
Securing WLAN with RADIUS Authentication

PREFACE

With the rapid development and constant improvement of network technology, everyone, from workers to managers, from students to teachers, from businesses to governments, needs to be connected anytime, anywhere. WLANs were created to meet this need. The advent of the WLAN is truly a leap forward in network technology: it is a method of carrying data from one point to another using radio waves. It is now popular all over the world and brings many benefits to users, above all mobility. In some countries with advanced information technology, wireless networks have truly become part of everyday life. With just a laptop, a PDA or any other wireless access device, we can reach the wireless network anywhere: at the office, at home, on an airplane, in a café, anywhere within the coverage of the WLAN.

With so many benefits and such open access, however, security problems have always troubled manufacturers, organizations and individual users. Because the WLAN's transmission medium is radio waves travelling through the air, any receiving device within coverage is able to reach the network. This leads to serious WLAN security problems. For this reason, in the Wireless Networks course, Group 4 of class MM02A at the Vietnam-Korea Friendship IT College chose the topic "Securing WLAN with RADIUS authentication" as its end-of-course project. Despite our best efforts, mistakes in the project are unavoidable, so Group 4 hopes to receive feedback from friends and teachers so that the project can be improved.

Da Nang, 5 November 2010
Implemented by: Group 4

Group 4 MM02A - Vietnam-Korea Friendship IT College


TABLE OF CONTENTS

CHAPTER 1. OVERVIEW OF WLAN  1
  1.1. Overview of WLAN  1
    1.1.1. What is a WLAN?  1
    1.1.2. History and development  1
    1.1.3. Advantages of WLAN  2
    1.1.4. Disadvantages  2
  1.2. WLAN infrastructure  3
    1.2.1. Basic structure of a WLAN  3
    1.2.2. Devices for WLAN  3
    1.2.3. WLAN models  7
      1.2.3.1. Independent network model  7
      1.2.3.2. Basic service set model (BSSs)  8
      1.2.3.3. Extended service set model (ESSs)  9
CHAPTER 2. COMMON ATTACKS ON WLAN AND COUNTERMEASURES  11
  2.1. Common attacks on WLAN  11
    2.1.1. Rogue Access Point  11
      2.1.1.1. Definition  11
      2.1.1.2. Classification  11
      2.1.1.3. Incompletely configured Access Point  11
      2.1.1.4. Rogue Access Point from neighboring WLANs  12
      2.1.1.5. Rogue Access Point created by an attacker  12
    2.1.2. De-authentication request attack  14
    2.1.3. Fake Access Point  15
    2.1.4. Attack based on physical-layer carrier sense  15
    2.1.5. Disconnection attack  16
  2.2. WLAN security solutions  17
    2.2.1. WEP  17
    2.2.2. WLAN VPN  18
    2.2.3. TKIP (Temporal Key Integrity Protocol)  19
    2.2.4. AES  19
    2.2.5. 802.1X and EAP  20
    2.2.6. WPA (WI-FI Protected Access)  21
    2.2.7. WPA2  22
    2.2.8. FILTERING  22
  2.3. Conclusion  25
CHAPTER 3. THE RADIUS AUTHENTICATION PROTOCOL AND RADIUS SERVER  26
  3.1. The RADIUS protocol  26
    3.1.1. Overview of the RADIUS protocol  26
    3.1.2. Introduction  26
    3.1.3. Properties of RADIUS  26
    3.1.4. RADIUS protocol 1  27
      3.1.4.1. Operating mechanism  27
      3.1.4.2. Packet format  29
      3.1.4.3. Packet type  31
    3.1.5. RADIUS protocol 2  37
      3.1.5.1. Operating mechanism  37
      3.1.5.2. Packet Format  37
    3.1.6. Encryption and decryption method  38
  3.2. RADIUS SERVER  39


    3.2.1. Overview  39
    3.2.2. Authentication, authorization and accounting  39
    3.2.3. Security and scalability  40
    3.2.4. Applying RADIUS to WLAN  41
    3.2.5. Additional options  42
CHAPTER 4. SECURING WLAN WITH RADIUS AUTHENTICATION  43
  4.1. Analysis and design of a WLAN security authentication system with RADIUS  43
    4.1.1. Introduction  43
    4.1.2. System requirements  43
      4.1.2.1. Hardware  43
      4.1.2.2. Software  43
  4.2. Installation and deployment procedure  44
    4.2.1. Installing and configuring DHCP  44
      4.2.1.1. Installing DHCP  44
      4.2.1.2. Configuring DHCP  44
    4.2.2. Installing the Enterprise CA and requesting a certificate from the Enterprise CA server  44
      4.2.2.1. Installing the Enterprise CA  44
      4.2.2.2. Requesting a certificate from the Enterprise CA server  45
    4.2.3. Creating users, granting users Remote Access and switching to Native Mode  46
      4.2.3.1. Creating an OU named KTX  46
      4.2.3.2. Switching to Native Mode  47
    4.2.4. Installing and configuring RADIUS, creating a Remote Access Policy  47
      4.2.4.1. Installing RADIUS  47
      4.2.4.2. Creating a Remote Access Policy  48
    4.2.5. Configuring the AP  50
    4.2.6. Configuring the wireless client  51
    4.2.7. Demo  54


LIST OF FIGURES

CHAPTER 1. OVERVIEW OF WLAN


1.1. Overview of WLAN

1.1.1. What is a WLAN?
A wireless LAN, abbreviated WLAN (Wireless Local Area Network) or WIFI (Wireless Fidelity), is a network used to connect two or more computers to each other without cables. A WLAN uses spread-spectrum technology, using radio waves to allow communication between devices within an area called a Basic Service Set. It is a solution with many advantages over traditional wired (wireline) network connections: users keep their network connection while moving within the coverage area.

1.1.2. History and development
In 1990, WLAN technology appeared for the first time, when manufacturers introduced products operating in the 900 MHz band. These solutions (with no agreement among manufacturers) provided a data rate of 1 Mbps, far lower than the 10 Mbps of most cabled networks at the time.

In 1992, manufacturers began selling WLAN products using the 2.4 GHz band. Although these products had higher data rates, they were still proprietary solutions of each manufacturer and were not widely published. The need for interoperability between devices in different frequency ranges led several organizations to start developing wireless networking standards.

In 1997, the IEEE (Institute of Electrical and Electronics Engineers) approved the 802.11 standard, known as WIFI (Wireless Fidelity), for WLANs.

In 1999, the IEEE approved the supplements to 802.11 known as 802.11a and 802.11b (which define signal transmission methods). Devices based on 802.11b quickly became the dominant wireless technology.

In 2003, the IEEE published a further improvement, 802.11g, which tries to integrate the best of the 802.11a, 802.11b and 802.11g standards. It uses the 2.4 GHz band for a larger coverage area.


In 2009, the IEEE finally approved the new-generation WIFI standard 802.11n after 6 years of testing. 802.11n can carry data at 300 Mbps or even higher.

1.1.3. Advantages of WLAN
- Convenience: wireless networks let users reach network resources anywhere in the area where the WLAN is deployed (hotels, schools, libraries). With today's explosion of laptops and mobile devices that support wifi, this is truly convenient.
- Mobility: with the extremely strong growth of mobile telecommunications, users can reach the internet anywhere: cafés, libraries, schools and even parks or sidewalks, and often free of charge.
- Efficiency: users keep their network connection as they move from one place to another.
- Deployment: deploying a wireless network is very easy; an ADSL line and an AP are enough for a simple WLAN. With cabling, deployment to many places in a building is costly and difficult.
- Scalability: easy to expand, and able to respond immediately when the number of users grows sharply.

1.1.4. Disadvantages
Besides the advantages wireless networks bring us, they also have disadvantages. These are the limitations of the technology in general.
- Security: this can be called the biggest disadvantage of WLAN. Because the signal is carried by radio waves through the air, the chance of a wireless network being attacked is very high.
- Range: as we know, even the latest IEEE 802.11n standard can only operate over a maximum range of 150 m, so wireless networks only suit a small space.


- Reliability: because the signal is carried by radio waves, interference and attenuation are unavoidable. This affects the network's operating efficiency.
- Speed: the highest WLAN speed today can reach 600 Mbps, but this is still far slower than ordinary cabled networks (which can reach several Gbps).

1.2. WLAN infrastructure

1.2.1. Basic structure of a WLAN
- Distribution System: a logical component used to forward information to the destination stations. The 802.11 standard does not specify the exact technology of the DS.
- Access Point: the main function of the AP is to extend the network. It can convert 802.11 data frames into ordinary frames usable in other networks.
- Wireless Medium: the 802.11 standard uses radio frequencies to carry data frames between stations.
- Station: the peripheral devices that support wireless connection and communication, such as laptops, PDAs and Palms.

1. Access Point (AP) 2. Wireless Medium 3. Station

Figure 1-1 Basic structure of a WLAN

1.2.2. Devices for WLAN
Wireless Access Point (AP): a device whose task is to give clients an access point into the network.


Figure 1-2 Wireless Access Point device

Operating modes of the AP: an AP has three main operating modes.
- Root mode: root mode is used when the AP connects to the wired backbone through its wired interface (usually Ethernet). Most APs operate in root mode by default.

Figure 1-3: AP operating in root mode


- Bridge mode: in bridge mode the AP acts entirely as a wireless bridge. In this mode clients do not connect directly to the AP; instead, the AP is used to join two or more wired network segments together. Today most AP devices support bridge mode.

Figure 1-3 AP bridge mode

- Repeater mode: in repeater mode there are at least two APs, a root AP and an AP acting as a wireless repeater. The AP in repeater mode acts as a client when connecting to the root AP and as an AP when connecting to clients.

Figure 1-4 AP repeater mode


Wireless Router

Today, with advances in technology and engineering, the multi-function Wireless Router has appeared, combining the functions of three devices: Wireless Access Point, Ethernet Switch and Router.

Figure 1-5 Wireless Router device

Wireless NICs:
The devices that clients use to connect to the AP.


Figure 1-6 Wireless NICs

1.2.3. WLAN models
802.11 networks are very flexible in design and include the following 3 basic models:
- Independent network model (IBSSs), also called an ad-hoc network.
- Basic service set model (BSSs).
- Extended service set model (ESSs).

1.2.3.1. Independent network model
An IBSS (Independent Basic Service Set), also called an ad-hoc network, is a model in which clients communicate directly with each other without an AP, but must be within range of each other. The smallest network model in 802.11 is 2 clients communicating directly. Usually this model is set up with a number of clients installed for a specific shared purpose over a short period of time; when the communication ends, the IBSS is released.


Figure 1-7 Ad-hoc network model

1.2.3.2. Basic service set model (BSSs)
The Basic Service Set (BSS) is the fundamental topology of 802.11 networks. The communicating devices form a BSS with a single AP and one or more clients. Stations connect to the AP's wireless signal and begin communicating through the AP. Stations that are members of a BSS are said to be associated. Usually APs are connected to a distribution system medium (DSM), but this is not a requirement of a BSS. If an AP serves as a gateway to the distribution service, stations can communicate, through the AP, with network resources on the distribution system medium. Note also that if clients want to communicate with each other, they must relay the data through the AP: clients cannot communicate directly with each other, only through the AP. The figure below shows a standard BSS.


Figure 1-8 Standard BSS network model

1.2.3.3. Extended service set model (ESSs)
While a BSS is considered the foundation of an 802.11 network, an extended service set (ESS) of an 802.11 network is like a building built out of bricks. An ESS is two or more BSSs connected to each other through a distribution system. An ESS is a convergence of multiple access points and their associated stations, all joined by a single DS. A common example of an ESS has APs whose cells partially overlap. The purpose is to provide seamless roaming for clients. Most vendors recommend that cells overlap by about 10%-15% so that roaming succeeds.


Figure 1-9 ESS network model


CHAPTER 2. COMMON ATTACKS ON WLAN AND COUNTERMEASURES

2.1. Common attacks on WLAN
Attacks on WLANs and defenses against them currently receive a great deal of attention from experts in the security field. Many attacks and countermeasures have been proposed, but so far no countermeasure can be called completely secure; every defense proposed to date is only relative (that is, the security of a WLAN can still be broken in many different ways). How is a WLAN attacked, and what are the countermeasures? We will look at this in more detail below. According to many research documents, to attack a WLAN an attacker can use one of the following methods:
- Rogue Access Point
- De-authentication Flood Attack
- Fake Access Point
- Attack based on physical-layer carrier sense
- Disassociation Flood Attack

2.1.1. Rogue Access Point

2.1.1.1. Definition
"Rogue access point" describes access points that were created, unintentionally or deliberately, and that affect the existing network. The term refers to unauthorized wireless devices regardless of their purpose.

2.1.1.2. Classification

2.1.1.3. Incompletely configured Access Point
An Access Point can unexpectedly become a rogue device because of a configuration mistake: a change to the service set identifier (SSID), the authentication settings, the encryption settings, and so on. The most serious consequence is that a misconfigured AP cannot properly authenticate connections.


Example: with open mode authentication, wireless users in state 1 (unauthenticated and unassociated) can send authentication requests to an Access Point and, once authenticated, move to state 2 (authenticated but unassociated). If an Access Point does not validate the legitimacy of a client because of a configuration error, an attacker can send a large number of authentication requests, overflowing the Access Point's client association table and causing the Access Point to refuse access to other users, including authorized ones.

2.1.1.4. Rogue Access Point from neighboring WLANs
802.11 clients automatically pick the Access Point with the strongest signal they detect and connect to it. Example: Windows XP automatically connects to the best connection it can find around it. So the authenticated users of one organization may connect to the Access Points of neighboring organizations. Although the neighboring Access Points are not trying to attract connections from these users, the connections carry sensitive data.

2.1.1.5. Rogue Access Point created by an attacker
AP spoofing is the classic Man-In-The-Middle attack: the attacker sits in the middle and eavesdrops on the traffic between 2 nodes. This attack is very powerful because the attacker can capture all the traffic passing through the network. A man-in-the-middle attack is hard to mount on a wired network because it requires physical access to the medium; a wireless network is very easy to attack in this way. The attacker has to create an AP that is more attractive than the legitimate AP. The fake AP can be set up by copying the whole configuration of the legitimate AP: SSID, MAC address, and so on. The next step is to make the victim connect to the fake AP. The first way is to wait for the user to connect by themselves. The second way is to cause a denial-of-service (DoS) attack on the legitimate AP, so that the user has to reconnect, this time to the fake AP. In 802.11 the choice of AP is made by received signal strength, so the only thing the attacker has to make sure of is that their AP's signal is the strongest. To achieve this the attacker must place their AP closer to the victim than the legitimate AP is, or use directional antenna techniques. After the victim connects to the fake AP, the victim keeps working as normal, so even if the victim then connects to another legitimate AP all of the victim's data passes through the fake AP. The attacker uses utilities to record the password the victim exchanges with the web server, and so obtains what is needed to log into the legitimate network. This attack exists because 802.11 does not require two-way authentication between the AP and the node: the AP broadcasts to the whole network, which is easily eavesdropped, and so the attacker can obtain all the information they need. Nodes in the network use WEP to authenticate themselves to the AP, but WEP also has exploitable holes; an attacker can eavesdrop and use a cryptanalysis tool to recover the user's password.

Access Point set up by a company's own employees: because wireless is so convenient, some employees buy their own Access Point and connect it to the company's wired network. Not understanding or mastering wireless security, they unintentionally open a large security hole. Strangers entering the company and outside hackers can connect to this unauthenticated Access Point to steal bandwidth, steal the company's sensitive information, or use the company's network to attack others.
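The three rogue-AP classes above (a misconfigured own AP, a neighbor's AP, and an impostor copying the SSID) can be told apart by comparing what is heard on the air with an inventory of the APs the organization actually deployed. The following is an added example written for this page, not code from the report; the inventory, BSSIDs and SSIDs are constructed values, and the verdict names are assumptions chosen to match sections 2.1.1.3 to 2.1.1.5.

```python
"""Rogue-AP triage: compare observed beacons against an inventory of authorized APs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One observed beacon (all sample values in this file are constructed)."""
    bssid: str      # transmitter MAC address of the AP
    ssid: str
    channel: int
    security: str   # "open", "wep" or "wpa2", as advertised in the beacon


# Hypothetical inventory of the APs the organization actually deployed.
AUTHORIZED = {
    "00:11:22:aa:bb:01": {"ssid": "CORP-WLAN", "security": "wpa2"},
    "00:11:22:aa:bb:02": {"ssid": "CORP-WLAN", "security": "wpa2"},
}
CORPORATE_SSIDS = {entry["ssid"] for entry in AUTHORIZED.values()}

# Verdicts ordered from most to least severe; a BSSID seen several times keeps its worst one.
SEVERITY = ["evil-twin", "misconfigured", "neighbor", "authorized"]


def classify(beacon: Beacon) -> str:
    """Map one beacon to a verdict matching the rogue-AP classes of section 2.1.1."""
    known = AUTHORIZED.get(beacon.bssid.lower())
    if known is not None:
        # 2.1.1.3: our own AP, but advertising the wrong SSID or weaker security than provisioned
        if beacon.ssid != known["ssid"] or beacon.security != known["security"]:
            return "misconfigured"
        return "authorized"
    if beacon.ssid in CORPORATE_SSIDS:
        # 2.1.1.5: an unknown transmitter imitating our network name
        return "evil-twin"
    # 2.1.1.4: somebody else's network; clients may still auto-join it
    return "neighbor"


def triage(beacons) -> dict:
    """Return {bssid: worst verdict} over a batch of observed beacons."""
    verdicts = {}
    for beacon in beacons:
        key = beacon.bssid.lower()
        verdict = classify(beacon)
        current = verdicts.get(key)
        if current is None or SEVERITY.index(verdict) < SEVERITY.index(current):
            verdicts[key] = verdict
    return verdicts


# Constructed observations from a single survey sweep.
SAMPLE_BEACONS = [
    Beacon("00:11:22:AA:BB:01", "CORP-WLAN", 1, "wpa2"),    # healthy
    Beacon("00:11:22:aa:bb:02", "CORP-WLAN", 6, "open"),    # encryption accidentally disabled
    Beacon("de:ad:be:ef:00:01", "CORP-WLAN", 11, "open"),   # impostor using our SSID
    Beacon("66:77:88:99:aa:bb", "CoffeeShop-Free", 6, "open"),
]

if __name__ == "__main__":
    for bssid, verdict in triage(SAMPLE_BEACONS).items():
        print(f"{bssid}  {verdict}")
```

The inventory is keyed by BSSID rather than SSID because the SSID is exactly what an impostor copies; a BSSID missing from the inventory but announcing a corporate SSID is the strongest signal, while a known BSSID drifting from its provisioned security setting is the misconfiguration case the text describes.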


Figure 2-10 Man-In-The-Middle attack

2.1.2. De-authentication request attack

Figure 2-11 Model of the de-authentication request attack
- The attacker picks as targets the users of the wireless network and their connections (the Access Point and the connections to it).
- The attacker injects de-authentication request frames into the WLAN, spoofing the source and destination MAC addresses to be those of the Access Point and of the users, respectively.
- When wireless users receive a de-authentication request frame, they believe it was sent by the Access Point.


- After cutting one user off from the wireless service, the attacker repeats the same steps for the remaining users.
- Normally the user would reconnect to restore service, but the attacker quickly sends de-authentication request packets to the user again.

2.1.3. Fake Access Point
The attacker uses a tool that can send beacon packets with spoofed physical (MAC) addresses and fake SSIDs to create countless fake Access Points. This confuses all of the users' wireless NIC driver software.
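Both the de-authentication flood of section 2.1.2 and the disassociation flood of section 2.1.5 show up on a wireless monitor as a burst of disconnect frames from one transmitter address, and the fake-AP flood of section 2.1.3 shows up as many never-seen BSSIDs beaconing within a short time. The following detector is an added example written for this page, not code from the report; the frame records and thresholds are constructed, and a real deployment would feed it frames decoded from a monitor-mode capture.

```python
"""Detect deauth/disassoc floods and beacon (fake-AP) floods from 802.11 management-frame records."""
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0
DEAUTH_THRESHOLD = 10        # deauth/disassoc frames per window from one transmitter
BEACON_BSSID_THRESHOLD = 20  # distinct BSSIDs beaconing within one window


def detect_floods(frames, window=WINDOW_SECONDS, deauth_threshold=DEAUTH_THRESHOLD,
                  beacon_threshold=BEACON_BSSID_THRESHOLD):
    """frames: iterable of (timestamp_seconds, subtype, transmitter_mac, bssid).
    subtype is one of "beacon", "deauth", "disassoc" (other subtypes are ignored).
    Returns a list of (alert_kind, detail) tuples, at most one per offending transmitter."""
    alerts = []
    fired = set()
    per_tx = defaultdict(deque)  # transmitter -> timestamps of its recent disconnect frames
    beacons = deque()            # (timestamp, bssid) of recent beacons
    for ts, subtype, tx, bssid in sorted(frames):
        if subtype in ("deauth", "disassoc"):
            q = per_tx[tx]
            q.append(ts)
            while ts - q[0] > window:          # slide the window
                q.popleft()
            if len(q) >= deauth_threshold and ("disconnect-flood", tx) not in fired:
                fired.add(("disconnect-flood", tx))
                alerts.append(("disconnect-flood", tx))
        elif subtype == "beacon":
            beacons.append((ts, bssid))
            while ts - beacons[0][0] > window:
                beacons.popleft()
            distinct = len({b for _, b in beacons})
            if distinct >= beacon_threshold and "beacon-flood" not in fired:
                fired.add("beacon-flood")
                alerts.append(("beacon-flood", distinct))
    return alerts


def sample_frames():
    """Constructed capture: benign background, then a spoofed deauth burst, then a beacon storm."""
    ap = "00:11:22:aa:bb:01"  # constructed address of the legitimate AP
    frames = []
    for i in range(100):                       # one real beacon every 100 ms for 10 s
        frames.append((i * 0.1, "beacon", ap, ap))
    frames.append((2.0, "deauth", ap, ap))     # two legitimate deauths, far apart
    frames.append((7.5, "deauth", ap, ap))
    for i in range(30):                        # 2.1.2/2.1.5: 30 deauths in ~0.5 s bearing the AP's address
        frames.append((4.0 + i * 0.016, "deauth", ap, ap))
    for i in range(25):                        # 2.1.3: 25 beacons from 25 unseen BSSIDs within 300 ms
        fake = f"02:00:00:00:00:{i:02x}"
        frames.append((8.0 + i * 0.012, "beacon", fake, fake))
    return frames


if __name__ == "__main__":
    for kind, detail in detect_floods(sample_frames()):
        print(kind, detail)
```

The transmitter address in a spoofed deauth frame is the legitimate AP's own, so the alert names the address being impersonated rather than the attacker; correlating it with the AP's wired-side logs (which will show no such disconnects) is what distinguishes a flood from a genuinely misbehaving AP.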

Figure 2-12 Model of the Fake Access Point attack

2.1.4. Attack based on physical-layer carrier sense
The attacker abuses the CSMA/CA collision-avoidance protocol, making every user believe that at every moment some station in the network is transmitting. The other machines therefore wait forever for the attacker's "transmission" to finish, and the network becomes congested. Radio frequency is a security weakness of wireless networks; how dangerous it is depends on the physical-layer interface. A few parameters determine how much the network can withstand: transmitter power, receiver sensitivity, the RF (Radio Frequency) band, bandwidth, and antenna directivity. 802.11 uses the carrier-sense multiple access (CSMA) algorithm to avoid collisions; CSMA is part of the MAC layer and is used to make sure data does not collide on the medium. This attack does not use noise to cause errors in the network; it abuses the standard itself. There are many ways to exploit the physical carrier-sense protocol. The simplest is to make the nodes of the network believe that some node is transmitting at the present moment, and the easiest way to do that is to create a fake node that transmits continuously. Another is to use an RF signal generator. A more sophisticated variant is to switch a network card into a test mode in which it transmits a test pattern continuously. Every node within range of a fake node senses the carrier, and while one node is transmitting, no other node may transmit.

2.1.5. Disconnection attack

Figure 2-13 Model of the disconnection attack
- The attacker identifies the targets (wireless clients) and the association between the AP and those clients.
- The attacker sends disassociation frames, spoofing the source and destination MAC addresses, to the AP and to the corresponding clients.
- The clients receive these frames and believe the disconnect frame came from the AP. At the same time the attacker also sends disassociation frames to the AP.
- After disconnecting one client, the attacker repeats the same steps with the remaining clients, making the clients disconnect from the AP automatically.


- When the clients are disconnected, they immediately reconnect to the AP.

- The attacker keeps sending disassociation frames to the AP and the clients.

It is easy to confuse the 2 attacks, the Disassociation flood attack and the De-authentication Flood Attack.
Similarities: in form they can be considered the same, like a double-barrelled cannon attacking the Access Point and the clients at once; more importantly, both fire continuously.
Differences:
- De-authentication Flood Attack: forces both the AP and the client to send authentication frames again, leading to authentication failure.
- Disassociation Flood Attack: sends disassociation frames that make the AP and the client believe the association between them has been dropped.

2.2. WLAN security solutions
Given the attacks described above, a hacker can exploit any weak point to attack a WLAN at any time. Proposing security measures for WLANs is therefore urgent. Below are the WLAN security measures of successive periods. Some of them, such as WEP encryption, have been defeated by hackers, but within the scope of this project Group 4 presents them to make clear the advantages and disadvantages of each security solution, so that the solution appropriate to each WLAN model can be chosen.

2.2.1. WEP
WEP (Wired Equivalent Privacy) means wireless security equivalent to that of a wired network. In practice, WEP put user authentication and data protection into the same insecure mechanism. WEP uses a fixed encryption key of 64 or 128 bits (minus the 24 bits used for the initialization vector, so the key proper is only 40 or 104 bits), used both to authenticate the devices allowed onto the network and to encrypt the transmitted data. Quite simply, these keys are easily broken by brute-force algorithms and trial-and-error attacks. Free software such as Aircrack-ng, AirSnort or WEPCrack lets a hacker break the key after collecting 5 to 10 million packets on a wireless network. 128-bit keys are no harder: 24 bits go to the initialization vector, so only 104 bits are used, and because the cipher and the method are the same as for the 64-bit length, 128-bit encryption is just as easily broken. In addition, weaknesses in the initialization vectors let a hacker find the key much faster with far fewer packets. Errors in the key cannot be predicted. WEP could be made considerably stronger if it used an authentication protocol that supplies a new encryption key for every session: the key would change on every session, making it far harder for a hacker to collect the packets needed to break it.

2.2.2. WLAN VPN
A virtual private network (VPN) protects the WLAN by creating a channel that shields the data from unauthorized access. The VPN provides a high level of trust through a security mechanism such as IPsec (Internet Protocol Security). IPsec encrypts the data and uses other algorithms to authenticate it; IPsec also uses public-key certificates. When used on a WLAN, the VPN gateway takes on authentication, encapsulation and encryption.
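Two of the statements in section 2.2.1 are worth seeing in code: the advertised 64/128-bit WEP key really is a 40/104-bit key plus a 24-bit IV sent in the clear, and because WEP feeds IV || key into RC4 anew for every frame, a repeated IV under the same key reproduces the same keystream, which is what makes the small IV space and the lack of per-session keys matter. The following is an added example written for this page, not code from the report; the 40-bit key, the IV and the two plaintexts are constructed, and the ICV is omitted because it does not affect the keystream argument.

```python
"""WEP's 24-bit IV: effective key size, expected IV reuse, and keystream reuse under RC4."""
import math

IV_BITS = 24


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA then PRGA), the stream cipher WEP is built on."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def effective_key_bits(advertised_bits: int) -> int:
    """The marketed 64/128-bit WEP key length includes the 24-bit IV transmitted in clear."""
    return advertised_bits - IV_BITS


def frames_until_iv_repeat(probability: float = 0.5) -> int:
    """Birthday bound: number of frames after which some IV has repeated with the given
    probability, assuming IVs are drawn uniformly at random (the sender's best case)."""
    space = 2 ** IV_BITS
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


def wep_protect(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-frame RC4 key is IV || shared key; the IV is prepended in clear to the body.
    The ICV that real WEP appends is omitted here (it does not change the keystream)."""
    assert len(iv) == IV_BITS // 8
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_of_bodies(frame_a: bytes, frame_b: bytes) -> bytes:
    """For two frames protected under the same key and the same IV, the keystreams are
    identical, so XOR of the encrypted bodies equals XOR of the two plaintexts."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("IVs differ, so the keystreams differ as well")
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))


# Constructed 40-bit shared key and two frames that happen to reuse IV 0x000001.
KEY_40 = bytes.fromhex("0102030405")
P1 = b"GET / HTTP/1.0"
P2 = b"POST / HTTP/1."
F1 = wep_protect(KEY_40, b"\x00\x00\x01", P1)
F2 = wep_protect(KEY_40, b"\x00\x00\x01", P2)

if __name__ == "__main__":
    print("effective bits:", effective_key_bits(64), effective_key_bits(128))
    print("frames until an IV repeat is more likely than not:", frames_until_iv_repeat())
    print("XOR of bodies equals XOR of plaintexts:",
          xor_of_bodies(F1, F2) == bytes(a ^ b for a, b in zip(P1, P2)))
```

The birthday figure (a few thousand frames for a 50% chance of a repeat, and a certainty after 2^24 frames) is the quantitative reason behind the text's remark that weak or repeated IVs shorten the capture needed; a protocol that derives a fresh key per session or per frame, as the later standards in this chapter do, removes the condition under which two frames share a keystream.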


Figure 2-14 WLAN VPN model

2.2.3. TKIP (Temporal Key Integrity Protocol)
An IEEE solution developed in 2004, TKIP is an upgrade to WEP intended to fix the security problems of WEP's use of the RC4 cipher. TKIP hashes the IV, adds a MIC (message integrity check) to guarantee the integrity of each packet, and uses dynamic keys, giving each frame a sequence number to defeat forgery and replay attacks.

2.2.4. AES
In cryptography, AES (Advanced Encryption Standard) is a block cipher adopted by the United States government as an encryption standard. Like its predecessor DES, AES is expected to be used worldwide and has been studied very thoroughly. AES was adopted as a federal standard by the US National Institute of Standards and Technology (NIST) after a 5-year standardization process. The algorithm was designed by 2 Belgian cryptographers, Joan Daemen and Vincent Rijmen (who entered the AES design competition under the joint name Rijndael). Rijndael is pronounced "Rhine dahl".


2.2.5. 802.1X and EAP
802.1x is the IEEE specification for port-based network access control. It works on both traditional wired networks and wireless ones. Access control works as follows: when a user tries to connect to the network, the user's connection is placed in the blocking state and only the user identity check is allowed to proceed until it completes.

Figure 2-15 802.1x authentication model

EAP is the authentication framework: it covers the request for the user's identity (password, certificate, ...) and the protocol used (MD5, TLS (Transport Layer Security), OTP (One Time Password), ...), and supports automatic key generation and mutual authentication. The 802.1x-EAP authentication process is as follows. A wireless client wants to associate with an AP in the network.
1. The AP blocks all traffic from the client until the client has logged on to the network. The client requests association with the AP.
2. The AP answers the association request with an EAP identity request.
3. The client sends an EAP identity response to the AP.
4. The client's EAP identity response is forwarded to the authentication server.
5. The authentication server sends an authorization request to the AP.


6. The AP forwards the authorization request to the client.
7. The client sends its EAP authorization response to the AP.
8. The AP forwards the response to the authentication server.
9. The authentication server sends an EAP success message to the AP.
10. The AP forwards the success message to the client and puts the client's port into forwarding mode.

2.2.6. WPA (WI-FI Protected Access)
WEP was built to protect a wireless network from eavesdropping, but many holes were quickly found in this technology. A new technology named WPA (Wi-Fi Protected Access) was therefore created, fixing many of WEP's weaknesses. Among the most important improvements in WPA is the use of the TKIP key-changing function. WPA uses the RC4 algorithm like WEP, but with a full 128-bit key, and another difference is that WPA changes the key for every packet. The tools that collect packets to crack the encryption key do not work against WPA: because WPA changes the key continuously, a hacker can never collect enough sample data to recover the key. WPA also includes a message integrity check, so data cannot be altered in transit. WPA comes in 2 variants, WPA Personal and WPA Enterprise. Both use the TKIP protocol; the only difference is the initial encryption key. WPA Personal suits home and small office networks, where the initial key is entered at the access points and the client devices. WPA Enterprise needs an authentication server and 802.1x to supply the initial keys for each session.

Notes:
i. There is a hole in WPA, and it only affects WPA Personal. The TKIP key-changing function is used to produce keys that have not been revealed, but if a hacker can guess the initial key, or part of the password, they can determine the entire password and so decrypt the data. This hole is removed by using unpredictable initial keys (do not use words like P@SSWORD as the password).
ii. This also means that WPA's TKIP trick is only a temporary solution and does not yet provide the highest level of security. WPA is only suitable for companies that do not transmit trade secrets or sensitive information; it also suits day-to-day activities and technology trials.

2.2.7. WPA2
The long-term solution is to use 802.11i, which corresponds to WPA2 as certified by the Wi-Fi Alliance. This standard uses the strong encryption algorithm called the Advanced Encryption Standard, AES. AES uses the Rijndael symmetric block cipher with a 128-bit block and 128-, 192- or 256-bit keys. After evaluating this cipher, the US National Institute of Standards and Technology (NIST) approved it. Note: this encryption standard is used by US government agencies to protect sensitive information. AES is considered far more secure than 128-bit WEP or 168-bit DES (Digital Encryption Standard). For performance, the encryption needs to be done in hardware integrated into the chip. However, very few wireless users pay attention to this. Moreover, most WI-FI handheld devices and barcode scanners are not compatible with the 802.11i standard.

2.2.8. FILTERING
Filtering is a basic security mechanism that can be used together with WEP. Filtering works like an access list on a router: it blocks what is unwanted and allows what is wanted. There are 3 basic kinds of filtering usable in a wireless LAN:
- SSID filtering
- MAC address filtering
- Protocol filtering


Lc SSID

Lc SSID l phng thc c bn ca lc v ch nn c s dng trong vic iu khin truy cp c bn. SSID ca client phi khp vi SSID ca AP c th xc thc v kt ni vi tp dc v. SSID c qung b m khng c m ha trong cc Beocon nn rt d b pht hin bng cch s dungjcacs phn mm. Mt s sai lm m ngi s dung WLAN mc phi trong qun l SSSID gm: S dng gi tr SSID mc nh to iu kirnj cho hacker d tm a ch MAC ca AP. S dng SSID c lin qua n cng ty. S dng SSID nh l phng thc bo mt ca cng ty. Qung b SSID mt cch khng cn thit.
Lc a ch MAC

Hu ht cc AP u c chc nng lc a ch MAC. Ngi qun tr xy dng danh sch cc a ch MAC c cho php. Nu client c a ch MAC khng nm trong danh sch lc a ch MAC ca AP th AP s ngn chn khng cho php client kt ni vo mng. Nu cng ty c nhiu client th c th xy dng my ch RADIUS c chc nng lc a ch MAC thay v AP. Cu hnh lc a ch MAC l gii php bo mt c tnh m rng cao.
Lc giao thc

Mng Lan khng dy c th lc cc gi i qua mng da trn cc giao thc t lp 2 n lp 7. Trong nhiu trng hp ngi qun tr nn ci t lc giao thc trong mi trng dng chung,

Nhm 4 MM02A - C CNTT Hu Ngh Vit Hn

Trang 23

Bo mt WLAN bng chng thc RADIUS

Hnh 2-16 Tin trnh xc thc MAC C mt nhm cu ni khng dy c t trn mt Remote building trong mt mng WLAN ca mt trng i hc m kt ni li ti AP ca ta nh k thut trung tm. V tt c nhng ngi s dng trong Remote builing chia s bng thng 5Mbs gia nhng ta nh ny, nn mt s lng ng k cc iu khin trn cc s dng ny phi c thc hin. Nu cc kt ni ny c ci t vi mc ch c bit ca s truy nhp internet ca ngi s dng, th booj lc giao thc s loi tr tt c cc giao thc, ngoi tr HTTP, SMTP, HTTPS, FTP

Hnh 2-17 Lc giao thc


2.3. Conclusion

Having gone through the attack forms and the WLAN security solutions above, the network designer and the network security engineer must know specifically which attacks can occur against the network model they are designing. From that they can choose security solutions suited to each model, ensuring security while also keeping the network convenient and not making life difficult for users. Below are some security types applied to different network models.
- For public hotspots, encryption is not necessary; only user authentication is required.
- For home WLAN users, a security method with a WPA passphrase or pre-shared key is recommended.
- For the enterprise solution, the security process is optimized with 802.1x EAP as the authentication method and TKIP or AES as the encryption method, based on the WPA or WPA2 standard and 802.11i security.
- For enterprises that require security and tight, centralized user management, an optimal solution is to use the RADIUS authentication service combined with WPA2. With this authentication service, users do not share one common key; each has an individual login name and password, managed by the AAA server. Details of the authentication service are presented in the next chapter.

Figure 2-18 Escalating Security


CHAPTER 3. THE RADIUS AUTHENTICATION PROTOCOL AND THE RADIUS SERVER

3.1. The RADIUS protocol

3.1.1. Overview of the RADIUS protocol

RADIUS is a widely used protocol that provides centralized authentication, authorization and accounting for network access. It was originally developed for dial-in connections; RADIUS now also supports VPN servers, wireless access points, authenticating switches, DSL access and other kinds of network access. RADIUS is described in RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)" (IETF Draft Standard), and RFC 2866, "RADIUS Accounting" (Informational).

3.1.2. Introduction

Two RADIUS protocols are described:
- RADIUS protocol 1: authentication, authorization and configuration information exchanged between a Network Access Server (NAS), which has requests that need to be authenticated, and a shared authentication server.
- RADIUS protocol 2: accounting information exchanged between the NAS and a shared accounting server.

3.1.3. Properties of RADIUS

RADIUS is in fact a transaction protocol with the following main properties:

If a request sent to the primary authentication server fails, the request must be sent to a secondary server. To meet this requirement, a copy of the request must be kept above the transport layer so that it can be sent to an alternate server, which means there must be timers for retransmission.


RADIUS's timing requirements are very different from TCP's. On the one hand, RADIUS does not need responsive detection of lost data: the user is willing to wait several seconds for authentication to complete. The aggressive retransmission that TCP performs, based on average round-trip times, is unnecessary, as is the acknowledgement overhead. On the other hand, the user cannot wait many minutes for authentication; waiting that long is useless. Quickly falling over to an alternate server lets the user get onto the network before giving up.

RADIUS's nearly stateless nature simplifies the use of UDP. Clients and servers come and go on the network; systems reboot for one reason or another, such as a power failure. These abnormal events are generally harmless when there are good timeouts and broken TCP connections are detected, but UDP sidesteps these special cases entirely: clients and servers can start sending UDP datagrams as soon as they are up, and the datagrams travel across the network regardless of such events.

UDP simplifies the server implementation. In earlier versions the server was single-threaded, meaning only one request at a time was received, processed and answered. This is unmanageable in an environment with real-time back-end security mechanisms: the server's request queue fills up, and in an environment with hundreds of people requesting authentication every minute, the turnaround time of a request becomes far longer than the user is willing to wait. The solution chosen was therefore a multi-threaded server over UDP. Separate processes are spawned on the server for each request, and these processes reply directly to the client NASs with UDP packets to the client's original transport address.

3.1.4. RADIUS protocol 1

3.1.4.1. Operation

When a client is configured to use RADIUS, any user of the client presents authentication information to the client. This might be a login prompt asking the user to enter a username and password, or the user may choose a protocol such as PPP to present this information in data packets. Once the client has this information, it may choose to authenticate using RADIUS. The client creates an access request containing attributes such as the user's password, the client's ID and the ID of the port the user is accessing. The password is hidden when entered (RSA or MD5 encryption). The access request is sent to the RADIUS server over the network. If no reply arrives within a set time, the request is re-sent. The client can forward the request to backup servers if the main server is down or unreachable, or operate in round-robin fashion.

Whenever the RADIUS server receives a request, it validates the sending client. Requests from clients that do not share a secret with the RADIUS server are not validated and receive no reply. If the client is valid, the RADIUS server looks up the user named in the request in its database (DB). The user's entry in the DB contains the list of requirements that must be met to allow the user onto the network. RADIUS always validates the user's password and may also validate the client ID and the port ID the user is permitted to access. The RADIUS server may ask other servers to validate the request, in which case RADIUS acts as a client.

If any condition is not met, the RADIUS server sends an access reject reply indicating that the user's request is invalid. The server may include a text message in the access-reject for the client to display to the user. No other attributes are permitted in an access-reject.

If all conditions are met and the RADIUS server wants to issue a challenge that the user must answer, RADIUS sends an access-challenge reply, which may carry a text message for the client to display to the user, or a state attribute. The client receives the access-challenge and, if it supports challenge/response, displays the message prompting the user to respond. The client then re-submits the original access-request with a new request ID, with the username/password attributes taken from the information just entered, and with the state attribute from the access-challenge included. The RADIUS server may reply to an access-request with an access-accept, an access-reject or another access-challenge.

If in the end all conditions are met, the list of configuration values for the user is placed in the access-accept reply. These values include the type of service (SLIP, PPP, Login, ...) and the values needed to deliver that service. For SLIP or PPP, for example, these may be the IP address, subnet mask, MTU, compression method and packet filter identifier. In character mode they may be the protocol and the host name.

3.1.4.2. Packet format

Exactly one RADIUS packet is encapsulated in the data field of a UDP packet, and the destination port number is 1812. When a reply is generated, the source and destination port numbers are carried over. A RADIUS packet is defined as follows (fields are transmitted from left to right).

Figure 4-19 Packet Format

Code: The Code field is one octet and identifies the type of RADIUS packet. A packet with an invalid Code field is silently discarded. RADIUS codes (decimal) are assigned as follows:

  1    Access-Request
  2    Access-Accept
  3    Access-Reject
  4    Accounting-Request
  5    Accounting-Response
  11   Access-Challenge
  12   Status-Server (experimental)
  13   Status-Client (experimental)
  255  Reserved

Codes 4 and 5 are covered in the RADIUS accounting document [5]. Codes 12 and 13 are reserved for possible use but are not covered here.

Identifier: The Identifier field is one octet and helps match requests and replies. The RADIUS server can detect a duplicate request if it has the same client source IP address, source UDP port and Identifier within a short span of time.

Length: The Length field is two octets; it covers the Code, Identifier, Length, Authenticator and Attribute fields. Octets outside the range given by the Length are treated as padding and ignored on reception. If a packet is shorter than the Length field says, it is silently discarded. The minimum Length is 20 and the maximum is 4096.

Authenticator: The Authenticator field is 16 octets, most significant octet first. It is used to authenticate the reply from the RADIUS server and is used in the password hiding algorithm.

Request Authenticator: In access-request packets the value of the Authenticator field is a 16-byte random number called the Request Authenticator. The value must be unpredictable and unique over the lifetime of the secret (the password shared between the client and the RADIUS server): if the value repeated, an attacker could answer the request without the RADIUS server's involvement. The Request Authenticator should therefore be globally and temporally unique. Although the RADIUS protocol cannot prevent eavesdropping on the authentication session on the wire, generating unpredictable Request Authenticator values greatly limits the consequences.

The NAS and the RADIUS server share a secret. This shared secret, followed by the Request Authenticator, is run through the MD5 algorithm to produce a 16-byte value. That value is XORed with the password the user entered, and the result is placed in the user-password attribute of the access-accept packet.

Response Authenticator: The value of the Authenticator field in access-request, access-reject and access-challenge packets is called the Response Authenticator. It is computed as the MD5 hash over the byte string consisting of the Code, Identifier and Length fields, the Authenticator of the access-request, the reply attributes and the shared secret:

    ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)

where + denotes concatenation.

Administrative note: The secret (the password shared between the client and the RADIUS server) should be at least as large and unguessable as a well-chosen password. It should preferably be at least 16 octets, which gives a large enough range to protect against exhaustive search attacks.

3.1.4.3. Packet types

The packet type is determined by the Code field, which occupies the first byte of the RADIUS packet.

Access-Request: Access-request packets are sent to the RADIUS server. They carry the information used to decide whether the user is allowed access to the NAS and to the requested services. The Code field must be 1. An access-request must contain the user-name attribute and either the user-password or the CHAP-password attribute, and may contain the NAS-IP-Address, NAS-Identifier, NAS-Port and NAS-Port-Type attributes. The Identifier field must change whenever the content of the Attributes field changes or a valid reply has been received for a previous request. When a packet is retransmitted, the Identifier is not changed.

Figure 4-20 Access-request packet format

Access-Accept: Access-accept packets are sent by the RADIUS server when all attribute values in the access-request are acceptable. They provide the configuration information needed to deliver services to the user. The Code field must be 2. An access-accept received by the NAS must have an Identifier matching the corresponding access-request sent earlier and a Response Authenticator consistent with the shared secret.

Figure 4-21 Access-accept packet format

Access-Reject: Access-reject packets are sent by the RADIUS server when any attribute value is not acceptable. The Code field must be 3. The packet may contain one or more reply-message attributes with a text message that the NAS displays to the user. The Identifier of the access-reject is a copy of that of the corresponding access-request.

Figure 4-22 Access-reject packet format

Access-Challenge: Access-challenge packets are sent by the RADIUS server to the user to request additional information that the user must supply. The Code field must be 11. The packet may contain one or more reply-message attributes and may contain one state attribute; no other attributes may appear in an access-challenge. The Identifier of the access-challenge must match the corresponding access-request sent earlier, and the Authenticator field must be consistent with the shared secret. If the NAS does not support challenge/response, a received access-challenge is treated as an access-reject. If the NAS does support challenge/response and the received access-challenge is valid, the NAS displays the message and asks the user to supply the information the RADIUS server requested. The NAS then sends the original access-request again, but with a new request ID and a new Request Authenticator, with the user-password attribute replaced by the user's (encrypted) response, and possibly including the state attribute from the access-challenge.


Figure 4-23 Access-challenge packet format

Attributes

RADIUS attributes, carried in request and reply packets, hold the authentication, authorization and configuration details needed to deliver services to the user. The Length field of the RADIUS packet determines where the attributes end. An attribute has the following form:

Figure 4-24 Attribute format

o Type: The Type field is one octet. Values 192-223 are reserved for experimental use, 224-240 for implementation-specific use, and 241-255 are reserved and should not be used. A RADIUS server may ignore attributes of an unknown type, and so may a RADIUS client. The values of interest are:

  1   User-Name
  2   User-Password
  3   CHAP-Password
  4   NAS-IP-Address
  5   NAS-Port
  6   Service-Type
  7   Framed-Protocol
  8   Framed-IP-Address
  9   Framed-IP-Netmask
  10  Framed-Routing
  11  Filter-Id
  12  Framed-MTU
  13  Framed-Compression
  14  Login-IP-Host
  15  Login-Service
  16  Login-TCP-Port
  17  (unassigned)
  18  Reply-Message
  19  Callback-Number
  20  Callback-Id
  21  (unassigned)
  22  Framed-Route
  23  Framed-IPX-Network
  24  State
  25  Class
  26  Vendor-Specific
  27  Session-Timeout
  28  Idle-Timeout
  29  Termination-Action
  30  Called-Station-Id
  31  Calling-Station-Id
  32  NAS-Identifier
  33  Proxy-State
  34  Login-LAT-Service
  35  Login-LAT-Node
  36  Login-LAT-Group
  37  Framed-AppleTalk-Link
  38  Framed-AppleTalk-Network
  39  Framed-AppleTalk-Zone
  40-59 (reserved for accounting)
  60  CHAP-Challenge
  61  NAS-Port-Type
  62  Port-Limit
  63  Login-LAT-Port

o Length: Gives the length of the attribute including the Type, Length and Value fields. If an attribute in an access-request has an invalid Length, the RADIUS server returns an access-reject. If an attribute in an access-reject, access-accept or access-challenge has an invalid Length, the NAS client treats the packet as an access-reject or silently discards it.

o Value: The format and length of the Value field are determined by the Type and Length fields. The Value field uses the following data types:

  Text     1-253 octets containing UTF-8 encoded 10646 [7] characters. Text of length zero (0) MUST NOT be sent; omit the entire attribute instead.
  String   1-253 octets containing binary data (values 0 through 255 decimal, inclusive). Strings of length zero (0) MUST NOT be sent; omit the entire attribute instead.
  Address  32 bit value, most significant octet first.
  Integer  32 bit unsigned value, most significant octet first.
  Time     32 bit unsigned value, most significant octet first - seconds since 00:00:00 UTC, January 1, 1970. The standard Attributes do not use this data type but it is presented here for possible use in future attributes.

3.1.5. RADIUS protocol 2

3.1.5.1. Operation

When a client is set up to use RADIUS Accounting, it generates an Accounting Start packet at the beginning of service delivery, describing the kind of service being delivered and the user it is delivered to, and sends it to the RADIUS accounting server, which in turn returns an acknowledgement that the packet was received. At the end of service delivery the client generates an Accounting Stop packet describing the kind of service delivered and, optionally, statistics such as elapsed time, input/output bytes and input/output packets; it sends this to the RADIUS accounting server, which again returns an acknowledgement. Accounting-request packets of both the start and stop types are sent to the RADIUS accounting server over the network. The client normally keeps re-sending the accounting-request at fixed intervals until it receives an acknowledgement (ACK). The client may forward the request to other servers if the primary server is down or broken; in that case the RADIUS accounting server acts as a client.

3.1.5.2. Packet format

Like RADIUS protocol 1, RADIUS protocol 2 has the fields code, identifier, length, authenticator and attributes, and differs only in their content. The Code field takes only the two values 4 and 5, for the two packet types accounting-request and accounting-response. Attributes valid in RADIUS access-request and access-accept packets are valid in accounting-request packets, except for a few that must not appear: User-Password, CHAP-Password, Reply-Message and State. Some attributes must always be present in an accounting-request, such as NAS-IP-Address and NAS-Identifier, and others should be present, such as NAS-Port and NAS-Port-Type.
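The packet layout, Length rules and Response Authenticator computation described in 3.1.4.2, 3.1.4.3 and 3.1.5.2 can be exercised end to end with the following Python. It is an added example, not code from this report or from any RADIUS implementation; the shared secret, identifiers and attribute values are constructed sample data, and the value 19 for NAS-Port-Type ("Wireless - IEEE 802.11") is taken from RFC 2865.

```python
"""Added example (not code from the report): RADIUS packet layout per
RFC 2865 as described in 3.1.4.2 and 3.1.4.3, with the Length rules and
the Response Authenticator check. The shared secret, identifiers and
attribute values are constructed sample data."""
import hashlib
import hmac
import os
import struct

# Packet codes (decimal) from the table in 3.1.4.2
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5

# Attribute types from the table in 3.1.4.3
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, REPLY_MESSAGE, STATE, NAS_PORT_TYPE = 1, 4, 5, 18, 24, 61
NAS_PORT_TYPE_WIRELESS_80211 = 19   # RFC 2865 value for "Wireless - IEEE 802.11"

HEADER_LEN, MAX_LEN = 20, 4096


def encode_attributes(attrs):
    """attrs: list of (type, value bytes). A value is 1..253 octets, so the
    attribute Length (type + length + value) is 3..255."""
    out = bytearray()
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


def _header(code, identifier, body_len):
    length = HEADER_LEN + body_len
    if length > MAX_LEN:
        raise ValueError("RADIUS packet longer than 4096 octets")
    return struct.pack("!BBH", code, identifier, length)   # Code, Identifier, Length


def build_access_request(identifier, attrs, request_auth=None):
    """Access-Request: the Authenticator is a fresh 16-octet random value."""
    ra = request_auth if request_auth is not None else os.urandom(16)
    body = encode_attributes(attrs)
    return _header(ACCESS_REQUEST, identifier, len(body)) + ra + body, ra


def response_authenticator(code, identifier, body, request_auth, secret):
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    data = _header(code, identifier, len(body)) + request_auth + body + secret
    return hashlib.md5(data).digest()


def build_response(code, identifier, request_auth, attrs, secret):
    body = encode_attributes(attrs)
    auth = response_authenticator(code, identifier, body, request_auth, secret)
    return _header(code, identifier, len(body)) + auth + body


def parse_packet(data):
    """Return (code, identifier, authenticator, length, [(type, value), ...]),
    or None when the datagram must be silently discarded."""
    if len(data) < HEADER_LEN:
        return None
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > MAX_LEN or len(data) < length:
        return None                      # shorter than Length: discard
    authenticator = data[4:20]
    attrs, pos = [], HEADER_LEN
    while pos < length:                  # octets beyond Length are padding
        if length - pos < 2:
            return None
        atype, alen = data[pos], data[pos + 1]
        if alen < 3 or pos + alen > length:
            return None                  # attribute Length overruns the packet
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, authenticator, length, attrs


def verify_response(reply, request_auth, secret):
    """Check a server reply against the Request Authenticator we sent."""
    parsed = parse_packet(reply)
    if parsed is None:
        return False
    code, identifier, auth, length, _ = parsed
    expected = response_authenticator(code, identifier, reply[HEADER_LEN:length],
                                      request_auth, secret)
    return hmac.compare_digest(auth, expected)   # constant-time compare


def demo():
    secret = b"constructed-shared-secret"          # sample only
    attrs = [(USER_NAME, b"viet"),
             (NAS_IP_ADDRESS, bytes([10, 10, 6, 1])),
             (NAS_PORT, struct.pack("!I", 0)),
             (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))]
    request, ra = build_access_request(7, attrs)
    accept = build_response(ACCESS_ACCEPT, 7, ra, [(REPLY_MESSAGE, b"welcome")], secret)
    tampered = bytearray(accept)
    tampered[-1] ^= 1                              # flip one bit of the reply message
    return {
        "request_code": parse_packet(request)[0],
        "accept_verified": verify_response(accept, ra, secret),
        "wrong_secret_rejected": not verify_response(accept, ra, b"other-secret"),
        "tampered_rejected": not verify_response(bytes(tampered), ra, secret),
    }
```

The parser applies the Length rules from the text literally: octets past Length are ignored, a datagram shorter than its Length is dropped, and an attribute whose Length overruns the packet invalidates the whole datagram. A reply is only accepted when its Response Authenticator matches the Request Authenticator the client sent, which is what ties a server's answer to one specific request.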

For further details, readers can refer to http://www.faqs.org/rfcs/rfc2865.html

3.1.6. Encryption and decryption method

The user-password attribute carried in access-request or access-challenge packets represents the user's password and is hidden while in transit to the RADIUS server. The password is padded with NUL characters so that its length is a multiple of 16 bytes. A one-way MD5 hash is computed over the byte string formed by the shared secret between the NAS and the RADIUS server followed by the Request Authenticator. The resulting value is XORed with the first 16-byte segment of the password, and the result is placed in the first 16 bytes of the Value field of the user-password attribute. If the password is longer than 16 characters, a second hash is computed over the shared secret followed by the result of the previous XOR. That hash is XORed with the next 16 bytes of the password, and the result is placed in the next 16 bytes of the String value of the user-password attribute. The process continues until every segment of the padded password (at most 128 characters) has been processed. See RFC 2865 for further reference.

Call the shared secret S and the 128-bit Request Authenticator RA. Break the password, padded with NUL characters if necessary, into 16-byte chunks p1, p2, ...; call the ciphertext blocks c(1), c(2), ... and the intermediate values b1, b2, ...; + denotes concatenation.

    b1 = MD5(S + RA)          c(1) = p1 xor b1
    b2 = MD5(S + c(1))        c(2) = p2 xor b2
         .                         .
         .                         .
    bi = MD5(S + c(i-1))      c(i) = pi xor bi

    The String will contain c(1)+c(2)+...+c(i) where + denotes concatenation.

When the RADIUS packet is received, the same process is run in reverse to recover the password.
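The chain above, written out as running Python for both directions. This is an added example, not code from the report or from RFC 2865 itself; the secret, Request Authenticator and passwords are constructed sample values. The demo also checks the property the text insists on in 3.1.4.2: hiding the same password twice under the same Request Authenticator gives the same bytes, so the authenticator must never repeat.

```python
"""Added example (not code from the report): RFC 2865 User-Password hiding
exactly as laid out above,
    b1 = MD5(S + RA),      c(1) = p1 xor b1
    bi = MD5(S + c(i-1)),  c(i) = pi xor bi
and its inverse. Secret, Request Authenticator and password below are
constructed sample values."""
import hashlib
import os

BLOCK = 16           # MD5 digest size; the password is padded to a multiple of it
MAX_PASSWORD = 128   # longest password the scheme carries (8 blocks)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """Return the String value of the User-Password attribute."""
    if not 1 <= len(password) <= MAX_PASSWORD:
        raise ValueError("password must be 1..128 octets")
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * ((-len(password)) % BLOCK)   # NUL pad to 16n
    hidden = bytearray()
    prev = request_auth                            # first block hashes S + RA
    for i in range(0, len(padded), BLOCK):
        b = hashlib.md5(secret + prev).digest()    # b(i) = MD5(S + c(i-1))
        c = _xor(padded[i:i + BLOCK], b)           # c(i) = p(i) xor b(i)
        hidden += c
        prev = c                                   # the next block chains on c(i)
    return bytes(hidden)


def unhide_password(hidden, secret, request_auth):
    """Receiver side: rebuild each b(i) from the ciphertext blocks already in
    hand, XOR them back out, then strip the NUL padding."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        plain += _xor(c, hashlib.md5(secret + prev).digest())
        prev = c
    return bytes(plain).rstrip(b"\x00")            # a password cannot end in NUL here


def demo():
    secret = b"constructed-shared-secret"
    ra = os.urandom(16)                            # fresh Request Authenticator
    pw = b"constructed-password-longer-than-16"    # 35 octets -> 3 blocks
    hidden = hide_password(pw, secret, ra)
    again = hide_password(pw, secret, ra)          # same RA -> identical bytes
    other = hide_password(pw, secret, os.urandom(16))
    return {
        "blocks": len(hidden) // BLOCK,
        "round_trip": unhide_password(hidden, secret, ra) == pw,
        "same_ra_repeats": hidden == again,
        "fresh_ra_differs": hidden != other,
    }
```

Note that the receiver never needs the plaintext of earlier blocks to compute b(i): each b(i) depends only on the secret and on the ciphertext block c(i-1), which is why decryption can proceed block by block exactly as encryption did.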


3.2. RADIUS SERVER

3.2.1. Overview

WLAN security using the 802.11x standard is combined with user authentication at the AP. A server that performs authentication on the RADIUS platform may be the best solution for providing authentication for 802.11x.

Figure 4-25 Authentication model using a RADIUS server

3.2.2. Authentication, authorization and accounting

The RADIUS protocol is defined in RFC 2865 as follows: "with the ability to provide centralized authentication, authorization and access control (Authentication, Authorization and Accounting, AAA) for SLIP and PPP dial-up sessions." Internet service providers (ISPs) rely on this protocol to authenticate users when they access the internet. Instead of each NAS having to work with a list of usernames and passwords for authorization, a RADIUS Access-Request forwards the information to an Authentication Server, usually an AAA server. In the system architecture this makes it possible to concentrate the data, the user information and the access controls at a single point, while still serving a large system, providing a solution for many NASs.

When a user connects, the NAS sends a RADIUS Access-Request message to the AAA server, carrying information such as Username, Password, UDP port, NAS identifier and an Authentication message. On receipt, the AAA server uses the supplied NAS Identifier and Authenticator to verify whether this NAS is permitted to send requests. If so, the AAA server checks the username and password with which the user requested access against its database. If the check succeeds, it uses the information in the Access-Request to decide that the user's access is accepted.

Once the authentication exchange begins, the AAA server may return a RADIUS Access-Challenge carrying a random number. The NAS forwards it to the remote user. When the user has answered the challenge correctly, the NAS sends the AAA server a RADIUS Access-Request. After checking that the user's information fully satisfies the requirements for using the service, the AAA server returns a RADIUS Access-Accept message. If the requirements are not met, the AAA server returns a RADIUS Access-Reject and the NAS disconnects the service.

When the Access-Accept has been received and RADIUS Accounting is configured, the NAS sends a RADIUS Accounting-Request to the AAA server. The server adds the information to its log file, recording when the NAS allowed the user's session to start and when it ended. RADIUS Accounting records the user's authentication process in the system; when the session ends, the NAS sends another RADIUS Accounting-Request.

3.2.3. Security and scalability

All RADIUS messages are encapsulated in UDP datagrams and contain the message type, sequence number, length, authenticator and a series of attribute values, as examined above.


3.2.4. Applying RADIUS to a WLAN

In a WLAN using 802.11x port access control, the wireless stations play the role of Remote Access clients and the Wireless Access Point works as a NAS (Network Access Server). Instead of connecting to the NAS over dial-up with the PPP protocol, the wireless station connects to the AP using the 802.11 protocol.

When the process starts, the wireless station sends an EAP-Start to the AP. The AP asks the station to identify itself and forwards that identity to an AAA server as a RADIUS Access-Request carrying the User-Name attribute. The AAA server and the wireless station complete the exchange by passing RADIUS Access-Challenge and Access-Request messages through the AP. Depending on the EAP type chosen above, this information is carried inside an encrypted TLS tunnel. If the AAA server sends an Access-Accept message, the AP and the wireless station complete the connection and run the session using WEP or TKIP to encrypt the data. At that point the AP no longer blocks the port, and the wireless station can send and receive data on the network normally. Note that the encryption of data between the wireless station and the AP is separate from the encryption between the AP and the AAA server. If the AAA server sends an Access-Reject message, the AP disconnects the wireless station. The wireless station may retry authentication, but the AP stops this station from sending UDP packets to nearby APs. Note that this station can still listen to the data transmitted by other stations: in practice the data travels over radio waves, which is why you must encrypt data on a wireless network.

The attribute-value pairs included in RADIUS messages can be used by the AAA server to shape the session between the AP and the wireless station, such as Session-Timeout or a VLAN tag (Tunnel-Type=VLAN, Tunnel-Private-Group-ID=TAG). Exactly which information is added depends on the AAA server, the AP and the wireless station you are using.


3.2.5. Additional options

The first thing you must understand is the role of RADIUS in WLAN authentication: you need to set up an AAA server that supports this interaction. If an AAA server, called RADIUS, is ready to support 802.11x authentication and lets you select the EAP types, you move on to the next step, which is how to set up this feature. If you have a RADIUS server that does not support 802.11x, or does not support the EAP type, you can either update the server software to a newer version or install a new server. If you install a new server that supports 802.11x authentication, you can use the RADIUS proxy feature to set up a chain of servers sharing one centralized database; the RADIUS proxy forwards authentication requests to the servers capable of 802.11x authentication. If you have no RADIUS server, you need to install one for WLAN authentication, and choosing that installation is an interesting task.

As a central point of control, the RADIUS solution for a WLAN is very important: if your network has many APs, configuring security on each of them separately is hard to manage, users could authenticate at many different APs, and that is not really secure. Using RADIUS for the WLAN brings great convenience, authenticates the whole system of many APs, and provides smarter solutions.


CHAPTER 4. SECURING A WLAN WITH RADIUS AUTHENTICATION

4.1. Analysis and design of a WLAN security authentication system with RADIUS

4.1.1. Introduction

Starting from the easily seen benefits such as flexibility and convenience of deploying WLANs in public places, offices and schools, and especially at the Vietnam-Korea Friendship IT College (Trường CĐ CNTT Hữu Nghị Việt Hàn), where lecturers and students in the dormitory area have a great need for internet access, Group 4 proposes a WLAN deployment model with RADIUS authentication for the college dormitory, serving the college's lecturers, staff and students.

For lecturers and staff, the data transmitted over the network needs to be protected in transit, so these subjects are organized into OUs and Groups with permissions and suitable policies, meeting the need to protect data on the network as well as handling authorization.

For students, the main need is internet access, so they are organized into suitable OUs and groups. Students who want to use the WLAN are issued a user name and password. Access-time limits as well as fee-related matters, etc., can then be applied to these users.

4.1.2. System requirements

4.1.2.1. Hardware

One server on which to deploy RADIUS, one PC or laptop as a client (it must have a wireless card), and at least one Access Point that supports RADIUS authentication.

4.1.2.2. Software

On the server, install the Windows Server 2003 operating system.


4.2. Installation and deployment procedure

4.2.1. Install and configure DHCP

4.2.1.1. Install DHCP

Go to Control Panel > Add/Remove Programs > Add/Remove Windows Components > Networking Services, select Dynamic Host Configuration Protocol (DHCP) and click OK.

4.2.1.2. Configure DHCP

Open the DHCP console from Administrative Tools, right-click the server name and choose Authorize to register it with the DC. Create a scope named radiusdhcp:
- Scope range: 10.10.6.100/24 - 10.10.6.200/24
- Lease Duration: 8 days
- Default Gateway: 10.10.6.1
- DNS Server: 10.10.6.99, 203.162.0.181

Figure 5-26 Result of the server's DHCP configuration

4.2.2. Install an Enterprise CA and request a certificate from the Enterprise CA server

4.2.2.1. Install the Enterprise CA

Go to Control Panel > Add/Remove Programs > Add/Remove Windows Components > Certificate Services, select Certificate Services CA and Certificate Services Web Enrollment Support, and click OK (during installation remember to also select IIS, which the Web Enrollment wizard uses). In the following wizards choose Enterprise root CA, name this CA wifi, and click Next until finished.

Figure 5-27 Enterprise CA configuration parameters

4.2.2.2. Request a certificate from the Enterprise CA server

There are two ways to request a certificate from the Enterprise CA server.

First, in a browser enter the address http://ip-ca-server/certsrv, in this case http://10.10.6.99/certsrv, enter the administrator user name and password, then choose Request a Certificate > Advanced Certificate Request > Create and submit a request to this CA. On the Advanced Certificate Request page choose the Certificate Template and fill in the Identifying information for offline template section. Under Key Options tick Store certificate in the local computer certificate store. After the certificate has been issued, click Install this certificate to install it.

Second, go to Run and type mmc. In the Console Root window choose Add/Remove Snap-in > Add > Certificates, select the snap-in for the computer account and choose Local computer. Then choose All Tasks > Request New Certificate, select Domain Controller and name it radius. After the request, the certificate is named as shown below. In C:\ you will find the certificate server1.mm02a.com-wifi.crt; install it.

Figure 5-28 Result after requesting a certificate from the Enterprise CA server

4.2.3. Create users, grant users Remote Access permission and switch to Native Mode

4.2.3.1. Create the OU named KTX

In Administrative Tools open Active Directory Users and Computers. Create an OU named wifi. In OU wifi create a user named viet with the password aA123456. Also in this OU, create the group sinhvien and add user viet to group sinhvien.

Figure 5-29 Creating the OU, user and group


4.2.3.2. Switch to Native Mode

To control user access through a Remote Access Policy, open Active Directory Users and Computers, right-click the computer and choose Raise Domain Functional Level.

Figure 5-30 Switching the domain to Native mode

4.2.4. Install and configure RADIUS, create the Remote Access Policy

4.2.4.1. Install RADIUS

Go to Control Panel > Add/Remove Programs > Add/Remove Windows Components > Networking Services and select Internet Authentication Service.

4.2.4.2. Configure RADIUS

Go to Administrative Tools > Internet Authentication Service. In the Internet Authentication Service window, right-click Internet Authentication Service (Local) and choose Register Server in Active Directory.

Figure 5-31 RADIUS configuration

Move down to RADIUS Clients, right-click it and choose New RADIUS Client. In the following windows enter the access point's name (here TPLink) and the secret key viethanit (note this secret key; it is needed to configure the AP).

Figure 5-32 Creating a new RADIUS client

4.2.4.3. Create the Remote Access Policy

Still in the Internet Authentication Service window, right-click Remote Access Policies and choose New Remote Access Policy. For Policy name enter wifi. For Access method choose Wireless, and in the Select group dialog add the group sinhvien. In the Authentication Methods dialog choose Protected EAP (PEAP).

Figure 5-33 Creating a new Remote Access Policy

In Administrative Tools open Active Directory Users and Computers. In OU wifi, right-click user viet and choose Properties; in the properties dialog choose the Dial-in tab. Under Remote Access Permission tick Control access through Remote Access Policy so that this user is managed by the policy just created.


Figure 5-34 Configuring remote access control for the user

4.2.5. Configure the AP

Connect a computer to the AP's LAN port with a straight-through cable. Enter the AP's LAN address (the TPLink default is http://192.168.1.1). Log in with the default account (user admin, password admin). If that does not work, reset the AP so that its configuration returns to the defaults. Configure the LAN and WAN ports as usual. In the Wireless Security section choose WPA2 with AES as the encryption type, set the RADIUS server IP address to 10.10.6.99 with port 1082, and set the shared secret to viethanit, the same as declared on the RADIUS server.


Figure 5-35 Configuring the AP

4.2.6. Configuring the wireless client
The wireless client here runs Windows XP, so before Windows can authenticate with WPA2 it must be updated (Windows XP SP2 needs the WPA2/WPS IE wireless client update, KB893357; SP3 already includes it). Download the update from the link below:
Right-click the wireless card > Properties, open the Wireless Networks tab and configure as shown below. With PEAP the client should be set to validate the server certificate and to trust only the CA that issued the IAS server's certificate; if validation is turned off, a rogue AP running its own RADIUS server can present any certificate and capture the MS-CHAP v2 exchange inside the tunnel.


Figure 5-36 Configuring the SSID, authentication type and encryption

Figure 5-37 Configuring authentication


Figure 5-38 Configuring the connection type and authentication method

Figure 5-39 Result of the wireless network configuration on the client


4.2.7. Demo
With the RADIUS server and AP configured, connect from the client to the wireless network KTXVietHanIT and log in with the user and password created on the RADIUS server, viet and aA123456, in the domain MM02A.

Figure 5-40 Authentication login window on the client

Figure 5-41 Result after a successful connection


Figure 5-42 IP address, subnet mask, DNS and other settings assigned on the client

Figure 5-43 DHCP lease shown on the server


Figure 5-44 Event Viewer recording the authentication process

Figure 5-45 Authentication details in Event Viewer


The authentication is recorded in detail in Event Viewer:

    User MM02A\viet was granted access.
    Fully-Qualified-User-Name = mm02a.com/wifi/viet
    NAS-IP-Address = 10.10.6.1
    NAS-Identifier = <not present>
    Client-Friendly-Name = TPLink
    Client-IP-Address = 10.10.6.1
    Calling-Station-Identifier = 00-25-86-EB-0F-D0
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 0
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = wifi
    Authentication-Type = PEAP
    EAP-Type = Secured password (EAP-MSCHAP v2)
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The entry confirms each element of the configuration above: the request came from the registered client TPLink at 10.10.6.1 (NAS-IP-Address and Client-IP-Address agree), the port type is wireless so the wifi policy matched, the user was resolved to the account in the wifi OU, and the inner method was MS-CHAP v2 inside PEAP. Calling-Station-Identifier is the client's MAC address, which is the field to search on when tracing a particular device.
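The Event Viewer entry above is the only evidence the server keeps of who got onto the WLAN and through which AP, so it is worth reading it programmatically rather than by eye. The Python block below is an added example, not part of the original project: it parses the page's own event text into fields, checks a granted event against what the configuration in this chapter expects (a registered RADIUS client whose IP matches, the wireless port type, the wifi policy, PEAP with MS-CHAP v2, a recorded client MAC), and counts repeated denials per MAC. The registered-client table and the "rogue" and "denied" variants are constructed for the example; the sample event is the page's entry re-typed.

```python
"""Parse IAS 'granted/denied access' events (Windows Server 2003 Event Viewer text)
and run the checks a WLAN administrator would want after the demo above.

Added example, not from the original project. SAMPLE_EVENT is the page's own
entry; REGISTERED_CLIENTS and the variants built below are constructed for the demo."""
import re

SAMPLE_EVENT = """User MM02A\\viet was granted access.
Fully-Qualified-User-Name = mm02a.com/wifi/viet
NAS-IP-Address = 10.10.6.1
NAS-Identifier = <not present>
Client-Friendly-Name = TPLink
Client-IP-Address = 10.10.6.1
Calling-Station-Identifier = 00-25-86-EB-0F-D0
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = wifi
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)
"""

# Friendly name -> address of every RADIUS client registered in IAS (assumed: only the page's AP).
REGISTERED_CLIENTS = {"TPLink": "10.10.6.1"}
EXPECTED_POLICY = "wifi"
MAC_RE = re.compile(r"([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}")


def parse_ias_event(text):
    """Turn the multi-line event text into a dict: 'user', 'result', then one key per 'Name = value' line."""
    lines = text.strip().splitlines()
    m = re.match(r"User (\S+) was (granted|denied) access", lines[0])
    if not m:
        raise ValueError("not an IAS access event: %r" % lines[0])
    ev = {"user": m.group(1), "result": m.group(2)}
    for line in lines[1:]:
        key, sep, value = line.partition(" = ")
        if sep:
            ev[key.strip()] = value.strip()
    return ev


def check_event(ev, clients=REGISTERED_CLIENTS, policy=EXPECTED_POLICY):
    """Findings for a granted event that does not look like the expected PEAP-over-wireless path."""
    findings = []
    if ev["result"] != "granted":
        return findings
    if ev.get("NAS-Port-Type") != "Wireless - IEEE 802.11":
        findings.append("wireless policy granted access for a non-wireless NAS port type")
    if clients.get(ev.get("Client-Friendly-Name")) != ev.get("Client-IP-Address"):
        findings.append("RADIUS client name/IP pair is not a registered client")
    if ev.get("Policy-Name") != policy:
        findings.append("unexpected policy %r" % ev.get("Policy-Name"))
    if ev.get("Authentication-Type") != "PEAP" or ev.get("EAP-Type") != "Secured password (EAP-MSCHAP v2)":
        findings.append("access granted without PEAP / MS-CHAP v2")
    if not MAC_RE.fullmatch(ev.get("Calling-Station-Identifier", "")):
        findings.append("no client MAC recorded in Calling-Station-Identifier")
    return findings


def reject_counts(events, threshold=3):
    """MACs with at least `threshold` denied events: the crude brute-force signal available from this log."""
    counts = {}
    for ev in events:
        if ev["result"] == "denied":
            mac = ev.get("Calling-Station-Identifier", "<none>")
            counts[mac] = counts.get(mac, 0) + 1
    return {mac: n for mac, n in counts.items() if n >= threshold}


def with_changes(text, **changes):
    """Constructed variant of an event: override 'Name = value' lines (use _ for -) and/or result='denied'."""
    out = []
    for line in text.strip().splitlines():
        key, sep, _ = line.partition(" = ")
        name = key.strip().replace("-", "_")
        if sep and name in changes:
            line = "%s = %s" % (key, changes[name])
        out.append(line)
    body = "\n".join(out)
    if changes.get("result") == "denied":
        body = body.replace("was granted access", "was denied access", 1)
    return body


def demo():
    """The page's event passes; a constructed event from an unregistered client on an Ethernet port does not."""
    clean = check_event(parse_ias_event(SAMPLE_EVENT))
    rogue = with_changes(SAMPLE_EVENT, Client_IP_Address="10.10.6.50", NAS_Port_Type="Ethernet")
    suspicious = check_event(parse_ias_event(rogue))
    denied = [parse_ias_event(with_changes(SAMPLE_EVENT, result="denied")) for _ in range(4)]
    return clean, suspicious, reject_counts(denied)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The name/IP check is the useful one operationally: IAS already drops packets from unregistered addresses, but an event whose Client-Friendly-Name and Client-IP-Address do not match the client table means someone changed the IAS client list, which is exactly the change a rogue-AP deployment needs.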

CONCLUSION
Results achieved
 o Theory: the security method the group studied is one of the strongest WLAN security methods available today. It has practical value and can be applied at agencies and businesses with demanding WLAN security requirements. After completing the project, the group members understand the overall structure of wireless networks, the common attacks against them and basic wireless security, and in particular the mechanism and importance of securing a wireless network with RADIUS authentication.
 o Practice: the group members can configure the various authentication and encryption types, operate a Wireless Access Point and secure it at a basic level. While configuring authentication, the members gained a clearer understanding of the authentication mechanism of Windows Server 2003.

Limitations
 o Not yet deployed on a Linux system with LDAP authentication.
 o Deployed only at small scale and not yet used in production, so problems arising during real operation could not be tested.
 o Wireless clients must be set up (updated and configured) before they can authenticate.
Future directions
 o Deploy RADIUS authentication on Linux and extend the authentication model beyond Wi-Fi to the wired network, VPN servers and NAS servers.
 o Study and apply WMAN (IEEE 802.16) and WWAN (802.20) technology.
 o Investigate the requirements, design, deployment and security of WMAN and WWAN systems.


