SERVER AND WPA2
CHAPTER 1. WIRELESS LOCAL AREA NETWORKS
1.1 OVERVIEW OF WLAN
1.1.1 History and development
A wireless LAN, abbreviated WLAN (Wireless Local Area Network), is a network that connects two or more computers without cables. A WLAN uses spread-spectrum technology and radio waves to allow communication between devices within a given area.
Convenience
Mobility
Efficiency
Deployment
Scalability
Security
Range
Reliability
Speed
Besides the common standards listed above, there are many other IEEE 802.1x standards, such as IEEE 802.1i, IEEE 802.1h, ...
1.3 WLAN STRUCTURE AND MODELS
1.3.1 Basic structure of a Wireless LAN
Stations
After knocking one user off the wireless service, the attacker repeats the same procedure against the remaining users.
After disconnecting one client, the attacker repeats the same against the remaining clients, so that every client is forced to disconnect from the AP.
The algorithm was designed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen (who submitted it under the joint name Rijndael to the AES design competition). Rijndael is pronounced "Rhine dahl" in international phonetic transcription (IPA: [ˈrɛindaːl]).
Moreover, WPA includes a Message Integrity Check, so data cannot be altered while in transit. WPA comes in two variants: WPA Personal and WPA Enterprise. Both use the TKIP protocol; the only difference is how the initial encryption key is established. WPA Personal suits home and small-office networks: the initial key is configured on the access points and on the client devices. WPA Enterprise, by contrast, requires an authentication server and 802.1x to supply the initial keys for every session.
3.8 WPA2
A long-term solution is to use 802.11i, equivalent to WPA2, which is certified by the Wi-Fi Alliance. This standard uses a strong encryption algorithm called the Advanced Encryption Standard (AES). AES uses the Rijndael symmetric block cipher, with 128-bit, 192-bit, or 256-bit cipher blocks. After evaluating this cipher, the U.S. National Institute of Standards and Technology (NIST) approved this symmetric algorithm.
Note: this encryption standard is used by U.S. government agencies to protect sensitive information.
3.9 FILTERING
Filtering is a basic security mechanism that can be used together with WEP. Filtering works like an access list on a router: it blocks what is unwanted and permits what is wanted. Three basic kinds of filtering can be used in a wireless LAN:
SSID filtering
MAC address filtering
Protocol filtering
3.10 CONCLUSION
For hotspot access points, encryption is not required; only user authentication is needed.
For home WLAN users, a security method based on a WPA passphrase or preshared key is recommended.
The Remote Authentication Dial In User Service (RADIUS) protocol is defined in RFC 2865 as follows: it provides centralised authentication, authorization and accounting (AAA) for SLIP and PPP dial-up sessions, so that Internet service providers (ISPs) rely on this protocol to authenticate users when they access the Internet.
On receiving the request, the AAA server uses the supplied fields, such as the NAS identifier and the Authenticator, to verify that the NAS is permitted to send requests. If it is, the AAA server looks up the username and password presented by the user in its database. If the check succeeds, the server uses the information from the Access-Request to decide that the user's access is accepted.
If the AAA server finds that the user's credentials are fully satisfactory and the service is allowed, it returns a RADIUS Access-Accept message. Otherwise the AAA server returns a RADIUS Access-Reject message and the NAS disconnects the user.
The Authenticator is sent in the Access-Request as a random number. MD5 hashes this random number into a value that is XORed with the user's password, and the result is sent in the Access-Request User-Password attribute. The whole RADIUS response is then MD5-hashed together with the same shared secret as the Authenticator and the other response fields.
The Authenticator secures the exchange between the NAS and the AAA server, but an attacker who captures both the RADIUS Access-Request and Access-Response packets can mount a dictionary attack on this encapsulation. In practice decryption is hard because longer parameters must be used; the full set of risks to this transport is described in detail in RFC 3580.
Attribute-Value Pairs: the information carried by RADIUS is expressed as Attribute-Value pairs, which support many different technologies and authentication methods. A standard set of Attribute-Value pairs is defined, including User-Name, User-Password, NAS-IP-Address, NAS-Port and Service-Type. Vendors can also define Attribute-Value pairs carrying their own information as Vendor-Specific attributes; a complete example is described in RFC 2548, which defines the Microsoft Attribute-Value pairs used in MS-CHAP.
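As an added example (not code from the original document), the two paragraphs above in working form: the RFC 2865 section 5.2 User-Password hiding (MD5 of shared secret + Request Authenticator, XORed with the NUL-padded password), the Response Authenticator, and Attribute-Value pair encoding and parsing. The shared secret, Request Authenticator and credentials are constructed sample values.

```python
import hashlib
import struct
# Constructed sample values (not from the page); a real NAS uses os.urandom(16) per request.
SECRET = b"sample-shared-secret"
REQ_AUTH = bytes(range(16))

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16 octets, XOR block i with
    MD5(secret + previous output block), block 0 with MD5(secret + req_auth)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse applied by the AAA server; NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_avp(attr_type: int, value: bytes) -> bytes:
    """Attribute-Value pair: Type (1 octet), Length (1 octet, header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_avps(data: bytes) -> list:
    """Walk the attribute area, rejecting a Length that would overrun the packet."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed AVP at offset %d" % i)
        avps.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return avps

def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Code 1 = Access-Request; header = Code, ID, Length, 16-octet Authenticator."""
    attrs = encode_avp(1, user) + encode_avp(2, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Authenticator of an Access-Accept/Reject: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()
```

Because the mask depends only on the shared secret and the Request Authenticator, anyone holding a captured request and a guessed secret can test that guess offline, which is the dictionary-attack exposure the text warns about and why a long, random shared secret matters.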
The process begins when the wireless station sends an EAP-Start message to the Access Point. The Access Point asks the station to identify itself and forwards the information to an AAA server in a RADIUS Access-Request carrying the User-Name attribute.
The AAA server and the wireless station complete the process by exchanging RADIUS Access-Challenge and Access-Request messages through the Access Point. Depending on the EAP type selected above, this information is carried inside an encrypted TLS tunnel.
The first thing to understand is the role of RADIUS in WLAN authentication: you must set up an AAA server that supports this interaction.
Using RADIUS for a WLAN is very convenient: it authenticates users across a whole system of many Access Points and enables smarter solutions.
In the section above we saw that the RADIUS server provides authentication for 802.1x Port Access Control. We now need to consider the deployment options for 802.1x-based solutions: how this application is managed, and what a RADIUS server would cost to deploy, so that it fits the business.
Cost
Businesses that want to raise the security of their WLAN and also use the 802.1x standard will find that deploying RADIUS is the sensible choice for this requirement.
Deploy WPA with Preshared Keys: upgrading your WLAN from Wired Equivalent Privacy (WEP) to Wi-Fi Protected Access (WPA) can be done without RADIUS, by using Preshared Keys (PSK) in support of the 802.1x standard. Preshared Keys cannot authenticate each user individually, and their resistance to dictionary attacks is very poor because of a number of security problems. Using this solution exposes your business to more risk; WPA-PSK is reasonable only for small environments.
IAS is needed by administrators or users who must work in a Windows environment. It is also one of the advanced features of Microsoft Wireless Provisioning Service.
Install an Open Source RADIUS Server: if you do not have a Windows version, another option is open-source software; see http://www.freeradius.org. With its support for the 802.1x standard, servers running open-source operating systems such as Linux, Free or OpenBSD, OSF/Unix, or Solaris can all be used as a RADIUS server.
Buy a Commercial RADIUS Server: if you need a professional solution with full support for all features as well as safety and stability, you can buy commercial products from various vendors that support 802.1x and are professional RADIUS servers:
The price of a RADIUS server may also include a hardware/software bundle. For example, Funk's Steel-Belted Radius on a Network Engines appliance costs $7500. LeapPoint's AiroPoint 3600 SE starts at $2499 for 50 clients. These prices are only examples and depend heavily on the software vendor or the resellers of the various brands.
In addition, for a small business network where you cannot deploy a RADIUS server, a good option is a security service from a company specialising in Wi-Fi network security, such as WSC Guard, which provides 802.1x-based security services starting at $89 per user per year, falling to $59 when a customer signs up 1000 users.
4.2 SYSTEM DESCRIPTION
A WLAN is by nature insecure, but a wired network without any precautions or protective configuration is not secure either. The key to building a secure WLAN is to deploy the essential WLAN security measures so that the network is safer and unwanted, unauthorised access is blocked. When a client wants to join the network, it must log in with a valid username and password. This authentication process is controlled by the RADIUS server.
Requirements:
Configure a RADIUS server on Windows Server 2003, and create a user and password for each client that is to join the network.
4.3.2 Step 2: Install the Enterprise CA
4.3.3 Step 3: Install RADIUS
4.4 DEMO
Start the RADIUS server and the AP. From the Wireless Client, log in with user name cuong and password 1. The result is as follows:
Figure 4.20 Parameters assigned by the DHCP server such as IP, DNS server, Default Gateway
Fully-Qualified-User-Name = ngocuong.net/wifi/cuong
NAS-IP-Address = 192.168.1.111
Client-IP-Address = 192.168.1.111
Calling-Station-Identifier = 00-1B-77-09-BF-1E
NAS-Port = 1
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = wifi
Authentication-Type = PEAP