802.1X Port-Based Authentication HOWTO - Lars Strand (spicy books to read .TXT) 📗
- Author: Lars Strand
- Performer: -
Book online «802.1X Port-Based Authentication HOWTO - Lars Strand (spicy books to read .TXT) 📗». Author Lars Strand
During the authentication process, the Authenticator just relays all
messages between the Supplicant and the Authentication Server (RADIUS). EAPOL
is used between the Supplicant and the Authenticator; and, between the
Authenticator and the Authentication Server, UDP is used.
5.1. Access Point
Many access point have support for 802.1X (and RADIUS) authentication. It
must first be configured to use 802.1X authentication.
Note Configuring and setting up 802.1X on the AP may differ between vendors.
Listed below are the required settings to make a Cisco AP350 work. Other settings to TIKP, CCMP etc. may also be configured.The AP must set the ESSID to "testnet" and must activate:
[8021X-CiscoAP]
Figure AP350: The RADIUS configuration screen for a Cisco AP-350
��*� 802.1X-2001: Make sure the 802.1X Protocol version is set to
"802.1X-2001". Some older Access Points support only the draft version of the 802.1X standard (and may therefore not work).��*� RADIUS Server: the name/IP address of the RADIUS server and the shared
secret between the RADIUS server and the Access Point (which in this document is "SharedSecret99"). See figure AP350.��*� EAP Authentication: The RADIUS server should be used for EAP
authentication.[8021X-CiscoAP2]
Figure AP350-2: The Encryption configuration screen for a Cisco AP-350
��*� Full Encryption to allow only encrypted traffic. Note that 802.1X may
be used without using encryption, which is nice for test purposes.��*� Open Authentication to make the Supplicant associate with the Access
Point before encryption keys are available. Once the association is done, the Supplicant may start EAP authentication.��*� Require EAP for the "Open Authentication". That will ensure that only
authenticated users are allowed into the network.5.2. Linux Authenticator
An ordinary Linux node can be set up to function as a wireless Access Point
and Authenticator. How to set up and use Linux as an AP is beyond the scope
of this document. Simon Anderson's Linux Wireless Access Point HOWTO may be
of guidance.
Testbed6.1. Testcase
[8021X-Testbed]
figure testbed: A wireless node request authentication.
Our testbed consists of two nodes and one Access Point (AP). One node
functions as the Supplicant (WN), the other as the back-end Authentication
Server running RADIUS (AS). The Access Point is the Authenticator. See figure
testbed for explanation.
Important It is crucial that the Access Point be able to reach (ping) the
Authentication Server, and vice versa!6.2. Running some tests
Running some tests
The RADIUS server is started in debug mode. This produces a lot of
debug information. The important snippets are below:
# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
......
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
......
Module: Loaded eap
eap: default_eap_type = "peap" (1)
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
tls: rsa_key_exchange = no (2)
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "SecretKeyPass77"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random"
tls: fragment_size = 1024
Comments (0)