{"id":1781,"date":"2020-12-02T12:25:57","date_gmt":"2020-12-02T11:25:57","guid":{"rendered":"http:\/\/blogperso.union31.fr\/?p=1781"},"modified":"2020-12-31T16:18:50","modified_gmt":"2020-12-31T15:18:50","slug":"gns3-centralisation-des-comptes-avec-radius","status":"publish","type":"post","link":"https:\/\/blogperso.union31.fr\/?p=1781","title":{"rendered":"GNS3: centralising accounts and authenticating user logins and machine accounts (with RADIUS)"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"I_Introduction\"><\/span>I Introduction<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The goal is to centralise the accounts on a dedicated server and to have that server check the credentials typed on the routers.<\/p>\n\n\n\n<p>We start from the following architecture, to which a server is added on VLAN 30:<\/p>\n\n\n\n
<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"614\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_radius_intro-1024x614.png\" alt=\"GNS3 topology with the RADIUS server added on VLAN 30\" class=\"wp-image-1786\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_radius_intro-1024x614.png 1024w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_radius_intro-300x180.png 300w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_radius_intro-768x460.png 768w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_radius_intro.png 1158w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>This server is a Debian virtual machine under VirtualBox with the IP address 192.168.30.100. It will act as the RADIUS server.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II_Serveur_Radius\"><\/span>II RADIUS server<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II1_Installation\"><\/span>II.1 Installation<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>A Debian distribution is used for this example. Once it is installed and its network settings are in place, the RADIUS server to install is FreeRADIUS:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt-get install freeradius<\/code><\/pre>\n\n\n\n<p>To check that the server is installed: <code>freeradius -v<\/code><\/p>\n\n\n\n
<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"794\" height=\"162\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_freeradius_version.png\" alt=\"Output of freeradius -v\" class=\"wp-image-1788\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_freeradius_version.png 794w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_freeradius_version-300x61.png 300w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_freeradius_version-768x157.png 768w\" sizes=\"auto, (max-width: 794px) 100vw, 794px\" \/><\/figure>\n\n\n\n<p>Then make the service start at every boot:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable freeradius<\/code><\/pre>\n\n\n\n
<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"805\" height=\"131\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_radius_enable.png\" alt=\"Output of systemctl enable freeradius\" class=\"wp-image-1820\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_radius_enable.png 805w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_radius_enable-300x49.png 300w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_radius_enable-768x125.png 768w\" sizes=\"auto, (max-width: 805px) 100vw, 805px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II2_Declaration_du_routeur_qui_va_communiquer_avec_FreeRadius\"><\/span>II.2 Declaring the router that will talk to FreeRADIUS<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>First, FreeRADIUS must be told which hosts may talk to it: in our case, the IP address of the router.<\/p>\n\n\n\n<p>This is done in the file clients.conf, whose full path is <strong>\/etc\/freeradius\/3.0\/clients.conf<\/strong>.<\/p>\n\n\n\n<p>So, to accept requests from router R3, add lines such as these:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>...\n\nclient 192.168.30.254 {\n   secret = test\n   nastype = cisco\n   shortname = routeur3\n}\n\n...<\/code><\/pre>\n\n\n\n<p>The secret is the only thing that hides the User-Password attribute on the wire and authenticates the server&rsquo;s replies, and RADIUS does both with MD5 (RFC 2865), so a short word like \"test\" is acceptable only in a lab. In production, give each client its own long random secret and keep the client entry bound to a single address, as here, rather than a whole subnet.<\/p>\n\n\n\n<p>The router must be configured on its side to talk to FreeRADIUS; that is covered after this chapter.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II3_Declaration_des_identifiants\"><\/span>II.3 Declaring the credentials<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Users must now be declared.<\/p>
<p>They are declared in the file <strong>\/etc\/freeradius\/3.0\/users<\/strong>.<\/p>\n\n\n\n<p>For example, to add a user, append an entry like this one:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>....\n\ntest    Cleartext-Password := \"motdepasse\"\n        Service-Type = NAS-Prompt-User,\n        cisco-avpair = \"shell:priv-lvl=15\"\n\n....<\/code><\/pre>\n\n\n\n<p>Note: do not forget the \",\" between reply items (and put none after the last one), otherwise the service will not restart \ud83d\ude42 Also, Cleartext-Password stores the password as is, so the users file must be readable only by root and by the account FreeRADIUS runs as.<\/p>\n\n\n\n<p>Finally, restart the service so the new account is taken into account:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart freeradius<\/code><\/pre>\n\n\n\n<p>At this stage the minimal configuration on the RADIUS server side is done.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III_Routeur_identification_des_comptes_via_Radius\"><\/span>III Router: authenticating accounts via RADIUS<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III1_Declaration_dun_modele_dauthentification_et_declaration_dun_serveur_Radius\"><\/span>III.1 Declaring an authentication model and declaring a RADIUS server<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>We now configure router R3 so that it can talk to the RADIUS server.<\/p>\n\n\n\n<p>First, enable AAA:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>R3#conf t\nR3(config)#aaa new-model<\/code><\/pre>\n\n\n\n<p>This unlocks the RADIUS server configuration commands. Be aware that it also immediately puts every line (console and vty) under the AAA default login list, so keep the current session open until a working login method exists, or you may lock yourself out. We can now configure access to a RADIUS server:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>R3(config)#radius-server host 192.168.30.100 auth-port 1812 acct-port 1813<\/code><\/pre>\n\n\n\n<p>Three parameters:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>the IP address of the RADIUS server (our Debian server): host 192.168.30.100<\/li><li>the listening port for authentication: auth-port 1812<\/li><li>the listening port for accounting: acct-port 1813<\/li><\/ul>\n\n\n\n<p>Finally, set the \"secret\" shared by the two devices; it must be the same string as in clients.conf:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>R3(config)#radius-server key test<\/code><\/pre>\n\n\n\n<p>At this stage the RADIUS server declaration is complete. Saving the configuration is recommended. (Recent IOS releases replace these two commands with a named <code>radius server<\/code> block holding the address, ports and key; the older form is used here because it is what this lab image accepts.)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III2_Activation_du_modele_dauthentification\"><\/span>III.2 Activating the authentication model<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Now tell the router how logins are authenticated:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>aaa authentication login default group radius local<\/code><\/pre>\n\n\n\n<p>This default list applies to every line. The router asks the RADIUS group first; the <code>local<\/code> method is tried only when RADIUS returns an error, that is, no answer after the retransmissions. It is not tried when the server answers Access-Reject. That is what keeps the router reachable if the RADIUS server dies, provided a local account exists. A named list can also be defined:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>R3#conf t\nR3(config)#aaa authentication login localauth local\n<\/code><\/pre>\n\n\n\n<p>but a named list only takes effect once it is applied to a line with <code>login authentication localauth<\/code>; it is not applied here, so in this setup the fallback comes from the <code>local<\/code> keyword of the default list. Then create the local account:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>R3(config)#username admin nopassword<\/code><\/pre>\n\n\n\n<p>Normally a password is required! As written, anyone who can make the RADIUS server unreachable from the router, by unplugging it or flooding it, obtains a login with no password once the timeout expires; use <code>username admin secret &lt;password&gt;<\/code> in anything but a throwaway lab. This account is usable only when RADIUS authentication cannot take place.<\/p>
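<p>To make concrete what the secret set in II.2 and III.1 protects, here is an added example (it is not code from this post, from FreeRADIUS or from IOS) that re-implements in Python, with the standard library only, the Access-Request \/ Access-Accept exchange the router performs for the <code>test<\/code> account of II.3: the User-Password hiding of RFC 2865, the Response Authenticator that lets the router reject forged replies, and the Cisco AVpair carried back in a Vendor-Specific attribute. The client and user tables, the NAS address 192.168.30.254 and the request id are constructed from the values on this page; the server is a plain function instead of a UDP socket.<\/p>

```python
"""RADIUS/PAP exchange between a NAS (router R3) and the server, in pure Python.
Added example: this is not the post's code, nor FreeRADIUS or IOS code; it
re-implements the RFC 2865 rules both of them follow for a password login."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
NAS_PROMPT_USER = 7             # Service-Type value behind "NAS-Prompt-User"
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
NAS_IP = "192.168.30.254"       # R3's address on VLAN 30 (from the post)

# Constructed tables mirroring the post's configuration (nothing is read from disk).
CLIENTS = {NAS_IP: b"test"}                 # clients.conf: secret = test
USERS = {b"test": b"motdepasse"}            # users: Cleartext-Password := "motdepasse"
REPLY_AVPAIR = b"shell:priv-lvl=15"         # users: cisco-avpair = "shell:priv-lvl=15"


def attr(kind: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    """Walk a TLV list into {type: value}; the last occurrence of a type wins."""
    out, i = {}, 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        out[kind] = data[i + 2:i + length]
        i += length
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    The shared secret is the only thing hiding the password on the wire."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: the key stream is chained on the *hidden* blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def server_handle(request: bytes, client_ip: str) -> bytes:
    """Server side: recover the password with the client's secret, answer Accept or
    Reject, and sign the answer with the Response Authenticator
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    secret = CLIENTS[client_ip]          # a client absent from clients.conf is just dropped
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    password = unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    if USERS.get(attrs[USER_NAME]) == password:
        vsa = struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, REPLY_AVPAIR)
        reply = attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)) + attr(VENDOR_SPECIFIC, vsa)
        code = ACCESS_ACCEPT
    else:
        reply, code = b"", ACCESS_REJECT
    head = struct.pack("!BBH", code, ident, 20 + len(reply))
    return head + hashlib.md5(head + req_auth + reply + secret).digest() + reply


def nas_login(username: bytes, password: bytes, secret: bytes, ident: int = 13, send=server_handle):
    """NAS side: build the Access-Request the router prints under 'debug radius' and
    validate the answer. Returns ("PASS", avpair), ("FAIL", None) or ("ERROR", None)."""
    req_auth = os.urandom(16)            # fresh 16-byte Request Authenticator per request
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split("."))))
    request = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    response = send(request, NAS_IP)
    code, rid, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    if rid != ident or response[4:20] != expected:
        return "ERROR", None             # forged or wrong-secret reply: as good as no reply
    if code != ACCESS_ACCEPT:
        return "FAIL", None
    vsa = parse_attrs(response[20:length]).get(VENDOR_SPECIFIC, b"")
    if vsa[:4] != struct.pack("!I", CISCO_VENDOR_ID):
        return "PASS", None
    return "PASS", parse_attrs(vsa[4:]).get(CISCO_AVPAIR)


if __name__ == "__main__":
    print(nas_login(b"test", b"motdepasse", b"test"))    # ('PASS', b'shell:priv-lvl=15')
    print(nas_login(b"test1", b"motdepasse", b"test"))   # ('FAIL', None)
    print(nas_login(b"test", b"motdepasse", b"wrong"))   # ('ERROR', None): secrets differ
```

<p>The third call shows what happens when <code>radius-server key<\/code> and <code>secret<\/code> disagree: the server cannot recover the password and rejects, and the router cannot validate the Response Authenticator, which it treats like no answer at all. Everything here is keyed on MD5 of the secret, so a capture of one exchange lets an attacker test candidate secrets offline; with a secret as weak as \"test\" that recovers every password sent afterwards, which is the real reason to choose a long random one.<\/p>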
<p>That local account is, in short, an emergency exit.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III3_Test\"><\/span>III.3 Test<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>To test, leave the current user session:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>exit\nexit\n...<\/code><\/pre>\n\n\n\n<p>and wait for the login banner:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\n\nR3 con0 is now available\n\n\n\n\n\nPress RETURN to get started.\n\n\n\n<\/code><\/pre>\n\n\n\n<p>Then enter the credentials:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>User Access Verification\n\nUsername: test\nPassword: \n\nR3#\n<\/code><\/pre>\n\n\n\n<p>If the credentials are incorrect:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>User Access Verification\n\nUsername: \nUsername: test1\nPassword: \n\n% Authentication failed\n\nUsername: \n<\/code><\/pre>\n\n\n\n<p>Notice that the admin account does not work:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Username: admin\nPassword: \n\n% Authentication failed\n\nUsername: <\/code><\/pre>\n\n\n\n<p>This is expected: the account is not declared in RADIUS, the server answers Access-Reject, and a reject does not make the router fall back to the local method.<\/p>\n\n\n\n<p>On the other hand, if RADIUS is unreachable,<\/p>\n\n\n\n
<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_radius_deconnect.png\" alt=\"The RADIUS server disconnected from the topology\" class=\"wp-image-1805\" width=\"391\" height=\"191\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_radius_deconnect.png 617w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_radius_deconnect-300x147.png 300w\" sizes=\"auto, (max-width: 391px) 100vw, 391px\" \/><\/figure>\n\n\n\n<p>and after a few long seconds (the router sends the request, retransmits it three times at the default 5-second timeout and only then declares the server unreachable, about 20 s in all):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>User Access Verification\n\nUsername: admin\nPassword: \n\nR3#<\/code><\/pre>\n\n\n\n<p>the login succeeds.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III4_Mode_debug\"><\/span>III.4 Debug mode<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Debug mode can be enabled to understand some malfunctions:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>R3#debug radius \nRadius protocol debugging is on\nRadius protocol brief debugging is off\nRadius protocol verbose debugging is off\nRadius packet hex dump debugging is off\nRadius packet protocol debugging is on\nRadius elog debugging debugging is off\nRadius packet retransmission debugging is off\nRadius server fail-over debugging is off\nRadius elog debugging debugging is off\n<\/code><\/pre>\n\n\n\n<p>During a login, the exchanges between the router and the RADIUS server then become visible:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Username: admin \nPassword: \n*Mar  1 01:12:31.495: RADIUS\/ENCODE(0000000C): ask \"Password: \"\n*Mar  1 01:12:31.495: RADIUS\/ENCODE(0000000C): send packet; GET_PASSWORD\n\n*Mar  1 01:12:33.995: RADIUS\/ENCODE(0000000C):Orig. component type = EXEC\n*Mar  1 01:12:33.995: RADIUS:  AAA Unsupported Attr: interface         &#91;157] 4   \n*Mar  1 01:12:33.999: RADIUS:   74 74                                            &#91;tt]\n*Mar  1 01:12:33.999: RADIUS\/ENCODE(0000000C): dropping service type, \"radius-server attribute 6 on-for-login-auth\" is off\n*Mar  1 01:12:33.999: RADIUS(0000000C): Config NAS IP: 0.0.0.0\n*Mar  1 01:12:33.999: RADIUS\/ENCODE(0000000C): acct_session_id: 12\n*Mar  1 01:12:34.003: RADIUS(0000000C): sending\n*Mar  1 01:12:34.003: RADIUS\/ENCODE: Best Local IP-Address 192.168.30.254 for Radius-Server 192.168.30.100\n*Mar  1 01:12:34.007: RADIUS(0000000C): Send Access-Request to 192.168.30.100:1812 id 1645\/13, len 76\n*Mar  1 01:12:34.007: RADIUS:  authenticator D2 06 6B B6 63 DE 41 24 - A1 63 E4 1E C9 F8 B3 99\n*Mar  1 01:12:34.007: RADIUS:  User-Name           &#91;1]   7   \"admin\"\n*Mar  1 01:12:34.011: RADIUS:  User-Password       &#91;2]   18  *\n*Mar  1 01:12:34.011: RADIUS:  NAS-Port            &#91;5]   6   0                         \n*Mar  1 01:12:34.011: RADIUS:  NAS-Port-Id         &#91;87]  6   \"tty0\"\n*Mar  1 01:12:34.011: RADIUS:  NAS-Port-Type       &#91;61]  6   Async                     &#91;0]\n*Mar  1 01:12:34.015: RADIUS:  Calling-Station-Id  &#91;31]  7   \"async\"\n*Mar  1 01:12:34.015: RADIUS:  NAS-IP-Address      &#91;4]   6   192.168.30.254            \n*Mar  1 01:12:38.995: RADIUS: no sg in radius-timers: ctx 0x6575B19C sg 0x0000\n*Mar  1 01:12:38.995: RADIUS: Retransmit to (192.168.30.100:1812,1813) for id 1645\/13\n*Mar  1 01:12:43.555: RADIUS: no sg in radius-timers: ctx 0x6575B19C sg 0x0000\n*Mar  1 01:12:43.555: RADIUS: Retransmit to (192.168.30.100:1812,1813) for id 1645\/13\n*Mar  1 01:12:48.459: RADIUS: no sg in radius-timers: ctx 0x6575B19C sg 0x0000\n*Mar  1 01:12:48.459: RADIUS: Retransmit to (192.168.30.100:1812,1813) for id 1645\/13\nR3#\n*Mar  1 01:12:52.931: RADIUS: no sg in radius-timers: ctx 0x6575B19C sg 0x0000\n*Mar  1 01:12:52.931: RADIUS: No response from (192.168.30.100:1812,1813) for id 1645\/13\n*Mar  1 01:12:52.935: RADIUS\/DECODE: No response from radius-server; parse response; FAIL\n*Mar  1 01:12:52.935: RADIUS\/DECODE: Case error(no response\/ bad packet\/ op decode);parse response; FAIL\n<\/code><\/pre>\n\n\n\n<p>The log shows that the RADIUS server could not be reached: one Access-Request, three Retransmit lines about five seconds apart, then \"No response\". That \"no response\" error is what lets the default list move on to the <code>local<\/code> method, which is why admin was accepted here. Note also that the password is never printed (<code>User-Password ... *<\/code>) but the user names and the NAS address are, so debug output is itself sensitive.<\/p>\n\n\n\n<p>In a working case the log looks like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>User Access Verification\n\nUsername: test\n*Mar  1 01:14:30.395: RADIUS\/ENCODE(0000000D): ask \"Username: \"\n*Mar  1 01:14:30.395: RADIUS\/ENCODE(0000000D): send packet; GET_USER\nUsername: test\nPassword: \n*Mar  1 01:14:35.215: RADIUS\/ENCODE(0000000D): ask \"Password: \"\n*Mar  1 01:14:35.215: RADIUS\/ENCODE(0000000D): send packet; GET_PASSWORD\n\nR3#\n*Mar  1 01:14:38.039: RADIUS\/ENCODE(0000000D):Orig. component type = EXEC\n*Mar  1 01:14:38.039: RADIUS:  AAA Unsupported Attr: interface         &#91;157] 4   \n*Mar  1 01:14:38.043: RADIUS:   74 74                                            &#91;tt]\n*Mar  1 01:14:38.043: RADIUS\/ENCODE(0000000D): dropping service type, \"radius-server attribute 6 on-for-login-auth\" is off\n*Mar  1 01:14:38.043: RADIUS(0000000D): Config NAS IP: 0.0.0.0\n*Mar  1 01:14:38.043: RADIUS\/ENCODE(0000000D): acct_session_id: 13\n*Mar  1 01:14:38.047: RADIUS(0000000D): sending\n*Mar  1 01:14:38.047: RADIUS\/ENCODE: Best Local IP-Address 192.168.30.254 for Radius-Server 192.168.30.100\n*Mar  1 01:14:38.051: RADIUS(0000000D): Send Access-Request to 192.168.30.100:1812 id 1645\/14, len 75\n*Mar  1 01:14:38.051: RADIUS:  authenticator 2F B9 F4 58 79 8F 83 A8 - 44 85 07 3B 3B 3D FA 9B\n*Mar  1 01:14:38.051: RADIUS:  User-Name           &#91;1]   6   \"test\"\n*Mar  1 01:14:38.055: RADIUS:  User-Password       &#91;2]   18  *\n*Mar  1 01:14:38.055: RADIUS:  NAS-Port            &#91;5]   6   0                         \n*Mar  1 01:14:38.055: RADIUS:  NAS-Port-Id         &#91;87]  6   \"tty0\"\n*Mar  1 01:14:38.055: RADIUS:  NAS-Port-Type       &#91;61]  6   Async                     &#91;0]\n*Mar  1 01:14:38.059: RADIUS:  Calling-Station-Id  &#91;31]  7   \"async\"\n*Mar  1 01:14:38.059: RADIUS:  NAS-IP-Address      &#91;4]   6   192.168.30.254            \n*Mar  1 01:14:38.091: RADIUS: Received from id 1645\/14 192.168.30.100:1812, Access-Accept, len 51\n*Mar  1 01:14:38.091: RADIUS:  authenticator D1 8E 1C BB EB 53 5A 95 - E4 DE BE AE C0 26 F8 3D\n*Mar  1 01:14:38.095: RADIUS:  Service-Type        &#91;6]   6   NAS Prompt                &#91;7]\n*Mar  1 01:14:38.095: RADIUS:  Vendor, Cisco       &#91;26]  25  \n*Mar  1 01:14:38.095: RADIUS:   Cisco AVpair       &#91;1]   19  \"shell:priv-lvl=15\"\n*Mar  1 01:14:38.099: RADIUS(0000000D): Received from id 1645\/14\n<\/code><\/pre>\n\n\n\n<p>The Access-Accept carries back exactly the two reply items declared in the users file: Service-Type NAS Prompt and the Cisco AVpair <code>shell:priv-lvl=15<\/code> inside a Vendor-Specific attribute. Whether the router actually applies that privilege level depends on its AAA authorization configuration, which is not covered here.<\/p>\n\n\n\n<p>or like this when the credentials are incorrect:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>User Access Verification\n\nUsername: te\n*Mar  1 01:15:42.479: RADIUS\/ENCODE(0000000E): ask \"Username: \"\n*Mar  1 01:15:42.479: RADIUS\/ENCODE(0000000E): send packet; GET_USER\nUsername: test1\nPassword: \n*Mar  1 01:15:46.343: RADIUS\/ENCODE(0000000E): ask \"Password: \"\n*Mar  1 01:15:46.343: RADIUS\/ENCODE(0000000E): send packet; GET_PASSWORD\n\n*Mar  1 01:15:48.579: RADIUS\/ENCODE(0000000E):Orig. component type = EXEC\n*Mar  1 01:15:48.583: RADIUS:  AAA Unsupported Attr: interface         &#91;157] 4   \n*Mar  1 01:15:48.583: RADIUS:   74 74                                            &#91;tt]\n*Mar  1 01:15:48.583: RADIUS\/ENCODE(0000000E): dropping service type, \"radius-server attribute 6 on-for-login-auth\" is off\n*Mar  1 01:15:48.583: RADIUS(0000000E): Config NAS IP: 0.0.0.0\n*Mar  1 01:15:48.587: RADIUS\/ENCODE(0000000E): acct_session_id: 14\n*Mar  1 01:15:48.587: RADIUS(0000000E): sending\n*Mar  1 01:15:48.591: RADIUS\/ENCODE: Best Local IP-Address 192.168.30.254 for Radius-Server 192.168.30.100\n*Mar  1 01:15:48.591: RADIUS(0000000E): Send Access-Request to 192.168.30.100:1812 id 1645\/15, len 76\n*Mar  1 01:15:48.595: RADIUS:  authenticator 12 F9 15 8B 42 25 94 2E - E3 AA 87 CE E8 F7 BB 75\n*Mar  1 01:15:48.595: RADIUS:  User-Name           &#91;1]   7   \"test1\"\n*Mar  1 01:15:48.595: RADIUS:  User-Password       &#91;2]   18  *\n*Mar  1 01:15:48.595: RADIUS:  NAS-Port            &#91;5]   6   0                         \n*Mar  1 01:15:48.595: RADIUS:  NAS-Port-Id         &#91;87]  6   \"tty0\"\n*Mar  1 01:15:48.599: RADIUS:  NAS-Port-Type       &#91;61]  6   Async                     &#91;0]\n*Mar  1 01:15:48.599: RADIUS:  Calling-Station-Id  &#91;31]  7   \"async\"\n*Mar  1 01:15:48.599: RADIUS:  NAS-IP-Address      &#91;4]   6   192.168.30.254            \n*Mar  1 01:15:49.043: RADIUS: Received from id 1645\/15 192.168.30.100:1812, Access-Reject, len 20\n*Mar  1 01:15:49.043: RADIUS:  authenticator 4F 02 6A 6B 0D 5E ED 7D - 3D 66 B6 91 6B F0 1F EE\n*Mar  1 01:15:49.047: RADIUS(0000000E): Received from id 1645\/15\n% Authentication failed\n\nUsername: \n*Mar  1 01:15:51.055: RADIUS\/ENCODE(0000000E): ask \"Username: \"\n*Mar  1 01:15:51.055: RADIUS\/ENCODE(0000000E): send packet; GET_USER\nUsername: \n<\/code><\/pre>\n\n\n\n<p>And to disable debug mode:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>R3#no debug radius \nRadius protocol debugging is off\nRadius protocol brief debugging is off\nRadius protocol verbose debugging is off\nRadius packet hex dump debugging is off\nRadius packet protocol debugging is off\nRadius elog debugging debugging is off\nRadius packet retransmission debugging is off\nRadius server fail-over debugging is off\nRadius elog debugging debugging is off\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV_Authentification_de_PC_Windows_avec_Radius\"><\/span>IV Authenticating a Windows PC with RADIUS<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>In our practical case we move the Windows 10 PC onto router R3 as follows:<\/p>\n\n\n\n
<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"751\" height=\"306\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_freeradius_PC_Windows_archi.png\" alt=\"Windows 10 PC connected to R3 on VLAN 30 next to the RADIUS server\" class=\"wp-image-1832\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_freeradius_PC_Windows_archi.png 751w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_freeradius_PC_Windows_archi-300x122.png 300w\" sizes=\"auto, (max-width: 751px) 100vw, 751px\" \/><\/figure>\n\n\n\n<p>The PC gets the IP address 192.168.30.1 and the RADIUS server keeps the same address, 192.168.30.100.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV1_Configuration_routeur\"><\/span>IV.1 Router configuration<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV11_Cas_des_terminaux_nayant_pas_le_client_Radius\"><\/span>IV.1.1 Endpoints without an 802.1X supplicant<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>In 802.1X terms, the device to be authenticated is the \"supplicant\"; the router (or switch) it is plugged into is the authenticator, and FreeRADIUS is the authentication server. The PC never talks RADIUS itself: it sends EAPOL frames to the port, and the router is the RADIUS client.<\/p>
Le routeur peut se mettre en mode \u00ab\u00a0supplicant\u00a0\u00bb notemment dans le cas d&rsquo;imprimantes \u00e0 authentifier. Ces derni\u00e8res ne peuvent ne pas avoir de client radius et donc communiquer avec un serveur Radius. Ainsi le routeur prend le relais et c&rsquo;est lui qui va communiquer avec le serveur radius \u00e0 la place de l&rsquo;imprimante et si l&rsquo;authentification (par @MAC) est authoris\u00e9 bascule l&rsquo;interface dans le VLAN choisi. Pour utiliser ce type de service, CISCO pour le \u00ab\u00a0MAC Authentication Bypass Deployment\u00a0\u00bb ou \u00ab\u00a0MAB\u00a0\u00bb. <\/p>\n\n\n\n<p>Ce mode particulier ne peut \u00eatre simuler avec GNS3. Il ne sera donc pas vu. Cependant les sp\u00e9cifications techniques sont ici : <a rel=\"noreferrer noopener\" href=\"https:\/\/www.cisco.com\/c\/en\/us\/products\/collateral\/ios-nx-os-software\/identity-based-networking-services\/config_guide_c17-663759.html\" target=\"_blank\">https:\/\/www.cisco.com\/c\/en\/us\/products\/collateral\/ios-nx-os-software\/identity-based-networking-services\/config_guide_c17-663759.html<\/a><\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV12_Cas_des_terminaux_ayant_un_client_radius\"><\/span>IV.1.2 Cas des terminaux ayant un client radius<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Sur le routeur R3 nous allons d\u00e9finir de nouvelles r\u00e8gles aaa :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>aaa authentication dot1x default group radius\naaa authorization network default group radius <\/code><\/pre>\n\n\n\n<p>Ensuite il faut activer le service global d&rsquo;authentification par radius pour les interfaces<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dot1x system-auth-control<\/code><\/pre>\n\n\n\n<p>Puis sur l&rsquo;interface o\u00f9 est connect\u00e9 le PC, d\u00e9clarer le mode d&rsquo;authentification par Radius.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>interface FastEthernet1\/14\n 
switchport access vlan 30\n dot1x pae authenticator\n dot1x port-control auto<\/code><\/pre>\n\n\n\n<p>At this stage the port waits for an 802.1X (EAPOL) exchange from the PC; the router, acting as authenticator, relays it to the Radius server as Access-Requests. The port is not brought up because the PC has not authenticated yet:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>R3#show ip interface brief   \nInterface                  IP-Address      OK? Method Status                Protocol\nFastEthernet0\/0            unassigned      YES NVRAM  administratively down down    \nFastEthernet0\/1            unassigned      YES NVRAM  administratively down down    \nFastEthernet1\/0            192.168.101.2   YES NVRAM  up                    up      \nFastEthernet1\/1            192.168.102.2   YES NVRAM  up                    up      \nFastEthernet1\/2            unassigned      YES unset  up                    down    \nFastEthernet1\/3            unassigned      YES unset  up                    down    \nFastEthernet1\/4            unassigned      YES unset  up                    down    \nFastEthernet1\/5            unassigned      YES unset  up                    down    \nFastEthernet1\/6            unassigned      YES unset  up                    down    \nFastEthernet1\/7            unassigned      YES unset  up                    down    \nFastEthernet1\/8            unassigned      YES unset  up                    down    \nFastEthernet1\/9            unassigned      YES unset  up                    down    \nFastEthernet1\/10           unassigned      YES unset  up                    down    \nFastEthernet1\/11           unassigned      YES unset  up                    down    \nFastEthernet1\/12           unassigned      YES unset  up                    down    \nFastEthernet1\/13           192.168.103.1   YES NVRAM  up                    up      \nFastEthernet1\/14           unassigned      YES unset  up                    down    \nFastEthernet1\/15           unassigned      YES unset  up                    up      \nVlan1                      unassigned      YES NVRAM  up                    down    \nVlan30                     192.168.30.254  YES NVRAM  up                    up      \n<\/code><\/pre>\n\n\n\n<p>Interface 14 still sits in VLAN 30 because that was set by hand earlier. It need not be specified: during authentication the Radius server tells the router which VLAN to put the interface in.<\/p>\n\n\n\n<p>At this stage the router is configured.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV2_Configuration_FreeRadius\"><\/span>IV.2 FreeRadius configuration<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The Radius server must now be given the account and password to check. We choose authentication with the user&rsquo;s Windows logon (session) credentials rather than with the machine account.<\/p>\n\n\n\n<p>To do so, add the following lines to \/etc\/freeradius\/3.0\/<strong>users<\/strong> to declare the account \u00ab\u00a0Xavior\u00a0\u00bb and its password:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"412\" height=\"120\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_freeradius_compte_windows.png\" alt=\"\" class=\"wp-image-1836\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_freeradius_compte_windows.png 412w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_freeradius_compte_windows-300x87.png 300w\" sizes=\"auto, (max-width: 412px) 100vw, 412px\" \/><\/figure>\n\n\n\n<p>Finally, for the VLAN to be returned to the router, edit \/etc\/freeradius\/3.0\/mods-available\/<strong>eap.conf<\/strong>. In the peap and\/or ttls sections set the following two values (they default to \u00ab\u00a0no\u00a0\u00bb):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>copy_request_to_tunnel = yes\nuse_tunneled_reply = yes<\/code><\/pre>\n\n\n\n<p>Without them the VLAN chosen for the inner (tunnelled) identity never reaches the Access-Accept the router sees. Once done, restart the service.<\/p>\n\n\n\n<p>At this stage the Radius server is ready.<\/p>\n\n\n\n<p>To follow the authentication log, change the server settings: in the log section of radiusd.conf make sure the lines below appear:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>auth = yes\nauth_badpass = yes\nauth_goodpass = yes<\/code><\/pre>\n\n\n\n<p>Only auth = yes is needed to see accepted and rejected logins. The other two lines also write the submitted password into the log whenever the request carries it in clear text (PAP); they are acceptable in this isolated lab, keep them at \u00ab\u00a0no\u00a0\u00bb anywhere else.<\/p>\n\n\n\n<p>After restarting the service, successful and rejected authentications can be watched live with:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tail -f \/var\/log\/freeradius\/radius.log<\/code><\/pre>\n\n\n\n<p>Which gives output like the following:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"814\" height=\"327\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_freeradius_log.png\" alt=\"\" class=\"wp-image-1839\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_freeradius_log.png 814w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_freeradius_log-300x121.png 300w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_freeradius_log-768x309.png 768w\" sizes=\"auto, (max-width: 814px) 100vw, 814px\" \/><\/figure>\n\n\n\n<p>In this example we see that the PC has already tried to authenticate, without success.  
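<\/p>\n\n\n\n<p>The configuration steps above (the users entry and the VLAN it must return, the two tunnel flags in eap.conf, the auth lines in the log section of radiusd.conf) and the reading of radius.log, scripted together as an added example. This is not code from the post or from the FreeRadius project: it works on a scratch copy of the files so nothing under \/etc is touched; the NAS short name R3, the password and the sample log lines are constructed for the demo; and the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id reply attributes are the RFC 3580 VLAN attributes, which the screenshot above does not spell out.<\/p>\n\n\n\n
```shell
#!/bin/sh
# Added example, not code from the original post. It scripts the FreeRADIUS 3.0
# steps described above on a scratch copy of the files, then reads radius.log
# the way the post does by eye. Constructed for the demo (not from the post):
# the NAS short name R3, the password and the sample log lines. The Tunnel-*
# reply attributes are the RFC 3580 VLAN assignment attributes.
set -eu

# One "users" entry: a check item (Cleartext-Password, needed so the server can
# verify the MS-CHAPv2 response carried inside PEAP) and the three reply items
# the Cisco port reads to put the supplicant in the requested VLAN.
users_entry() {                     # $1 user, $2 password, $3 VLAN id
    printf '%s\tCleartext-Password := "%s"\n' "$1" "$2"
    printf '\tTunnel-Type = VLAN,\n'
    printf '\tTunnel-Medium-Type = IEEE-802,\n'
    printf '\tTunnel-Private-Group-Id = "%s"\n' "$3"
}

# Turn "key = no" into "key = yes" where it starts a (possibly indented) line
# of file $1, for every key given after it. sed without -i stays POSIX.
set_yes() {                         # $1 file, $2... keys
    f=$1; shift
    for k in "$@"; do
        sed "s/^\([[:space:]]*\)$k = no[[:space:]]*\$/\1$k = yes/" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    done
}

# eap.conf: without these two flags the VLAN chosen for the inner identity
# stays inside the TLS tunnel and never reaches the Access-Accept the NAS sees.
enable_tunneled_reply() { set_yes "$1" copy_request_to_tunnel use_tunneled_reply; }

# radiusd.conf: auth = yes produces the "Login OK" / "Login incorrect" lines.
# auth_badpass / auth_goodpass additionally write the submitted password into
# the log when the request carries it in clear text; lab use only.
enable_auth_logging() {             # $1 file, $2 = "lab" to log passwords too
    set_yes "$1" auth
    [ "${2:-}" = lab ] && set_yes "$1" auth_badpass auth_goodpass
    return 0
}

# Per user and NAS: "user client accepted rejected". The inner-tunnel virtual
# server logs each attempt a second time ("via TLS tunnel"); those lines are
# skipped so every attempt is counted once, on the outer request that also
# carries the NAS port and the client MAC.
auth_summary() {                    # $1 radius.log
    awk '
        /via TLS tunnel/ { next }
        /Login OK:|Login incorrect/ {
            u = substr($0, index($0, "[") + 1)          # "user/<via ...>] ..."
            u = substr(u, 1, index(u, "]") - 1)
            if (index(u, "/")) u = substr(u, 1, index(u, "/") - 1)
            c = substr($0, index($0, "from client ") + 12)
            sub(/ .*/, "", c)
            k = u " " c; seen[k] = 1
            if ($0 ~ /Login OK:/) ok[k]++; else bad[k]++
        }
        END { for (k in seen) print k, ok[k] + 0, bad[k] + 0 }' "$1"
}

# Constructed log excerpt in the shape radius.log takes once auth = yes.
sample_log() {
    cat <<'EOF'
Tue Dec  1 10:02:11 2020 : Auth: (3) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [Xavior/<via Auth-Type = mschap>] (from client R3 port 0 via TLS tunnel)
Tue Dec  1 10:02:11 2020 : Auth: (4) Login incorrect: [Xavior/<via Auth-Type = eap>] (from client R3 port 50114 cli 00-50-79-66-68-00)
Tue Dec  1 10:05:40 2020 : Auth: (9) Login OK: [Xavior/<via Auth-Type = mschap>] (from client R3 port 0 via TLS tunnel)
Tue Dec  1 10:05:40 2020 : Auth: (10) Login OK: [Xavior/<via Auth-Type = eap>] (from client R3 port 50114 cli 00-50-79-66-68-00)
Tue Dec  1 10:07:02 2020 : Auth: (14) Login incorrect: [guest/<via Auth-Type = eap>] (from client R3 port 50114 cli 00-50-79-66-68-01)
EOF
}

# Demo on a scratch tree with constructed fragments of the distro files.
demo() {
    d=$(mktemp -d)
    users_entry Xavior 'S3cret!' 30 > "$d/users"
    printf '\tpeap {\n\t\tcopy_request_to_tunnel = no\n\t\tuse_tunneled_reply = no\n\t}\n' > "$d/eap.conf"
    printf 'log {\n\tauth = no\n\tauth_badpass = no\n\tauth_goodpass = no\n}\n' > "$d/radiusd.conf"
    enable_tunneled_reply "$d/eap.conf"
    enable_auth_logging "$d/radiusd.conf" lab
    sample_log > "$d/radius.log"
    cat "$d/users" "$d/eap.conf" "$d/radiusd.conf"
    auth_summary "$d/radius.log"        # Xavior R3 1 1 / guest R3 0 1
    rm -rf "$d"
}
demo
```
\n\n\n\n<p>Once the printed users entry and flags look right, append the entry to \/etc\/freeradius\/3.0\/users, run enable_tunneled_reply and enable_auth_logging on the real files, check the result with freeradius -C (radiusd -C on non-Debian builds) and only then restart the service. The summary is grouped per user and per NAS, the two fields the post reads off the screenshot (router R3, interface 1\/14).<\/p>\n\n\n\n<p>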
We also see that the request comes from router R3, interface 1\/14.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV3_Configuration_PC_Windows_10\"><\/span>IV.3 Windows 10 PC configuration<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>By default the wired network adapters have no 802.1X authentication enabled. To enable it, start the \u00ab\u00a0Wired AutoConfig\u00a0\u00bb service (\u00ab\u00a0Configuration automatique de r\u00e9seau c\u00e2bl\u00e9\u00a0\u00bb on a French Windows), as follows:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"571\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_windows_radius_carte_filaire-1024x571.png\" alt=\"\" class=\"wp-image-1847\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_windows_radius_carte_filaire-1024x571.png 1024w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_windows_radius_carte_filaire-300x167.png 300w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_windows_radius_carte_filaire-768x428.png 768w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_windows_radius_carte_filaire.png 1362w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Then configure the network adapter: open \u00ab\u00a0Network and Sharing Center\u00a0\u00bb, then \u00ab\u00a0Change adapter settings\u00a0\u00bb, right-click the adapter in question and choose \u00ab\u00a0Properties\u00a0\u00bb:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"531\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_windows_radius_carte_filaire2-1024x531.png\" alt=\"\" class=\"wp-image-1850\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_windows_radius_carte_filaire2-1024x531.png 1024w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_windows_radius_carte_filaire2-300x155.png 300w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_windows_radius_carte_filaire2-768x398.png 768w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_windows_radius_carte_filaire2.png 1206w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>When the adapter properties appear, click the \u00ab\u00a0Authentication\u00a0\u00bb tab.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"563\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_windows_radius_carte_filaire3-1024x563.png\" alt=\"\" class=\"wp-image-1853\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_windows_radius_carte_filaire3-1024x563.png 1024w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_windows_radius_carte_filaire3-300x165.png 300w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_windows_radius_carte_filaire3-768x423.png 768w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_windows_radius_carte_filaire3.png 1303w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Choose the authentication method \u00ab\u00a0Microsoft: Protected EAP (PEAP)\u00a0\u00bb and click \u00ab\u00a0Settings\u00a0\u00bb. In the window that opens, untick \u00ab\u00a0Verify the server&rsquo;s identity by validating its certificate\u00a0\u00bb and select \u00ab\u00a0Secured password (EAP-MSCHAP v2)\u00a0\u00bb. Unticking the server check is acceptable only in this isolated lab: without it the supplicant will complete the MS-CHAPv2 exchange with any Radius server that answers, so in production leave it ticked and trust the CA that issued the FreeRadius certificate. 
Then click \u00ab\u00a0Configure\u00a0\u00bb and make sure \u00ab\u00a0Automatically use my Windows logon name and password (and domain if any)\u00a0\u00bb is ticked.<\/p>\n\n\n\n<p>Once done, confirm all the windows.<\/p>\n\n\n\n<p>At this stage Windows is configured to start an 802.1X (EAPOL) exchange on the network adapter; the router turns it into Radius requests to the server. Restart Windows 10.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV4_Verification_du_fonctionnement\"><\/span>IV.4 Checking that it works<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Once the Windows 10 PC has restarted, log on with the user account \u00ab\u00a0Xavior\u00a0\u00bb. The Radius server grants the access:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"804\" height=\"234\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_freeradius_log_OK.png\" alt=\"\" class=\"wp-image-1856\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_freeradius_log_OK.png 804w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_freeradius_log_OK-300x87.png 300w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/GNS3_freeradius_log_OK-768x224.png 768w\" sizes=\"auto, (max-width: 804px) 100vw, 804px\" \/><\/figure>\n\n\n\n<p>On router R3 we also see that interface 14 is now unblocked:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>R3#show ip interface brief \nInterface                  IP-Address      OK? Method Status                Protocol\nFastEthernet0\/0            unassigned      YES NVRAM  administratively down down    \nFastEthernet0\/1            unassigned      YES NVRAM  administratively down down    \nFastEthernet1\/0            192.168.101.2   YES NVRAM  up                    up      \nFastEthernet1\/1            192.168.102.2   YES NVRAM  up                    up      \nFastEthernet1\/2            unassigned      YES unset  up                    down    \nFastEthernet1\/3            unassigned      YES unset  up                    down    \nFastEthernet1\/4            unassigned      YES unset  up                    down    \nFastEthernet1\/5            unassigned      YES unset  up                    down    \nFastEthernet1\/6            unassigned      YES unset  up                    down    \nFastEthernet1\/7            unassigned      YES unset  up                    down    \nFastEthernet1\/8            unassigned      YES unset  up                    down    \nFastEthernet1\/9            unassigned      YES unset  up                    down    \nFastEthernet1\/10           unassigned      YES unset  up                    down    \nFastEthernet1\/11           unassigned      YES unset  up                    down    \nFastEthernet1\/12           unassigned      YES unset  up                    down    \nFastEthernet1\/13           192.168.103.1   YES NVRAM  up                    up      \nFastEthernet1\/14           unassigned      YES unset  up                    up      \nFastEthernet1\/15           unassigned      YES unset  up                    up      \nVlan1                      unassigned      YES NVRAM  up                    down    \nVlan30                     192.168.30.254  YES NVRAM  up                    up     <\/code><\/pre>\n\n\n\n<p>And finally that VLAN 30 has been assigned to this interface:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>R3# show vlan-switch brief \n\nVLAN Name                             Status    Ports\n---- -------------------------------- --------- -------------------------------\n1    default                          active    \n30   VLAN0030                         active    Fa1\/2, Fa1\/3, Fa1\/4, Fa1\/5\n                                                Fa1\/6, Fa1\/7, Fa1\/8, Fa1\/9\n                                                Fa1\/10, Fa1\/11, Fa1\/12, Fa1\/14\n                                                Fa1\/15\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"V_Pour_aller_plus_loin\"><\/span>V Going further<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"V1_Pistes_a_voir_en_detail\"><\/span>V.1 Leads to look at in detail<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>study in depth the Radius attributes meant for routers<\/li><li>declare several Radius servers on the routers<\/li><li>authenticate an AD account:<ul><li>through freeRadius and an AD,<\/li><li>using Microsoft NPS and an AD,<\/li><\/ul><\/li><li>Set up guest and business VLANs. 
See how to handle the guest VLAN from the server-infrastructure side&#8230;<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"V2_Documentation\"><\/span>V.2 Documentation<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"V21_Cisco_et_Radius\"><\/span>V.2.1 Cisco and Radius<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Useful documentation found on the net:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>official Cisco documentation: <a rel=\"noreferrer noopener\" href=\"https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/switches\/lan\/catalyst2960cx_3650cx\/software\/release\/15-2_3_e\/configuration\/guide\/b_1523e_consolidated_2960cx_3560cx_cg\/b_consolidated_152ex_2960-X_cg_chapter_0100101.pdf\" target=\"_blank\">https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/switches\/lan\/catalyst2960cx_3650cx\/software\/release\/15-2_3_e\/configuration\/guide\/b_1523e_consolidated_2960cx_3560cx_cg\/b_consolidated_152ex_2960-X_cg_chapter_0100101.pdf<\/a><\/li><li>FreeRadius documentation for connecting Cisco devices: <a rel=\"noreferrer noopener\" href=\"https:\/\/wiki.freeradius.org\/vendor\/Cisco\" target=\"_blank\">https:\/\/wiki.freeradius.org\/vendor\/Cisco<\/a><\/li><li>in French, an implementation on OpenClassRooms: <a rel=\"noreferrer noopener\" href=\"https:\/\/openclassrooms.com\/fr\/courses\/2557196-administrez-une-architecture-reseau-avec-cisco\/5135511-gerez-vos-acces-reseau-grace-au-serveur-radius\" target=\"_blank\">https:\/\/openclassrooms.com\/fr\/courses\/2557196-administrez-une-architecture-reseau-avec-cisco\/5135511-gerez-vos-acces-reseau-grace-au-serveur-radius<\/a><\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"V22_Cisco_et_TACACS\"><\/span>V.2.2 Cisco and TACACS<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>TACACS+ is Cisco&rsquo;s AAA protocol for centralising rights in the same way as Radius. It is used above all for administrator access to the devices themselves: it encrypts the whole packet body where Radius only hides the password, and it keeps authorization (down to the individual command) separate from authentication.<\/p>\n\n\n\n<p>Useful links to get started:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.cisco.com\/c\/fr_ca\/support\/docs\/security-vpn\/terminal-access-controller-access-control-system-tacacs-\/10368-basictacacs.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.cisco.com\/c\/fr_ca\/support\/docs\/security-vpn\/terminal-access-controller-access-control-system-tacacs-\/10368-basictacacs.pdf<\/a><\/li><li><a href=\"https:\/\/blog.marquis.co\/configuring-tacacs-server-on-ubuntu-14-04lts\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/blog.marquis.co\/configuring-tacacs-server-on-ubuntu-14-04lts\/<\/a><\/li><\/ul>\n\n\n\n<p><a href=\"https:\/\/doc.rero.ch\/record\/31225\/files\/TDIG_68.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/doc.rero.ch\/record\/31225\/files\/TDIG_68.pdf<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.reseaucerta.org\/sites\/default\/files\/Authentification-802.1x-V1.0.pdf\">https:\/\/www.reseaucerta.org\/sites\/default\/files\/Authentification-802.1x-V1.0.pdf<\/a><\/p>\n\n\n\n<p><a href=\"http:\/\/idum.fr\/spip.php?article335\">http:\/\/idum.fr\/spip.php?article335<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/blog.clemanet.com\/linux\/freeradius-2-802-1x.html\">https:\/\/blog.clemanet.com\/linux\/freeradius-2-802-1x.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I Introduction The aim is to centralise the accounts on a dedicated server and have that server perform the authentication of the credentials entered on the routers. We start from the following architecture, to which we add a server on VLAN 30<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-1781","post","type-post","status-publish","format-standard","hentry","category-_systeme"],"_links":{"self":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/1781","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1781"}],"version-history":[{"count":58,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/1781\/revisions"}],"predecessor-version":[{"id":1974,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/1781\/revisions\/1974"}],"wp:attachment":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1781"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1781"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1781"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}