
@gustavohenrique
Created November 4, 2024 13:39

WPA2 Enterprise

LXD

Installing and configuring LXD on Arch Linux.

install lxd   # author's shorthand for the package install step
sudo systemctl enable lxd.socket
sudo systemctl start lxd.socket
sudo systemctl start lxd.service
# subordinate uid/gid ranges so unprivileged containers can map their ids
sudo usermod -v 1000000-1000999999 -w 1000000-1000999999 root
sudo lxd init
sudo usermod -aG lxd gustavo   # then restart the machine
lxc launch ubuntu:24.04 freeradius

Fixing the container's internet connection (flush every iptables variant and set ACCEPT policies).

sudo su
for ipt in iptables iptables-legacy ip6tables ip6tables-legacy; do $ipt --flush; $ipt --flush -t nat; $ipt --delete-chain; $ipt --delete-chain -t nat; $ipt -P FORWARD ACCEPT; $ipt -P INPUT ACCEPT; $ipt -P OUTPUT ACCEPT; done
systemctl restart lxd.socket
systemctl restart lxd

Trying to map container names to an LXD domain, e.g. container1.lxd. Hasn't worked yet.

LXD_IP=`lxc network get lxdbr0 ipv4.address | cut -d / -f 1`
cat > lxd.network <<EOF
[Match]
Name=lxdbr0

[Network]
DNS=${LXD_IP}
Domains=~lxd
IgnoreCarrierLoss=yes

[Address]
Address=${LXD_IP}/24
Gateway=${LXD_IP}
EOF
sudo mv lxd.network /etc/systemd/network/

Freeradius

Installation on Arch Linux is different, so I chose to run it inside an LXD container with Ubuntu 24.04. On Ubuntu the config directory is /etc/freeradius/3.0

What needs to be done?

  1. Add the HostAPD IP to the clients.conf file
  2. Add the network user to the users file
  3. Test the config by running freeradius -X and, in another terminal, radtest

To add hostapd as a RADIUS client (NAS):

client hostapd {
  ipaddr = 10.228.190.1  # host IP
  secret = senhaforte
}

To add a user:

printf 'gustavo\tCleartext-Password := "123123"\n' | sudo tee -a users   # printf: bash's echo leaves \t literal
radtest gustavo 123123 <ip-freeradius> 1812 senhaforte

Using MySQL

Not worth it.
TODO: Try sqlite or postgres and build a frontend to replace daloradius

  1. Install MariaDB
  2. Create the database, user and tables
  3. Change the database settings in mods-available/sql
  4. Enable the sql module by creating a symlink in mods-enabled/sql
  5. Install and configure Apache2 + PHP + Daloradius

MariaDB:

apt --no-install-recommends install mariadb-server freeradius-mysql
mariadb-secure-installation
mariadb -u root -p
	CREATE DATABASE raddb;
	GRANT ALL ON raddb.* TO 'raduser'@'localhost' IDENTIFIED BY 'radpass';
	FLUSH PRIVILEGES;
	EXIT;
systemctl enable mariadb

# Tables
mariadb -u raduser -p raddb < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql

Configuring the SQL module:

sed -Ei '/^[\t\s#]*tls\s+\{/, /[\t\s#]*\}/ s/^/#/' /etc/freeradius/3.0/mods-available/sql
cd /etc/freeradius/3.0/mods-enabled
ln -sn ../mods-available/sql
chown -R freerad:freerad sql

# Edit the sql file
dialect = "mysql"
driver = "rlm_sql_${dialect}"
...
server = "localhost"
port = 3306
login = "raduser"
password = "radpass"
radius_db = "raddb"
...
read_clients = yes
client_table = nas

Daloradius:

apt --no-install-recommends install apache2 php libapache2-mod-php \
                                    php-mysql php-zip php-mbstring php-common php-curl \
                                    php-gd php-db php-mail php-mail-mime \
                                    mariadb-client freeradius-utils rsyslog git
cd /var/www
git clone https://github.com/lirantal/daloradius.git
mkdir -p /var/log/apache2/daloradius/{operators,users}

cat <<EOF >> /etc/apache2/envvars
# daloRADIUS users interface port
export DALORADIUS_USERS_PORT=80

# daloRADIUS operators interface port
export DALORADIUS_OPERATORS_PORT=8000

# daloRADIUS package root directory
export DALORADIUS_ROOT_DIRECTORY=/var/www/daloradius  

# daloRADIUS administrator's email
export DALORADIUS_SERVER_ADMIN=<admin-email>   # placeholder: the address was obfuscated on this page; variable name taken from the vhost configs below
EOF

cat <<EOF > /etc/apache2/ports.conf

# daloRADIUS
Listen \${DALORADIUS_USERS_PORT}
Listen \${DALORADIUS_OPERATORS_PORT}
EOF

cat <<EOF > /etc/apache2/sites-available/operators.conf
<VirtualHost *:\${DALORADIUS_OPERATORS_PORT}>
  ServerAdmin \${DALORADIUS_SERVER_ADMIN}
  DocumentRoot \${DALORADIUS_ROOT_DIRECTORY}/app/operators
  
  <Directory \${DALORADIUS_ROOT_DIRECTORY}/app/operators>
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
  </Directory>

  <Directory \${DALORADIUS_ROOT_DIRECTORY}>
    Require all denied
  </Directory>

  ErrorLog \${APACHE_LOG_DIR}/daloradius/operators/error.log
  CustomLog \${APACHE_LOG_DIR}/daloradius/operators/access.log combined
</VirtualHost>
EOF

cat <<EOF > /etc/apache2/sites-available/users.conf
<VirtualHost *:\${DALORADIUS_USERS_PORT}>
  ServerAdmin \${DALORADIUS_SERVER_ADMIN}
  DocumentRoot \${DALORADIUS_ROOT_DIRECTORY}/app/users

  <Directory \${DALORADIUS_ROOT_DIRECTORY}/app/users>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
  </Directory>

  <Directory \${DALORADIUS_ROOT_DIRECTORY}>
    Require all denied
  </Directory>

  ErrorLog \${APACHE_LOG_DIR}/daloradius/users/error.log
  CustomLog \${APACHE_LOG_DIR}/daloradius/users/access.log combined
</VirtualHost>
EOF

cd /var/www/daloradius/app/common/includes
cp daloradius.conf.php.sample daloradius.conf.php
chown www-data:www-data daloradius.conf.php  
chmod 664 daloradius.conf.php
chown www-data:www-data /var/www/daloradius/contrib/scripts/dalo-crontab
cd /var/www/daloradius/
mkdir -p var/{log,backup}
chown -R www-data:www-data var  
chmod -R 775 var

cd /var/www/daloradius/contrib/db
mariadb -u raduser -p raddb < fr3-mariadb-freeradius.sql
mariadb -u raduser -p raddb < mariadb-daloradius.sql

a2dissite 000-default.conf  
a2ensite operators.conf users.conf
systemctl enable apache2
systemctl restart apache2

Usage:

# Username: administrator
# Password: radius
xdg-open http://10.228.190.102:8000

HostAPD

List the installed interfaces:

ip -o link show | awk -F': ' '{print $2}'

# The USB wireless interface to use is wlp0s20f0u4
sudo ip link set up dev wlp0s20f0u4
sudo ip addr add 192.168.200.1/24 dev wlp0s20f0u4

Installation and configuration:

install hostapd wpa_supplicant   # author's shorthand for the package install step
# Container IP; strip the /24 prefix that lxc info prints (10.228.190.102 in this setup)
FREERADIUS_IP=`lxc info freeradius | grep "inet:" | grep global | awk '{print $2}' | cut -d / -f 1`
cat > hostapd.conf <<EOF
interface=wlp0s20f0u4
driver=nl80211
ssid=provedor4
hw_mode=g
channel=6
logger_syslog=-1
logger_syslog_level=0
ctrl_interface=/var/run/hostapd/
beacon_int=100
macaddr_acl=0
ignore_broadcast_ssid=0
auth_algs=1
rsn_pairwise=CCMP
wpa=2

# without RADIUS (WPA2-PSK)
#wpa_key_mgmt=WPA-PSK
#wpa_passphrase=123123123

# with RADIUS (WPA2-Enterprise, 802.1X; hostapd only relays EAP to FreeRADIUS)
ctrl_interface_group=0
wpa_key_mgmt=WPA-EAP
ieee8021x=1
radius_retry_primary_interval=120
wmm_enabled=1
wpa_group_rekey=300
wpa_gmk_rekey=86400
eap_server=0
auth_server_addr=${FREERADIUS_IP}
auth_server_port=1812
auth_server_shared_secret=senhaforte

EOF
sudo mv hostapd.conf /etc/hostapd/hostapd.conf
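The cross-check below is an added example, not code from the original notes: it parses the hostapd.conf just written and the clients.conf block from the FreeRADIUS section, confirms hostapd is in WPA-EAP/802.1X mode (not the commented-out PSK fallback) and that auth_server_shared_secret equals the secret FreeRADIUS holds for the AP host's IP. The sample files it writes are constructed from the values in these notes; the AP host IP (10.228.190.1) is the one from clients.conf, and the function names are mine.

```shell
# Added example (not from the original gist): check that hostapd is in
# 802.1X/EAP mode and that its RADIUS shared secret matches the clients.conf
# entry FreeRADIUS holds for the AP host. Needs only sh, sed and awk.
# Last uncommented value of "key=value" in a hostapd.conf ($1=file, $2=key).
hostapd_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Secret of the clients.conf block whose ipaddr equals $2 ($1=clients.conf).
radius_secret_for() {
    awk -v ip="$2" '
        { sub(/#.*/, "") }                                  # strip comments
        /^[[:space:]]*client[[:space:]]/ { inblk = 1; hit = 0; sec = "" }
        inblk && /^[[:space:]]*ipaddr[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            hit = (v == ip) }
        inblk && /^[[:space:]]*secret[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            gsub(/"/, "", v); sec = v }
        inblk && /^[[:space:]]*}/ { if (hit) print sec; inblk = 0 }
    ' "$1"
}

# $1=hostapd.conf  $2=clients.conf  $3=IP of the AP host as seen by FreeRADIUS
check_wpa2_enterprise() {
    case "$(hostapd_get "$1" wpa_key_mgmt)" in
        *WPA-EAP*) ;;
        *) echo "hostapd: wpa_key_mgmt is not WPA-EAP (PSK fallback active?)"; return 1 ;;
    esac
    [ "$(hostapd_get "$1" ieee8021x)" = 1 ] || { echo "hostapd: ieee8021x=1 missing"; return 1; }
    rs=$(radius_secret_for "$2" "$3")
    [ -n "$rs" ] || { echo "clients.conf: no client block for $3"; return 1; }
    [ "$(hostapd_get "$1" auth_server_shared_secret)" = "$rs" ] ||
        { echo "shared secret in hostapd.conf differs from clients.conf"; return 1; }
    echo "ok: hostapd and FreeRADIUS agree on the secret for NAS $3"
}

# Constructed sample files using the values from the notes above ($1=dir).
write_samples() {
    printf '%s\n' 'interface=wlp0s20f0u4' '#wpa_key_mgmt=WPA-PSK' 'wpa_key_mgmt=WPA-EAP' \
        'ieee8021x=1' 'auth_server_addr=10.228.190.102' \
        'auth_server_shared_secret=senhaforte' > "$1/hostapd.conf"
    printf '%s\n' 'client localhost {' '  ipaddr = 127.0.0.1' '  secret = testing123' '}' \
        'client hostapd {' '  ipaddr = 10.228.190.1  # host IP' '  secret = senhaforte' '}' \
        > "$1/clients.conf"
}
d=$(mktemp -d)
write_samples "$d"
check_wpa2_enterprise "$d/hostapd.conf" "$d/clients.conf" 10.228.190.1   # prints "ok: ..."
rm -rf "$d"
```

Run it against the real files with `check_wpa2_enterprise /etc/hostapd/hostapd.conf /etc/freeradius/3.0/clients.conf <ap-host-ip>` (the clients.conf lives inside the container, so copy it out first).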

Configure DHCP:

# dhcpd instead of dnsmasq because of a conflict with LXD
# add to /etc/dhcpd.conf
...
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;
subnet 192.168.200.0 netmask 255.255.255.0 {
  range 192.168.200.10 192.168.200.50;
  option routers 192.168.200.1;
  option broadcast-address 192.168.200.255;
  option domain-name-servers 8.8.8.8, 8.8.4.4;   # one line; a second domain-name-servers line would replace the first
}
...
sudo systemctl start dhcpd4

# alternative if you are not using LXD:
# add to /etc/dnsmasq.conf
...
interface=wlp0s20f0u4
except-interface=lxdbr0
dhcp-range=192.168.200.10,192.168.200.50,12h
...
sudo systemctl restart dnsmasq

Enable ip_forwarding and kernel tuning:

# Arch no longer uses /etc/sysctl.conf

sudo su
cat > /etc/sysctl.d/99-sysctl.conf <<EOF
net.ipv4.ip_forward=1
net.ipv4.tcp_rmem = 4096 1048576 2097152
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 2000000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_slow_start_after_idle = 0
net.core.netdev_max_backlog = 16384
net.core.somaxconn = 8192
net.core.rmem_default = 1048576
net.core.rmem_max = 16777216
net.core.wmem_default = 1048576
net.core.wmem_max = 16777216
net.core.optmem_max = 65536
EOF

sudo sysctl -p /etc/sysctl.d/99-sysctl.conf

Make NetworkManager ignore the interface:

sudo su
cat > /etc/NetworkManager/conf.d/unmanaged.conf <<EOF
[keyfile]
unmanaged-devices=interface-name:wlp0s20f0u4
EOF

Firewall and NAT rules:

WAN=wlp4s0
LAN=wlp0s20f0u4
sudo iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# sudo iptables -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
# sudo iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT