How can I improve wireless security for my office (Radius? Certificates?)

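Edit 1:

Our environment is mixed: mostly OSX, with some Windows and Linux machines. More importantly, Android and Apple phones also need regular wireless access.

We have a Redhat box available to run Freeradius. All network gear is Cisco-based (ASA + Catalyst switches + Aironet 1140 APs).

Thanks to HopelessN00b's feedback, I'm currently looking at Freeradius + PEAP as a solution. I'm preparing a test bed for the authorization server side so I can try it out.


Right now we're using a WPA2 key + MAC address filtering on a setup made of 2 Cisco Aironet 1140s connected via WDS.

It works fine, but everyone shares the same WPA2 key, and every time someone is added both AP configs have to be edited, which is a bit time-consuming. Our office has only 2 APs and about 12-15 people, with no need to sync with other locations. We're a mixed mac/windows/linux office. What setup would you recommend?

Everything was already configured when I got there, and I see 2 references to radius servers in the APs' running config, but the machines referenced don't seem to have those ports open, so I suspect these lines are inactive. Am I right?

Here's a copy of the running configs:

Access point 1: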

    service password-encryption
    !
    hostname wap
    !
    logging rate-limit console 9
    enable secret 5 [redacted]
    !
    aaa new-model
    !
    !
    aaa group server radius rad_eap
     server 192.168.90.245 auth-port 1812 acct-port 1813
    !
    aaa group server radius rad_mac
    !
    aaa group server radius rad_acct
    !
    aaa group server radius rad_admin
    !
    aaa group server tacacs+ tac_admin
    !
    aaa group server radius rad_pmip
    !
    aaa group server radius dummy
    !
    aaa authentication login default local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods group rad_mac
    aaa authentication login wds-server group rad_eap
    aaa authorization exec default local 
    aaa accounting network acct_methods start-stop group rad_acct
    !
    aaa session-id common
    clock timezone -0500 -5
    clock summer-time -0400 recurring
    ip domain name nyc.acme.local
    !
    !
    dot11 association mac-list 700
    dot11 syslog
    !         
    dot11 ssid ACME-NYC
       vlan 1
       authentication open 
       authentication key-management wpa version 2
       guest-mode
       wpa-psk ascii 7 [redacted]
    !
    dot11 aaa csid ietf
    !
    !
    username ckent privilege 15 secret 5 [redacted]
    username e0f847203232 password 7 [redacted]
    username e0f847203232 autocommand exit
    username 58946b90ca20 password 7 [redacted]
    username 58946b90ca20 autocommand exit
    username bwayne privilege 15 secret 5 [redacted]
    username e0f847320cca password 7 [redacted]
    username e0f847320cca autocommand exit
    username 58946bbf4868 password 7 [redacted]
    username 58946bbf4868 autocommand exit
    username pparker privilege 15 secret 5 [redacted]
    !
    !
    bridge irb
    !         
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     encryption vlan 1 mode ciphers aes-ccm tkip 
     !
     ssid Acme-NYC
     !
     antenna gain 0
     speed  basic-11.0 18.0 24.0 36.0 48.0 54.0
     channel 2412
     station-role root
    !
    interface Dot11Radio0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface Dot11Radio1
     no ip address
     no ip route-cache
     !
     encryption vlan 1 mode ciphers aes-ccm tkip 
     !
     ssid ACME-NYC
     !
     antenna gain 0
     dfs band 3 block
     channel dfs
     station-role root
    !
    interface Dot11Radio1.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !         
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     no keepalive
    !
    interface GigabitEthernet0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface BVI1
     ip address 192.168.90.245 255.255.255.0
     no ip route-cache
    !
    ip default-gateway 192.168.90.254
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1 
    access-list 111 permit tcp any any neq telnet
    access-list 700 permit [redacted]   0000.0000.0000
    access-list 700 permit [redacted]   0000.0000.0000
    access-list 700 deny   0000.0000.0000   ffff.ffff.ffff

    snmp-server community acme   RO
    radius-server local
      no authentication eapfast
      no authentication mac
      nas 192.168.90.245 key 7 [redacted]
      user ap2 nthash 7 [redacted]
    !
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.90.201 auth-port 1645 acct-port 1646 key 7 [redacted]
    radius-server host 192.168.90.245 auth-port 1812 acct-port 1813 key 7 [redacted]
    radius-server vsa send accounting
    bridge 1 route ip
    !
    !
    wlccp authentication-server infrastructure wds-server
    wlccp wds aaa csid ietf
    wlccp wds priority 200 interface BVI1
    !
    line con 0
     access-class 111 in
    line vty 0 4
     access-class 111 in
    !
    end

Access point 2:

    service password-encryption
    !
    hostname wap2
    !
    logging rate-limit console 9
    !
    aaa new-model
    !
    !
    aaa group server radius rad_eap
     server 192.168.90.245 auth-port 1812 acct-port 1813
    !
    aaa group server radius rad_mac
    !
    aaa group server radius rad_acct
    !
    aaa group server radius rad_admin
    !
    aaa group server tacacs+ tac_admin
    !
    aaa group server radius rad_pmip
    !
    aaa group server radius dummy
    !
    aaa authentication login default local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods group rad_mac
    aaa authorization exec default local 
    aaa accounting network acct_methods start-stop group rad_acct
    !
    aaa session-id common
    clock timezone -0500 -5
    clock summer-time -0400 recurring
    ip domain name nyc.acme.local
    !
    !
    dot11 association mac-list 700
    dot11 syslog
    !
    dot11 ssid Acme-NYC
       vlan 1
       authentication open 
       authentication key-management wpa version 2
       guest-mode
       wpa-psk ascii 7 [redacted]
    !
    dot11 aaa csid ietf
    !
    !
    username ckent privilege 15 secret 5 [redacted]
    username e0f847203232 password 7 [redacted]
    username e0f847203232 autocommand exit
    username 58946b90ca20 password 7 [redacted]
    username 58946b90ca20 autocommand exit
    username bwayne privilege 15 secret 5 [redacted]
    username e0f847320cca password 7 [redacted]
    username e0f847320cca autocommand exit
    username 58946bbf4868 password 7 [redacted]
    username 58946bbf4868 autocommand exit
    username pparker privilege 15 secret 5 [redacted]
    !
    bridge irb
    !
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     encryption vlan 1 mode ciphers aes-ccm tkip 
     !
     ssid Acme-NYC
     !
     antenna gain 0
     speed  basic-11.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    !
    interface Dot11Radio0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface Dot11Radio1
     no ip address
     no ip route-cache
     !
     encryption vlan 1 mode ciphers aes-ccm tkip 
     !
     ssid Acme-NYC
     !
     antenna gain 0
     dfs band 3 block
     channel dfs
     station-role root
    !
    interface Dot11Radio1.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !         
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     no keepalive
    !
    interface GigabitEthernet0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface BVI1
     ip address 192.168.90.246 255.255.255.0
     no ip route-cache
    !
    ip default-gateway 192.168.90.254
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1 
    access-list 111 permit tcp any any neq telnet
    access-list 700 permit [redacted]   0000.0000.0000
    access-list 700 permit [redacted]   0000.0000.0000
    access-list 700 deny   0000.0000.0000   ffff.ffff.ffff

    snmp-server community Acme RO
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.90.201 auth-port 1645 acct-port 1646 key 7 [redacted]
    radius-server vsa send accounting
    bridge 1 route ip
    !
    !
    wlccp ap username ap2 password 7 [redacted]
    wlccp wds aaa csid ietf
    !
    line con 0
     access-class 111 in
    line vty 0 4
     access-class 111 in
    !
    sntp server 192.168.90.254
    sntp broadcast client
    end
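
An added example, not part of the original post and not Cisco tooling: a small Python audit that addresses the "are these lines inactive?" question by tracing, in an excerpt of the posted access point 1 config, which AAA method lists are actually referenced and which RADIUS servers they reach. It assumes a method list is in use only when an SSID `authentication` line or a `wlccp authentication-server` line names it; the function name and result keys are illustrative.

```python
import re

# Excerpt of the "Access point 1" running config from the post; secrets stay redacted.
AP1_CONFIG = """\
aaa group server radius rad_eap
 server 192.168.90.245 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authentication login wds-server group rad_eap
dot11 ssid ACME-NYC
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 [redacted]
radius-server host 192.168.90.201 auth-port 1645 acct-port 1646 key 7 [redacted]
radius-server host 192.168.90.245 auth-port 1812 acct-port 1813 key 7 [redacted]
wlccp authentication-server infrastructure wds-server
"""

def audit(config):
    """Trace SSID/WDS -> method list -> server group -> RADIUS server."""
    groups, lists, hosts, refs, psk = {}, {}, [], set(), []
    group = ssid = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] not in (" ", "\t"):       # a top-level command closes any open block
            group = ssid = None
        if m := re.match(r"aaa group server radius (\S+)", line):
            group = m[1]
            groups[group] = []
        elif group and (m := re.match(r"server (\S+)", line)):
            groups[group].append(m[1])
        elif m := re.match(r"aaa authentication login (\S+) group (\S+)", line):
            lists[m[1]] = m[2]
        elif m := re.match(r"dot11 ssid (\S+)", line):
            ssid = m[1]
        elif ssid and line.startswith("wpa-psk"):
            psk.append(ssid)                 # clients authenticate with a shared key
        elif (ssid and line.startswith("authentication ")) or line.startswith("wlccp authentication-server"):
            refs.update(line.split())        # any token here may name a method list
        elif m := re.match(r"radius-server host (\S+)", line):
            hosts.append(m[1])
    used = sorted(refs & lists.keys())
    active = sorted({ip for name in used for ip in groups.get(lists[name], [])})
    return {"psk_ssids": psk, "used_lists": used, "unused_lists": sorted(lists.keys() - refs),
            "active_servers": active, "idle_hosts": [h for h in hosts if h not in active]}

if __name__ == "__main__":
    print(audit(AP1_CONFIG))
```

On the excerpt it reports the SSID as PSK-only, `eap_methods` and `mac_methods` as unreferenced, and 192.168.90.201 as defined but never consulted; only the WDS method list reaches 192.168.90.245.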

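Answer 1

This question is a bit broad and hard to answer without knowing your skill level and environment, but yes, I'd definitely recommend certificate-based 802.1x authentication over a shared WPA2 key.

It's more secure (clients can't snoop on each other's traffic, because each client uses a different key), easier to manage, and you no longer need some poor help desk person to type in the key for new machines or new users. Shared keys are really just a quick hack for lazy or unskilled admins to "get wireless working", and I have a hard time imagining a legitimate use case for them in a professional environment.

If you can't set it up yourself, you may want to bring in a consultant for a few hours to set it up for you, but we can't judge whether that's a reasonable use of money, or whether the size of your shop and the value of the data going over wireless are low enough that a shared WPA2 key is "good enough".

Even if you haven't done this before, it's not difficult (although your Windows/Mac/OSX environment may make the setup a pain), but you'll definitely want to sit down and read up on how best to implement and set up a new certificate authority and a RADIUS server. Honestly, in an environment with so few people and so many client operating systems, I'm not really sure which implementation I'd prefer.

FYI, always redact the passwords in AP configs. Converting the hashes to passwords is trivial. (I'll fix it now, but keep it in mind next time...)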
