802.1X Port-Based Authentication HOWTO - Lars Strand
information is stored in a plain text file, users. A more sophisticated
solution for storing user information may be preferred (SQL, LDAP, PDC,
etc.).

Make sure the users file contains the following entry:

"testuser" User-Password == "Secret149"

Supplicant: Setting up Xsupplicant

The Supplicant is usually a laptop or other (wireless) device that requires
authentication. Xsupplicant implements the "Supplicant" role of the
IEEE 802.1X-2001 standard.

4.1. Installing Xsupplicant

Download the latest source from http://www.open1x.org/

# cd /usr/local/src
# wget http://belnet.dl.sourceforge.net/sourceforge/open1x/xsupplicant-1.0.tar.gz
# tar zxfv xsupplicant-1.0.tar.gz
# cd xsupplicant

Configure, make, and install:

# ./configure
# make
# make install

If the configuration file wasn't installed (copied) into the "etc"
folder, do it manually:

# mkdir -p /usr/local/etc/1x
# cp etc/tls-example.conf /usr/local/etc/1x

If installation fails, check the README and INSTALL files included with the
source. You may also check out the official documentation.

4.2. Configuring Xsupplicant

The Supplicant must have access to the root certificate.

If the Supplicant needs to authenticate against the Authentication
Server (authentication both ways), the Supplicant must have certificates
as well.

Create a certificate folder, and move the certificates into it:

# mkdir -p /usr/local/etc/1x/certs
# cp root.pem /usr/local/etc/1x/certs/
# (copy optional client certificate(s) into the same folder)

Open and edit the configuration file:

# startup_command: the command to run when Xsupplicant is first started.
# This command can do things such as configure the card to associate with
# the network properly.
startup_command = /usr/local/etc/1x/startup.sh

The startup.sh script will be created shortly.

Once the client is authenticated, it either sends a DHCP request or sets
an IP address manually. Here, the Supplicant sets its IP address manually
in startup2.sh:

# first_auth_command: the command to run when Xsupplicant authenticates to
# a wireless network for the first time. This will usually be used to
# start a DHCP client process.
#first_auth_command = dhclient %i
first_auth_command = /usr/local/etc/1x/startup2.sh

Since "-i" is only for debugging purposes (and may go away, according to
the developers), "allow_interfaces" must be set:

allow_interfaces = eth0
deny_interfaces = eth1

Next, under the "NETWORK SECTION", we'll configure PEAP:

# We'll be using PEAP
allow_types = eap_peap

# Don't want any eavesdropper to learn the username during the
# first phase (which is unencrypted), so 'identity hiding' is
# used (using a bogus username).
identity = anonymous

eap-peap {
  # As in tls, define either a root certificate or a directory
  # containing root certificates.
  root_cert = /usr/local/etc/1x/certs/root.pem
  #root_dir = /path/to/root/certificate/dir
  #crl_dir = /path/to/dir/with/crl
  chunk_size = 1398
  random_file = /dev/urandom
  #cncheck = myradius.radius.com  # Verify that the server certificate
                                  # has this value in its CN field.
  #cnexact = yes                  # Should it be an exact match?
  session_resume = yes

  # Currently 'all' is just mschapv2.
  # If no allow_types is defined, all is assumed.
  #allow_types = all  # where all = MSCHAPv2, MD5, OTP, GTC, SIM
  allow_types = eap_mschapv2

  # Right now, you can do any of these methods in PEAP:
  eap-mschapv2 {
    username = <BEGIN_UNAME>testuser<END_UNAME>
    password = <BEGIN_PASS>Secret149<END_PASS>
  }
}
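The two settings in this section that decide how much a rogue access point can learn from the Supplicant are the outer "identity" (sent in the clear) and the server-certificate checks (root_cert and cncheck). The following added example, which is not part of the HOWTO or of Xsupplicant, parses a config in the format shown above (a constructed, condensed copy of this section) and reports which of those checks are missing:

```python
import re

# Constructed sample: the PEAP part of the config above, condensed, with
# cncheck left commented out exactly as the HOWTO shows it.
SAMPLE_CONF = """\
allow_types = eap_peap
identity = anonymous
eap-peap {
  root_cert = /usr/local/etc/1x/certs/root.pem
  #cncheck = myradius.radius.com
  session_resume = yes
  allow_types = eap_mschapv2
  eap-mschapv2 {
    username = <BEGIN_UNAME>testuser<END_UNAME>
    password = <BEGIN_PASS>Secret149<END_PASS>
  }
}
"""

_MARK = re.compile(r"<BEGIN_\w+>(.*?)<END_\w+>")  # <BEGIN_PASS>x<END_PASS> -> x

def parse_conf(text):
    """Parse 'key = value' lines and nested 'name { ... }' blocks into dicts."""
    root, stack, cur = {}, [], {}
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments; '#cncheck' vanishes
        if not line:
            continue
        if line.endswith("{"):               # open a nested block
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":                    # close it
            cur = stack.pop()
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = _MARK.sub(r"\1", val)
    return root

def audit_peap(conf):
    """Return the findings a defender would flag in this PEAP supplicant config."""
    findings = []
    peap = conf.get("eap-peap", {})
    inner = peap.get("eap-mschapv2", {})
    if conf.get("allow_types") != "eap_peap":
        findings.append("outer allow_types is not restricted to eap_peap")
    if conf.get("identity", "") in ("", inner.get("username")):
        findings.append("outer identity exposes the real username in the unencrypted phase")
    if not (peap.get("root_cert") or peap.get("root_dir")):
        findings.append("no root_cert/root_dir: the server certificate is not verified")
    if not peap.get("cncheck"):
        findings.append("cncheck unset: any server certificate from the trusted CA is accepted")
    return findings
```

Run against the sample, the only finding is the commented-out cncheck; enabling it, as the HOWTO's comment suggests, clears the report.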

The Supplicant must first associate with the access point. The script
startup.sh does that job. It is also the first command Xsupplicant
executes.

Note: Notice the bogus key we give to iwconfig (enc 000000000)! This key
tells the driver to run in encrypted mode; it is replaced after successful
authentication. It can be set to "enc off" only if encryption is disabled
in the AP (for testing purposes).

Both startup.sh and startup2.sh must be saved under /usr/local/etc/1x/.

#!/bin/bash
echo "Starting startup.sh"

# Take down interface (if it's up)
/sbin/ifconfig eth0 down

# To make sure the routes are flushed
sleep 1

# Configuring the interface with a bogus key
/sbin/iwconfig eth0 mode managed essid testnet enc 000000000

# Bring the interface up and make sure it listens to multicast packets
/sbin/ifconfig eth0 allmulti up

echo "Finished startup.sh"

This next file is used to set the IP address statically. It can be
omitted if a DHCP server is present (as it typically is, in many access
points).

#!/bin/bash
echo "Starting startup2.sh"

# Assigning an IP address
/sbin/ifconfig eth0 192.168.1.5 netmask 255.255.255.0

echo "Finished startup2.sh"
