initial keys for each session.
3.8 WPA2
The long-term solution is to use 802.11i, equivalent to WPA2, as certified by the Wi-Fi Alliance. This standard uses a strong encryption algorithm called the Advanced Encryption Standard (AES). AES uses the Rijndael symmetric block cipher, with encryption blocks of 128 bits, and 192 or 256 bits. To evaluate this encryption standard, the US National Institute of Standards and Technology (NIST) adopted this symmetric cipher algorithm.
Note: this encryption standard is used by US government agencies to protect sensitive information.
3.9 FILTERING
Filtering is a basic security mechanism that can be used together with WEP. Filtering works like an access list on a router: it blocks what is unwanted and permits what is wanted. Three basic kinds of filtering can be used in a wireless LAN:
SSID filtering

MAC address filtering

Protocol filtering

3.10 CONCLUSION
For public hotspots, encryption is not necessary; only user authentication is needed.

For home WLAN users, security with a WPA passphrase or pre-shared key is recommended.

For enterprise solutions, security is best achieved with 802.1x EAP as the authentication method and TKIP or AES as the encryption method, based on the WPA or WPA2 standard and 802.11i security.

Table 3.1 Escalating Security

Open Access            Basic Security        Enhanced Security                  Remote Access
No encryption          WPA Passphrase        802.1x EAP Mutual Authentication   Virtual Private Network (VPN)
Basic authentication   WEP Encryption        TKIP & AES Encryption              Business Traveler
Public hotspots        Home use WPA/WPA2     802.11i Security                   Telecommuter
                                             Enterprise

CHAPTER 4. SECURING A WLAN WITH RADIUS SERVER AUTHENTICATION AND WPA2
4.1 GENERAL INTRODUCTION
WLAN security here uses the 802.1x standard combined with user authentication at the access point (AP). A server performing authentication on the RADIUS platform can be a good solution for providing authentication for 802.1x.

4.1.1 Authentication, authorisation and accounting

The Remote Authentication Dial In User Service (RADIUS) protocol is defined in RFC 2865 as providing centralised authentication, authorisation and accounting (AAA) for SLIP and PPP dial-up sessions; for example, the authentication offered by Internet service providers (ISPs) relies on this protocol to authenticate users when they access the Internet.

When a user connects, the NAS sends a RADIUS Access-Request message to the AAA server, carrying information such as the username and password, the port in question, the NAS identifier, and a message Authenticator.

On receiving this information, the AAA server uses the supplied data, such as the NAS identifier and the Authenticator, to verify that this NAS is permitted to send such requests. If so, the AAA server looks up and checks the username and password the user presented against its database. If the check succeeds, it uses the information in the Access-Request to decide that the user's access is accepted.

Once the authentication process is under way, the AAA server may return a RADIUS Access-Challenge carrying a random number. The NAS forwards this to the remote user (this example uses CHAP). The user then has to answer the challenge correctly (in this example, by returning the password encrypted with the challenge), after which the NAS sends the AAA server another RADIUS Access-Request message.

If the AAA server finds the user's information fully satisfactory, it allows use of the service and returns a RADIUS Access-Accept message. Otherwise the AAA server returns a RADIUS Access-Reject and the NAS disconnects the user.

When an Access-Accept is received and RADIUS Accounting has been configured, the NAS sends a RADIUS Accounting-Request (Start) to the AAA server. The server adds the information to its log file, recording when the NAS allowed the user's session to start and when it ended; RADIUS Accounting's job is to record the user's authentication into the system, and when the session ends the NAS sends a RADIUS Accounting-Request (Stop).

4.1.2 Security and extensibility

All RADIUS messages are encapsulated in UDP datagrams and contain fields such as the message type, sequence number, length, Authenticator, and a series of Attribute-Value pairs.

Authenticator: the Authenticator's purpose is to provide a security mechanism. The NAS and the AAA server use the Authenticator to decode each other's encrypted information, such as passwords. The Authenticator also lets the NAS detect forged RADIUS responses. Finally, the Authenticator is used to transform the password into an obscured form, preventing the user's password from being exposed in RADIUS messages.

The Authenticator in an Access-Request is a random number. MD5 hashes this random number (together with the shared secret) into a value that is XORed with the user's password and sent in the Access-Request's User-Password attribute. The entire RADIUS response is then MD5-hashed with the same shared secret, the request Authenticator and the other response fields.

The Authenticator secures the communication between the NAS and the AAA server, but if an attacker captures both the RADIUS Access-Request and the Access-Response packets, a dictionary attack can be run to analyse this encapsulation. In practice, to make such decoding hard you need to use a longer shared secret; the full set of risks to this exchange is described in detail in RFC 3580.

Attribute-Value Pairs: the information carried by RADIUS is expressed as Attribute-Value pairs, which support many different technologies and authentication methods. A standard set of Attribute-Value pairs is defined, including User-Name, User-Password, NAS-IP-Address, NAS-Port and Service-Type. Vendors can also define their own Attribute-Value pairs to carry their information as Vendor-Specific attributes; one complete example is RFC 2548, which defines the Microsoft Attribute-Value pairs for MS-CHAP.

In addition, many standard Attribute-Value pairs have been defined over the years to support the Extensible Authentication Protocol (EAP), an alternative to the older PAP and CHAP dial-up protocols. RFC 3579 documents the latest version of RADIUS support for EAP. This part is very relevant to authentication support for WLANs, since EAP is the standard used in 802.1x Port Access Control to allow external authentication for wireless.
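The Authenticator mechanics described in 4.1.1 and just above (a random Request Authenticator, the MD5/XOR hiding of User-Password from RFC 2865 section 5.2, and the Response Authenticator that lets the NAS reject a forged reply) are shown end to end in the Python example below. It is an added example, not code from the original document; the shared secret and user database are constructed, and the NAS address is the 192.168.1.111 that appears in the page's own log.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types as numbered in RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def hide_password(password, secret, request_auth):
    """RFC 2865 s.5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous
    ciphertext block), the first block with MD5(secret + Request Authenticator)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side: regenerate the same MD5 stream and XOR it back off."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([atype, len(value) + 2]) + value  # Type, Length (incl. header), Value
    return out


def parse_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def build_request(ident, request_auth, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(body)) + request_auth + body + secret).digest()


def build_response(code, ident, request_auth, attrs, secret):
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, request_auth, body, secret)
    return HEADER.pack(code, ident, 20 + len(body)) + auth + body


def verify_response(packet, ident, request_auth, secret):
    """NAS side: a reply whose Authenticator does not match is forged or altered."""
    if len(packet) < 20:
        return False
    code, pid, length = HEADER.unpack(packet[:4])
    if pid != ident or length != len(packet):
        return False
    expected = response_authenticator(code, pid, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def serve(request, secret, users):
    """Minimal AAA server: recover the password, check the user, answer Accept/Reject."""
    code, ident, length = HEADER.unpack(request[:4])
    request_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    name = attrs.get(USER_NAME)
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    ok = name in users and hmac.compare_digest(users[name], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, [], secret)


def exchange(secret, users, username, password, nas_ip=bytes([192, 168, 1, 111]), ident=7):
    """One NAS -> server -> NAS round trip; returns 'accept', 'reject' or 'spoofed'."""
    request_auth = os.urandom(16)  # fresh Request Authenticator for every request
    request = build_request(ident, request_auth, [
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, nas_ip),
        (NAS_PORT, struct.pack("!I", 1)),
    ])
    response = serve(request, secret, users)
    if not verify_response(response, ident, request_auth, secret):
        return "spoofed"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


# Constructed shared secret and user database (not from the page).
SECRET = b"constructed-shared-secret"
USERS = {b"cuong": b"1"}

if __name__ == "__main__":
    print(exchange(SECRET, USERS, b"cuong", b"1"))
    print(exchange(SECRET, USERS, b"cuong", b"wrong"))
```

Two points the code makes concrete: the password hiding is only as strong as the shared secret, which is why the text recommends a long one, and the Response Authenticator is a MAC over the whole reply keyed by that secret, so a reply built with any other secret fails the NAS check.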

4.1.3 Applying RADIUS to a WLAN

In a wireless network using 802.1x Port Access Control, the wireless stations play the role of the remote user and the wireless access point acts as the Network Access Server (NAS). Instead of connecting to the NAS by dial-up with a protocol such as PPP, the wireless station connects to the access point using the 802.11 protocol.

The process runs as follows: the wireless station sends an EAP-Start message to the access point. The access point asks the station for its identity and forwards it to an AAA server in the User-Name attribute of a RADIUS Access-Request.

The AAA server and the wireless station complete the process by exchanging RADIUS Access-Challenge and Access-Request messages through the access point. Depending on the EAP type negotiated, this information is carried inside an encrypted TLS tunnel.

If the AAA server sends an Access-Accept message, the access point and the wireless station complete the connection and begin the session, using WEP or TKIP to encrypt the data. At that point the access point unblocks the port and the wireless station can send and receive data on the network normally.

Note that the data encryption between the wireless station and the access point is separate from the encryption between the access point and the AAA server (RADIUS server).

If the AAA server sends an Access-Reject message, the access point disconnects the station. The station may retry the authentication process, but the access point prevents it from sending packets to the access points nearby. Note that this station is still perfectly able to overhear data transmitted by other stations: the data travels over radio waves, and that is the reason you must encrypt data transmitted on a wireless network.

Attribute-Value pairs included in the RADIUS message can be used by the AAA server to control the session between the access point and the wireless station, such as Session-Timeout or a VLAN tag (Tunnel-Type=VLAN, Tunnel-Private-Group-ID=tag). Exactly which additional attributes are available depends on the AAA server, the access point and the station you use.

4.1.4 Additional options

First of all, once you understand the role of RADIUS in WLAN authentication, you need to set up an AAA server that supports this interaction.

If you already have a RADIUS AAA server on your network, it may already support 802.1x authentication and let you choose the EAP types. If so, move on to the next step: how to enable this feature.

If you have a RADIUS AAA server that does not support 802.1x, or does not support the required EAP types, you can either update the server to a newer software version or install a new server. If you install a new AAA server that supports 802.1x authentication, you can use the RADIUS proxy feature to set up a chain of servers sharing one central database; the RADIUS proxy can forward authentication requests to the server capable of 802.1x authentication.

If you do not have a RADIUS AAA server at all, you need to install one for WLAN authentication; choosing which to install is an interesting task.
Centralisation: the RADIUS solution is very important for a WLAN because if your network has many access points, configuring their security is very hard when each is managed separately; users could authenticate at many different access points, which is not secure.

Using RADIUS for a WLAN is highly convenient: it provides authentication for a whole system of many access points and enables smarter solutions.

4.1.5 How should we choose a suitable RADIUS server?

This part presents the management of the application and the cost of deploying a RADIUS server, so that the choice suits the business.

In the part above we saw that a RADIUS server provides authentication for 802.1x Port Access Control. We now need to consider the deployment options for solutions that use 802.1x: how the application is managed, and how much a RADIUS server would cost to deploy, so that the choice suits the business.

Cost
Businesses that want to raise the security of their WLAN by using the 802.1x standard will find deploying RADIUS a reasonable choice for this requirement.

Deploy WPA with Preshared Keys: upgrading your WLAN from Wired Equivalent Privacy (WEP) to Wi-Fi Protected Access (WPA) can be done without RADIUS by using Preshared Keys (PSK) in place of 802.1x. Preshared keys cannot authenticate each user individually and resist dictionary attacks very poorly, so they leave quite a few security problems. Using this solution exposes your business to more risk; WPA-PSK is only reasonable for small environments.

Use Microsoft's RADIUS Server: if you have a server running Microsoft Windows Server 2000/2003, this is entirely possible using Microsoft's Internet Authentication Service (IAS).

IAS is essential for administrators and users who have to work in a Windows environment, and it is also one of the advanced features of Microsoft Wireless Provisioning Service.

Install an Open Source RADIUS Server: if you do not have a Windows licence, another option is an open-source software solution; see http://www.freeradius.org. With its support for 802.1x, servers running open-source operating systems such as Linux, FreeBSD or OpenBSD, OSF/Unix or Solaris can all be used as a RADIUS server.
Buy a Commercial RADIUS Server: where a professional solution with full feature support, security and stability is required, you can buy commercial products from other vendors that support 802.1x and are professional RADIUS servers:

Aradial WiFi http://www.aradial.com
Bridgewater Wi-Fi AAA http://www.bridgewatersystems.com
Cisco Secure Access Control Server http://www.cisco.com/
Funk Odyssey http://www.funk.com/
IEA RadiusNT http://www.iea-software.com/
Infoblox RADIUS One Appliance http://www.infoblox.com/
Interlink Secure XS http://www.interlinknetworks.com/
LeapPoint AiroPoint Appliance http://www.leappoint.com/
Meetinghouse AEGIS http://www.mtghouse.com/
OSC Radiator http://www.open.com.au/radiator/
Vircom VOP Radius http://www.vircom.com

Commercial RADIUS servers are priced according to product capability. For example, a Funk Odyssey Server purchase includes 25 Odyssey Client licences. VOP Radius Small Business starts at $995 for 100 users. A Radiator server licence costs $720.

A RADIUS server may also be priced as a hardware/software bundle. For example, Funk's Steel-Belted Radius on a Network Engines appliance costs $7500, and LeapPoint's AiroPoint 3600 SE starts at $2499 for 50 clients. All the prices above are examples and depend heavily on the software vendor or the various resellers.

Alternatively, for a small business network without the means to deploy a RADIUS server, a good option is a hosted security service from a company specialising in Wi-Fi network security, such as WSC Guard, which offers 802.1x-based security services starting at $89 per user per year, dropping to $59 when a customer signs up 1000 users.

4.2 SYSTEM DESCRIPTION
A WLAN is inherently insecure, but a wired network without any precautions or protective configuration is not secure either. The key to a secure WLAN is to deploy the essential WLAN security measures so that the network is safer and unwanted, unauthorised access is blocked. When a client wants to access the network it must log in with a valid username and password. This authentication process is controlled by the RADIUS server.
Requirements:
Configure the RADIUS server on Windows Server 2003 and create usernames and passwords for the clients that will join the network.

On the Linksys AP, set the security mode to WPA2-Enterprise.

Join the PC to the network and check connectivity.

Equipment required: one Linksys WRT54G access point and two PCs (one with a wireless card and one acting as the RADIUS server).
The PC acting as RADIUS server runs Windows Server 2003 Enterprise Edition and is promoted to a Domain Controller; the PC acting as wireless client runs Windows XP Professional and is joined to the domain.

4.3 INSTALLATION PROCEDURE

4.3.1 Step 1: Install DHCP

4.3.2 Step 2: Install an Enterprise CA

4.3.3 Step 3: Install RADIUS

4.3.4 Step 4: Switch to Native Mode

4.3.5 Step 5: Configure DHCP

4.3.6 Step 6: Configure RADIUS

4.3.7 Step 7: Create users and grant Remote Access permission to the users and the computer

4.3.8 Step 8: Create a Remote Access Policy

4.3.9 Step 9: Configure the AP and enter the RADIUS server address

4.3.10 Step 10: Configure the wireless client

4.4 DEMO
We start the RADIUS server and the AP. From the wireless client we log in with username cuong and password 1. We see the following result:

Figure 4.20 Parameters assigned by the DHCP server, such as IP address, DNS server and default gateway

On the RADIUS server, open Administrative Tools > Event Viewer > Security; we see the following result:
Figure 4.21 Event Viewer
The details of the logon are recorded in the log file as follows:

++-++
User NGOCUONG\cuong was granted access.
Fully-Qualified-User-Name = ngocuong.net/wifi/cuong
NAS-IP-Address = 192.168.1.111
NAS-Identifier = <not present>
Client-Friendly-Name = Linksys 54G
Client-IP-Address = 192.168.1.111
Calling-Station-Identifier = 00-1B-77-09-BF-1E
NAS-Port-Type = Wireless IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = wifi
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
++-++
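The IAS record above is the evidence an administrator has that the RADIUS policy did what was configured. The Python example below, added here and not part of the original document, parses such a record into fields and audits a grant against a baseline (the policy name, port type, authentication type and EAP type as they appear in the page's record, plus the set of RADIUS clients expected to send requests). The record text is the one shown on the page; the baseline set of NAS addresses and the second, deviating record are constructed for the example.

```python
import re

# The record as printed on the page (Windows Server 2003 IAS security-log text).
PAGE_RECORD = r"""
User NGOCUONG\cuong was granted access.
Fully-Qualified-User-Name = ngocuong.net/wifi/cuong
NAS-IP-Address = 192.168.1.111
NAS-Identifier = <not present>
Client-Friendly-Name = Linksys 54G
Client-IP-Address = 192.168.1.111
Calling-Station-Identifier = 00-1B-77-09-BF-1E
NAS-Port-Type = Wireless IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = wifi
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)
"""

HEADER_RE = re.compile(r"^User (\S+) was (granted|denied) access\.$")
MISSING = {"<not present>", "<undetermined>"}


def parse_ias_record(text):
    """Turn one IAS event body into a dict: 'user', 'granted' and the key = value fields."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("unrecognised IAS record header: " + lines[0])
    rec = {"user": m.group(1), "granted": m.group(2) == "granted"}
    for ln in lines[1:]:
        key, sep, value = ln.partition(" = ")
        if not sep:
            continue  # e.g. the trailing "For more information" line
        rec[key] = None if value in MISSING else value
    return rec


# Baseline for this deployment, taken from the page's record; the set of RADIUS
# clients (NAS addresses) is constructed around the one address the page shows.
EXPECTED = {
    "Policy-Name": "wifi",
    "NAS-Port-Type": "Wireless IEEE 802.11",
    "Authentication-Type": "PEAP",
    "EAP-Type": "Secured password (EAP-MSCHAP v2)",
}
KNOWN_NAS = {"192.168.1.111"}


def audit(rec, expected=EXPECTED, known_nas=KNOWN_NAS):
    """Return a list of findings; an empty list means the grant matched the baseline."""
    findings = []
    if not rec["granted"]:
        return findings  # denials are logged too, but only grants are checked here
    for key, want in expected.items():
        if rec.get(key) != want:
            findings.append(f"{key}: got {rec.get(key)!r}, expected {want!r}")
    if rec.get("Client-IP-Address") not in known_nas:
        findings.append(f"grant issued to unknown RADIUS client {rec.get('Client-IP-Address')!r}")
    return findings


# Constructed variant (not from the page): same user, but a weaker EAP type and a
# request from a RADIUS client that is not one of ours.
ODD_RECORD = (PAGE_RECORD
              .replace("EAP-Type = Secured password (EAP-MSCHAP v2)", "EAP-Type = MD5-Challenge")
              .replace("Client-IP-Address = 192.168.1.111", "Client-IP-Address = 192.168.1.250"))

if __name__ == "__main__":
    for text in (PAGE_RECORD, ODD_RECORD):
        rec = parse_ias_record(text)
        print(rec["user"], "granted" if rec["granted"] else "denied", audit(rec) or "OK")
```

Run over the page's record the audit is clean; over the constructed variant it reports the downgraded EAP type and the unknown RADIUS client, which are exactly the two fields worth watching after a deployment like the one in 4.3.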
