Configuring CA certificates for 802.1X

People have kept asking how the CA certificate has to be configured before it can actually be used. I am sharing the article I used as a reference here, in the hope that it helps.
Note: the article cited here gives the configuration needed for EAP-TLS (smart card or other certificate). If you want to use PEAP instead, the principle is the same; only the certificates differ, as the table below shows. Adapt it accordingly and work through it yourself.
Implementing 802.1X with EAP-TLS (smart card or other certificate): authentication server and switch configuration
For this configuration, complete the following steps:
1. Configure Active Directory for accounts and groups.
2. Configure the primary IAS server on a computer.
3. Configure the secondary IAS server on another computer (export the primary server's IAS configuration and load it on the secondary with):
   netsh aaaa show config >c:\IAS.txt
   netsh exec c:\IAS.txt
4. Deploy and configure your authenticating switches.
6. Configure a certificate infrastructure for EAP-TLS.
7. Install computer certificates on wired client computers (EAP-TLS).
8. Install user certificates on wired client computers (EAP-TLS).
9. Configure wired client computers for EAP-TLS.
10. Configure wired client computers for EAP-MD5 CHAP.
11. Verify wired connections.
EAP-MD5 CHAP requirements:
1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge (REG_DWORD data type)
2. Enable storage of a reversibly encrypted form of the account's password in your domains.
3. Force a reset of the account passwords so that the new passwords are stored in a reversibly encrypted form.
The operating system used is Windows Server 2003; AD, DNS, IAS and CA must all be installed.
------------------------------------
The table below lists the certificates required by each authentication type:
Authentication type | Certificates on wired client | Certificates on IAS server
PEAP-MS-CHAP v2 | Root CA certificates for issuers of IAS server computer certificates | Computer certificates
EAP-TLS | Computer certificates; User certificates; Root CA certificates for issuers of IAS server computer certificates | Computer certificates; Root CA certificates for issuers of wired client computer and user certificates
EAP-MD5 CHAP | None | None
Let's begin the configuration.
This document demonstrates authentication with EAP-TLS (smart card or other certificate):
1. Configure the CA
A. Using a shared folder keeps a copy of the certificate, which makes the later certificate import easier (this certificate is the CA's root certificate, Root CA).
B. Configure the user certificate: Certification Authority -> Manage Certificate Templates -> duplicate the "User" template into a new template named LAN Access.
Properties of LAN Access: Subject Name -> deselect "E-mail name" and "Include e-mail name in subject name".
Security: grant the relevant users the Autoenroll permission.
C. Create a new certificate template to issue -> select the LAN Access template we just created.
------------------------------------
2. Configure IAS
A. First register IAS in Active Directory.
B. Set the IAS properties; the ports must match those configured on the switch.
C. Create a new RADIUS client; its IP address is the switch's IP address (the authenticator), and the shared secret must also match the one configured on the switch.
D. Create a new remote access policy; for user or group access we test with user access, and for the EAP type select "Smart Card or other certificate".
E. Set the policy properties: grant remote access permission, edit the profile, and select the option that lets the client request an IP address.
------------------------------------
3. Configure AD
A. Group Policy -> Windows Settings -> Account Policies -> Password Policy -> enable "Store passwords using reversible encryption".
B. Add a user; this is the user assigned to the connecting client. Here we use admin as the example, with the same password as the admin account on the connecting computer.
C. Modify the user properties and set the remote access permission to "Allow access".
D. On the client computer, join the computer to this domain. After joining, it appears under Computers.
E. If authenticating with MD5, modify the user properties and set the remote access permission to "Allow access".
-------------------------------------
4. Configure the AD Group Policy properties
A. Under Computer Configuration -> Windows Settings -> Security Settings, configure Public Key Policies:
create a new Automatic Certificate Request of type "Computer".
B. Configure Trusted Root Certification Authorities and import the certificate we created at the beginning (Root CA).
C. Under User Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> Autoenrollment Settings, select "Renew expired certificates, update pending certificates, and remove revoked certificates" and "Update certificates that use certificate templates".
--------------------------------------
5. Client configuration
A. Local Area Connection -> Properties -> Authentication -> "Enable IEEE 802.1X authentication for this network".
B. EAP type: Smart Card or other certificate.
C. Properties of Smart Card or other certificate: "Use a certificate on this computer", "Use simple certificate selection", "Validate server certificate" -> Trusted Root Certification Authorities: select Root CA.
This concludes the server configuration; next we configure the switch.
The switch used is a Foundry FastIron Edge Switch 2402. Configure it with:
1. The IP address or name of a primary RADIUS server, the shared secret, UDP ports for authentication and accounting, and failure detection settings.
2. The IP address or name of a secondary RADIUS server, the shared secret, UDP ports for authentication and accounting, and failure detection settings.
The relevant configuration follows:
BR-FES2402 Router#sh run
Current configuration:
!
ver 03.4.01Tc1
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
router-interface ve 10
!
!
dot1x-enable
enable ethe 2 to 24
!
aaa authentication dot1x default radius
radius-server host 192.168.100.1 auth-port 1812 acct-port 1813 default key 1 $Gsig@U\ dot1x
interface ethernet 3
dot1x port-control auto
!
interface ethernet 4
dot1x port-control auto
!
interface ethernet 5
dot1x port-control auto
!
interface ethernet 6
dot1x port-control auto
!
interface ethernet 7
dot1x port-control auto
!
interface ethernet 8
dot1x port-control auto
!
interface ethernet 9
dot1x port-control auto
!
interface ethernet 10
dot1x port-control auto
!
interface ethernet 11
dot1x port-control auto
!
interface ethernet 12
dot1x port-control auto
!
interface ethernet 13
dot1x port-control auto
!
interface ethernet 14
dot1x port-control auto
!
interface ethernet 15
dot1x port-control auto
!
interface ethernet 16
dot1x port-control auto
!
interface ethernet 17
dot1x port-control auto
!
interface ethernet 18
dot1x port-control auto
!
interface ethernet 19
dot1x port-control auto
!
interface ethernet 20
dot1x port-control auto
!
interface ethernet 21
dot1x port-control auto
!
interface ethernet 22
dot1x port-control auto
!
interface ethernet 23
dot1x port-control auto
!
interface ethernet 24
dot1x port-control auto
!
interface ve 10
ip address 192.168.100.2 255.255.255.0
!
!
!
!
!
!
end
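One thing worth checking in a running-config like the one above is whether every port that 802.1X was enabled on ("enable ethe 2 to 24") also carries "dot1x port-control auto"; in the configuration shown, port 2 is in that range but has no interface stanza setting its mode. The following checker is an added example, not code from the original post or from Foundry: it parses a FastIron-style config, lists the 802.1X-enabled ports without "port-control auto", and extracts the RADIUS host and ports so they can be compared with the IAS settings. The sample config is constructed inline from the post's values, and the statement that a port without an explicit mode stays force-authorized is an assumption noted in the code.

```python
import re
from typing import Dict, List, Set

# Constructed sample built from the values in the post's running-config:
# 802.1X is enabled on ports 2-24, but only ports 3-24 get 'port-control auto'.
SAMPLE_CONFIG = (
    "dot1x-enable\n"
    " enable ethe 2 to 24\n"
    "!\n"
    "aaa authentication dot1x default radius\n"
    "radius-server host 192.168.100.1 auth-port 1812 acct-port 1813 "
    "default key 1 $Gsig@U\\ dot1x\n"
    + "".join(
        f"interface ethernet {n}\n dot1x port-control auto\n!\n"
        for n in range(3, 25)
    )
    + "interface ve 10\n ip address 192.168.100.2 255.255.255.0\n!\nend\n"
)

ENABLE_RE = re.compile(r"^\s*enable\s+ethe(?:rnet)?\s+(\d+)(?:\s+to\s+(\d+))?", re.I)
IFACE_RE = re.compile(r"^\s*interface\s+ethernet\s+(\d+)\s*$", re.I)
PORT_CONTROL_RE = re.compile(r"^\s*dot1x\s+port-control\s+(\S+)", re.I)
RADIUS_RE = re.compile(
    r"^\s*radius-server\s+host\s+(\S+).*?auth-port\s+(\d+)\s+acct-port\s+(\d+)", re.I
)


def dot1x_enabled_ports(config: str) -> Set[int]:
    """Ports listed under 'dot1x-enable' via one or more 'enable ethe X [to Y]' lines."""
    ports: Set[int] = set()
    in_block = False
    for line in config.splitlines():
        if line.strip().lower() == "dot1x-enable":
            in_block = True
            continue
        if in_block:
            m = ENABLE_RE.match(line)
            if m:
                lo = int(m.group(1))
                hi = int(m.group(2) or lo)
                ports.update(range(lo, hi + 1))
                continue
            in_block = False  # any other line ends the dot1x-enable block
    return ports


def port_control_modes(config: str) -> Dict[int, str]:
    """Map each 'interface ethernet N' stanza to its dot1x port-control mode, if one is set."""
    modes: Dict[int, str] = {}
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = int(m.group(1))
            continue
        if line.strip() == "!" or line.strip().lower().startswith("interface "):
            current = None  # stanza ended, or a non-ethernet interface began
            continue
        if current is not None:
            pc = PORT_CONTROL_RE.match(line)
            if pc:
                modes[current] = pc.group(1).lower()
    return modes


def unauthenticated_ports(config: str) -> List[int]:
    """802.1X-enabled ports whose port-control mode is not 'auto'.

    Assumption for this example: a port with no explicit 'dot1x port-control'
    line keeps the default mode (force-authorized on FastIron), so it would
    forward traffic without any EAP exchange and deserves a second look.
    """
    modes = port_control_modes(config)
    return sorted(p for p in dot1x_enabled_ports(config) if modes.get(p) != "auto")


def radius_servers(config: str) -> List[dict]:
    """RADIUS server host and UDP ports, to compare against the IAS server settings."""
    found = []
    for line in config.splitlines():
        m = RADIUS_RE.match(line)
        if m:
            found.append({"host": m.group(1), "auth_port": int(m.group(2)), "acct_port": int(m.group(3))})
    return found


if __name__ == "__main__":
    print("802.1X-enabled ports without port-control auto:", unauthenticated_ports(SAMPLE_CONFIG))
    print("RADIUS servers:", radius_servers(SAMPLE_CONFIG))
```

Run against the sample, the checker reports port 2 and a single RADIUS server on 192.168.100.1 with auth-port 1812 and acct-port 1813, the pair that step 2.B says must match the IAS configuration.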
-------------------------------------
6. Verification
Authentication server (Windows 2003): 192.168.6.10
Authenticator (switch): 192.168.6.1
Client (Windows XP): 192.168.6.20
A. Check the Event Viewer
B. Ping test
C. Packet capture with Sniffer
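To give the packet-capture test in step C something concrete to look for, here is an added example (not part of the original post) that decodes the EAPOL/EAP frames a successful EAP-TLS exchange produces on the wire: EAPOL-Start from the client, EAP-Request/Identity from the switch, EAP-Response/Identity, the EAP-TLS start request (S flag set), TLS data, and finally EAP-Success. The frames, MAC addresses and the identity "admin" are constructed in the code; only the frame layouts follow the 802.1X and EAP standards.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

EAPOL_ETHERTYPE = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}


@dataclass
class EapolSummary:
    src: str
    dst: str
    eapol_type: str
    eap_code: Optional[str] = None
    eap_id: Optional[int] = None
    eap_type: Optional[str] = None
    detail: str = ""


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_eapol_frame(frame: bytes) -> EapolSummary:
    """Decode Ethernet + EAPOL + EAP headers; raise ValueError on truncated or non-EAPOL input."""
    if len(frame) < 18:  # 14-byte Ethernet header + 4-byte EAPOL header
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not an EAPOL frame (ethertype 0x{ethertype:04x})")
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]  # ignores Ethernet padding after the body
    if len(body) != length:
        raise ValueError("EAPOL body length exceeds captured frame")
    summary = EapolSummary(mac_str(src), mac_str(dst), EAPOL_TYPES.get(ptype, f"type {ptype}"))
    if ptype != 0:  # Start/Logoff/Key carry no EAP packet
        return summary
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, eap_id, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("bad EAP length field")
    summary.eap_code = EAP_CODES.get(code, f"code {code}")
    summary.eap_id = eap_id
    if code in (1, 2) and eap_len >= 5:  # Request/Response carry a Type byte
        t = body[4]
        summary.eap_type = EAP_TYPES.get(t, f"type {t}")
        data = body[5:eap_len]
        if t == 1:
            summary.detail = data.decode("utf-8", "replace")  # claimed identity
        elif t == 13 and data:
            flags = data[0]  # EAP-TLS flags: L=0x80 (length included), M=0x40 (more), S=0x20 (start)
            bits = [n for n, m in (("L", 0x80), ("M", 0x40), ("S", 0x20)) if flags & m]
            summary.detail = "flags=" + ",".join(bits or ["none"])
    return summary


# Builders used only to construct the sample capture below.
def eapol(ptype: int, body: bytes = b"", src: bytes = b"", dst: bytes = b"") -> bytes:
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, len(body)) + body


def eap(code: int, eap_id: int, payload: bytes = b"") -> bytes:
    return struct.pack("!BBH", code, eap_id, 4 + len(payload)) + payload


CLIENT = bytes.fromhex("001122334455")     # constructed supplicant MAC
SWITCH = bytes.fromhex("00aabbccddee")     # constructed authenticator MAC
PAE_GROUP = bytes.fromhex("0180c2000003")  # 802.1X PAE group address

# Constructed capture of the exchange the post's sniffer test should show.
SAMPLE_CAPTURE: List[bytes] = [
    eapol(1, src=CLIENT, dst=PAE_GROUP),                                   # EAPOL-Start
    eapol(0, eap(1, 1, b"\x01"), src=SWITCH, dst=PAE_GROUP),               # Request/Identity
    eapol(0, eap(2, 1, b"\x01admin"), src=CLIENT, dst=PAE_GROUP),          # Response/Identity
    eapol(0, eap(1, 2, b"\x0d\x20"), src=SWITCH, dst=PAE_GROUP),           # Request/EAP-TLS start
    eapol(0, eap(2, 2, b"\x0d\x00\x16\x03\x01"), src=CLIENT, dst=PAE_GROUP),  # Response/EAP-TLS data
    eapol(0, eap(3, 9), src=SWITCH, dst=PAE_GROUP),                        # Success
]


def summarize_capture(frames: List[bytes]) -> List[EapolSummary]:
    return [parse_eapol_frame(f) for f in frames]


def authenticated_identity(frames: List[bytes]) -> Optional[str]:
    """Identity from Response/Identity, returned only if the exchange ended in EAP-Success."""
    identity = None
    for s in summarize_capture(frames):
        if s.eap_code == "Response" and s.eap_type == "Identity":
            identity = s.detail
        if s.eap_code == "Success":
            return identity
    return None


if __name__ == "__main__":
    for s in summarize_capture(SAMPLE_CAPTURE):
        print(s)
    print("authenticated identity:", authenticated_identity(SAMPLE_CAPTURE))
```

Note that the identity in EAP-Response/Identity is only the supplicant's claim; with EAP-TLS the server's decision rests on the client certificate exchanged inside the TLS handshake, which is why the parser reports the identity only after an EAP-Success is seen, and the Event Viewer entries from step A remain the authoritative record of who was admitted.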
Some Chinese reference sites:
Some English reference sites: see the following resources for further information:
· Windows 2000 Service Pack 4 (SP4) at [url]http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.asp[/url]
· Internet Authentication Service Web site at [url]http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx[/url]
· Security Services Web site at [url]http://www.microsoft.com/windowsserver2003/technologies/security/default.mspx[/url].
· Windows XP Wireless Deployment Technology and Component Overview at [url]http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wificomp.mspx[/url].
· Troubleshooting Windows XP IEEE 802.11 Wireless Access at [url]http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifitrbl.mspx[/url].
For the latest information about Windows XP, see the Windows XP Web site at [url]http://www.microsoft.com/windowsxp[/url].